Unexpected RST-ACK Why

Using Wireshark I produced the following trace.

My question is, how do I determine why the host 10.0.10.110 sends the first RST,ACK in 222? Additionally, why does the server send three RST,ACK (222, 226, and 228) before it sends a SYN in 229?

220 484.990061  10.0.10.115 10.0.10.110 TCP 263 10001 → 51020 [PSH, ACK] Seq=26523 Ack=1 Win=2047 Len=209
221 485.199823  10.0.10.110 10.0.10.115 TCP 54  51020 → 10001 [ACK] Seq=1 Ack=26732 Win=4053 Len=0
222 488.965709  10.0.10.110 10.0.10.115 TCP 54  51020 → 10001 [RST, ACK] Seq=1 Ack=26732 Win=0 Len=0
223 489.765740  Pronet_ec:0e:2b Broadcast   ARP 60  Who has 10.0.10.110? Tell 10.0.10.115
224 489.765773  Dell_80:e0:60   Pronet_ec:0e:2b ARP 42  10.0.10.110 is at b8:ca:3a:80:e0:60
225 489.795624  10.0.10.115 10.0.10.110 TCP 60  10001 → 10001 [SYN] Seq=0 Win=2047 Len=0 MSS=1400
226 489.795667  10.0.10.110 10.0.10.115 TCP 54  10001 → 10001 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
227 490.065686  10.0.10.115 10.0.10.110 TCP 60  [TCP Port numbers reused] 10001 → 10001 [SYN] Seq=0 Win=2047 Len=0 MSS=1400
228 490.065733  10.0.10.110 10.0.10.115 TCP 54  10001 → 10001 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
229 494.704070  10.0.10.110 10.0.10.115 TCP 66  51050 → 10001 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
230 494.704856  10.0.10.115 10.0.10.110 TCP 60  10001 → 51050 [SYN, ACK] Seq=0 Ack=1 Win=2047 Len=0 MSS=1400
231 494.704870  10.0.10.110 10.0.10.115 TCP 54  51050 → 10001 [ACK] Seq=1 Ack=1 Win=64400 Len=0
232 494.992380  10.0.10.115 10.0.10.110 TCP 263 10001 → 51050 [PSH, ACK] Seq=1 Ack=1 Win=2047 Len=209
233 495.195210  10.0.10.110 10.0.10.115 TCP 54  51050 → 10001 [ACK] Seq=1 Ack=210 Win=64191 Len=0

Here is what is happening -- the client (10.0.10.115) is pushing data to the server (10.0.10.110). The server acknowledges it, which is the normal communication flow. 220 and 221 show the normal flow. 222 shows that the server sends an RST,ACK. 225 shows the client responding with a SYN. In 226, the server sends another RST,ACK to which the client responds with another SYN (227). The server sends another RST,ACK in 228 and the client sends another SYN (229). At that point, the server sends a SYN,ACK in 230, and the client responds with an ACK in 231. 232 and 233 show normal communication flow.

asked 26 May '17, 15:23

randy_ynchausti

edited 27 May '17, 01:29

Jasper ♦♦

One Answer:

The RST,ACK in 222 is probably a normal session termination thing, which is kind of common now (instead of using FIN-ACK-FIN-ACK, which is slower).

The other resets are most likely caused by the fact that the client is trying to reuse the same socket pair again - normally, the client should use a different ephemeral port for each connection it starts. If the socket pairs are reused too soon you'll get a reset because the server stack doesn't accept a new connection yet that has the same IP and port pairs until some time has passed.

answered 27 May '17, 01:34

Jasper ♦♦
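To separate the two cases the answer distinguishes (a reset on an existing flow versus a reset answering a SYN that repeats an address/port pair), the following added example, which is not part of the original question or answer, labels every RST and bare SYN in frames 221-229 of the trace. The label names and the `reuse_window` value are assumptions made for illustration, and the parser only understands the packet-list text layout shown in the question.

```python
import re

# Frames 221-229 copied from the trace in the question (Wireshark packet-list text).
TRACE = """\
221 485.199823  10.0.10.110 10.0.10.115 TCP 54  51020 → 10001 [ACK] Seq=1 Ack=26732 Win=4053 Len=0
222 488.965709  10.0.10.110 10.0.10.115 TCP 54  51020 → 10001 [RST, ACK] Seq=1 Ack=26732 Win=0 Len=0
223 489.765740  Pronet_ec:0e:2b Broadcast   ARP 60  Who has 10.0.10.110? Tell 10.0.10.115
224 489.765773  Dell_80:e0:60   Pronet_ec:0e:2b ARP 42  10.0.10.110 is at b8:ca:3a:80:e0:60
225 489.795624  10.0.10.115 10.0.10.110 TCP 60  10001 → 10001 [SYN] Seq=0 Win=2047 Len=0 MSS=1400
226 489.795667  10.0.10.110 10.0.10.115 TCP 54  10001 → 10001 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
227 490.065686  10.0.10.115 10.0.10.110 TCP 60  [TCP Port numbers reused] 10001 → 10001 [SYN] Seq=0 Win=2047 Len=0 MSS=1400
228 490.065733  10.0.10.110 10.0.10.115 TCP 54  10001 → 10001 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
229 494.704070  10.0.10.110 10.0.10.115 TCP 66  51050 → 10001 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
"""

ROW = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+TCP\s+\d+\s+"
                 r"(?:\[[^\]]*\]\s+)?(\d+)\s+→\s+(\d+)\s+\[([^\]]+)\]")

def analyze(text, reuse_window=60.0):  # reuse_window (seconds) is an assumed value
    """Label every RST and bare SYN; returns a list of (frame, label, detail)."""
    out, last_pkt, last_syn = [], {}, {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # ARP and other non-TCP rows
        no, t, src, dst, sport, dport, flagstr = m.groups()
        no, t = int(no), float(t)
        flags = {f.strip() for f in flagstr.split(",")}
        tup = (src, sport, dst, dport)                      # directional 4-tuple
        flow = frozenset({(src, sport), (dst, dport)})      # same flow, either direction
        prev = last_pkt.get(flow)  # (frame, time, flags, sender) of previous packet on flow
        if "RST" in flags:
            if prev and prev[2] == {"SYN"} and prev[3] != src:
                out.append((no, "rst_rejects_syn", f"answers SYN in frame {prev[0]}"))
            else:
                idle = t - prev[1] if prev else 0.0
                out.append((no, "rst_aborts_flow", f"{idle:.2f}s after last packet on flow"))
        elif flags == {"SYN"}:
            seen = last_syn.get(tup)
            if seen and t - seen[1] <= reuse_window:
                out.append((no, "syn_reuses_tuple", f"same 4-tuple as frame {seen[0]}"))
            else:
                out.append((no, "syn_new_tuple", f"{src}:{sport} -> {dst}:{dport}"))
            last_syn[tup] = (no, t)
        last_pkt[flow] = (no, t, flags, src)
    return out

if __name__ == "__main__":
    print(*analyze(TRACE), sep="\n")
```

The output also shows which host sent each SYN and from which source port, which is the detail to compare against the roles assumed when reading the trace.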