Solved: Re: ASA Packet Capture Question

Hawk · ‎08-13-2018

When running a capture & viewing output directly on shell, after a tcp handshake is made I always see pushes of data & sometimes resets e.g P (push) and R (reset). Are these cisco proprietary terms? Push & Reset? I ask because when I am looking at an actual pcap capture on wireshark (lets say I capture an SSH session to a server on a DMZ), I don't see these terms used on pcaps. I only notice them on thw ASA shell captures. Are these cisco proprietary terms?

Dan Lukes · ‎08-13-2018

PUSH (PSH) is TCP attribute of same kind as RST. Just other bit of same byte of TCP header. Read here for more. Both attributes (and even others) are shown in Wireshark (PSH is so common, so it's not shown on INFO column, but is shown in packet details).

RST always mean aborted connection and should not be seen in typical stream (if seen, such connection is over).

View solution in original post

Dennis Mink · ‎08-13-2018

as far as i know, push must be a term Cisco uses, TCP RST (Reset) is something you will see in wireshark.

Please remember to rate useful posts, by clicking on the stars below.

Dan Lukes · ‎08-13-2018

PUSH (PSH) is TCP attribute of same kind as RST. Just other bit of same byte of TCP header. Read here for more. Both attributes (and even others) are shown in Wireshark (PSH is so common, so it's not shown on INFO column, but is shown in packet details).

RST always mean aborted connection and should not be seen in typical stream (if seen, such connection is over).