[c-nsp] TCP Reset
Hitesh Vinzoda
vinzoda.hitesh at gmail.com
Wed May 20 00:45:39 EDT 2009
Dear All,
I'm facing a problem from some clients behaving suspiciously when they
telnet to squid proxy (10.4.188.180).
After the TCP SYN request by the client, the server is responding with RST.
Wireshark logs from the client are attached. Comments are invited for this case.
Thanks in advance
Ronnie
-------------- next part --------------
No. Time Source Destination Protocol Info
6 2.188964 10.4.52.53 10.4.188.180 TCP BESApi > http-alt [SYN] Seq=0 Win=65535 Len=0 MSS=1460
Frame 6 (62 bytes on wire, 62 bytes captured)
Arrival Time: May 19, 2009 17:04:41.083189000
[Time delta from previous captured frame: 0.874347000 seconds]
[Time delta from previous displayed frame: 2.188964000 seconds]
[Time since reference or first frame: 2.188964000 seconds]
Frame Number: 6
Frame Length: 62 bytes
Capture Length: 62 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP SYN/FIN]
[Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: Foxconn_e4:dc:12 (00:15:58:e4:dc:12), Dst: All-HSRP-routers_34 (00:00:0c:07:ac:34)
Destination: All-HSRP-routers_34 (00:00:0c:07:ac:34)
Address: All-HSRP-routers_34 (00:00:0c:07:ac:34)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
Address: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.4.52.53 (10.4.52.53), Dst: 10.4.188.180 (10.4.188.180)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 48
Identification: 0x1672 (5746)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xdf64 [correct]
[Good: True]
[Bad : False]
Source: 10.4.52.53 (10.4.52.53)
Destination: 10.4.188.180 (10.4.188.180)
Transmission Control Protocol, Src Port: BESApi (3408), Dst Port: http-alt (8080), Seq: 0, Len: 0
Source port: BESApi (3408)
Destination port: http-alt (8080)
Sequence number: 0 (relative sequence number)
Header length: 28 bytes
Flags: 0x02 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 65535
Checksum: 0xbfa3 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Options: (8 bytes)
Maximum segment size: 1460 bytes
NOP
NOP
SACK permitted
No. Time Source Destination Protocol Info
8 2.195952 10.4.188.180 10.4.52.53 TCP http-alt > BESApi [RST, ACK] Seq=1 Ack=1 Win=29141 Len=0
Frame 8 (60 bytes on wire, 60 bytes captured)
Arrival Time: May 19, 2009 17:04:41.090177000
[Time delta from previous captured frame: 0.004504000 seconds]
[Time delta from previous displayed frame: 0.006988000 seconds]
[Time since reference or first frame: 2.195952000 seconds]
Frame Number: 8
Frame Length: 60 bytes
Capture Length: 60 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP RST]
[Coloring Rule String: tcp.flags.reset eq 1]
Ethernet II, Src: Cisco_51:44:00 (00:18:74:51:44:00), Dst: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
Destination: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
Address: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Cisco_51:44:00 (00:18:74:51:44:00)
Address: Cisco_51:44:00 (00:18:74:51:44:00)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Trailer: 000000000000
Internet Protocol, Src: 10.4.188.180 (10.4.188.180), Dst: 10.4.52.53 (10.4.52.53)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x01 (DSCP 0x00: Default; ECN: 0x01)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...1 = ECN-CE: 1
Total Length: 40
Identification: 0x1d0d (7437)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 61
Protocol: TCP (0x06)
Header checksum: 0x5bd1 [correct]
[Good: True]
[Bad : False]
Source: 10.4.188.180 (10.4.188.180)
Destination: 10.4.52.53 (10.4.52.53)
Transmission Control Protocol, Src Port: http-alt (8080), Dst Port: BESApi (3408), Seq: 1, Ack: 1, Len: 0
Source port: http-alt (8080)
Destination port: BESApi (3408)
Sequence number: 1 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x14 (RST, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .1.. = Reset: Set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 29141
Checksum: 0x282b [correct]
[Good Checksum: True]
[Bad Checksum: False]
[SEQ/ACK analysis]
No. Time Source Destination Protocol Info
9 2.598052 10.4.52.53 10.4.188.180 TCP BESApi > http-alt [SYN] Seq=0 Win=65535 Len=0 MSS=1460
Frame 9 (62 bytes on wire, 62 bytes captured)
Arrival Time: May 19, 2009 17:04:41.492277000
[Time delta from previous captured frame: 0.402100000 seconds]
[Time delta from previous displayed frame: 0.402100000 seconds]
[Time since reference or first frame: 2.598052000 seconds]
Frame Number: 9
Frame Length: 62 bytes
Capture Length: 62 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP SYN/FIN]
[Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: Foxconn_e4:dc:12 (00:15:58:e4:dc:12), Dst: All-HSRP-routers_34 (00:00:0c:07:ac:34)
Destination: All-HSRP-routers_34 (00:00:0c:07:ac:34)
Address: All-HSRP-routers_34 (00:00:0c:07:ac:34)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
Address: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.4.52.53 (10.4.52.53), Dst: 10.4.188.180 (10.4.188.180)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 48
Identification: 0x1676 (5750)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xdf60 [correct]
[Good: True]
[Bad : False]
Source: 10.4.52.53 (10.4.52.53)
Destination: 10.4.188.180 (10.4.188.180)
Transmission Control Protocol, Src Port: BESApi (3408), Dst Port: http-alt (8080), Seq: 0, Len: 0
Source port: BESApi (3408)
Destination port: http-alt (8080)
Sequence number: 0 (relative sequence number)
Header length: 28 bytes
Flags: 0x02 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 65535
Checksum: 0xbfa3 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Options: (8 bytes)
Maximum segment size: 1460 bytes
NOP
NOP
SACK permitted
[SEQ/ACK analysis]
No. Time Source Destination Protocol Info
10 2.598375 10.4.188.180 10.4.52.53 TCP http-alt > BESApi [RST, ACK] Seq=1 Ack=1 Win=29141 Len=0
Frame 10 (60 bytes on wire, 60 bytes captured)
Arrival Time: May 19, 2009 17:04:41.492600000
[Time delta from previous captured frame: 0.000323000 seconds]
[Time delta from previous displayed frame: 0.000323000 seconds]
[Time since reference or first frame: 2.598375000 seconds]
Frame Number: 10
Frame Length: 60 bytes
Capture Length: 60 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP RST]
[Coloring Rule String: tcp.flags.reset eq 1]
Ethernet II, Src: Cisco_51:44:00 (00:18:74:51:44:00), Dst: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
Destination: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
Address: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Cisco_51:44:00 (00:18:74:51:44:00)
Address: Cisco_51:44:00 (00:18:74:51:44:00)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Trailer: 000000000000
Internet Protocol, Src: 10.4.188.180 (10.4.188.180), Dst: 10.4.52.53 (10.4.52.53)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x01 (DSCP 0x00: Default; ECN: 0x01)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...1 = ECN-CE: 1
Total Length: 40
Identification: 0x1d0d (7437)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 61
Protocol: TCP (0x06)
Header checksum: 0x5bd1 [correct]
[Good: True]
[Bad : False]
Source: 10.4.188.180 (10.4.188.180)
Destination: 10.4.52.53 (10.4.52.53)
Transmission Control Protocol, Src Port: http-alt (8080), Dst Port: BESApi (3408), Seq: 1, Ack: 1, Len: 0
Source port: http-alt (8080)
Destination port: BESApi (3408)
Sequence number: 1 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x14 (RST, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .1.. = Reset: Set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 29141
Checksum: 0x282b [correct]
[Good Checksum: True]
[Bad Checksum: False]
[SEQ/ACK analysis]
No. Time Source Destination Protocol Info
15 3.144898 10.4.52.53 10.4.188.180 TCP BESApi > http-alt [SYN] Seq=0 Win=65535 Len=0 MSS=1460
Frame 15 (62 bytes on wire, 62 bytes captured)
Arrival Time: May 19, 2009 17:04:42.039123000
[Time delta from previous captured frame: 0.049596000 seconds]
[Time delta from previous displayed frame: 0.546523000 seconds]
[Time since reference or first frame: 3.144898000 seconds]
Frame Number: 15
Frame Length: 62 bytes
Capture Length: 62 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP SYN/FIN]
[Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: Foxconn_e4:dc:12 (00:15:58:e4:dc:12), Dst: All-HSRP-routers_34 (00:00:0c:07:ac:34)
Destination: All-HSRP-routers_34 (00:00:0c:07:ac:34)
Address: All-HSRP-routers_34 (00:00:0c:07:ac:34)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
Address: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.4.52.53 (10.4.52.53), Dst: 10.4.188.180 (10.4.188.180)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 48
Identification: 0x167e (5758)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xdf58 [correct]
[Good: True]
[Bad : False]
Source: 10.4.52.53 (10.4.52.53)
Destination: 10.4.188.180 (10.4.188.180)
Transmission Control Protocol, Src Port: BESApi (3408), Dst Port: http-alt (8080), Seq: 0, Len: 0
Source port: BESApi (3408)
Destination port: http-alt (8080)
Sequence number: 0 (relative sequence number)
Header length: 28 bytes
Flags: 0x02 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 65535
Checksum: 0xbfa3 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Options: (8 bytes)
Maximum segment size: 1460 bytes
NOP
NOP
SACK permitted
[SEQ/ACK analysis]
No. Time Source Destination Protocol Info
16 3.145212 10.4.188.180 10.4.52.53 TCP http-alt > BESApi [RST, ACK] Seq=1 Ack=1 Win=29141 Len=0
Frame 16 (60 bytes on wire, 60 bytes captured)
Arrival Time: May 19, 2009 17:04:42.039437000
[Time delta from previous captured frame: 0.000314000 seconds]
[Time delta from previous displayed frame: 0.000314000 seconds]
[Time since reference or first frame: 3.145212000 seconds]
Frame Number: 16
Frame Length: 60 bytes
Capture Length: 60 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP RST]
[Coloring Rule String: tcp.flags.reset eq 1]
Ethernet II, Src: Cisco_51:44:00 (00:18:74:51:44:00), Dst: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
Destination: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
Address: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Cisco_51:44:00 (00:18:74:51:44:00)
Address: Cisco_51:44:00 (00:18:74:51:44:00)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Trailer: 000000000000
Internet Protocol, Src: 10.4.188.180 (10.4.188.180), Dst: 10.4.52.53 (10.4.52.53)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x01 (DSCP 0x00: Default; ECN: 0x01)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...1 = ECN-CE: 1
Total Length: 40
Identification: 0x1d0d (7437)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 61
Protocol: TCP (0x06)
Header checksum: 0x5bd1 [correct]
[Good: True]
[Bad : False]
Source: 10.4.188.180 (10.4.188.180)
Destination: 10.4.52.53 (10.4.52.53)
Transmission Control Protocol, Src Port: http-alt (8080), Dst Port: BESApi (3408), Seq: 1, Ack: 1, Len: 0
Source port: http-alt (8080)
Destination port: BESApi (3408)
Sequence number: 1 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x14 (RST, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .1.. = Reset: Set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 29141
Checksum: 0x282b [correct]
[Good Checksum: True]
[Bad Checksum: False]
[SEQ/ACK analysis]
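The three SYN/RST exchanges in the attached capture can be compared field by field. The following is an added example, not part of the original post: it parses a trimmed excerpt of the export above and reports how quickly each reset followed its SYN and whether the resets share an IP ID and TTL. The names `parse` and `rst_report` are chosen here for illustration.

```python
import re
from collections import Counter

# Excerpt of the capture above: each frame's summary line, IP ID and TTL.
CAPTURE = """\
6 2.188964 10.4.52.53 10.4.188.180 TCP BESApi > http-alt [SYN] Seq=0 Win=65535 Len=0 MSS=1460
Identification: 0x1672 (5746)
Time to live: 128
8 2.195952 10.4.188.180 10.4.52.53 TCP http-alt > BESApi [RST, ACK] Seq=1 Ack=1 Win=29141 Len=0
Identification: 0x1d0d (7437)
Time to live: 61
9 2.598052 10.4.52.53 10.4.188.180 TCP BESApi > http-alt [SYN] Seq=0 Win=65535 Len=0 MSS=1460
Identification: 0x1676 (5750)
Time to live: 128
10 2.598375 10.4.188.180 10.4.52.53 TCP http-alt > BESApi [RST, ACK] Seq=1 Ack=1 Win=29141 Len=0
Identification: 0x1d0d (7437)
Time to live: 61
15 3.144898 10.4.52.53 10.4.188.180 TCP BESApi > http-alt [SYN] Seq=0 Win=65535 Len=0 MSS=1460
Identification: 0x167e (5758)
Time to live: 128
16 3.145212 10.4.188.180 10.4.52.53 TCP http-alt > BESApi [RST, ACK] Seq=1 Ack=1 Win=29141 Len=0
Identification: 0x1d0d (7437)
Time to live: 61
"""
SUMMARY = re.compile(r"^(\d+) (\d+\.\d+) (\S+) (\S+) TCP .*\[([A-Z, ]+)\]")
FIELD = re.compile(r"^(Identification: 0x|Time to live: )([0-9a-f]+)")

def parse(text):  # one dict per frame: number, time, endpoints, flags, IP ID, TTL
    frames = []
    for line in map(str.strip, text.splitlines()):
        if m := SUMMARY.match(line):
            frames.append({"no": int(m[1]), "t": float(m[2]), "src": m[3],
                           "dst": m[4], "flags": set(m[5].split(", "))})
        elif (m := FIELD.match(line)) and frames:
            key, base = ("ip_id", 16) if "0x" in m[1] else ("ttl", 10)
            frames[-1][key] = int(m[2], base)
    return frames

def rst_report(frames):  # pair each bare SYN with the next RST from its destination
    delays, rsts, syn = [], [], None
    for f in frames:
        if f["flags"] == {"SYN"}:
            syn = f
        elif "RST" in f["flags"] and syn and f["src"] == syn["dst"]:
            delays.append(round((f["t"] - syn["t"]) * 1000, 3))
            rsts.append(f)
            syn = None
    return {"delay_ms": delays, "rst_ttls": {r["ttl"] for r in rsts},
            "rst_ip_ids": Counter(r["ip_id"] for r in rsts)}
```

Running `rst_report(parse(CAPTURE))` shows that all three resets carry the same IP ID and TTL. Comparing those values with a capture taken on the proxy itself shows whether the proxy or a device on the path generated them.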