From: Jay Levitt <lists-netfilter@shopwatch.org>
To: netfilter@lists.netfilter.org
Subject: Re: RST instead of FIN?
Date: Sun, 11 Apr 2004 14:01:20 -0400
Message-ID: <06fa01c41fee$fe77d440$9701a8c0@office>
In-Reply-To: 1081677639.2013.11.camel@grendel
Chris Brenton wrote:
> On Sat, 2004-04-10 at 14:33, Jay Levitt wrote:
> >
> > sourceforge: [SYN]
> > me: [SYN, ACK]
> > sourceforge: [ACK]
> > [SMTP conversation ensues, switches to TLS, sends me an e-mail. at
> > the end..]
> > me: [RST]
>
> Weird. Are you sure this is not a RST/ACK?
Yep. It's an RST only.
>
> > sourceforge: [FIN, ACK]
>
> Looks like the RST was ignored (although hard to say since you did not
> include time stamps). Does the source MAC on the RST match your system?
Sorry about that - I can't figure out how to get an abbreviated output from
Ethereal so I just retyped it. I've included the full output of the last
few packets below, although I see now that timestamps are still missing!...
The RST was sent within microseconds of the last packet received. The
source MAC is my own....
OOH! Looks like I read this wrong the first time. The first RST is me, for
reasons unknown, and the second two are sourceforge. That's even weirder.
With timestamps:
#753 17:20:34.230099 sourceforge: last data packet of message body
#754 17:20:34.230181 me: RST
#755 17:20:34.230538 sourceforge: FIN, ACK
#756 17:20:34.318588 sourceforge: RST
#757 17:20:34.319745 sourceforge: RST
> When I've seen this in the past it's been an IDS or IPS attempting to
> reset the session due to a suspicious payload, but they get the sequence
> numbers wrong. Thus the RST/ACK gets ignored and the session continues.
Interesting. I'm not running an IDS/IPS. Perhaps sourceforge is, but that
doesn't explain my sending the RST...
> > me: [RST]
> > me: [RST]
>
> If this is an RST rather than a RST/ACK, it could be your system is
> losing session info and handling the ACKs like they are new packets
> (maybe some kind of broken IP wrapper application?).
No wrappers installed here.. just iptables.
> The second RST is
> *really* odd as it's an error packet without any stimulus. That's not
> supposed to happen.
Agreed..
> I'm guessing this is not the kernel or Sendmail, but I'm honestly not
> sure what it is.
Any ideas where I might seek out other experts?
Thanks for the help...
Jay
-------------------------
Frame 753 (95 bytes on wire, 95 bytes captured)
Ethernet II, Src: 00:20:78:d0:44:8f, Dst: 00:50:2c:01:62:8e
Internet Protocol, Src Addr: 66.35.250.206 (66.35.250.206), Dst Addr:
192.168.1.150 (192.168.1.150)
Transmission Control Protocol, Src Port: 42185 (42185), Dst Port: smtp (25),
Seq: 2495007464, Ack: 3573134794, Len: 29
Source port: 42185 (42185)
Destination port: smtp (25)
Sequence number: 2495007464
Next sequence number: 2495007493
Acknowledgement number: 3573134794
Header length: 32 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 14480
Checksum: 0x4684 (correct)
Options: (12 bytes)
Simple Mail Transfer Protocol
Frame 754 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:50:2c:01:62:8e, Dst: 00:20:78:d0:44:8f
Internet Protocol, Src Addr: 192.168.1.150 (192.168.1.150), Dst Addr:
66.35.250.206 (66.35.250.206)
Transmission Control Protocol, Src Port: smtp (25), Dst Port: 42185 (42185),
Seq: 3573134794, Ack: 0, Len: 0
Source port: smtp (25)
Destination port: 42185 (42185)
Sequence number: 3573134794
Header length: 20 bytes
Flags: 0x0004 (RST)
Window size: 0
Checksum: 0x8109 (correct)
Frame 755 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: 00:20:78:d0:44:8f, Dst: 00:50:2c:01:62:8e
Internet Protocol, Src Addr: 66.35.250.206 (66.35.250.206), Dst Addr:
192.168.1.150 (192.168.1.150)
Transmission Control Protocol, Src Port: 42185 (42185), Dst Port: smtp (25),
Seq: 2495007493, Ack: 3573134794, Len: 0
Source port: 42185 (42185)
Destination port: smtp (25)
Sequence number: 2495007493
Acknowledgement number: 3573134794
Header length: 32 bytes
Flags: 0x0011 (FIN, ACK)
Window size: 14480
Checksum: 0x877f (correct)
Options: (12 bytes)
Frame 756 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:20:78:d0:44:8f, Dst: 00:50:2c:01:62:8e
Internet Protocol, Src Addr: 66.35.250.206 (66.35.250.206), Dst Addr:
192.168.1.150 (192.168.1.150)
Transmission Control Protocol, Src Port: 42185 (42185), Dst Port: smtp (25),
Seq: 2495007464, Ack: 0, Len: 0
Source port: 42185 (42185)
Destination port: smtp (25)
Sequence number: 2495007464
Header length: 20 bytes
Flags: 0x0004 (RST)
Window size: 0
Checksum: 0xac2e (correct)
Frame 757 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:20:78:d0:44:8f, Dst: 00:50:2c:01:62:8e
Internet Protocol, Src Addr: 66.35.250.206 (66.35.250.206), Dst Addr:
192.168.1.150 (192.168.1.150)
Transmission Control Protocol, Src Port: 42185 (42185), Dst Port: smtp (25),
Seq: 2495007464, Ack: 0, Len: 0
Source port: 42185 (42185)
Destination port: smtp (25)
Sequence number: 2495007464
Header length: 20 bytes
Flags: 0x0004 (RST)
Window size: 0
Checksum: 0xac2e (correct)
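An added example for readers of the thread (not code from the thread or from Ethereal): the script below replays the five frames transcribed from the dump above and checks each RST against the sequence number the receiver was expecting, which is the test Chris describes an IDS/IPS getting wrong. It applies the RFC 793 acceptance rule (RST sequence number inside the receive window) and the stricter RFC 5961 rule (exact match with RCV.NXT, otherwise a challenge ACK or a drop), and it also flags an RST whose sequence number equals the ACK of the peer's last segment, which is the form RFC 793 prescribes for a reset answering a segment that no socket claimed. The receive window of 192.168.1.150 is an assumption, since the dump never shows it; only the RFC 793 in-window test depends on it. RFC 5961 postdates this 2004 thread and is included for comparison with current stacks.

```python
"""Check each TCP RST in a capture against the receiver's expected sequence number.

Added example, not code from this thread or from Ethereal. The frames are
transcribed from the dump above (frames 753-757); the receive window of
192.168.1.150 is an assumption, because the dump never shows it.
"""
from dataclasses import dataclass

MOD = 1 << 32            # sequence numbers wrap at 2^32
ASSUMED_RCV_WND = 14480  # assumption: not visible in the dump; only the
                         # RFC 793 in-window test depends on it

SF, ME = "66.35.250.206", "192.168.1.150"


@dataclass(frozen=True)
class Frame:
    num: int
    ts: float            # seconds past 17:20:00, from the timestamps above
    src: str
    dst: str
    seq: int
    ack: int
    flags: frozenset
    length: int = 0      # payload bytes (TCP "Len")


# Transcribed from the capture in the message above.
FRAMES = [
    Frame(753, 34.230099, SF, ME, 2495007464, 3573134794, frozenset({"PSH", "ACK"}), 29),
    Frame(754, 34.230181, ME, SF, 3573134794, 0, frozenset({"RST"})),
    Frame(755, 34.230538, SF, ME, 2495007493, 3573134794, frozenset({"FIN", "ACK"})),
    Frame(756, 34.318588, SF, ME, 2495007464, 0, frozenset({"RST"})),
    Frame(757, 34.319745, SF, ME, 2495007464, 0, frozenset({"RST"})),
]


def in_window(seg_seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability of a zero-length segment: RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND,
    evaluated in modular arithmetic. With a zero window only SEG.SEQ == RCV.NXT is acceptable."""
    if rcv_wnd == 0:
        return seg_seq == rcv_nxt
    return (seg_seq - rcv_nxt) % MOD < rcv_wnd


def classify_rsts(frames, rcv_wnd=ASSUMED_RCV_WND):
    """Replay the frames in order and report, for every RST, whether the receiver
    would have honoured it. Returns one dict per RST."""
    rcv_nxt = {}        # host -> next sequence number that host expects from its peer
    seen = {}           # (src, dst, seq) of earlier RSTs -> frame number
    last_ack_from = {}  # host -> (frame number, ack) of its latest non-RST segment
    prev_ts = None
    findings = []
    for f in frames:
        delta_us = None if prev_ts is None else round((f.ts - prev_ts) * 1e6)
        prev_ts = f.ts
        if "RST" in f.flags:
            expected = rcv_nxt.get(f.dst)
            if expected is None:
                verdict = "unknown: no state learned for the receiver yet"
            elif f.seq == expected:
                verdict = "exact match: accepted under RFC 793 and RFC 5961"
            elif in_window(f.seq, expected, rcv_wnd):
                verdict = "in window: accepted under RFC 793, challenge ACK under RFC 5961"
            else:
                verdict = "out of window: dropped under RFC 793 and RFC 5961"
            # RFC 793 reset generation: a reset answering a segment that carried
            # an ACK takes its SEQ from that ACK and has no ACK bit itself.
            peer_last = last_ack_from.get(f.dst)
            reply_to = (peer_last[0]
                        if peer_last and "ACK" not in f.flags and peer_last[1] == f.seq
                        else None)
            key = (f.src, f.dst, f.seq)
            findings.append({
                "frame": f.num, "src": f.src, "delta_us": delta_us,
                "seq": f.seq, "expected": expected, "verdict": verdict,
                "reply_to": reply_to, "duplicate_of": seen.get(key),
            })
            seen.setdefault(key, f.num)
            continue  # a RST carries no data and advances no state
        if "ACK" in f.flags:
            rcv_nxt[f.src] = f.ack  # the sender has received everything before ack
            last_ack_from[f.src] = (f.num, f.ack)
        consumed = f.length + ("SYN" in f.flags) + ("FIN" in f.flags)
        if consumed:
            rcv_nxt[f.dst] = (f.seq + consumed) % MOD
    return findings


if __name__ == "__main__":
    for r in classify_rsts(FRAMES):
        print(f"#{r['frame']} RST from {r['src']} (+{r['delta_us']} us): {r['verdict']}"
              + (f"; looks like a reply to frame #{r['reply_to']}" if r["reply_to"] else "")
              + (f"; byte-for-byte repeat of #{r['duplicate_of']}" if r["duplicate_of"] else ""))
```

Run as a script it walks the dump: frame 754 carries exactly the sequence number sourceforge was expecting and has no ACK bit, with a SEQ equal to the ACK of frame 753, so a conforming peer would honour it; frames 756 and 757 sit 30 bytes before what 192.168.1.150 expects (the FIN in 755 already advanced it), so any conforming receiver drops them, and 757 repeats 756 with the same checksum. Feeding it a longer capture with SYN and data segments works the same way, because RCV.NXT is learned from ACK fields and from the bytes each segment consumes.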