On Thu, Aug 5, 2010 at 7:29 AM, Bryan Talbot <btal...@aeriagames.com> wrote: > In the tcpdump listed below, isn't the next-to-the-last RST also include an > ACK of the data previously sent? If that is the case, then the client has > received all of the data and ACK'd it but then rudely closed the TCP > connection without the normal FIN exchange. Is my reading correct? > > 19:03:33.106842 IP 10.79.25.20.4266 > 10.79.6.10.80: S > 2041799057:2041799057(0) win 65535 <mss 1460,nop,nop,sackOK> > 19:03:33.106862 IP 10.79.6.10.80 > 10.79.25.20.4266: S > 266508528:266508528(0) ack 2041799058 win 5840 <mss 1460,nop,nop,sackOK> > 19:03:33.106945 IP 10.79.25.20.4266 > 10.79.6.10.80: . ack 1 win 65535 > 19:03:33.107045 IP 10.79.25.20.4266 > 10.79.6.10.80: P 1:269(268) ack 1 win > 65535 > 19:03:33.107060 IP 10.79.6.10.80 > 10.79.25.20.4266: . ack 269 win 6432 > 19:03:33.134401 IP 10.79.6.10.80 > 10.79.25.20.4266: P 1:270(269) ack 269 > win 6432 > 19:03:33.134442 IP 10.79.6.10.80 > 10.79.25.20.4266: F 270:270(0) ack 269 > win 6432 > 19:03:33.134548 IP 10.79.25.20.4266 > 10.79.6.10.80: R 269:269(0) ack 270 > win 0 > 19:03:33.134562 IP 10.79.25.20.4266 > 10.79.6.10.80: R > 2041799326:2041799326(0) win 0 > >
yes - i've encountered this myself, and after looking into the traffic, observed the very same thing from windows clients... Definitely frustrating behaviour in terms of causing all these alerts in the logs... -jf -- "Every nonfree program has a lord, a master -- and if you use the program, he is your master." --Richard Stallman "It's so hard to write a graphics driver that open-sourcing it would not help." -- Andrew Fear, Software Product Manager, NVIDIA Corporation http://kerneltrap.org/node/7228