This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Which TCP Packet does reset the connection ?

0

I´ve got the following TCP-package:

009:38:03.287348 ftp.rus.universityA.com.ftp-data > IPLab.IT.universityB.com.49638: . 62265:63713(1448) ack 1 win 5840 <nop,nop,timestamp 126527920="" 492903732=""> (DF) [tos 0x8] (ttl 45, id 43158, len 1500)

and I have to figure out, why the next package is aborting/reseting the connection:

09:38:03.287459 IPLab.IT.universityB.com.49638 > ftp.rus.universityA.com.ftp-data: R. [tcp sum ok] ack 63713 win 63712 <nop,nop,timestamp 492903735="" 126527917,nop,nop,sack="" sack="" 1="" {65161:65537}=""> (DF) [tos 0x8] (ttl 64, id 424, len 64)

This is part of an old exam I am trying to solve. There were other packages but I think I already proved them wrong (ACK-number wasn´t right, wrong source port etc.)
What I dont understand is, all of them carry the "SEQ-Number"(63713) of the first package -1 as "Windows-Size" (63712). The original Windows-Size was 5840.

Also at first I was looking for a "RST"-Flag but they all got "ACK". So I am kind of confused, why the connection would be reseted.

Is the connection being reseted because the "Don´t fragment(DF)"-Flag is set and the Windows-Size way too large ?

Happy New Year
peacemaker

asked 01 Jan '17, 08:35

peacemaker's gravatar image

peacemaker
11225
accept rate: 100%

edited 01 Jan '17, 12:54

grahamb's gravatar image

grahamb ♦
19.8k330206


One Answer:

0

My bad guys, I just found more information on the back page:

4508 0040 01a8 4000 4006 c696 c1af 2cfa
8145 0283 c1e6 0014 15fd 1cae 04fc fad7
b014 f8e0 e899 0000 0101 080a 1d61 1d37
078a a9ad 0101 050a 04fd 007f 04fd 01f7
is also given.

Version = IPv4
IHL = 5 , so the Header is 160 bit (20byte) Protocol = 06, TCP
Because I want to know the TCP-Flags, I ignore the first 20bytes(IP-Header). So the TCP-Package starts at "c1e6", wich is my source-port 49638. The TCP-Flags are the last 6 bits at "b014". 014 in Binary is 0000 0001 0100, so the last 6 bits are 010100.
URG = 0
ACK = 1
PSH = 0
RST = 1
SYN = 0
FIN = 0

Finaly I understand why the Connection is reseted [RST] :)

greetings
peacemaker

answered 02 Jan '17, 05:52

peacemaker's gravatar image

peacemaker
11225
accept rate: 100%