What’s That NetScaler Reset Packet?

https://www.citrix.com/blogs/2014/05/20/whats-that-netscaler-reset-packet/

A few weeks ago I wrote a blog post on how to empower and extend your default Wireshark configuration titled NetScaler + Wireshark = A Perfect Combination! I’d like to follow up that post with this article which focuses on how to interpret some of the data that you may see in a NetScaler trace.

The TCP Reset [RST]

Quick Tip: If you want a general overview of what a TCP reset is, then please visit the following URL to gain some high level insight: http://en.wikipedia.org/wiki/TCP_reset_attack

There are numerous different reasons for why a TCP reset [RST] may have occurred, but understanding why the [RST] was issued by one of the TCP end-points will provide you with insight into why a particular TCP communication flow was stopped.

As a note, a TCP [FIN] is similar to a TCP [RST] in that they both conclude a TCP communication. However, [FIN]’s are the gracious means of ending the communication and a [RST] is a rather abrupt method for terminating the communication, perhaps similar to slamming the door or hanging up the phone rather abruptly.

OK, so you’ve taken a NetScaler trace and you’d like to see if there are any TCP [RST]’s in the trace. Simply put the following filter expression (tcp.flags.reset == 1) into Wireshark and click “Apply”:

If there are any TCP [RST]’s from applying the filter, you’ll see them in the presented output, coupled with also seeing the SOURCE IP address which sent the [RST]:

Highlight the packet row with the actual [RST] and look at the packet detail pane under Transmission Control Protocol. You’ll see that the TCP Reset flag is set with the (1) value:

Now that you’ve seen that a particular HOST has issued a [RST], how do you determine what the reason was for the end of communication? Well, in the previous graphic you can see additional detail included in the “Info” section, such as the Seq, Win and Lenrespectively.

Make note of the “Win” field. In the example provided you can see that the value is Win=9700. This field gives you the NetScaler-assigned code for the actual [RST].

When you see a TCP [RST] issued, jot down the Win value and then reference the following chart to see why the [RST] was issued:

================= End

What’s That NetScaler Reset Packet?的更多相关文章

  1. 常见web服务器错误

    参考地址:http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.5     10 Status Code Definitions ...

  2. RFC 2616

    Network Working Group R. Fielding Request for Comments: 2616 UC Irvine Obsoletes: 2068 J. Gettys Cat ...

  3. PHP header() http各种状态码大全查询

    PHP header()the function declaration: void header ( string string [, bool replace [, int http_respon ...

  4. 即时通信系统Openfire分析之八:集群管理

    前言 在第六章<路由表>中,客户端进行会话时,首先要获取对方的Session实例.获取Session实例的方法,是先查找本地路由表,若找不到,则通过路由表中的缓存数据,由定位器获取. 路由 ...

  5. Peer-to-Peer (P2P) communication across middleboxes

    Internet Draft                                                   B. FordDocument: draft-ford-midcom- ...

  6. Google Quic协议

    0x01 Quic QUIC协议于2012年实现,2015年提交RFC草案,它是Goolge为了解决当今WEB应用常见的传输层和应用层问题而提出的,从分层结构上可以看做是TCP+TLS+HTTP2的集 ...

  7. RFC2616-HTTP1.1-Status Code(状态码规定部分—单词注释版)

    part of Hypertext Transfer Protocol -- HTTP/1.1RFC 2616 Fielding, et al. 10 Status Code Definitions ...

  8. HTTP 1.0 Status Code Definitions

    part of Hypertext Transfer Protocol -- HTTP/1.1RFC 2616 Fielding, et al. 10 Status Code Definitions ...

  9. 逆向路由器固件之敏感信息泄露 Part2

    之前的文章中详细介绍了各种解包路由器固件的工具.解包之后就获得了固件中的文件.下一步就是分析文件寻找漏洞了.这次分析的目标是Trendnet路由器,分析的漏洞是一个远程获取路由器权限的漏洞. 初步分析 ...

随机推荐

  1. 青岛Uber优步司机奖励政策(8/10-8/16)

    亲爱的Uber青岛优步的大司机朋友们,又到了每周发布奖励细则的时刻啦!下一周的奖励与上周有所不同,请一定要仔细按照自己的情况阅读!另外,之前参与过投票并表示想加入新小时保底政策的老司机朋友们从本周起, ...

  2. spring之HttpInvoker

    一.HttpInvoker是常用的Java同构系统之间方法调用实现方案,是众多Spring项目中的一个子项目.顾名思义,它通过HTTP通信即可实现两个Java系统之间的远程方法调用,使得系统之间的通信 ...

  3. (转)EDM邮件制作规范完整版

    转载:http://www.maildesign.cn/archives/1380 在我们的日常工作中,经常需要发送邮件和我们的会员沟通.如注册确认.营销推广等.这些由站方发给会员的信件,往往纯文本格 ...

  4. HTML5心得

    1. 在做登录或搜索框的时候,可以为input加上autofocus属性,这样打开页面焦点自动在登录框或搜索框中.减少用户不必要的定位点击. 如<label>Search:<inpu ...

  5. 深入理解java虚拟机学习笔记(一)

    第二章 Java内存区域与内存溢出异常 运行时数据区域 程序计数器(Program Counter Register) 程序计数器:当前线程所执行的字节码行号指示器.各条线程之间计数器互不影响,独立存 ...

  6. java基础-Comparator接口与Collections实现排序算法

    java 排序Comparable和Comparator使用 java提供了两个排序用的接口Comparable和Comparator,一般情况下使用区别如下: Comparable 接口用于类的固定 ...

  7. ubuntu ssh配置

    Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over ...

  8. Ubuntu—终端命令调整窗口的大小

    1,查看窗口大小 current 1280x768 是我当前电脑的窗口大小,下面提供的是可以修改的窗口大小. $ xrandr 2.修改窗口大小 示例: $ xrandr -s 1024x768

  9. jquery取radio单选按钮

    // var strMess = '<%=Exchange() %>';//            if (strMess == "兑换成功") {//         ...

  10. Hadoop,MapReduce操作Mysql

    前以前帖子介绍,怎样读取文本数据源和多个数据源的合并:http://www.cnblogs.com/liqizhou/archive/2012/05/15/2501835.html 这一个博客介绍一下 ...