Re: TCP RST+data!

From: Ian FREISLICH <ianf_at_clue.co.za>
Date: Mon, 26 Nov 2007 06:59:57 +0200
Mike Silbersack wrote:
> 
> On Fri, 23 Nov 2007, Kip Macy wrote:
> 
> > On Nov 22, 2007 12:14 PM, Ian FREISLICH <ianf_at_clue.co.za> wrote:
> >> Here's a tcpdump of seamonkey trying to retrieve the document index:
> >>
> >> 22:07:53.728516 IP (tos 0x0, ttl 64, id 24507, offset 0, flags [DF], proto TCP (6), length 60) 196.7.162.28.50118 > 196.7.162.30.80: S, cksum 0xdbdd (correct), 2746220400:2746220400(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 16267181 0>
> >> 22:07:53.731512 IP (tos 0x0, ttl 64, id 36, offset 0, flags [DF], proto TCP (6), length 60) 196.7.162.30.80 > 196.7.162.28.50118: S, cksum 0xbdba (correct), 2416404465:2416404465(0) ack 2746220401 win 8192 <mss 1460,nop,wscale 0,nop,nop,timestamp 2333 16267181>
> >> 22:07:53.731543 IP (tos 0x0, ttl 64, id 24508, offset 0, flags [DF], proto TCP (6), length 52) 196.7.162.28.50118 > 196.7.162.30.80: ., cksum 0xe8f5 (correct), 1:1(0) ack 1 win 8326 <nop,nop,timestamp 16267184 2333>
> >> 22:07:53.731593 IP (tos 0x0, ttl 64, id 24509, offset 0, flags [DF], proto TCP (6), length 428) 196.7.162.28.50118 > 196.7.162.30.80: P 1:377(376) ack 1 win 8326 <nop,nop,timestamp 16267184 2333>
> >> 22:07:53.770545 IP (tos 0x0, ttl 64, id 37, offset 0, flags [DF], proto TCP (6), length 52) 196.7.162.30.80 > 196.7.162.28.50118: ., cksum 0xe948 (correct), 1:1(0) ack 377 win 7867 <nop,nop,timestamp 2333 16267184>
> >> 22:07:54.004963 IP (tos 0x0, ttl 64, id 38, offset 0, flags [DF], proto TCP (6), length 61) 196.7.162.30.80 > 196.7.162.28.50118: P, cksum 0xcdea (correct), 1:10(9) ack 377 win 8192 <nop,nop,timestamp 2334 16267184>
> >> 22:07:54.018027 IP (tos 0x0, ttl 64, id 39, offset 0, flags [DF], proto TCP (6), length 638) 196.7.162.30.80 > 196.7.162.28.50118: RP 10:608(598) ack 377 win 8192 [!RST+ 200 OK\015\012Server: Rapid Logic/1.]
> >
> > Looking at your later trace, data with the RST is a red herring. The
> > only thing that stands out to me as being odd and perhaps is the
> > issue, is that the window size for the SYN and the ack are
> > inconsistent on FreeBSD but are consistent on OS X. I'm not sure off
> > hand where the number 8326 comes from. It could be that when the SIP's
> > stack is generating the ack for the GET it concludes that the window
> > accounting state is incorrect.
> >
> > Perhaps Mike can shed some light when he gets back online.
> >
> >
> > -Kip
> 
> The TCP window is unscaled in the SYN phase, then shifts to being scaled 
> afterwards.  The window we're advertising must be 8236 * 2^3 = 65888. 
> So, that part is ok - if the phone implements tcp window scaling properly!
> 
> The RST + Data behavior seems very odd.  Ian, have you tried using nmap -O 
> or any other OS identification tool to see if the phone is using a known 
> operating system?

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-26 06:54 SAST
Interesting ports on dhcp-243.clue.co.za (10.0.0.243):
Not shown: 1539 closed ports, 156 filtered ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
MAC Address: 00:09:45:54:01:1C (Palmmicro Communications)
Aggressive OS guesses: HP LaserJet 1320 (95%), Konica Minolta Bizhub C450 copier with (default) Emperon Controller (94%), FreeBSD 2.2.9 (x86) (94%), Minolta MagicColor 2430 printer (94%), Netgear WPN824 RangeMax WAP (92%), HP LaserJet 4600 (JetDirect) printer (90%), RICOH Aficio 1060 copier (90%), Nortel 5520 ethernet routing switch (90%), Apple Airport Express WAP v6.3 (89%), FreeBSD 4.11 (x86) (89%)
No exact OS matches for host (test conditions non-ideal).
Uptime: 0.022 days (since Mon Nov 26 06:22:23 2007)
Network Distance: 1 hop

The phone is actually an ATCom 530P

Ian

--
Ian Freislich
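The window-scaling point Mike makes in the quoted reply (the SYN window is carried unscaled, every later window is shifted by the scale the sender announced in its own SYN) and the RST+data segment Ian captured can both be checked mechanically against the trace. The script below is an added example, not code from anyone in this thread: it re-parses the seven tcpdump lines quoted above (re-joined onto one line each, since the archive wrapped them at 80 columns), applies the RFC 1323 rule that scaling is only in effect when both SYNs carried the option, and flags any RST that carries a payload. The regular expression is written for this tcpdump 3.x output style and is an assumption; it is not a general tcpdump parser.

```python
"""Replay the tcpdump trace quoted in the thread: compute effective (scaled)
windows per RFC 1323 and flag RST segments that carry data."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the seven segments quoted in the thread, one per line.
TRACE = r"""
22:07:53.728516 IP (tos 0x0, ttl 64, id 24507, offset 0, flags [DF], proto TCP (6), length 60) 196.7.162.28.50118 > 196.7.162.30.80: S, cksum 0xdbdd (correct), 2746220400:2746220400(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 16267181 0>
22:07:53.731512 IP (tos 0x0, ttl 64, id 36, offset 0, flags [DF], proto TCP (6), length 60) 196.7.162.30.80 > 196.7.162.28.50118: S, cksum 0xbdba (correct), 2416404465:2416404465(0) ack 2746220401 win 8192 <mss 1460,nop,wscale 0,nop,nop,timestamp 2333 16267181>
22:07:53.731543 IP (tos 0x0, ttl 64, id 24508, offset 0, flags [DF], proto TCP (6), length 52) 196.7.162.28.50118 > 196.7.162.30.80: ., cksum 0xe8f5 (correct), 1:1(0) ack 1 win 8326 <nop,nop,timestamp 16267184 2333>
22:07:53.731593 IP (tos 0x0, ttl 64, id 24509, offset 0, flags [DF], proto TCP (6), length 428) 196.7.162.28.50118 > 196.7.162.30.80: P 1:377(376) ack 1 win 8326 <nop,nop,timestamp 16267184 2333>
22:07:53.770545 IP (tos 0x0, ttl 64, id 37, offset 0, flags [DF], proto TCP (6), length 52) 196.7.162.30.80 > 196.7.162.28.50118: ., cksum 0xe948 (correct), 1:1(0) ack 377 win 7867 <nop,nop,timestamp 2333 16267184>
22:07:54.004963 IP (tos 0x0, ttl 64, id 38, offset 0, flags [DF], proto TCP (6), length 61) 196.7.162.30.80 > 196.7.162.28.50118: P, cksum 0xcdea (correct), 1:10(9) ack 377 win 8192 <nop,nop,timestamp 2334 16267184>
22:07:54.018027 IP (tos 0x0, ttl 64, id 39, offset 0, flags [DF], proto TCP (6), length 638) 196.7.162.30.80 > 196.7.162.28.50118: RP 10:608(598) ack 377 win 8192 [!RST+ 200 OK\015\012Server: Rapid Logic/1.]
"""

# Matches the tcpdump 3.x line format used in the trace (assumption: not a
# general tcpdump parser). Flags may be followed by ',' and an optional cksum.
SEG_RE = re.compile(
    r"^(?P<ts>\S+) IP .*?\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"(?P<flags>[A-Z.]+),? "
    r"(?:cksum \S+ \(\w+\), )?"
    r"(?P<seq>\d+):(?P<seqend>\d+)\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?"
)


@dataclass
class Segment:
    ts: str
    src: str
    dst: str
    flags: str
    seq: int
    length: int
    ack: Optional[int]
    win: int                  # raw 16-bit window as carried on the wire
    wscale: Optional[int]     # only meaningful on SYN segments
    effective_win: int = 0    # filled in by analyze()
    rst_with_data: bool = False


def parse_segment(line: str) -> Segment:
    m = SEG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line[:60]}")
    wscale = None
    if m["opts"]:
        ws = re.search(r"wscale (\d+)", m["opts"])
        if ws:
            wscale = int(ws[1])
    return Segment(m["ts"], m["src"], m["dst"], m["flags"], int(m["seq"]),
                   int(m["len"]), int(m["ack"]) if m["ack"] else None,
                   int(m["win"]), wscale)


def analyze(lines: List[str]) -> List[Segment]:
    """Apply the RFC 1323 window-scale rules and flag RST segments with data."""
    segs = [parse_segment(l) for l in lines if l.strip()]
    # Shift count each side announced in its own SYN, keyed by sender address.
    announced: Dict[str, int] = {}
    for s in segs:
        if "S" in s.flags and s.wscale is not None:
            announced[s.src] = s.wscale
    # Scaling is in effect only if BOTH SYNs carried the option (RFC 1323 2.2).
    negotiated = len(announced) == 2
    for s in segs:
        if "S" in s.flags or not negotiated:
            s.effective_win = s.win          # SYN windows are never scaled
        else:
            s.effective_win = s.win << announced.get(s.src, 0)
        # RFC 1122 4.2.2.12 permits data in a RST; it is unusual, so flag it.
        s.rst_with_data = "R" in s.flags and s.length > 0
    return segs


if __name__ == "__main__":
    for s in analyze(TRACE.strip().splitlines()):
        note = "  <-- RST carries data" if s.rst_with_data else ""
        print(f"{s.ts} {s.src} > {s.dst} {s.flags:2} win {s.win:5}"
              f" -> effective {s.effective_win:6}{note}")
```

Run stand-alone it prints one line per segment: the FreeBSD side's post-handshake windows come out as 8326 shifted left by its announced 3, the phone's windows are unchanged because it announced wscale 0, and only the final RP segment is flagged as a RST carrying data. If the phone had omitted the wscale option entirely, `negotiated` would be false and every window would be taken at face value, which is the check to run when a peer's stack appears to misread a scaled advertisement.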
Received on Mon Nov 26 2007 - 04:00:15 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:23 UTC