This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

RST, ACK after sending huge portion of data

0

I have IMAP server (e.g. Dovecot). I try to create 1200 mailboxes (for test performance). Servers successfully performs it. After this operation I want to list all created folders. Server gives some portion of data but after some time (near 1 second) CLIENT sends RST, ACK to server while server responds with IMAP protocol's command about the list of created folders.

Here is all mine Wireshark's dump snippet:

IMAP: Src Port: imap (143), Dst Port: 56794 (56794), Seq: 29186, Ack: 20533, Len: 24

IMAP: Src Port: 56794 (56794), Dst Port: imap (143), Seq: 20533, Ack: 29210, Len: 15

IMAP: Src Port: imap (143), Dst Port: 56794 (56794), Seq: 29210, Ack: 20548, Len: 16384

TCP: 56794 > imap [ACK] Seq=20548 Ack=45594 Win=49408 Len=0 TSV=3940902 TSER=3940902

IMAP: Src Port: imap (143), Dst Port: 56794 (56794), Seq: 45594, Ack: 20548, Len: 16384

TCP: 56794 > imap [RST, ACK] Seq=20548 Ack=61978 Win=49408 Len=0 TSV=3940902 TSER=3940902

Edit: Well, I think I figured out why RST flag is sent by client. The reason is server exceed MTU value for my loopback interface. I have checked similar behavior for sample Mina server - and all is OK there, i.e. huge packets are spited by TCP/IP protocol. So Dovecot can't manage packets wisely. But I have my own IMAP server (based on MINA) and the problem still persist there!

I've captured with Wireshark all negotiation, if interested: http://www.4shared.com/file/ymJ90Y1s/rst_mtu_555.html , the MTU value here set to 555

So why TCP/IP protocol manages sent packets (split them according to MTU value) wisely only for some apps but not for all?

asked 22 Aug '12, 12:53

Michael%20Z's gravatar image

Michael Z
1112
accept rate: 0%

edited 27 Aug '12, 00:05


One Answer:

0

sounds like your IMAP client crashed while getting (parsing) the mailbox/folder list.

Some questions:

  • What is your IMAP client?
  • What is your OS version where your run the IMAP client?
  • Do you see any error messages on the IMAP client?
  • Did you try another IMAP client?
  • A "malformed" IMAP answer might cause the client to crash or close the connection. Did you check the answer of the IMAP server in the capture file? Does it "look good" (according to the IMAP specs)? It should, if the server is a decent version of dovecot.

Regards
Kurt

answered 26 Aug '12, 01:27

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

By order: 1) Client is my own written Java code that connects to IMAP port. 2) Ubuntu 10.04 64 bit 3) No. See 1) 4) Yes, I've tried Evolution. It successfully lists all 1200 mailboxes. 5) There is no malformed answer from IMAP server. IT answer interrupted by client after some portion of data. As for Dovecot it writes Connection closed: Connection reset by peer bytes=20505/68146

Please see my edit in addition.

(27 Aug '12, 00:03) Michael Z

4) Yes, I've tried Evolution. It successfully lists all 1200 mailboxes.

So, obviously not network or server problem.

IT answer interrupted by client after some portion of data.

Well, then I guess it's a bug in your Java client. I don't think you can troubleshoot that with Wireshark, as the reason for the connection RESET cannot be detected by Wireshark. It might be a buffer "overflow" at the client or simply a programming error.

I suggest to debug the Java client.

(27 Aug '12, 04:21) Kurt Knochner ♦