ack followed by fin,ack no reset 2

[jimfixit]

I am tooling along in a wireshark capture when all of a sudden I see a series of about 6 ack packets followed immediately by fin acks. The reset flag is not set in the fin ack. All of these pairs of packets (both the ack, and the fin ack) originate from different sources, close in IP address but not sequential. They all go to the same destination ip.

It's a small trace so I don't see any other conversation between these addresses and the destination, just these rapid succession ack, fin acks. The destination server never responds. Wireshark expert info lables them as 'chats'. The source in every case is a citrix server the dest is a citrix web server.

Patterns:
Source IP Dest IP Sprt Dprt data
172.16.1.33 172.16.1.1 8888 4064 [ACK] seq 0 ack 0
172.16.1.33 172.16.1.1 8888 4064 [Fin ACK] seq 0 ack 0
172.16.1.34 172.16.1.1 8888 4064 [ACK] seq 0 ack 0
172.16.1.34 172.16.1.1 8888 4064 [Fin ACK] seq 0 ack 0

and so on...

 

[LawnBoy]

Never seen that, but we don't run citrix. Any chance it could be some sort of "heartbeat" to your web server?

 

[tfg13]

It would really help to have more information. 1st, I don't see the protocol. Was it TCP, or UDP? If neither, was it just IP headers sent? Did you look at the Hex of the output? Have you tried using "tshark" and filter for these host/dest servers (tshark will allow a "better" hex dump as it doesn't interpret the hex like wireshark does. It is also strictly command line)? How often does it happen? Have you saved a PCAP of those findings for further analysis?