Re: SV: "straggler" packets being logged

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Sat, 2018-10-06 at 21:40 +0200, Jozsef Kadlecsik wrote:
> A tcpdump
> recording 
> with the netfilter logs is required to tell what's really happened

Here's an example:

19:49:05.296910 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [S], seq 361548306, win 65535, options [mss 1220,sackOK,TS val 139507576 ecr 0,nop,wscale 6], length 0
19:49:05.308519 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [S.], seq 2647812448, ack 361548307, win 28560, options [mss 1440,sackOK,TS val 1418337744 ecr 139507576,nop,wscale 9], length 0
19:49:05.356030 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [.], ack 1, win 1144, options [nop,nop,TS val 139507596 ecr 1418337744], length 0
19:49:05.360060 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [P.], seq 1:175, ack 1, win 1144, options [nop,nop,TS val 139507597 ecr 1418337744], length 174
19:49:05.370627 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [.], ack 175, win 58, options [nop,nop,TS val 1418337760 ecr 139507597], length 0
19:49:05.372296 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [.], seq 1:1209, ack 175, win 58, options [nop,nop,TS val 1418337760 ecr 139507597], length 1208
19:49:05.372991 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [.], seq 1209:2417, ack 175, win 58, options [nop,nop,TS val 1418337760 ecr 139507597], length 1208
19:49:05.373246 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [.], seq 2417:3625, ack 175, win 58, options [nop,nop,TS val 1418337760 ecr 139507597], length 1208
19:49:05.373462 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [.], seq 3625:4833, ack 175, win 58, options [nop,nop,TS val 1418337760 ecr 139507597], length 1208
19:49:05.373676 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 4833:4981, ack 175, win 58, options [nop,nop,TS val 1418337760 ecr 139507597], length 148
19:49:05.374960 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [.], ack 1209, win 1182, options [nop,nop,TS val 139507601 ecr 1418337760], length 0
19:49:05.375152 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [.], ack 2417, win 1220, options [nop,nop,TS val 139507601 ecr 1418337760], length 0
19:49:05.375360 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [.], ack 3625, win 1257, options [nop,nop,TS val 139507601 ecr 1418337760], length 0
19:49:05.375552 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [.], ack 4833, win 1295, options [nop,nop,TS val 139507601 ecr 1418337760], length 0
19:49:05.376588 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [.], ack 4981, win 1333, options [nop,nop,TS val 139507601 ecr 1418337760], length 0
19:49:05.427537 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [P.], seq 175:301, ack 4981, win 1333, options [nop,nop,TS val 139507614 ecr 1418337760], length 126
19:49:05.438224 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 4981:5239, ack 301, win 58, options [nop,nop,TS val 1418337777 ecr 139507614], length 258
19:49:05.439524 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [.], ack 5239, win 1371, options [nop,nop,TS val 139507617 ecr 1418337777], length 0
19:49:05.443307 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [P.], seq 301:354, ack 5239, win 1371, options [nop,nop,TS val 139507618 ecr 1418337777], length 53
19:49:05.455903 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 5239:5296, ack 354, win 58, options [nop,nop,TS val 1418337781 ecr 139507618], length 57
19:49:05.457385 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [P.], seq 354:600, ack 5296, win 1371, options [nop,nop,TS val 139507621 ecr 1418337781], length 246
19:49:05.468648 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 5296:5334, ack 600, win 60, options [nop,nop,TS val 1418337784 ecr 139507621], length 38
19:49:05.469123 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 5334:5949, ack 600, win 60, options [nop,nop,TS val 1418337784 ecr 139507621], length 615
19:49:05.470104 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [P.], seq 600:638, ack 5334, win 1371, options [nop,nop,TS val 139507625 ecr 1418337784], length 38
19:49:05.509583 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [.], ack 5949, win 1408, options [nop,nop,TS val 139507635 ecr 1418337784], length 0
19:49:05.519791 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [.], ack 638, win 60, options [nop,nop,TS val 1418337797 ecr 139507625], length 0
19:49:05.665879 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [P.], seq 638:923, ack 5949, win 1408, options [nop,nop,TS val 139507674 ecr 1418337797], length 285
19:49:05.676732 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 5949:6192, ack 923, win 63, options [nop,nop,TS val 1418337836 ecr 139507674], length 243
19:49:05.677980 IP6 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172 > 2a04:4e42:1e::323.https: Flags [.], ack 6192, win 1446, options [nop,nop,TS val 139507677 ecr 1418337836], length 0
19:59:05.676219 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 6192:6250, ack 923, win 63, options [nop,nop,TS val 1418487836 ecr 139507677], length 58
19:59:05.676553 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 6250:6281, ack 923, win 63, options [nop,nop,TS val 1418487836 ecr 139507677], length 31
19:59:05.676712 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [F.], seq 6281, ack 923, win 63, options [nop,nop,TS val 1418487836 ecr 139507677], length 0
19:59:05.742295 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [F.], seq 6281, ack 923, win 63, options [nop,nop,TS val 1418487853 ecr 139507677], length 0
19:59:05.978059 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 6192:6250, ack 923, win 63, options [nop,nop,TS val 1418487912 ecr 139507677], length 58
19:59:06.457970 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 6192:6250, ack 923, win 63, options [nop,nop,TS val 1418488032 ecr 139507677], length 58
19:59:07.418091 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 6192:6250, ack 923, win 63, options [nop,nop,TS val 1418488272 ecr 139507677], length 58
19:59:09.306023 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 6192:6250, ack 923, win 63, options [nop,nop,TS val 1418488744 ecr 139507677], length 58
19:59:13.241971 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 6192:6250, ack 923, win 63, options [nop,nop,TS val 1418489728 ecr 139507677], length 58
19:59:20.921996 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 6192:6250, ack 923, win 63, options [nop,nop,TS val 1418491648 ecr 139507677], length 58
19:59:36.026013 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 6192:6250, ack 923, win 63, options [nop,nop,TS val 1418495424 ecr 139507677], length 58
20:00:07.001961 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 6192:6250, ack 923, win 63, options [nop,nop,TS val 1418503168 ecr 139507677], length 58
20:01:08.442170 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 6192:6250, ack 923, win 63, options [nop,nop,TS val 1418518528 ecr 139507677], length 58
20:03:09.273993 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 6192:6250, ack 923, win 63, options [nop,nop,TS val 1418548736 ecr 139507677], length 58
20:05:10.106022 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 6192:6250, ack 923, win 63, options [nop,nop,TS val 1418578944 ecr 139507677], length 58
20:07:10.938037 IP6 2a04:4e42:1e::323.https > 2001:abcd:1234:9876:80ff:7163:ca19:ad06.52172: Flags [P.], seq 6192:6250, ack 923, win 63, options [nop,nop,TS val 1418609152 ecr 139507677], length 58

with the following netfilter log entries:

Oct  8 20:03:09 gw kernel: [1478139.220900] Shorewall:net2loc:DROP:IN=eth0.2 OUT=br-lan MAC=6c:b0:ce:f5:1e:4b:00:c1:b1:60:a4:19:86:dd:60:08:01:ae SRC=2a04:4e42:001e:0000:0000:0000:0000:0323 DST=2001:abcd:1234:9876:80ff:7163:ca19:ad06 LEN=130 TC=0 HOPLIMIT=60 FLOWLBL=524718 PROTO=TCP SPT=443 DPT=52172 WINDOW=63 RES=0x00 ACK PSH URGP=0 
Oct  8 20:05:10 gw kernel: [1478260.051342] Shorewall:net2loc:DROP:IN=eth0.2 OUT=br-lan MAC=6c:b0:ce:f5:1e:4b:00:c1:b1:60:a4:19:86:dd:60:07:6b:6d SRC=2a04:4e42:001e:0000:0000:0000:0000:0323 DST=2001:abcd:1234:9876:80ff:7163:ca19:ad06 LEN=130 TC=0 HOPLIMIT=60 FLOWLBL=486253 PROTO=TCP SPT=443 DPT=52172 WINDOW=63 RES=0x00 ACK PSH URGP=0 
Oct  8 20:07:10 gw kernel: [1478380.881750] Shorewall:net2loc:DROP:IN=eth0.2 OUT=br-lan MAC=6c:b0:ce:f5:1e:4b:00:c1:b1:60:a4:19:86:dd:60:05:cf:c5 SRC=2a04:4e42:001e:0000:0000:0000:0000:0323 DST=2001:abcd:1234:9876:80ff:7163:ca19:ad06 LEN=130 TC=0 HOPLIMIT=60 FLOWLBL=380869 PROTO=TCP SPT=443 DPT=52172 WINDOW=63 RES=0x00 ACK PSH URGP=0 

Most noteworthy thing is that the host that initiated the TCP session
didn't send a FIN packet to complete the close.  Or at least it didn't
make it to the "outgoing" interface of the iptables router, where the
tcpdump above was done.  But it was while waiting for that final FIN,
that iptables logged some of the TCP re-transmissions from the
shutdown-initiator.  Shouldn't conntrack be keeping the session open
during that window (i.e. at least until ~20:07:11) so that all of those
re-transmissions make it to the receiving host?

Cheers,
b.

Attachment: signature.asc
Description: This is a digitally signed message part

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux