[Winpcap-users] TCP stack resets connections established by WinPCap on XP SP2

David Rodriguez davidgrs at hotmail.com
Thu Mar 16 17:47:48 GMT 2006


Hi Jacob,

When you generate traffic using WinPcap, the system does not know about this traffic
(the system does not expect to receive any SYN+ACK because a SYN has never been sent by the system).
This is normal behavior. If you send a SYN+ACK to any machine, a reset will result.


The only solution is to use an alternative MAC address and IP address from your WinPcap application, or you can
disable the TCP/IP stack from working with the IP of your own application; you must create a small stack of TCP/IP functions,
and ARP functions like ARP response and request, ARP table, etc.



Regards

David Rodriguez





  ----- Original Message ----- 
  From: Jacob Gnarly 
  To: winpcap-users at winpcap.org 
  Sent: Wednesday, March 15, 2006 6:04 PM
  Subject: Re: [Winpcap-users] TCP stack resets connections established byWinPCap on XP SP2


  Well, I can't say I understand the solution but I have found the cause of the strange SYN+ACK resetting behavior: the XP firewall. I had disabled my firewall earlier in the week trying to eliminate possible causes of strange behavior. I have fixed several other bugs in the application since then but was never able to resolve the SYN+ACK -> RST problem. On a whim I turned my firewall back on and the application started working! Thanks for your help (the RFC was a good read). 

  Jacob


  On 3/15/06, Jacob Gnarly <jacob.gnarly at gmail.com> wrote:
    Thanks for the quick response. I'll check it out and post the result back to this thread.


    Jacob



    On 3/14/06, Guy Harris < guy at alum.mit.edu> wrote:
      Jacob Gnarly wrote:
      > I hope someone has already seen strange behavior like this and can point 
      > me in the right direction. I "inherited" an application which creates a
      > TCP connection with a remote host, sends a small number of packets, and
      > terminates the connection. The odd behavior that I am finding is that on 
      > some XP SP2 systems the TCP session works just like you would expect
      > while other systems have the connection terminated prematurely by the
      > originator's TCP stack.  Instead of the expected SYN/SYN_ACK/ACK 
      > handshake the originator's TCP stack generates a RST packet as soon as
      > it receives the SYN_ACK packet back from the remote system and then the
      > WinPCap program responds with an ACK packet as follows: 
      > SYN/SYN_ACK/RST/ACK.

      Capture a network trace, look at RFC 793, and see whether the sender of
      the SYN+ACK packet is violating the TCP spec in some fashion (including
      "the ACK of the SYN was already sent").
      _______________________________________________
      Winpcap-users mailing list
      Winpcap-users at winpcap.org 
      https://www.winpcap.org/mailman/listinfo/winpcap-users







------------------------------------------------------------------------------
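
Added example (not part of the original thread, and not WinPcap code): a small trace check for the SYN/SYN_ACK/RST pattern discussed above, where the address that sent the SYN also answers the SYN+ACK with a RST because the host TCP stack never opened that connection. It assumes packets start at the IPv4 header; the function names, addresses, ports and sequence numbers are constructed for illustration.

```python
import socket, struct

SYN, RST, ACK = 0x02, 0x04, 0x10

def build(src, dst, sport, dport, seq, ack, flags):
    """Build a bare IPv4+TCP packet for the constructed sample trace (checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 0x50, flags, 8192, 0, 0)

def parse(pkt):
    """Return (src, sport, dst, dport, seq, ack, flags), or None if not IPv4/TCP."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < ihl + 14 or ihl < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return socket.inet_ntoa(pkt[12:16]), sport, socket.inet_ntoa(pkt[16:20]), dport, seq, ack, flags

def find_stack_resets(packets):
    """Return flows where the SYN sender's address answered the SYN+ACK with a RST."""
    isn, synack_seen, hits = {}, set(), []
    for pkt in packets:
        seg = parse(pkt)
        if seg is None:
            continue
        src, sport, dst, dport, seq, ack, flags = seg
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            isn[fwd] = seq                      # remember the initial sequence number
            synack_seen.discard(fwd)            # a new SYN restarts tracking for this flow
        elif flags & SYN and flags & ACK and isn.get(rev) == (ack - 1) & 0xFFFFFFFF:
            synack_seen.add(rev)                # SYN+ACK correctly acknowledges our SYN
        elif flags & RST and fwd in synack_seen and seq == (isn[fwd] + 1) & 0xFFFFFFFF:
            # RFC 793: a reset sent for an unexpected segment takes SEQ from its ACK field
            hits.append(fwd)
            synack_seen.discard(fwd)
    return hits

A, B = "192.0.2.10", "192.0.2.20"               # constructed documentation addresses
TRACE = [                                       # constructed trace, not a real capture
    build(A, B, 40000, 80, 1000, 0, SYN),       # flow 1: SYN / SYN_ACK / RST / ACK
    build(B, A, 80, 40000, 5000, 1001, SYN | ACK),
    build(A, B, 40000, 80, 1001, 0, RST),
    build(A, B, 40000, 80, 1001, 5001, ACK),
    build(A, B, 40001, 80, 2000, 0, SYN),       # flow 2: normal three-way handshake
    build(B, A, 80, 40001, 6000, 2001, SYN | ACK),
    build(A, B, 40001, 80, 2001, 6001, ACK),
]
print(find_stack_resets(TRACE))
```

A hit means two TCP endpoints are answering for the same address, which matches the explanation in the message above; it is a heuristic and does not say which component sent the RST.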

