Google
  Web www.spinics.net

Re: conntrack and ESTABLISHED / UNREPLIED connections

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 
On Wed, 9 Jul 2008, Robert L Mathews wrote:

> > Is the RST segment valid? Could you create a dump file using the '-S' flag
> > of tcpdump so that not relative but absolute sequence numbers are printed?
> 
> Sure thing; here's another one with -S:
> 
>  http://tigertech.net/20080709.tcpdump.server.txt

The end of the TCP session is as follows:

08:55:16.499702 IP 64.62.209.98.443 > 96.221.109.137.49553: P 
716440962:716440999(37) ack 2354211888 win 71 
<nop,nop,timestamp 140394633 528033351>

Server sends data still pending to the client.

08:55:16.499799 IP 64.62.209.98.443 > 96.221.109.137.49553: F 
716440999:716440999(0) ack 2354211888 win 71 
<nop,nop,timestamp 140394633 528033351>

Then the server sends a connection termination request.

08:55:16.500008 IP 96.221.109.137.49553 > 64.62.209.98.443: F 
2354211888:2354211888(0) ack 716440962 win 65535 
<nop,nop,timestamp 528033351 140394349>

Client did not receive the last two packets from the server but sends
a connection termination request too.

08:55:16.500037 IP 64.62.209.98.443 > 96.221.109.137.49553: . ack 
2354211889 win 71 <nop,nop,timestamp 140394633 528033351>

Server ACKs that it received the FIN packet from the client.

08:55:16.529487 IP 96.221.109.137.49553 > 64.62.209.98.443: R 
2354211888:2354211888(0) win 0

Client sends RST, which is out of (before) the window (left edge is at 
2354211889), thus ignored by the server.

08:55:16.740815 IP 64.62.209.98.443 > 96.221.109.137.49553: P 
716440962:716440999(37) ack 2354211889 win 71 
<nop,nop,timestamp 140394693 528033351>

Server tries to send the data still pending.

You wrote the client runs Mac OS X 10.4.11. I don't really know what's 
wrong with it but it seems as a client related issue - or an ISP between 
the client and server which tries to generate fake RST packets to tear 
down connections.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Linux Netfilter Development]     [Linux Kernel Development]     [TCP/IP Books]     [Linux Resources]     [LARTC]     [Home]     [Bugtraq]     [Consulting]     [Free Internet Dating]     [Yosemite Forum]     [Photo]

Powered by Linux