Network Device Reset Connection - microsoft/CSS_SQL_Networking_Tools GitHub Wiki
Network Device Reset Connection
This trace shows a network device, in this case a firewall between subnets, resetting a connection. Because the RESET packet comes from the middle of the network, the client trace shows it as having arrived from the server and the server trace shows it having arrived from the client.
The client IP address is 192.168.3.6. The server IP address is 192.168.111.25.
Client Trace
Frame Time Offset Source IP Dest IP Description
----- ----------- -------------- -------------- ---------------------------------------------------------------------------------------------------
--- packets are being received from the server (continuation packets), acknowledgements sent back from the client (PayloadLen=0)
3091 78.8352820 192.168.111.25 192.168.3.6 TCP: [Bad CheckSum]Flags=...A...., SrcPort=1451, DstPort=1233, PayloadLen=0, Seq=353334171, Ack=499
3092 78.8352820 192.168.3.6 192.168.111.25 TCP:[Continuation to #3088]Flags=...AP..., SrcPort=1233, DstPort=1451, PayloadLen=1300, Seq=4997762
3104 78.9915320 192.168.111.25 192.168.3.6 TCP: [Bad CheckSum]Flags=...A...., SrcPort=1451, DstPort=1233, PayloadLen=0, Seq=353334171, Ack=499
3105 78.9915320 192.168.3.6 192.168.111.25 TCP:[Continuation to #3106]Flags=...A...., SrcPort=1233, DstPort=1451, PayloadLen=1398, Seq=4997775
--- A RESET packet is sent from the server IP address
3106 78.9915320 192.168.3.6 192.168.111.25 TCP:Flags=.....R.., SrcPort=1233, DstPort=1451, PayloadLen=0, Seq=499777541, Ack=353334171, Win=645
3115 79.2102820 192.168.111.25 192.168.3.6 TCP: [Bad CheckSum]Flags=...A...., SrcPort=1451, DstPort=1233, PayloadLen=0, Seq=353334171, Ack=499
--- And another RESET packet
3117 79.2102820 192.168.3.6 192.168.111.25 TCP:Flags=.....R.., SrcPort=1233, DstPort=1451, PayloadLen=0, Seq=499778939, Ack=353334171, Win=0 {
Server Trace
Frame Time Offset Source IP Dest IP Description
----- ----------- -------------- -------------- ---------------------------------------------------------------------------------------------------
--- Response packets are sent from the server
1574 99.1406250 192.168.3.6 192.168.111.25 TDS:Continuous Response, Version = 7.1 (0x71000001), SPID = 58, PacketID = 10, Flags=...A...., SrcP
1575 99.1718750 192.168.111.25 192.168.3.6 TCP:Flags=...A...., SrcPort=1451, DstPort=1233, PayloadLen=0, Seq=2361653353, Ack=2496793046, Win=6
1576 99.1718750 192.168.3.6 192.168.111.25 TCP:[Continuation to #1574]Flags=...A...., SrcPort=1233, DstPort=1451, PayloadLen=1398, Seq=2496799
1577 99.1718750 192.168.3.6 192.168.111.25 TCP:[Continuation to #1574]Flags=...AP..., SrcPort=1233, DstPort=1451, PayloadLen=1300, Seq=2496801
1589 99.3281250 192.168.111.25 192.168.3.6 TCP:Flags=...A...., SrcPort=1451, DstPort=1233, PayloadLen=0, Seq=2361653353, Ack=2496794346, Win=6
1590 99.3281250 192.168.3.6 192.168.111.25 TDS:Continuous Response, Version = 7.1 (0x71000001), SPID = 58, PacketID = 11, Flags=...A...., SrcP
--- Two RESET packets arrive from the client IP address
1591 99.3281250 192.168.111.25 192.168.3.6 TCP:Flags=.....R.., SrcPort=1451, DstPort=1233, PayloadLen=0, Seq=2361653353, Ack=1721097447, Win=6
1600 99.4062500 192.168.111.25 192.168.3.6 TCP:Flags=.....R.., SrcPort=1451, DstPort=1233, PayloadLen=0, Seq=2361653353, Ack=2496803936, Win=0
Explanation
Normally, if the client or the server determines the connection is bad due to dropped packets, the trace should contain some retransmitted packets before the connection is reset. In addition, the closing packet should also have the ACK flag set, e.g. ACK+RESET, or Flags = ...A.R.. as opposed to just Flags = .....R.. A RESET without the ACK is normally sent by the OS when packets are received after the connection has already been closed or reset with an ACK+RESET packet.
In this case, there are no retransmitted packets, there is no ACK+RESET packet, and the client and server traces disagree about who reset the connection.
You can also see a difference in the IPV4.TimeToLive (TTL) value between the RESET packet and a regular packet from the other machine. The initial value is set by the sender and is decremented by each network device the packet crosses.
Frame: Number = 3092, Captured Frame Length = 1354, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-11-43-37-F8-A9],SourceAddress:[00-06-B1-30-8A-E8]
- Ipv4: Src = 192.168.3.6, Dest = 192.168.111.25, Next Protocol = TCP, Packet ID = 10217, Total IP Length = 1340
+ Versions: IPv4, Internet Protocol; Header Length = 20
+ DifferentiatedServicesField: DSCP: 0, ECN: 0
TotalLength: 1340 (0x53C)
Identification: 10217 (0x27E9)
+ FragmentFlags: 16384 (0x4000)
TimeToLive: 128 (0x80) <----- TTL for good packet = 128
NextProtocol: TCP, 6(0x6)
Checksum: 55906 (0xDA62)
SourceAddress: 192.168.3.6
DestinationAddress: 192.168.111.25
+ Tcp: [Continuation to #3088]Flags=...AP..., SrcPort=1233, DstPort=1451, PayloadLen=1300, Seq=499776241 - 499777541, Ack=353334171, Win=64505 (scale factor 0x0) = 64505
Frame: Number = 3106, Captured Frame Length = 62, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-11-43-37-F8-A9],SourceAddress:[00-06-B1-30-8A-E8]
- Ipv4: Src = 192.168.3.6, Dest = 192.168.111.25, Next Protocol = TCP, Packet ID = 0, Total IP Length = 40
+ Versions: IPv4, Internet Protocol; Header Length = 20
+ DifferentiatedServicesField: DSCP: 0, ECN: 0
TotalLength: 40 (0x28)
Identification: 0 (0x0)
+ FragmentFlags: 16384 (0x4000)
TimeToLive: 64 (0x40) <----- TTL for RESET packet = 64
NextProtocol: TCP, 6(0x6)
Checksum: 18272 (0x4760)
SourceAddress: 192.168.3.6
DestinationAddress: 192.168.111.25
+ Tcp: Flags=.....R.., SrcPort=1233, DstPort=1451, PayloadLen=0, Seq=499777541, Ack=353334171, Win=64505 (scale factor 0x0) = 64505
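The checks from the Explanation section, applied to parsed packet records. This is an added example, not code from the CSS_SQL_Networking_Tools project; the tuple layout, the function name `suspicious_resets` and all sample rows other than the values of frames 3092 and 3106 are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed records: (frame, src, dst, ttl, flags, seq, payload_len).
# Frames 3092 and 3106 carry the TTL, flag and Seq values shown above;
# every other row is made up for illustration.
PACKETS = [
    (3088, "192.168.3.6", "192.168.111.25", 128, "...A....", 499774843, 1398),
    (3092, "192.168.3.6", "192.168.111.25", 128, "...AP...", 499776241, 1300),
    (3106, "192.168.3.6", "192.168.111.25", 64, ".....R..", 499777541, 0),
    (9001, "10.0.0.5", "10.0.0.9", 128, "...AP...", 1000, 100),
    (9002, "10.0.0.5", "10.0.0.9", 128, "...AP...", 1000, 100),  # retransmit
    (9003, "10.0.0.5", "10.0.0.9", 128, "...A.R..", 1100, 0),    # ACK+RESET
]

ACK, RST = 3, 5  # positions in the flag string (CWR ECE URG ACK PSH RST SYN FIN)


def suspicious_resets(packets):
    """Return {frame: [reasons]} for RESETs whose TTL does not match the
    sender's other packets, with the corroborating signs from the text."""
    ttls = defaultdict(Counter)  # (src, dst) -> TTLs seen on non-RESET packets
    seen = defaultdict(set)      # (src, dst) -> (seq, len) of data segments
    retrans = set()              # directions that retransmitted a segment
    findings = {}
    for frame, src, dst, ttl, flags, seq, plen in packets:
        key = (src, dst)
        if flags[RST] != "R":
            ttls[key][ttl] += 1
            if plen and (seq, plen) in seen[key]:
                retrans.add(key)
            seen[key].add((seq, plen))
            continue
        if not ttls[key]:
            continue  # no regular packet from this sender to compare against
        baseline = ttls[key].most_common(1)[0][0]
        if ttl == baseline:
            continue
        reasons = [f"TTL {ttl} differs from baseline {baseline}"]
        if flags[ACK] != "A":
            reasons.append("RESET without ACK")
        if key not in retrans and (dst, src) not in retrans:
            reasons.append("no retransmits before RESET")
        findings[frame] = reasons
    return findings


if __name__ == "__main__":
    for frame, reasons in suspicious_resets(PACKETS).items():
        print(frame, "; ".join(reasons))
```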