-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
Analyzing TCP reset(RST)packets
05/23/2022 
30 People found this article helpful
383,527 Views
Description
This article explains how to analyze the TCP RST packets in Wireshark.
Resolution
A use case scenario
- Not able to access Facebook and the rest of the other websites are working fine.
- Always perform packet capture for TCP connection and review it on Wireshark.
While analyzing the packet capture select the RST packet and right-click and select Conversation filter and then select TCP.
This will filter the packets for the selected conversation only and make it easy to troubleshoot.
From the packet capture, the client sends the SYN for TCP handshake and gets RST from the server.
We will utilize the IP header portion to find if the RST was sent from outside the network or if it was sent from an Internal network device. Expanding the IP header data portion in Wireshark and going to TTL(Time To Live) value. Usually, TTL values are 255, 168, and 64 there can be many but these are 3 big numbers generally used.
So if we see the TTL value it is 64, it means the packet was not routed.
Usually, when our packet is routed and takes hops it decrements by 1 after each hop from its current TTL value until it reaches the destination. But in this case, we see the TTL value is 64 which means the packet was not routed this RST is not coming from the actual IP in the source field which is the website IP. So at this point, we know that this RST is being sent by an internal device and in question, we want to know who is sending the RST.
We will select the RST packet and analyze the layer-2 header and check the source MAC address from the source MAC address we can it as the SonicWall firewall.
So by taking a look at the firewall it was found that there was a LAN > WAN access rule which was denying traffic to that website and hence the connection was being reset by Firewall.
Post disabling the rule we were able to access the website without any issue.
NOTE: If in the above example facbook.com was not accessible and analyzing the TTL value if it was TTL=63 or any other number less than 64 so it means the packet was routed and the RST is coming from a device outside of the network.
Related Articles
- How to block like/comment/post/share features of Facebook using App Rules
- How to block various YouTube features using App Rules
- How can I enable or disable SonicWall firewall management access?
YES
NO