First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Large number of RST-SYN

Am truing to tune this pc and not sure what and why this large number of RSTs are coming from. 

1   0.000000000 127.0.0.1   127.0.0.1   TCP 76  45689 → 42385 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=4151242101 TSecr=0 WS=128
116 33.035618863    127.0.0.1   127.0.0.1   TCP 56  42385 → 39483 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Linux alaa-HP-Pavilion-dv2700-Notebook-PC 4.15.0-46-generic #49~16.04.1-Ubuntu SMP Tue Feb 12 17:44:38 UTC 2019 i686 athlon i686 GNU/Linux

Scanned with clam.

https://drive.google.com/open?id=17Wn...

aasalem's avatar
1
aasalem
asked 2019-03-18 19:08:20 +0000
grahamb's avatar
23.8k
grahamb
updated 2019-03-19 11:06:29 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

2 Answers

0

Maybe you could find out what application listens on port 42385.

atom's avatar
1
atom
answered 2019-03-21 10:22:44 +0000
edit flag offensive 0 remove flag delete link
more

Comments

I think there is nothing listening on port 42385, hence the resets. I think the issue is more about what process is continually sending the SYN to port 42385, from a random bunch of ephemeral ports. I'm not sure what tools are available on Linux to help with that, maybe lsof?

grahamb's avatar grahamb (2019-03-21 10:58:38 +0000) edit
more
  • delete
add a comment see more comments
0

There is no service listening on port 42385. Not sure if you anonymized the pcap (127.0.0.1), or if you captured on localhost. Based on the delta time between SYN and RST, I tend to believe you captured on localhost. So, try to figure out which process is trying to connect to port 42385.

Run the following command and either check yourself or post here.

netstat -nap | grep 42385

Regards
Kurt

Kurt Knochner's avatar
24.7k
Kurt Knochner
answered 2019-03-21 10:57:36 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer