Re: How to interpret trace
From: Martin Visser <martinvisser99 () gmail com>
Date: Thu, 25 Mar 2010 14:37:26 +1100

It is 10.65.42.44 that sent the RST. You need to check the TCP ports used
to determine whether pkt 467709 was a response to 467708. (The source and
dest ports should match.) I suggest you turn OFF the Transport Name
Resolution in preferences to make it more helpful. An RST from the server
will indicate that it doesn't want you to use that connection any more.

It could also be an RST coming from the firewall in between the client and
server. This is very common if you have, say, a 60-minute TCP connection
expiry timer (the default on Cisco PIX/ASA) and the protocol being used
doesn't explicitly keep the session alive (through either application-level
polling or a TCP keep-alive). If you haven't used the TCP connection for
over an hour, the firewall will drop all knowledge of the session, and hence
your next data packet will be dropped and, if the firewall is nice (rather
than stealthy), it will tell you so via an RST.

Regards, Martin

MartinVisser99 () gmail com
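Martin's reply turns on two checks: confirm that the RST answers the TNS request by matching ports as well as addresses, and look at how long the connection sat idle before that request. The Python below is an added example (not from the thread and not Wireshark's own code) that runs both checks over a constructed three-packet summary in Wireshark's column layout; the port numbers and the earlier packet at t=10.4 s are assumptions, not values from the trace.

```python
from typing import Dict, List

# Constructed sample in Wireshark's summary-line layout, extended with the
# tcp.srcport / tcp.dstport columns (name resolution off). The last two rows
# are the packets from the question; the first row is an ASSUMED earlier
# packet on the same connection so that idle time can be measured. The port
# numbers (41873, 1521) are assumptions, not values from the thread.
TRACE = """\
467700  10.402100   10.65.85.11 41873  10.65.42.44 1521  TNS  Request, Data (6), Data
467708  620.887615  10.65.85.11 41873  10.65.42.44 1521  TNS  Request, Data (6), Data
467709  620.887860  10.65.42.44 1521   10.65.85.11 41873 TCP  [RST] Seq=1 Win=0 Len=6
"""

def parse_trace(text: str) -> List[Dict]:
    """Split each summary line into its fields; Info keeps the remaining words."""
    packets = []
    for line in text.splitlines():
        no, t, src, sport, dst, dport, proto, *info = line.split()
        packets.append({"no": int(no), "time": float(t), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "proto": proto, "info": " ".join(info)})
    return packets

def is_reply_to(pkt: Dict, prev: Dict) -> bool:
    """The reply check from the answer: addresses AND ports must be mirrored."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]) == \
           (prev["dst"], prev["dport"], prev["src"], prev["sport"])

def same_connection(a: Dict, b: Dict) -> bool:
    """True for either direction of one TCP connection (same 4-tuple)."""
    return is_reply_to(a, b) or (a["src"], a["sport"], a["dst"], a["dport"]) == \
                                (b["src"], b["sport"], b["dst"], b["dport"])

def classify_rst(packets: List[Dict], idle_timeout: float = 3600.0) -> List[Dict]:
    """For every [RST]: who sent it, which packet it answers, and how long the
    connection had been idle before that packet (the firewall-expiry hint)."""
    findings = []
    for i, pkt in enumerate(packets):
        if "[RST]" not in pkt["info"]:
            continue
        answered = next((p for p in reversed(packets[:i]) if is_reply_to(pkt, p)), None)
        idle = None
        if answered is not None:
            earlier = [p for p in packets[:packets.index(answered)] if same_connection(p, answered)]
            if earlier:
                idle = answered["time"] - earlier[-1]["time"]
        verdict = "endpoint reset" if idle is None or idle < idle_timeout \
            else "possibly middlebox reset after idle expiry"
        findings.append({"no": pkt["no"], "rst_from": pkt["src"],
                         "answers": answered["no"] if answered else None,
                         "idle_before": idle, "verdict": verdict})
    return findings
```

With the default 60-minute timer the constructed trace is classified as an endpoint reset; passing a shorter `idle_timeout` than the measured 610 s gap flips the verdict to the firewall-expiry case Martin describes.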


On Wed, Mar 24, 2010 at 1:01 AM, George Levasseur <geolev () yahoo com> wrote:

Hi,

I am unsure of how to interpret a network trace. I understand that there is
a source machine and a destination machine in the following trace snippet:

467708    620.887615    10.65.85.11    10.65.42.44    TNS    Request, Data (6), Data
467709    620.887860    10.65.42.44    10.65.85.11    TCP    ncube-lm > de-noc [RST] Seq=1 Win=0 Len=6

How should I read the above?

10.65.85.11 sends a TNS request to 10.65.42.44

Do I have that right?

I'm not sure what to make of the next line. I understand that it is a TCP
reset which means TCP detected a request on a connection that was closed. Is
that correct?

What I don't understand is, is there anything there that tells me who
closed the connection? Is it 10.65.42.44 that closed it or 10.65.85.11?

Is the second line a response to the first line?

Any help would be greatly appreciated.

Geolev




___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
