Wireshark-dev: Re: [Wireshark-dev] Expert item for TCP RST flag

From: Michael Tuexen <Michael.Tuexen@xxxxxxxxxxxxxxxxx>
Date: Thu, 9 Jan 2014 20:01:18 +0100
On Jan 9, 2014, at 4:22 PM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:

> On 01/09/2014 07:40 AM, Joerg Mayer wrote:
>> On Tue, Jan 07, 2014 at 05:09:11PM -0800, Gerald Combs wrote:
>>> On 1/7/14 4:19 PM, Joerg Mayer wrote:
>>>> Right now TCP packets with RST are marked as severity chat. Is there a reason
>>>> why this isn't warn?
>>> 
>>> Some applications use RSTs as a way to quickly close connections.
>>> Internet Explorer is probably the most common example.
>> 
>> Just curious: How does an application do that (rst instead of proper
>> fin-sequence)? Kill the process that opened the tcp socket?
> 
> By calling close() instead of shutdown() on the socket fd.
... you need to enable the liger option with a timeout of 0.
Calling close() will trigger the RST. If you call close on a
socket with an empty receiver buffer, you trigger the FIN stuff.

Best regards
Michael
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>