tcpdump capturing tcp resets by host

networking tcp wireshark tcpdump
36,933

Pay attention to the Src Port and Dst Port:

Transmission Control Protocol, Src Port: http (80), Dst Port: norton-lambert (2338), Seq: 1406431331, Len: 0
    Source port: http (80)
    Destination port: norton-lambert (2338)
    [Stream index: 3]
    Sequence number: 1406431331
    Header length: 20 bytes
    Flags: 0x004 (RST)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .1.. = Reset: Set
            [Expert Info (Chat/Sequence): Connection reset (RST)]
                [Message: Connection reset (RST)]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set

Src Port: http (80) means that this RST packet was sent from server side.

If it come from the client side, then you should see the reason:

Transmission Control Protocol, Src Port: 57715 (57715), Dst Port: http (80), Seq: 3509013939, Len: 0
    Source port: 57715 (57715)
    Destination port: http (80)
    [Stream index: 32]
    Sequence number: 3509013939
    Acknowledgment Number: 0xd1274db3 [should be 0x00000000 because ACK flag is not set]
        [Expert Info (Warn/Protocol): Acknowledgment number: Broken TCP. The acknowledge field is nonzero while the ACK flag is no
t set]
            [Message: Acknowledgment number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set]
            [Severity level: Warn]
            [Group: Protocol]
    Header length: 20 bytes
    Flags: 0x004 (RST)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .1.. = Reset: Set
            [Expert Info (Chat/Sequence): Connection reset (RST)]
                [Message: Connection reset (RST)]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
Share:
36,933
rahrahruby
Author by

rahrahruby

Updated on September 18, 2022

Comments

  • rahrahruby
    rahrahruby over 1 year

    I am trying to figure out where my tcp resets on my webserver happen. I have the following capture:

    tcpdump -fnni bond0:-nnvvS -w dump.pcap 'tcp[tcpflags] & (tcp-rst) !=0'

    When I look at the pcap in wireshark shows me resets:

        Flags: 0x004 (RST)
    .... .... .1.. = Reset: Set
    .... .... ..0. = Syn: Not set
    .... .... ...0 = Fin: Not set

Window size value: 0
Calculated window size: 0
Window size scaling factor: -1 (unknown)
Checksum: 0x0f2f [validation disabled]
Good Checksum: False
Bad Checksum: False

    but doesn't show me who reset the connection. I believe that there are switches in tcpdump that would allow me to see who reset the connection and possibly why. I have tried various switches with no luck.

    Thanks in advance for your help.

    • ott--
      ott-- almost 11 years
      The peer resets the connection. Can you show the last lines of the log? A connection is normally terminated by FIN, FIN+ACK and/or RST.
    • rahrahruby
      rahrahruby almost 11 years
      I added additional information from the wireshark view of the packet.
    • ott--
      ott-- almost 11 years
      No, I meant just the last lines of a connections, not the details for one line.
    • bortzmeyer
      bortzmeyer over 10 years
      You ommitted the really important part of tcpdump's output, the source and destination IP addresses...
    • Admin
      Admin over 10 years
      Did you figure out about the RST? Mark answer accepetd?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

TCP Server sends [ACK] followed by [PSH,ACK]
tcpdump filter for tcp zero window messages
tcpdump: snaplen set to 0 but still get "Packet size limited during capture"?
How to concatenate two tcpdump files (pcap files)
what does this wireshark info refer to
Stripping payload from a tcpdump?
TCP Dup ACK/Retransmission, bad configuration?
tcpdump read both ipv4 and ipv6 packets from pcap
Capture only TCP SYN-ACK packets with tcpdump
Capture TCP communication on a specific port using wireshark