TCP DUP ACK -> RST Problem

asked 2023-05-14 09:18:26 +0000

byt0x

Hello,

I have a problem with some network traffic and I am trying to find the reason. It's the communication between a process (IP: 212) and a Terminal-Server (IP: 206).

Often the connection breaks and we have to restart the hardware.

In Wireshark I can see these "TCP DUP ACK" and "RST" packages. Do you know a reason why we resend these packages so often?

The target device uses a 10MBit Port. The Process on the server uses a 100Mbit card.

I think the problem is on the side of the terminal server (IP: 206) because other connections are working fine. The strange thing is, that connections to this server on other ports than TCP:2200 are working "much better".

Here are images of the TCP traffic: https://ibb.co/c667Sz7 (Port: 2100 not working) https://ibb.co/2NK7ygG (Port: 2200 working bad) https://ibb.co/tK6z5pR (Port 2400 working okay)

Thank you


Comments

Ouch. A mix of 10 Mbps and 100 Mbps is already a scenario for traffic issues. I would definitely look into getting them up-to-speed. At least the 10 Mbps one.

hugo.vanderkooij ( 2023-05-15 12:49:21 +0000 )

1 Answer


answered 2023-05-15 00:53:14 +0000

BigFatCat

Did the packet capture come from 206? Is there a firewall that can track network connection states?

According to Wireshark, the TCP completeness of 206 ACK is 4, as it did not detect the presence of SYN or SYN-ACK for this particular TCP stream. When device 212 gets the ACK from 206, it sends an RST reply. I believe that the RST packet was not received by 206. If 206 received the RST, it should have terminated the session.

I suggest capturing packets at 206.

  • If you can't find the TCP RST packet, you need to investigate what happened to it.

  • If you see the TCP RST packet, make sure to check all active TCP sessions on the 206 device. TCP RST should have terminated the session. If it is active, that is a problem.

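The check described in the answer above, as an added example that is not part of either post: it computes a Wireshark-style `tcp.completeness` bitmask per stream and lists hosts that keep sending after the peer's RST. The packets, ephemeral ports and function names are constructed for illustration, and the bit assignment is a simplified version of Wireshark's.

```python
from collections import defaultdict

# Bit values of Wireshark's tcp.completeness field.
SYN, SYN_ACK, ACK, DATA, FIN, RST = 1, 2, 4, 8, 16, 32

# Constructed packets (not from the poster's capture):
# (src, sport, dst, dport, flags, payload_len); "212"/"206" stand in for the hosts.
PACKETS = [
    ("206", 2100, "212", 50001, "A", 0),    # ACK for a session 212 does not know
    ("212", 50001, "206", 2100, "R", 0),    # 212 answers with RST
    ("206", 2100, "212", 50001, "A", 0),    # 206 keeps sending: RST apparently lost
    ("212", 50001, "206", 2100, "R", 0),
    ("212", 50002, "206", 2400, "S", 0),    # healthy stream with a full handshake
    ("206", 2400, "212", 50002, "SA", 0),
    ("212", 50002, "206", 2400, "A", 0),
    ("212", 50002, "206", 2400, "PA", 12),
    ("206", 2400, "212", 50002, "FA", 0),
]

def stream_key(src, sport, dst, dport):
    """Direction-independent key for one TCP conversation."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def analyze(packets):
    """Return {stream: (completeness, hosts that sent after the peer's RST)}."""
    mask = defaultdict(int)
    reset_by = defaultdict(set)   # stream -> hosts that have sent a RST
    ignored = defaultdict(set)    # stream -> hosts that sent after the peer's RST
    for src, sport, dst, dport, flags, plen in packets:
        k = stream_key(src, sport, dst, dport)
        if reset_by[k] - {src}:   # the peer already reset this stream
            ignored[k].add(src)
        if "S" in flags:
            mask[k] |= SYN_ACK if "A" in flags else SYN
        elif "A" in flags:
            mask[k] |= DATA if plen else ACK
        if "F" in flags:
            mask[k] |= FIN
        if "R" in flags:
            mask[k] |= RST
            reset_by[k].add(src)
    return {k: (mask[k], sorted(ignored[k])) for k in mask}

def mid_stream(completeness):
    """True when neither SYN nor SYN-ACK was captured for the stream."""
    return (completeness & (SYN | SYN_ACK)) == 0
```

A host listed as sending after the peer's RST is consistent with the RST not arriving, which is why the answer suggests capturing at 206 to confirm.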


Stats

Asked: 2023-05-14 09:18:26 +0000

Seen: 126 times

Last updated: May 15 '23