This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can someone explain this packet sequence?

0

I am debugging intermittent connection issues between a client and server application, and when running Wireshark the following packet sequence occurs:

 Server -> Client [FIN, PSH, ACK]
 Client -> Server [ACK] 
 Client -> Server [PSH, ACK] 
 Server -> Client [RST, ACK] 
 Client -> Server [FIN, PSH, ACK] 
 Server -> Client [RST] 
 Client -> Server [SYN] //start of new connection

Can anyone help explain what is going on here? It looks to me like the server is initiating closing the connection, but why does it send an RST after already having sent the FIN and received the ACK, and then send another RST?

asked 23 Dec '13, 06:21

mclaassen
accept rate: 0%

edited 23 Dec '13, 08:26

Are server and client isolated when this happens? I.e., there's no possibility an errant or misconfigured "server" is "polluting" the connection?

(25 Dec '13, 03:33) rickhg12hs

One Answer:

0

Without further information (time stamps, sequence numbers, length of the frames, etc.) I can only speculate. Here is what could have happened.

The server software decided to close the connection (reason unknown) and sends a FIN. After that, the server is in the state FIN WAIT 1 (see TCP state diagram). In that state it expects either a FIN/ACK or an ACK. However, the client sends two ACKs, one with a PSH flag, indicating that there is more data to 'push' to the server side application. As the server application does not expect any further data (see FIN), it 'might' send a RST in return to signal to the client to stop sending any further data (I did not check the RFC to figure out if that's the way the server should/could react). After the RST, the client closes the connection with a FIN/ACK (again with a PSH flag !?). Why this is again answered with a RST remains unclear, as there is not enough information available. After some time, the client tries to re-establish the communication with the server (SYN).

Why this happened in the shown sequence might have several reasons. As you did not add the time stamps and other information (sequence number, length, etc.) I could only speculate and that's going to happen in this case ;-))

Regards
Kurt

answered 25 Dec '13, 07:55

Kurt Knochner ♦
accept rate: 15%
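
The following is an added example, not part of the original question or answer: it replays the posted flag sequence against a simplified RFC 793 model of the server's connection state, to show one reading in which both resets follow from the server having fully closed the socket. It assumes that PSH marks a data-bearing segment, that the bare ACK acknowledges the server's FIN, and that nothing was lost or reordered; the function name `annotate` and the state labels are chosen here for illustration.

```python
# Flag sequence from the question (constructed as tuples; the post gave no
# lengths, sequence numbers or timestamps).
CAPTURE = [
    ("S>C", {"FIN", "PSH", "ACK"}),
    ("C>S", {"ACK"}),
    ("C>S", {"PSH", "ACK"}),
    ("S>C", {"RST", "ACK"}),
    ("C>S", {"FIN", "PSH", "ACK"}),
    ("S>C", {"RST"}),
    ("C>S", {"SYN"}),
]

def annotate(capture):
    """Track the server's TCP state (simplified RFC 793) per segment.

    Assumptions: PSH marks a data-bearing segment, the bare ACK acknowledges
    the server's FIN, and nothing was lost or reordered.
    """
    state, rows = "ESTABLISHED", []
    for direction, flags in capture:
        if direction == "S>C":
            if "RST" in flags and state == "CLOSED":
                note = "no connection state left: reset answers the stray segment"
            elif "RST" in flags:
                state, note = "CLOSED", "server aborts and discards connection state"
            elif "FIN" in flags and state == "ESTABLISHED":
                state, note = "FIN_WAIT_1", "server closes first"
            else:
                note = "ordinary segment"
        elif flags == {"SYN"}:
            state, note = "SYN_RECEIVED", "client opens a new connection"
        elif state == "CLOSED":
            note = "arrives for a closed connection: RFC 793 replies with RST"
        elif state in ("FIN_WAIT_1", "FIN_WAIT_2") and "PSH" in flags:
            note = "data after the server's FIN: rejected if the app fully closed"
        elif state == "FIN_WAIT_1" and "ACK" in flags:
            state, note = "FIN_WAIT_2", "server's FIN acknowledged"
        elif state == "FIN_WAIT_2" and "FIN" in flags:
            state, note = "TIME_WAIT", "orderly close completes"
        else:
            note = "ordinary segment"
        rows.append((direction, "/".join(sorted(flags)), state, note))
    return rows

if __name__ == "__main__":
    for row in annotate(CAPTURE):
        print("{:3}  {:13} {:13} {}".format(*row))
```

Confirming or ruling out this reading on a real capture still needs the sequence numbers, segment lengths and timestamps that the answer asks for.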