Ask Your Question
0

Client ends handshake with RST instead of ACK

asked 2018-07-14 09:58:28 +0000

insecurepassword gravatar image

updated 2018-07-14 11:08:29 +0000

Hi all,

A linux client is experiencing slow HTTP. I found, among other things, this TCP handshake which seems odd (see pcap link below). It's not the first handshake but one among many. The client, with IP 192.168.105.52, initiates the SYN. The server responds with SYN-ACK but then the client sends an RST.

What are the potential reasons for this? At least the TSecr and TSval values match. What other things should I check for that can cause RST?

Can this handshake be analyzed in isolation? I'm not comfortable sending other HTTP traffic.

https://www.cloudshark.org/captures/7...

Thanks! K

edit retag flag offensive close merge delete

Comments

Looks like the file is not public, can you check?

Jasper gravatar imageJasper ( 2018-07-15 11:45:18 +0000 )edit

Made it public now. Thanks for pointing that out!

insecurepassword gravatar imageinsecurepassword ( 2018-07-15 13:12:44 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2018-07-16 12:48:40 +0000

Jasper gravatar image

The only thing that comes to mind is that the client closed the socket before the SYN/ACK arrived, resulting in a RST because of a closed port. Reasons for that can be a program crash, or someone programmed a ridiculously low timeout value for the socket when opened.

edit flag offensive delete link more

Comments

That makes sense and is in line with one of the potential reasons I had in mind myself. Much appreciated!

insecurepassword gravatar imageinsecurepassword ( 2018-07-17 04:05:39 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-07-14 09:58:28 +0000

Seen: 1,844 times

Last updated: Jul 16 '18