Analyzing TCP reset(RST)packets
05/23/2022 1 People found this article helpful 20,094 Views
This article explains how to analyze the TCP RST packets in Wireshark.
A use case scenario
- Not able to access Facebook and the rest of the other websites are working fine.
- Always perform packet capture for TCP connection and review it on Wireshark.
While analyzing the packet capture select the RST packet and right-click and select Conversation filter and then select TCP.
This will filter the packets for the selected conversation only and make it easy to troubleshoot.
From the packet capture, the client sends the SYN for TCP handshake and gets RST from the server.
We will utilize the IP header portion to find if the RST was sent from outside the network or if it was sent from an Internal network device. Expanding the IP header data portion in Wireshark and going to TTL(Time To Live) value. Usually, TTL values are 255, 168, and 64 there can be many but these are 3 big numbers generally used.
So if we see the TTL value it is 64, it means the packet was not routed.
Usually, when our packet is routed and takes hops it decrements by 1 after each hop from its current TTL value until it reaches the destination. But in this case, we see the TTL value is 64 which means the packet was not routed this RST is not coming from the actual IP in the source field which is the website IP. So at this point, we know that this RST is being sent by an internal device and in question, we want to know who is sending the RST.
We will select the RST packet and analyze the layer-2 header and check the source MAC address from the source MAC address we can it as the SonicWall firewall.
So by taking a look at the firewall it was found that there was a LAN > WAN access rule which was denying traffic to that website and hence the connection was being reset by Firewall.
Post disabling the rule we were able to access the website without any issue.
NOTE: If in the above example facbook.com was not accessible and analyzing the TTL value if it was TTL=63 or any other number less than 64 so it means the packet was routed and the RST is coming from a device outside of the network.