Tim Heckman on 22 Mar 2012 17:45:43 -0700



Re: [PLUG] web server sending TCP reset


Where are they seeing the TCP resets at?  Are they running tcpdump/wireshark on the system itself, or on the local system that's trying to connect?

Assuming the server itself has tcpdump installed you can use this to see if the server is sending any resets when someone connects to port 80 (as root):

    tcpdump 'tcp[13] & 4!=0' and port 80

Or, if they are seeing the resets on another port just change the port in the command.  What you would then want to do is have wireshark running on the local system, and see if it is getting RST packets.  If you are seeing RST packets locally, and not coming from the system, something is happening in the middle.

If you see the server sending the resets, then the plot thickens.

-Tim

---
Tim Heckman

On Thursday, March 22, 2012 at 7:41 PM, David Coulson wrote:

The 'server' IP has to send them for the RST to actually work - Curious
if it's actually the server itself sending the RST, or another device
further upstream that is intercepting. I've seen this when an ISP has
sloppy firewall rules, so they 'block' a high port such as 8080, but
don't realize legitimate clients might be using that as a source port.

On 3/22/12 5:43 PM, Carl Johnson wrote:
Some ISPs do this to subscribers as a means to block/control P2P traffic. Not sure why a server would send them though.





Sent from my Motorola DynaTAC 8000x

"Eric at Lucii.org"<eric@lucii.org> wrote:


A user of a site I'm developing is having connectivity problems and
they started looking at their firewall logs. They then asked the site
owner why the site was sending so many TCP RESET packets. So, he asked
me. I have no idea.... I've never heard of a web site sending TCP
RESET packets... thought that was handled at a lower level.

Sound familiar to anybody? I'm (very rapidly) out of ideas.

They're looking at it with Wireshark and will, I suppose, report back
to me at some point.


Eric
--
# Eric Lucas
#
# "Oh, I have slipped the surly bond of earth
# And danced the skies on laughter-silvered wings...
# -- John Gillespie Magee Jr
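Added example, not part of the original thread: the filter `tcp[13] & 4 != 0` tests the RST bit in byte 13 of the TCP header, and the two-capture comparison suggested above can be automated by matching RST segments seen by the client against those the server actually sent. The headers below are constructed sample data, the function names are hypothetical, and the matching assumes no NAT rewrites ports or sequence numbers between the two capture points.

```python
import struct

RST = 0x04  # bit tested by the tcpdump filter: tcp[13] & 4 != 0

def tcp_header(sport, dport, seq, flags):
    """Build a minimal 20-byte TCP header (constructed sample data)."""
    # 0x50 = data offset of 5 words; the flags byte lands at index 13.
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, flags, 0, 0, 0)

def is_rst(header):
    """Same test as tcpdump's 'tcp[13] & 4 != 0'."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & RST != 0

def rst_keys(capture):
    """Set of (sport, dport, seq) for every RST segment in a capture."""
    keys = set()
    for hdr in capture:
        if is_rst(hdr):
            keys.add(struct.unpack("!HHI", hdr[:8]))
    return keys

def locate_resets(server_capture, client_capture):
    """Split client-visible RSTs by whether the server capture also has them."""
    sent = rst_keys(server_capture)
    seen = rst_keys(client_capture)
    return {"from_server": sorted(seen & sent),
            "injected_in_path": sorted(seen - sent)}

# Constructed captures: server port 80 talking to two client ports.
SYN_ACK, RST_ACK = 0x12, 0x14
server_side = [tcp_header(80, 51000, 1000, SYN_ACK),
               tcp_header(80, 51001, 3000, RST_ACK)]
client_side = [tcp_header(80, 51000, 1000, SYN_ACK),
               tcp_header(80, 51000, 1001, RST),      # never left the server
               tcp_header(80, 51001, 3000, RST_ACK)]

if __name__ == "__main__":
    print(locate_resets(server_side, client_side))
```

An RST that shows up under `injected_in_path` was seen locally but is absent from the server's own capture, which is the "something is happening in the middle" case.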
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
