Hello all! New to the list and Wireshark. I am having problems with a client connection from the internet. My SonicWall tells me:
02/11/2013 14:11:29.576 Debug Network TCP connection abort received; TCP connection dropped 8.25.230.32, 49333, WAN 192.168.123.3, 443, LAN TCP Flag(s): ACK RST
So I ran Wireshark and captured HTTPS traffic. I need help in determining which device (PC or SonicWall) is generating the ACK RST. Can someone help me do that? Here is the start of the trouble connection, and line 66 is the RST:
57 12.403536 pu.bl.ic.ip 192.168.123.3 TCP 49386 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1332 WS=8 SACK_PERM=1
58 12.403560 192.168.123.3 pu.bl.ic.ip TCP https > 49386 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=6
59 12.448002 pu.bl.ic.ip 192.168.123.3 TCP 49386 > https [ACK] Seq=1 Ack=1 Win=66560 Len=0
60 12.448387 pu.bl.ic.ip 192.168.123.3 TLSv1 Client Hello
61 12.448409 192.168.123.3 pu.bl.ic.ip TCP https > 49386 [ACK] Seq=1 Ack=149 Win=15680 Len=0
62 12.448795 192.168.123.3 pu.bl.ic.ip TLSv1 Server Hello, Change Cipher Spec, Encrypted Handshake Message
63 12.496943 pu.bl.ic.ip 192.168.123.3 TLSv1 Change Cipher Spec, Encrypted Handshake Message, Application Data
64 12.497212 192.168.123.3 192.168.123.4 TCP 47533 > https [FIN, ACK] Seq=1 Ack=1 Win=364 Len=0 TSV=73368246 TSER=1862090175
65 12.497255 192.168.123.3 192.168.123.4 TCP 47715 > https [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSV=73368246 TSER=0 WS=6
66 12.497404 192.168.123.4 192.168.123.3 TCP HTTPS > 47533 [RST] SEQ=1 WIN=0 LEN=0
67 12.497430 192.168.123.4 192.168.123.3 TCP https > 47715 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSV=1863224474 TSER=73368246 WS=6
Basically what's happening here is a connection from the internet to the SonicWall. The SonicWall passes it to 192.168.123.3, and 192.168.123.3 proxies to 192.168.123.4.
My question is: how do I find out what device is generating the ACK RST (line 66)?
I would be happy to send the complete log for further inspection.
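
An added example, not part of the original post: a small Python parser that reads the capture summary lines quoted above, pairs each RST with the previous frame on the same TCP flow, and reports the address in the Source column of the RST. The function names are hypothetical, and the column layout (No., Time, Source, Destination, Protocol, Info) is assumed from the lines in the post.

```python
import re

# Frames 63-67 copied verbatim from the capture summary in the post above.
CAPTURE = """\
63 12.496943 pu.bl.ic.ip 192.168.123.3 TLSv1 Change Cipher Spec, Encrypted Handshake Message, Application Data
64 12.497212 192.168.123.3 192.168.123.4 TCP 47533 > https [FIN, ACK] Seq=1 Ack=1 Win=364 Len=0 TSV=73368246 TSER=1862090175
65 12.497255 192.168.123.3 192.168.123.4 TCP 47715 > https [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSV=73368246 TSER=0 WS=6
66 12.497404 192.168.123.4 192.168.123.3 TCP HTTPS > 47533 [RST] SEQ=1 WIN=0 LEN=0
67 12.497430 192.168.123.4 192.168.123.3 TCP https > 47715 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSV=1863224474 TSER=73368246 WS=6
"""

# Assumed layout: No. Time Source Destination Protocol "sport > dport [FLAGS] ..."
LINE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\]", re.I)

def parse_tcp_frames(text):
    # Keep only TCP summary lines; TLS lines show no ports or flags and are skipped.
    frames = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        f["flags"] = {x.strip().upper() for x in f["flags"].split(",")}
        f["sport"], f["dport"] = f["sport"].lower(), f["dport"].lower()
        frames.append(f)
    return frames

def explain_resets(frames):
    # For every RST, report who sent it and the last frame seen on the same flow.
    last_seen, resets = {}, []
    for f in frames:
        key = frozenset([(f["src"], f["sport"]), (f["dst"], f["dport"])])
        if "RST" in f["flags"]:
            prev = last_seen.get(key)
            resets.append({
                "frame": int(f["no"]),
                "sender": f["src"],
                "receiver": f["dst"],
                "trigger_frame": int(prev["no"]) if prev else None,
                "trigger_flags": sorted(prev["flags"]) if prev else None,
            })
        last_seen[key] = f
    return resets

if __name__ == "__main__":
    for r in explain_resets(parse_tcp_frames(CAPTURE)):
        print(r)
```

The Source column only shows the IP address carried in the frame as seen at the capture point; comparing the frame's Ethernet source MAC against the known MAC of each device confirms which box actually put it on the wire.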