我们不理解这种TCP行为,显示出一个redhat linux 5 TCP堆栈(HTTP服务器,这是从哪里转储的)接收了SYN, ACK的ACK,但继续忽略它并重复5次重复的SYN, ACK。最后,服务器对此“连接”的HTTP GET发送RST。
Time Source Destination Port Protocol Length Info
2015-01-30 08:42:18.387260000 81.74.146.89 124.219.82.236 80 TCP 74 64866 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 WS=8 SACK_PERM=1 TSval=988669132 TSecr=0
2015-01-30 08:42:18.387309000 124.219.82.236 81.74.146.89 64866 TCP 62 http > 64866 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
2015-01-30 08:42:18.387354000 81.74.146.89 124.219.82.236 80 TCP 60 64866 > http [ACK] Seq=1 Ack=1 Win=5840 Len=0
2015-01-30 08:42:21.386871000 124.219.82.236 81.74.146.89 64866 TCP 62 [TCP Retransmission] http > 64866 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
2015-01-30 08:42:21.387118000 81.74.146.89 124.219.82.236 80 TCP 66 [TCP Dup ACK 3#1] 64866 > http [ACK] Seq=1 Ack=1 Win=5840 Len=0 SLE=0 SRE=1
2015-01-30 08:42:27.386919000 124.219.82.236 81.74.146.89 64866 TCP 62 [TCP Retransmission] http > 64866 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
2015-01-30 08:42:27.387165000 81.74.146.89 124.219.82.236 80 TCP 66 [TCP Dup ACK 3#2] 64866 > http [ACK] Seq=1 Ack=1 Win=5840 Len=0 SLE=0 SRE=1
2015-01-30 08:42:39.387130000 124.219.82.236 81.74.146.89 64866 TCP 62 [TCP Retransmission] http > 64866 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
2015-01-30 08:42:39.387376000 81.74.146.89 124.219.82.236 80 TCP 66 [TCP Dup ACK 3#3] 64866 > http [ACK] Seq=1 Ack=1 Win=5840 Len=0 SLE=0 SRE=1
2015-01-30 08:43:03.387486000 124.219.82.236 81.74.146.89 64866 TCP 62 [TCP Retransmission] http > 64866 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
2015-01-30 08:43:03.387709000 81.74.146.89 124.219.82.236 80 TCP 66 [TCP Dup ACK 3#4] 64866 > http [ACK] Seq=1 Ack=1 Win=5840 Len=0 SLE=0 SRE=1
2015-01-30 08:43:51.588227000 124.219.82.236 81.74.146.89 64866 TCP 62 [TCP Retransmission] http > 64866 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
2015-01-30 08:43:51.588449000 81.74.146.89 124.219.82.236 80 TCP 66 [TCP Dup ACK 3#5] 64866 > http [ACK] Seq=1 Ack=1 Win=5840 Len=0 SLE=0 SRE=1
2015-01-30 08:57:13.679727000 81.74.146.89 124.219.82.236 80 TCP 353 64866 > http [PSH, ACK] Seq=1 Ack=1 Win=5840 Len=299
2015-01-30 08:57:13.679740000 124.219.82.236 81.74.146.89 64866 TCP 54 http > 64866 [RST] Seq=1 Win=0 Len=0
http://i.stack.imgur.com/5F2ZO.png
pcap: https://www.dropbox.com/s/ave4sctozc5m2a4/TcpAckIgnored.pcapng?dl=0
这个TCP虚假重传的原因是什么?有没有办法进行分析?任何帮助都将不胜感激。
Thomas
TCP_DEFER_ACCEPT
。更深入的分析请参见:https://labs.ripe.net/Members/gih/the-curious-case-of-the-crooked-tcp-handshake - Vladimír Čunát