Mike Silbersack wrote: > > On Fri, 23 Nov 2007, Kip Macy wrote: > > > On Nov 22, 2007 12:14 PM, Ian FREISLICH <ianf_at_clue.co.za> wrote: > >> Here's a tcpdump of seamonkey trying to retrieve the document index: > >> > >> 22:07:53.728516 IP (tos 0x0, ttl 64, id 24507, offset 0, flags [DF], proto TCP (6), length 60) 196.7.162.28.50118 > 196.7.162.30.80: S, cksum 0xdbdd (cor rect), 2746220400:2746220400(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timesta mp 16267181 0> > >> 22:07:53.731512 IP (tos 0x0, ttl 64, id 36, offset 0, flags [DF], proto TC P (6), length 60) 196.7.162.30.80 > 196.7.162.28.50118: S, cksum 0xbdba (correc t), 2416404465:2416404465(0) ack 2746220401 win 8192 <mss 1460,nop,wscale 0,nop ,nop,timestamp 2333 16267181> > >> 22:07:53.731543 IP (tos 0x0, ttl 64, id 24508, offset 0, flags [DF], proto TCP (6), length 52) 196.7.162.28.50118 > 196.7.162.30.80: ., cksum 0xe8f5 (cor rect), 1:1(0) ack 1 win 8326 <nop,nop,timestamp 16267184 2333> > >> 22:07:53.731593 IP (tos 0x0, ttl 64, id 24509, offset 0, flags [DF], proto TCP (6), length 428) 196.7.162.28.50118 > 196.7.162.30.80: P 1:377(376) ack 1 win 8326 <nop,nop,timestamp 16267184 2333> > >> 22:07:53.770545 IP (tos 0x0, ttl 64, id 37, offset 0, flags [DF], proto TC P (6), length 52) 196.7.162.30.80 > 196.7.162.28.50118: ., cksum 0xe948 (correc t), 1:1(0) ack 377 win 7867 <nop,nop,timestamp 2333 16267184> > >> 22:07:54.004963 IP (tos 0x0, ttl 64, id 38, offset 0, flags [DF], proto TC P (6), length 61) 196.7.162.30.80 > 196.7.162.28.50118: P, cksum 0xcdea (correc t), 1:10(9) ack 377 win 8192 <nop,nop,timestamp 2334 16267184> > >> 22:07:54.018027 IP (tos 0x0, ttl 64, id 39, offset 0, flags [DF], proto TC P (6), length 638) 196.7.162.30.80 > 196.7.162.28.50118: RP 10:608(598) ack 377 win 8192 [!RST+ 200 OK\015\012Server: Rapid Logic/1.] > > > > Looking at your later trace, data with the RST is a red herring. The > > only thing that stands out to me as being odd and perhaps is the > > issue, is that the window size for the SYN and the ack are > > inconsistent on FreeBSD but are consistent on OS X. I'm not sure off > > hand where the number 8326 comes from. It could be that when the SIP's > > stack is generating the ack for the GET it concludes that the window > > accounting state is incorrect. > > > > Perhaps Mike can shed some light when he gets back online. > > > > > > -Kip > > The TCP window is unscaled in the SYN phase, then shifts to being scaled > afterwards. The window we're advertising must be 8236 * 2^3 = 65888. > So, that part is ok - if the phone implements tcp window scaling properly! > > The RST + Data behavior seems very odd. Ian, have you tried using nmap -O > or any other OS identification tool to see if the phone is using a known > operating system? Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-26 06:54 SAST Interesting ports on dhcp-243.clue.co.za (10.0.0.243): Not shown: 1539 closed ports, 156 filtered ports PORT STATE SERVICE 23/tcp open telnet 80/tcp open http MAC Address: 00:09:45:54:01:1C (Palmmicro Communications) Aggressive OS guesses: HP LaserJet 1320 (95%), Konica Minolta Bizhub C450 copier with (default) Emperon Controller (94%), FreeBSD 2.2.9 (x86) (94%), Minolta MagicColor 2430 printer (94%), Netgear WPN824 RangeMax WAP (92%), HP LaserJet 4600 (JetDirect) printer (90%), RICOH Aficio 1060 copier (90%), Nortel 5520 ethernet routing switch (90%), Apple Airport Express WAP v6.3 (89%), FreeBSD 4.11 (x86) (89%) No exact OS matches for host (test conditions non-ideal). Uptime: 0.022 days (since Mon Nov 26 06:22:23 2007) Network Distance: 1 hop The phone is actually an ATCom 530P Ian -- Ian FreislichReceived on Mon Nov 26 2007 - 04:00:15 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:23 UTC