Nmap Development mailing list archives

Re: please elaborate on following:


From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 19 Jan 2016 15:42:52 -0600

This is a TCP RST. A host can send a RST packet for any number of reasons.
Here are a few:

1. The server application called close() on the socket while there was
still data in the receive queue. This can be because of a protocol error or
other condition that the server application decides is bad enough to close
the connection without waiting for more data.

2. A firewall or IPS detects something "bad" in the connection and decides
to shut it down by issuing RSTs in both directions.

3. Network problems have mucked up the acknowledgement numbers badly enough
that the TCP stack on the server doesn't think it is recoverable.

Given that this is in Nsock, which is used by -sV and NSE, I'd guess it's
1, though there's a small chance it's 2.

Dan

On Sun, Jan 17, 2016 at 2:23 PM, Mike . <dmciscobgp () hotmail com> wrote:

I see this a lot sometimes when viewing the socket call debug output. What
exactly does this mean and why am I seeing it?


NSOCK INFO [5.3390s] nsock_trace_handler_callback(): Callback: READ ERROR
[An existing connection was forcibly closed by the remote host.  (10054)]
for EID 42 [


I am assuming it is a RST. Is it my machine? The host I am probing? Do we
get this due to protocol mismatches or deformed packet payloads? Just
curious. I don't see a lot after that other than the port could still be
open or a generic "syn-ack" for a response.


Mike

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
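
Added example, not part of the original thread and not Nmap or Nsock code: a loopback reproduction of reason 1 in the reply above, where the server calls close() with data still in its receive queue and the client's read fails with a connection reset (error 10054 on Windows) instead of a clean end-of-stream. The function name `read_outcome` and the `PROBE` payload are constructed for this illustration.

```python
import select
import socket
import threading

PROBE = b"GET / HTTP/1.0\r\n\r\n"   # constructed sample probe payload


def read_outcome(server_drains_queue: bool) -> str:
    """Return "FIN" or "RST" depending on how the peer's close() is seen."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # loopback only, ephemeral port
    listener.listen(1)

    def server() -> None:
        conn, _ = listener.accept()
        select.select([conn], [], [], 5)     # wait until the probe is queued
        if server_drains_queue:
            conn.recv(4096)                  # empty the receive queue first
        conn.close()                         # unread data here => stack sends RST

    worker = threading.Thread(target=server)
    worker.start()
    client = socket.create_connection(listener.getsockname(), timeout=5)
    try:
        client.sendall(PROBE)
        try:
            reply = client.recv(1024)        # the read that reports the error
        except ConnectionResetError:         # ECONNRESET / WSAECONNRESET (10054)
            return "RST"
        return "FIN" if reply == b"" else "DATA"
    finally:
        client.close()
        worker.join()
        listener.close()


if __name__ == "__main__":
    print("server read the probe, then closed:", read_outcome(True))
    print("server closed with probe unread:   ", read_outcome(False))
```

The only difference between the two runs is whether the server reads the probe before calling close(), so a reset on its own does not distinguish a rejecting application from a firewall or IPS.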
