Re: tcptrace-bugs connection tracking problem or something else?

From: Shawn Ostermann (sdo@picard.cs.ohiou.edu)
Date: 10/10/03


Message-Id: <200310101238.h9ACcbNe009987@picard.cs.ohiou.edu>
Subject: Re: tcptrace-bugs connection tracking problem or something else? 
Date: Fri, 10 Oct 2003 08:38:37 -0400
From: Shawn Ostermann <sdo@picard.cs.ohiou.edu>

Sami Farin <safari+tcptrace@iki.fi> wrote:

> I have tarpitted (Linux 2.4 netfilter) several ports which
> I also record with tcpdump..
> However, this connection isn't recognized as one connection, why?

I divided the packets from the file into groups by 'connection', below.
What you're seeing is that the receiver has advertized a zero window,
meaning that it won't accept any more data. Every 4 or 5 minutes, the
sender is sending a zero window probe, which is always refused.

You're running up against a heuristic in tcptrace. Because tcptrace
can't be sure that it's seeing all of the packets (unlike a real tcp
stack), it's difficult to know when new connections start. The
heuristic is a little complicated, but one big part is that a long
idletime (4 minutes by default) signifies a new connection. That number
can easily be changed (on the command line in recent versions).

I'm not sure what the recommendations (rules) are for zero window
probes. I thought that they were supposed to happen faster than that.
I'll have the programming team check on that.

If this is causing you a big problem, I recommend that you grab the
latest copy and look at the '--endpoint_reuse_interval=N' option, which
fixes your problem.

KSH:masaka> tcptrace --endpoint_reuse_interval=10000 file.dmp
1 arg remaining, starting with 'file.dmp'
Ostermann's tcptrace -- version 6.4.13 -- Tue Oct 7, 2003

70 98% (1:51:23.588224)
72 packets seen, 72 TCP packets traced
elapsed wallclock time: 0:00:00.011462, 6281 pkts/sec analyzed
trace file elapsed time: 1:55:26.682184
TCP connection info:
  1: 61-250-205-100.rev.krline.net:1480 - a1ec.yhteys.mtv3.fi:ftp (a2b) 36> 36<

--sdo

17:57:53.038790 61.250.205.100.1480 > 62.236.236.161.21: S 3182287062:3182287062(0) win 65535 <mss 1460,nop,nop,sackOK> (DF) [tos 0x20]
17:57:53.038976 62.236.236.161.21 > 61.250.205.100.1480: S 1501960069:1501960069(0) ack 3182287063 win 5 (DF) [tos 0x20]
17:57:53.432436 61.250.205.100.1480 > 62.236.236.161.21: . ack 1501960070 win 65535 (DF) [tos 0x20]
17:57:53.432578 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]
17:58:02.442276 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
17:58:02.442500 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]
17:58:08.870566 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
17:58:08.870704 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]
17:58:21.244542 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
17:58:21.244676 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]
17:58:45.684576 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
17:58:45.684710 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]
17:59:34.471764 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
17:59:34.471984 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]
18:01:11.028917 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
18:01:11.029049 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]
18:04:24.455716 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
18:04:24.533154 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]

18:08:26.254179 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
18:08:26.254315 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]

18:12:27.959875 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
18:12:27.960037 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]

18:16:29.763999 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
18:16:29.764193 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]

18:20:31.470765 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
18:20:31.470915 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]
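To see the idle-time heuristic described above in action, here is a small added example (not part of the original message or of tcptrace) that parses tcpdump lines like the ones above, splits the packet stream into "connections" using a configurable idle interval the way the reply describes, and counts the one-byte zero window probes. The sample input is an abridged copy of the dump quoted in this message; with a 240-second (4-minute) idle interval the sample splits into three connections, with 10000 seconds it stays one.

```python
import re
from datetime import datetime

# Abridged copy of the tcpdump output quoted in the message above.
SAMPLE = """\
17:57:53.038790 61.250.205.100.1480 > 62.236.236.161.21: S 3182287062:3182287062(0) win 65535 <mss 1460,nop,nop,sackOK> (DF) [tos 0x20]
17:57:53.038976 62.236.236.161.21 > 61.250.205.100.1480: S 1501960069:1501960069(0) ack 3182287063 win 5 (DF) [tos 0x20]
17:57:53.432578 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]
18:01:11.028917 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
18:01:11.029049 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]
18:04:24.455716 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
18:04:24.533154 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]
18:08:26.254179 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
18:08:26.254315 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]
18:12:27.959875 61.250.205.100.1480 > 62.236.236.161.21: . 3182287063:3182287064(1) ack 1501960070 win 65535 (DF) [tos 0x20]
18:12:27.960037 62.236.236.161.21 > 61.250.205.100.1480: . ack 3182287063 win 0 (DF) [tos 0x20]
"""

LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
WIN = re.compile(r"\bwin (\d+)")          # advertised receive window
SEG = re.compile(r"\d+:\d+\((\d+)\)")     # seq range with payload length in parentheses

def parse(text):
    """Turn tcpdump lines into dicts: timestamp, endpoints, window, payload length."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        w, s = WIN.search(m["rest"]), SEG.search(m["rest"])
        pkts.append({"t": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
                     "src": m["src"], "dst": m["dst"],
                     "win": int(w.group(1)) if w else None,
                     "len": int(s.group(1)) if s else 0})
    return pkts

def split_by_idle(pkts, idle_secs):
    """Simplified version of the heuristic: a gap longer than idle_secs between
    consecutive packets of the same endpoint pair starts a new 'connection'."""
    groups, open_group = [], {}   # open_group: endpoint pair -> index into groups
    for p in pkts:
        key = frozenset((p["src"], p["dst"]))
        idx = open_group.get(key)
        if idx is None or (p["t"] - groups[idx][-1]["t"]).total_seconds() > idle_secs:
            groups.append([])
            idx = open_group[key] = len(groups) - 1
        groups[idx].append(p)
    return groups

def zero_window_probes(pkts):
    """Count one-byte segments sent while the peer's last advertised window was 0."""
    last_win, probes = {}, 0
    for p in pkts:
        if p["len"] == 1 and last_win.get(p["dst"]) == 0:
            probes += 1
        if p["win"] is not None:
            last_win[p["src"]] = p["win"]
    return probes
```

The split at 18:04:24 to 18:08:26 (about 241 seconds) is exactly the kind of gap that makes tcptrace start a new connection at the default interval, which is why raising --endpoint_reuse_interval merges them.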
