dslreports logo
 
    All Forums Hot Topics Gallery
spc
uniqs
20

funchords
Hello
MVM
join:2001-03-11
Yarmouth Port, MA

funchords to johnmwilson7

MVM

to johnmwilson7

Re: How to test how many connections are being reset by RST pack

said by johnmwilson7:

Other than the standard filtering options, any tips on sourcing the resets with this tool?
RST's with a sequence number seq=0 are probably not injected. Everything else is a "maybe" so you have to look at what was happening in the conversation and decide. RST's right on the tail of a bunch of data that was not problematic are very suspicious.

My last interesting discovery is that the injected RSTs had a TTL (in the IP header) of 123. The norm TTL from my computer was 128, and my peer was often in the 110s or 100s TTL. If my peer was coming in TTL=109 but the RSTs were TTL=123, that is surely injected. HOWEVER, someone on the east coast sent me his capture file, and his RSTs that were seemingly injected all had the right TTL for his peer. I don't have enough data -- so look out for that for me.