tcpdump on r81.10
Hi All,
I have a Checkpoint R81.10 gateway, and one of the servers is behind this gateway. There is an issue with the communication between two servers, and I took a TCP dump. When I open the captured data, there are a lot of TCP flags with reset [RST, ACK]. My question is, how do I know whether the reset is from the source side or the destination side, and what could be the possible reason behind this?
FYI I have attached the screenshot
Hi,
One reason for RST, ACK is the destination server isn't listening through the port the source attacked. Check it out with netstat.
Regards
@Franktum Yes, I did that, and the server is listening on that port.
Can you email me directly and we can connect? That way you can email me the file and I'm happy to check it for you. Hard to answer that question via screenshot.
Andy
Just messaged you directly.
Andy
What it appears to mean is that previously sent data is acknowledged, but the connection is closing with a reset.
That would imply it's coming from the source.
See: https://networkengineering.stackexchange.com/questions/2012/why-do-i-see-a-rst-ack-packet-instead-of...
RST is a more tough way to end a session.
Sender sends: RST
Receiver sends RST (ACK) back; the receiver tells the sender he acknowledges the RST packet.
Therefore the connection will be closed.
A better way would be FIN -> FIN ACK; that is a better way to close, but some systems do it differently.
RESET could also be an indication that the port you try to connect to is closed.
If you like this post please give a thumbs up(kudo)! 🙂
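To answer the question that opens this thread from the capture itself, the following added example (not code from any poster or from Check Point) reads `tcpdump -nn` text output and reports, for each RST, which endpoint's address is the packet's source, whether that endpoint was the one that sent the SYN, and whether the handshake had completed. The sample lines, addresses, ports and the function name `find_resets` are constructed for illustration.

```python
import re

# Constructed sample of `tcpdump -nn` text output; all addresses/ports are made up.
SAMPLE = """\
10:00:00.000001 IP 10.1.1.10.51514 > 10.2.2.20.8443: Flags [S], seq 1000, win 64240, length 0
10:00:00.000300 IP 10.2.2.20.8443 > 10.1.1.10.51514: Flags [R.], seq 0, ack 1001, win 0, length 0
10:00:05.000001 IP 10.1.1.10.51520 > 10.2.2.20.443: Flags [S], seq 2000, win 64240, length 0
10:00:05.000200 IP 10.2.2.20.443 > 10.1.1.10.51520: Flags [S.], seq 9000, ack 2001, win 65160, length 0
10:00:05.000400 IP 10.1.1.10.51520 > 10.2.2.20.443: Flags [.], ack 9001, win 502, length 0
10:00:05.020000 IP 10.1.1.10.51520 > 10.2.2.20.443: Flags [R.], seq 2001, ack 9001, win 0, length 0
"""

# host.port > host.port: Flags [..]  (IPv4 form printed by tcpdump -nn)
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def find_resets(text):
    """Return one record per RST segment: who sent it and at what stage."""
    initiator = {}       # flow -> endpoint that sent the bare SYN
    established = set()  # flows where a SYN-ACK has been seen
    resets = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip non-TCP or unparsable lines
        src, sport, dst, dport, flags = m.groups()
        sender, receiver = f"{src}:{sport}", f"{dst}:{dport}"
        flow = frozenset((sender, receiver))  # same key for both directions
        if flags == "S":
            initiator[flow] = sender
            established.discard(flow)  # port reuse starts a new connection
        elif flags == "S.":
            established.add(flow)
        elif "R" in flags:
            # The reset's sender is the source address of the packet carrying R.
            client = initiator.get(flow)
            role = "unknown" if client is None else (
                "client" if sender == client else "server")
            phase = "after handshake" if flow in established else "during handshake"
            resets.append({"sender": sender, "role": role,
                           "phase": phase, "flags": flags})
    return resets


if __name__ == "__main__":
    for r in find_resets(SAMPLE):
        print(f"{r['flags']:3} from {r['sender']} ({r['role']}), {r['phase']}")
```

The source address identifies only the apparent sender of a reset; comparing captures taken on both sides of the gateway shows whether the packet actually crossed it.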
