Strange TCP RST flow
Dear all, this is not a Wireshark problem, but I hope I can get professional advice about this strange TCP RST.
Normally, when a device receives an unwanted packet from the other side, it should send a TCP RST to the other side. But in my case, the modem sometimes sends a RST even if it has not received anything from the other side.
Does anybody know why the modem sends a TCP RST packet in this case? Many thanks for your help.
2021-10-28 10:24:23.870773 19.252.11.19 60.192.202.127 TCP 172 37198 → 9000 [PSH, ACK] Seq=1161 Ack=3357 Win=135 Len=98 TSval=1503019263 TSecr=382793032
2021-10-28 10:24:24.115796 60.192.202.127 19.252.11.19 TCP 74 9000 → 37198 [ACK] Seq=3357 Ack=1259 Win=61 Len=0 TSval=382793571 TSecr=1503019263
2021-10-28 10:24:29.527818 19.252.11.19 60.192.202.127 TCP 175 37198 → 9000 [PSH, ACK] Seq=1259 Ack=3357 Win=135 Len=101 TSval=1503020263 TSecr=382793571
2021-10-28 10:24:29.772551 60.192.202.127 19.252.11.19 TCP 74 9000 → 37198 [ACK] Seq=3357 Ack=1360 Win=61 Len=0 TSval=382799228 TSecr=1503020263
2021-10-28 10:24:29.772795 60.192.202.127 19.252.11.19 TCP 150 9000 → 37198 [PSH, ACK] Seq=3357 Ack=1360 Win=61 Len=76 TSval=382799228 TSecr=1503020263
2021-10-28 10:24:29.775763 19.252.11.19 60.192.202.127 TCP 74 37198 → 9000 [ACK] Seq=1360 Ack=3433 Win=135 Len=0 TSval=1503020512 TSecr=382799228
2021-10-28 10:24:34.541725 19.252.11.19 60.192.202.127 TCP 74 37198 → 9000 [RST, ACK] Seq=1360 Ack=3433 Win=135 Len=0 TSval=1503025264 TSecr=382799228
Almost nothing of use can be found in your text output of the traffic; it simply shows one side closing the connection with a RST almost 5 seconds after acknowledging the previous data.
To analyze the issue would require knowledge of the protocol in use over port 9000, captures (not text output) from both sides of the connection and an explanation of what the "modem" is and how it fits into the network setup.
It was 5 seconds before the RST was sent. Is this similar to the behavior of the other "TCP strange RST flow" events? My guess is that either the end-user is closing the application or the application is dropping the TCP session because it is waiting for data.
There can be many reasons why a TCP RST is sent. For example a crashing application, malicious content detected or just unclean termination (like MS Internet Explorer does), possibly after a time-out.
PS: I assume you mean SOHO-router by modem.
@André: you are right, the modem is a NAT router. I think something was wrong with the application. Thank you so much.
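The reading given in the answers (the RST comes from 19.252.11.19 almost 5 seconds after its own ACK, with no segment from the peer in between and all peer data acknowledged) can be checked mechanically. This is an added example, not part of the original thread; it assumes a single TCP flow in the column layout of the text export quoted in the question, ignores SYN/FIN in the sequence space, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Last three packets of the text export quoted in the question.
SAMPLE = """\
2021-10-28 10:24:29.772795 60.192.202.127 19.252.11.19 TCP 150 9000 → 37198 [PSH, ACK] Seq=3357 Ack=1360 Win=61 Len=76 TSval=382799228 TSecr=1503020263
2021-10-28 10:24:29.775763 19.252.11.19 60.192.202.127 TCP 74 37198 → 9000 [ACK] Seq=1360 Ack=3433 Win=135 Len=0 TSval=1503020512 TSecr=382799228
2021-10-28 10:24:34.541725 19.252.11.19 60.192.202.127 TCP 74 37198 → 9000 [RST, ACK] Seq=1360 Ack=3433 Win=135 Len=0 TSval=1503025264 TSecr=382799228
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<src>\S+) (?P<dst>\S+) TCP \d+ "
    r"\d+ \S+ \d+ \[(?P<flags>[^\]]+)\] Seq=(?P<seq>\d+)(?: Ack=(?P<ack>\d+))?.* Len=(?P<len>\d+)"
)

def parse(text):
    """Turn packet-list text lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            pkts.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "src": m["src"], "flags": m["flags"].split(", "),
                "seq": int(m["seq"]), "ack": int(m["ack"] or 0), "len": int(m["len"]),
            })
    return pkts

def explain_resets(pkts):
    """For each RST: who sent it, idle time before it, and what preceded it."""
    out, sent_up_to = [], {}  # sent_up_to[src] = highest seq+len seen from src
    for i, p in enumerate(pkts):
        if "RST" in p["flags"] and i > 0:
            prev = pkts[i - 1]
            peer_high = max((v for s, v in sent_up_to.items() if s != p["src"]), default=0)
            out.append({
                "sender": p["src"],
                "idle_s": round((p["ts"] - prev["ts"]).total_seconds(), 3),
                # True would mean the RST answers a segment the peer just sent.
                "follows_peer_segment": prev["src"] != p["src"],
                # True means the RST sender had already ACKed everything the peer sent.
                "peer_data_all_acked": p["ack"] >= peer_high,
            })
        sent_up_to[p["src"]] = max(sent_up_to.get(p["src"], 0), p["seq"] + p["len"])
    return out

if __name__ == "__main__":
    print(explain_resets(parse(SAMPLE)))
```

A RST with `follows_peer_segment` false and `peer_data_all_acked` true was not provoked by anything visible in the capture, which points at the sending host's application or stack, or at a device in the path, rather than at the peer.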