Hi, I have a problem with a tcp connection and I'm trying to figure if the problem comes from the client or the server side. After a request is sent by the client, the server responds with ACK and the client starts sending a lot of RST packets, causing the server to be unreachable (I have to manually reboot it). Here is a capture of the wireshark trace. I notice the server never sends a FIN packet, is it required? Also, is it normal for a client to send that amount o RST packet? Thanks for your help, asked 08 Mar '17, 14:26  mgregoire |
One Answer:
Looks like a completely chaotic server reaction to me. All the packets from 192.168.71.9 have a TCP window value of zero (even though Wireshark only marks some of them). Also, the TCP sequence number of the Server jumps from 38 to 1091042821 (both relative). The packets of length 232 from 192.168.71.9 are interesting as well, as they contain alphabetical characters like in a ping payload - this doesn't look good to me, more like a faulty device, maybe even leaking arbitrary memory (which would be very uh-oh...). As far as I can tell there's no hop between the two according to the TTLs being 128 and 64 (Windows Client and Linux Server would be my guess, but that's not very exact, of course). Verdict: the server TCP stack seems to have gone completely nuts, for unknown reasons (maybe a damaged network card, broken drivers, etc) answered 09 Mar '17, 06:44  Jasper ♦♦ edited 09 Mar '17, 06:45 It looks really strange, there is a is completed FIN and after that this: (09 Mar '17, 06:58) Christian_R I think the stack is nuts, plain and simple :-) (09 Mar '17, 07:00) Jasper ♦♦ @Jasper the SEQ seems O.K. this is a correct mislead by the relative view. Because the session is correctly closed for the Wireshark point of view. (09 Mar '17, 07:02) Christian_R @Christian_R Oh, bugger... yes, you're correct, so it's a Wireshark display error... the stack is still crazy :-) (09 Mar '17, 07:04) Jasper ♦♦ @Jasper: But have no explanation for the crazy behaviour. And I think, too, that the most reasonable cause is a corrupted stack. (09 Mar '17, 07:07) Christian_R Ok I will check on the server side, from what I understand it might be malfunctioning... Thanks a lot for your input! (10 Mar '17, 06:16) mgregoire showing 5 of 6 show 1 more comments |
Looks strange is there a Firewall in between. Could you provide us the trace https://blog.packet-foo.com/2016/11/the-wireshark-qa-trace-file-sharing-tutorial/
You can download the trace here : https://exoc-my.sharepoint.com/personal/mgregoire_exoc_onmicrosoft_com/_layouts/15/guestaccess.aspx?docid=059fc6be222034e34bf5044f28a016a88&authkey=AWtZ0JjakF9PAyNe6jzw4Nw
The 2 devices are connected to a Cisco SG300 managed switch on my local network. From what I know, there's know firewall between.