Getting FIN and RST flags when attempting TCP handshake in OS X - macos

Trying to establish a tcp connection between a client / server. Both machines are Macs and are on the same LAN. Server's app listens on port 12345. After receiving "SYN, ACK" from Server, I send "ACK" but then my client automatically sends a "FIN, ACK" followed by "RST, ACK". So the TCP Flow ends up being:
Client sends SYN.
SVR sends SYN, ACK.
Client sends ACK.
Client sends FIN, ACK.
Client sends RST, ACK.
SVR sends ACK.
SVR sends ACK.
Client sends RST.
Client sends RST.
From reading other posts with similar issues it sounds like this could be happening because I'm trying to manually create the handshake on the user level and the Unix kernel (operating at the system level) sees the "SYN, ACK" far before anything on the user level can respond and moves to close the connection, seeing it as open for no reason. A similar problem to what this Linux user experienced: Unwanted RST TCP packet with Scapy
Whereas iptables worked for the Linux user should I use something like pf in Mac OS X to block / drop the FIN and RST msgs? My client is running 10.9.5 and my server 10.10.3.
Here's a flow graph of the tcp communication Server is 10.0.100.5 and client is 10.0.100.4:

Related

Websocket client receive RST packet when the number of connections more than 7k

I use ws(websocket) client(github.com/gorilla/websocket, running on local host) to stress test ws server which is implemented by java Netty (running on remote centos 7.8 host with 2vcpu + 8Gb memory). Only the client start tcp keepalive mechanism.
When the number of connections more than 7k, then client side start to receive RST packet(include new and old connections).
Wireshark capture package detail
I have verified the server side's syn_recv queue and accept queue are idle during testing and no syn packet droped, no listen queue overflowed. So i need help....
This is answered here very succinctly Is there a limit on number of tcp/ip connections between machines on linux?
I believe you are running out of listening sockets.
You can use the ss command to start identifying this.
Also check /var/log/messages for max-sockets.

UDP Packets not Sending Possibly Due to Client Not Found?

I have an application that is very simple. It sends out UDP packets to a client somewhere else on the network.
The host computer is 192.168.11.66 (Windows 10), the client device is 192.168.11.65 (proprietary device).
The host pc cannot see the client device, however I know that it is on and listening to traffic. When I send UDP packets from the host, I use Wireshark and I do not see the packets being sent out. Instead I see messages from ARP trying to locate the client. I assume because ARP is unsuccessful, the host cancels the sending of the packets.
If I change the destination address of the packets to a broadcast address, all of the packets get sent and I see everything on Wireshark. I need to be able to specify the IP address of the client and have Windows send the packets regardless of whether or not it thinks the client device is on the network or not. The client device looks for UDP traffic specifically addressed to itself and the client device has no way of making itself visible on the network.
Does anyone know how to work around this?
Thank you #Remy: instead to create your own ARP record manually. – Remy Lebeau
I did not realize that I could create manual entries in the ARP. I need to read more about ARP. Adding a manual entry solved my issue. I found that you could do it using ASP -s, or add neighbor using NETSH .
Thanks!

When should an FTP server connect to FTP client after PORT command?

I want to add support for the PORT command to my FTP server. I'm reading RFC 959, but I can't figure out when it's safe to connect to the FTP client. For example, consider this sequence:
PORT 127,0,0,1,34,34
LIST
Does the FTP client start listening before issuing the PORT command, or after issuing the LIST command? Because if the server attempts to connect to the client immediately after receiving PORT, it might fail because the client might not have started listening yet.
What does the specification say? Can the server connect immediately, or should it wait until after it receives the command that will make use of the data connection?
The server shouldn't connect to the client until it gets a command that requests a data transfer, such as LIST or RETR. See section 7 of RFC 959, which shows a typical sequence of operations (RFC's didn't have the formal MUST/MAY/SHOULD specifications in those early days).
However, since the port used in the PORT command is typically an ephemeral port, the client needs to open a socket to get the OS to assign a port number. This implies that by the time the PORT command is sent, the port would have to be open. However, it's possible that it might not yet have called listen().

How to prevent Windows from sending RST packet when trying to connect to somebody via Pcap.net?

I'm trying to use Pcap.Net to open a tcp connection.
I'm sending following package:
The server is responding with:
After this, Windows on its own sends the reset packet:
Why is this happening, and how do I block this behavior?
I'm doing this on Windows 7
As Mr Harris says, you can use WinDivert to do what you want. E.g. to just do the TCP handshake, you can write something like the following:
// TCP handshake using WinDivert:
HANDLE handle = DivertOpen("inbound && tcp.SrcPort == 80 && tcp.Syn && tcp.Ack", 0, 0, 0);
DivertSend(handle, synPacket, sizeof(synPacket), dstAddr, NULL);
...
DivertRecv(handle, synAckPacket, sizeof(synAckPacket), &srcAddr, &length);
...
DivertSend(handle, ackPacket, sizeof(ackPacket), dstAddr, NULL);
...
The DivertRecv() function redirects the server response into user space before it is handled by the Windows TCP/IP stack. So no pesky TCP RST will be generated. DivertSend() injects packets.
This is the main differences between WinDivert and WinPCAP. The latter is merely a packet sniffer, whereas the former can intercept/filter/block traffic.
WinDivert is written in C so you'd need to write your own .NET wrapper.
(usual disclosure: WinDivert is my project).
Essentially, the problem is that scapy runs in user space, and the windows kernel will receive the SYN-ACK first. Your windows kernel will send a TCP RST because it won't have a socket open on the port number in question, before you have a chance to do anything with scapy.
The typical solution (in linux) is to firewall your kernel from receiving an RST packet on that TCP port (12456) while you are running the script... the problem is that I don't think Windows firewall allows you to be this granular (i.e. looking at TCP flags) for packet drops.
Perhaps the easiest solution is to do this under a linux VM and use iptables to implement the RST drops.
Either by using Boring Old Winsock to make a TCP connection to the server, rather than constructing your own TCP-over-IP-over-Ethernet packets and sending them to a server, or by somehow convincing the Windows Internet protocol stack to ignore the SYN+ACK (and all subsequent packets) you get from the server, so that it doesn't see the SYN+ACK from the server, notice that no process has tried to set up a TCP connection from 192.168.1.3:12456 to 192.168.1.1:80 using the standard in-kernel networking stack (i.e., nobody's tried to set it up using Boring Old Winsock), and send back an RST to tell the server that there's nobody listening at port 12456 on the machine.
You might be able to do the latter using WinDivert. It does not itself appear to have a .NET wrapper, so you might have to look for one if you're going to use .NET rather than Boring Old Unmanaged C or Boring Old Unmanaged C++.

Windows UDP sending problems

I have a weird behaviour on windows. I have 2 processes that are talking to each other on UDP protocol.
Scenario: 1 of the proceeses is up and the other is not. The process try to send udp message towards the one that is down. The one that is up gets from OS or soemthing else a signal for the socket to read as it got message from the other process.
How come ?
It sends a signal on the same port, but it not a real message that was sent from the other application. When trying to read it u get an excpetion of number 10054, connection reset.

Resources