Ask Your Question
0

Help with analysing some TCP RST packets

asked 2021-01-13 19:02:40 +0000

Hitest gravatar image

updated 2021-01-13 19:04:17 +0000

Using wireshark I am noticing a lot of TCP RST packets happening between an IP address 10.8.2.3. (and other 10.x.x.x addresses) I have an an example snapshot in jpeg format but can't attach it this website won't let me I guess I don't have 60 points yet or something. I am seeing TCP RST packets between this 10 address and an amazon IP, but it also seems to occur with cloudfare and other domains too. This is leading to my router triggering ack flood and other alerts and dropping the packets, so maybe no harm done, but what are they? My computer uses 192.168.0.100 and I can filter packets on my router between 192.168.1.100 to or from other WAN packets, but how do I filter or block this 10.8.2.3 address? More importantly how do I figure out what process on my computer is initiating this communication? I am looking at tcpview and can't see the process happen, maybe it's too quick, so my thought was disable the 10.8.2.3 address and see if it impacts any programs, but I don't know how to do this.

If 10.x.x.x addresses are class A addresses that are in my laptop somewhere how to I determine what process or PID is associated with them? Thanks

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-01-14 08:29:48 +0000

hugo.vanderkooij gravatar image

If you have a full packet capture you can select a RST packet and do follow TCP stream. Then you can tell more.

If it follows FIN packets then this is not something you will notice as user as it happens after the connection is ended. It may point to tming issues where a FIN from the other party is late and your end consideres it close. (Which strictly speaking is incorrect behaviour on your client.)

If it happens mid session then something else is wrong but in that case someone needs to look at that packet capture and dive into what is hapening.

The flowchart and tekst on https://stackoverflow.com/questions/3... might help you understand the various states and determine if the cause of the RST packets.

It could be you router doing "it's thing" securitywise.

edit flag offensive delete link more

Comments

But is there a way to block TCP packets to and from 10/x/x/x ip addresses? My router doesn't seem to let me. My current strategy is to block the 10.x.x.x address I see communicating on wireshark and see what if any programs are impacted. Thanks

Hitest gravatar imageHitest ( 2021-01-14 16:48:58 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-01-13 19:02:40 +0000

Seen: 49 times

Last updated: Jan 14