This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

[RST , ACK] after [FIN , ACK] by client: is it normal?

0

Sorry for my question, I'm studying my TCP/IP connection with Wireshark (first time). This is the packet log:

    No. Time Source Destination Protocol Length Info
    404 10.145072000 192.168.1.2 173.194.112.111 TCP 54 aker-cdp > https [ACK] Seq=682 Ack=76019 Win=65536 Len=0
    405 10.350617000 192.168.1.2 173.194.112.104 TCP 54 qadmifevent > https [FIN, ACK] Seq=357 Ack=4604 Win=65266 Len=0
    406 10.350661000 192.168.1.2 173.194.112.104 TCP 54 qadmifevent > https [RST, ACK] Seq=358 Ack=4604 Win=0 Len=0
    407 10.350857000 192.168.1.2 173.194.112.111 TCP 54 lsi-raid-mgmt > https [FIN, ACK] Seq=357 Ack=3828 Win=65266 Len=0
    408 10.350876000 192.168.1.2 173.194.112.111 TCP 54 lsi-raid-mgmt > https [RST, ACK] Seq=358 Ack=3828 Win=0 Len=0
    409 10.351015000 192.168.1.2 173.194.112.119 TCP 54 seaodbc > https [FIN, ACK] Seq=357 Ack=3828 Win=64568 Len=0
    410 10.351033000 192.168.1.2 173.194.112.119 TCP 54 seaodbc > https [RST, ACK] Seq=358 Ack=3828 Win=0 Len=0
    411 10.385748000 173.194.112.104 192.168.1.2 TCP 60 https > qadmifevent [FIN, ACK] Seq=4604 Ack=358 Win=45056 Len=0
    412 10.388933000 173.194.112.111 192.168.1.2 TCP 60 https > lsi-raid-mgmt [FIN, ACK] Seq=3828 Ack=358 Win=45056 Len=0

asked 24 Dec '15, 10:37

wjll

edited 24 Dec '15, 14:01

grahamb ♦


One Answer:

1

Let me format your log for you. (Kindly try to give packets in formatted form.)

192.168.1.2 173.194.112.111 TCP 54 aker-cdp > https [ACK] Seq=682 Ack=76019 Win=65536 Len=0 
192.168.1.2 173.194.112.104 TCP 54 qadmifevent > https [FIN, ACK] Seq=357 Ack=4604 Win=65266 Len=0 
192.168.1.2 173.194.112.104 TCP 54 qadmifevent > https [RST, ACK] Seq=358 Ack=4604 Win=0 Len=0 
192.168.1.2 173.194.112.111 TCP 54 lsi-raid-mgmt > https [FIN, ACK] Seq=357 Ack=3828 Win=65266 Len=0 
192.168.1.2 173.194.112.111 TCP 54 lsi-raid-mgmt > https [RST, ACK] Seq=358 Ack=3828 Win=0 Len=0 
192.168.1.2 173.194.112.119 TCP 54 seaodbc > https [FIN, ACK] Seq=357 Ack=3828 Win=64568 Len=0 
192.168.1.2 173.194.112.119 TCP 54 seaodbc > https [RST, ACK] Seq=358 Ack=3828 Win=0 Len=0 
173.194.112.104 192.168.1.2 TCP 60 https > qadmifevent [FIN, ACK] Seq=4604 Ack=358 Win=45056 Len=0
173.194.112.111 192.168.1.2 TCP 60 https > lsi-raid-mgmt [FIN, ACK] Seq=3828 Ack=358 Win=45056 Len=0

This behavior is not RFC compliant, but it seems that google.com (Dst IPs belong to Google) is not willing to terminate the connection gracefully, maybe because of excessive load on its servers. This behavior is tolerable.

answered 24 Dec '15, 11:06

Muhammad Irshad

edited 24 Dec '15, 14:01

grahamb ♦

Thanks so much and sorry for my format. I noticed this behavior with Facebook IP Dst.

(24 Dec '15, 11:45) wjll

To use a fixed-width format for code or a packet dump, either use the code button on the toolbar, add <code>, </code> tags or indent by 4 spaces.

(24 Dec '15, 14:03) grahamb ♦
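
As an added example (not part of the original posts, and not Wireshark's own code), the Python below parses the packet lines quoted in the question, groups them per connection, and reports for each FIN that is followed by an RST which endpoint sent the RST, how many microseconds after its FIN, and whether the peer's FIN had already been captured. The function names `parse` and `fin_then_rst` are made up for this example, and it assumes Wireshark's default summary columns.

```python
import re
from collections import defaultdict
from decimal import Decimal
# Packet lines from the question on this page; columns: No. Time Source Destination Protocol Length Info
CAPTURE = """\
404 10.145072000 192.168.1.2 173.194.112.111 TCP 54 aker-cdp > https [ACK] Seq=682 Ack=76019 Win=65536 Len=0
405 10.350617000 192.168.1.2 173.194.112.104 TCP 54 qadmifevent > https [FIN, ACK] Seq=357 Ack=4604 Win=65266 Len=0
406 10.350661000 192.168.1.2 173.194.112.104 TCP 54 qadmifevent > https [RST, ACK] Seq=358 Ack=4604 Win=0 Len=0
407 10.350857000 192.168.1.2 173.194.112.111 TCP 54 lsi-raid-mgmt > https [FIN, ACK] Seq=357 Ack=3828 Win=65266 Len=0
408 10.350876000 192.168.1.2 173.194.112.111 TCP 54 lsi-raid-mgmt > https [RST, ACK] Seq=358 Ack=3828 Win=0 Len=0
409 10.351015000 192.168.1.2 173.194.112.119 TCP 54 seaodbc > https [FIN, ACK] Seq=357 Ack=3828 Win=64568 Len=0
410 10.351033000 192.168.1.2 173.194.112.119 TCP 54 seaodbc > https [RST, ACK] Seq=358 Ack=3828 Win=0 Len=0
411 10.385748000 173.194.112.104 192.168.1.2 TCP 60 https > qadmifevent [FIN, ACK] Seq=4604 Ack=358 Win=45056 Len=0
412 10.388933000 173.194.112.111 192.168.1.2 TCP 60 https > lsi-raid-mgmt [FIN, ACK] Seq=3828 Ack=358 Win=45056 Len=0
"""
LINE = re.compile(r"\d+ (?P<time>[\d.]+) (?P<src>\S+) (?P<dst>\S+) TCP \d+ (?P<sport>\S+)"
                  r" > (?P<dport>\S+) \[(?P<flags>[^\]]+)\] Seq=(?P<seq>\d+)")

def parse(text):
    """Yield one dict per packet line that matches the column layout above."""
    for m in filter(None, map(LINE.match, map(str.strip, text.splitlines()))):
        d = m.groupdict()
        d["flags"] = set(d["flags"].replace(" ", "").split(","))
        d["time"], d["seq"] = Decimal(d["time"]), int(d["seq"])
        yield d

def fin_then_rst(packets):
    """Per connection, report each FIN that the same endpoint follows with an RST."""
    flows = defaultdict(list)
    for p in packets:
        # Direction-independent key, so both sides of a connection group together.
        flows[frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])].append(p)
    findings = []
    for pkts in flows.values():
        for i, fin in enumerate(pkts):
            rst = next((q for q in pkts[i + 1:] if "FIN" in fin["flags"]
                        and "RST" in q["flags"] and q["src"] == fin["src"]), None)
            if rst:
                findings.append({
                    "rst_sender": rst["src"], "peer": rst["dst"],
                    "gap_us": int((rst["time"] - fin["time"]) * 1_000_000),
                    "seq_is_fin_plus_1": rst["seq"] == fin["seq"] + 1,
                    # True only if the peer's FIN was captured before the RST was sent.
                    "peer_fin_first": any("FIN" in q["flags"] and q["src"] != rst["src"]
                                          and q["time"] < rst["time"] for q in pkts),
                })
    return findings

if __name__ == "__main__":
    print(*fin_then_rst(parse(CAPTURE)), sep="\n")
```

On this capture it reports three connections, each with the RST sent by 192.168.1.2 within 44, 19 and 18 microseconds of its own FIN, before any FIN from the peer was captured.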