Re: mystery traffic

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Alan Lehman wrote:
> While diagnosing an unrelated network problem, I ran tcpdump on my Squid
> (2.5-STABLE3) box. I found the following pattern repeating several times
> per second. I don't know how long this has been going on, but at least
> several days. If I kill Squid, it stops.
>
> x.x.x.99 = DMZ network port on Squid system 
> x.x.x.20 = Web server (IIS) on my DMZ
>
> 08:02:14.092144 x.x.x.20.https > x.x.x.99.42362: P 1759:1805(46) ack
> 1797 win 64233 <nop,nop,timestamp 663266 2095770651> (DF)
> 08:02:14.092186 x.x.x.99.42362 > x.x.x.20.https: . ack 1805 win 63712
> <nop,nop,timestamp 2095770651 663266> (DF)
> 08:02:14.092351 x.x.x.20.https > x.x.x.99.42359: P 850:896(46) ack 795
> win 64233 <nop,nop,timestamp 663266 2095770651> (DF)
> 08:02:14.092376 x.x.x.99.42359 > x.x.x.20.https: . ack 896 win 63712
> <nop,nop,timestamp 2095770651 663266> (DF)
> 08:02:14.259571 x.x.x.99.42362 > x.x.x.20.https: P 1797:2005(208) ack
> 1805 win 63712 <nop,nop,timestamp 2095770668 663266> (DF)
> 08:02:14.259862 x.x.x.99.42359 > x.x.x.20.https: P 795:1017(222) ack 896
> win 63712 <nop,nop,timestamp 2095770668 663266> (DF)
> 08:02:14.260994 x.x.x.20.https > x.x.x.99.42362: P 1805:2220(415) ack
> 2005 win 65535 <nop,nop,timestamp 663269 2095770668> (DF)
> 08:02:14.261031 x.x.x.99.42362 > x.x.x.20.https: . ack 2220 win 63712
> <nop,nop,timestamp 2095770668 663269> (DF)
> 08:02:14.450432 x.x.x.20.https > x.x.x.99.42359: . ack 1017 win 65535
> <nop,nop,timestamp 663271 2095770668> (DF)
> 08:02:14.450868 x.x.x.20.https > x.x.x.99.42359: P 896:1298(402) ack
> 1017 win 65535 <nop,nop,timestamp 663271 2095770668> (DF)
> 08:02:14.450890 x.x.x.99.42359 > x.x.x.20.https: . ack 1298 win 63712
> <nop,nop,timestamp 2095770687 663271> (DF)
> 08:02:14.581353 x.x.x.99.42362 > x.x.x.20.https: P 2005:2291(286) ack
> 2220 win 63712 <nop,nop,timestamp 2095770700 663269> (DF)
> 08:02:14.581737 x.x.x.20.https > x.x.x.99.42362: P 2220:2266(46) ack
> 2291 win 65249 <nop,nop,timestamp 663272 2095770700> (DF)
> 08:02:14.581778 x.x.x.99.42362 > x.x.x.20.https: . ack 2266 win 63712
> <nop,nop,timestamp 2095770700 663272> (DF)
> 08:02:14.755502 x.x.x.99.42362 > x.x.x.20.https: P 2291:2513(222) ack
> 2266 win 63712 <nop,nop,timestamp 2095770717 663272> (DF)
> 08:02:14.755917 x.x.x.99.42359 > x.x.x.20.https: P 1017:1303(286) ack
> 1298 win 63712 <nop,nop,timestamp 2095770718 663271> (DF)
> 08:02:14.756272 x.x.x.20.https > x.x.x.99.42359: P 1298:1344(46) ack
> 1303 win 65249 <nop,nop,timestamp 663273 2095770718> (DF)
> 08:02:14.756315 x.x.x.99.42359 > x.x.x.20.https: . ack 1344 win 63712
> <nop,nop,timestamp 2095770718 663273> (DF)
> 08:02:14.887740 x.x.x.20.https > x.x.x.99.42362: . ack 2513 win 65027
> <nop,nop,timestamp 663275 2095770717> (DF)
>
> I have the following in squid.conf:
> acl Local dst x.x.x.0/24
> no_cache deny Local

All that does is stop squid caching/storing things locally. Traffic 
through squid is not affected. For that you need http_access.

> It appears Squid is trying to access something on the web server, but I
> don't know why. There is only very occasional traffic in access.log for
> x.x.x.20. Any ideas would be most appreciated.
>
> Alan Lehman

2.5 is so ancient not many of us are familiar with it.

Amos
--
Please use Squid 2.6.STABLE20 or 3.0.STABLE5