Need help in understanding the ASA capture as window size keeps reducing

mohit.gupta2
Level 1

  1: 20:49:26.861878 144.36.221.107.8154 > 72.31.9.17.1521: S 1326295747:1326295747(0) win 65535 <mss 1460,nop,nop,sackOK>

   2: 20:49:27.184225 72.31.9.17.1521 > 144.36.221.107.8154: S 3201468064:3201468064(0) ack 1326295748 win 49680 <mss 1380>

   3: 20:49:27.184652 144.36.221.107.8154 > 72.31.9.17.1521: . ack 3201468065 win 65535

   4: 20:49:27.185506 144.36.221.107.8154 > 72.31.9.17.1521: P 1326295748:1326295973(225) ack 3201468065 win 65535

   5: 20:49:27.185552 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326295973 win 16159

   6: 20:49:27.639996 72.31.9.17.1521 > 144.36.221.107.8154: P 3201468065:3201468073(8) ack 1326295973 win 16384

   7: 20:49:27.640591 144.36.221.107.8154 > 72.31.9.17.1521: P 1326295973:1326296198(225) ack 3201468073 win 65527

   8: 20:49:27.640637 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326296198 win 16159

   9: 20:49:27.962093 72.31.9.17.1521 > 144.36.221.107.8154: P 3201468073:3201468097(24) ack 1326296198 win 16384

  10: 20:49:27.962749 144.36.221.107.8154 > 72.31.9.17.1521: P 1326296198:1326296350(152) ack 3201468097 win 65503

  11: 20:49:27.962795 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326296350 win 16232

  12: 20:49:28.283371 72.31.9.17.1521 > 144.36.221.107.8154: P 3201468097:3201468224(127) ack 1326296350 win 16536

  13: 20:49:28.284058 144.36.221.107.8154 > 72.31.9.17.1521: P 1326296350:1326296383(33) ack 3201468224 win 65376

  14: 20:49:28.284088 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326296383 win 16503

  15: 20:49:28.603820 72.31.9.17.1521 > 144.36.221.107.8154: P 3201468224:3201468404(180) ack 1326296383 win 16417

  16: 20:49:28.610976 144.36.221.107.8154 > 72.31.9.17.1521: P 1326296383:1326297162(779) ack 3201468404 win 65196

  17: 20:49:28.611021 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326297162 win 15638

  18: 20:49:28.935757 72.31.9.17.1521 > 144.36.221.107.8154: P 3201468404:3201469238(834) ack 1326297162 win 17163

  19: 20:49:28.936673 144.36.221.107.8154 > 72.31.9.17.1521: P 1326297162:1326297181(19) ack 3201469238 win 64362

  20: 20:49:28.936719 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326297181 win 17144

  21: 20:49:29.256944 72.31.9.17.1521 > 144.36.221.107.8154: P 3201469238:3201469439(201) ack 1326297181 win 16403

  22: 20:49:29.300658 144.36.221.107.8154 > 72.31.9.17.1521: P 1326297181:1326297278(97) ack 3201469439 win 64161

  23: 20:49:29.300704 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326297278 win 16306

  24: 20:49:29.628202 72.31.9.17.1521 > 144.36.221.107.8154: P 3201469439:3201469512(73) ack 1326297278 win 16481

  25: 20:49:29.629606 144.36.221.107.8154 > 72.31.9.17.1521: P 1326297278:1326297812(534) ack 3201469512 win 65535

  26: 20:49:29.629651 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326297812 win 15947

  27: 20:49:29.960567 72.31.9.17.1521 > 144.36.221.107.8154: P 3201469512:3201470712(1200) ack 1326297812 win 16918

  28: 20:49:29.961940 144.36.221.107.8154 > 72.31.9.17.1521: P 1326297812:1326297825(13) ack 3201470712 win 64335

  29: 20:49:29.961986 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326297825 win 16905

  30: 20:49:30.287430 72.31.9.17.1521 > 144.36.221.107.8154: P 3201470712:3201470724(12) ack 1326297825 win 16397

  31: 20:49:30.287964 144.36.221.107.8154 > 72.31.9.17.1521: P 1326297825:1326297835(10) ack 3201470724 win 64323

  32: 20:49:30.288010 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326297835 win 16387

  33: 20:49:30.288132 144.36.221.107.8154 > 72.31.9.17.1521: F 1326297835:1326297835(0) ack 3201470724 win 64323

  34: 20:49:30.288177 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326297836 win 16387

  35: 20:49:30.616499 72.31.9.17.1521 > 144.36.221.107.8154: F 3201470724:3201470724(0) ack 1326297836 win 16394

  36: 20:49:30.616896 144.36.221.107.8154 > 72.31.9.17.1521: . ack 3201470725 win 64323

  37: 20:50:20.657680 144.36.221.107.8155 > 72.31.9.17.1521: S 2100894672:2100894672(0) win 65535 <mss 1460,nop,nop,sackOK>

  38: 20:50:20.987040 72.31.9.17.1521 > 144.36.221.107.8155: S 2961647896:2961647896(0) ack 2100894673 win 49680 <mss 1380>

  39: 20:50:20.987451 144.36.221.107.8155 > 72.31.9.17.1521: . ack 2961647897 win 65535

  40: 20:50:21.012984 144.36.221.107.8155 > 72.31.9.17.1521: P 2100894673:2100894838(165) ack 2961647897 win 65535

  41: 20:50:21.013030 72.31.9.17.1521 > 144.36.221.107.8155: . ack 2100894838 win 16219

  42: 20:50:21.459769 72.31.9.17.1521 > 144.36.221.107.8155: P 2961647897:2961647905(8) ack 2100894838 win 16384

  43: 20:50:21.461295 144.36.221.107.8155 > 72.31.9.17.1521: P 2100894838:2100895003(165) ack 2961647905 win 65527

  44: 20:50:21.461340 72.31.9.17.1521 > 144.36.221.107.8155: . ack 2100895003 win 16219

  45: 20:50:21.787862 72.31.9.17.1521 > 144.36.221.107.8155: P 2961647905:2961647929(24) ack 2100895003 win 16384

  46: 20:50:21.789555 144.36.221.107.8155 > 72.31.9.17.1521: P 2100895003:2100895155(152) ack 2961647929 win 65503

  47: 20:50:21.789601 72.31.9.17.1521 > 144.36.221.107.8155: . ack 2100895155 win 16232

  48: 20:50:22.110437 72.31.9.17.1521 > 144.36.221.107.8155: P 2961647929:2961648056(127) ack 2100895155 win 16536

  49: 20:50:22.118432 144.36.221.107.8155 > 72.31.9.17.1521: P 2100895155:2100895188(33) ack 2961648056 win 65376

  50: 20:50:22.118478 72.31.9.17.1521 > 144.36.221.107.8155: . ack 2100895188 win 16503

  51: 20:50:22.440269 72.31.9.17.1521 > 144.36.221.107.8155: P 2961648056:2961648236(180) ack 2100895188 win 16417

  52: 20:50:22.582809 144.36.221.107.8155 > 72.31.9.17.1521: P 2100895188:2100895967(779) ack 2961648236 win 65196

  53: 20:50:22.582886 72.31.9.17.1521 > 144.36.221.107.8155: . ack 2100895967 win 15638

  54: 20:50:22.908095 72.31.9.17.1521 > 144.36.221.107.8155: P 2961648236:2961649070(834) ack 2100895967 win 17163

  55: 20:50:22.910673 144.36.221.107.8155 > 72.31.9.17.1521: P 2100895967:2100895986(19) ack 2961649070 win 64362

  56: 20:50:22.910719 72.31.9.17.1521 > 144.36.221.107.8155: . ack 2100895986 win 17144

  57: 20:50:23.235446 72.31.9.17.1521 > 144.36.221.107.8155: P 2961649070:2961649271(201) ack 2100895986 win 16403

  58: 20:50:23.240755 144.36.221.107.8155 > 72.31.9.17.1521: P 2100895986:2100896084(98) ack 2961649271 win 64161

  59: 20:50:23.240786 72.31.9.17.1521 > 144.36.221.107.8155: . ack 2100896084 win 16305

  60: 20:50:23.566895 72.31.9.17.1521 > 144.36.221.107.8155: P 2961649271:2961649344(73) ack 2100896084 win 16482

  61: 20:50:23.591781 144.36.221.107.8155 > 72.31.9.17.1521: P 2100896084:2100896619(535) ack 2961649344 win 65535

  62: 20:50:23.591873 72.31.9.17.1521 > 144.36.221.107.8155: . ack 2100896619 win 15947

  63: 20:50:23.922086 72.31.9.17.1521 > 144.36.221.107.8155: P 2961649344:2961650536(1192) ack 2100896619 win 16919

  64: 20:50:23.923963 144.36.221.107.8155 > 72.31.9.17.1521: P 2100896619:2100896632(13) ack 2961650536 win 64343

  65: 20:50:23.923993 72.31.9.17.1521 > 144.36.221.107.8155: . ack 2100896632 win 16906

  66: 20:50:24.245653 72.31.9.17.1521 > 144.36.221.107.8155: P 2961650536:2961650548(12) ack 2100896632 win 16397

  67: 20:50:24.246386 144.36.221.107.8155 > 72.31.9.17.1521: P 2100896632:2100896642(10) ack 2961650548 win 64331

  68: 20:50:24.246416 72.31.9.17.1521 > 144.36.221.107.8155: . ack 2100896642 win 16387

  69: 20:50:24.246584 144.36.221.107.8155 > 72.31.9.17.1521: F 2100896642:2100896642(0) ack 2961650548 win 64331

  70: 20:50:24.246615 72.31.9.17.1521 > 144.36.221.107.8155: . ack 2100896643 win 16387

  71: 20:50:24.566270 72.31.9.17.1521 > 144.36.221.107.8155: F 2961650548:2961650548(0) ack 2100896643 win 16394


mirober2
Cisco Employee

Hi Mohit,

The TCP window size is used to indicate to the sender how much data the receiver is willing to accept. When you see the window size decreasing, this usually means the receiver is having trouble keeping up with the amount of data it needs to process, so it asks the sender to send less data in an effort to lighten the load. This provides built-in flow control for TCP.

If you do a quick search for "TCP sliding window", you'll see some examples of why this happens.

In your captures, it looks like the SQL server at 72.31.9.17 is constantly adjusting its window to keep up with this and other data transfers it is probably processing. This is probably normal since the window is rising and falling (never going close to 0), but you can check with the server administrator to see if there is anything they can do to tune the performance on the server.

Hope that helps.

-Mike

Hi Mike, thanks for your response.

I do understand that the window size keeps on fluctuating, but what I am not able to understand is how I can see a FIN

33: 20:49:30.288132 144.36.221.107.8154 > 72.31.9.17.1521: F 1326297835:1326297835(0) ack 3201470724 win 64323

  34: 20:49:30.288177 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326297836 win 16387

  35: 20:49:30.616499 72.31.9.17.1521 > 144.36.221.107.8154: F 3201470724:3201470724(0) ack 1326297836 win 16394

  36: 20:49:30.616896 144.36.221.107.8154 > 72.31.9.17.1521: . ack 3201470725 win 64323

without the actual data transfer being completed, and the connection to the database server resets.

And it would be a great help, Mike, if you could help me with some links which help me understand the packet capture end to end.

Thanks in advance.

Rgds

Mohit Gupta

Hi Mohit,

What you see in packets 33-36 is a normal TCP teardown sequence (FIN-ACK, ACK, FIN-ACK, ACK). From a networking/TCP perspective, this connection ended normally and the client (144.36.221.107) is the one who initiated the closure. You'd have to look at logs on the client and the server to find out why the connection is being closed normally if the data transfer is not complete. There is no evidence of any reset on the captures themselves.

I'm not aware of documents that describe how to analyze packet captures, but you may want to check out this episode of the TAC Security Podcast:

TAC Security Podcast Episode #1 - Using the ASA Packet Capture Utility for Troubleshooting
https://supportforums.cisco.com/docs/DOC-12632

Hope that helps.

-Mike
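
Added example (not part of the original thread, and not Cisco code): a small Python parser for the capture line format posted above. It reports each endpoint's advertised-window range during the data phase, any zero-window packets, and which endpoint sent the first FIN or a RST. The name `analyze` and the summary field names are choices made for this example; `SAMPLE` is packets 28-36 copied from the original post.

```python
import re

# One packet line, e.g. "33: 20:49:30.288132 src.port > dst.port: F 1:1(0) ack 2 win 64323"
LINE = re.compile(
    r"^\s*(?P<n>\d+):\s+\S+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFPR.]+)\s+(?:\d+:\d+\(\d+\)\s+)?(?:ack\s+\d+\s+)?"
    r"win\s+(?P<win>\d+)"
)

# Packets 28-36 copied from the capture in the original post.
SAMPLE = """\
28: 20:49:29.961940 144.36.221.107.8154 > 72.31.9.17.1521: P 1326297812:1326297825(13) ack 3201470712 win 64335
29: 20:49:29.961986 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326297825 win 16905
30: 20:49:30.287430 72.31.9.17.1521 > 144.36.221.107.8154: P 3201470712:3201470724(12) ack 1326297825 win 16397
31: 20:49:30.287964 144.36.221.107.8154 > 72.31.9.17.1521: P 1326297825:1326297835(10) ack 3201470724 win 64323
32: 20:49:30.288010 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326297835 win 16387
33: 20:49:30.288132 144.36.221.107.8154 > 72.31.9.17.1521: F 1326297835:1326297835(0) ack 3201470724 win 64323
34: 20:49:30.288177 72.31.9.17.1521 > 144.36.221.107.8154: . ack 1326297836 win 16387
35: 20:49:30.616499 72.31.9.17.1521 > 144.36.221.107.8154: F 3201470724:3201470724(0) ack 1326297836 win 16394
36: 20:49:30.616896 144.36.221.107.8154 > 72.31.9.17.1521: . ack 3201470725 win 64323
"""

def analyze(capture):
    """Summarise each TCP connection: window range per sender, zero windows, how it closed."""
    conns = {}
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if m is None:
            continue  # not a TCP packet line (blank line, header, prose)
        src, flags, win = m["src"], m["flags"], int(m["win"])
        key = tuple(sorted((src, m["dst"])))  # same key for both directions
        c = conns.setdefault(key, {"win_range": {}, "zero_window": [], "first_fin": None,
                                   "fin_from": set(), "rst_from": None})
        if "R" in flags:
            c["rst_from"] = c["rst_from"] or src
            continue  # the window field of a reset is not a flow-control signal
        if "F" in flags:
            c["first_fin"] = c["first_fin"] or src
            c["fin_from"].add(src)
        if "S" in flags:
            continue  # handshake offer, excluded from the data-phase range
        lo, hi = c["win_range"].get(src, (win, win))
        c["win_range"][src] = (min(lo, win), max(hi, win))
        if win == 0:
            c["zero_window"].append(int(m["n"]))
    return conns

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A FIN from both endpoints with `rst_from` left as `None` is the orderly teardown described in the reply above; an empty `zero_window` list means neither side ever closed its receive window in the parsed packets.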
