tcpdump packets length mismatch
I'm trying to find out why my application has huge network traffic, particularly outbound traffic.
Researching the issue, I found a number of such packets where the length mismatches the difference between the sequence numbers (see the example below):
len = 47688 - 47195 = 463, which is exactly the length of the response.
But the length field indicates that the length is over 40MB, which is an odd size for a redirect response. I'd expect those numbers to be the same.
What can it mean and how is it possible?
The command:
sudo tcpdump -nn -A 'port 80 and src host 172.25.2.20'
An example of suspicious packet:
22:01:08.829010 IP 172.25.2.20.80 > 172.25.2.7.5353: Flags [P.], seq 47195:47688, ack 73973, win 1389, options [nop,nop,TS val 179483194 ecr 867273499], length 49321584 update+% [b2&3=0x2f31] [8243a] [11825q] [12338n] [8262au][|domain]
....m^a.....!K|@..............P.....,s.
..:3...HTTP/1.1 302 Found
Server: nginx
Date: Fri, 02 Mar 2018 22:01:08 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=2
Etag: "fdGd1xOMm9JndEsCTLr-3gnaNW-dTGhoVi9Lb_rtYA0="
Location: https://match.sharethrough.com/sync/v1?source_id=882ef0fa44a9ae20d4421c83&source_user_id=fdGd1xOMm9JndEsCTLr-3gnaNW-dTGhoVi9Lb_rtYA0%3D
Set-Cookie: pl_user_id=fdGd1xOMm9JndEsCTLr-3gnaNW-dTGhoVi9Lb_rtYA0=; Domain=powerlinks.com; Max-Age=315360000
UPD: As it happens in AWS Cloud, I've asked them to revise the bills and explain the charges which were based on Network Usage. I'm waiting for their response.
networking http tcpdump
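A check of the kind the question does by hand, added here as an example (it is not the asker's code): it pulls the summary lines out of tcpdump -A output, skipping the payload dumps, compares the byte count implied by each seq range with the printed length, and totals outbound bytes from the seq deltas instead of the printed length. The first sample line is the segment quoted above; the other two segments are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
# Summary line tcpdump prints per TCP segment; the payload lines from -A never match it.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[[^\]]*\],(?: seq (?P<lo>\d+)(?::(?P<hi>\d+))?,)?.*?\blength (?P<len>\d+)"
)

@dataclass
class Segment:
    ts: str
    src: str
    dst: str
    seq_bytes: int | None  # hi - lo from "seq lo:hi"; None when tcpdump printed no range
    length: int            # the "length N" that tcpdump printed

    @property
    def mismatch(self) -> bool:
        # Sequence numbers count payload bytes, so the seq range and the length must agree.
        return self.seq_bytes is not None and self.seq_bytes != self.length

def parse_tcpdump(text: str) -> list[Segment]:
    segs = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue  # -A payload dump line, or a non-TCP packet
        seq_bytes = int(m["hi"]) - int(m["lo"]) if m["hi"] else None
        segs.append(Segment(m["ts"], m["src"], m["dst"], seq_bytes, int(m["len"])))
    return segs

def suspicious(segs: list[Segment]) -> list[Segment]:
    return [s for s in segs if s.mismatch]

def bytes_by_seq(segs: list[Segment]) -> int:
    # Volume estimate from seq deltas (what the peer acknowledges), not the printed length.
    return sum(s.seq_bytes for s in segs if s.seq_bytes is not None)
# Constructed sample: first line is the segment quoted in the question plus one of its -A
# payload lines; the next two segments are made up (a normal 302, then a bare ACK).
SAMPLE = """\
22:01:08.829010 IP 172.25.2.20.80 > 172.25.2.7.5353: Flags [P.], seq 47195:47688, ack 73973, win 1389, options [nop,nop,TS val 179483194 ecr 867273499], length 49321584 update+% [b2&3=0x2f31] [8243a] [11825q] [12338n] [8262au][|domain]
..:3...HTTP/1.1 302 Found
22:01:08.901234 IP 172.25.2.20.80 > 172.25.2.7.41200: Flags [P.], seq 1:494, ack 321, win 1389, options [nop,nop,TS val 179483201 ecr 867273510], length 493
22:01:08.901500 IP 172.25.2.20.80 > 172.25.2.7.41200: Flags [.], ack 322, win 1389, options [nop,nop,TS val 179483202 ecr 867273511], length 0
"""
if __name__ == "__main__":
    for s in suspicious(parse_tcpdump(SAMPLE)):
        print(f"{s.ts} {s.src} > {s.dst}: seq range {s.seq_bytes} B but printed length {s.length} B")
```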
If you are asking something about the output of a command, please include the command with the exact parameters you used.
– Rui F Ribeiro
Mar 5 at 19:11
@RuiFRibeiro, thanks! I've updated the question!
– max
Mar 5 at 19:23
Could you explain the length mismatch better? I have got a hunch, but not sure.
– Rui F Ribeiro
Mar 5 at 20:06
@RuiFRibeiro I added some explanation to the question to make it clearer. Looking forward to hearing your thoughts :)
– max
Mar 5 at 20:13
My first thought was that you were missing a tcpdump option, but it is not that. Maybe TSO, not sure.
– Rui F Ribeiro
Mar 5 at 20:31
edited Mar 13 at 22:06
asked Mar 5 at 16:46
max