TCP RST packets are more than 80% of captured packets

Dean QeMoo
Hi All,

I captured packets within our intranet, placing the sniffing tool at the core switch to capture only the conversation between all clients and one server. I observed that almost all of the captured packets are TCP SYN/ACK packets and TCP RST packets. TCP SYN packets are below 10% of the captured packets. Is it abnormal for this to happen in this conversation?
Sr.Net.Eng
Top Expert 2011
Commented:
TCP RSTs usually occur when hosts are attempting to connect to ports that the destination hosts are not listening on. That said, there are many factors that could affect the output of your capture. Your first step would be to identify what applications/services you are running on your network that could cause a host of TCP RSTs.
Dean QeMoo, Service Engineer

Author

Commented:
The application running on the tapped server is a POS system for ordering food/drink, where the host sends a request to the server when an order is keyed in. I detected an unknown service that appears when the server becomes slow; when I kill it, the application/server returns to normal again. In the captured packets, I detected many TCP RST packets the whole time since the capture was started.
Soulja, Sr.Net.Eng
Top Expert 2011

Commented:
Are you seeing the resets by the same destination host? Could you share the capture file?
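
One way to get the numbers the comments above ask for (the share of each packet class, and whether the resets come from the same host and port), as an added example that is not part of the original thread. The tab-separated input layout, the addresses and the ports are assumptions; the sample rows are constructed.

```python
from collections import Counter

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP header flag bits

def classify(flags):
    """Map a TCP flags value to the packet classes named in the question."""
    if flags & RST:
        return "RST"
    if flags & SYN:
        return "SYN/ACK" if flags & ACK else "SYN"
    return "other"

def summarize(rows):
    """rows: tab-separated 'src dst sport dport flags_hex' lines, e.g. from
    tshark -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags
    Returns (percent per class, RST count per sending endpoint,
    endpoints that sent RSTs but never a SYN/ACK)."""
    classes, rst_from, accepts = Counter(), Counter(), set()
    for row in rows:
        src, _dst, sport, _dport, flags = row.strip().split("\t")
        kind = classify(int(flags, 16))
        classes[kind] += 1
        if kind == "RST":
            rst_from[(src, int(sport))] += 1
        elif kind == "SYN/ACK":
            accepts.add((src, int(sport)))
    total = sum(classes.values()) or 1
    share = {k: round(100 * n / total, 1) for k, n in classes.items()}
    # Resets from an endpoint that never accepted a connection match the
    # "port not listening" case; resets from one that did need another cause.
    never_accepts = sorted(e for e in rst_from if e not in accepts)
    return share, rst_from, never_accepts

# Constructed sample rows (assumed addresses and ports, not the asker's capture).
SAMPLE = [
    "10.0.0.21\t10.0.0.5\t50001\t8080\t0x002",
    "10.0.0.5\t10.0.0.21\t8080\t50001\t0x012",
    "10.0.0.22\t10.0.0.5\t50002\t9100\t0x002",
    "10.0.0.5\t10.0.0.22\t9100\t50002\t0x014",
    "10.0.0.23\t10.0.0.5\t50003\t9100\t0x002",
    "10.0.0.5\t10.0.0.23\t9100\t50003\t0x014",
    "10.0.0.5\t10.0.0.21\t8080\t50001\t0x014",
    "10.0.0.5\t10.0.0.21\t8080\t50001\t0x004",
]

if __name__ == "__main__":
    share, rst_from, never_accepts = summarize(SAMPLE)
    print(share, rst_from.most_common(), never_accepts)
```
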
Distinguished Expert 2018

Commented:
What sort of protections do you have now? I would highly recommend reviewing that. I would not be shocked if there were some active attack attempts taking place. But we do need more detailed data to give definitive answers.
Soulja, Sr.Net.Eng
Top Expert 2011

Commented:
Author abandoned.
