Description | This article describes how to analyze TCP RST (Reset) packets in Wireshark. |
Scope | FortiGate. |
Solution |
Scenario: It is not possible to access RDP for the whole network.
Solution: Always perform a packet capture of the TCP connection and review it in Wireshark.
Start by selecting the RST packet in the packet capture and right-clicking it. Choose 'Conversation filter' and then select TCP. This filters the packets down to the selected conversation to aid in troubleshooting.
In the packet capture, it is possible to observe that the client sends a SYN packet for the TCP handshake but receives an RST packet from the server.
To further investigate the source of the RST packet, focus on the IP header. Expand the IP header in Wireshark to access the TTL (Time To Live) value.
Analyze the layer-2 header and identify the source MAC address. From the source MAC address, it is determined that the FortiGate firewall is responsible for sending the RST packet.
By disabling the specific rule, it was possible to resolve the issue, and subsequent access to the RDP (Remote Desktop Protocol) was established without any problems.
This detailed analysis highlights the process followed to identify the source of the RST packet and its resolution. |
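The same checks can be scripted. The following is an added example, not part of the original article or Fortinet code: it parses raw Ethernet/IPv4/TCP frames and reports the TTL and source MAC of every RST. It goes slightly beyond the article by also comparing the RST's TTL with other packets seen from the same source IP. The `KNOWN_MACS` inventory, all addresses, MACs and TTL values are constructed for illustration.

```python
import struct

# Hypothetical inventory mapping source MACs on the capture segment to devices.
KNOWN_MACS = {"02:00:00:aa:bb:01": "firewall (constructed MAC)"}

def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums zero) as sample input."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + tcp

def parse_frame(frame):
    """Return the fields the article inspects, or None if not Ethernet/IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4          # honour IP header length (options)
    if len(frame) < tcp + 20:
        return None
    return {"src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
            "ttl": frame[22],
            "src_ip": ".".join(str(b) for b in frame[26:30]),
            "sport": struct.unpack("!H", frame[tcp:tcp + 2])[0],
            "flags": frame[tcp + 13]}

def find_rsts(frames):
    """Report each RST with its TTL, source MAC, inventory match and TTL baseline check."""
    pkts = [p for p in map(parse_frame, frames) if p]
    findings = []
    for p in pkts:
        if not p["flags"] & 0x04:               # 0x04 = RST bit
            continue
        baseline = {q["ttl"] for q in pkts
                    if q["src_ip"] == p["src_ip"] and not q["flags"] & 0x04}
        findings.append({**p, "device": KNOWN_MACS.get(p["src_mac"], "unknown"),
                         "ttl_differs": bool(baseline) and p["ttl"] not in baseline})
    return findings

# Constructed sample capture: addresses, MACs and TTLs are invented for illustration.
CLIENT, SERVER = ("00:11:22:33:44:55", "10.0.0.10"), ("00:50:56:00:00:20", "10.0.0.20")
SAMPLE = [
    build_frame(SERVER[0], CLIENT[0], SERVER[1], CLIENT[1], 128, 445, 50000, 0x12),  # earlier SYN-ACK
    build_frame(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], 128, 50001, 3389, 0x02),  # SYN to RDP
    build_frame("02:00:00:aa:bb:01", CLIENT[0], SERVER[1], CLIENT[1], 64, 3389, 50001, 0x14),  # RST
]

if __name__ == "__main__":
    for f in find_rsts(SAMPLE):
        print(f)
```

In the constructed sample, the RST carries the server's IP address but a source MAC and TTL that do not match the server's other traffic, which is the pattern the steps above look for.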
Copyright 2024 Fortinet, Inc. All Rights Reserved.