Re: How to test how many connections are being reset by RST pack
My next step will be to install WireShark and view the traffic to see what I can see. I am used to using Ethereal on my Linux box, but I can run WireShark on Windows. Other than the standard filtering options, any tips on sourcing the resets with this tool?
John M. Wilson
Yarmouth Port, MA
said by johnmwilson7:
    Other than the standard filtering options, any tips on sourcing the resets with this tool?

RSTs with a sequence number seq=0 are probably not injected. Everything else is a "maybe," so you have to look at what was happening in the conversation and decide. RSTs right on the tail of a bunch of data that was not problematic are very suspicious.
My last interesting discovery is that the injected RSTs had a TTL (in the IP header) of 123. The norm TTL from my computer was 128, and my peer was often in the 110s or 100s TTL. If my peer was coming in TTL=109 but the RSTs were TTL=123, that is surely injected. HOWEVER, someone on the east coast sent me his capture file, and his RSTs that were seemingly injected all had the right TTL for his peer. I don't have enough data -- so look out for that for me.
Robb Topolski -= funchords.com =- Hillsboro, Oregon USA
Are you affected by Comcast's RST forging? How to test it! -or- Read my original report.
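The two clues funchords gives (a RST with seq=0 is probably genuine; a RST whose IP TTL does not match the TTL the peer's own data packets arrive with, especially right after clean data, is suspicious) can be turned into a simple triage script. The example below is added here and is not funchords' or John's code; the packet records in it are constructed to mirror the kind of rows you would read off Wireshark's packet list after applying the display filter `tcp.flags.reset == 1` with `ip.ttl` added as a column. Every address, TTL and sequence number in it is made up for illustration.

```python
# Heuristic triage of TCP RSTs, following the clues in the post above:
#   - a RST with seq=0 is probably not injected;
#   - a RST whose TTL differs from the TTL the same peer's data packets carry
#     is likely injected, and more so when it lands right after clean data;
#   - everything else is a "maybe" that needs the conversation read by hand.
# All packet records below are constructed sample data, not a real capture.
from collections import defaultdict, Counter

# One record per packet: (src, dst, ip_ttl, tcp_seq, tcp_flags, payload_len).
# Flags use Wireshark-style letters: P=push, A=ack, R=reset.  Constructed data.
SAMPLE_PACKETS = [
    ("203.0.113.5",  "192.0.2.10", 109, 1000, "PA", 1400),
    ("203.0.113.5",  "192.0.2.10", 109, 2400, "PA", 1400),
    ("203.0.113.5",  "192.0.2.10", 109, 3800, "PA", 1400),
    ("203.0.113.5",  "192.0.2.10", 123, 5200, "R",  0),    # TTL 109 -> 123 after clean data
    ("198.51.100.7", "192.0.2.10", 51,  0,    "RA", 0),    # seq=0 reset from a host we never talked to
    ("192.0.2.10",   "203.0.113.5", 128, 9000, "PA", 500), # our own outbound traffic, TTL 128
    ("198.51.100.9", "192.0.2.10", 57,  400,  "PA", 800),
    ("198.51.100.9", "192.0.2.10", 57,  1200, "R",  0),    # TTL matches the peer's data: undecided
]

def peer_ttl_baseline(packets):
    """Most common TTL on each source's non-RST packets (its 'normal' arrival TTL)."""
    seen = defaultdict(Counter)
    for src, _dst, ttl, _seq, flags, _plen in packets:
        if "R" not in flags:
            seen[src][ttl] += 1
    return {src: counts.most_common(1)[0][0] for src, counts in seen.items()}

def classify_resets(packets, local_ip):
    """Return (src, ttl, seq, data_pkts_before, verdict) for every RST sent to local_ip."""
    baseline = peer_ttl_baseline(packets)
    data_seen = Counter()          # data packets seen from each peer before its RST
    verdicts = []
    for src, dst, ttl, seq, flags, plen in packets:
        if dst != local_ip:
            continue
        if "R" not in flags:
            if plen > 0:
                data_seen[src] += 1
            continue
        if seq == 0:
            verdict = "probably not injected (seq=0)"
        elif src in baseline and ttl != baseline[src]:
            verdict = (f"likely injected: RST TTL {ttl} vs peer data TTL {baseline[src]}"
                       f" after {data_seen[src]} clean data packets")
        else:
            verdict = "maybe: TTL consistent with peer, read the conversation"
        verdicts.append((src, ttl, seq, data_seen[src], verdict))
    return verdicts

if __name__ == "__main__":
    for row in classify_resets(SAMPLE_PACKETS, "192.0.2.10"):
        print(row)
```

The baseline is taken from the peer's own non-RST packets, which is exactly the comparison funchords describes (peer arriving at TTL=109, RST arriving at TTL=123). As his east-coast capture shows, a matching TTL does not clear a RST, so the script deliberately leaves that case as "maybe" rather than calling it clean.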