Wireshark-users: Re: [Wireshark-users] TCP Resets

From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Tue, 22 Apr 2008 06:23:20 +1000

There are several cases when tcp resets will occur

1, someone tries to connect (SYN) to a port where there is no service running and the host will respond with rst.
   i.e. you have shut down the http server application and when clients try to connect to port 80 (http port) the server sends back a rst meaning "you rang the bell but there is no one home".
   this is the most common reason you get rst packets.

2, a severe and unrecoverable tcp protocol error occurred (very very rare) and where rst means "something real bad happened in the tcp layer and I just don't think it's possible to recover. let's kill this connection and you try again and reconnect, hopefully it will work better next time."

3, a "shortcut" to close session.
   clueless (most often http) server implementations abuse rst as a "quick" way to tear down tcp connections instead of the normal fin handshake.
   this can sometimes cause "issues" and is clueless but done by some implementations as an "optimization".



On Tue, Apr 22, 2008 at 3:33 AM, St Onge,Adam <ASTONGE@xxxxxxxxxxxxx> wrote:
>
> Trying to understand what a lot of TCP Resets is indicative of?  I have a
> capture that is ~1500 frames and 85 of those are TCP.Resets.
>
> Any Ideas?
>
> Thanks,
>
> Adam
>
>
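
One way to sort a capture's resets into the cases listed in the reply above, as an added example that is not part of the original thread. The packet records, field names and labels are constructed for illustration; flags alone cannot separate case 2 from case 3, so both share one label.

```python
from collections import defaultdict, namedtuple

# flags is a string of TCP flag letters: S=SYN, A=ACK, F=FIN, R=RST, P=PSH.
Pkt = namedtuple("Pkt", "stream src flags")

# Constructed sample capture (not from the original thread).
SAMPLE = [
    Pkt(0, "client", "S"), Pkt(0, "server", "RA"),        # SYN answered by RST
    Pkt(1, "client", "S"), Pkt(1, "server", "SA"),        # handshake ...
    Pkt(1, "client", "A"), Pkt(1, "client", "PA"),        # ... request ...
    Pkt(1, "server", "PA"), Pkt(1, "server", "RA"),       # ... response, then RST
    Pkt(2, "client", "S"), Pkt(2, "server", "SA"),        # normal connection
    Pkt(2, "client", "A"), Pkt(2, "client", "FA"),        # closed with FIN,
    Pkt(2, "server", "FA"), Pkt(2, "client", "A"),        # no reset at all
    Pkt(3, "server", "R"),                                # RST with no context
]


def classify_resets(packets):
    """Map each stream that contains an RST to a label for its first RST."""
    streams = defaultdict(list)
    for p in packets:
        streams[p.stream].append(p)
    labels = {}
    for sid, pkts in streams.items():
        idx = next((i for i, p in enumerate(pkts) if "R" in p.flags), None)
        if idx is None:
            continue  # stream closed normally or is still open
        before, rst = pkts[:idx], pkts[idx]
        syn_from = {p.src for p in before if p.flags == "S"}
        synack = any(p.flags == "SA" for p in before)
        fin = any("F" in p.flags for p in before)
        if syn_from and not synack and rst.src not in syn_from:
            labels[sid] = "refused"            # case 1: no service on the port
        elif synack and not fin:
            labels[sid] = "reset-established"  # case 2 or 3: no FIN handshake
        elif fin:
            labels[sid] = "reset-after-fin"    # close had begun before the RST
        else:
            labels[sid] = "unknown"            # handshake not in the capture
    return labels


if __name__ == "__main__":
    for sid, label in sorted(classify_resets(SAMPLE).items()):
        print(sid, label)
```

Counting labels per server address and port shows whether the resets cluster on one closed port (case 1) or on one application that resets established connections.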