From: Jay Levitt <lists-netfilter@shopwatch.org>
To: netfilter@lists.netfilter.org
Subject: Re: RST instead of FIN?
Date: Sun, 11 Apr 2004 14:01:20 -0400
Message-ID: <06fa01c41fee$fe77d440$9701a8c0@office>
In-Reply-To: 1081677639.2013.11.camel@grendel
Chris Brenton wrote:
> On Sat, 2004-04-10 at 14:33, Jay Levitt wrote:
> >
> > sourceforge: [SYN]
> > me: [SYN, ACK]
> > sourceforge: [ACK]
> > [SMTP conversation ensues, switches to TLS, sends me an e-mail. at
> > the end..]
> > me: [RST]
>
> Weird. Are you sure this is not a RST/ACK?
Yep. It's an RST only.
>
> > sourceforge: [FIN, ACK]
>
> Looks like the RST was ignored (although hard to say since you did not
> include time stamps). Does the source MAC on the RST match your system?
Sorry about that - I can't figure out how to get an abbreviated output from
Ethereal so I just retyped it. I've included the full output of the last
few packets below, although I see now that timestamps are still missing!...
The RST was sent within microseconds of the last packet received. The
source MAC is my own....
OOH! Looks like I read this wrong the first time. The first RST is me, for
reasons unknown, and the second two are sourceforge. That's even weirder.
With timestamps:
#753 17:20:34.230099 sourceforge: last data packet of message body
#754 17:20:34.230181 me: RST
#755 17:20:34.230538 sourceforge: FIN, ACK
#756 17:20:34.318588 sourceforge: RST
#757 17:20:34.319745 sourceforge: RST
> When I've seen this in the past it's been an IDS or IPS attempting to
> reset the session due to a suspicious payload, but they get the sequence
> numbers wrong. Thus the RST/ACK gets ignored and the session continues.
Interesting. I'm not running an IDS/IPS. Perhaps sourceforge is, but that
doesn't explain my sending the RST...
> > me: [RST]
> > me: [RST]
>
> If this is an RST rather than a RST/ACK, it could be your system is
> losing session info and handling the ACKs like they are new packets
> (maybe some kind of broken IP wrapper application?).
No wrappers installed here... just iptables.
> The second RST is
> *really* odd as it's an error packet without any stimulus. That's not
> supposed to happen.
Agreed...
> I'm guessing this is not the kernel or Sendmail, but I'm honestly not
> sure what it is.
Any ideas where I might seek out other experts?
Thanks for the help...
Jay
-------------------------
Frame 753 (95 bytes on wire, 95 bytes captured)
Ethernet II, Src: 00:20:78:d0:44:8f, Dst: 00:50:2c:01:62:8e
Internet Protocol, Src Addr: 66.35.250.206 (66.35.250.206), Dst Addr:
192.168.1.150 (192.168.1.150)
Transmission Control Protocol, Src Port: 42185 (42185), Dst Port: smtp (25),
Seq: 2495007464, Ack: 3573134794, Len: 29
Source port: 42185 (42185)
Destination port: smtp (25)
Sequence number: 2495007464
Next sequence number: 2495007493
Acknowledgement number: 3573134794
Header length: 32 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 14480
Checksum: 0x4684 (correct)
Options: (12 bytes)
Simple Mail Transfer Protocol
Frame 754 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:50:2c:01:62:8e, Dst: 00:20:78:d0:44:8f
Internet Protocol, Src Addr: 192.168.1.150 (192.168.1.150), Dst Addr:
66.35.250.206 (66.35.250.206)
Transmission Control Protocol, Src Port: smtp (25), Dst Port: 42185 (42185),
Seq: 3573134794, Ack: 0, Len: 0
Source port: smtp (25)
Destination port: 42185 (42185)
Sequence number: 3573134794
Header length: 20 bytes
Flags: 0x0004 (RST)
Window size: 0
Checksum: 0x8109 (correct)
Frame 755 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: 00:20:78:d0:44:8f, Dst: 00:50:2c:01:62:8e
Internet Protocol, Src Addr: 66.35.250.206 (66.35.250.206), Dst Addr:
192.168.1.150 (192.168.1.150)
Transmission Control Protocol, Src Port: 42185 (42185), Dst Port: smtp (25),
Seq: 2495007493, Ack: 3573134794, Len: 0
Source port: 42185 (42185)
Destination port: smtp (25)
Sequence number: 2495007493
Acknowledgement number: 3573134794
Header length: 32 bytes
Flags: 0x0011 (FIN, ACK)
Window size: 14480
Checksum: 0x877f (correct)
Options: (12 bytes)
Frame 756 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:20:78:d0:44:8f, Dst: 00:50:2c:01:62:8e
Internet Protocol, Src Addr: 66.35.250.206 (66.35.250.206), Dst Addr:
192.168.1.150 (192.168.1.150)
Transmission Control Protocol, Src Port: 42185 (42185), Dst Port: smtp (25),
Seq: 2495007464, Ack: 0, Len: 0
Source port: 42185 (42185)
Destination port: smtp (25)
Sequence number: 2495007464
Header length: 20 bytes
Flags: 0x0004 (RST)
Window size: 0
Checksum: 0xac2e (correct)
Frame 757 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:20:78:d0:44:8f, Dst: 00:50:2c:01:62:8e
Internet Protocol, Src Addr: 66.35.250.206 (66.35.250.206), Dst Addr:
192.168.1.150 (192.168.1.150)
Transmission Control Protocol, Src Port: 42185 (42185), Dst Port: smtp (25),
Seq: 2495007464, Ack: 0, Len: 0
Source port: 42185 (42185)
Destination port: smtp (25)
Sequence number: 2495007464
Header length: 20 bytes
Flags: 0x0004 (RST)
Window size: 0
Checksum: 0xac2e (correct)
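Added example, not part of the original thread: a small Python script that transcribes frames 753-757 from the dump above and classifies each RST against the reset-generation rules of RFC 793 section 3.4. It shows that frame 754 has exactly the shape a host emits when it holds no connection state for the incoming segment (sequence number copied from the peer's ACK field, no ACK flag), which fits the "losing session info" guess in the thread, while frames 756 and 757 match no preceding segment from the other side.

```python
# Added example, not part of the original thread: classify each RST in the
# Ethereal dump quoted above using the reset-generation rules of RFC 793 s3.4.
from dataclasses import dataclass

@dataclass(frozen=True)
class Seg:
    frame: int
    src: str            # "me" = 192.168.1.150, "sf" = 66.35.250.206
    flags: frozenset    # TCP flag names as Ethereal prints them
    seq: int
    ack: int            # 0 when the ACK flag is not set
    length: int         # payload bytes

# Transcribed from frames 753-757 in the post above.
CAPTURE = [
    Seg(753, "sf", frozenset({"PSH", "ACK"}), 2495007464, 3573134794, 29),
    Seg(754, "me", frozenset({"RST"}),        3573134794, 0,          0),
    Seg(755, "sf", frozenset({"FIN", "ACK"}), 2495007493, 3573134794, 0),
    Seg(756, "sf", frozenset({"RST"}),        2495007464, 0,          0),
    Seg(757, "sf", frozenset({"RST"}),        2495007464, 0,          0),
]

def classify_rst(capture, index):
    """Return how the RST at capture[index] relates to the last segment its
    sender received from the peer:
      "closed-state reply": RST without ACK whose seq equals the peer's ACK
          field; the reset a host generates when it has no connection state
          for the segment (RFC 793: <SEQ=SEG.ACK><CTL=RST>).
      "in-connection abort": RST|ACK acknowledging the peer's next seq, the
          form sent by a host that still holds the connection.
      "unsolicited": nothing in the preceding peer segment explains it.
    """
    rst = capture[index]
    if "RST" not in rst.flags:
        raise ValueError(f"frame {rst.frame} is not an RST")
    prior = next((s for s in reversed(capture[:index]) if s.src != rst.src), None)
    if prior is None:
        return "unsolicited"
    if "ACK" not in rst.flags and "ACK" in prior.flags and rst.seq == prior.ack:
        return "closed-state reply"
    # SYN and FIN each consume one sequence number.
    expected = prior.seq + prior.length + (1 if prior.flags & {"SYN", "FIN"} else 0)
    if "ACK" in rst.flags and rst.ack == expected:
        return "in-connection abort"
    return "unsolicited"

def rst_report(capture):
    """Map every RST frame number in the capture to its classification."""
    return {s.frame: classify_rst(capture, i)
            for i, s in enumerate(capture) if "RST" in s.flags}
```

Running `rst_report(CAPTURE)` gives frame 754 as a closed-state reply and 756/757 as unsolicited; the same check applied to a live capture (after mapping the two IPs to "me"/"sf") tells you whether a stray RST came from a host that had already dropped its socket or from something injecting into the stream.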