Decoding tcpdump flags
Shadow Hawkins on Tuesday, 26 November 2013 21:52:55
I have replaced the address of the client machine with "client" and part of the remote network with "Remote".
I have an OpenBSD with one connection to the internet and a /48 routed to it.
It also has two /64s, "remote:0::/64" (alias remote::/64) and "remote:8000::/64".
From client (at home) I cannot ssh to remote:0::4 but I get packages back; here is tcpdump at client.
15:59:58.861549 IP6 client.29562 > remote::4.ssh: Flags [S], seq 4034891391, win 65535, options [mss 1220,nop,wscale 6,sackOK,TS val 44627513 ecr 0], length 0
15:59:58.898389 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22197570 ecr 44627513,nop,wscale 4], length 0
16:00:00.177602 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22197888 ecr 44627513,nop,wscale 4], length 0
16:00:01.861213 IP6 client.29562 > remote::4.ssh: Flags [S], seq 4034891391, win 65535, options [mss 1220,nop,wscale 6,sackOK,TS val 44630513 ecr 0], length 0
16:00:01.898031 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22198320 ecr 44627513,nop,wscale 4], length 0
16:00:02.169251 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22198388 ecr 44627513,nop,wscale 4], length 0
16:00:05.061211 IP6 client.29562 > remote::4.ssh: Flags [S], seq 4034891391, win 65535, options [mss 1220,nop,wscale 6,sackOK,TS val 44633713 ecr 0], length 0
16:00:05.097041 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22199120 ecr 44627513,nop,wscale 4], length 0
16:00:06.169288 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22199388 ecr 44627513,nop,wscale 4], length 0
16:00:08.261215 IP6 client.29562 > remote::4.ssh: Flags [S], seq 4034891391, win 65535, options [mss 1220,sackOK,eol], length 0
16:00:08.298172 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22199920 ecr 44627513,nop,wscale 4], length 0
16:00:11.461214 IP6 client.29562 > remote::4.ssh: Flags [S], seq 4034891391, win 65535, options [mss 1220,sackOK,eol], length 0
16:00:11.498128 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22200720 ecr 44627513,nop,wscale 4], length 0
16:00:14.170383 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22201388 ecr 44627513,nop,wscale 4], length 0
16:00:14.661237 IP6 client.29562 > remote::4.ssh: Flags [S], seq 4034891391, win 65535, options [mss 1220,sackOK,eol], length 0
16:00:14.697214 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22201520 ecr 44627513,nop,wscale 4], length 0
16:00:20.861292 IP6 client.29562 > remote::4.ssh: Flags [S], seq 4034891391, win 65535, options [mss 1220,sackOK,eol], length 0
16:00:20.897466 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22203070 ecr 44627513,nop,wscale 4], length 0
16:00:30.168515 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22205388 ecr 44627513,nop,wscale 4], length 0
16:00:33.061323 IP6 client.29562 > remote::4.ssh: Flags [S], seq 4034891391, win 65535, options [mss 1220,sackOK,eol], length 0
16:00:33.097617 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22206120 ecr 44627513,nop,wscale 4], length 0
I can however connect to remote:8000::25
16:08:15.169373 IP6 client.48582 > remote:8000::25.ssh: Flags [S], seq 54301725, win 65535, options [mss 1220,nop,wscale 6,sackOK,TS val 45123821 ecr 0], length 0
16:08:15.227855 IP6 remote:8000::25.ssh > client.48582: Flags [S.], seq 73075816, ack 54301726, win 5712, options [mss 1440,sackOK,TS val 20474041 ecr 45123821,nop,wscale 6], length 0
16:08:15.227944 IP6 client.48582 > remote:8000::25.ssh: Flags [.], ack 1, win 1038, options [nop,nop,TS val 45123879 ecr 20474041], length 0
16:08:15.307920 IP6 remote:8000::25.ssh > client.48582: Flags [P.], seq 1:33, ack 1, win 90, options [nop,nop,TS val 20474060 ecr 45123879], length 32
16:08:15.308169 IP6 client.48582 > remote:8000::25.ssh: Flags [P.], seq 1:48, ack 33, win 1038, options [nop,nop,TS val 45123959 ecr 20474060], length 47
16:08:15.367983 IP6 remote:8000::25.ssh > client.48582: Flags [.], ack 48, win 90, options [nop,nop,TS val 20474077 ecr 45123959], length 0
16:08:15.368073 IP6 client.48582 > remote:8000::25.ssh: Flags [P.], seq 48:1248, ack 33, win 1038, options [nop,nop,TS val 45124019 ecr 20474077], length 1200
16:08:15.378272 IP6 remote:8000::25.ssh > client.48582: Flags [P.], seq 33:993, ack 48, win 90, options [nop,nop,TS val 20474077 ecr 45123959], length 960
16:08:15.478217 IP6 client.48582 > remote:8000::25.ssh: Flags [P.], seq 1248:1328, ack 993, win 1038, options [nop,nop,TS val 45124130 ecr 20474077], length 80
16:08:15.530286 IP6 remote:8000::25.ssh > client.48582: Flags [.], ack 1248, win 127, options [nop,nop,TS val 20474116 ecr 45124019], length 0
16:08:15.537779 IP6 remote:8000::25.ssh > client.48582: Flags [.], ack 1328, win 127, options [nop,nop,TS val 20474118 ecr 45124130], length 0
16:08:15.548038 IP6 remote:8000::25.ssh > client.48582: Flags [P.], seq 993:1393, ack 1328, win 127, options [nop,nop,TS val 20474119 ecr 45124130], length 400
I can also see the packages in both directions on both sides of the router and on the remote::4 machine.
As far as I can tell, I have the same firewall settings for both /64's.
I can see the difference in the flags: on the non-functioning one the flags are [S] and [S.], on the functioning one I see [P], [P.] and [.] besides [S] and [S.].
What does that tell me?
Decoding tcpdump flags
Jeroen Massar on Wednesday, 27 November 2013 09:05:43
First of all, if you are not too familiar with tcpdump, try Wireshark, then you get a graphical interface with a lot more detail.
I get packages back
s/packages/packets/ ;)
It is surprising how many people write that though.
As far as I can tell, I have the same firewall settings for both /64's.
Without seeing the firewall settings, how do you expect us to guess what they are and/or what might be wrong with them?
Also note that the moment you introduce connection tracking things become magical.
I can see the difference in the flags: on the non-functioning one the flags are [S] and [S.], on the functioning one I see [P], [P.] and [.] besides [S] and [S.].
S = SYN - this starts the connection
P = PUSH - this 'pushes' data over
The problem is that when your firewall is "DROP", you will just time out and never see the [F] FIN packet that would normally be sent to terminate a connection, or the [P] for sending data.
See also Flags (9 bits) (aka Control bits) for more details about the flags.
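The flag reading above can be turned into a small checker for captures like the two in this thread. This is an added example, not code from anyone in the thread: it assumes tcpdump summary lines in the "IP6 ... Flags [...] ... length N" format shown above, groups them per endpoint pair, and reports whether the three-way handshake ever completed (SYN, SYN-ACK, then a bare ACK or data from the client).

```python
import re
from collections import defaultdict

# tcpdump TCP summary line, in the format of the captures above:
#   <time> IP6 <host>.<port> > <host>.<port>: Flags [<flags>], ..., length <n>
LINE_RE = re.compile(r"^\S+ IP6 (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
                     r"Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$")

def summarize_flows(lines):
    """Count handshake-relevant segments per endpoint pair (key is the sorted pair)."""
    flows = defaultdict(lambda: {"client": None, "syn": 0, "synack": 0, "ack": 0, "data": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a TCP summary line
        p = m.groupdict()
        src, dst = f'{p["src"]}.{p["sport"]}', f'{p["dst"]}.{p["dport"]}'
        st = flows[tuple(sorted((src, dst)))]
        flags, length = p["flags"], int(p["len"])
        if flags == "S":                  # [S]: initiator opens (or retransmits the SYN)
            st["client"], st["syn"] = src, st["syn"] + 1
        elif flags == "S.":               # [S.]: responder's SYN-ACK
            st["synack"] += 1
        if length > 0:                    # [P.] etc.: payload, so the connection is up
            st["data"] += 1
        elif flags == "." and src == st["client"]:
            st["ack"] += 1                # bare [.] from the client: third handshake step
    return dict(flows)

def diagnose(st):
    if st["syn"] and st["synack"] and not (st["ack"] or st["data"]):
        msg = "handshake never completes: SYN and SYN-ACK repeat, no client ACK or data"
        if st["synack"] > st["syn"]:
            msg += "; each SYN is answered more than once"
        return msg
    if st["data"]:
        return "established: payload exchanged"
    return "inconclusive: not enough of the flow captured"

# Constructed sample: three lines from the failing trace and four from the working one.
SAMPLE = """\
15:59:58.861549 IP6 client.29562 > remote::4.ssh: Flags [S], seq 4034891391, win 65535, options [mss 1220,nop,wscale 6,sackOK,TS val 44627513 ecr 0], length 0
15:59:58.898389 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22197570 ecr 44627513,nop,wscale 4], length 0
16:00:00.177602 IP6 remote::4.ssh > client.29562: Flags [S.], seq 753668985, ack 4034891392, win 14280, options [mss 1440,sackOK,TS val 22197888 ecr 44627513,nop,wscale 4], length 0
16:08:15.169373 IP6 client.48582 > remote:8000::25.ssh: Flags [S], seq 54301725, win 65535, options [mss 1220,nop,wscale 6,sackOK,TS val 45123821 ecr 0], length 0
16:08:15.227855 IP6 remote:8000::25.ssh > client.48582: Flags [S.], seq 73075816, ack 54301726, win 5712, options [mss 1440,sackOK,TS val 20474041 ecr 45123821,nop,wscale 6], length 0
16:08:15.227944 IP6 client.48582 > remote:8000::25.ssh: Flags [.], ack 1, win 1038, options [nop,nop,TS val 45123879 ecr 20474041], length 0
16:08:15.307920 IP6 remote:8000::25.ssh > client.48582: Flags [P.], seq 1:33, ack 1, win 90, options [nop,nop,TS val 20474060 ecr 45123879], length 32
""".splitlines()
```

Run `diagnose()` over each entry of `summarize_flows(SAMPLE)`: the remote::4 flow comes out as a handshake that never completes, with the SYN answered more than once, while the remote:8000::25 flow is established.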
Decoding tcpdump flags
Shadow Hawkins on Wednesday, 27 November 2013 12:56:47
<blush>
I had mistakenly given two servers the same IPv6 address
</blush>
If I do that with IPv4 addresses, I can see messages from ARP about changing MAC addresses for the same IP.
I did not see any error messages. Where should I look?
Strangely, IPv4 performance on some hosts was also slow; they seem to have normal speed now.
Decoding tcpdump flags
Jeroen Massar on Wednesday, 27 November 2013 16:43:07
You should get Duplicate Address Detection collisions from both systems which should be invalidating the addresses from use. (unless either system uses the alternative address).