Mismatch between SEQ and ACK in TCP
I have been trying to figure out a case where a TCP connection between an HTTP client and HTTP server remains in ESTABLISHED state, lingering. This happens for 1 or 2 connections out of 1000+ connections. It is not clear if the client / server is at fault here.
I wrote a Python script (using scapy) to capture all the TCP packets to figure out the root cause and I faced this specific case, where the TCP SEQ and ACK seem to be a mismatch and it is confusing me.
Here is the interesting part of the log, from the scapy script: (after lots of packets on the same port 53332)
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [ A] seq:769374665 ack:844297577 len:0
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [PA] seq:769374665 ack:844297577 len:90
HTTP/1.1 200 OK
content-type: application/json; charset=UTF-8
content-length: 389255
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [ A] seq:769374755 ack:844297577 len:8949
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [PA] seq:769383704 ack:844297577 len:8949
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [ A] seq:769392653 ack:844297577 len:8949
2019-12-21 15:54:43 10.0.1.3:53332 -> 10.0.1.2:8080 [ A] seq:844297577 ack:769383704 len:0
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [PA] seq:769401602 ack:844297577 len:8949
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [ A] seq:769410551 ack:844297577 len:8949
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [PA] seq:769419500 ack:844297577 len:8949
2019-12-21 15:54:43 10.0.1.3:53332 -> 10.0.1.2:8080 [ A] seq:844297577 ack:769401602 len:0
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [ A] seq:769428449 ack:844297577 len:8949
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [PA] seq:769437398 ack:844297577 len:8949
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [ A] seq:769446347 ack:844297577 len:8949
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [PA] seq:769455296 ack:844297577 len:8949
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [ A] seq:769464245 ack:844297577 len:8949
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [PA] seq:769473194 ack:844297577 len:8949
2019-12-21 15:54:43 10.0.1.3:53332 -> 10.0.1.2:8080 [ A] seq:844297577 ack:769446347 len:0
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [ A] seq:769482143 ack:844297577 len:8949
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [PA] seq:769491092 ack:844297577 len:8949
... scapy script must have missed several packets here ...
2019-12-21 15:54:43 10.0.1.3:53332 -> 10.0.1.2:8080 [ A] seq:844297577 ack:769750613 len:0
2019-12-21 15:54:43 10.0.1.3:53332 -> 10.0.1.2:8080 [ A] seq:844297577 ack:769764010 len:0
After a couple of hours:
2019-12-21 17:54:45 10.0.1.2:8080 -> 10.0.1.3:53332 [ A] seq:769764009 ack:844297577 len:0
2019-12-21 17:54:45 10.0.1.3:53332 -> 10.0.1.2:8080 [ A] seq:844297577 ack:769764010 len:0
At 15:54:43, the client has responded with ACK of 769764010, indicating it has received data up to 769764010. After 2 hours, the server is sending a SEQ of 769764009, which is 1 less than the ACK. And the client has continued to send the ACK of 769764010.
I am perplexed as to how SEQ can be less than ACK (or how ACK can be greater than SEQ). I have verified that on both systems, the connection is still in ESTABLISHED state, so neither has sent a FIN, which would have caused the seq numbering to increase.
What am I missing?
This is actually @user207421's answer, but the user chose to comment, so I am writing this answer.
There was no problem in the first place. They were TCP keepalive packets, and all TCP keepalive packets are simply an ACK with the sequence number set to one less than the current sequence number for the connection.
Hence there was really no mismatch.
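As an added illustration (not code from the question or the answer), the following Python function applies the rule from the answer to a log in the question's format: a segment with no SYN/FIN/RST, at most one byte of payload, and a sequence number one below what the peer last acknowledged is reported as a keepalive probe, together with how long the connection had been idle. The name `find_keepalives` and the one-byte payload allowance are assumptions of this example.

```python
import re
from datetime import datetime

LINE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+) \[\s*(\w+)\] "
                  r"seq:(\d+) ack:(\d+) len:(\d+)$")

# Sample input constructed from four lines of the question's log.
SAMPLE = """\
2019-12-21 15:54:43 10.0.1.2:8080 -> 10.0.1.3:53332 [PA] seq:769491092 ack:844297577 len:8949
2019-12-21 15:54:43 10.0.1.3:53332 -> 10.0.1.2:8080 [ A] seq:844297577 ack:769764010 len:0
2019-12-21 17:54:45 10.0.1.2:8080 -> 10.0.1.3:53332 [ A] seq:769764009 ack:844297577 len:0
2019-12-21 17:54:45 10.0.1.3:53332 -> 10.0.1.2:8080 [ A] seq:844297577 ack:769764010 len:0
"""

def find_keepalives(log_text):
    """Return (timestamp, src, dst, idle_seconds) for each keepalive probe."""
    last_ack = {}   # (acker, peer) -> latest ACK number acker sent to peer
    last_seen = {}  # frozenset({a, b}) -> time of the previous packet seen
    probes = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # payload lines (HTTP headers) and notes are skipped
        ts, src, dst, flags = m.group(1, 2, 3, 4)
        seq, ack, length = (int(x) for x in m.group(5, 6, 7))
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        conn = frozenset((src, dst))
        expected = last_ack.get((dst, src))  # next byte the peer expects
        # Keepalive probe: no SYN/FIN/RST, at most one garbage byte, and
        # seq one below the peer's ACK (modulo 2**32 for wraparound).
        if (expected is not None and length <= 1
                and not set(flags) & set("SFR")
                and (expected - seq) % 2**32 == 1):
            idle = (when - last_seen[conn]).total_seconds()
            probes.append((ts, src, dst, idle))
        if "A" in flags:
            last_ack[(src, dst)] = ack
        last_seen[conn] = when
    return probes

if __name__ == "__main__":
    for probe in find_keepalives(SAMPLE):
        print("keepalive probe at %s from %s to %s after %.0f s idle" % probe)
```

On the sample, only the server's 17:54:45 segment is flagged; the client's reply is an ordinary ACK repeating 769764010, which is why its numbers look unchanged.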