Ask Your Question
0

TCP connection unexpected reset

asked 2019-03-14 23:36:39 +0000

atom gravatar image

updated 2019-03-14 23:39:42 +0000

Hi

We have a problem at my Bridge club where we use Android tablets to send the result of a hand to the scoring PC over wifi to an access point, then to the scoring PC. The PC then sends feedback to the tablet. Occasionally a tablet has a problem getting feedback. We find that sometimes turning wifi off and on will allow a tablet to get feedback but it usually goes wrong again soon after. The problem is random across all tablets. I captured a wireshark log at the scoring PC and it shows that a tablet that is struggling to get feedback is sending a TCP connection reset (RST) right at the start of the TCP transaction e.g. - (source port is 57727)

2136.258745 192.168.1.58 192.168.1.10 57727 -> 9000 [SYN] Seq = 0

2136.258893 192.168.10.1 192.168.1.58 9000 -> 57727 [SYN,ACK] Seq = 0

2136.354344 192.168.1.58 192.168.10.1 57727 -> 9000 [RST] Seq = 1

2137.256806 192.168.1.58 192.168.10.1 57727 -> 9000 [TCP Retransmission] Seq = 0

2137.256901 192.168.10.1 192.168.1.58 9000 -> 57727 [segment not captured, port numbers re-used]

2136.354344 192.168.1.58 192.168.10.1 57727 -> 9000 [RST] Seq = 1

Often the TCP reset comes back really fast - 3 milliseconds e.g.

2254.954148 192.168.1.58 192.168.1.10 54281 -> 9000 [SYN] Seq = 0

2254.954254 192.168.10.1 192.168.1.58 9000 -> 54281 [SYN,ACK] Seq = 0

2254.957301 192.168.1.58 192.168.10.1 54281 -> 9000 [RST] Seq = 1

I've compared the [SYN,ACK] sent by the PC against a successful one and there is no difference. Does anyone have an idea what could cause this? The tablets are Lenovo TB3 710F. The capture file is here pcap file

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
2

answered 2019-03-15 19:49:43 +0000

mrEEde gravatar image

updated 2019-03-15 19:52:06 +0000

I think the problem is an ARP problem with the tablet connecting to different Access Points and the Windows server not updating its ARP cache fast enough.
Looking at the MAC conversations you will notice that the SYN_ACK gets a RESET when it is sent to a different MAC address than the source MAC address of the incoming SYN.

image description

Regards Matthias

edit flag offensive delete link more

Comments

Awesome. Thanks very much.

atom gravatar imageatom ( 2019-03-15 23:12:29 +0000 )edit
add a comment
0

answered 2019-03-15 01:05:13 +0000

Spooky gravatar image

Hi,

It is interesting that the tablet initiating the TCP connection is the device sending the TCP RST.

It could mean that the application is closing the connection because the SYN/ACK was damaged on its way from the PC to the tablet.

It could also mean the application closed the port for an unknown reason and the tablet sends the TCP RST because it is receiving a segment for a closed port.

It would be great if you could capture from the tablet's side.

If possible install your app on a PC and capture the traffic from there and the other PC at the same time to compare.

(I started playing with Bluestacks to install Android apps on my Windows PC.)

Hope this helps.

Cheers,

JF

edit flag offensive delete link more

Comments

Thanks for the answer. I'll have another go at capturing the wifi traffic. Did you notice that after the reset the tablet tries again using the same source port. Does that suggest that the application didn't close the connection? I'll keep blustacks in mind, thanks, - the problem is that it's random which tablet the problem happens on and once it starts happening it usually goes wrong for the rest of the night so it might never show up on a laptop. Also it's difficult to use a laptop at the Bridge table as they're a bit too big.

atom gravatar imageatom ( 2019-03-15 01:20:41 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-03-14 23:36:39 +0000

Seen: 2,170 times

Last updated: Mar 15 '19

Related questions

Large number of RST-SYN

Failures during high load

In TCP 3-way handshake, 3 segments will be sent (SYN, SYN/ACK, ACK). What happens if the third segment(ACK) is lost?

TCP SYN, SYN ACK followed by RST

What could make a host to be sending arp asking for the mac address of almost al the hosts in the network

After transmitting many normal packets in response to a post request,the server suddently sent [rst,ack]

TCP RST Packets Ignored

TCP Connection disconnect

Problem with TCP reset

What this reset cause means ? [closed]

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2