This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using Wireshark I produced the following trace.

My question is, how do I determine why the host 10.0.10.110 sends the first RST,ACK in 222? Additionally, why does the server send three RST,ACK (222, 226, and 228) before it sends a SYN in 229?

220 484.990061  10.0.10.115 10.0.10.110 TCP 263 10001 → 51020 [PSH, ACK] Seq=26523 Ack=1 Win=2047 Len=209

221 485.199823 10.0.10.110 10.0.10.115 TCP 54 51020 → 10001 [ACK] Seq=1 Ack=26732 Win=4053 Len=0

222 488.965709 10.0.10.110 10.0.10.115 TCP 54 51020 → 10001 [RST, ACK] Seq=1 Ack=26732 Win=0 Len=0

223 489.765740 Pronet_ec:0e:2b Broadcast ARP 60 Who has 10.0.10.110? Tell 10.0.10.115

224 489.765773 Dell_80:e0:60 Pronet_ec:0e:2b ARP 42 10.0.10.110 is at b8:ca:3a:80:e0:60

225 489.795624 10.0.10.115 10.0.10.110 TCP 60 10001 → 10001 [SYN] Seq=0 Win=2047 Len=0 MSS=1400

226 489.795667 10.0.10.110 10.0.10.115 TCP 54 10001 → 10001 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

227 490.065686 10.0.10.115 10.0.10.110 TCP 60 [TCP Port numbers reused] 10001 → 10001 [SYN] Seq=0 Win=2047 Len=0 MSS=1400

228 490.065733 10.0.10.110 10.0.10.115 TCP 54 10001 → 10001 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

229 494.704070 10.0.10.110 10.0.10.115 TCP 66 51050 → 10001 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

230 494.704856 10.0.10.115 10.0.10.110 TCP 60 10001 → 51050 [SYN, ACK] Seq=0 Ack=1 Win=2047 Len=0 MSS=1400

231 494.704870 10.0.10.110 10.0.10.115 TCP 54 51050 → 10001 [ACK] Seq=1 Ack=1 Win=64400 Len=0

232 494.992380 10.0.10.115 10.0.10.110 TCP 263 10001 → 51050 [PSH, ACK] Seq=1 Ack=1 Win=2047 Len=209

233 495.195210 10.0.10.110 10.0.10.115 TCP 54 51050 → 10001 [ACK] Seq=1 Ack=210 Win=64191 Len=0

Here is what is happening -- the client (10.0.10.115) is pushing data to the server (10.0.10.110). The server acknowledges it, which is the normal communication flow. 220 and 221 show the normal flow. 222 shows that the server sends an RST,ACK. 225 shows the client responding with a SYN. In 226, the server sends another RST,ACK to which the client responds with another SYN (227). The server sends another RST,ACK in 228 and the client sends another SYN (229). At that point, the server sends a SYN,ACK in 230, and the client responds with an ACK in 231. 232 and 233 show normal communication flow.

asked 26 May '17, 15:23

randy_ynchausti

edited 27 May '17, 01:29

Jasper ♦♦


The RST,ACK in 222 is probably a normal session termination thing, which is kind of common now (instead of using FIN-ACK-FIN-ACK, which is slower).

The other resets are most likely caused by the fact that the client is trying to reuse the same socket pair again - normally, the client should use a different ephemeral port for each connection it starts. If the socket pairs are reused too soon you'll get a reset because the server stack doesn't accept a new connection yet that has the same IP and port pairs until some time has passed.


answered 27 May '17, 01:34

Jasper ♦♦
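To check a reading of the trace like the one in the answer above, this added example (not part of the original thread) parses the packet-list lines from the question and labels every RST and bare SYN by what preceded it on the same address/port pair. The function name and the kind labels are assumptions of this example; the frames are copied from the question with the ARP frames and later data frames omitted.

```python
import re

# Frames copied from the trace in the question (ARP and later data frames omitted).
TRACE = """\
220 484.990061  10.0.10.115 10.0.10.110 TCP 263 10001 → 51020 [PSH, ACK] Seq=26523 Ack=1 Win=2047 Len=209
221 485.199823 10.0.10.110 10.0.10.115 TCP 54 51020 → 10001 [ACK] Seq=1 Ack=26732 Win=4053 Len=0
222 488.965709 10.0.10.110 10.0.10.115 TCP 54 51020 → 10001 [RST, ACK] Seq=1 Ack=26732 Win=0 Len=0
225 489.795624 10.0.10.115 10.0.10.110 TCP 60 10001 → 10001 [SYN] Seq=0 Win=2047 Len=0 MSS=1400
226 489.795667 10.0.10.110 10.0.10.115 TCP 54 10001 → 10001 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
227 490.065686 10.0.10.115 10.0.10.110 TCP 60 [TCP Port numbers reused] 10001 → 10001 [SYN] Seq=0 Win=2047 Len=0 MSS=1400
228 490.065733 10.0.10.110 10.0.10.115 TCP 54 10001 → 10001 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
229 494.704070 10.0.10.110 10.0.10.115 TCP 66 51050 → 10001 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
230 494.704856 10.0.10.115 10.0.10.110 TCP 60 10001 → 51050 [SYN, ACK] Seq=0 Ack=1 Win=2047 Len=0 MSS=1400
"""

LINE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+TCP\s+\d+\s+"
                  r"(?:\[[^\]]*\]\s+)?(\d+) → (\d+) \[([^\]]+)\]")

def classify(trace):
    """Return (frame, sender, kind, detail) for every bare SYN and every RST."""
    last = {}          # conversation -> (frame, time, sender, flags) of previous packet
    syn_seen = set()   # conversations that already carried a bare SYN
    out = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # not a TCP summary line (e.g. ARP)
        no, t, src, dst, sport, dport, flags = m.groups()
        no, t, flags = int(no), float(t), set(flags.split(", "))
        sender = f"{src}:{sport}"
        conv = frozenset((sender, f"{dst}:{dport}"))   # direction-independent key
        prev = last.get(conv)
        if flags == {"SYN"}:
            kind = "syn-reused-4tuple" if conv in syn_seen else "syn-new-4tuple"
            out.append((no, sender, kind, None))
            syn_seen.add(conv)
        elif "RST" in flags:
            if prev and prev[3] == {"SYN"} and prev[2] != sender:
                out.append((no, sender, "rst-answers-syn", prev[0]))   # detail: SYN frame
            elif prev:
                out.append((no, sender, "rst-on-open-flow", round(t - prev[1], 3)))  # idle s
            else:
                out.append((no, sender, "rst-no-context", None))
        last[conv] = (no, t, sender, flags)
    return out

if __name__ == "__main__":
    for row in classify(TRACE):
        print(row)
```

On this trace, frame 222 is labelled a reset of the open 10001/51020 connection about 3.8 s after the last ACK, 226 and 228 are labelled immediate answers to the SYNs in 225 and 227, and 227 repeats the address/port pair of 225, matching Wireshark's "TCP Port numbers reused" note.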
