# Duplicate Get Requests

## hosler

Hey fellas,

I have a weird one here. For some urls I can see via tcpdump that my computer is issuing duplicate get requests:

```
crono ~ # tcpdump -i enp7s0f0 host skyhook.sonarr.tv
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0f0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:24:50.800087 IP 192.254.70.238.51122 > skyhook.sonarr.tv.http: Flags [S], seq 357603224, win 29200, options [mss 1460,sackOK,TS val 2565913199 ecr 0,nop,wscale 7], length 0
18:24:50.808834 IP skyhook.sonarr.tv.http > 192.254.70.238.51122: Flags [S.], seq 1795201529, ack 357603225, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
18:24:50.808856 IP 192.254.70.238.51122 > skyhook.sonarr.tv.http: Flags [.], ack 1, win 229, length 0
18:24:50.808892 IP 192.254.70.238.51122 > skyhook.sonarr.tv.http: Flags [P.], seq 1:116, ack 1, win 229, length 115: HTTP: GET /v1/tvdb/search/en/?term=das%20boot HTTP/1.1
18:24:51.021586 IP 192.254.70.238.51122 > skyhook.sonarr.tv.http: Flags [P.], seq 1:116, ack 1, win 229, length 115: HTTP: GET /v1/tvdb/search/en/?term=das%20boot HTTP/1.1
18:24:51.030311 IP skyhook.sonarr.tv.http > 192.254.70.238.51122: Flags [.], ack 116, win 29, options [nop,nop,sack 1 {1:116}], length 0
18:24:51.354361 IP skyhook.sonarr.tv.http > 192.254.70.238.51122: Flags [.], seq 1:1461, ack 116, win 29, length 1460: HTTP: HTTP/1.1 200 OK
```

This is causing my http client to stall out with whatever action it is doing. Please help me debug what is happening here. I have already tried removing all kernel options related to my docker and libvirt stuff as well as made sure my iptables are clean when testing. This is only happening for some urls and all https connections appear to work fine.

----------

## mike155

 *Quote:*   

> my computer is issuing duplicate get requests:

 

Your dump probably shows an ordinary TCP retransmission. Most probably, the client retransmitted the "GET" frame, because the server didn't send an ACK to the client's first 'GET' frame within the client's Retransmission Timeout (RTO) period. Nothing wrong with that - that's how TCP works.

Don't ask: why did the client retransmit the frame? Ask: why didn't the client receive an ACK to its first "GET" frame?

----------

## hosler

Hey Mike,

Thanks for the reply. If it was a retransmit, wouldn't the client be able to handle it? I'm seeing a lot of my software (curl, wget, docker pull requests) stall out because of this "duplicate" packet. Furthermore, netstat -s does not show the retransmit packet count increment after I reproduce the issue. I'm not really a networking guy, so I hope I'm troubleshooting this the right way.

Would duplicate packets generated from an ethernet card hardware failure show up in tcpdump on the computer that has the faulty card?

----------

## mike155

I'm sorry, but I don't see anything wrong in the dump you showed us. The client program sends a GET message and the TCP stack repeats that frame after 0.22 seconds. After that, the server sends an answer ("200 OK"). That's perfectly fine. And I don't see any reason why a client application (curl, wget, docker pull requests) would stall after that. Maybe you showed us the wrong dump - or something else is wrong.

You may want to repeat your test with Wireshark. Wireshark will show you all TCP/IP flags and fields. It will also show you the contents of the messages. It would be interesting to see the complete contents of the "200 OK" answer message.

Does your router provide a traffic dump option? Some routers do... You could compare the dump of your router with the dump on your client machine (open the dumps in 2 separate Wireshark windows). Look for frames that get lost between your client computer and your router.
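The retransmission described in the replies above can be picked out of a capture mechanically. The following is an added example, not part of any post in this thread: it parses tcpdump's default one-line output, flags a data segment sent twice with the same sequence range, and also flags D-SACK blocks (RFC 2883), where a SACK block at or below the cumulative ACK means the receiver saw that range more than once. The function and variable names are assumptions of this example, and `SAMPLE` holds four lines copied from the capture posted at the top of the thread.

```python
import re
from datetime import datetime

# Four data-carrying lines copied from the capture posted in this thread.
SAMPLE = """\
18:24:50.808892 IP 192.254.70.238.51122 > skyhook.sonarr.tv.http: Flags [P.], seq 1:116, ack 1, win 229, length 115: HTTP: GET /v1/tvdb/search/en/?term=das%20boot HTTP/1.1
18:24:51.021586 IP 192.254.70.238.51122 > skyhook.sonarr.tv.http: Flags [P.], seq 1:116, ack 1, win 229, length 115: HTTP: GET /v1/tvdb/search/en/?term=das%20boot HTTP/1.1
18:24:51.030311 IP skyhook.sonarr.tv.http > 192.254.70.238.51122: Flags [.], ack 116, win 29, options [nop,nop,sack 1 {1:116}], length 0
18:24:51.354361 IP skyhook.sonarr.tv.http > 192.254.70.238.51122: Flags [.], seq 1:1461, ack 116, win 29, length 1460: HTTP: HTTP/1.1 200 OK
"""

# timestamp, source, destination, then everything after the Flags field
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): Flags \[[^\]]*\],(.*)$")


def analyze(capture):
    """Return findings for repeated data segments and D-SACK blocks.

    Assumes tcpdump's default relative sequence numbers and a capture
    that does not cross midnight.
    """
    first_seen = {}  # (src, dst, seq_start, seq_end) -> time first sent
    findings = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        src, dst, rest = m.group(2), m.group(3), m.group(4)
        seq = re.search(r"\bseq (\d+):(\d+)", rest)  # only data segments have a range
        if seq:
            key = (src, dst, int(seq.group(1)), int(seq.group(2)))
            if key in first_seen:
                delay = (ts - first_seen[key]).total_seconds()
                findings.append(("retransmission", src, key[2:], round(delay, 3)))
            else:
                first_seen[key] = ts
        ack = re.search(r"\back (\d+)", rest)
        for left, right in re.findall(r"\{(\d+):(\d+)\}", rest):
            # A SACK block not above the cumulative ACK is a D-SACK (RFC 2883).
            if ack and int(right) <= int(ack.group(1)):
                findings.append(("dsack", src, (int(left), int(right)), int(ack.group(1))))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

On the thread's capture this reports the GET segment `1:116` sent again after 0.213 s, and the server's ACK carrying `sack 1 {1:116}` with `ack 116`, which is a D-SACK: the server is reporting that it received that range more than once.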

----------

## hosler

Unfortunately this is a remote server and I don't have access to any of its routers. I do, however, have a second server in the same data center, but it's on a different subnet. I was toying with the idea of routing all my traffic through that server somehow so I could see a kind of man in the middle tcpdump, but I'm not sure how to do that, as it's on a different subnet. The second server, by the way, does not have this weird GET request issue.

----------

## hosler

Just to add a little more context, here is a video of what I'm experiencing:

https://imgur.com/pU7ENi3

----------

