
RST: present, Fin: Absent, DATA: Present, ACK:

asked 2024-09-27 13:02:34 +0000

updated 2024-09-27 14:47:42 +0000

Chuckc

Hi,

I have captured a tcpdump between the Application server and the Forcepoint Web Proxy server. When I try to analyse the pcap using the Wireshark GUI tool

Postman REST API Client -> Application server -> Forcepoint Web Proxy server.

I see the below in the Transmission Control Protocol frame in the Wireshark GUI interface while loading the captured tcpdumpapplicationserver.pcap

**RST: Present** 
FIN: Absent 
Data: Present 
ACK: Present
SYN-ACK: Present
SYN: Present

Is there a way to find out why we see RST: Present in the TCP frame as mentioned above? Is it a normal TCP handshake flow, or is the application sending the RST flag as Present and, because of this flag, the Forcepoint Web Proxy server abruptly ends the connections by sending the RST flag to the Application server?

Please guide.

Best Regards,

Kaushal


Comments

There are examples in Weberblog.net - The Ultimate PCAP

tcp.completeness == 47

[Conversation completeness: Complete, WITH_DATA (47)]
    ..1. .... = RST: Present
    ...0 .... = FIN: Absent
    .... 1... = Data: Present
    .... .1.. = ACK: Present
    .... ..1. = SYN-ACK: Present
    .... ...1 = SYN: Present
    [Completeness Flags: R·DASS]
Chuckc ( 2024-09-27 14:54:54 +0000 )

Thanks Chuck and Hugo. Can I attach the pcap to this forum?

kaushalshriyan ( 2024-09-27 18:28:08 +0000 )

Place it on a public file share (Google, Microsoft, AWS) then update the question with a link to it.

Chuckc ( 2024-09-27 18:34:25 +0000 )

1 Answer


answered 2024-09-27 13:55:15 +0000

hugo.vanderkooij

You can't determine the reason for a RST packet from a packet capture. That information must be obtained from the system sending the RST packet.

Sometimes you can guess based on the packet that triggered the other party to send the RST packet. And in some cases additional information is in the RST packet.

But SYN/ACK/RST packets .... are rare.

Have a look at https://serverfault.com/questions/575...

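The `tcp.completeness` value of 47 quoted in the comments above is a bitmask of the six flags listed there. As an added example (not from the posters or the Wireshark project), this Python script decodes it per TCP stream from tshark field output and reports which conversations ended with RST and no FIN, which tells you where to look but not why the reset was sent. The sample input is constructed, and the script assumes tshark prints the field as a decimal number.

```python
from collections import defaultdict

# Bit values of tcp.completeness, most significant first (47 = 32+8+4+2+1).
FLAGS = [(32, "RST", "R"), (16, "FIN", "F"), (8, "Data", "D"),
         (4, "ACK", "A"), (2, "SYN-ACK", "S"), (1, "SYN", "S")]

def decode(value):
    """Return (flags string as Wireshark prints it, set of present flag names)."""
    letters = "".join(ch if value & bit else "·" for bit, _, ch in FLAGS)
    return letters, {name for bit, name, _ in FLAGS if value & bit}

def classify(value):
    """Describe how the conversation started and ended; says nothing about why."""
    _, present = decode(value)
    start = ("handshake complete" if {"SYN", "SYN-ACK", "ACK"} <= present
             else "handshake incomplete")
    if "RST" in present:
        end = "RST and FIN seen" if "FIN" in present else "RST, no FIN"
    else:
        end = "FIN seen" if "FIN" in present else "no close captured"
    return f"{start}; {end}"

def summarize(tshark_fields):
    """Map tcp.stream -> (flags, verdict) from 'stream<TAB>completeness' lines."""
    per_stream = defaultdict(int)
    for line in tshark_fields.splitlines():
        parts = line.split("\t")
        # Assumption: both fields are printed as decimal numbers; skip anything else.
        if len(parts) == 2 and parts[0].isdigit() and parts[1].isdigit():
            # OR the values: correct whether the field is constant per stream
            # or grows as more packets of the conversation are seen.
            per_stream[int(parts[0])] |= int(parts[1])
    return {s: (decode(v)[0], classify(v)) for s, v in sorted(per_stream.items())}

# Constructed sample of the output of:
#   tshark -r tcpdumpapplicationserver.pcap -Y tcp -T fields -e tcp.stream -e tcp.completeness
SAMPLE = "0\t47\n0\t47\n1\t31\n2\t3\n3\t33\n"

if __name__ == "__main__":
    for stream, (flags, verdict) in summarize(SAMPLE).items():
        print(f"stream {stream}: {flags}  {verdict}")
```

For a stream reported as "RST, no FIN", filtering on that `tcp.stream` number in Wireshark shows which side sent the RST and which packet preceded it.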
