0

RST: present, Fin: Absent, DATA: Present, ACK:

asked 2024-09-27 13:02:34 +0000

updated 2024-09-27 14:47:42 +0000


Hi,

I have captured a tcpdump between the Application server and the Forcepoint Web Proxy server. When I try to analyse the pcap using the Wireshark GUI tool, the flow is:

Postman REST API Client -> Application server -> Forcepoint Web Proxy server.

I see the below in the Transmission Control Protocol frame in the Wireshark GUI interface while loading the captured tcpdumpapplicationserver.pcap:

**RST: Present** 
FIN: Absent 
Data: Present 
ACK: Present
SYN-ACK: Present
SYN: Present

Is there a way to find out why we see RST: Present in the TCP frame as mentioned above? Is it a normal TCP handshake flow, or is the application sending the RST flag as Present, and because of this flag the Forcepoint Web Proxy server aborts the connections by sending an RST flag to the Application server?

Please guide.

Best Regards,

Kaushal


Comments

There are examples in Weberblog.net - The Ultimate PCAP

tcp.completeness == 47

[Conversation completeness: Complete, WITH_DATA (47)]
    ..1. .... = RST: Present
    ...0 .... = FIN: Absent
    .... 1... = Data: Present
    .... .1.. = ACK: Present
    .... ..1. = SYN-ACK: Present
    .... ...1 = SYN: Present
    [Completeness Flags: R·DASS]
Chuckc (2024-09-27 14:54:54 +0000)
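To make the bitmask in that comment concrete, here is a small decoder for Wireshark's tcp.completeness value, added as an example and not taken from the thread or from Wireshark's own code. The bit values (SYN=1, SYN-ACK=2, ACK=4, DATA=8, FIN=16, RST=32) are Wireshark's; the segment-based derivation and the "complete" rule are my simplified reading of how the dissector tracks a conversation, and the sample segment list is constructed.

```python
# tcp.completeness decoder (added example, not code from the thread).
# Bit values follow Wireshark's tcp.completeness field:
# SYN=1, SYN-ACK=2, ACK=4, DATA=8, FIN=16, RST=32.
COMPLETENESS_BITS = (
    ("SYN", 1), ("SYN-ACK", 2), ("ACK", 4), ("DATA", 8), ("FIN", 16), ("RST", 32),
)
# Wireshark's short form lists the flags RST-first ("RFDASS"), with "·" for absent ones.
LETTERS = "RFDASS"

def decode_completeness(mask):
    """Return {flag name: present?} for a tcp.completeness value such as 47."""
    return {name: bool(mask & bit) for name, bit in COMPLETENESS_BITS}

def completeness_letters(mask):
    """Render the mask the way Wireshark does, e.g. 47 -> 'R·DASS'."""
    bits = [bit for _, bit in reversed(COMPLETENESS_BITS)]  # RST ... SYN
    return "".join(l if mask & b else "·" for l, b in zip(LETTERS, bits))

def is_complete(mask):
    """Simplified reading of Wireshark's 'Complete': full handshake plus FIN or RST."""
    handshake = (mask & 7) == 7
    return handshake and bool(mask & (16 | 32))

def completeness_from_segments(segments):
    """Derive the mask from (tcp_flags, payload_len) tuples in capture order.
    tcp_flags is a string such as 'SA'. This is a simplified version of the
    per-conversation tracking Wireshark performs; retransmissions are ignored."""
    mask = 0
    for flags, payload in segments:
        if "R" in flags:
            mask |= 32
        elif "F" in flags:
            mask |= 16
        elif "S" in flags and "A" in flags:
            mask |= 2
        elif "S" in flags:
            mask |= 1
        elif "A" in flags:
            mask |= 4
        if payload > 0:
            mask |= 8
    return mask

# Constructed conversation matching the thread: handshake, a CONNECT request, then RST.
SAMPLE = [("S", 0), ("SA", 0), ("A", 0), ("PA", 120), ("A", 0), ("R", 0)]

if __name__ == "__main__":
    m = completeness_from_segments(SAMPLE)
    print(m, completeness_letters(m), decode_completeness(m), is_complete(m))
```

Filtering on `tcp.completeness == 47` in Wireshark therefore selects exactly the conversations where a full handshake and data were seen and the connection ended with an RST rather than a FIN, which is the pattern to isolate before looking at the segment that immediately precedes each RST.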

Thanks Chuck and Hugo. Can I attach the pcap to this forum?

kaushalshriyan (2024-09-27 18:28:08 +0000)

Place it on a public file share (Google, Microsoft, aws) then update the question with a link to it.

Chuckc (2024-09-27 18:34:25 +0000)

Thanks Chuck for the quick response. Please refer to https://www.dropbox.com/scl/fi/lr3qwh...

Best Regards,

Kaushal

kaushalshriyan (2024-09-28 04:05:47 +0000)

Is there a log to check on the 172.16.x.x server?
That's a pretty quick "nope, don't support that" turn around.

Chuckc (2024-09-28 12:15:50 +0000)

2 Answers

0

answered 2024-09-28 16:35:37 +0000

SYN-bit

Thanks for the packet capture. Am I right in assuming that 10.133.192.95 is the application server and 172.16.223.11 is the Forcepoint proxy?

What I notice in the packets is:

  • The TTL of the SYN/ACK is 127, while the TTL of the RST is 128
  • The MAC addresses involved are a Microsoft one and a Checkpoint one

So to me it seems there is a Checkpoint firewall in between that seems to reset the connection, based on the destination host in the CONNECT request. Can you confirm this? And is there a URL filter list active on the Checkpoint firewall?


Comments

Thanks a lot for a detailed explanation

Postman REST API Client (Windows 11 Desktop) -> Application server (Red Hat Enterprise Linux 8.10 Operating System, IP :- 10.133.192.95 ) -> Forcepoint Web Proxy (IP :- 172.16.223.11 and port 8080) which is part of the Forcepoint Web Security solution

I need to check with the team who maintains it regarding the URL filter list active on the Checkpoint firewall.

Thanks in advance.

Best Regards,

Kaushal

kaushalshriyan (2024-09-28 17:45:05 +0000)

Hi again, I am checking in again in case you need any additional details to understand the reason behind the reset packet.

kaushalshriyan (2024-10-01 18:09:53 +0000)

Did you check whether there is a (Checkpoint) firewall in between the AppServer and the Proxy? And if there is, does the policy indeed block this traffic?

SYN-bit (2024-10-01 22:14:47 +0000)

Any news from the Firewall team?

SYN-bit (2024-10-13 19:53:58 +0000)
0

answered 2024-09-27 13:55:15 +0000

hugo.vanderkooij

You can't determine the reason for an RST packet from a packet capture. That information must be obtained from the system sending the RST packet.

Sometimes you can guess based on the packet that triggered the other party to send the RST packet. And in some cases additional information is in the RST packet.

But SYN/ACK/RST packets ... are rare.

Have a look at https://serverfault.com/questions/575...
