This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Application RST

0

I'm a newbie to Wireshark and have a question on a Reset I'm seeing in the trace with an application that's getting intermittent connection failure. There is a firewall in the path but no other applications are having issues. I did a Follow TCP stream for a known failure transaction and a good transaction. I'm not sure but the failure transaction could be due to the Reset but want to confirm if it's the application that's the cause or the Firewall. For the failed transaction, a RST was sent by the Source host (SH) in the third line. I would think the RST would basically kills the transaction and the Destination host (DH)FIN,ACK in the fourth line would not be valid. Please chime in.

Failed Transaction: 1. (SH)FIN,ACK 2. (DH)PSH,ACK 3. (SH)RST 4. (DH)FIN,ACK 5. (DH)RST

Good Transaction:: 1. (SH)FIN,ACK 2. (DH)ACK 3. (SH)RST

asked 01 Nov '11, 04:20

ws2006's gravatar image

ws2006
1121214
accept rate: 0%

2 Answers:

0

Here's the sequence for the follow TCP stream

10.1.1.1 to 192.168.1.1 (FIN, ACK) Sequence number: 304 Acknowledgement number: 172

192.168.1.1 to 10.1.1.1 (ACK) Len:1248 Sequence number: 172 Next Sequence number: 1420 Acknowledgement number: 304

10.1.1.1 to 192.168.1.1 (RST) Sequence number: 304 WIN=0 Len=0

192.168.1.1 to 10.1.1.1 (ACK) Len:1248 Sequence number: 1420 Next Sequence number: 2668 Acknowledgement number: 304

192.168.1.1 to 10.1.1.1 (FIN, PSH, ACK) Len:1027 Sequence number: 2668 Next Sequence number: 3695 Acknowledgement number: 305

10.1.1.1 to 192.168.1.1 (RST) Sequence number: 305 WIN=0 Len=0

answered 01 Nov '11, 10:57

ws2006's gravatar image

ws2006
1121214
accept rate: 0%

0

The only thing that I can say is that FIN packets are pretty much always generated by the actually endpoint hosts in the conversation. RST packets may be sent by the hosts, though sometimes are sent by the firewall if they aren't happy with the connection status. If a host is seems to be sending packets after a RST is seen, this could be just a timing issue, in that packets were being flushed after receiving the FIN, but before the RST. (It all depends where you do the capture, and the latency of the network)

answered 02 Nov '11, 02:12

martyvis's gravatar image

martyvis
8911525
accept rate: 7%

The traffic is only local LAN. A static entry was made for the inside host 10.1.1.1 on the FW recently and the RST went away. This apps that was having issue was running fine then started to experience disconnects while other applications do not have disconnects issue. The apps team blamed it on the network but it's possible the apps code were changed prior to the FW rule change.

(02 Nov '11, 03:29) ws2006