I'm troubleshooting an issue and it seems the receiver is not handling a RST packet. In this case the client sends a frame of data and then a frame with FIN set. The server responds with a couple of frames with data. This data triggers the client to send a RST. Should the sequence number of this RST be the same as the sequence number of the FIN? Or should it be increased by one, as the FIN takes one "phantom" byte?
Should the sequence number of the RST be X or X+1?
asked 12 Dec '11, 09:41
edited 12 Dec '11, 12:09
Besides that this is dependent on the FIN being inside the final data packet (piggybacked), in your case, where there seems to be no TCP data inside the client FIN, the no-data containing FIN packet counts as this one phantom byte.
So in your case the RST should have a sequence number +1 higher than inside the FIN if(!) the FIN got acked previously.
Edit on new thoughts based on the CloudShark post: From what I see there, let me summarize the key points:
Actually I would expect the server's stack behaviour to be normal for preventing RST spoofing attacks in some way. He is perfectly sticking to the specs, at least from my point of view.
answered 12 Dec '11, 11:45
edited 12 Dec '11, 15:33
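
The sequence arithmetic discussed in this thread, as an added example that is not part of the original posts. It assumes the receiver validates RSTs as RFC 793 tightened by RFC 5961 describes (exact match on RCV.NXT resets, an in-window mismatch gets a challenge ACK, anything else is dropped); the thread does not say which rule the server in question applies, and all function names and sample values are constructed.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_after(seq, payload_len=0, syn=False, fin=False):
    """Next sequence number after a segment.

    Payload bytes each consume one number; SYN and FIN consume one each
    (the "phantom" byte from the question).
    """
    return (seq + payload_len + int(syn) + int(fin)) % MOD


def classify_rst(rst_seq, rcv_nxt, rcv_wnd):
    """What an RFC 5961 style receiver does with an incoming RST."""
    if rst_seq == rcv_nxt:
        return "reset"          # exact match: connection is torn down
    if (rst_seq - rcv_nxt) % MOD < rcv_wnd:
        return "challenge_ack"  # in window but not exact: ACK, no reset
    return "drop"               # outside the window: silently ignored


def rst_outcomes(fin_seq, rcv_wnd, fin_processed):
    """Compare a RST sent with seq X (the FIN's own seq) against X+1.

    fin_processed says whether the receiver has already consumed the
    data-less FIN, which moves its RCV.NXT from X to X+1.
    """
    x_plus_1 = seq_after(fin_seq, fin=True)
    rcv_nxt = x_plus_1 if fin_processed else fin_seq
    return {
        "X": classify_rst(fin_seq, rcv_nxt, rcv_wnd),
        "X+1": classify_rst(x_plus_1, rcv_nxt, rcv_wnd),
    }


if __name__ == "__main__":
    # Constructed values: FIN with no payload at seq 1000, 64 KiB window.
    for processed in (True, False):
        print("FIN processed:", processed, rst_outcomes(1000, 65535, processed))
    # Constructed wraparound case: FIN at the top of the sequence space.
    print("wraparound:", rst_outcomes(0xFFFFFFFF, 65535, True))
```

Under these assumptions, once the FIN has been consumed a RST carrying X sits just below the window and is ignored, which matches the symptom of a receiver that appears not to handle the RST.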