Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2019-01-15 20:26:40 +0000

SYN-bit gravatar image

On the Linux side, have a look at the value of IP TTL of the packets received from the Windows host. They are probably all the same. Now have a look at the value of the IP TTL of the received RST packet. Is the TTL the same or different? If it is different, there is a big chance that an intermediate device closed the connection. There can be several reasons:

  • The intermediate device is an IPS and saw data that triggered a rule to close the connection
  • The intermediate device is a firewall or loadbalancer that closed the connection due to a session timeout (what is the delta time between the RST and the previous packet in the TCP stream?
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2