Bro behind a TLS reverse proxy

FYI - I was able to run the test commands on a VirtualBox VM and the results show that the date appears correct.

$ tshark -t ud -r lo-port-80.pcap
1 2018-04-10 15:36:12 ::1 → ::1 TCP 94 37816 > http [SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=4294908231 TSecr=0 WS=128
2 2018-04-10 15:36:12 ::1 → ::1 TCP 74 http > 37816 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3 2018-04-10 15:36:12 127.0.0.1 → 127.0.0.1 TCP 74 32966 > http [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=4294908231 TSecr=0 WS=128
4 2018-04-10 15:36:12 127.0.0.1 → 127.0.0.1 TCP 54 http > 32966 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
$

Philip

Hi Philip,

I’m not sure what differs between your environment and mine. On my VirtualBox C7 box I see the bad packet (pcaps attached):
[vagrant@localhost ~]$ sha1sum pcaps/lo-port80.pcap
6f44be24c1491ddf4285c6e4c585fc1d8b307439 pcaps/lo-port80.pcap
[vagrant@localhost ~]$ tshark -t ud -r pcaps/lo-port80.pcap | head -n6
1 2018-04-09 23:16:28 ::1 → ::1 TCP 94 58156 > http [SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=8358348 TSecr=0 WS=64
2 2018-04-09 23:16:28 ::1 → ::1 TCP 74 http > 58156 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3 2018-04-09 23:16:28 127.0.0.1 → 127.0.0.1 TCP 74 43060 > http [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349 TSecr=0 WS=64
4 1971-02-20 11:53:55 127.0.0.1 → 127.0.0.1 TCP 74 http > 43060 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349 TSecr=8358349 WS=64
5 2018-04-09 23:16:28 127.0.0.1 → 127.0.0.1 TCP 66 43060 > http [ACK] Seq=1 Ack=1 Win=43712 Len=0 TSval=8358349 TSecr=8358349
6 2018-04-09 23:16:28 127.0.0.1 → 127.0.0.1 HTTP 139 GET / HTTP/1.1

I ran another test today on C7 bare metal, and this time I saw a problem with the first SYN-ACK packet, but this time the timestamp was far in the future:
[brandon.sterne@s-mxq61403r3 pcaps]$ sha1sum lo-port-80-bm.pcap
20dbe8f5e67668ef1f6e37724910470cd4e47d74 lo-port-80-bm.pcap
[brandon.sterne@s-mxq61403r3 pcaps]$ tshark -t ud -r lo-port-80-bm.pcap | head -n6
1 2018-04-10 17:13:22 ::1 → ::1 TCP 94 53636 > http [SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=3967522213 TSecr=0 WS=128
2 2018-04-10 17:13:22 ::1 → ::1 TCP 74 http > 53636 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3 2018-04-10 17:13:22 127.0.0.1 → 127.0.0.1 TCP 74 42944 > http [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3967522213 TSecr=0 WS=128
4 2061-07-14 21:16:16 127.0.0.1 → 127.0.0.1 TCP 74 http > 42944 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3967522213 TSecr=3967522213 WS=128
5 2018-04-10 17:13:22 127.0.0.1 → 127.0.0.1 TCP 66 42944 > http [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3967522213 TSecr=3967522213
6 2018-04-10 17:13:22 127.0.0.1 → 127.0.0.1 HTTP 139 GET / HTTP/1.1

Do others see anything like this? I appreciate any help you can offer in reducing the test case and identifying the offending software.

Best,

Brandon

lo-port-80-bm.pcap (2.44 KB)

lo-port80.pcap (2.65 KB)
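As a first step toward the reduction Brandon asks for, here is an added Python example (not code from this thread, from Bro, or from tshark) that walks the libpcap global and record headers directly and reports any record whose timestamp is more than a configurable number of seconds away from the last plausible one. The capture it checks is constructed inside the script: six records shaped like the first capture above, with record 4 carrying a ts_sec that decodes to 1971-02-20 11:53:55 UTC. It does not read the attached files; to check one of them, pass the file bytes to find_timestamp_anomalies. The function names and the 60-second default gap are my own choices.

```python
"""Flag pcap records whose capture timestamp jumps far away from its neighbours."""
import calendar
import struct
from datetime import datetime, timezone

# Classic libpcap magic values, read from the file as a little-endian uint32.
# The value seen tells us both the file's byte order and the timestamp units.
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian file, microsecond fractions
    0xD4C3B2A1: (">", 1_000_000),      # big-endian file, microsecond fractions
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian file, nanosecond fractions
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian file, nanosecond fractions
}


def parse_pcap(data):
    """Yield (record_number, timestamp_seconds, packet_bytes) for every record."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in PCAP_MAGICS:
        raise ValueError(f"not a libpcap file (magic {magic:#x})")
    endian, frac_units = PCAP_MAGICS[magic]
    offset = 24  # global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    number = 1
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_frac, incl_len, orig_len (all 32-bit, file byte order)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        pkt = data[offset:offset + incl_len]
        if len(pkt) < incl_len:
            raise ValueError(f"record {number} is truncated")
        offset += incl_len
        yield number, ts_sec + ts_frac / frac_units, pkt
        number += 1


def find_timestamp_anomalies(data, max_gap=60.0):
    """Return records whose timestamp is more than max_gap seconds from the last sane one.

    A flagged record is not adopted as the new reference, so a single corrupt
    header (like the 1971 or 2061 SYN-ACK above) is reported once and the
    packets after it are still compared against the last plausible time.
    """
    anomalies = []
    reference = None
    for number, ts, _pkt in parse_pcap(data):
        if reference is not None and abs(ts - reference) > max_gap:
            anomalies.append({"index": number, "ts": ts, "reference": reference,
                              "delta": ts - reference})
            continue
        reference = ts
    return anomalies


def utc_str(ts):
    """Render a timestamp the way `tshark -t ud` does."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_pcap(records, endian="<", linktype=1):
    """Build a microsecond-resolution pcap image from (ts_sec, ts_usec, payload) tuples.

    Constructed test data only; the payloads are zero-filled placeholders.
    """
    out = bytearray(struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for ts_sec, ts_usec, payload in records:
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(payload), len(payload))
        out += payload
    return bytes(out)


# Constructed sample shaped like the first capture in the thread: records 1-3 and 5-6
# at 2018-04-09 23:16:28 UTC, record 4 (the SYN-ACK) at 1971-02-20 11:53:55 UTC.
GOOD = calendar.timegm((2018, 4, 9, 23, 16, 28))
BAD = calendar.timegm((1971, 2, 20, 11, 53, 55))
SAMPLE_PCAP = build_pcap([
    (GOOD, 100, b"\x00" * 94),
    (GOOD, 200, b"\x00" * 74),
    (GOOD, 300, b"\x00" * 74),
    (BAD, 300, b"\x00" * 74),    # the corrupt SYN-ACK record
    (GOOD, 400, b"\x00" * 66),
    (GOOD, 500, b"\x00" * 139),
])

if __name__ == "__main__":
    for a in find_timestamp_anomalies(SAMPLE_PCAP):
        print(f"record {a['index']}: {utc_str(a['ts'])} is {a['delta']:+.0f}s "
              f"from the last plausible time {utc_str(a['reference'])}")
```

Because the script decodes the record header itself, a hit tells you the bad value is already in the file's ts_sec field, which narrows the search to whatever wrote the capture (libpcap and the kernel tap it used) rather than to the tool displaying it.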