On Thu, Aug 5, 2010 at 7:29 AM, Bryan Talbot <btal...@aeriagames.com> wrote:
> In the tcpdump listed below, isn't the next-to-the-last RST also include an
> ACK of the data previously sent? If that is the case, then the client has
> received all of the data and ACK'd it but then rudely closed the TCP
> connection without the normal FIN exchange. Is my reading correct?
>
> 19:03:33.106842 IP 10.79.25.20.4266 > 10.79.6.10.80: S
> 2041799057:2041799057(0) win 65535 <mss 1460,nop,nop,sackOK>
> 19:03:33.106862 IP 10.79.6.10.80 > 10.79.25.20.4266: S
> 266508528:266508528(0) ack 2041799058 win 5840 <mss 1460,nop,nop,sackOK>
> 19:03:33.106945 IP 10.79.25.20.4266 > 10.79.6.10.80: . ack 1 win 65535
> 19:03:33.107045 IP 10.79.25.20.4266 > 10.79.6.10.80: P 1:269(268) ack 1 win
> 65535
> 19:03:33.107060 IP 10.79.6.10.80 > 10.79.25.20.4266: . ack 269 win 6432
> 19:03:33.134401 IP 10.79.6.10.80 > 10.79.25.20.4266: P 1:270(269) ack 269
> win 6432
> 19:03:33.134442 IP 10.79.6.10.80 > 10.79.25.20.4266: F 270:270(0) ack 269
> win 6432
> 19:03:33.134548 IP 10.79.25.20.4266 > 10.79.6.10.80: R 269:269(0) ack 270
> win 0
> 19:03:33.134562 IP 10.79.25.20.4266 > 10.79.6.10.80: R
> 2041799326:2041799326(0) win 0
>
>
yes - i've encountered this myself, and after looking into the
traffic, observed the very same thing from windows clients...
Definitely frustrating behaviour in terms of causing all these alerts
in the logs...
-jf
--
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."
--Richard Stallman
"It's so hard to write a graphics driver that open-sourcing it would not help."
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
http://kerneltrap.org/node/7228
