There's more...

Some rules of thumb are as follows:

  • If a SYN packet is answered with RST, look for a firewall that blocks the port numbers.
  • A triple SYN without any answer is caused either by an application that didn't respond or by a firewall that blocks the request on a specific port.
  • Always check whether Network Address Translation (NAT), port forwarding, or other mechanisms that play with TCP or UDP ports are in use. These mechanisms can interfere with the standard operation of TCP.
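The first two rules of thumb can be applied mechanically to packet records exported from a capture. The following is an added example, not code from the book: the packet tuples are constructed sample data, and the flag abbreviations (`S`, `SA`, `RA`, `A`) and the function name `classify_handshakes` are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample records (not a real capture):
# (time, src, sport, dst, dport, flags)
PACKETS = [
    (0.00, "10.0.0.5", 50001, "10.0.0.9", 8080, "S"),
    (0.01, "10.0.0.9", 8080, "10.0.0.5", 50001, "RA"),
    (1.00, "10.0.0.5", 50002, "10.0.0.9", 445, "S"),
    (2.00, "10.0.0.5", 50002, "10.0.0.9", 445, "S"),
    (4.00, "10.0.0.5", 50002, "10.0.0.9", 445, "S"),
    (5.00, "10.0.0.5", 50003, "10.0.0.9", 443, "S"),
    (5.01, "10.0.0.9", 443, "10.0.0.5", 50003, "SA"),
    (5.02, "10.0.0.5", 50003, "10.0.0.9", 443, "A"),
]


def classify_handshakes(packets):
    """Map each client->server 4-tuple to a handshake outcome."""
    syn_count = defaultdict(int)   # SYNs sent per connection attempt
    reply = {}                     # first server reply flags per attempt
    for _, src, sport, dst, dport, flags in sorted(packets):
        key = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if flags == "S":
            syn_count[key] += 1
        elif rev in syn_count and rev not in reply:
            reply[rev] = flags
    result = {}
    for key, count in syn_count.items():
        flags = reply.get(key)
        if flags is None:
            # Rule of thumb 2: repeated SYN, nothing came back.
            result[key] = "no-answer (x%d SYN)" % count if count >= 3 else "pending"
        elif "R" in flags:
            # Rule of thumb 1: SYN answered with RST.
            result[key] = "reset"
        elif flags == "SA":
            result[key] = "established"
        else:
            result[key] = "unexpected:" + flags
    return result


if __name__ == "__main__":
    for conn, outcome in classify_handshakes(PACKETS).items():
        print(conn, "->", outcome)
```

A `reset` or `no-answer` result tells you which destination port to check on the firewall or the server application; it does not by itself say which of the two is responsible.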

When TCP endpoints establish a new connection, the sequence number in the SYN packet starts at an arbitrary number and is incremented by 1 for every byte. For ease of analysis, Wireshark replaces the sequence number with a relative sequence number, so that the SYN packet starts with a sequence number of 0 and the numbers increment sequentially from there.

In the preceding screenshot, the sequence number is set to 0 and marked as (relative sequence number). This is not the real sequence number exchanged by the TCP endpoints. The original sequence number can be retained by disabling the Relative sequence numbers option in Protocol Preferences.

Follow these steps to disable the option:

  1. Go to Preferences
  2. Click on Protocols and then select TCP
  3. Disable relative sequence numbers