
Wireshark-users: Re: [Wireshark-users] How to interpret trace

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Thu, 25 Mar 2010 14:37:26 +1100
It is 10.65.42.44 that sent the RST. You need to check the TCP ports used to determine whether pkt 467709 was a response to 467708. (The source and dest ports should match.) I suggest you turn OFF the Transport Name Resolution in Preferences to make it more helpful. A RST from the server will indicate that it doesn't want you to use that connection any more.

It could also be a RST coming from the firewall in between the client and server. This is very common if you have, say, a 60-minute TCP connection expiry timer (the default on Cisco PIX/ASA) and the protocol being used doesn't explicitly keep the session alive (through either application-level polling or a TCP keep-alive). If you haven't used the TCP connection for over an hour, the firewall will drop all knowledge of the session, and hence your next data packet will be dropped and, if the firewall is nice (rather than stealthy), it will tell you so via a RST.

Regards, Martin

MartinVisser99@xxxxxxxxx
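
The checks Martin describes (does the RST travel the reverse 4-tuple of the request, with ports compared numerically once name resolution is undone, and was the flow idle long enough for a firewall timer to have fired), as an added Python example that is not part of this thread. The SERVICE_NAMES table and the request line with numeric ports are constructed; the "de-noc" port value is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed lookup that undoes Wireshark's transport name resolution.
# 1521/tcp carries the IANA name "ncube-lm", which is why an Oracle TNS
# connection is labelled that way; "de-noc" -> 1522 is an assumed value here.
SERVICE_NAMES = {"ncube-lm": 1521, "de-noc": 1522}

# Info column of a TCP summary line: "<sport> > <dport> [FLAGS] ..."
INFO_RE = re.compile(r"^(\S+) > (\S+) \[([A-Z, ]+)\]")

@dataclass(frozen=True)
class Pkt:
    time: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

def resolve_port(token: str) -> int:
    """Accept a numeric port (name resolution off) or a service name (on)."""
    return int(token) if token.isdigit() else SERVICE_NAMES[token]

def parse_tcp_line(line: str) -> Pkt:
    """Parse one summary line: No. Time Src Dst Proto Info."""
    _no, t, src, dst, proto, info = line.split(maxsplit=5)
    m = INFO_RE.match(info) if proto == "TCP" else None
    if m is None:
        raise ValueError(f"not a TCP summary line with ports: {line!r}")
    flags = frozenset(f.strip() for f in m.group(3).split(","))
    return Pkt(float(t), src, resolve_port(m.group(1)),
               dst, resolve_port(m.group(2)), flags)

def is_reply_on_same_connection(req: Pkt, resp: Pkt) -> bool:
    """True when resp travels the reverse 4-tuple of req (addresses and ports swapped)."""
    return (req.src, req.sport, req.dst, req.dport) == \
           (resp.dst, resp.dport, resp.src, resp.sport)

def classify_rst(req: Pkt, rst: Pkt, last_activity: float,
                 idle_timeout: float = 3600.0) -> str:
    """Label an RST seen right after req, given when the flow last carried data."""
    if "RST" not in rst.flags or not is_reply_on_same_connection(req, rst):
        return "unrelated"
    # The RST carries the peer's address, but a stateful firewall that aged the
    # session out (60 min is the classic PIX/ASA default) spoofs exactly that.
    if req.time - last_activity > idle_timeout:
        return "idle-timeout-suspect"
    return "peer-reset"
```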


On Wed, Mar 24, 2010 at 1:01 AM, George Levasseur <geolev@xxxxxxxxx> wrote:
Hi,

I am unsure of how to interpret a network trace. I understand that there is a source machine and a destination machine in the following trace snippet:

467708    620.887615    10.65.85.11    10.65.42.44    TNS    Request, Data (6), Data
467709    620.887860    10.65.42.44    10.65.85.11    TCP    ncube-lm > de-noc [RST] Seq=1 Win=0 Len=6

How should I read the above?

10.65.85.11 sends a TNS request to 10.65.42.44

Do I have that right?

I'm not sure what to make of the next line. I understand that it is a TCP reset which means TCP detected a request on a connection that was closed. Is that correct?

What I don't understand is, is there anything there that tells me who closed the connection? Is it 10.65.42.44 that closed it or 10.65.85.11?

Is the second line a response to the first line?

Any help would be greatly appreciated.

Geolev




Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users