This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

RST ACK Win=0?

I'm a Systems Engineer and not a network guru, so please bear with me. Trying to figure out a major issue with inbound email attachment delivery. Our headquarters Exchange servers are unable to receive any emails with attachments. Other emails are delivered fine. Our Exchange servers at our DR site CAN receive attachments. The Exchange servers show no performance issues, and we can deliver large attachments to them fine internally. Several network devices sit in front of the Exchange boxes (firewall, IDS, load balancer, etc.) but the network team has run their own captures and say it is not a network issue. So I ran a capture on the Exchange server and sent a large attachment from the Internet.

I'm a novice at reading captures, but I see a packet highlighted in red that shows "RST,ACK" and "Win=0". This is from the sending server to our server. Is this abnormal?

asked 03 Oct '14, 13:16

SassyMoose


One Answer:

It can be, but today, in most cases it's not, especially if you're using Microsoft products. Reset packets were once used exclusively to signal connection abort due to trouble, while FIN was used for graceful shutdowns. These days, many products terminate perfectly good sessions with RST to perform a quicker shutdown compared to FIN. So you'd have to determine if there was a problem with the TCP session to tell if the RST was sent because there was a problem, or if it is just normal session termination.

BTW, TCP window size is always zero in packets with the RST flag set. That's normal, too.

answered 03 Oct '14, 16:14

Jasper ♦♦
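An added example, not part of the original answer: one way to check whether a session was already in trouble before its RST, using a heuristic assumed here (retransmitted segments, or data still unacknowledged when the reset is sent). `Pkt`, `classify_reset` and both sample flows are constructed for illustration; the tuple fields correspond to the relative sequence number, acknowledgment number and segment length that Wireshark displays.

```python
from collections import namedtuple

# One TCP segment: sender, flag letters, relative seq/ack numbers, payload length.
Pkt = namedtuple("Pkt", "src flags seq ack length")

def classify_reset(packets):
    """Inspect a single flow up to its first RST and list signs of trouble.
    The criteria are this example's heuristic, not a rule from the answer."""
    seen = set()    # (src, seq, length) of data segments already observed
    sent_end = {}   # src -> highest seq+length of data it has sent
    acked = {}      # src -> highest ack number it has sent
    retrans = 0
    for p in packets:
        if "R" in p.flags:
            others_end = max((e for s, e in sent_end.items() if s != p.src), default=0)
            others_ack = max((a for s, a in acked.items() if s != p.src), default=0)
            reasons = []
            if retrans:
                reasons.append(f"{retrans} retransmitted segment(s)")
            if acked.get(p.src, 0) < others_end:
                reasons.append("RST sender had not acknowledged all peer data")
            if others_ack < sent_end.get(p.src, 0):
                reasons.append("RST sender's own data was still unacknowledged")
            return ("abort-suspect" if reasons else "clean-teardown", reasons)
        if p.length:
            key = (p.src, p.seq, p.length)
            if key in seen:
                retrans += 1
            seen.add(key)
            sent_end[p.src] = max(sent_end.get(p.src, 0), p.seq + p.length)
        if "A" in p.flags:
            acked[p.src] = max(acked.get(p.src, 0), p.ack)
    return ("no-reset", [])

# Constructed flow: all data acknowledged both ways, then RST used as a fast close.
CLEAN = [Pkt("sender", "PA", 1, 1, 1000), Pkt("server", "A", 1, 1001, 0),
         Pkt("server", "PA", 1, 1001, 50), Pkt("sender", "A", 1001, 51, 0),
         Pkt("sender", "RA", 1001, 51, 0)]

# Constructed flow: second segment is never acknowledged, is resent twice, then RST.
STALLED = [Pkt("sender", "PA", 1, 1, 1000), Pkt("server", "A", 1, 1001, 0),
           Pkt("sender", "A", 1001, 1, 1000), Pkt("sender", "A", 1001, 1, 1000),
           Pkt("sender", "A", 1001, 1, 1000), Pkt("sender", "RA", 2001, 1, 0)]

if __name__ == "__main__":
    for name, flow in (("CLEAN", CLEAN), ("STALLED", STALLED)):
        print(name, classify_reset(flow))
```

A "clean-teardown" result only means none of these particular signs were present in the segments supplied; it does not rule out a problem that is visible only at another capture point.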