Wireshark-users: Re: [Wireshark-users] who sends RST packets? UNIX box or application? Troublesho
From: bart sikkes <b.sikkes@xxxxxxxxx>
Date: Wed, 15 Dec 2010 19:13:46 +0100
would have been more useful if you kept the source and destination ip
info. because it seems to me that the source send a syn and
destination sends a syn and ack back and then the source is sending
the reset (based on port info).

beyond that enough stuff to check. you could run wirehsark (or tcpdump
or such) on the solaris box and see if it does indeed send the reset.
beyond that:
- can other systems use the solaris box?
- are there any firewalls or such in between?
- has to solaris box itself some firewall or hosts.allow sort of setup?
- when you port scan the solaris box, is port 446 reported as listening?

good luck,
bart

On Wed, Dec 15, 2010 at 3:20 PM, Sven Aluoor <aluoor@xxxxxxxxx> wrote:
> Hi folks
>
> I have here a box with Cisco's IOS which makes SCEP (Simple
> Certificate Enrollment Protocol) request with Dst Port 446 to a
> Solaris box with RSA Keon.
>
> Apache is listening:
>
> $ netstat -an | grep 446
>      *.446                *.*                0      0 49152      0 LISTEN
>
> nothing in layer 7 log files:
>
> $ ls -lrt scep-*
> -rw-r-----   1 root     root           0 Jan  20  2008 scep-error.log
> -rw-r-----   1 root     root           0 Jan  20 2008 scep-access.log
>
> snoop output (analyzed with Wireshark, see screenshot[0]).
>
> I see that the source sends a SYN package and the destination box
> answers with Reset. How to see if the reset comes from application
> (RSA Keon) or the UNIX Box? I guess it is not the application because
> of empty log file. Any other hints on troubleshooting this?
>
> cheers Sven
>
> [0] http://i.imgur.com/ZbEeh.png
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>