Old 10-02-2004, 10:29 AM   #1
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Rep: Reputation: 15
FTP connection hangs for a second then finally connects


Hey All,

I am running a web/dns/ftp/mysql server with Fedora Core 2 and everything is running great but I had a question about the FTP connection.

I have a linksys router set to forward port 21 to my server IP (local).

I've tested the FTP connection and it goes through with no problem but it hangs for 5 seconds at the beginning when it's hitting either my linksys router or the server:

Connecting to <domain.com>
Connected to <domain.com> -> IP=xxx.xxx.xxx.xxx PORT=21

and it just hangs for about 5 seconds or so and then it goes through via PASV mode.

I've tried connecting from 2 different locations and 1 connects right through with no delay and one has a 5 sec delay and then goes through...does it have to do with firewall settings on the source connection's end?

When I ftp on another computer locally it also goes right through with no problem, I'm guessing because I'm already behind the firewall....

Even if I change the mode in my FTP client to PASV or PORT it still hangs at that one location for 5 sec.

Any Ideas?

Thanks,

Lenny
 
Old 10-02-2004, 10:45 AM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Welcome to LQ.

It sounds like the ftp server is doing a dns lookup on the connecting IP so that it can be logged. It is likely that the other machines have hostnames in DNS or a hosts file yet the other one does not. You could speed it up by putting the connecting IP into your server's hosts file like:
ip.of.ftp.client somedomain.com
 
Old 10-02-2004, 11:14 AM   #3
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15
Thanks!

Thanks for the info..

I got the IP and hostname from the location that it was hanging on and added it to the hosts file..and tried to connect again but it's still hanging there....not sure if I was supposed to but I restarted named anyways after I entered the info in the hosts file... is there something else that it could be you think? or it's most likely a DNS lookup issue?..it's not my linksys router?

Thanks again,

Lenny
 
Old 10-02-2004, 01:04 PM   #4
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
Try running the following commands (one at a time) on your FC2 system. Test after each command. No need to reboot, the change takes effect immediately.

First, let's print the current kernel values for reference just in case we want to set these values back to their original state. As root, type:
Code:
# cat /proc/sys/net/ipv4/tcp_ecn
# cat /proc/sys/net/ipv4/tcp_window_scaling
Now, one command at a time, change the value of these kernel parameters to zero and test. Note: The ecn value may already be set to zero, so there is no need to make this change.

Code:
# echo 0 > /proc/sys/net/ipv4/tcp_ecn
... test
# echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
If one of the above commands fixes your problem, you can add either the ecn or window_scaling entry to /etc/sysctl.conf to make these changes permanent.
Code:
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_window_scaling = 0
To set these parameters back to their original state (without rebooting), just change the "echo 0" part of each command to the value obtained prior to making the change. i.e. "echo 1"
 
Old 10-02-2004, 01:35 PM   #5
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15
Thanks so much for the reply..

I looked at both of those files and they were both set to 0

So there was nothing to change....

do you think it's my router..delaying the connection?

any other ideas?

Thanks,

Lenny
 
Old 10-02-2004, 04:25 PM   #6
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
Sounds like it's time to run tcpdump or ethereal on your server. If you're not familiar with how to decode all the output, look at the times the packets were sent or received and see if you can spot the 5 second delay. i.e. packet x was sent or received at time 1:00:00, but the next packet your system sent or received was at time 1:00:05. Post a few packets before and after the packets with the time delay.

To run tcpdump:

1) If you're at the console and you want to capture traffic on eth0:
# tcpdump -ni eth0 >/tmp/tcpdump.cap

2) If you are connecting into this system using ssh, you will want to filter out ssh packets from the capture, so:
# tcpdump -ni eth0 not port ssh >/tmp/tcpdump.cap
 
Old 10-02-2004, 04:55 PM   #7
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15
Hey thanks again...

I ran

tcpdump -ni eth0 not port ssh >/tmp/tcpdump.cap

and it just sits there when I connect via FTP

I press ctl + c and it says it captured 179 packets...how do I view them?

Lenny
 
Old 10-02-2004, 05:06 PM   #8
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
Use "vi" to view the contents.

Also, I should have said this in my previous reply, but the goal here is to capture packets from the system with the delay and also from a system without the delay. Then try to spot the difference between the two captures. Obviously the source IPs will differ, but the sequence of packets (syn, syn ack, data, etc...) from both systems should be similar.
 
Old 10-02-2004, 05:13 PM   #9
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15
hey nevermind I was able to view them..I captured the packets to a txt file here are the results.

I replaced the source hostname with source_host
192.168.1.125 is the internal IP of my server
baguh.lenernet.net is the hostname of my server.

Does it have to do with reverse DNS on my hostname?


06:12:33.167062 IP source_host.64513 > 192.168.1.125.ssh: P 1752108024:1752108076(52) ack 1492976098 win 64503
06:12:33.167174 IP 192.168.1.125.ssh > source_host.64513: P 1:233(232) ack 52 win 27740
06:12:33.168201 IP 192.168.1.125.33545 > baguh.lenernet.net.domain: 4850+ PTR? 125.1.168.192.in-addr.arpa. (44)
06:12:33.168552 IP 192.168.1.1.33545 > 192.168.1.125.domain: 4850+ PTR? 125.1.168.192.in-addr.arpa. (44)
06:12:33.169471 IP 192.168.1.125.33543 > b.root-servers.net.domain: 63048% [1au] PTR? 125.1.168.192.in-addr.arpa. (55)
06:12:33.179081 IP source_host.64513 > 192.168.1.125.ssh: P 52:104(52) ack 233 win 64271
06:12:33.179496 IP source_host.64513 > 192.168.1.125.ssh: P 104:156(52) ack 233 win 64271
06:12:33.218318 IP 192.168.1.125.ssh > source_host.64513: . ack 156 win 27740
06:12:33.247184 IP b.root-servers.net.domain > 192.168.1.125.33543: 63048- 0/7/1 (206)
06:12:33.247783 IP 192.168.1.125.33543 > dill.arin.net.domain: 64292% [1au] PTR? 125.1.168.192.in-addr.arpa. (55)
06:12:33.310793 IP dill.arin.net.domain > 192.168.1.125.33543: 64292- 0/2/1 (115)
06:12:33.311714 IP 192.168.1.125.33543 > c.root-servers.net.domain: 16049% [1au] A? BLACKHOLE-1.IANA.ORG. (49)
06:12:33.312071 IP 192.168.1.125.33543 > c.root-servers.net.domain: 49577% [1au] A6? BLACKHOLE-1.IANA.ORG. (49)
06:12:33.312442 IP 192.168.1.125.33543 > c.root-servers.net.domain: 22329% [1au] A? BLACKHOLE-2.IANA.ORG. (49)
06:12:33.312781 IP 192.168.1.125.33543 > c.root-servers.net.domain: 30842% [1au] A6? BLACKHOLE-2.IANA.ORG. (49)
06:12:33.322821 IP c.root-servers.net.domain > 192.168.1.125.33543: 16049- 0/2/3 (131)
06:12:33.323363 IP 192.168.1.125.33543 > tld1.ultradns.net.domain: 40497% [1au] A? BLACKHOLE-1.IANA.ORG. (49)
06:12:33.329364 IP c.root-servers.net.domain > 192.168.1.125.33543: 49577- 0/2/3 (131)
06:12:33.329731 IP 192.168.1.125.33543 > tld1.ultradns.net.domain: 41545% [1au] A6? BLACKHOLE-1.IANA.ORG. (49)
06:12:33.336344 IP c.root-servers.net.domain > 192.168.1.125.33543: 22329- 0/2/3 (131)
06:12:33.336743 IP 192.168.1.125.33543 > tld1.ultradns.net.domain: 19024% [1au] A? BLACKHOLE-2.IANA.ORG. (49)
06:12:33.338729 IP c.root-servers.net.domain > 192.168.1.125.33543: 30842- 0/2/3 (131)
06:12:33.339062 IP 192.168.1.125.33543 > tld1.ultradns.net.domain: 9512% [1au] A6? BLACKHOLE-2.IANA.ORG. (49)
06:12:33.343910 IP tld1.ultradns.net.domain > 192.168.1.125.33543: 40497- 0/7/2 (256)
06:12:33.344876 IP 192.168.1.125.33543 > b.iana-servers.net.domain: 2311% [1au] A? BLACKHOLE-1.IANA.ORG. (49)
06:12:33.345436 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 22207% [1au] A? a.iana-servers.net. (47)
06:12:33.345804 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 16708% [1au] A6? a.iana-servers.net. (47)
06:12:33.346169 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 41122% [1au] A? c.iana-servers.net. (47)
06:12:33.346567 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 53329% [1au] A6? c.iana-servers.net. (47)
06:12:33.346884 IP tld1.ultradns.net.domain > 192.168.1.125.33543: 41545- 0/7/2 (256)
06:12:33.347108 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 13010% [1au] A? rip.psg.com. (40)
06:12:33.347507 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 6505% [1au] A6? rip.psg.com. (40)
06:12:33.347884 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 22405% [1au] A? sec1.apnic.net. (43)
06:12:33.348253 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 33634% [1au] A6? sec1.apnic.net. (43)
06:12:33.348648 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 57538% [1au] A? sec3.apnic.net. (43)
06:12:33.349020 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 61537% [1au] A6? sec3.apnic.net. (43)
06:12:33.349664 IP 192.168.1.125.33543 > b.iana-servers.net.domain: 39223% [1au] A6? BLACKHOLE-1.IANA.ORG. (49)
06:12:33.350626 IP tld1.ultradns.net.domain > 192.168.1.125.33543: 19024- 0/7/2 (256)
06:12:33.351126 IP 192.168.1.125.33543 > b.iana-servers.net.domain: 15939% [1au] A? BLACKHOLE-2.IANA.ORG. (49)
06:12:33.354398 IP tld1.ultradns.net.domain > 192.168.1.125.33543: 9512- 0/7/2 (256)
06:12:33.354855 IP 192.168.1.125.33543 > b.iana-servers.net.domain: 29446% [1au] A6? BLACKHOLE-2.IANA.ORG. (49)
06:12:33.462615 IP b.iana-servers.net.domain > 192.168.1.125.33543: 2311*- 1/7/5 A blackhole-1.iana.org (298)
06:12:33.463101 IP 192.168.1.125.33543 > blackhole-1.iana.org.domain: 14723% [1au] PTR? 125.1.168.192.in-addr.arpa. (55)
06:12:33.507077 IP b.iana-servers.net.domain > 192.168.1.125.33543: 39223*- 0/1/1 (107)
06:12:33.507766 IP 192.168.1.125.33543 > ns.icann.org.domain: 9130% [1au] AAAA? BLACKHOLE-1.IANA.ORG. (49)
06:12:33.511211 IP b.iana-servers.net.domain > 192.168.1.125.33543: 15939*- 1/7/5 A blackhole-2.iana.org (298)
06:12:33.514069 IP b.iana-servers.net.domain > 192.168.1.125.33543: 29446*- 0/1/1 (107)
06:12:33.514632 IP 192.168.1.125.33543 > ns.icann.org.domain: 4565% [1au] AAAA? BLACKHOLE-2.IANA.ORG. (49)
06:12:33.533603 IP blackhole-1.iana.org.domain > 192.168.1.125.33543: 14723 NXDomain*- 0/1/1 (132)
06:12:33.533877 IP 192.168.1.125.domain > 192.168.1.1.33545: 4850 NXDomain 0/1/0 (121)
06:12:33.534276 IP baguh.lenernet.net.domain > 192.168.1.125.33545: 4850 NXDomain 0/1/0 (121)
06:12:33.534785 IP 192.168.1.125.33545 > baguh.lenernet.net.domain: 4851+ PTR? 10.128.113.66.in-addr.arpa. (44)
06:12:33.535133 IP 192.168.1.1.33545 > 192.168.1.125.domain: 4851+ PTR? 10.128.113.66.in-addr.arpa. (44)
06:12:33.535483 IP 192.168.1.125.domain > 192.168.1.1.33545: 4851 1/2/0 (131)
06:12:33.535866 IP baguh.lenernet.net.domain > 192.168.1.125.33545: 4851 1/2/0 (131)
06:12:33.536398 IP 192.168.1.125.33545 > baguh.lenernet.net.domain: 4852+ PTR? 1.1.168.192.in-addr.arpa. (42)
06:12:33.536735 IP 192.168.1.1.33545 > 192.168.1.125.domain: 4852+ PTR? 1.1.168.192.in-addr.arpa. (42)
06:12:33.537179 IP 192.168.1.125.33543 > blackhole-2.iana.org.domain: 20280% [1au] PTR? 1.1.168.192.in-addr.arpa. (53)
06:12:33.551528 IP b.gtld-servers.net.domain > 192.168.1.125.33543: 22207 FormErr- [0q] 0/0/0 (12)
06:12:33.551749 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 42908 A? a.iana-servers.net. (36)
06:12:33.551822 IP b.gtld-servers.net.domain > 192.168.1.125.33543: 16708 FormErr- [0q] 0/0/0 (12)
06:12:33.551977 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 21454 A6? a.iana-servers.net. (36)
06:12:33.555151 IP b.gtld-servers.net.domain > 192.168.1.125.33543: 41122 FormErr- [0q] 0/0/0 (12)
06:12:33.555319 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 10727 A? c.iana-servers.net. (36)
06:12:33.558653 IP b.gtld-servers.net.domain > 192.168.1.125.33543: 53329 FormErr- [0q] 0/0/0 (12)
06:12:33.558800 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 51870 A6? c.iana-servers.net. (36)
06:12:33.563175 IP b.gtld-servers.net.domain > 192.168.1.125.33543: 13010 FormErr- [0q] 0/0/0 (12)
06:12:33.563345 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 58703 A? rip.psg.com. (29)
06:12:33.566653 IP b.gtld-servers.net.domain > 192.168.1.125.33543: 6505 FormErr- [0q] 0/0/0 (12)
06:12:33.566800 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 41718 A6? rip.psg.com. (29)
06:12:33.570703 IP b.gtld-servers.net.domain > 192.168.1.125.33543: 22405 FormErr- [0q] 0/0/0 (12)
06:12:33.570851 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 10386 A? sec1.apnic.net. (32)
06:12:33.575689 IP b.gtld-servers.net.domain > 192.168.1.125.33543: 33634 FormErr- [0q] 0/0/0 (12)
06:12:33.576071 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 5193 A6? sec1.apnic.net. (32)
06:12:33.578553 IP b.gtld-servers.net.domain > 192.168.1.125.33543: 57538 FormErr- [0q] 0/0/0 (12)
06:12:33.578708 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 59607 A? sec3.apnic.net. (32)
06:12:33.582568 IP ns.icann.org.domain > 192.168.1.125.33543: 9130 FormErr- [0q] 0/0/0 (12)
06:12:33.582710 IP 192.168.1.125.33543 > ns.icann.org.domain: 17094 AAAA? BLACKHOLE-1.IANA.ORG. (38)
06:12:33.582856 IP b.gtld-servers.net.domain > 192.168.1.125.33543: 61537 FormErr- [0q] 0/0/0 (12)
06:12:33.583004 IP 192.168.1.125.33543 > b.gtld-servers.net.domain: 41315 A6? sec3.apnic.net. (32)
06:12:33.588794 IP ns.icann.org.domain > 192.168.1.125.33543: 4565 FormErr- [0q] 0/0/0 (12)
06:12:33.588913 IP 192.168.1.125.33543 > ns.icann.org.domain: 44773 AAAA? BLACKHOLE-2.IANA.ORG. (38)
06:12:33.608755 IP blackhole-2.iana.org.domain > 192.168.1.125.33543: 20280 NXDomain*- 0/1/1 (130)
06:12:33.609065 IP 192.168.1.125.domain > 192.168.1.1.33545: 4852 NXDomain 0/1/0 (119)
06:12:33.609440 IP baguh.lenernet.net.domain > 192.168.1.125.33545: 4852 NXDomain 0/1/0 (119)
06:12:33.609826 IP 192.168.1.125.33545 > baguh.lenernet.net.domain: 4853+ PTR? 201.79.228.192.in-addr.arpa. (45)
06:12:33.610181 IP 192.168.1.1.33545 > 192.168.1.125.domain: 4853+ PTR? 201.79.228.192.in-addr.arpa. (45)
06:12:33.610660 IP 192.168.1.125.33543 > a3.NSTLD.COM.domain: 43210% [1au] PTR? 201.79.228.192.in-addr.arpa. (56)
06:12:33.653342 IP a3.NSTLD.COM.domain > 192.168.1.125.33543: 43210- 0/3/1 (137)
06:12:33.654459 IP 192.168.1.125.33543 > d.root-servers.net.domain: 43560% [1au] A? NS.ISI.EDU. (39)
06:12:33.654823 IP 192.168.1.125.33543 > d.root-servers.net.domain: 10994% [1au] A6? NS.ISI.EDU. (39)
06:12:33.655246 IP 192.168.1.125.33543 > c.gtld-servers.net.domain: 5497% [1au] A? DOT.EP.NET. (39)
06:12:33.655624 IP 192.168.1.125.33543 > c.gtld-servers.net.domain: 50811% [1au] A6? DOT.EP.NET. (39)
06:12:33.655975 IP 192.168.1.125.33543 > d.root-servers.net.domain: 45066% [1au] A? SLAVE.STH.NETNOD.SE. (48)
06:12:33.656351 IP 192.168.1.125.33543 > d.root-servers.net.domain: 55301% [1au] A6? SLAVE.STH.NETNOD.SE. (48)
06:12:33.661351 IP ns.icann.org.domain > 192.168.1.125.33543: 17094*- 0/1/0 (96)
06:12:33.669362 IP ns.icann.org.domain > 192.168.1.125.33543: 44773*- 0/1/0 (96)
06:12:33.696021 IP d.root-servers.net.domain > 192.168.1.125.33543: 43560- 0/9/10 (345)
06:12:33.696753 IP 192.168.1.125.33543 > g3.NSTLD.COM.domain: 64587% [1au] A? NS.ISI.EDU. (39)
06:12:33.696959 IP d.root-servers.net.domain > 192.168.1.125.33543: 10994- 0/9/10 (345)
06:12:33.697588 IP 192.168.1.125.33543 > g3.NSTLD.COM.domain: 39697% [1au] A6? NS.ISI.EDU. (39)
06:12:33.707894 IP c.gtld-servers.net.domain > 192.168.1.125.33543: 5497 FormErr- [0q] 0/0/0 (12)
06:12:33.708091 IP 192.168.1.125.33543 > c.gtld-servers.net.domain: 16271 A? DOT.EP.NET. (28)
06:12:33.708791 IP d.root-servers.net.domain > 192.168.1.125.33543: 45066- 0/8/9 (307)
06:12:33.709510 IP 192.168.1.125.33543 > se-dns.sth.netnod.se.domain: 37668% [1au] A? SLAVE.STH.NETNOD.SE. (48)
06:12:33.710797 IP c.gtld-servers.net.domain > 192.168.1.125.33543: 50811 FormErr- [0q] 0/0/0 (12)
06:12:33.710985 IP 192.168.1.125.33543 > c.gtld-servers.net.domain: 42161 A6? DOT.EP.NET. (28)
06:12:33.712484 IP d.root-servers.net.domain > 192.168.1.125.33543: 55301- 0/8/9 (307)
06:12:33.713035 IP 192.168.1.125.33543 > se-dns.sth.netnod.se.domain: 47853% [1au] A6? SLAVE.STH.NETNOD.SE. (48)
06:12:33.749505 IP b.gtld-servers.net.domain > 192.168.1.125.33543: 21454- 0/4/5 (199)
06:12:33.750007 IP b.gtld-servers.net.domain > 192.168.1.125.33543: 42908- 1/4/5 A a.iana-servers.net (215)
06:12:33.750236 IP 192.168.1.125.33543 > karashi.apnic.net.domain: 38105% [1au] A6? a.iana-servers.net. (47)
06:12:33.756539 IP c.gtld-servers.net.domain > 192.168.1.125.33543: 16271- 1/2/3 A dot.ep.net (137)
06:12:33.757092 fe80::201:29ff:fe94:5736 > ff02::1:ff22:6a29: icmp6: neighbor sol: who has 2001:478:6:0:230:48ff:fe22:6a29

Thanks
 
Old 10-02-2004, 07:00 PM   #10
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
I thought your problem had to do with ftp, because I don't see a single packet that pertains to ftp traffic. Plus, it looks like every packet was captured within one second at time 06:12:33. Almost all the captured packets are DNS queries to the root name servers and some are queries for IPv6 addresses, but I also see those at my end. Also, most of the DNS queries seem to be failing. i.e. NXDOMAIN. The arp for IPv6 is odd if you are not using an IPv6 address. If you are not using IPv6, then turn off IPv6 by adding the following to /etc/modules.conf. I know I had to turn off IPv6 on my FC2 system.

alias net-pf-10 off

You'll probably have to reboot your system for the IPv6 change to take effect. Especially if you are not at the console.

If turning off IPv6 does not fix your problem, then try capturing packets again, but this time ONLY post the relevant part of the capture that pertains to FTP. The first sequence of packets should look like:

18:34:28.038326 192.168.9.21.ica > 192.168.9.3.ftp: S 349510030:349510030(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
18:34:28.038504 192.168.9.3.ftp > 192.168.9.21.ica: S 3713529224:3713529224(0) ack 349510031 win 5840 <mss 1460,nop,nop,sackOK> (DF)
18:34:28.038677 192.168.9.21.ica > 192.168.9.3.ftp: . ack 1 win 65535 (DF)

Note the FTP port after the destination IP. I'm connecting from 192.168.9.21, my FTP server is 192.168.9.3. In your case, I would be looking for a packet that has a 5 second delay from a previous packet. The delay could very well be a DNS query that times out, but finding the sequence of packets before and after the delay will help clarify where your problem is.
 
Old 10-02-2004, 07:14 PM   #11
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15
Hey thanks...

I don't have a modules.conf in /etc should I just create one and then enter what you mentioned before?

is there a way to specify the FTP protocol when you do a tcpdump command so it only captures FTP info?

thanks again

Lenny
 
Old 10-02-2004, 07:16 PM   #12
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15
and just to make sure I'm capturing correctly...I'm running that command then trying to FTP and then canceling the tcpdump process..is this correct?
 
Old 10-02-2004, 07:18 PM   #13
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15
when I search for modules or modules.conf I get the following, not sure which one it might be:

./lib/modules
./downloads/proftpd-1.2.10/modules
./downloads/proftpd-1.2.10/doc/modules
./etc/gnome-vfs-2.0/modules
./etc/vfs/modules
./etc/httpd/modules
./etc/X11/gdm/modules
./usr/X11R6/lib/modules
./usr/lib/gtk-2.0/modules
./usr/lib/pango/1.4.0/modules
./usr/lib/gnome-vfs-2.0/modules
./usr/lib/libgnomeprint/2.6.0/modules
./usr/lib/vfs/modules
./usr/lib/httpd/modules
./usr/lib/gthumb/modules
./usr/share/firstboot/modules
./usr/share/doc/lm_sensors-2.8.6/doc/modules
./usr/share/doc/proftpd-1.2.10/modules
./usr/share/doc/ncurses-devel-5.4/test/modules
./proc/asound/modules
./proc/modules
 
Old 10-02-2004, 07:25 PM   #14
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
Quote:
Originally posted by lsimon4180
Hey thanks...

I don't have a modules.conf in /etc should I just create one and then enter what you mentioned before?

is there a way to specify the FTP protocol when you do a tcpdump command so it only captures FTP info?

thanks again

Lenny
Sorry, my mistake. I forgot the 2.6.x kernels use "/etc/modprobe.conf"

Added:

Yes you can specify just the ftp protocol for tcpdump, but your problem could be DNS related, ARPs, etc... So it's best if you capture all the packets minus your ssh session, and unfortunately, wade through all the other traffic.

For reference: tcpdump -ni eth0 tcp port ftp or tcp port ftp-data
would capture just ftp and ftp-data packets.

See: man tcpdump for other filter expressions

Last edited by scowles; 10-02-2004 at 07:44 PM.
 
Old 10-02-2004, 10:57 PM   #15
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15
ok..I haven't tried the IPv6 thing but I was able to get FTP logs from tcpdump..below are the results....I've replaced the source IPs with source_IP

*****This is the quick connection (no 5 sec delay)

11:48:44.711278 IP source_IP.35645 > 192.168.1.125.ftp: S 2432844624:2432844624(0)
win 5840 <mss 1460,sackOK,timestamp 123146255 0,nop,wscale 0>
11:48:44.711375 IP 192.168.1.125.ftp > source_IP.35645: S 3321662944:3321662944(0)
ack 2432844625 win 5840 <mss 1460>
11:48:44.784749 IP source_IP.35645 > 192.168.1.125.ftp: . ack 1 win 5840
11:48:44.864925 IP 192.168.1.125.ftp > source_IP.35645: P 1:69(68) ack 1 win 5840
11:48:44.937020 IP source_IP.35645 > 192.168.1.125.ftp: . ack 69 win 5840
11:48:47.351639 IP source_IP.35645 > 192.168.1.125.ftp: P 1:12(11) ack 69 win 5840
11:48:47.351722 IP 192.168.1.125.ftp > source_IP.35645: . ack 12 win 5840
11:48:47.352274 IP 192.168.1.125.ftp > source_IP.35645: P 69:102(33) ack 12 win 5840
11:48:47.440281 IP source_IP.35645 > 192.168.1.125.ftp: . ack 102 win 5840
11:48:48.557613 IP source_IP.35645 > 192.168.1.125.ftp: P 12:23(11) ack 102 win 5840
11:48:48.558365 IP 192.168.1.125.ftp > source_IP.35645: P 102:124(22) ack 23 win 5840
11:48:48.637406 IP source_IP.35645 > 192.168.1.125.ftp: . ack 124 win 5840
11:48:48.637701 IP source_IP.35645 > 192.168.1.125.ftp: P 23:29(6) ack 124 win 5840
11:48:48.637900 IP 192.168.1.125.ftp > source_IP.35645: P 124:143(19) ack 29 win 5840
11:48:48.765493 IP source_IP.35645 > 192.168.1.125.ftp: . ack 143 win 5840
11:48:50.139849 IP source_IP.35645 > 192.168.1.125.ftp: P 29:35(6) ack 143 win 5840
11:48:50.140129 IP 192.168.1.125.ftp > source_IP.35645: P 143:157(14) ack 35 win 5840
11:48:50.140323 IP 192.168.1.125.ftp > source_IP.35645: F 157:157(0) ack 35 win 5840
11:48:50.211172 IP source_IP.35645 > 192.168.1.125.ftp: . ack 157 win 5840
11:48:50.211466 IP source_IP.35645 > 192.168.1.125.ftp: F 35:35(0) ack 157 win 5840
11:48:50.211508 IP 192.168.1.125.ftp > source_IP.35645: . ack 36 win 5840
11:48:50.215716 IP source_IP.35645 > 192.168.1.125.ftp: . ack 158 win 5840

*****This is the 5 sec delay connection

11:46:22.107221 IP source_IP.51382 > 192.168.1.125.ftp: S 4122808085:4122808085(0)
win 5840 <mss 1460,sackOK,timestamp 263076933 0,nop,wscale 0>
11:46:22.107328 IP 192.168.1.125.ftp > source_IP.51382: S 3150132456:3150132456(0)
ack 4122808086 win 5840 <mss 1460>
11:46:22.119650 IP source_IP.51382 > 192.168.1.125.ftp: . ack 1 win 5840
11:46:32.125247 IP 192.168.1.125.ftp > source_IP.51382: P 1:69(68) ack 1 win 5840
11:46:32.148321 IP source_IP.51382 > 192.168.1.125.ftp: . ack 69 win 5840
11:46:34.174335 IP source_IP.51382 > 192.168.1.125.ftp: P 1:12(11) ack 69 win 5840
11:46:34.174417 IP 192.168.1.125.ftp > source_IP.51382: . ack 12 win 5840
11:46:34.174996 IP 192.168.1.125.ftp > source_IP.51382: P 69:102(33) ack 12 win 5840
11:46:34.193428 IP source_IP.51382 > 192.168.1.125.ftp: . ack 102 win 5840
11:46:35.426052 IP source_IP.51382 > 192.168.1.125.ftp: P 12:23(11) ack 102 win 5840
11:46:35.450214 IP 192.168.1.125.ftp > source_IP.51382: P 102:124(22) ack 23 win 5840
11:46:35.461349 IP source_IP.51382 > 192.168.1.125.ftp: . ack 124 win 5840
11:46:35.461655 IP source_IP.51382 > 192.168.1.125.ftp: P 23:29(6) ack 124 win 5840
11:46:35.461813 IP 192.168.1.125.ftp > source_IP.51382: P 124:143(19) ack 29 win 5840
11:46:35.508894 IP source_IP.51382 > 192.168.1.125.ftp: . ack 143 win 5840
11:46:37.378831 IP source_IP.51382 > 192.168.1.125.ftp: P 29:35(6) ack 143 win 5840
11:46:37.379163 IP 192.168.1.125.ftp > source_IP.51382: P 143:157(14) ack 35 win 5840
11:46:37.379364 IP 192.168.1.125.ftp > source_IP.51382: F 157:157(0) ack 35 win 5840
11:46:37.397290 IP source_IP.51382 > 192.168.1.125.ftp: . ack 143 win 5840
11:46:37.402301 IP source_IP.51382 > 192.168.1.125.ftp: . ack 158 win 5840
11:46:37.402606 IP source_IP.51382 > 192.168.1.125.ftp: F 35:35(0) ack 158 win 5840
11:46:37.402649 IP 192.168.1.125.ftp > source_IP.51382: . ack 36 win 5840

For some reason on the delay it took 10 sec for my ftp server to respond back to the source IP:

11:46:22.119650 IP source_IP.51382 > 192.168.1.125.ftp: . ack 1 win 5840
11:46:32.125247 IP 192.168.1.125.ftp > source_IP.51382: P 1:69(68) ack 1 win 5840

Not sure what else we can make or try from this..

Thanks,

Lenny
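
The timestamp comparison scowles describes in posts #6 and #10, automated as an added example (not code posted by anyone in this thread): it parses tcpdump's text output, rejoins wrapped lines, and reports any silence of 5 seconds or more inside one flow together with the packet that ended it. The helper names `Packet`, `Gap`, `parse_capture` and `find_gaps` are hypothetical; the sample lines are the first packets of the two connections in post #15.

```python
import re
from collections import namedtuple

# All names here (Packet, Gap, parse_capture, find_gaps) are hypothetical helpers.
Packet = namedtuple("Packet", "t src dst info")
Gap = namedtuple("Gap", "seconds before after")

# "HH:MM:SS.ffffff [IP] src > dst: rest" (older tcpdump omits the "IP" token)
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}\.\d+)\s+(?:IP6?\s+)?(\S+)\s+>\s+(\S+):(?:\s+(.*))?$"
)

# First packets of each connection, copied from the capture in post #15.
SLOW = """\
11:46:22.107221 IP source_IP.51382 > 192.168.1.125.ftp: S 4122808085:4122808085(0)
win 5840 <mss 1460,sackOK,timestamp 263076933 0,nop,wscale 0>
11:46:22.107328 IP 192.168.1.125.ftp > source_IP.51382: S 3150132456:3150132456(0)
ack 4122808086 win 5840 <mss 1460>
11:46:22.119650 IP source_IP.51382 > 192.168.1.125.ftp: . ack 1 win 5840
11:46:32.125247 IP 192.168.1.125.ftp > source_IP.51382: P 1:69(68) ack 1 win 5840
11:46:32.148321 IP source_IP.51382 > 192.168.1.125.ftp: . ack 69 win 5840
11:46:34.174335 IP source_IP.51382 > 192.168.1.125.ftp: P 1:12(11) ack 69 win 5840
"""
FAST = """\
11:48:44.711278 IP source_IP.35645 > 192.168.1.125.ftp: S 2432844624:2432844624(0)
win 5840 <mss 1460,sackOK,timestamp 123146255 0,nop,wscale 0>
11:48:44.711375 IP 192.168.1.125.ftp > source_IP.35645: S 3321662944:3321662944(0)
ack 2432844625 win 5840 <mss 1460>
11:48:44.784749 IP source_IP.35645 > 192.168.1.125.ftp: . ack 1 win 5840
11:48:44.864925 IP 192.168.1.125.ftp > source_IP.35645: P 1:69(68) ack 1 win 5840
11:48:44.937020 IP source_IP.35645 > 192.168.1.125.ftp: . ack 69 win 5840
11:48:47.351639 IP source_IP.35645 > 192.168.1.125.ftp: P 1:12(11) ack 69 win 5840
"""


def parse_capture(text):
    """Parse tcpdump's default text output into a list of Packet tuples."""
    packets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            # No leading timestamp: a wrapped continuation of the previous packet.
            if packets:
                last = packets[-1]
                packets[-1] = last._replace(info=(last.info + " " + line).strip())
            continue
        hh, mm, ss, src, dst, info = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        packets.append(Packet(t, src, dst, info or ""))
    return packets


def find_gaps(packets, threshold=5.0):
    """Return a Gap for every silence >= threshold seconds within one flow."""
    last_seen = {}  # flow (unordered endpoint pair) -> last packet seen on it
    gaps = []
    for pkt in packets:
        flow = frozenset((pkt.src, pkt.dst))
        prev = last_seen.get(flow)
        if prev is not None:
            delta = pkt.t - prev.t
            if delta < 0:  # timestamps carry no date: the capture crossed midnight
                delta += 86400
            if delta >= threshold:
                gaps.append(Gap(round(delta, 6), prev, pkt))
        last_seen[flow] = pkt
    return gaps


if __name__ == "__main__":
    for name, text in (("fast", FAST), ("slow", SLOW)):
        gaps = find_gaps(parse_capture(text))
        if not gaps:
            print(f"{name}: no gap of 5 s or more")
        for g in gaps:
            print(f"{name}: {g.seconds:.3f} s of silence, "
                  f"ended by {g.after.src}: {g.after.info}")
```

The sender of the packet that ends a gap is the side that was silent; on the slow connection that is the server's first data segment, sent only after the client's handshake ACK had been sitting for about ten seconds.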
 
  

