Hello fellow packet sleuths;
I am in a predicament writing firewall software that's supposed to middleman an HTTP connection.
Here is the TCP stream of the non-middleman'd connection: https://i.imgur.com/slD6Ke2.png
Here is the TCP stream of the middleman'd connection: https://i.imgur.com/33rDBJo.png
My problem begins once an HTTP request is made across more then 1 packet. Once a request is split across 2 or more packets it never seems to get recreated on the initiating side properly.
The unexpected behavior begins after the 404 page is sent back. Instead of acknowledging receipt and terminating the connection, the client sends a "TCP Spurious Retransmission" of supposedly non-acknowledged data.
The data that is retransmitted is equal to the 2nd packets length offset from the start of the request. Meaning for some reason the client thinks only the first couple hundred bytes have been received, and re-transmits the 1460 it thinks is missing from the end of the request.
So if packet 67 has an HTTP payload length of 400 bytes, the retransmit will contain information starting from payload byte 400 in packet 66 and go all the way up through information sent in packet 67, totaling 1460 bytes.
What can be causing this re transmit of already acknowledged information? Why doesn't the middleman'd connection acknowledge receipt and terminate the connection like the non-middleman'd one?
I've spent too many hours banging my head on this, any assistance would be greatly appreciated.