Hello guys! I was troubleshooting an app that wasnt working inside a customer network, but something wasnt right. Logs didnts any show kind of blocks so I decided to move to tcpdump.
abc:/home/login # tcpdump -ni eth0 host 192.168.5.140
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:49:46.193243 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [S], seq 4188319957, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:49:46.254389 IP 178.68.95.3.8017 > 192.168.5.140.49721: Flags [S.], seq 2457564383, ack 4188319958, win 64240, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
11:49:46.254983 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [.], ack 1, win 256, length 0
11:49:46.255670 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [P.], seq 1:52, ack 1, win 256, length 51
11:49:46.342076 IP 178.68.95.3.8017 > 192.168.5.140.49721: Flags [P.], seq 1:11, ack 52, win 64189, length 10
11:49:46.348332 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [P.], seq 52:75, ack 11, win 256, length 23
11:49:46.404257 IP 178.68.95.3.8017 > 192.168.5.140.49721: Flags [P.], seq 11:19, ack 75, win 64166, length 8
11:49:46.404916 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [P.], seq 75:112, ack 19, win 256, length 37
11:49:46.703744 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [P.], seq 75:112, ack 19, win 256, length 37
11:49:47.312194 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [P.], seq 75:112, ack 19, win 256, length 37
11:49:48.513373 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [P.], seq 75:112, ack 19, win 256, length 37
11:49:48.660513 IP 178.68.95.3.8017 > 192.168.5.140.49721: Flags [P.], seq 11:19, ack 75, win 64166, length 8
11:49:48.661006 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [.], ack 19, win 256, options [nop,nop,sack 1 {11:19}], length 0
11:49:49.714592 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [P.], seq 75:112, ack 19, win 256, length 37
11:49:50.915823 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [P.], seq 75:112, ack 19, win 256, length 37
11:49:53.333809 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [P.], seq 75:112, ack 19, win 256, length 37
11:49:53.473207 IP 178.68.95.3.8017 > 192.168.5.140.49721: Flags [P.], seq 11:19, ack 75, win 64166, length 8
11:49:53.473740 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [.], ack 19, win 256, options [nop,nop,sack 1 {11:19}], length 0
11:49:58.138704 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [P.], seq 75:112, ack 19, win 256, length 37
11:50:03.102174 IP 178.68.95.3.8017 > 192.168.5.140.49721: Flags [P.], seq 11:19, ack 75, win 64166, length 8
11:50:03.102587 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [.], ack 19, win 256, options [nop,nop,sack 1 {11:19}], length 0
11:50:07.748368 IP 192.168.5.140.49721 > 178.68.95.3.8017: Flags [R.], seq 112, ack 19, win 0, length 0
Take a look at the red line. It resends the packet sometimes but then, in line green, it acks "75" and not "112".
The weird part is if this machine is connected directly to internet, it works.
If he picks another machine inside the network (thus behind the firewall) it works too.
As you can see in the lines below, it tries many times until a RST is sent.
What the...? [:S]
This thread was automatically locked due to age.