This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

RST after SYN -> SYN/ACK

0

Hi

I need your help: I've got a strange TCP problem...can you guys tell me why a RST is sent after the SYN, SYN/ACK?

Wireshark Screenshot

Grab the whole file here: TCP_SYN_WIRESHARK.pcap

asked 26 Jul '16, 12:40

pesc's gravatar image

pesc
11113
accept rate: 0%


One Answer:

1

That usually happens if your application developer put a socket timeout value into his code that closes the socket way too quick. Or, in case of a web browser it was closed right after calling the URL, which would also cause a socket close leading to a reset.

answered 26 Jul '16, 12:44

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Hmm, I'm using SQUID..any idea how to adjust?

(26 Jul '16, 12:54) pesc

Sorry, I don't know Squid config files that good.

(26 Jul '16, 12:56) Jasper ♦♦

ok thank you! But I'm right that no TCP (SEQ missmatch, etc...) is the problem?

(26 Jul '16, 13:00) pesc

No, TCP sequencing looks fine

(26 Jul '16, 13:02) Jasper ♦♦

Thank you Jasper!

(26 Jul '16, 13:05) pesc

But the time between SYN -> SYN/ACK is just about 200ms -> that's not abnormal, right?

(26 Jul '16, 13:10) pesc

I have a delta of about 131 milliseconds, which ain't good but also not uncommon for remote sites. Where do you see 200ms?

(26 Jul '16, 13:13) Jasper ♦♦

Yeah, I've just rounded up :) You're right, its 131 ms...could it also be a kernel issue?

(26 Jul '16, 13:15) pesc

Never seen a kernel do that on its own. It's usually an application socket shutting down which forces the kernel to send the reset packet.

(26 Jul '16, 13:23) Jasper ♦♦
showing 5 of 9 show 4 more comments