04-21-2011, 09:01 AM  #1
LQ Newbie
Registered: Apr 2011
Posts: 13
tcpdump interpretation
Hello all,
I am trying to access CVS on a home-based Linux server over port 2401 through a firewall, but it is not working. CVS works fine if I am on my LAN, however, so I know it is not CVS. I have opened port 2401 on the firewall and used tcpdump to capture traffic and it appears the CVS protocol is tunneling okay, but it seems to go awry when my server sends some sort of message to the Internet provider DNS system (which it doesn't do when I connect from my LAN). I can't tell what the problem is other than my server resets the connection. Below are two tcpdump traces of the problem.
Do any of you know how to interpret this and understand what is going on here or have an idea of how to interpret it (other tools) for the messages in blue below? The connection reset is in red. It appears that my server is doing some sort of ARP lookup but they are TCP messages, so I am really confused. I read that Wireshark can help but I can't seem to find a version that is an easy install on my RedHat ES4 server, and tcpdump -w <filename> is not writing any data to the file (which appears to be a common issue).
Any help you can provide is greatly appreciated. Thanks!
In these traces, 192.168.15.110 is the subnet address of my server on the LAN. 68.105.28.11 (first trace) and 68.97.134.35 (2nd trace) are the remote hosts trying to connect.
1st tcpdump trace:
23:09:06.027569 IP 68.97.134.35.2061 > 192.168.15.110.2401: S 2372848851:2372848851(0) win 64512 <mss 1460,nop,nop,sackOK>
23:09:06.027708 IP 192.168.15.110.2401 > 68.97.134.35.2061: S 2920228069:2920228069(0) ack 2372848852 win 5840 <mss 1460,nop,nop,sackOK>
23:09:06.051615 IP 68.97.134.35.2061 > 192.168.15.110.2401: . ack 1 win 64512
23:09:06.051741 IP 68.97.134.35.2061 > 192.168.15.110.2401: P 1:65(64) ack 1 win 64512
23:09:06.051762 IP 192.168.15.110.2401 > 68.97.134.35.2061: . ack 65 win 5840
23:09:06.053010 IP 192.168.15.110.32809 > 68.105.28.11.53: 19175+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:09:06.065856 IP 68.105.28.11.53 > 192.168.15.110.32809: 19175 1/3/3 (194)
23:09:06.066122 IP 192.168.15.110.32809 > 68.105.28.11.53: 61137+ A? ip68-97-134-35.ok.ok.cox.net. (46)
23:09:06.075599 IP 68.105.28.11.53 > 192.168.15.110.32809: 61137 1/3/3 (171)
23:09:06.075750 IP 192.168.15.110.32809 > 68.105.28.11.53: 29707+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:09:06.085466 IP 68.105.28.11.53 > 192.168.15.110.32809: 29707 1/3/3 (194)
23:09:06.085900 IP 192.168.15.110.2401 > 68.97.134.35.2061: R 1:1(0) ack 65 win 5840
2nd tcpdump trace:
23:41:55.565349 IP ip68-97-134-35.ok.ok.cox.net.2486 > 192.168.15.110.cvspserver: S 3266663381:3266663381(0) win 64512 <mss 1460,nop,nop,sackOK>
23:41:55.641813 IP 192.168.15.110.cvspserver > ip68-97-134-35.ok.ok.cox.net.2486: S 709945735:709945735(0) ack 3266663382 win 5840 <mss 1460,nop,nop,sackOK>
23:41:55.565987 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 9606+ PTR? 110.15.168.192.in-addr.arpa. (45)
23:41:55.631615 IP cdns1.cox.net.domain > 192.168.15.110.32811: 9606 NXDomain 0/1/0 (122)
23:41:55.631754 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 2291+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:41:55.641733 IP cdns1.cox.net.domain > 192.168.15.110.32811: 2291 1/3/3 (194)
23:41:55.641945 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 47545+ PTR? 11.28.105.68.in-addr.arpa. (43)
23:41:55.651228 IP cdns1.cox.net.domain > 192.168.15.110.32811: 47545 1/3/3 (179)
23:41:55.673713 IP ip68-97-134-35.ok.ok.cox.net.2486 > 192.168.15.110.cvspserver: . ack 1 win 64512
23:41:55.673962 IP ip68-97-134-35.ok.ok.cox.net.2486 > 192.168.15.110.cvspserver: P 1:65(64) ack 1 win 64512
23:41:55.673983 IP 192.168.15.110.cvspserver > ip68-97-134-35.ok.ok.cox.net.2486: . ack 65 win 5840
23:41:55.675066 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 52806+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:41:55.683330 IP cdns1.cox.net.domain > 192.168.15.110.32811: 52806 1/3/3 (194)
23:41:55.683581 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 46756+ A? ip68-97-134-35.ok.ok.cox.net. (46)
23:41:55.694197 IP cdns1.cox.net.domain > 192.168.15.110.32811: 46756 1/3/3 (171)
23:41:55.694353 IP 192.168.15.110.32811 > cdns1.cox.net.domain: 28342+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:41:55.703315 IP cdns1.cox.net.domain > 192.168.15.110.32811: 28342 1/3/3 (194)
23:41:55.703749 IP 192.168.15.110.cvspserver > ip68-97-134-35.ok.ok.cox.net.2486: R 1:1(0) ack 65 win 5840
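The two traces above share one shape: the TCP handshake completes, the client sends its first 64 bytes, the server then asks the provider's DNS for the client's PTR record (the in-addr.arpa name), resolves that name back to an address, repeats the PTR query, and only then sends the RST. Those are DNS queries over UDP, not ARP. The script below is an added example, not code from the poster; it parses the first trace (embedded verbatim as the sample input) and, for every client connection that the server reset, lists the name lookups the server issued between SYN and RST and checks whether they concerned the client's own address. The verdict string is this editor's reading of that pattern, which the /etc/hosts.allow fix later in the thread bears out: reverse-then-forward resolution of the peer followed by a refusal is the behaviour of host-based access control rather than of the CVS protocol itself. The server address is passed in as a parameter so the same logic runs over the second trace or any other `tcpdump` capture of the same format.

```python
import re

# Constructed sample input: the first trace from the post above, copied verbatim.
TRACE = """\
23:09:06.027569 IP 68.97.134.35.2061 > 192.168.15.110.2401: S 2372848851:2372848851(0) win 64512 <mss 1460,nop,nop,sackOK>
23:09:06.027708 IP 192.168.15.110.2401 > 68.97.134.35.2061: S 2920228069:2920228069(0) ack 2372848852 win 5840 <mss 1460,nop,nop,sackOK>
23:09:06.051615 IP 68.97.134.35.2061 > 192.168.15.110.2401: . ack 1 win 64512
23:09:06.051741 IP 68.97.134.35.2061 > 192.168.15.110.2401: P 1:65(64) ack 1 win 64512
23:09:06.051762 IP 192.168.15.110.2401 > 68.97.134.35.2061: . ack 65 win 5840
23:09:06.053010 IP 192.168.15.110.32809 > 68.105.28.11.53: 19175+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:09:06.065856 IP 68.105.28.11.53 > 192.168.15.110.32809: 19175 1/3/3 (194)
23:09:06.066122 IP 192.168.15.110.32809 > 68.105.28.11.53: 61137+ A? ip68-97-134-35.ok.ok.cox.net. (46)
23:09:06.075599 IP 68.105.28.11.53 > 192.168.15.110.32809: 61137 1/3/3 (171)
23:09:06.075750 IP 192.168.15.110.32809 > 68.105.28.11.53: 29707+ PTR? 35.134.97.68.in-addr.arpa. (43)
23:09:06.085466 IP 68.105.28.11.53 > 192.168.15.110.32809: 29707 1/3/3 (194)
23:09:06.085900 IP 192.168.15.110.2401 > 68.97.134.35.2061: R 1:1(0) ack 65 win 5840
"""

# "<time> IP <host>.<port> > <host>.<port>: <rest>"; the host part may be an
# address or a resolved name, so the port is whatever follows the last dot.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[^\s:]+)\.(?P<sport>[^\s.:]+) > "
    r"(?P<dst>[^\s:]+)\.(?P<dport>[^\s.:]+): (?P<rest>.*)$"
)
# A DNS query as tcpdump prints it: "<id>+ <type>? <name>. (<len>)"
QUERY = re.compile(r"^\d+\+?\s+(?P<qtype>[A-Z]+)\?\s+(?P<name>\S+)")
DNS_PORTS = {"53", "domain"}


def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def reverse_name(ip):
    """The in-addr.arpa name tcpdump shows for a PTR query about ip."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def analyze(trace, server_ip):
    flows = {}     # (client_host, client_port) -> {"syn", "rst", "server_port"}
    lookups = []   # (time, qtype, name) for queries the server itself sent
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        t = to_seconds(m["ts"])
        if m["dport"] in DNS_PORTS or m["sport"] in DNS_PORTS:
            q = QUERY.match(m["rest"])
            if m["src"] == server_ip and q:
                lookups.append((t, q["qtype"], q["name"]))
            continue
        flag = m["rest"].split()[0]          # S, ., P, R, F ...
        if m["dst"] == server_ip:
            key, sport = (m["src"], m["sport"]), m["dport"]
        elif m["src"] == server_ip:
            key, sport = (m["dst"], m["dport"]), m["sport"]
        else:
            continue
        flow = flows.setdefault(key, {"syn": None, "rst": None, "server_port": sport})
        if flag == "S" and m["dst"] == server_ip:
            flow["syn"] = t
        elif flag == "R" and m["src"] == server_ip:
            flow["rst"] = t

    findings = []
    for (chost, cport), f in flows.items():
        if f["syn"] is None or f["rst"] is None:
            continue                          # only connections the server reset
        inside = [(qt, name) for t, qt, name in lookups if f["syn"] <= t <= f["rst"]]
        about_client = any(qt == "PTR" and name == reverse_name(chost) for qt, name in inside)
        findings.append({
            "client": f"{chost}:{cport}",
            "server_port": f["server_port"],
            "reset_after_ms": round((f["rst"] - f["syn"]) * 1000, 1),
            "lookups": inside,
            "about_client": about_client,
            "verdict": ("server resolved the client's name (reverse, then forward) "
                        "and then reset: consistent with host-based access control"
                        if about_client else "no client name lookups before the reset"),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(TRACE, "192.168.15.110"):
        print(f["client"], "->", f["server_port"], f"reset after {f['reset_after_ms']} ms")
        for qt, name in f["lookups"]:
            print("   ", qt, name)
        print("   ", f["verdict"])
```

Run with `tcpdump -n` when capturing, as the first trace was: with name resolution left on (second trace) tcpdump itself issues PTR queries for every address it prints, and those extra lookups are easy to confuse with the ones the server under investigation makes.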
04-21-2011, 11:13 AM  #2
Senior Member
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,766
For all I know, ARP does an occasional refresh to clean up the cache. It does this by sending a broadcast to the hosts. Happens all the time over here...
What you can see is a "who has" request. One host sends that request with an IP address and a "tell" in it, something like (if memory serves)
Quote:
who has 192.168.1.2 tell 192.168.1.1
That makes traffic. That you can see in the dump...
I guess that's it...try it! Enter this in the console
Quote:
tcpdump -ennqti eth0 \( arp or icmp \)
and read...
Wellness to ya!
Thor
Last edited by ButterflyMelissa; 04-21-2011 at 11:15 AM.
04-23-2011, 03:00 AM  #3
LQ Newbie
Registered: Apr 2011
Posts: 13
Original Poster
Problem solved. Added "cvs:ALL" to /etc/hosts.allow.
1 member found this post helpful.
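The one-line fix above explains the traces: /etc/hosts.allow and /etc/hosts.deny are read by tcp_wrappers (libwrap, used by xinetd-started services such as cvspserver), which looks up the connecting peer's name, consults hosts.allow first, then hosts.deny, and drops the connection when only a deny rule matches. The script below is an added example written for this thread, not the poster's configuration or the libwrap code; it models that evaluation order on constructed policy files. `HOSTS_ALLOW_BEFORE` admits every daemon from the LAN only, which with a deny-all hosts.deny reproduces "works on the LAN, refused from outside"; `HOSTS_ALLOW_FIX` appends the poster's `cvs: ALL`; `HOSTS_ALLOW_TIGHT` is an assumed narrower alternative that admits the LAN and one provider domain rather than every address. The client addresses and names are the ones from the traces plus constructed ones; `EXCEPT` lists, shell-command fields and the `PARANOID` wildcard are not modelled.

```python
import ipaddress

# Constructed policy files (not the poster's actual configuration).
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW_BEFORE = "ALL: 192.168.15.\n"
# The poster's fix, appended to the same file.
HOSTS_ALLOW_FIX = HOSTS_ALLOW_BEFORE + "cvs: ALL\n"
# Assumed narrower alternative (not from the thread): LAN plus one remote domain.
HOSTS_ALLOW_TIGHT = HOSTS_ALLOW_BEFORE + "cvs: 192.168.15., .cox.net\n"


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] for each non-comment line.
    Only the first two colon-separated fields are used; the optional shell
    command field, EXCEPT lists and option names are ignored here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        rules.append(([d.strip() for d in fields[0].split(",")],
                      [c.strip() for c in fields[1].split(",")]))
    return rules


def client_matches(pattern, addr, name):
    """name is the peer's resolved hostname, or None if it has none."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):        # ".cox.net": domain suffix, needs a name
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):          # "192.168.15.": leading-octets prefix
        return addr.startswith(pattern)
    if "/" in pattern:                 # "net/mask" in dotted or CIDR form
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == addr or pattern == name


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def access_allowed(daemon, addr, name, allow_text, deny_text):
    """tcp_wrappers order: the first matching hosts.allow rule grants access;
    otherwise the first matching hosts.deny rule refuses it; otherwise allowed."""
    for rules_text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients in parse_rules(rules_text):
            if any(daemon_matches(d, daemon) for d in daemons) and \
               any(client_matches(c, addr, name) for c in clients):
                return verdict
    return True


if __name__ == "__main__":
    remote = ("68.97.134.35", "ip68-97-134-35.ok.ok.cox.net")   # peer from the traces
    lan = ("192.168.15.50", None)                               # constructed LAN host
    for label, allow in (("before", HOSTS_ALLOW_BEFORE),
                         ("fix", HOSTS_ALLOW_FIX),
                         ("tight", HOSTS_ALLOW_TIGHT)):
        print(f"{label:7s} lan={access_allowed('cvs', *lan, allow, HOSTS_DENY)}"
              f" remote={access_allowed('cvs', *remote, allow, HOSTS_DENY)}")
```

The LAN client is passed with `name=None` to show why domain-suffix rules are fragile: a peer whose reverse lookup fails can never match a `.domain` pattern, which is exactly the kind of lookup the traces show the server performing before deciding. Prefix or `net/mask` patterns match on the address alone and do not depend on DNS.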
04-23-2011, 01:12 PM  #4
Senior Member
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,766
Quote:
Problem solved. Added "cvs:ALL" to /etc/hosts.allow
Something along Occam's philosophy: simple solutions that work! Tnx for that, I learned something, here...
Thor
04-24-2011, 10:45 PM  #5
LQ Newbie
Registered: Apr 2011
Posts: 13
Original Poster
Thank you Thor.