Wireshark-dev: Re: [Wireshark-dev] Expert item for TCP RST flag

From: Ed Beroset <beroset@xxxxxxxxxxxxxx>
Date: Thu, 9 Jan 2014 08:41:37 -0500 (GMT-05:00)
Joerg Mayer wrote:

>The reason for my question is that someone had network trouble and looked
>at the error/warning items. Had RST been at that level, he would have found
>the problem lots of work hours earlier - the RSTs were indications of a
>real problem.
>
>So the question is: Do we allow lazy application writers to "hide" indications
>of real problems in the network?

For what it's worth, I emphatically agree that RST abuse is is a problem (see RFC-3360 for still more corroboration http://tools.ietf.org/search/rfc3360).  By flagging these as warning indications rather than chat, misbehaving applications will be more apparent, but at the potential risk of flooding the poor network engineer with irrelevant data.  However, I think that it's probably data that can easily be filtered out.  For that reason, I'd strongly endorse changing them to "warning" level.

Ed