Strange Tcp RST flow

asked by ripper, 2021-10-29 03:05:21 +0000 (updated 2021-10-29 03:06:15 +0000)

Dear all, this is not a Wireshark problem, but I hope I can get professional advice about this strange TCP RST.

Normally, when a device receives an unwanted packet from the other side, it should send a TCP RST to the other side. But in my case, the modem sometimes sends a RST even though it has not received anything from the other side.

Does anybody know why the modem sends a TCP RST packet in this case? Many thanks for your help.

2021-10-28 10:24:23.870773  19.252.11.19    60.192.202.127  TCP 172 37198 → 9000 [PSH, ACK] Seq=1161 Ack=3357 Win=135 Len=98 TSval=1503019263 TSecr=382793032
2021-10-28 10:24:24.115796  60.192.202.127  19.252.11.19    TCP 74  9000 → 37198 [ACK] Seq=3357 Ack=1259 Win=61 Len=0 TSval=382793571 TSecr=1503019263
2021-10-28 10:24:29.527818  19.252.11.19    60.192.202.127  TCP 175 37198 → 9000 [PSH, ACK] Seq=1259 Ack=3357 Win=135 Len=101 TSval=1503020263 TSecr=382793571
2021-10-28 10:24:29.772551  60.192.202.127  19.252.11.19    TCP 74  9000 → 37198 [ACK] Seq=3357 Ack=1360 Win=61 Len=0 TSval=382799228 TSecr=1503020263
2021-10-28 10:24:29.772795  60.192.202.127  19.252.11.19    TCP 150 9000 → 37198 [PSH, ACK] Seq=3357 Ack=1360 Win=61 Len=76 TSval=382799228 TSecr=1503020263
2021-10-28 10:24:29.775763  19.252.11.19    60.192.202.127  TCP 74  37198 → 9000 [ACK] Seq=1360 Ack=3433 Win=135 Len=0 TSval=1503020512 TSecr=382799228
2021-10-28 10:24:34.541725  19.252.11.19    60.192.202.127  TCP 74  37198 → 9000 [RST, ACK] Seq=1360 Ack=3433 Win=135 Len=0 TSval=1503025264 TSecr=382799228

Comments

Almost nothing of use can be found in your text output of the traffic, it simply shows one side closing the connection with a RST almost 5 seconds after acknowledging the previous data.

To analyze the issue would require knowledge of the protocol in use over port 9000, captures (not text output) from both sides of the connection and an explanation of what the "modem" is and how it fits into the network setup.

grahamb (2021-10-29 07:24:20 +0000)

It was 5 seconds before the RST was sent. Is this similar to the behavior of the other "TCP strange RST flow" events? My guess is that either the end-user is closing the application or the application is dropping the TCP session because it is waiting for data.

BigFatCat (2021-10-29 11:59:26 +0000)

There can be many reasons why a TCP RST is sent. For example a crashing application, malicious content detected, or just unclean termination (like MS Internet Explorer does), possibly after a time-out.

PS: I assume you mean SOHO-router by modem.

André (2021-10-29 18:58:31 +0000)

@André: you are right, the modem is a NAT router. I think something was wrong with the application. Thank you so much.

ripper (2021-10-30 09:09:36 +0000)
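As an added example, not part of the original thread, the following Python script parses the text output pasted in the question exactly as shown and checks, for each RST, the two things the commenters reasoned about by hand: whether any segment arrived from the peer just before the reset, and whether the RST's Seq/Ack match the sender's own last state with no unacknowledged bytes. For the question's trace it reports a locally initiated abort by the client about 4.77 s after its last ACK, which is consistent with the application closing the socket; the text output still cannot say why, so a capture from both sides is needed for that.

```python
import re
from datetime import datetime
# Constructed input: the seven text lines pasted in the question above, verbatim.
TRACE = """\
2021-10-28 10:24:23.870773  19.252.11.19    60.192.202.127  TCP 172 37198 → 9000 [PSH, ACK] Seq=1161 Ack=3357 Win=135 Len=98 TSval=1503019263 TSecr=382793032
2021-10-28 10:24:24.115796  60.192.202.127  19.252.11.19    TCP 74  9000 → 37198 [ACK] Seq=3357 Ack=1259 Win=61 Len=0 TSval=382793571 TSecr=1503019263
2021-10-28 10:24:29.527818  19.252.11.19    60.192.202.127  TCP 175 37198 → 9000 [PSH, ACK] Seq=1259 Ack=3357 Win=135 Len=101 TSval=1503020263 TSecr=382793571
2021-10-28 10:24:29.772551  60.192.202.127  19.252.11.19    TCP 74  9000 → 37198 [ACK] Seq=3357 Ack=1360 Win=61 Len=0 TSval=382799228 TSecr=1503020263
2021-10-28 10:24:29.772795  60.192.202.127  19.252.11.19    TCP 150 9000 → 37198 [PSH, ACK] Seq=3357 Ack=1360 Win=61 Len=76 TSval=382799228 TSecr=1503020263
2021-10-28 10:24:29.775763  19.252.11.19    60.192.202.127  TCP 74  37198 → 9000 [ACK] Seq=1360 Ack=3433 Win=135 Len=0 TSval=1503020512 TSecr=382799228
2021-10-28 10:24:34.541725  19.252.11.19    60.192.202.127  TCP 74  37198 → 9000 [RST, ACK] Seq=1360 Ack=3433 Win=135 Len=0 TSval=1503025264 TSecr=382799228
"""
LINE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+(?P<sp>\d+) → "
                  r"(?P<dp>\d+) \[(?P<fl>[^\]]+)\] Seq=(?P<seq>\d+) Ack=(?P<ack>\d+) Win=\d+ Len=(?P<len>\d+)")

def parse(trace):
    """Parse Wireshark-style text lines into dicts; lines that do not match are skipped."""
    segs = []
    for m in filter(None, map(LINE.match, (ln.strip() for ln in trace.splitlines()))):
        d = m.groupdict()
        segs.append({"t": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                     "src": f"{d['src']}:{d['sp']}", "dst": f"{d['dst']}:{d['dp']}",
                     "flags": {f.strip() for f in d["fl"].split(",")},
                     "seq": int(d["seq"]), "ack": int(d["ack"]), "len": int(d["len"])})
    return segs

def classify_resets(trace):
    """For each RST: did anything arrive just before it, and is its Seq/Ack state in sync?"""
    segs, next_seq, last_ack, findings = parse(trace), {}, {}, []
    for i, s in enumerate(segs):
        if "RST" in s["flags"]:
            prev, me, peer = (segs[i - 1] if i else None), s["src"], s["dst"]
            f = {"sender": me,
                 "idle_s": (s["t"] - prev["t"]).total_seconds() if prev else None,
                 # Only a segment arriving from the peer could have provoked this RST.
                 "last_segment_from_peer": bool(prev and prev["src"] == peer),
                 # RST carries exactly the Seq/Ack the sender last used: no lost or stray data.
                 "seq_consistent": s["seq"] == next_seq.get(me, s["seq"]),
                 "ack_consistent": s["ack"] == last_ack.get(me, s["ack"]),
                 # Bytes the sender put on the wire that the peer had not yet acknowledged.
                 "unacked_bytes": next_seq.get(me, s["seq"]) - last_ack.get(peer, s["seq"])}
            clean = (not f["last_segment_from_peer"] and f["seq_consistent"]
                     and f["ack_consistent"] and f["unacked_bytes"] == 0)
            f["verdict"] = ("local abort: the sender's own application or stack closed the socket"
                            if clean else "possibly a reply to incoming data: capture both sides")
            findings.append(f)
        next_seq[s["src"]] = s["seq"] + s["len"]   # next byte this endpoint will send
        last_ack[s["src"]] = s["ack"]              # last Ack this endpoint announced
    return findings
```

Run `classify_resets(TRACE)` on any text export in the same column layout; each finding lists the resetting endpoint, the idle gap before the RST, and whether the state was in sync.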