What is [PSH, ACK] doing during my connection to a global catalog server?
PSH is a Push flag: http://ask.wireshark.org/questions/20423/pshack-wireshark-capture
The Push flag tells the receiver's network stack to "push" the data straight to the receiving socket, and not to wait for any more packets before doing so.
The Push flag usually means that data has been sent whilst overriding an in-built TCP efficiency delay, such as Nagle's Algorithm or Delayed Acknowledgements.
These delays make TCP networking more efficient at the cost of some latency (usually around a few tens of milliseconds). A latency-sensitive application does not want to wait around for TCP's efficiency delays, so the application will usually disable them, causing data to be sent as quickly as possible with a Push flag set.
On Linux, this is done with the setsockopt() flags TCP_QUICKACK and TCP_NODELAY. See man 7 socket for more information.
@DarkMoon explained what the PSH flag signifies. With regard to your data, the connection establishment completes (3-way handshake), then, yes, the client sent 194 bytes of data to the server (Len=194). The server did not like the data and closed the connection. Potentially the client isn't configured properly to communicate with the server or vice versa, e.g. an SSL/TLS mismatch.
If you have access, I'd suggest examining the logs on the server to see if it logged what it didn't like about the client's data.
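Added example, not part of either answer above: a Python sketch that decodes the TCP flag bits Wireshark summarises as [PSH, ACK] and flags the pattern described in the second answer, where the client pushes data and the server closes without sending anything back. The segments, port numbers and function names are constructed for this illustration; the server's close is assumed to be a FIN or RST.

```python
import struct

# Flag bits in the low byte of TCP header bytes 12-13, listed low bit first
# (the same order Wireshark uses in its [PSH, ACK] style summary).
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
HDR = "!HHIIHHHH"  # 20-byte TCP header without options

def build_segment(sport, dport, seq, ack, flags, payload=b""):
    """Build a constructed sample segment (checksum left at 0)."""
    return struct.pack(HDR, sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload

def parse_segment(raw):
    """Decode ports, flag names and payload length from a raw TCP segment."""
    sport, dport, _seq, _ack, off_flags, _win, _sum, _urg = struct.unpack(HDR, raw[:20])
    header_len = (off_flags >> 12) * 4  # data offset is counted in 32-bit words
    flags = [name for bit, name in FLAG_BITS if off_flags & bit]
    return {"sport": sport, "dport": dport, "flags": flags, "len": len(raw) - header_len}

def label(seg):
    """Render a segment the way the capture summary shows it."""
    return "[%s] Len=%d" % (", ".join(seg["flags"]), seg["len"])

def diagnose(raw_segments, server_port):
    """Flag the pattern: client sends data, server closes without sending any."""
    client_bytes = server_bytes = 0
    for seg in map(parse_segment, raw_segments):
        if seg["sport"] == server_port:
            server_bytes += seg["len"]
            if {"FIN", "RST"} & set(seg["flags"]) and client_bytes and not server_bytes:
                return "server closed after %d client bytes, sent no data" % client_bytes
        else:
            client_bytes += seg["len"]
    return "no early server close seen"

# Constructed capture: handshake, one 194-byte client push, server close.
C, S = 50000, 3268  # assumed ports; 3268 is the usual global catalog LDAP port
SAMPLE = [
    build_segment(C, S, 100, 0, 0x02),                    # [SYN]
    build_segment(S, C, 900, 101, 0x12),                  # [SYN, ACK]
    build_segment(C, S, 101, 901, 0x10),                  # [ACK]
    build_segment(C, S, 101, 901, 0x18, b"\x00" * 194),   # [PSH, ACK] Len=194
    build_segment(S, C, 901, 295, 0x11),                  # [FIN, ACK]
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(label(parse_segment(raw)))
    print(diagnose(SAMPLE, S))
```

A match here only narrows the problem to the first client message; the server-side logs suggested above are still what explain why it was rejected.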