Reputation: 73
What is the difference between these 2 TCP packet captures? One doesn't work
Senario 1: TCP string containing "PV_MOTION_ON" is sent by a simple utility like PacketSender to an automation program for parsing TCP strings. It works perfectly.
Scenario 1 WireShark PCAP File
Scenario 2: The exact same TCP string is sent from an IP Camera. The TCP parsing utility only sees a connection being made, and then dropping with no payload data.
Scenario 2 WireShark PCAP File
I'm not good enough to see the functional difference. Any ideas on what's going on??
Note: 192.168.2.150 is the RECEIVING the packets in both scenarios
Upvotes: 0
Views: 158
Answers (1)
Reputation: 123260
I have no idea what this "TCP parsing utility" is but I assume it is something which does not work on the normal TCP stack but instead has either some custom stack (i.e. some embedded system with minimal stack) or tries to capture traffic and process it manually - but wrong.
The difference between these two pcap's is that PacketSender first does the TCP handshake and only then sends the data while the Axis sends the data already within the last packet of the handshake:
PacketSender Axis
> SYN > SYN
< SYN+ACK < SYN+ACK
> ACK > ACK + "PV_MOTION_ON"
> "PV_MOTION_ON"
It is perfectly valid TCP how the Axis behaves. It is kind of unusual though since typical socket programming techniques don't make it easy to send packets like the Axis does. The problem is still a wrong assumption inside the "TCP parsing utility" about how TCP works.
Upvotes: 1
Related Questions
- Understanding [TCP ACKed unseen segment] [TCP Previous segment not captured]
- tcpdump / wireshark capturing problems
- Understanding tshark output
- Get tcpstream - wireshark vs tshark
- Incorrect acknowledgements in TCP
- Why is my program reporting more captured packets than Wireshark?
- different tcp packets captured on sender and receiver
- Difference between two similar tcpdump filters
- Capturing incoming tcp/ip packets
- problem in capturing tcp packet properly