Why are some tcp packets with the RST flag classified as new incoming connection?
While looking through my iptables log, I keep observing periodically incoming connections with the RESET flag being set from a few ip addresses within my ISP's network. This is a sample tcpdump on one of those connections:
22:18:13.026881 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [S] seq 3805987202 win 29200 options [mss 1460 sackOK TS val 3031189 ecr 0 nop wscale 7] length 0
22:18:13.032076 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [S.] seq 738249760 ack 3805987203 win 29200 options [mss 1460 nop nop sackOK nop wscale 6] length 0
22:18:13.032151 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738249761 ack 1 win 229 length 0
22:18:13.032415 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [P.] seq 3805987203:3805987396 ack 1 win 229 length 193
22:18:13.036553 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [.] 3805987396 ack 194 win 473 length 0
22:18:13.042920 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [.] seq 738249761:738251221 ack 194 win 473 length 1460
22:18:13.042979 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738251221 ack 1461 win 251 length 0
22:18:13.043133 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [P.] seq 738251221:738251809 ack 194 win 473 length 588
....
22:20:10.652745 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738254876 ack 5116 win 365 length 0
22:21:09.649107 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [P.] seq 3805988348:3805988389 ack 5116 win 365 length 41
22:21:09.657454 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [P.] seq 738254876:738254921 ack 1187 win 509 length 45
22:21:09.657498 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738254921 ack 5161 win 365 length 0
22:21:09.657612 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [P.] seq 3805988389:3805988434 ack 5161 win 365 length 45
22:21:09.657748 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [FP.] seq 3805988434:3805988465 ack 5161 win 365 length 31
22:21:09.660431 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [F.] seq 738254921 ack 1187 win 509 length 0
22:21:09.660467 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738254922 ack 5162 win 365 length 0
22:21:09.667156 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [R] seq 738254921 win 0 length 0
22:21:09.667923 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [R] seq 738254921 win 0 length 0
22:21:09.667971 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [R] seq 738254922 win 0 length 0
The tcp sequence number is continuous. Shouldn't it be considered as part of an established connection using the rule in iptables below:
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
tcp tcpdump
asked May 15 '14 at 7:57
Question OverflowQuestion Overflow
4462722
migrated from networkengineering.stackexchange.com May 15 '14 at 10:16
This question came from our site for network engineers.
add a comment |
While looking through my iptables log, I keep observing periodically incoming connections with the RESET flag being set from a few ip addresses within my ISP's network. This is a sample tcpdump on one of those connections:
22:18:13.026881 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [S] seq 3805987202 win 29200 options [mss 1460 sackOK TS val 3031189 ecr 0 nop wscale 7] length 0
22:18:13.032076 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [S.] seq 738249760 ack 3805987203 win 29200 options [mss 1460 nop nop sackOK nop wscale 6] length 0
22:18:13.032151 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738249761 ack 1 win 229 length 0
22:18:13.032415 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [P.] seq 3805987203:3805987396 ack 1 win 229 length 193
22:18:13.036553 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [.] 3805987396 ack 194 win 473 length 0
22:18:13.042920 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [.] seq 738249761:738251221 ack 194 win 473 length 1460
22:18:13.042979 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738251221 ack 1461 win 251 length 0
22:18:13.043133 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [P.] seq 738251221:738251809 ack 194 win 473 length 588
....
22:20:10.652745 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738254876 ack 5116 win 365 length 0
22:21:09.649107 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [P.] seq 3805988348:3805988389 ack 5116 win 365 length 41
22:21:09.657454 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [P.] seq 738254876:738254921 ack 1187 win 509 length 45
22:21:09.657498 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738254921 ack 5161 win 365 length 0
22:21:09.657612 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [P.] seq 3805988389:3805988434 ack 5161 win 365 length 45
22:21:09.657748 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [FP.] seq 3805988434:3805988465 ack 5161 win 365 length 31
22:21:09.660431 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [F.] seq 738254921 ack 1187 win 509 length 0
22:21:09.660467 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738254922 ack 5162 win 365 length 0
22:21:09.667156 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [R] seq 738254921 win 0 length 0
22:21:09.667923 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [R] seq 738254921 win 0 length 0
22:21:09.667971 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [R] seq 738254922 win 0 length 0
The tcp sequence number is continuous. Shouldn't it be considered as part of an established connection using the rule in iptables below:
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
tcp tcpdump
asked May 15 '14 at 7:57
Question OverflowQuestion Overflow
4462722
migrated from networkengineering.stackexchange.com May 15 '14 at 10:16
This question came from our site for network engineers.
Comcast in the mid 200x's was doing this for connections it suspected were P2P. Not sure if that is still the case - intermediate network devices or security software might do this. An iptables workaround for Linux systems was possible by ignoring incoming RST's that were also new.
– LawrenceC
Dec 24 '18 at 22:51
add a comment |
While looking through my iptables log, I keep observing periodically incoming connections with the RESET flag being set from a few ip addresses within my ISP's network. This is a sample tcpdump on one of those connections:
22:18:13.026881 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [S] seq 3805987202 win 29200 options [mss 1460 sackOK TS val 3031189 ecr 0 nop wscale 7] length 0
22:18:13.032076 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [S.] seq 738249760 ack 3805987203 win 29200 options [mss 1460 nop nop sackOK nop wscale 6] length 0
22:18:13.032151 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738249761 ack 1 win 229 length 0
22:18:13.032415 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [P.] seq 3805987203:3805987396 ack 1 win 229 length 193
22:18:13.036553 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [.] 3805987396 ack 194 win 473 length 0
22:18:13.042920 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [.] seq 738249761:738251221 ack 194 win 473 length 1460
22:18:13.042979 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738251221 ack 1461 win 251 length 0
22:18:13.043133 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [P.] seq 738251221:738251809 ack 194 win 473 length 588
....
22:20:10.652745 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738254876 ack 5116 win 365 length 0
22:21:09.649107 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [P.] seq 3805988348:3805988389 ack 5116 win 365 length 41
22:21:09.657454 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [P.] seq 738254876:738254921 ack 1187 win 509 length 45
22:21:09.657498 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738254921 ack 5161 win 365 length 0
22:21:09.657612 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [P.] seq 3805988389:3805988434 ack 5161 win 365 length 45
22:21:09.657748 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [FP.] seq 3805988434:3805988465 ack 5161 win 365 length 31
22:21:09.660431 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [F.] seq 738254921 ack 1187 win 509 length 0
22:21:09.660467 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738254922 ack 5162 win 365 length 0
22:21:09.667156 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [R] seq 738254921 win 0 length 0
22:21:09.667923 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [R] seq 738254921 win 0 length 0
22:21:09.667971 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [R] seq 738254922 win 0 length 0
The tcp sequence number is continuous. Shouldn't it be considered as part of an established connection using the rule in iptables below:
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
tcp tcpdump
asked May 15 '14 at 7:57
Question OverflowQuestion Overflow
4462722
While looking through my iptables log, I keep observing periodically incoming connections with the RESET flag being set from a few ip addresses within my ISP's network. This is a sample tcpdump on one of those connections:
22:18:13.026881 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [S] seq 3805987202 win 29200 options [mss 1460 sackOK TS val 3031189 ecr 0 nop wscale 7] length 0
22:18:13.032076 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [S.] seq 738249760 ack 3805987203 win 29200 options [mss 1460 nop nop sackOK nop wscale 6] length 0
22:18:13.032151 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738249761 ack 1 win 229 length 0
22:18:13.032415 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [P.] seq 3805987203:3805987396 ack 1 win 229 length 193
22:18:13.036553 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [.] 3805987396 ack 194 win 473 length 0
22:18:13.042920 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [.] seq 738249761:738251221 ack 194 win 473 length 1460
22:18:13.042979 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738251221 ack 1461 win 251 length 0
22:18:13.043133 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [P.] seq 738251221:738251809 ack 194 win 473 length 588
....
22:20:10.652745 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738254876 ack 5116 win 365 length 0
22:21:09.649107 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [P.] seq 3805988348:3805988389 ack 5116 win 365 length 41
22:21:09.657454 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [P.] seq 738254876:738254921 ack 1187 win 509 length 45
22:21:09.657498 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738254921 ack 5161 win 365 length 0
22:21:09.657612 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [P.] seq 3805988389:3805988434 ack 5161 win 365 length 45
22:21:09.657748 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [FP.] seq 3805988434:3805988465 ack 5161 win 365 length 31
22:21:09.660431 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [F.] seq 738254921 ack 1187 win 509 length 0
22:21:09.660467 IP 192.168.1.2.43948 > XX.XX.X.103.443: Flags [.] 738254922 ack 5162 win 365 length 0
22:21:09.667156 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [R] seq 738254921 win 0 length 0
22:21:09.667923 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [R] seq 738254921 win 0 length 0
22:21:09.667971 IP XX.XX.X.103.443 > 192.168.1.2.43948: Flags [R] seq 738254922 win 0 length 0
The tcp sequence number is continuous. Shouldn't it be considered as part of an established connection using the rule in iptables below:
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
tcp tcpdump
tcp tcpdump
asked May 15 '14 at 7:57
Question OverflowQuestion Overflow
4462722
asked May 15 '14 at 7:57
Question OverflowQuestion Overflow
4462722
asked May 15 '14 at 7:57
Question OverflowQuestion Overflow
4462722
asked May 15 '14 at 7:57
Question OverflowQuestion Overflow
4462722
asked May 15 '14 at 7:57
Question OverflowQuestion Overflow
4462722
4462722
migrated from networkengineering.stackexchange.com May 15 '14 at 10:16
This question came from our site for network engineers.
migrated from networkengineering.stackexchange.com May 15 '14 at 10:16
This question came from our site for network engineers.
Comcast in the mid 200x's was doing this for connections it suspected were P2P. Not sure if that is still the case - intermediate network devices or security software might do this. An iptables workaround for Linux systems was possible by ignoring incoming RST's that were also new.
– LawrenceC
Dec 24 '18 at 22:51
add a comment |
Comcast in the mid 200x's was doing this for connections it suspected were P2P. Not sure if that is still the case - intermediate network devices or security software might do this. An iptables workaround for Linux systems was possible by ignoring incoming RST's that were also new.
– LawrenceC
Dec 24 '18 at 22:51
Comcast in the mid 200x's was doing this for connections it suspected were P2P. Not sure if that is still the case - intermediate network devices or security software might do this. An iptables workaround for Linux systems was possible by ignoring incoming RST's that were also new.
– LawrenceC
Dec 24 '18 at 22:51
Comcast in the mid 200x's was doing this for connections it suspected were P2P. Not sure if that is still the case - intermediate network devices or security software might do this. An iptables workaround for Linux systems was possible by ignoring incoming RST's that were also new.
– LawrenceC
Dec 24 '18 at 22:51
add a comment |
3 Answers
3
active
oldest
votes
A TCP Reset is an un-acknowledged method of terminating a TCP connection. Typically reserved for the case that something went wrong, and needing a quick way to start over (after the RST).
If in the midst of your TCP connection, if you receive a RST from the same Protocol, Source IP, Source Port, Destination IP, Destination Port (known also as a Five-Tuple), you would classify that packet as being received "within" the established connection.
If, however, you are the entity sending the RST, you would instantly purge your connection information after sending the RST. If, at that point, the other end decided to send a TCP RST, upon receiving it you would have no knowledge of that particular "Five-Tuple" (since you just purged that knowledge), so you would consider the packet you just received a "New" connection -- which would than instantly be purged from your connection table again, since that is what should be done in response to a RST packet.
So in short, to answer your question. Your machine would mark a RST packet as a new connection if it had no prior knowledge of the connection (aka, the five-tuple) within which the RST was sent.
answered May 15 '14 at 16:21
EddieEddie
1618
Thanks for clarifying the part on RST. As you can see from the above, my machine did not send any RST packet. This is done by the other party thrice. The first two are being recorded as NEW incoming. The last one seems to fall under established as it is not logged by iptables. Shouldn't the connection be purged immediately after both parties send FIN?
– Question Overflow
May 16 '14 at 2:01
add a comment |
Looks like the server is hard closing the connection.
Here's some info on TCP RST:
TCP uses the RST (Reset) bit in the TCP header to reset a TCP
connection. Resets are appropriately sent in response to a
connection request to a nonexistent connection, for example. The TCP
receiver of the reset aborts the TCP connection, and notifies the
application [RFC793, RFC1122, Ste94].
Also this thread seems related and pertinent: What is the reason and how to avoid the [FIN, ACK] , [RST] and [RST, ACK]
edited May 23 '17 at 12:41
Community♦
1
answered May 15 '14 at 15:24
MarkMark
712
add a comment |
I've observed this behaviour with some clients on my network when I had for one segment MTU mismatch -- normal MTU is 1500, but the segment's routers had 1300 eventually timing out client's packets and PUSH'es not reaching their destination and the other side started to RST. Fixing the MTU for the segment let the problem go away.
answered Dec 24 '18 at 22:44
SergueiSerguei
1
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f753750%2fwhy-are-some-tcp-packets-with-the-rst-flag-classified-as-new-incoming-connection%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
A TCP Reset is an un-acknowledged method of terminating a TCP connection. Typically reserved for the case that something went wrong, and needing a quick way to start over (after the RST).
If in the midst of your TCP connection, if you receive a RST from the same Protocol, Source IP, Source Port, Destination IP, Destination Port (known also as a Five-Tuple), you would classify that packet as being received "within" the established connection.
If, however, you are the entity sending the RST, you would instantly purge your connection information after sending the RST. If, at that point, the other end decided to send a TCP RST, upon receiving it you would have no knowledge of that particular "Five-Tuple" (since you just purged that knowledge), so you would consider the packet you just received a "New" connection -- which would than instantly be purged from your connection table again, since that is what should be done in response to a RST packet.
So in short, to answer your question. Your machine would mark a RST packet as a new connection if it had no prior knowledge of the connection (aka, the five-tuple) within which the RST was sent.
answered May 15 '14 at 16:21
EddieEddie
1618
Thanks for clarifying the part on RST. As you can see from the above, my machine did not send any RST packet. This is done by the other party thrice. The first two are being recorded as NEW incoming. The last one seems to fall under established as it is not logged by iptables. Shouldn't the connection be purged immediately after both parties send FIN?
– Question Overflow
May 16 '14 at 2:01
add a comment |
A TCP Reset is an un-acknowledged method of terminating a TCP connection. Typically reserved for the case that something went wrong, and needing a quick way to start over (after the RST).
If in the midst of your TCP connection, if you receive a RST from the same Protocol, Source IP, Source Port, Destination IP, Destination Port (known also as a Five-Tuple), you would classify that packet as being received "within" the established connection.
If, however, you are the entity sending the RST, you would instantly purge your connection information after sending the RST. If, at that point, the other end decided to send a TCP RST, upon receiving it you would have no knowledge of that particular "Five-Tuple" (since you just purged that knowledge), so you would consider the packet you just received a "New" connection -- which would than instantly be purged from your connection table again, since that is what should be done in response to a RST packet.
So in short, to answer your question. Your machine would mark a RST packet as a new connection if it had no prior knowledge of the connection (aka, the five-tuple) within which the RST was sent.
answered May 15 '14 at 16:21
EddieEddie
1618
Thanks for clarifying the part on RST. As you can see from the above, my machine did not send any RST packet. This is done by the other party thrice. The first two are being recorded as NEW incoming. The last one seems to fall under established as it is not logged by iptables. Shouldn't the connection be purged immediately after both parties send FIN?
– Question Overflow
May 16 '14 at 2:01
add a comment |
A TCP Reset is an un-acknowledged method of terminating a TCP connection. Typically reserved for the case that something went wrong, and needing a quick way to start over (after the RST).
If in the midst of your TCP connection, if you receive a RST from the same Protocol, Source IP, Source Port, Destination IP, Destination Port (known also as a Five-Tuple), you would classify that packet as being received "within" the established connection.
If, however, you are the entity sending the RST, you would instantly purge your connection information after sending the RST. If, at that point, the other end decided to send a TCP RST, upon receiving it you would have no knowledge of that particular "Five-Tuple" (since you just purged that knowledge), so you would consider the packet you just received a "New" connection -- which would than instantly be purged from your connection table again, since that is what should be done in response to a RST packet.
So in short, to answer your question. Your machine would mark a RST packet as a new connection if it had no prior knowledge of the connection (aka, the five-tuple) within which the RST was sent.
answered May 15 '14 at 16:21
EddieEddie
1618
A TCP Reset is an un-acknowledged method of terminating a TCP connection. Typically reserved for the case that something went wrong, and needing a quick way to start over (after the RST).
If in the midst of your TCP connection, if you receive a RST from the same Protocol, Source IP, Source Port, Destination IP, Destination Port (known also as a Five-Tuple), you would classify that packet as being received "within" the established connection.
If, however, you are the entity sending the RST, you would instantly purge your connection information after sending the RST. If, at that point, the other end decided to send a TCP RST, upon receiving it you would have no knowledge of that particular "Five-Tuple" (since you just purged that knowledge), so you would consider the packet you just received a "New" connection -- which would than instantly be purged from your connection table again, since that is what should be done in response to a RST packet.
So in short, to answer your question. Your machine would mark a RST packet as a new connection if it had no prior knowledge of the connection (aka, the five-tuple) within which the RST was sent.
answered May 15 '14 at 16:21
EddieEddie
1618
answered May 15 '14 at 16:21
EddieEddie
1618
answered May 15 '14 at 16:21
EddieEddie
1618
answered May 15 '14 at 16:21
EddieEddie
1618
1618
Thanks for clarifying the part on RST. As you can see from the above, my machine did not send any RST packet. This is done by the other party thrice. The first two are being recorded as NEW incoming. The last one seems to fall under established as it is not logged by iptables. Shouldn't the connection be purged immediately after both parties send FIN?
– Question Overflow
May 16 '14 at 2:01
add a comment |
Thanks for clarifying the part on RST. As you can see from the above, my machine did not send any RST packet. This is done by the other party thrice. The first two are being recorded as NEW incoming. The last one seems to fall under established as it is not logged by iptables. Shouldn't the connection be purged immediately after both parties send FIN?
– Question Overflow
May 16 '14 at 2:01
Thanks for clarifying the part on RST. As you can see from the above, my machine did not send any RST packet. This is done by the other party thrice. The first two are being recorded as NEW incoming. The last one seems to fall under established as it is not logged by iptables. Shouldn't the connection be purged immediately after both parties send FIN?
– Question Overflow
May 16 '14 at 2:01
Thanks for clarifying the part on RST. As you can see from the above, my machine did not send any RST packet. This is done by the other party thrice. The first two are being recorded as NEW incoming. The last one seems to fall under established as it is not logged by iptables. Shouldn't the connection be purged immediately after both parties send FIN?
– Question Overflow
May 16 '14 at 2:01
add a comment |
Looks like the server is hard closing the connection.
Here's some info on TCP RST:
TCP uses the RST (Reset) bit in the TCP header to reset a TCP
connection. Resets are appropriately sent in response to a
connection request to a nonexistent connection, for example. The TCP
receiver of the reset aborts the TCP connection, and notifies the
application [RFC793, RFC1122, Ste94].
Also this thread seems related and pertinent: What is the reason and how to avoid the [FIN, ACK] , [RST] and [RST, ACK]
edited May 23 '17 at 12:41
Community♦
1
answered May 15 '14 at 15:24
MarkMark
712
add a comment |
Looks like the server is hard closing the connection.
Here's some info on TCP RST:
TCP uses the RST (Reset) bit in the TCP header to reset a TCP
connection. Resets are appropriately sent in response to a
connection request to a nonexistent connection, for example. The TCP
receiver of the reset aborts the TCP connection, and notifies the
application [RFC793, RFC1122, Ste94].
Also this thread seems related and pertinent: What is the reason and how to avoid the [FIN, ACK] , [RST] and [RST, ACK]
edited May 23 '17 at 12:41
Community♦
1
answered May 15 '14 at 15:24
MarkMark
712
add a comment |
Looks like the server is hard closing the connection.
Here's some info on TCP RST:
TCP uses the RST (Reset) bit in the TCP header to reset a TCP
connection. Resets are appropriately sent in response to a
connection request to a nonexistent connection, for example. The TCP
receiver of the reset aborts the TCP connection, and notifies the
application [RFC793, RFC1122, Ste94].
Also this thread seems related and pertinent: What is the reason and how to avoid the [FIN, ACK] , [RST] and [RST, ACK]
edited May 23 '17 at 12:41
Community♦
1
answered May 15 '14 at 15:24
MarkMark
712
Looks like the server is hard closing the connection.
Here's some info on TCP RST:
TCP uses the RST (Reset) bit in the TCP header to reset a TCP
connection. Resets are appropriately sent in response to a
connection request to a nonexistent connection, for example. The TCP
receiver of the reset aborts the TCP connection, and notifies the
application [RFC793, RFC1122, Ste94].
Also this thread seems related and pertinent: What is the reason and how to avoid the [FIN, ACK] , [RST] and [RST, ACK]
edited May 23 '17 at 12:41
Community♦
1
answered May 15 '14 at 15:24
MarkMark
712
edited May 23 '17 at 12:41
Community♦
1
edited May 23 '17 at 12:41
Community♦
1
edited May 23 '17 at 12:41
Community♦
1
1
answered May 15 '14 at 15:24
MarkMark
712
answered May 15 '14 at 15:24
MarkMark
712
answered May 15 '14 at 15:24
MarkMark
712
712
add a comment |
add a comment |
I've observed this behaviour with some clients on my network when I had for one segment MTU mismatch -- normal MTU is 1500, but the segment's routers had 1300 eventually timing out client's packets and PUSH'es not reaching their destination and the other side started to RST. Fixing the MTU for the segment let the problem go away.
answered Dec 24 '18 at 22:44
SergueiSerguei
1
add a comment |
I've observed this behaviour with some clients on my network when I had for one segment MTU mismatch -- normal MTU is 1500, but the segment's routers had 1300 eventually timing out client's packets and PUSH'es not reaching their destination and the other side started to RST. Fixing the MTU for the segment let the problem go away.
answered Dec 24 '18 at 22:44
SergueiSerguei
1
add a comment |
I've observed this behaviour with some clients on my network when I had for one segment MTU mismatch -- normal MTU is 1500, but the segment's routers had 1300 eventually timing out client's packets and PUSH'es not reaching their destination and the other side started to RST. Fixing the MTU for the segment let the problem go away.
answered Dec 24 '18 at 22:44
SergueiSerguei
1
I've observed this behaviour with some clients on my network when I had for one segment MTU mismatch -- normal MTU is 1500, but the segment's routers had 1300 eventually timing out client's packets and PUSH'es not reaching their destination and the other side started to RST. Fixing the MTU for the segment let the problem go away.
answered Dec 24 '18 at 22:44
SergueiSerguei
1
answered Dec 24 '18 at 22:44
SergueiSerguei
1
answered Dec 24 '18 at 22:44
SergueiSerguei
1
answered Dec 24 '18 at 22:44
SergueiSerguei
1
1
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f753750%2fwhy-are-some-tcp-packets-with-the-rst-flag-classified-as-new-incoming-connection%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Comcast in the mid 200x's was doing this for connections it suspected were P2P. Not sure if that is still the case - intermediate network devices or security software might do this. An iptables workaround for Linux systems was possible by ignoring incoming RST's that were also new.
– LawrenceC
Dec 24 '18 at 22:51