LinuxQuestions.org

furbear1 01-11-2012 03:07 PM

TCPDUMP showing unknown address in capture
 
Howdy folks, bit of a newbie here...actually used to do Jr. Unix Admin(Solaris)/Network Engineer kind of stuff in the late 90's so I know enough to get myself into trouble but not always enough to get myself out of it.

I'm not able to see my Zend-installed Apache2 server from anywhere on the local LAN except localhost. When I run a TCPDUMP and access 'localhost' from the local browser, I get a conversation with 174.35.40.3 that traces through CDNetworks/Los Angeles with an unresolved IP address. There is no similar conversation with other hosts on the local LAN in TCPDUMP traces. No problem getting to the index page of my server but I'm a bit suspicious about what the conversation with the strange IP address is. BTW, I did disable avahi-daemon as it's not really necessary but I'm not sure if it's related.

By way of example:

12:38:14.477100 IP (tos 0x0, ttl 64, id 46176, offset 0, flags [DF], proto TCP (6), length 60)
Elvis.marknet.net.51725 > 174.35.40.3.http: Flags [S], cksum 0x7bc6 (correct), seq 1270028126, win 5840, options [mss 1460,sackOK,TS val 76587838 ecr 0,nop,wscale 7], length 0
12:38:14.523670 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60)
174.35.40.3.http > Elvis.marknet.net.51725: Flags [S.], cksum 0x9435 (correct), seq 3781842156, ack 1270028127, win 64784, options [mss 1452,sackOK,TS val 33474801 ecr 76587838,nop,wscale 7], length 0

Any clues would be much appreciated. Thanks!

mmrtnt 01-11-2012 05:29 PM

I looked at that IP address with a browser and got a login page.

Does your index.html have a username/password block on it?

unSpawn 01-11-2012 06:09 PM

Quote:

Originally Posted by furbear1 (Post 4572193)
When I (..) access 'localhost' from the local browser, I get a conversation with (..) an unresolved IP address.

If your 'lft localhost' or 'tcptraceroute localhost' leave your LAN then that sounds like local DNS misconfiguration to me.

furbear1 01-11-2012 09:11 PM

@mmrtnt - I've got no idea where that login screen comes from. The traceroute ended up at CD Network with a level3.net Los Angeles network IP resolution.

[root@Elvis logs]# traceroute 174.35.3.6
traceroute to 174.35.3.6 (174.35.3.6), 30 hops max, 60 byte packets
....
12 ae-2-70.edge2.LosAngeles9.Level3.net (4.69.144.79) 58.555 ms ae-1-60.edge2.LosAngeles9.Level3.net (4.69.144.15) 59.767 ms ae-2-70.edge2.LosAngeles9.Level3.net (4.69.144.79) 61.702 ms
13 CDNETWORKS.edge2.LosAngeles9.Level3.net (4.53.230.6) 63.673 ms 65.102 ms 66.619 ms
14 174.35.3.6 (174.35.3.6) 68.322 ms 70.270 ms 71.794 ms

As I mentioned, I still get the index.html page that is on my server. Maybe as unSpawn says, it's a DNS problem. Checking.....

furbear1 01-12-2012 02:08 PM

OK, this is my take on what's going on. The index.html page for the server is a splash page for Zend PHP Server with link graphics rather than local graphics. Soooo....when the page loads, it makes a call to a server where the graphic resides. So even though the page is on my server, not all of what's displayed is on my server. I don't have the same issue when I use my own generic index page. I learn something every day...
Thanks.
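
The cause identified in the last post can be confirmed without a packet capture by listing the remote hosts that a page's markup tells the browser to fetch from on load. This is an added example, not part of the original thread; the sample page and the hostnames static.example.net and docs.example.org are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs a browser fetches without any user action.
AUTO_FETCH = {("img", "src"), ("script", "src"), ("iframe", "src"),
              ("embed", "src"), ("source", "src"), ("video", "poster")}
FETCHED_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that trigger a fetch

class ResourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if attrs.get("href") and rels & FETCHED_RELS:
                self.urls.append(urljoin(self.base_url, attrs["href"]))
            return
        for name, value in attrs.items():
            if value and (tag, name) in AUTO_FETCH:
                # urljoin resolves relative and protocol-relative (//host/x) URLs
                self.urls.append(urljoin(self.base_url, value))

def external_hosts(html, base_url):
    """Map each remote host to the auto-fetched URLs it serves for this page."""
    own_host = urlsplit(base_url).hostname
    collector = ResourceCollector(base_url)
    collector.feed(html)
    found = {}
    for url in collector.urls:
        host = urlsplit(url).hostname  # None for data: URIs
        if host and host != own_host:
            found.setdefault(host, []).append(url)
    return found

# Constructed sample: a locally served splash page that links remote graphics.
SAMPLE_PAGE = """<html><head>
<link rel="icon" href="//static.example.net/favicon.ico">
</head><body>
<img src="http://static.example.net/images/logo.png">
<img src="images/local-banner.png">
<a href="http://docs.example.org/manual">Manual link, not fetched on load</a>
</body></html>"""

if __name__ == "__main__":
    for host, urls in external_hosts(SAMPLE_PAGE, "http://localhost/").items():
        print(host, *urls, sep="\n  ")
```

Resolving each reported host and comparing the addresses with the peers in the tcpdump output shows whether the page's own markup accounts for the outbound traffic.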


All times are GMT -5.