Some weeks ago, we had a strange issue: We have an hl7 messaging service, and one of the clients that send us some messages, was telling there´s some delay with our queues. We had to put a sniffer in the client, client firewall, server and 4 firewalls that are in our environment.
The client tells us, that some packets are getting stuck for 3 seconds, and we saw that this packet, was retransmitting. Here we could see the first SYN and the tcp retransmission 3 seconds later.
Sometimes, you don´t have the time synchronized in all the systems, so you will need to make sure which packet you are displaying. Here I will show you the Packet bytes pane of the first SYN and below, the packet bytes from the TCP retransmission:
First SYN – Packet bytes pane. The identification value is 0x4253
TCP Retransmission – Packet bytes pane. The identification´s value: 0x4521
Now I will show you the server side *.pcap, where we only see one of the packets. The first SYN wasn´t reaching the server.
Now we could see on the server side, the IP identification of the packet, that corresponds, with the TCP Retransmission. Value: 0x4521
The problem was in the client´s firewall, but the propose of this message, was trying to identify a TCP retransmission packet, because identifying the packet with the time isn´t a good idea.
Maybe this is too obvious for most of you, but I think it could help for some people.