Jesse Guardiani wrote:

> Henrik Nordstrom wrote:
>
>> On Wed, 23 Feb 2005, Jesse Guardiani wrote:
>>
>>> tcpdump 'not ( host shannon and port 22 ) and not host 192.168.1.193 and
>>> not port syslog and not port domain and not snmp and not port 3632'
>>>
>>> And here's the only thing I could find that looked relevant:
>>>
>>> 04:22:30.959889 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
>>> 04:22:30.961323 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
>>> 04:22:32.791481 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
>>> 04:22:35.790420 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
>>> 04:22:40.954870 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
>>> 04:22:40.956378 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
>>> 04:22:41.790316 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
>>> 04:22:51.932636 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
>>> 04:22:51.934544 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
>>>
>>> 192.168.10.1 is my Cisco router's LAN address.
>>> Does the above mean anything to anyone?
>>
>> Yes.
>>
>> The UDP packets are the WCCP control channel
>>
>> The gre 0x883e is the WCCP redirected packets.
>>
>> You may need "-i any" argument to tcpdump to see the complete picture
>> however.
>
> OK. New tcpdump run with "-i any" and some additional port and proto
> expressions to filter out the noise:
>
> tcpdump -i any 'not ( host shannon and port 22) and not host 192.168.1.193
> and not port syslog and not port domain and not snmp and not port 3632 and
> not port ssh and not arp'
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
>
> 21:55:26.259380 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
> 21:55:26.260373 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
> 21:55:29.473457 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
> 21:55:29.473457 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418917766 0,nop,wscale 2>
> 21:55:32.473612 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
> 21:55:32.473612 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418920766 0,nop,wscale 2>
> 21:55:36.844127 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
> 21:55:36.845296 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
> 21:55:38.472288 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
> 21:55:38.472288 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418926766 0,nop,wscale 2>
> 21:55:47.136074 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
> 21:55:47.136921 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
> 21:55:50.470033 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
> 21:55:50.470033 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418938766 0,nop,wscale 2>
> 21:55:57.568999 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
> 21:55:57.569869 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
>
> 16 packets captured
> 26 packets received by filter
> 0 packets dropped by kernel
> [21:55]jesse@rhea:[/home/jesse]#
>
> Judging from the ".www" lines, it looks to me like squid is attempting
> to contact the remote www server, but is being intercepted and
> looped back to itself by the Cisco. Is that an accurate assessment?

I don't think it is anymore. It seems like the packets are just
disappearing after they hit my iptables rule. I tried placing OUTPUT
and POSTROUTING LOG rules around the NAT table, and their hit counters
increment if I hit the cache directly from a web browser, but if I hit
it transparently the packet just disappears after the REDIRECT to port
3128.

Does anyone have squid 2.5-STABLE7 working with WCCP and linux 2.6.10?

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
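
An added example, not part of the original thread: a Python sketch that sorts tcpdump lines like those quoted above into WCCP control traffic (UDP port 2048), WCCP GRE redirects (gre-proto-0x883e) and plain TCP SYNs, then reports any SYN repeated with the same sequence number while nothing is seen in the reverse direction. The sample lines are copied from the capture above with the TCP options trimmed; the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the capture quoted above (TCP options trimmed for width).
SAMPLE = """\
21:55:26.259380 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
21:55:26.260373 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
21:55:29.473457 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
21:55:29.473457 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840
21:55:32.473612 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
21:55:32.473612 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840
21:55:38.472288 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
21:55:38.472288 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840
"""

LINE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")   # time, src, dst, decode
SYN = re.compile(r"^S (\d+):\d+\(0\)")                  # old-style tcpdump SYN

def classify(rest, src, dst):
    """Label one decoded packet using the roles described in the thread."""
    if rest.startswith("gre-proto-0x883e"):
        return "wccp-gre"        # redirected traffic, GRE-encapsulated
    if rest.startswith("UDP") and src.endswith(".2048") and dst.endswith(".2048"):
        return "wccp-control"    # WCCP control channel on UDP 2048
    if SYN.match(rest) and " ack " not in rest:
        return "syn"             # connection attempt, not a SYN-ACK
    return "other"

def analyse(capture):
    """Return (packet counts by kind, SYNs retransmitted with no reverse traffic)."""
    counts, syns, pairs = Counter(), defaultdict(list), set()
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue             # skip banners and summary lines
        ts, src, dst, rest = m.groups()
        kind = classify(rest, src, dst)
        counts[kind] += 1
        pairs.add((src, dst))
        if kind == "syn":
            syns[(src, dst, SYN.match(rest).group(1))].append(ts)
    # Same sequence number more than once and nothing from dst back to src.
    stuck = {k: v for k, v in syns.items()
             if len(v) > 1 and (k[1], k[0]) not in pairs}
    return counts, stuck

if __name__ == "__main__":
    counts, stuck = analyse(SAMPLE)
    print(dict(counts))
    for (src, dst, seq), times in stuck.items():
        print(f"SYN {src} > {dst} seq {seq} sent {len(times)}x, no reply: {times}")
```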