
This looks like a firewall or the like is doing Deep Packet Inspection. For example, for a web request the TCP connection is first set up, then the request is sent. But if that request is intercepted and an 'access denied' response is generated, you won't see that on the network level. After that the TCP connection is torn down normally. Exactly what the picture shows.

most GP connection attempts fail, that is most not all.

Maybe some requests are allowed by DPI.

Regarding FIN:
Short answer: you can't have a FIN without an ACK.

Long answer:
When the ACK flag is set it means that the 'Acknowledgment Number' field (tcp.ack) is used and that field refers to a previously received segment to ACKnowledge it was received.
Obviously there is nothing to acknowledge on the very first packet, so the first SYN has no ACK.
Since you can only FINalize an active TCP connection, there is always something to ACK when using FIN.

But a RST can be without an ACK. RST-ACK is sent when an active connection must be aborted. A RST without an ACK is sent when the sender of the RST has no active connection when receiving a stray packet.
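Added example, not part of the original answer: a small Python sketch that reads the flag byte of raw TCP segments, labels them with the SYN/FIN/RST and ACK combinations described above, and summarizes how a flow was set up and ended. The helper names, port numbers and the sample flow are constructed for illustration.

```python
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # flag bits in TCP header byte 13

def segment(flags, seq=0, ack=0, payload=b""):
    """Constructed sample: 20-byte TCP header (placeholder ports, checksum 0) + payload."""
    return struct.pack("!HHIIBBHHH", 50000, 80, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload

def parse(seg):
    """Return (flags, payload_length) from a raw TCP segment."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    hdr_len = (seg[12] >> 4) * 4              # data offset is counted in 32-bit words
    if not 20 <= hdr_len <= len(seg):
        raise ValueError("bad data offset")
    return seg[13], len(seg) - hdr_len

def classify(seg):
    """Label a segment by SYN/FIN/RST and whether the ACK flag accompanies it."""
    flags, _ = parse(seg)
    suffix = "-ACK" if flags & ACK else ""
    if flags & RST:    # RST-ACK aborts an active connection; bare RST answers a stray packet
        return "RST" + suffix
    if flags & FIN:    # FIN closes an active connection, so ACK is expected with it
        return "FIN" + suffix
    if flags & SYN:    # the very first SYN has nothing to acknowledge
        return "SYN" + suffix
    return "ACK" if flags & ACK else "NONE"

def summarize(flow):
    """flow: list of (direction, segment); direction is 'c' (client) or 's' (server)."""
    names = [classify(s) for _, s in flow]
    reset = any(n.startswith("RST") for n in names)
    ending = "reset" if reset else "orderly" if "FIN-ACK" in names else "open"
    sent = lambda side: sum(parse(s)[1] for d, s in flow if d == side)
    return {"handshake": names[:3] == ["SYN", "SYN-ACK", "ACK"], "ending": ending,
            "client_bytes": sent("c"), "server_bytes": sent("s")}

# Constructed flow: set-up, one request, then a normal FIN-ACK teardown.
SAMPLE = [
    ("c", segment(SYN, seq=100)),
    ("s", segment(SYN | ACK, seq=900, ack=101)),
    ("c", segment(ACK, seq=101, ack=901)),
    ("c", segment(ACK, seq=101, ack=901, payload=b"GET / HTTP/1.1\r\n\r\n")),
    ("s", segment(FIN | ACK, seq=901, ack=119)),
    ("c", segment(FIN | ACK, seq=119, ack=902)),
    ("s", segment(ACK, seq=902, ack=120)),
]
```

For the constructed flow, `summarize(SAMPLE)` reports a completed handshake and an orderly ending, which is all the TCP flags alone reveal about the conversation.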