Why will a TCP Server send a FIN immediately after accepting a connection?

From the ethreal packet capture, I see the following behaviour which appears quite strange to me:

Client --> Server  [SYN]
Server --> Client  [SYN, ACK]
Client --> Server  [ACK]
Server --> Client  [FIN, ACK]
Client --> Server  [ACK]
Client --> Server  [TCP Segment of a reassembled PDU] (I don't know what this means)
Server --> Client  [RST]

Any ideas as to why this could be happening?

Also, the Server Port is 6000. Could that cause any problem?

My other doubts:

1. Why is ther开发者_JAVA技巧e a FIN, ACK? Shouldn't it be only FIN? What is the meaning of the ACK in that message?
2. Shouldn't there be a FIN from Client also?

EDIT: After some more analysis, I found if the number of file descriptors have exceeded the limit then a FIN is sent by the Server. But, in this case it doesn't appear that the file descriptors have exceeded the limit. For what other scenarios can this happen?

Upon deep analysis, the following was found to be the reason of the problem:

When a Client tries TCP connect, even if the server is not currently calling accept, the connection will pass. This will happen if server has called 'listen' function and it will keep accepting the connections till backlog limit is reached.

But, if the application process exceeds the limit of max file descriptors it can use, then when server calls accept, then it realizes that there are no file descriptors available to be allocated for the socket and fails the accept call and the TCP connection sending a FIN to other side.

I just though of posting this finding here. I am still leaving the accepted answer as that of Habbie's.

Thanks to all those who answered this question.

FIN usually means the other side called shutdown(..) on the socket.

I'm guessing the connection is being accepted by inetd or a similar daemon, which then attempts to fork and exec another program to handle the connection, and that either the fork is failing (due to resource exhaustion) or the exec is failing (due to nonexistent file, permissions error, etc.).

I think the FIN was sent by calling close() instead of shutdown().

The connection is in backlog queue; after accept(), the server decides to terminate it for whatever reason(e.g. TCP wrapper ACL or out of file descriptors). In this case, a close() decreases file descriptor(FD)'s link count by 1 to 0, so FD for this connection is fully destroyed. Afterwards the client sends data to a non-existing socket from server's point of view, server has to respond a RST.

If it was a shutdown(), server can still revive data sent by client and have to wait for FIN from client to close the connection gracefully. No RST is sent back.

p.s. close() vs shutdown()

Could be TCP wrappers. If the server process was built with libwrap support, it will accept the connection, check /etc/hosts.allow and /etc/hosts.deny, and then immediately close the connection if denied by policy.

It's easy to see if the server is using libwrap:

> ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f1562d44000)

Seems like the server calls shutdown very shortly after accepting the connection.