LinuxQuestions.org - Linux - Server - tcpdump interpretation
(https://www.linuxquestions.org/questions/linux-server-73/tcpdump-interpretation-876329/)

mcburton3 04-21-2011 08:01 AM

tcpdump interpretation
 
Hello all,

I am trying to access CVS on a home-based Linux server over port 2401 through a firewall, but it is not working. CVS works fine if I am on my LAN, however, so I know it is not CVS. I have opened port 2401 on the firewall and used tcpdump to capture traffic and it appears the CVS protocol is tunneling okay, but it seems to go awry when my server sends some sort of message to the Internet provider DNS system (which it doesn't do when I connect from my LAN). I can't tell what the problem is other than my server resets the connection. Below are two tcpdump traces of the problem.

Do any of you know how to interpret this and understand what is going on here or have an idea of how to interpret it (other tools) for the messages in blue below? The connection reset is in red. It appears that my server is doing some sort of ARP lookup but they are TCP messages, so I am really confused. I read that Wireshark can help but I can't seem to find a version that is an easy install on my RedHat ES4 server, and tcpdump -w <filename> is not writing any data to the file (which appears to be a common issue).

Any help you can provide is greatly appreciated. Thanks!


In these traces, 192.168.15.110 is the subnet address of my server on the LAN. 68.105.28.11 (first trace) and 68.97.134.35 (2nd trace) are the remote hosts trying to connect.

1st tcpdump Trace:
23:09:06.027569 IP 68.97.134.35.2061 > 192.168.15.110.2401: S 2372848851:2372848851(0) win 64512 <mss 1460,nop,nop,sackOK>
23:09:06.027708 IP 192.168.15.110.2401 > 68.97.134.35.2061: S 2920228069:2920228069(0) ack 2372848852 win 5840 <mss 1460,nop,nop,sackOK>
23:09:06.051615 IP 68.97.134.35.2061 > 192.168.15.110.2401: . ack 1 win 64512
23:09:06.051741 IP 68.97.134.35.2061 > 192.168.15.110.2401: P 1:65(64) ack 1 win 64512
23:09:06.051762 IP 192.168.15.110.2401 > 68.97.134.35.2061: . ack 65 win 5840
23:09:06.053010 IP 192.168.15.110.32809 > 68.105.28.11.53: 19175+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:09:06.065856 IP 68.105.28.11.53 > 192.168.15.110.32809: 19175 1/3/3 (194)
23:09:06.066122 IP 192.168.15.110.32809 > 68.105.28.11.53: 61137+ A? ip68-97-134-35.ok.ok.cox.net. (46)
23:09:06.075599 IP 68.105.28.11.53 > 192.168.15.110.32809: 61137 1/3/3 (171)
23:09:06.075750 IP 192.168.15.110.32809 > 68.105.28.11.53: 29707+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:09:06.085466 IP 68.105.28.11.53 > 192.168.15.110.32809: 29707 1/3/3 (194)

23:09:06.085900 IP 192.168.15.110.2401 > 68.97.134.35.2061: R 1:1(0) ack 65 win 5840


2nd tcpdump trace:
23:41:55.565349 IP ip68-97-134-35.ok.ok.cox.net.2486 > 192.168.15.110.cvspserver: S 3266663381:3266663381(0) win 64512 <mss 1460,nop,nop,sackOK>
23:41:55.641813 IP 192.168.15.110.cvspserver > ip68-97-134-35.ok.ok.cox.net.2486: S 709945735:709945735(0) ack 3266663382 win 5840 <mss 1460,nop,nop,sackOK>
23:41:55.565987 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 9606+ PTR? 110.15.168.192.in-addr.arpa. (45)
23:41:55.631615 IP cdns1.cox.net.domain > 192.168.15.110.32811: 9606 NXDomain 0/1/0 (122)
23:41:55.631754 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 2291+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:41:55.641733 IP cdns1.cox.net.domain > 192.168.15.110.32811: 2291 1/3/3 (194)
23:41:55.641945 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 47545+ PTR? 11.28.105.68.in-addr.arpa. (43)
23:41:55.651228 IP cdns1.cox.net.domain > 192.168.15.110.32811: 47545 1/3/3 (179)

23:41:55.673713 IP ip68-97-134-35.ok.ok.cox.net.2486 > 192.168.15.110.cvspserver: . ack 1 win 64512
23:41:55.673962 IP ip68-97-134-35.ok.ok.cox.net.2486 > 192.168.15.110.cvspserver: P 1:65(64) ack 1 win 64512
23:41:55.673983 IP 192.168.15.110.cvspserver > ip68-97-134-35.ok.ok.cox.net.2486: . ack 65 win 5840
23:41:55.675066 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 52806+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:41:55.683330 IP cdns1.cox.net.domain > 192.168.15.110.32811: 52806 1/3/3 (194)
23:41:55.683581 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 46756+ A? ip68-97-134-35.ok.ok.cox.net. (46)
23:41:55.694197 IP cdns1.cox.net.domain > 192.168.15.110.32811: 46756 1/3/3 (171)
23:41:55.694353 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 28342+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:41:55.703315 IP cdns1.cox.net.domain > 192.168.15.110.32811: 28342 1/3/3 (194)

23:41:55.703749 IP 192.168.15.110.cvspserver > ip68-97-134-35.ok.ok.cox.net.2486: R 1:1(0) ack 65 win 5840
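
The queries in these traces are not ARP: in-addr.arpa is the reverse-DNS zone, and the lines are PTR (address-to-name) questions that the server itself sends to the ISP resolver right after the client's first 64 bytes of CVS data, followed by an A lookup of the name it got back, a second PTR lookup, and only then the RST. That reverse-then-forward check is how TCP wrappers (libwrap, which xinetd-started services on Red Hat go through) identifies a peer before applying /etc/hosts.allow and /etc/hosts.deny, which fits the hosts.allow fix reported further down the thread. The script below is an added example, not code from the original post: it parses tcpdump's text output, reconstructs the TCP flow, attributes the server's DNS questions to it and reports how long after the client's data the server reset the connection. It assumes the classic one-line-per-packet format shown above and a capture taken with -n; the second trace was captured without -n, so tcpdump's own PTR lookups for 192.168.15.110 and for the resolver appear in it and the SYN-ACK is printed out of timestamp order, which is why the numeric first trace is the one embedded here. The "an A query straight after a recorded PTR counts as forward confirmation" rule and the verdict strings are this example's own heuristics.

```python
"""Reconstruct TCP flows and the server's own DNS lookups from tcpdump text output.
Added example for this thread, not code from the original posts. The sample at the bottom is the
first capture from the question, embedded as constructed test input (one line per packet, numeric
addresses, i.e. captured with -n).
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
DNS_QUERY_RE = re.compile(r"^\d+\+? (?P<qtype>PTR|A|AAAA)\? (?P<name>\S+)")  # "19175+ PTR? 35.134.97.68.in-addr.arpa. (43)"
TCP_RE = re.compile(r"^(?P<flags>[SRPFW.]+)(?: \d+:\d+\((?P<len>\d+)\))?")   # "P 1:65(64) ack 1 win 64512"

def ptr_to_ip(name):
    """'35.134.97.68.in-addr.arpa.' -> '68.97.134.35'; None for names that are not reverse lookups."""
    name = name.rstrip(".")
    if not name.endswith(".in-addr.arpa"):
        return None
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))

@dataclass
class Flow:
    client: str
    client_port: str
    server: str
    server_port: str
    client_bytes: int = 0
    lookups: list = field(default_factory=list)  # DNS questions the server asked about this client
    data_ts: "str | None" = None                 # timestamp of the client's first payload
    reset_ts: "str | None" = None                # timestamp of the RST sent by the server

    def reset_delay_ms(self):
        """Milliseconds from the client's first data to the server's RST, None if either is missing."""
        if self.data_ts is None or self.reset_ts is None:
            return None
        fmt = "%H:%M:%S.%f"
        return (datetime.strptime(self.reset_ts, fmt) - datetime.strptime(self.data_ts, fmt)).total_seconds() * 1000

def analyze(trace):
    """Return the TCP flows in the trace, in SYN order, with the server's lookups and RST attributed."""
    flows = {}
    for raw in trace.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        (src, sport), (dst, dport) = m["src"].rsplit(".", 1), m["dst"].rsplit(".", 1)
        rest = m["rest"]
        q = DNS_QUERY_RE.match(rest)
        if q and dport in ("53", "domain"):
            for f in flows.values():
                # reverse query for the client's address, or forward query for its name (captures without -n)
                about_client = ptr_to_ip(q["name"]) == f.client or q["name"].rstrip(".") == f.client
                # heuristic: an A query straight after a recorded PTR is the forward-confirmation step
                confirms = q["qtype"] == "A" and bool(f.lookups) and f.lookups[-1].startswith("PTR ")
                if f.server == src and f.reset_ts is None and (about_client or confirms):
                    f.lookups.append(f"{q['qtype']} {q['name']}")
            continue
        t = TCP_RE.match(rest)
        if not t:
            continue  # DNS replies and anything else not modelled here
        flags, plen = t["flags"], int(t["len"] or 0)
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        if key not in flows and rkey not in flows:
            if "S" in flags and " ack " not in rest:  # a bare SYN opens a flow; the SYN-ACK carries " ack "
                flows[key] = Flow(src, sport, dst, dport)
            continue
        f = flows[key] if key in flows else flows[rkey]
        if key in flows:                              # client -> server
            if plen and f.data_ts is None:
                f.data_ts = m["ts"]
            f.client_bytes += plen
        elif "R" in flags and f.reset_ts is None:     # server -> client
            f.reset_ts = m["ts"]
    return list(flows.values())

def verdict(flow):
    if flow.reset_ts is None:
        return "not reset by server"
    # lookups followed by RST is the TCP-wrappers / hosts.allow pattern: identify the peer, then drop it
    return "denied after client lookup" if flow.lookups else "reset without client lookup"

# Constructed sample: the first trace posted in the question.
TRACE1 = """
23:09:06.027569 IP 68.97.134.35.2061 > 192.168.15.110.2401: S 2372848851:2372848851(0) win 64512 <mss 1460,nop,nop,sackOK>
23:09:06.027708 IP 192.168.15.110.2401 > 68.97.134.35.2061: S 2920228069:2920228069(0) ack 2372848852 win 5840 <mss 1460,nop,nop,sackOK>
23:09:06.051615 IP 68.97.134.35.2061 > 192.168.15.110.2401: . ack 1 win 64512
23:09:06.051741 IP 68.97.134.35.2061 > 192.168.15.110.2401: P 1:65(64) ack 1 win 64512
23:09:06.051762 IP 192.168.15.110.2401 > 68.97.134.35.2061: . ack 65 win 5840
23:09:06.053010 IP 192.168.15.110.32809 > 68.105.28.11.53: 19175+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:09:06.065856 IP 68.105.28.11.53 > 192.168.15.110.32809: 19175 1/3/3 (194)
23:09:06.066122 IP 192.168.15.110.32809 > 68.105.28.11.53: 61137+ A? ip68-97-134-35.ok.ok.cox.net. (46)
23:09:06.075599 IP 68.105.28.11.53 > 192.168.15.110.32809: 61137 1/3/3 (171)
23:09:06.075750 IP 192.168.15.110.32809 > 68.105.28.11.53: 29707+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:09:06.085466 IP 68.105.28.11.53 > 192.168.15.110.32809: 29707 1/3/3 (194)
23:09:06.085900 IP 192.168.15.110.2401 > 68.97.134.35.2061: R 1:1(0) ack 65 win 5840
"""

if __name__ == "__main__":
    for f in analyze(TRACE1):
        print(f"{f.client}:{f.client_port} -> port {f.server_port}: {f.client_bytes} bytes from client, "
              f"lookups={f.lookups}, {verdict(f)}, RST {f.reset_delay_ms()} ms after first data")
```

Run against the first trace it reports one flow, 64 bytes from the client, the PTR, A, PTR sequence, and a reset about 34 ms after the client's data: the time the server spent talking to the resolver. A server that resets immediately after the SYN or without any lookup of the peer points at a different cause (nothing listening, or the service itself failing), so the two cases are kept apart in the verdict.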

ButterflyMelissa 04-21-2011 10:13 AM

For all I know, ARP does an occasional refresh to clean up the cache. It does this by sending a broadcast to the hosts. Happens all the time over here...
What you can see is a "who has" request. One host sends that request with an IP address and a "tell" in it, something like (if memory serves)

Quote:

who has 192.168.1.2 tell 192.168.1.1
That makes traffic. That you can see in the dump...

I guess that's it...try it! Enter this in the console

Quote:

tcpdump -ennqti eth0 \( arp or icmp \)
and read...

Wellness to ya! :)

Thor

mcburton3 04-23-2011 02:00 AM

Problem solved. Added "cvs:ALL" to /etc/hosts.allow.
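
A caveat on that fix, with an added example that is neither the poster's code nor tcp_wrappers' own: "cvs: ALL" in /etc/hosts.allow matches every client for the cvs daemon, so the pserver is now reachable from any address the firewall forwards to port 2401, and CVS pserver authentication only scrambles the password rather than encrypting it. An entry that lists just the addresses that need access is the usual tightening. The model below evaluates a (daemon, client) pair in the order hosts_access(5) documents: /etc/hosts.allow is searched first and a match grants access, then /etc/hosts.deny and a match denies, and with no match in either file access is granted. Name-based patterns are why the server performs the reverse and forward lookups seen in the traces; a peer whose name cannot be established matches only address patterns. The rule files in the block are assumptions for illustration (a hosts.deny of "ALL: ALL" and a hosts.allow with a LAN-only entry), not the poster's actual files; EXCEPT lists, the LOCAL/KNOWN/PARANOID wildcards and spawn/twist commands are not modelled.

```python
"""Minimal model of tcp_wrappers' hosts_access decision (hosts.allow, then hosts.deny, else allow).
Added example, not code from the thread or from tcp_wrappers. Modelled client patterns: ALL, an
exact address or host name, an address prefix ending in "." (192.168.15.), a name suffix starting
with "." (.cox.net) and net/mask or net/prefix-length. EXCEPT lists, the LOCAL / KNOWN / PARANOID
wildcards and spawn/twist commands are left out.
"""
import ipaddress

def parse_rules(text):
    """'daemon_list : client_list' lines -> list of (daemons, clients); comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules

def client_matches(pattern, addr, name=""):
    """True if one client pattern matches the peer's address (and, where the pattern needs it, its name)."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                     # 68.97.134.0/255.255.255.0 or 68.97.134.0/24
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):              # address prefix, e.g. 192.168.15.
        return addr.startswith(pattern)
    if pattern.startswith("."):            # host-name suffix, e.g. .cox.net; needs a resolved name
        return bool(name) and name.endswith(pattern)
    return pattern == addr or (bool(name) and pattern == name)

def rule_matches(rule, daemon, addr, name):
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(client_matches(c, addr, name) for c in clients)

def allowed(daemon, addr, name, hosts_allow, hosts_deny):
    """hosts_access order: a match in hosts.allow grants, then a match in hosts.deny denies, else grant."""
    if any(rule_matches(r, daemon, addr, name) for r in parse_rules(hosts_allow)):
        return True
    if any(rule_matches(r, daemon, addr, name) for r in parse_rules(hosts_deny)):
        return False
    return True

# Constructed rule files: assumptions for illustration, not the poster's actual files.
HOSTS_DENY = "ALL: ALL\n"                               # common hardening default
ALLOW_BEFORE = "ALL: 192.168.15.\n"                     # LAN only: works locally, fails from outside
ALLOW_THREAD_FIX = ALLOW_BEFORE + "cvs: ALL\n"          # the fix from the thread: cvs open to every client
ALLOW_TIGHTER = ALLOW_BEFORE + "cvs: 68.97.134.35\n"    # only the remote peer that needs it

if __name__ == "__main__":
    peer = ("68.97.134.35", "ip68-97-134-35.ok.ok.cox.net")
    for label, allow in (("before", ALLOW_BEFORE), ("thread fix", ALLOW_THREAD_FIX), ("tighter", ALLOW_TIGHTER)):
        print(label, "cvs from remote:", allowed("cvs", *peer, allow, HOSTS_DENY),
              "sshd from remote:", allowed("sshd", *peer, allow, HOSTS_DENY))
```

With the assumed files, the remote client is denied before the change, allowed by "cvs: ALL", and still allowed by the tighter entry, while other daemons stay closed to it in every case; an unrelated address is denied by the tighter entry but admitted by "cvs: ALL".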

ButterflyMelissa 04-23-2011 12:12 PM

Quote:

Problem solved. Added "cvs:ALL" to /etc/hosts.allow
Something along Occam's philosophy: simple solutions that work! Tnx for that, I learned something here...

Thor

mcburton3 04-24-2011 09:45 PM

Thank you Thor.

