Nmap Development mailing list archives
Re: please elaborate on following:
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 19 Jan 2016 15:42:52 -0600
This is a TCP RST. A host can send a RST packet for any number of reasons. Here are a few: 1. The server application called close() on the socket while there was still data in the receive queue. This can be because of a protocol error or other condition that the server application decides is bad enough to close the connection without waiting for more data. 2. A firewall or IPS detects something "bad" in the connection and decides to shut it down by issuing RSTs in both directions. 3. Network problems have mucked up the acknowledgement numbers badly enough that the TCP stack on the server doesn't think it is recoverable. Given that this is in Nsock, which is used by -sV and NSE, I'd guess it's 1, though there's a small chance it's 2. Dan On Sun, Jan 17, 2016 at 2:23 PM, Mike . <dmciscobgp () hotmail com> wrote:
i see this alot sometimes when viewing the socket call debug output. what exactly does this mean and why am i seeing it? NSOCK INFO [5.3390s] nsock_trace_handler_callback(): Callback: READ ERROR [An existing connection was forcibly closed by the remote host. (10054)] for EID 42 [ i am assuming it is a RST. is it my machine? the host i am probing? do we get this due to protocol mismatches or deformed packet payloads? just curious. i don't see alot after that other than the port could still be open or a generic "syn-ack" for a response Mike _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- please elaborate on following: Mike . (Jan 17)
- Re: please elaborate on following: Daniel Miller (Jan 19)