Help with analysing some TCP RST packets

asked 2021-01-13 19:02:40 +0000

Hitest

updated 2021-01-13 19:04:17 +0000

Using Wireshark I am noticing a lot of TCP RST packets happening between an IP address (and other 10.x.x.x addresses). I have an example snapshot in JPEG format but can't attach it; this website won't let me. I guess I don't have 60 points yet or something. I am seeing TCP RST packets between this 10 address and an Amazon IP, but it also seems to occur with Cloudflare and other domains too. This is leading to my router triggering ACK flood and other alerts and dropping the packets, so maybe no harm done, but what are they? My computer uses and I can filter packets on my router between to or from other WAN packets, but how do I filter or block this address? More importantly, how do I figure out what process on my computer is initiating this communication? I am looking at TCPView and can't see the process happen, maybe it's too quick, so my thought was to disable the address and see if it impacts any programs, but I don't know how to do this.

If 10.x.x.x addresses are class A addresses that are in my laptop somewhere, how do I determine what process or PID is associated with them? Thanks

1 Answer

answered 2021-01-14 08:29:48 +0000

hugo.vanderkooij

If you have a full packet capture you can select a RST packet and do Follow TCP Stream. Then you can tell more.

If it follows FIN packets then this is not something you will notice as a user, as it happens after the connection is ended. It may point to timing issues where a FIN from the other party is late and your end considers it closed. (Which strictly speaking is incorrect behaviour on your client.)

If it happens mid session then something else is wrong, but in that case someone needs to look at that packet capture and dive into what is happening.

The flowchart and text on might help you understand the various states and determine if the cause of the RST packets.

It could be your router doing "its thing" security-wise.



But is there a way to block TCP packets to and from 10.x.x.x IP addresses? My router doesn't seem to let me. My current strategy is to block the 10.x.x.x address I see communicating on Wireshark and see what, if any, programs are impacted. Thanks

Hitest (2021-01-14 16:48:58 +0000)
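
The distinction drawn in the answer above (a RST that follows FIN packets versus one that arrives mid session) can be checked across a whole capture instead of one stream at a time. This is an added example, not part of the original thread: it assumes the capture was exported with the tshark command shown in the comment, and the addresses and timings in the sample are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

FIN, RST = 0x01, 0x04  # bit masks within the TCP flags field

# Constructed sample (not the asker's capture), in the tab-separated form produced by:
#   tshark -r capture.pcapng -Y tcp -T fields \
#     -e tcp.stream -e frame.time_relative -e ip.src -e ip.dst -e tcp.flags
SAMPLE = "\n".join("\t".join(r) for r in [
    ("0", "0.000", "10.0.0.5", "192.0.2.10", "0x0002"),    # SYN
    ("0", "0.030", "192.0.2.10", "10.0.0.5", "0x0012"),    # SYN, ACK
    ("0", "0.031", "10.0.0.5", "192.0.2.10", "0x0010"),    # ACK
    ("0", "0.900", "10.0.0.5", "192.0.2.10", "0x0011"),    # FIN, ACK
    ("0", "0.930", "192.0.2.10", "10.0.0.5", "0x0010"),    # ACK
    ("0", "5.200", "192.0.2.10", "10.0.0.5", "0x0011"),    # late FIN, ACK
    ("0", "5.201", "10.0.0.5", "192.0.2.10", "0x0004"),    # RST after the close
    ("1", "1.000", "10.0.0.5", "198.51.100.7", "0x0002"),  # SYN
    ("1", "1.040", "198.51.100.7", "10.0.0.5", "0x0012"),  # SYN, ACK
    ("1", "1.041", "10.0.0.5", "198.51.100.7", "0x0018"),  # PSH, ACK (data)
    ("1", "1.300", "198.51.100.7", "10.0.0.5", "0x0014"),  # RST, ACK mid session
])

def classify_resets(tshark_text):
    """Label every RST 'after-fin' or 'mid-session' from earlier packets in its stream."""
    fin_seen = defaultdict(bool)  # stream id -> a FIN was already seen
    resets = []
    for row in csv.reader(io.StringIO(tshark_text), delimiter="\t"):
        if len(row) != 5 or not row[4]:
            continue  # skip malformed lines and packets without TCP flags
        stream, rel_time, src, dst, flags = row
        flags = int(flags, 16)
        if flags & RST:
            kind = "after-fin" if fin_seen[stream] else "mid-session"
            resets.append((stream, float(rel_time), src, dst, kind))
        if flags & FIN:
            fin_seen[stream] = True
    return resets

def summarize(resets):
    """Count resets per (sender, kind) so the side sending them stands out."""
    return Counter((src, kind) for _, _, src, _, kind in resets)

if __name__ == "__main__":
    for reset in classify_resets(SAMPLE):
        print(reset)
    print(summarize(classify_resets(SAMPLE)))
```

The stream ids in the output are the same ones Wireshark uses, so any "mid-session" entry can be opened directly with the display filter `tcp.stream eq N`.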
