I have a situation that would like to clarify with the experts here. I am no network expert so maybe it's normal, but i rather ask.
We are trying to diagnose a problem between two servers, both are virtual servers, one is windows and the other is Linux.
What I find weird is that looking at the traffic between the two servers (as seen on the Windows virtual server by using Wireshark), is this particular sequence of TCP packets:
- Linux server sends a FIN, ACK
- Windows server responds with ACK
- Windows server sends a FIN, ACK
- Linux server responds with RST
Between 3 and 4 the Windows server sends an ARP broadcast asking for the linux server (who has "linux ip"? tell "windows ip").
I could also mention that:
- Linux virtual server runs on top a linux host, that has bonded interfaces presented to the linux virutal server
- Windows virtual server runs on top of a VMWare platform
- Both Windows and Linux server are in the same VLAN
So the question is; is this behavior normal or is there something we should look into?
Here is an image of the log file; .46 is the Linux server and .167 is the Windows server.
Wireshark capture
Best Answer
Finally we didn't see a problem in this behaviour and we looked to a full capture of the use case and this only appeared on the end of the test, not during it. So I guess that's only weird but not a real problem.
What we finally did was export the Wireshart capture to a PDML file, and we parsed that with a program we built to analize and correlate information using the TCP Streams. With that we were able to know how long a server took to respond to a HTTP request, and that helped a lot to get some insight of the root problem.