LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 04-21-2011, 09:01 AM   #1
mcburton3
LQ Newbie
 
Registered: Apr 2011
Posts: 13

Rep: Reputation: 1
tcpdump interpretation


Hello all,

I am trying to access CVS on a home-based Linux server over port 2401 through a firewall, but it is not working. CVS works fine if I am on my LAN, however, so I know it is not CVS. I have opened port 2401 on the firewall and used tcpdump to capture traffic and it appears the CVS protocol is tunneling okay, but it seems to go awry when my server sends some sort of message to the Internet provider DNS system (which it doesn't do when I connect from my LAN). I can't tell what the problem is other than my server resets the connection. Below are two tcpdump traces of the problem.

Do any of you know how to interpret this and understand what is going on here or have an idea of how to interpret it (other tools) for the messages in blue below? The connection reset is in red. It appears that my server is doing some sort of ARP lookup but they are TCP messages, so I am really confused. I read that Wireshark can help but I can't seem to find a version that is an easy install on my RedHat ES4 server, and tcpdump -w <filename> is not writing any data to the file (which appears to be a common issue).

Any help you can provide is greatly appreciated. Thanks!


In these traces, 192.168.15.110 is the subnet address of my server on the LAN. 68.105.28.11 (first trace) and 68.97.134.35 (2nd trace) are the remote hosts trying to connect.

1st tcpdump Trace:
23:09:06.027569 IP 68.97.134.35.2061 > 192.168.15.110.2401: S 2372848851:2372848851(0) win 64512 <mss 1460,nop,nop,sackOK>
23:09:06.027708 IP 192.168.15.110.2401 > 68.97.134.35.2061: S 2920228069:2920228069(0) ack 2372848852 win 5840 <mss 1460,nop,nop,sackOK>
23:09:06.051615 IP 68.97.134.35.2061 > 192.168.15.110.2401: . ack 1 win 64512
23:09:06.051741 IP 68.97.134.35.2061 > 192.168.15.110.2401: P 1:65(64) ack 1 win 64512
23:09:06.051762 IP 192.168.15.110.2401 > 68.97.134.35.2061: . ack 65 win 5840
23:09:06.053010 IP 192.168.15.110.32809 > 68.105.28.11.53: 19175+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:09:06.065856 IP 68.105.28.11.53 > 192.168.15.110.32809: 19175 1/3/3 (194)
23:09:06.066122 IP 192.168.15.110.32809 > 68.105.28.11.53: 61137+ A? ip68-97-134-35.ok.ok.cox.net. (46)
23:09:06.075599 IP 68.105.28.11.53 > 192.168.15.110.32809: 61137 1/3/3 (171)
23:09:06.075750 IP 192.168.15.110.32809 > 68.105.28.11.53: 29707+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:09:06.085466 IP 68.105.28.11.53 > 192.168.15.110.32809: 29707 1/3/3 (194)

23:09:06.085900 IP 192.168.15.110.2401 > 68.97.134.35.2061: R 1:1(0) ack 65 win 5840


2nd tcpdump trace:
23:41:55.565349 IP ip68-97-134-35.ok.ok.cox.net.2486 > 192.168.15.110.cvspserver: S 3266663381:3266663381(0) win 64512 <mss 1460,nop,nop,sackOK>
23:41:55.641813 IP 192.168.15.110.cvspserver > ip68-97-134-35.ok.ok.cox.net.2486: S 709945735:709945735(0) ack 3266663382 win 5840 <mss 1460,nop,nop,sackOK>
23:41:55.565987 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 9606+ PTR? 110.15.168.192.in-addr.arpa. (45)
23:41:55.631615 IP cdns1.cox.net.domain > 192.168.15.110.32811: 9606 NXDomain 0/1/0 (122)
23:41:55.631754 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 2291+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:41:55.641733 IP cdns1.cox.net.domain > 192.168.15.110.32811: 2291 1/3/3 (194)
23:41:55.641945 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 47545+ PTR? 11.28.105.68.in-addr.arpa. (43)
23:41:55.651228 IP cdns1.cox.net.domain > 192.168.15.110.32811: 47545 1/3/3 (179)

23:41:55.673713 IP ip68-97-134-35.ok.ok.cox.net.2486 > 192.168.15.110.cvspserver: . ack 1 win 64512
23:41:55.673962 IP ip68-97-134-35.ok.ok.cox.net.2486 > 192.168.15.110.cvspserver: P 1:65(64) ack 1 win 64512
23:41:55.673983 IP 192.168.15.110.cvspserver > ip68-97-134-35.ok.ok.cox.net.2486: . ack 65 win 5840
23:41:55.675066 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 52806+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:41:55.683330 IP cdns1.cox.net.domain > 192.168.15.110.32811: 52806 1/3/3 (194)
23:41:55.683581 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 46756+ A? ip68-97-134-35.ok.ok.cox.net. (46)
23:41:55.694197 IP cdns1.cox.net.domain > 192.168.15.110.32811: 46756 1/3/3 (171)
23:41:55.694353 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 28342+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:41:55.703315 IP cdns1.cox.net.domain > 192.168.15.110.32811: 28342 1/3/3 (194)

23:41:55.703749 IP 192.168.15.110.cvspserver > ip68-97-134-35.ok.ok.cox.net.2486: R 1:1(0) ack 65 win 5840
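The two traces share one shape: the three-way handshake completes, the client sends its first 64 bytes, the server then does a PTR lookup on the client's address, an A lookup on the name it got back, another PTR, and only then sends the RST. Reading that by eye across two traces is error-prone, so here is a small parser, added as an example for this thread (it is not code from the original post), that groups the DNS queries the server sent while each CVS connection was open and reports whether the server reset that connection. The embedded sample is copied from the first trace above; attributing every DNS query from the server's address to the open connection is this example's own assumption, not something tcpdump records.

```python
"""Correlate tcpdump text output: per TCP connection to the CVS port, list the
DNS lookups the server made while the connection was open and whether the
server then sent a RST. Added example for this thread, not the original
poster's code. TRACE1 is copied from the thread's first trace (run with -n)."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# DNS query payload, e.g. "19175+ PTR? 35.134.97.68.in-addr.arpa. (43)"
DNS_QUERY_RE = re.compile(
    r"^\d+\+?\s+(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)\s+\(\d+\)$")
# TCP payload starts with the flag field: "S ...", ". ack ...", "P 1:65(64) ...", "R 1:1(0) ..."
TCP_RE = re.compile(r"^(?P<flags>[SPRF.]+)\s")
SERVER_PORTS = ("2401", "cvspserver")   # tcpdump prints the service name when run without -n


def split_endpoint(endpoint):
    """'192.168.15.110.2401' -> ('192.168.15.110', '2401'); 'host.name.2486' works the same."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_line(line):
    """Return a dict describing one packet, or None for lines that are not IP packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    rec = {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport}
    q = DNS_QUERY_RE.match(m["rest"])
    t = TCP_RE.match(m["rest"])
    if q:
        rec.update(kind="dns_query", qtype=q["qtype"], qname=q["qname"])
    elif t:
        rec.update(kind="tcp", flags=t["flags"])
    else:
        rec["kind"] = "other"   # DNS answers and anything else this analysis does not need
    return rec


def analyze(lines):
    """One report per connection opened to SERVER_PORTS: the DNS queries the
    server host sent while it was open, and the time of the server's RST (if any)."""
    conns = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "tcp":
            if rec["dport"] in SERVER_PORTS and "S" in rec["flags"]:    # client SYN
                conns[(rec["src"], rec["sport"], rec["dst"])] = {
                    "client": rec["src"], "server": rec["dst"], "syn_ts": rec["ts"],
                    "dns": [], "reset_ts": None}
            elif rec["sport"] in SERVER_PORTS and "R" in rec["flags"]:  # server RST
                key = (rec["dst"], rec["dport"], rec["src"])
                if key in conns:
                    conns[key]["reset_ts"] = rec["ts"]
        elif rec["kind"] == "dns_query":
            # Assumption: a query leaving the server host belongs to its still-open connections.
            for rep in conns.values():
                if rep["reset_ts"] is None and rep["server"] == rec["src"]:
                    rep["dns"].append((rec["qtype"], rec["qname"]))
    return list(conns.values())


def reverse_then_forward(report):
    """True when a PTR lookup in in-addr.arpa was followed by an A lookup: the
    reverse-then-forward hostname verification tcp_wrappers performs before it
    consults /etc/hosts.allow and /etc/hosts.deny."""
    saw_ptr = False
    for qtype, qname in report["dns"]:
        if qtype == "PTR" and qname.endswith(".in-addr.arpa."):
            saw_ptr = True
        elif qtype == "A" and saw_ptr:
            return True
    return False


TRACE1 = """\
23:09:06.027569 IP 68.97.134.35.2061 > 192.168.15.110.2401: S 2372848851:2372848851(0) win 64512 <mss 1460,nop,nop,sackOK>
23:09:06.027708 IP 192.168.15.110.2401 > 68.97.134.35.2061: S 2920228069:2920228069(0) ack 2372848852 win 5840 <mss 1460,nop,nop,sackOK>
23:09:06.051615 IP 68.97.134.35.2061 > 192.168.15.110.2401: . ack 1 win 64512
23:09:06.051741 IP 68.97.134.35.2061 > 192.168.15.110.2401: P 1:65(64) ack 1 win 64512
23:09:06.051762 IP 192.168.15.110.2401 > 68.97.134.35.2061: . ack 65 win 5840
23:09:06.053010 IP 192.168.15.110.32809 > 68.105.28.11.53: 19175+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:09:06.065856 IP 68.105.28.11.53 > 192.168.15.110.32809: 19175 1/3/3 (194)
23:09:06.066122 IP 192.168.15.110.32809 > 68.105.28.11.53: 61137+ A? ip68-97-134-35.ok.ok.cox.net. (46)
23:09:06.075599 IP 68.105.28.11.53 > 192.168.15.110.32809: 61137 1/3/3 (171)
23:09:06.075750 IP 192.168.15.110.32809 > 68.105.28.11.53: 29707+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:09:06.085466 IP 68.105.28.11.53 > 192.168.15.110.32809: 29707 1/3/3 (194)
23:09:06.085900 IP 192.168.15.110.2401 > 68.97.134.35.2061: R 1:1(0) ack 65 win 5840
"""

if __name__ == "__main__":
    for rep in analyze(TRACE1.splitlines()):
        print(f"{rep['client']} -> {rep['server']}: {len(rep['dns'])} DNS queries, "
              f"reset at {rep['reset_ts']}, reverse-then-forward={reverse_then_forward(rep)}")
```

Two things worth noting when feeding it your own captures. The second trace was taken without -n, so tcpdump itself resolved names for display; the PTR queries for 110.15.168.192 and 11.28.105.68 right after the SYN are tcpdump's own lookups, not the server's, and this parser cannot tell them apart, so capture with -n. And a RST that arrives only after the server has done a reverse-then-forward lookup on the client is not a network problem at all: it is the access-control decision of a wrapped service, which is exactly where /etc/hosts.allow and /etc/hosts.deny come in.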
 
Old 04-21-2011, 11:13 AM   #2
ButterflyMelissa
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,766
Blog Entries: 23

Rep: Reputation: 411
For all I know, ARP does an occasional refresh to clean up the cache. It does this by sending a broadcast to the hosts. Happens all the time over here...
What you can see is a "who has" request. One host sends that request with an IP address and a "tell" in it, something like (if memory serves)

Quote:
who has 192.168.1.2 tell 192.168.1.1
That makes traffic. That you can see in the dump...

I guess that's it...try it! Enter this in the console

Quote:
tcpdump -ennqti eth0 \( arp or icmp \)
and read...

Wellness to ya!

Thor

Last edited by ButterflyMelissa; 04-21-2011 at 11:15 AM.
 
Old 04-23-2011, 03:00 AM   #3
mcburton3
LQ Newbie
 
Registered: Apr 2011
Posts: 13

Original Poster
Rep: Reputation: 1
Problem solved. Added "cvs:ALL" to /etc/hosts.allow.
 
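The fix above works because the CVS pserver is a tcp_wrappers-controlled service: after verifying the client's hostname (the DNS traffic in the traces), it reads /etc/hosts.allow, then /etc/hosts.deny, and grants access when no rule in either file matches. The following model of that decision is an added example, not the thread's or the tcp_wrappers project's code. It supports the client patterns ALL, an exact address, a trailing-dot address prefix such as 192.168.15., a net/mask pair, and a leading-dot domain suffix; it leaves out EXCEPT and the KNOWN/UNKNOWN/PARANOID wildcards. The rule sets and the address 203.0.113.7 are constructed for the demonstration; the original poster's hosts.deny is not shown in the thread, so "ALL: ALL" there is an assumption. Besides reproducing the thread's "cvs: ALL" rule, it shows the tightened form a defender would normally prefer, where the CVS daemon is opened only to the LAN and the one remote address from the traces.

```python
"""Minimal model of the tcp_wrappers access decision (added example, not the
thread's or the library's code): hosts.allow is consulted first, then
hosts.deny, and a client is allowed when neither file has a matching rule.
Each rule line is 'daemon_list : client_list [: shell_command]'."""
import ipaddress


def parse_rules(text):
    """Yield (daemon_list, client_list) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        yield fields[0], fields[1]   # a third field (shell command) is ignored here


def client_matches(pattern, ip, hostname=None):
    """Match one client pattern against a numeric address and, if tcp_wrappers
    could verify one, the client's hostname."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. .cox.net (needs a hostname)
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):            # address prefix, e.g. 192.168.15.
        return ip.startswith(pattern)
    if "/" in pattern:                   # net/mask, e.g. 192.168.15.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip or (hostname is not None and pattern == hostname)


def list_matches(item_list, predicate):
    """Lists are separated by commas and/or blanks; any matching item suffices."""
    return any(predicate(item) for item in item_list.replace(",", " ").split())


def access_allowed(allow_text, deny_text, daemon, ip, hostname=None):
    """Return True if tcp_wrappers would admit `ip` to `daemon`; first match wins,
    hosts.allow before hosts.deny, default allow."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients in parse_rules(text):
            if (list_matches(daemons, lambda d: d in ("ALL", daemon))
                    and list_matches(clients, lambda c: client_matches(c, ip, hostname))):
                return verdict
    return True


# The thread's fix, with an assumed deny-everything hosts.deny underneath it.
THREAD_ALLOW = "cvs: ALL\n"
ASSUMED_DENY = "ALL: ALL\n"

# Tightened variant (constructed): only the LAN and the one remote client from the traces.
TIGHT_ALLOW = "cvs: 192.168.15. , 68.97.134.35\n"
TIGHT_DENY = "cvs: ALL\n"


def summary():
    """Decisions for the thread's remote client, a LAN host and a constructed stranger."""
    return {
        "thread_fix_remote": access_allowed(THREAD_ALLOW, ASSUMED_DENY, "cvs", "68.97.134.35"),
        "thread_fix_anyone": access_allowed(THREAD_ALLOW, ASSUMED_DENY, "cvs", "203.0.113.7"),
        "before_fix_remote": access_allowed("", ASSUMED_DENY, "cvs", "68.97.134.35"),
        "tight_lan": access_allowed(TIGHT_ALLOW, TIGHT_DENY, "cvs", "192.168.15.23"),
        "tight_remote": access_allowed(TIGHT_ALLOW, TIGHT_DENY, "cvs", "68.97.134.35"),
        "tight_stranger": access_allowed(TIGHT_ALLOW, TIGHT_DENY, "cvs", "203.0.113.7"),
    }


if __name__ == "__main__":
    for name, allowed in summary().items():
        print(f"{name:20s} {'allow' if allowed else 'deny'}")
```

The daemon field is matched against the name of the server program, which is why the thread's rule says cvs rather than the port's service name cvspserver. Note that "cvs: ALL" admits every address that can reach port 2401 through the firewall; the tightened pair keeps the same first-match logic but answers the stranger with a deny, which on the wire looks exactly like the RST in the original traces.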
Old 04-23-2011, 01:12 PM   #4
ButterflyMelissa
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,766
Blog Entries: 23

Rep: Reputation: 411
Quote:
Problem solved. Added "cvs:ALL" to /etc/hosts.allow
Something along Occam's philosophy: simple solutions that work! Thanks for that, I learned something here...

Thor
 
Old 04-24-2011, 10:45 PM   #5
mcburton3
LQ Newbie
 
Registered: Apr 2011
Posts: 13

Original Poster
Rep: Reputation: 1
Thank you Thor.
 