tech-net archive


Re: ipf - RST packet w. sequence num.



> # tcpdump -n -p -vvv tcp port 18000
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 14:05:19.645888 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP 
> (6), length 64) IP0.65351 > IP1.18000: S, cksum 0x8a20 (correct), 
> 3076040396:3076040396(0) win 32768 <mss 1380,nop,wscale 
> 3,sackOK,nop,nop,nop,nop,timestamp 1 0>
> 14:05:19.646079 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP 
> (6), length 40) IP1.18000 > IP0.65351: R, cksum 0x83a3 (correct), 0:0(0) ack 
> 3076040397 win 0

> # tcpdump -n -p -vvv tcp port 18000
> tcpdump: listening on rtk0, link-type EN10MB (Ethernet), capture size 96 bytes
> 20:09:20.158824 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP 
> (6), length 64) IP0.65351 > IP1.18000: S, cksum 0xbda7 (correct), 
> 2102555286:2102555286(0) win 32768 <mss 1460,nop,wscale 
> 3,sackOK,nop,nop,nop,nop,timestamp 1 0>
> 20:09:20.451227 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP 
> (6), length 40) IP1.18000 > IP0.65351: R, cksum 0xa7f2 (correct), 
> 810606391:810606391(0) ack 2102555287 win 0

> Although the other_comp is sending the RST packet with sequence
> number 0 [...]

It probably is not.  tcpdump normally silently converts TCP sequence
numbers to relative numbers, ie it subtracts the base sequence number
for the connection as learned from the first packet seen on the
connection.  This is not, however, done for the initial packet, ie, the
one from which tcpdump learns the base sequence number.

Try tcpdumping a successful connection and looking at the sequence
numbers.  Here's an example I generated just now by running a server on
10.0.1.1 port 12345 which just did "echo foo", then connecting to it
from 10.0.1.2:

(captured on 10.0.1.1)

17:04:43.763725 10.0.1.2.65347 > 10.0.1.1.12345: S 887782560:887782560(0) win 
16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 5826875 0>
17:04:43.767954 10.0.1.1.12345 > 10.0.1.2.65347: S 1041287611:1041287611(0) ack 
887782561 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 5619379 5826875> 
(DF)
17:04:43.768673 10.0.1.2.65347 > 10.0.1.1.12345: . ack 1 win 17520 
<nop,nop,timestamp 5826875 5619379>
17:04:45.762192 10.0.1.1.12345 > 10.0.1.2.65347: P 1:5(4) ack 1 win 17520 
<nop,nop,timestamp 5619383 0> (DF)
17:04:45.763800 10.0.1.1.12345 > 10.0.1.2.65347: F 5:5(0) ack 1 win 17520 
<nop,nop,timestamp 5619383 0> (DF)
17:04:45.764519 10.0.1.2.65347 > 10.0.1.1.12345: . ack 6 win 17520 
<nop,nop,timestamp 5826879 5619383>
17:04:45.766145 10.0.1.2.65347 > 10.0.1.1.12345: F 1:1(0) ack 6 win 17520 
<nop,nop,timestamp 5826879 5619383>
17:04:45.768961 10.0.1.1.12345 > 10.0.1.2.65347: . ack 2 win 17520 
<nop,nop,timestamp 5619383 5826879> (DF)

(captured on 10.0.1.2):

17:04:43.760448 10.0.1.2.65347 > 10.0.1.1.12345: S 887782560:887782560(0) win 
16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 5826875 0>
17:04:43.765337 10.0.1.1.12345 > 10.0.1.2.65347: S 1041287611:1041287611(0) ack 
887782561 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 5619379 5826875> 
(DF)
17:04:43.765422 10.0.1.2.65347 > 10.0.1.1.12345: . ack 1 win 17520 
<nop,nop,timestamp 5826875 5619379>
17:04:45.759527 10.0.1.1.12345 > 10.0.1.2.65347: P 1:5(4) ack 1 win 17520 
<nop,nop,timestamp 5619383 0> (DF)
17:04:45.761151 10.0.1.1.12345 > 10.0.1.2.65347: F 5:5(0) ack 1 win 17520 
<nop,nop,timestamp 5619383 0> (DF)
17:04:45.761217 10.0.1.2.65347 > 10.0.1.1.12345: . ack 6 win 17520 
<nop,nop,timestamp 5826879 5619383>
17:04:45.762757 10.0.1.2.65347 > 10.0.1.1.12345: F 1:1(0) ack 6 win 17520 
<nop,nop,timestamp 5826879 5619383>
17:04:45.766312 10.0.1.1.12345 > 10.0.1.2.65347: . ack 2 win 17520 
<nop,nop,timestamp 5619383 5826879> (DF)

Note how the sequence numbers in each direction, after the initial
packet each way, are printed as small integers.

The tcpdump I have here has an option, -S, which disables this.  Given
the difference in output format, yours is clearly a different version,
but you might look for an option with similar semantics in yours.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
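As an added example (not part of the original reply or of tcpdump's own code), the following Python models the relative display described above: the first segment seen in each direction keeps its absolute sequence number and becomes that direction's base, later segments print relative to the bases, and `absolute=True` stands in for the `-S` option mentioned in the reply. The `Segment` type and `render` function are assumptions of this example; the absolute numbers are reconstructed from the two ISNs in the 10.0.1.1 capture, so the output reproduces that trace's sequence/ack columns.

```python
from dataclasses import dataclass
from typing import Optional

MASK = 0xFFFFFFFF  # sequence numbers are 32-bit, so subtract modulo 2**32

@dataclass
class Segment:               # hypothetical type for this example
    src: str                 # "ip.port"
    dst: str
    flags: str               # tcpdump-style letters: S, ., P, F, R
    seq: int                 # absolute sequence number
    ack: Optional[int]       # absolute ack number, None if no ACK flag
    length: int = 0          # payload bytes

def render(segments, absolute=False):
    """One tcpdump-like line per segment (timestamps/options omitted)."""
    base = {}  # (src, dst) -> base sequence number learned for that direction
    lines = []
    for s in segments:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        first = fwd not in base          # first segment seen this way ...
        base.setdefault(fwd, s.seq)      # ... learns the base, prints raw
        seq, ack = s.seq, s.ack
        if not absolute and not first:
            seq = (seq - base[fwd]) & MASK
            # the ack counts in the peer's numbering; it can only be made
            # relative once the peer's base is known (missed SYN: stays raw)
            if ack is not None and rev in base:
                ack = (ack - base[rev]) & MASK
        parts = [f"{s.src} > {s.dst}: {s.flags}"]
        if s.length or set(s.flags) & set("SFR"):   # range shown as in trace
            parts.append(f"{seq}:{(seq + s.length) & MASK}({s.length})")
        if ack is not None:
            parts.append(f"ack {ack}")
        lines.append(" ".join(parts))
    return lines

C, S = "10.0.1.2.65347", "10.0.1.1.12345"
CI, SI = 887782560, 1041287611   # ISNs as printed in the capture above
# constructed input: absolute numbers rebuilt from the relative 10.0.1.1 trace
TRACE = [
    Segment(C, S, "S", CI, None),            Segment(S, C, "S", SI, CI + 1),
    Segment(C, S, ".", CI + 1, SI + 1),      Segment(S, C, "P", SI + 1, CI + 1, 4),
    Segment(S, C, "F", SI + 5, CI + 1),      Segment(C, S, ".", CI + 1, SI + 6),
    Segment(C, S, "F", CI + 1, SI + 6),      Segment(S, C, ".", SI + 6, CI + 2),
]

if __name__ == "__main__":
    print("\n".join(render(TRACE)))
```

Running it with `absolute=True` prints the raw 32-bit values for every segment, which is the view to use when comparing a RST's sequence number against what the peer actually sent.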

