Ethereal-users: Re: Re: [Ethereal-users] Reset Cause

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 21 Apr 2004 8:53:01 +0200
Guy Harris wrote:

Subject: Re: [Ethereal-users] Reset Cause
> 
> On Tue, Apr 20, 2004 at 03:22:20PM +0200, L.Malinov wrote:
> > I'm trying to troubleshoot some TCP session resets. As far as I can see in
> > ethereal the reset causes are cki, cko, ehnc.
> 
> Ethereal itself doesn't know what the reset cause is; it's just
> displaying data in the RST segment.  There's no standard for that data -
> to quote RFC 1122:
> 
>          4.2.2.12  RST Segment: RFC-793 Section 3.4
> 
>             A TCP SHOULD allow a received RST segment to include data.
> 
>             DISCUSSION
>                  It has been suggested that a RST segment could contain
>                  ASCII text that encoded and explained the cause of the
>                  RST.  No standard has yet been established for such
>                  data.
> 
> so either
> 
> 	1) the machine sending the RST is putting those codes there, and
> 	   you'd probably have to ask whoever supplies the TCP stack for
> 	   that machine
> 
> or
> 
> 	2) it's just sending out RSTs with random junk in the segment,
> 	   in which case it doesn't mean anything.
> 
> I don't know which is the case.  Some OSes *do* put something there,
> which is why we display it; Kevin Steves of HP contributed a tcpdump
> patch to display it, which inspired me to make Ethereal display it, so
> perhaps HP-UX puts something there.  I think I might have seen it from
> some other OS as well - I think it might've been CTIX (the UNIX from
> Convergent Technologies), based on what the string was.
> 

Searching on "tcp cko" and "tcp ehnc" respectively on Google gives several hits.
I haven't looked through them enough to see if you get some good explanation about
the reason.

A few links:

http://cert.uni-stuttgart.de/archive/intrusions/2003/12/msg00085.html

http://cert.uni-stuttgart.de/archive/intrusions/2003/12/msg00081.html

http://www.dshield.org/pipermail/intrusions/2003-March/007323.php

http://archives.neohapsis.com/archives/incidents/2002-06/0177.html

http://archives.neohapsis.com/archives/sf/ids/2003-q1/0218.html
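To illustrate the point in the quoted reply that the "reset cause" is simply whatever bytes follow the TCP header in the RST segment, here is an added example (not from this thread and not Ethereal's or tcpdump's code) that extracts that data from a raw IPv4 packet and reports whether it is printable text. The names `rst_payload`, `describe` and `build` are hypothetical; the packets are constructed, unfragmented, and start at the IP header.

```python
import struct

TCP_RST = 0x04

def rst_payload(ip_packet: bytes):
    """Return the data carried by a TCP RST segment, or None if RST is not set."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip_packet, 2)[0]
    if ip_packet[9] != 6:
        raise ValueError("not TCP")
    if ihl < 20 or total_len < ihl + 20 or total_len > len(ip_packet):
        raise ValueError("truncated or malformed packet")
    # Slice by the IP total length so link-layer padding on short frames
    # is not mistaken for RST data.
    tcp = ip_packet[ihl:total_len]
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp):
        raise ValueError("bad TCP data offset")
    if not tcp[13] & TCP_RST:
        return None
    return tcp[data_offset:]

def describe(payload):
    """Summarise RST data; there is no standard for its meaning (RFC 1122 4.2.2.12)."""
    if payload is None:
        return "not a RST"
    if not payload:
        return "RST without data"
    if all(0x20 <= b < 0x7F for b in payload):
        return "RST cause text: " + payload.decode("ascii")
    return "RST with non-text data: " + payload.hex()

def build(flags: int, data: bytes, pad: bytes = b"") -> bytes:
    """Constructed sample packet: 20-byte IPv4 + 20-byte TCP header, checksums left at 0."""
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, 5 << 4, flags, 0, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp + pad

if __name__ == "__main__":
    for pkt in (build(0x14, b"cko"),              # RST|ACK carrying a text code
                build(0x04, b"", b"\x00" * 6),    # bare RST plus frame padding
                build(0x04, b"\x00\xff"),         # RST with non-text bytes
                build(0x10, b"hello")):           # plain ACK, not a reset
        print(describe(rst_payload(pkt)))
```
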