While looking through some trace files the other day (you know, rather than go walk in the sunshine, grab lunch with friends, or any other "normal" activity), I noticed an interesting set of items in the Expert.
Do you see the second item in that list? "4 NOP in a row - a router may have removed some options"? That's a big red flag - something you should never see.
Let's look at one of these packets.
When a TCP host sends a SYN or SYN/ACK packet, it fills out the TCP options field. Because of the architecture of the TCP header length field, all TCP headers must end on a 4-byte boundary. If an option is too short (as in the case of the SACK option), we expect TCP to prepend one or more NOPs (No-Operation) bytes (0x01).
For example, the SACK permitted option is only 2 bytes long. We expect it to be preceded by 2 NOPs. In the image above, the SACK permitted option is preceded by 2 NOPs. Above that, however, we see 4 NOPs in a row. This is clearly a sign that an infrastructure device (likely something like a router or firewall) has altered the original option located at that point.
Lousy, stinkin' infrastructure device! Why would it do that? Did someone configure the device to "dummy down" the network? Is the device just plain ignorant of how TCP should work on the network. Certainly this would warrant an investigation along the path to determine when the option was replaced.
Then reconfigure or replace that piece of #)*($ on your network.
- Laura Chappell
(Woman who hates 4 NOPs)