Re: something is randomly closing ssh-tunnels (was: ipfilter randomly dropping..)

On Tue, Jun 24, 2014 at 11:01:01PM +1000, Darren Reed wrote:
> From that capture file, there is only *one* packet with the FIN bit set
> (line 20076):


> 09:24:10.646480 IP (tos 0x0, ttl 64, id 6680, offset 0, flags [DF],
> proto TCP (6), length 1084)
>     85.X.X.X.22 > 77.X.X.X.59412: Flags [FP.], cksum 0x744b (correct),
> seq 8611816:8612848, ack 9744, win 4197, options [nop,nop,TS val 26 ecr
> 26], length 1032
> which suggests that it isn't aligned with the normal pattern that you
> are seeing?

Well, when everything works fine, I see two FINs when the connection
closes, one from each end.  Or did you mean something else?

> You might want to look more closely at the TCP session shutdown with
> wireshark to see what it thinks. Or a better idea would be to capture
> everything in/out of that NIC and concentrate on the part around where
> the session shuts down.

I just did a full tcpdump.  Then I filtered out the particular ssh
session, all imap and submission traffic and there was almost nothing
left except a few dns bits and two LLDP_Multicasts (?).

