Saturday, August 29, 2020

Do you guys have any recommendations of learning material to take a deep dive into TCP (and Wireshark)?

For most of my career I have been worried about layers 1, 2, and 3. Node A can reach Node B - we're good. But in my current job, I'm learning that TCP packet analysis is an invaluable skill that I need to use almost all day, every day. This is my first time actually truly diving into packet analysis. I've done it before, but not nearly at this level. This is my first time taking captures across multiple devices and trying to figure out what's going on.

For example, I'm currently working on a case where there is a source, firewall, and destination capture. I can tell from the captures that the firewall seems to be dropping the return traffic (or there is some routing issue on the return traffic). But that's not my concern with this post. I'm only using it as an example.

What I want to learn more about is TCP itself. In the source capture pictured below, I see [SYN, ECN, CWR], [SYN, ECN, CWR], then [SYN]. I see the first two in the firewall, but not the [SYN]. ... yet, I see a third [SYN, ECN, CWR] in the firewall. A total of 4 [SYN, ECN, CWR] in the firewall. Picture of PCAPs here: https://imgur.com/a/QxJaTZj

Why only 2 retransmits but 3 out of order packets? Why the simple [SYN] after [SYN, ECN, CWR], and why am I not seeing that in the firewall capture? That's the level of TCP I want to learn.
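The flag strings in the question are just bits in the TCP header: Wireshark prints the ECE bit as "ECN", so "[SYN, ECN, CWR]" is a SYN with both RFC 3168 ECN-setup bits (0xC2), and a plain "[SYN]" is 0x02. An ECN-setup SYN followed, after retransmissions, by a plain SYN with the same initial sequence number is the fallback RFC 3168 section 6.1.1.1 asks for: if the ECN-setup SYN goes unanswered, retry without ECE/CWR in case something on the path drops ECN SYNs (on Linux this is governed by net.ipv4.tcp_ecn_fallback). The Python below is an added example, not code or data from the post or its pcaps: it packs and parses raw TCP headers, labels flags in Wireshark's order, classifies each SYN as initial, retransmitted, or ECN-cleared fallback, and diffs two capture points to find which SYNs one of them never saw. The ports, ISN and both "captures" are constructed to mirror the description above, and the checksum is left at zero since nothing is put on the wire.

```python
"""Decode TCP flags the way Wireshark labels them and classify SYNs across
two capture points of the same connection attempt.  Added example; every
segment below is constructed, not taken from the post's pcaps."""
import struct

# Flag bits in the low byte of the TCP data-offset/flags word (RFC 793;
# CWR and ECE added by RFC 3168).  Listed low bit first, which is the order
# Wireshark uses in its summary string ("[SYN, ACK]", "[SYN, ECN, CWR]").
FLAG_BITS = [
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECN"), (0x80, "CWR"),
]
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (m for m, _ in FLAG_BITS)
ECN_SETUP = ECE | CWR          # an "ECN-setup SYN" carries both bits (0xC0)


def flags_label(flags):
    """Render flags as Wireshark does, e.g. 0xC2 -> '[SYN, ECN, CWR]'."""
    return "[" + ", ".join(n for m, n in FLAG_BITS if flags & m) + "]"


def build_tcp_segment(sport, dport, seq, flags, ack=0, window=64240):
    """Constructed 20-byte TCP header, no options, checksum left as 0."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, window, 0, 0)


def parse_tcp(segment):
    """Parse the fixed 20-byte TCP header of a raw segment."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": off_flags & 0xFF,               # bit 8 (NS/AE) not decoded here
        "window": window,
    }


def classify_syns(segments):
    """Label each connection-opening SYN (SYN set, ACK clear) in capture order.

    A SYN is a retransmission when an earlier SYN in the same capture had the
    same ports and ISN.  A retransmitted SYN whose ECN bits are gone is the
    RFC 3168 section 6.1.1.1 fallback: the sender retries without ECE/CWR
    after an ECN-setup SYN goes unanswered.
    """
    first_flags = {}     # (sport, dport, seq) -> flags of the first SYN seen
    verdicts = []
    for seg in segments:
        p = parse_tcp(seg)
        if not (p["flags"] & SYN) or (p["flags"] & ACK):
            continue
        key = (p["sport"], p["dport"], p["seq"])
        ecn_now = (p["flags"] & ECN_SETUP) == ECN_SETUP
        if key not in first_flags:
            first_flags[key] = p["flags"]
            verdict = "initial " + ("ECN-setup SYN" if ecn_now else "plain SYN")
        else:
            ecn_first = (first_flags[key] & ECN_SETUP) == ECN_SETUP
            if ecn_first and not ecn_now:
                verdict = "retransmitted SYN with ECN cleared (RFC 3168 fallback)"
            else:
                verdict = "retransmitted SYN, flags unchanged"
        verdicts.append((flags_label(p["flags"]), verdict))
    return verdicts


def syns_missing_from(reference, other):
    """SYNs seen in `reference` more often than in `other`, keyed on ports,
    ISN and flags so the fallback SYN (same ISN, different flags) counts as a
    distinct packet.  Returns [(flag label, how many copies are missing)]."""
    def keys(segs):
        out = {}
        for s in segs:
            p = parse_tcp(s)
            if p["flags"] & SYN and not p["flags"] & ACK:
                k = (p["sport"], p["dport"], p["seq"], p["flags"])
                out[k] = out.get(k, 0) + 1
        return out
    ref, oth = keys(reference), keys(other)
    return [(flags_label(k[3]), n - oth.get(k, 0))
            for k, n in ref.items() if n > oth.get(k, 0)]


# Constructed captures modelled on the description: the source shows two
# ECN-setup SYNs then a plain SYN with the same ISN; the firewall shows only
# ECN-setup SYNs.  Ports and ISN are made up.
ISN = 0x12345678
SOURCE_CAPTURE = [
    build_tcp_segment(51000, 443, ISN, SYN | ECN_SETUP),
    build_tcp_segment(51000, 443, ISN, SYN | ECN_SETUP),
    build_tcp_segment(51000, 443, ISN, SYN),
]
FIREWALL_CAPTURE = [
    build_tcp_segment(51000, 443, ISN, SYN | ECN_SETUP),
    build_tcp_segment(51000, 443, ISN, SYN | ECN_SETUP),
    build_tcp_segment(51000, 443, ISN, SYN | ECN_SETUP),
]

if __name__ == "__main__":
    for label, verdict in classify_syns(SOURCE_CAPTURE):
        print(f"{label:18} {verdict}")
    print("in source, not at firewall:",
          syns_missing_from(SOURCE_CAPTURE, FIREWALL_CAPTURE))
    print("at firewall, not in source:",
          syns_missing_from(FIREWALL_CAPTURE, SOURCE_CAPTURE))
```

To run the same logic on real pcaps, feed `classify_syns` and `syns_missing_from` the raw TCP bytes of each frame (for example via scapy's `bytes(pkt[TCP])`) in capture order; matching on the ISN rather than on timing is what lets you line up the same SYN across source, firewall and destination captures even when their clocks disagree.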


