- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Analyzing TCP reset(RST)packets
05/23/2022 
1 People found this article helpful
20,094 Views
Description
This article explains how to analyze the TCP RST packets in Wireshark.
Resolution
A use case scenario
- Not able to access Facebook and the rest of the other websites are working fine.
- Always perform packet capture for TCP connection and review it on Wireshark.
While analyzing the packet capture select the RST packet and right-click and select Conversation filter and then select TCP.
This will filter the packets for the selected conversation only and make it easy to troubleshoot.
From the packet capture, the client sends the SYN for TCP handshake and gets RST from the server.
We will utilize the IP header portion to find if the RST was sent from outside the network or if it was sent from an Internal network device. Expanding the IP header data portion in Wireshark and going to TTL(Time To Live) value. Usually, TTL values are 255, 168, and 64 there can be many but these are 3 big numbers generally used.
So if we see the TTL value it is 64, it means the packet was not routed.
Usually, when our packet is routed and takes hops it decrements by 1 after each hop from its current TTL value until it reaches the destination. But in this case, we see the TTL value is 64 which means the packet was not routed this RST is not coming from the actual IP in the source field which is the website IP. So at this point, we know that this RST is being sent by an internal device and in question, we want to know who is sending the RST.
We will select the RST packet and analyze the layer-2 header and check the source MAC address from the source MAC address we can it as the SonicWall firewall.
So by taking a look at the firewall it was found that there was a LAN > WAN access rule which was denying traffic to that website and hence the connection was being reset by Firewall.
Post disabling the rule we were able to access the website without any issue.
NOTE: If in the above example facbook.com was not accessible and analyzing the TTL value if it was TTL=63 or any other number less than 64 so it means the packet was routed and the RST is coming from a device outside of the network.
Related Articles
- Firewall is not generating syslog packets
- Configuring SNMP in SonicOS
- Why is SonicWall blocking access to websites?
YES
NO