This is normal when doing a long term capture, as there are only 65536 possible source ports, so in due time these ports are being reused.ĭepending on the setup, the source IP address could end up being the same for every user (NAT and/or Loadbalancing are examples). The wireshark note "" means that in the packet capture file, there is a new connection for a 5-tuple (ip-src,ip-dst,protocol,srcport,dstport) that was seen before in the packet capture. Can anyone validate or put holes in my theory of them not logging out correctly? The origination ports are the ports that are being reused. The ports are going to a https site (443) which will never change. Can this cause this type of issue when their sessions timeout instead of getting closed manually and correctly? What controls the ports that are being reused. He said that user 2 was using the site in the morning and let it timeout. I asked the user 1 if user 2 was using CATS in the morning and let it timeout. He said yes and I asked if it failed to login in and I got a yes. I asked user 1 if someone else was there and using the site. While sitting there testing with this user 1 I say those messages go by with. Later that afternoon I was testing and his session continued to work. That way I got a full capture of connect and disconnect. I had him logout because were not going to test till later in the day. However that morning when I started the initial packet captures I had the user 1 login and try it. How can I look into what is causing the reused ports? I asked the users how they login and out of the site and they said to me that they usually login and let the session time out. I see the "TCP Port numbers reused" at every failure. All routes and traffic are working as expected. The browser says "Can't reach this page". In the afternoon the same connection is trying to be made I see in Wireshark and the client fails to get logged into the site. I however have another IP 192.168.1.30 that worked in the AM of said day. I see packets coming from an IP lets just say 192.168.1.47 that authenticate to a webserver with no problem.
0 Comments
Leave a Reply. |