TCP RST Packet over than 80% captured packet

Hi All,

I had capture the packet within our intranet where I place the sniffing tool at core switch to only capture conversation between all client to one server. I had observer the almost packet was captured is TCP SYN/ACK packet and TCP RST packet. The TCP SYN packet only below then 10% of captured packet. Its is abnormal in happen in this conversation?
Dean QeMooService EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

N. SpearsSr.Net.EngCommented:
TCP RST usually occur when hosts are attempting  to connect the ports that the destination hosts are not listening on. That said there are many factors that could effect your output of the capture. Your first step would be to identify what applicaiton/services you are running on your network that could cause a host of TCP RST's

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dean QeMooService EngineerAuthor Commented:
the application running for tapping server is post system for ordering food/drink where host will request to server if the order key-in. I detected unknown service appear when the server become slow and kill it the application/server come to normal again. From the captured packet detected many TCP RST packet along time since start packet was captured
N. SpearsSr.Net.EngCommented:
Are you seeing the resets by the same destination host?  Could you share the capture file?
What sort of protections do you have now? I would highly recommend reviewing that. I would not be shocked if there were some active attack attempts taking place. But we do need more detailed data to give definitive answers.
N. SpearsSr.Net.EngCommented:
Author abandoned.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.