Ihenock1011
Advisor

tcpdump on r81.10

Hi All,

I have a Checkpoint R81.10 gateway, and one of the servers is behind this gateway. There is an issue with the communication between two servers, and I took a TCP dump. When I open the captured data, there are a lot of TCP flags with reset [RST, ACK]. My question is, how do I know whether the reset is from the source side or the destination side, and what could be the possible reason behind this?

FYI I have attached the screenshot 

0 Kudos
6 Replies
Franktum
Contributor

Hi,

One reason for RST, ACK is the destination server isn't listening through the port the source attacked. Check it out with netstat.

Regards

0 Kudos
Ihenock1011
Advisor

@Franktum Yes, I did that, and the server is listening on that port.

0 Kudos
the_rock
Legend

Can you email me directly and we can connect? That way you can email me the file and I'm happy to check it for you. Hard to answer that question via screenshot.

Andy

the_rock
Legend

Just messaged you directly.

Andy

0 Kudos
PhoneBoy
Admin

What it appears to mean is that previously sent data is acknowledged, but the connection is closing with a reset.
That would imply it's coming from the source.
See: https://networkengineering.stackexchange.com/questions/2012/why-do-i-see-a-rst-ack-packet-instead-of... 

0 Kudos
Lesley
Leader

RST is a tougher way to end a session.

sender sends: RST

receiver sends RST (ACK) back, receiver tells the sender he acknowledges the RST packet.

Therefore the connection will be closed.

A better way would be FIN -> FIN ACK; that is a better way to close, but some systems do it differently.

RESET could also be an indication that the port you try to connect to is closed.

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
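
For the original question of which side sent the reset, here is an added example (not part of any reply above and not Check Point code) that reads `tcpdump -nn` text output, takes the sender of the bare SYN as the client, and reports for each RST who sent it and whether it came before or after the SYN-ACK. The sample lines are constructed and the names `find_resets` and `Reset` are hypothetical.

```python
import re
from collections import namedtuple

# Matches IPv4 TCP lines of tcpdump -nn text output: "IP a.b.c.d.port > a.b.c.d.port: Flags [..]"
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Z.]+)\]")
Reset = namedtuple("Reset", "sender receiver role stage")

def find_resets(lines):
    """Return one Reset per RST packet, attributed to the side that sent it."""
    flows, resets = {}, []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, dst = f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}"
        flags = m[5]
        st = flows.setdefault(frozenset((src, dst)), {"client": None, "synack": False})
        if "R" in flags:
            # The RST sender is the source address of the packet carrying the flag.
            if st["client"] is None:
                role = stage = "unknown"   # capture started mid-connection, no SYN seen
            else:
                role = "client" if src == st["client"] else "server"
                stage = "established" if st["synack"] else "handshake"
            resets.append(Reset(src, dst, role, stage))
        elif "S" in flags and "." not in flags:
            st["client"], st["synack"] = src, False   # bare SYN: src is the initiator
        elif "S" in flags:
            st["synack"] = True                        # SYN-ACK: the listener accepted
    return resets

# Constructed sample capture (addresses, ports and sequence numbers are made up).
SAMPLE = """\
10:00:00.000100 IP 10.1.1.10.51000 > 10.2.2.20.8443: Flags [S], seq 100, win 64240, length 0
10:00:00.000400 IP 10.2.2.20.8443 > 10.1.1.10.51000: Flags [R.], seq 0, ack 101, win 0, length 0
10:00:05.000100 IP 10.1.1.10.51002 > 10.2.2.20.443: Flags [S], seq 500, win 64240, length 0
10:00:05.000300 IP 10.2.2.20.443 > 10.1.1.10.51002: Flags [S.], seq 900, ack 501, win 65160, length 0
10:00:05.000500 IP 10.1.1.10.51002 > 10.2.2.20.443: Flags [.], ack 901, win 502, length 0
10:00:05.010000 IP 10.1.1.10.51002 > 10.2.2.20.443: Flags [P.], seq 501:601, ack 901, win 502, length 100
10:00:05.010200 IP 10.2.2.20.443 > 10.1.1.10.51002: Flags [.], ack 601, win 509, length 0
10:00:07.000000 IP 10.1.1.10.51002 > 10.2.2.20.443: Flags [R.], seq 601, ack 901, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    for r in find_resets(SAMPLE):
        print(f"RST from {r.sender} ({r.role}) to {r.receiver}, stage: {r.stage}")
```

The source address only shows who the packet claims to come from at the capture point; comparing captures taken on both gateway interfaces confirms on which side the RST entered.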
