What’s That NetScaler Reset Packet?
https://www.citrix.com/blogs/2014/05/20/whats-that-netscaler-reset-packet/
A few weeks ago I wrote a blog post on how to empower and extend your default Wireshark configuration titled NetScaler + Wireshark = A Perfect Combination! I’d like to follow up that post with this article which focuses on how to interpret some of the data that you may see in a NetScaler trace.
The TCP Reset [RST]
Quick Tip: If you want a general overview of what a TCP reset is, then please visit the following URL to gain some high level insight: http://en.wikipedia.org/wiki/TCP_reset_attack
There are numerous different reasons for why a TCP reset [RST] may have occurred, but understanding why the [RST] was issued by one of the TCP end-points will provide you with insight into why a particular TCP communication flow was stopped.
As a note, a TCP [FIN] is similar to a TCP [RST] in that both conclude a TCP communication. However, a [FIN] is the graceful means of ending the communication, while a [RST] is an abrupt method of terminating it, somewhat like slamming the door or hanging up the phone mid-call.
OK, so you’ve taken a NetScaler trace and you’d like to see if there are any TCP [RST]’s in the trace. Simply put the following filter expression (tcp.flags.reset == 1) into Wireshark and click “Apply”:

If the filter matches any TCP [RST]s, you’ll see them in the presented output, along with the SOURCE IP address of the host that sent each [RST]:

Highlight the packet row with the actual [RST] and look at the packet detail pane under Transmission Control Protocol. You’ll see that the TCP Reset flag is set with the (1) value:

Now that you’ve seen that a particular HOST has issued a [RST], how do you determine the reason for the end of communication? Well, in the previous graphic you can see additional detail included in the “Info” section, such as the Seq, Win and Len values respectively.
Make note of the “Win” field. In the example provided you can see that the value is Win=9700. This field gives you the NetScaler-assigned code for the actual [RST].
When you see a TCP [RST] issued, jot down the Win value and then reference the following chart to see why the [RST] was issued:

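To show what the Wireshark filter and the Win field are doing under the hood, here is an added example (not part of the original post) that parses a constructed pcap in pure Python, applies the equivalent of tcp.flags.reset == 1, and reports the source IP and the raw 16-bit window field of each [RST]. The NetScaler code is that raw field, so reading it directly sidesteps any window-scale factor Wireshark might apply to the Win value in its Info column. The frames, addresses and ports below are constructed sample data.

```python
import struct

RST = 0x04  # TCP flag bit that Wireshark exposes as tcp.flags.reset

def build_frame(src, dst, sport, dport, flags, win):
    """Ethernet/IPv4/TCP frame with no payload (constructed sample, not a real capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, win, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a minimal little-endian pcap file (link type 1 = Ethernet)."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        data += struct.pack("<IIII", 1400000000 + i, 0, len(frame), len(frame)) + frame
    return data

def find_resets(pcap):
    """Return (src_ip, dst_ip, raw_window) for every TCP segment with the RST flag set."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos, hits = 24, []
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:  # IP protocol field: not TCP
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        if tcp[13] & RST:
            # tcp[14:16] is the raw window field (tcp.window_size_value), the NetScaler reset code
            hits.append((src, dst, struct.unpack("!H", tcp[14:16])[0]))
    return hits

def sample_resets():
    """Constructed three-packet trace: SYN, then a RST carrying Win=9700, then a FIN/ACK."""
    frames = [
        build_frame("10.0.0.5", "10.0.0.10", 40000, 443, 0x02, 65535),  # client SYN
        build_frame("10.0.0.10", "10.0.0.5", 443, 40000, RST, 9700),    # RST, Win=9700
        build_frame("10.0.0.5", "10.0.0.10", 40000, 443, 0x11, 8192),   # FIN/ACK
    ]
    return find_resets(build_pcap(frames))

if __name__ == "__main__":
    for src, dst, win in sample_resets():
        print(f"RST from {src} to {dst}: Win={win} (look {win} up in the NetScaler reset-code chart)")
```

On a real NetScaler trace, replace the constructed frames with the file contents (open(path, "rb").read()) and pass them to find_resets.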