What’s That NetScaler Reset Packet?

https://www.citrix.com/blogs/2014/05/20/whats-that-netscaler-reset-packet/

A few weeks ago I wrote a blog post on how to empower and extend your default Wireshark configuration titled NetScaler + Wireshark = A Perfect Combination! I’d like to follow up that post with this article which focuses on how to interpret some of the data that you may see in a NetScaler trace.

The TCP Reset [RST]

Quick Tip: If you want a general overview of what a TCP reset is, then please visit the following URL to gain some high level insight: http://en.wikipedia.org/wiki/TCP_reset_attack

There are numerous different reasons for why a TCP reset [RST] may have occurred, but understanding why the [RST] was issued by one of the TCP end-points will provide you with insight into why a particular TCP communication flow was stopped.

As a note, a TCP [FIN] is similar to a TCP [RST] in that both conclude a TCP communication. However, [FIN]s are the graceful means of ending the communication, whereas a [RST] is an abrupt method of terminating it, similar to slamming the door or hanging up the phone mid-sentence.

OK, so you’ve taken a NetScaler trace and you’d like to see if there are any TCP [RST]s in the trace. Simply put the following filter expression (tcp.flags.reset == 1) into Wireshark and click “Apply”:

If there are any TCP [RST]s matching the filter, you’ll see them in the packet list, along with the SOURCE IP address that sent each [RST]:

Highlight the packet row with the actual [RST] and look at the packet detail pane under Transmission Control Protocol. You’ll see that the TCP Reset flag is set with the (1) value:

Now that you’ve seen that a particular HOST has issued a [RST], how do you determine the reason the communication was ended? Well, in the previous graphic you can see additional detail included in the “Info” section, such as the Seq, Win and Len values respectively.

Make note of the “Win” field. In the example provided you can see that the value is Win=9700. This field gives you the NetScaler-assigned code for the actual [RST].

When you see a TCP [RST] issued, jot down the Win value and then reference the following chart to see why the [RST] was issued:
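The steps above (filter on tcp.flags.reset == 1, note the source IP, then read the Seq, Win and Len values from the Info column) can also be scripted when a trace is too large to click through. The following Python script is an added example written for this page, not code from the Citrix post or from the NetScaler product: it decodes raw Ethernet/IPv4/TCP frames, keeps only those with the RST flag set, and reports the same fields Wireshark shows. The frames it parses are constructed inline (RFC 5737 documentation addresses, checksums left at zero) so the script runs offline; replace them with frames read from a real capture when you use it. The sample Win value 9700 is simply the value the article shows and carries no meaning here beyond that.

```python
"""Pull TCP [RST] packets out of raw Ethernet frames and report the fields
Wireshark shows in its Info column: source IP, Seq, Win and Len.

Added example for this page; not code from the Citrix post. The frames
below are constructed test input, not packets captured from a NetScaler.
"""
import socket
import struct

ETH_TYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6
# TCP flag bits (byte 13 of the TCP header)
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed input; checksums are 0)."""
    # data offset 5 (20-byte header, no options), then flags, window, checksum, urg ptr
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IP_PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00" * 12 + struct.pack("!H", ETH_TYPE_IPV4)  # zero MACs, EtherType IPv4
    return eth + ip + tcp


def parse_tcp(frame):
    """Decode one frame; return a dict of TCP fields, or None if it is not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # honour IP options if present
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IP_PROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length incl. options
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]   # raw 16-bit field (tcp.window_size_value)
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport,
        "dport": dport,
        "seq": seq,                               # absolute; Wireshark shows relative by default
        "flags_reset": 1 if flags & TCP_RST else 0,
        "win": window,
        "len": max(0, len(tcp) - data_off),       # TCP payload length (Wireshark's Len)
    }


def find_resets(frames):
    """Equivalent of the Wireshark display filter  tcp.flags.reset == 1 ."""
    out = []
    for frame in frames:
        rec = parse_tcp(frame)
        if rec and rec["flags_reset"]:
            out.append(rec)
    return out


def info_column(rec):
    """Render a record the way Wireshark's Info column does for a reset."""
    return "%s -> %s [RST] Seq=%d Win=%d Len=%d" % (
        rec["src"], rec["dst"], rec["seq"], rec["win"], rec["len"])


def sample_frames():
    """Constructed three-packet exchange: a handshake and then a reset from the VIP."""
    client, vip = "192.0.2.10", "198.51.100.20"   # documentation addresses
    return [
        build_frame(client, vip, 50000, 443, 1000, 0, TCP_SYN, 65535),
        build_frame(vip, client, 443, 50000, 5000, 1001, TCP_SYN | TCP_ACK, 8190),
        build_frame(vip, client, 443, 50000, 5001, 1001, TCP_RST | TCP_ACK, 9700),
    ]


if __name__ == "__main__":
    for rec in find_resets(sample_frames()):
        print(info_column(rec))
```

The script reads the raw 16-bit window field, which Wireshark exposes as tcp.window_size_value. If the trace also contains the handshake and a window-scale option was negotiated, the Win shown in Wireshark's Info column may be the scaled value; compare against tcp.window_size_value in that case, since the raw field is what carries the code described above.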
