More Fun With tcpdump and Resets

Here is another handy little trick for tcpdump that will help you identify some potential network issues. Often times when there is some trouble along the line you will see reset connections. This happens for many reasons and can be an indication of everything form a network program to a crashed application that suddenly stops responding.

The trick I use to identify those rest connections is this

    tcpdump -n -v 'tcp[tcpflags] & (tcp-rst) != 0'

So, what does all of this mean? The -n says not to perform a DNS lookup to try to resolve the address. This slows things tremendously and can push a lot of traffic to your DNS servers depending on your network.

The -v tells it to use verbose mode, which gives you additional header information. The tcp[tcpflags] tells tcpdump to examine the tcp flags portion of the packet header to look for the (tcp-rst) flag and see if it is not set to 0, != 0.

It is important to note that using this expression requires the tcp[tcpflags] & (tcp-rst) != 0 to be enclosed in ‘ single quotes to prevent the shell from trying to interpret it.

This will show you all of the connections that are being reset across your network. Take what you see with a grain of salt, because not every connection that has a reset is necessarily a problem. If you are seeing unusually high levels of these or odd patterns of resets it might merit a deeper investigation.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: