Re: "tcpflags 0x18<PUSH,ACK>; tcp_do_segment" kernel messages

From: Eygene Ryabinkin <rea-fbsd_at_codelabs.ru>
Date: Wed, 15 Aug 2007 18:56:40 +0400

Stefan, good day.

Wed, Aug 15, 2007 at 05:37:26PM +0300, Stefan Lambrev wrote:
> Now I have a tcpdump.out file and all packets are logged while this problem 
> happened.
> Here is part of the file (I hope this is enough because the file itself is 
> +150MB) :
> 
<... two connections that were closed are deleted ...>

> 16:10:13.206555 IP 192.168.13.7.60906 > 192.168.13.4.25: S 
> 219272317:219272317(0) win 65535 <mss 1460,nop,wscale 8,sackOK,timestamp 
> 108147619 0>
> 16:10:13.206789 IP 192.168.13.4.25 > 192.168.13.7.60906: S 
> 1948405606:1948405606(0) ack 219272318 win 65535 <mss 1460,nop,wscale 
> 1,nop,nop,timestamp 3042169350 108147619,sackOK,eol>
> 16:10:13.206824 IP 192.168.13.7.60906 > 192.168.13.4.25: . ack 1 win 260 
> <nop,nop,timestamp 108147620 3042169350>
> 16:10:13.208261 IP 192.168.13.4.25 > 192.168.13.7.60906: P 1:48(47) ack 1 win 
> 33304 <nop,nop,timestamp 3042169351 108147620>
> 16:10:13.208347 IP 192.168.13.7.60906 > 192.168.13.4.25: P 1:21(20) ack 48 win 
> 260 <nop,nop,timestamp 108147621 3042169351>
> 16:10:13.208690 IP 192.168.13.4.25 > 192.168.13.7.60906: P 48:74(26) ack 21 win 
> 33304 <nop,nop,timestamp 3042169352 108147621>
> 16:10:13.208715 IP 192.168.13.7.60906 > 192.168.13.4.25: P 21:27(6) ack 74 win 
> 260 <nop,nop,timestamp 108147621 3042169352>
> 16:10:13.208729 IP 192.168.13.7.60906 > 192.168.13.4.25: F 27:27(0) ack 74 win 
> 260 <nop,nop,timestamp 108147621 3042169352>
> 
> Why is the flag 'F' here? Doesn't seem normal to me :)
> 
> 16:10:13.208835 IP 192.168.13.4.25 > 192.168.13.7.60906: . ack 28 win 33301 
> <nop,nop,timestamp 3042169352 108147621>
> 16:10:13.208986 IP 192.168.13.4.25 > 192.168.13.7.60906: P 74:89(15) ack 28 win 
> 33304 <nop,nop,timestamp 3042169352 108147621>
> 16:10:13.209069 IP 192.168.13.7.60906 > 192.168.13.4.25: R 
> 219272345:219272345(0) win 0
> 16:10:13.209074 IP 192.168.13.4.25 > 192.168.13.7.60906: F 89:89(0) ack 28 win 
> 33304 <nop,nop,timestamp 3042169352 108147621>
> 16:10:13.209079 IP 192.168.13.7.60906 > 192.168.13.4.25: R 
> 219272345:219272345(0) win 0

It would be good to see the SMTP protocol trace.  If you have no sensitive
data, then add '-s 1500 -X' to tcpdump's options and show us
the output.  If you can upload the result or the raw trace for the
above-mentioned three connections, that would be good.  You can extract
the sessions using something like (for the last session)
'tcpdump -s 1500 -r dump.out -w session.out host 192.168.13.7 and port 60906'

Thank you.
-- 
Eygene
Received on Wed Aug 15 2007 - 12:56:49 UTC
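
When only the pasted text output is at hand rather than the raw capture, the same 'host ... and port ...' selection can be applied to the text itself. The following is an added example, not part of the original message; the function names are hypothetical, and the sample holds lines from the quoted trace plus one constructed packet from another client.

```python
import re

# Old-style tcpdump text line: time, "IP", src.port > dst.port:, flags, remainder.
PKT = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFPRWE.]+)(?P<rest>.*)"
)
SEQ = re.compile(r"\d+:\d+\((\d+)\)")  # first:last(payload length)

# Lines from the quoted trace, still mail-wrapped and ">"-quoted, plus one
# constructed packet from another client (192.168.13.9) to exercise the filter.
SAMPLE = """\
> 16:10:13.208715 IP 192.168.13.7.60906 > 192.168.13.4.25: P 21:27(6) ack 74 win
> 260 <nop,nop,timestamp 108147621 3042169352>
> 16:10:13.208729 IP 192.168.13.7.60906 > 192.168.13.4.25: F 27:27(0) ack 74 win
> 260 <nop,nop,timestamp 108147621 3042169352>
> 16:10:13.208800 IP 192.168.13.9.40000 > 192.168.13.4.25: . ack 1 win 260
> 16:10:13.208835 IP 192.168.13.4.25 > 192.168.13.7.60906: . ack 28 win 33301
> <nop,nop,timestamp 3042169352 108147621>
> 16:10:13.208986 IP 192.168.13.4.25 > 192.168.13.7.60906: P 74:89(15) ack 28 win
> 33304 <nop,nop,timestamp 3042169352 108147621>
> 16:10:13.209069 IP 192.168.13.7.60906 > 192.168.13.4.25: R
> 219272345:219272345(0) win 0
"""

def unwrap(text):
    """Drop quote markers and rejoin packets that the mailer wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if re.match(r"\d\d:\d\d:\d\d\.\d+ IP ", line):
            records.append(line)            # a new packet starts here
        elif line and records:
            records[-1] += " " + line       # continuation of the previous one
    return records

def session(text, host, port):
    """Text equivalent of the pcap filter 'host HOST and port PORT'."""
    out = []
    for rec in unwrap(text):
        m = PKT.match(rec)
        if not m or host not in (m["src"], m["dst"]):
            continue
        if str(port) not in (m["sport"], m["dport"]):
            continue
        seq = SEQ.search(m["rest"])
        out.append((m["time"], m["src"], m["flags"], int(seq.group(1)) if seq else 0))
    return out
```

Each returned tuple is (time, sender, flags, payload length). The unwrapping step assumes the input contains only packet lines, so commentary interleaved with the trace should be removed first.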
