I have a wireshark recorded pcap file, I use bittwist/bittwiste (http://bittwist.sourceforge.net/doc.html) to alter MAC Addr, IP, TCP ports of source/destination in that pcap, the server under test is a c# tcplistener, client is the replayed packets of that pcap file by bittwist, but the 3 step handshake is never successful, what happens is the following:
Client >> SYN
SYN/ACK << Server
Client >> RST (with a seq number=1 but ack number is a huge number)
Instead of what should happen:
Client >> SYN
SYN/ACK << Server
Client >> ACK
It seems to me that the client decides to close the connection, but the client in my case is the replayed packets, which simply does the following in the first 2 packets:
Client >> SYN
Client >> ACK
so the question is why the third step is RST instead of ACK based on the pcap file?