TCP Analysis Based on Flags
In this post we will try to understand the if there is no communication between client and servers which are in some VMs and on some registered ports.
If we have tested up till layer 3 that there is no issue in PING and TRACE between the source and destination and still communication is not happening now the role of understanding TCP Packet capture comes into picture.
There may be many reasons of this , what i am discussing here is one of them and mostly which i have handled.
I asked to get a TCP dump from both source and destination machine.
When i read a TCP dump in wireshark what i observe is: I am seeing lots of TCP re-transmissions for SYN packet and reply is coming as RST, ACK . Like as below.
This is very interesting , if we have a good understanding of these TCP flags we will able to identify the issue otherwise we will keep this on troubleshooting from the network side and will never be able to identify the issue . Lets see when this RST , ACK flags came and what does this mean.
- The ACKnowledgement flag is used to acknowledge the successful receipt of packets.
- The reset flag is used when a segment arrives that is not intended for the current connection
Analysis RST/ACK
- A closed port will send back a RST/ACK to a TCP request
- If a worm is scanning a large block of living hosts, those hosts with closed ports would send back a RST/ACK
- If a destination host receives too many RST/ACK responses, this destination IP is very likely infected with a worm
So if we conclude , what the above concepts says and what the issue we are facing , we can surely say that the source is trying establish a connection by sending the SYN packet and the destination is not listening on that port or that port is closed , that is why the destination is sending the RST,ACK in reply of that syn packet.
1 more thing if we want to see the RST , ACK is of the which SYN packet , we can get into the detail of that packet and in the last you will observe the "This is an ACK of the segment in frame xyz" , so in this way we can observe that for each SYN frame reply is RST,ACK of that frame. Below is the capture what we will see in the detail of RST,ACK
Hope this post helps , whenever someone comes across like this type of scenario.
Thanks
All comments are welcome.
No comments:
Post a Comment