Hi Everyone, I captured a trace of my network connection to the internet. I noticed there were a lot of reset packets being sent by the internet server - which was not surprising as my internet browser was not configured with my proxy address settings. Now, my question is this: If I required access to the proxy server to browse, how come what was being displayed in Wireshark were the IP addresses of the various internet servers I was trying to connect to? I thought that since the proxy server was blocking access, I should have seen it sending the TCP reset packets. Could someone please explain this to me?

asked 30 Aug '13, 09:21 pontish
One Answer:
It probably is your firewall sending the resets, but spoofing the address of the web server you're trying to reach. TCP is connection-oriented. The reset must come from the IP address that the client was trying to reach, otherwise the client has no way of knowing what the reset is in response to.

answered 30 Aug '13, 09:49 Jim Aragon
Thanks. Sorry, but one last question: is there any way to know for sure that it is the firewall spoofing the address of the website?
Many thanks.
Capture on both sides of the firewall. If the traffic appears only on the inside, then the firewall replied on behalf of the web server. If the traffic appears on both sides of the firewall, then the traffic was passed on by the firewall and the reply came from some other device.
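
The two-sided comparison described in the last reply, as an added example that is not part of the original thread: it takes a per-packet export from the inside and outside captures and reports, for each reset seen inside, whether the same packet also exists outside. The tab-separated input format, the sample addresses and the function names are assumptions made for illustration, and the match assumes the firewall does not NAT the flow or rewrite sequence numbers.

```python
# Constructed sample data (not from the thread): one TCP packet per line,
# tab-separated as src, sport, dst, dport, rst_flag, raw_seq.
INSIDE_CAPTURE = (
    "10.0.0.5\t51000\t203.0.113.10\t80\t0\t1000\n"
    "203.0.113.10\t80\t10.0.0.5\t51000\t1\t0\n"
    "10.0.0.5\t51001\t198.51.100.7\t443\t0\t2000\n"
    "198.51.100.7\t443\t10.0.0.5\t51001\t1\t777\n"
)
OUTSIDE_CAPTURE = (
    "10.0.0.5\t51001\t198.51.100.7\t443\t0\t2000\n"
    "198.51.100.7\t443\t10.0.0.5\t51001\t1\t777\n"
)


def parse(text):
    """Turn the tab-separated export into a list of packet dicts."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, rst, seq = line.split("\t")
        packets.append({
            "flow": (src, int(sport), dst, int(dport)),
            # Accept both 1/0 and True/False spellings of the flag.
            "rst": rst.strip().lower() in ("1", "true"),
            "seq": int(seq),
        })
    return packets


def classify_resets(inside_text, outside_text):
    """Map each reset seen inside to where it must have originated."""
    outside = {(p["flow"], p["rst"], p["seq"]) for p in parse(outside_text)}
    verdicts = {}
    for p in parse(inside_text):
        if not p["rst"]:
            continue
        # Inside only: the firewall answered on the server's behalf.
        # On both sides: the firewall forwarded it from another device.
        seen_outside = (p["flow"], True, p["seq"]) in outside
        verdicts[p["flow"]] = (
            "passed through firewall" if seen_outside else "sent by firewall"
        )
    return verdicts


if __name__ == "__main__":
    for flow, verdict in classify_resets(INSIDE_CAPTURE, OUTSIDE_CAPTURE).items():
        print(flow, "->", verdict)
```

Both captures need to cover the same time window, otherwise a reset can look inside-only simply because the outside capture started late.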