[afnog] connection to www.cnn.com
Mikisa Richard
rmikisa at bushnet.net
Wed Jun 7 09:47:06 EAT 2006
Brian Candler wrote:
>Then that's very strange. From here:
>
># tcpdump -i rl0 -n -s1500 -vX host 64.236.29.120
>tcpdump: listening on rl0, link-type EN10MB (Ethernet), capture size 1500 bytes
>08:31:22.685655 IP (tos 0x10, ttl 64, id 9076, offset 0, flags [DF], proto: TCP (6), length: 64) 172.17.0.145.56724 > 64.236.29.120.80: S, cksum 0xa084 (correct), 667153185:667153185(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 3627334263 0,sackOK,eol>
> 0x0000: 4510 0040 2374 4000 4006 0c2e ac11 0091 E..@#t@.@.......
> 0x0010: 40ec 1d78 dd94 0050 27c3 f321 0000 0000 @..x...P'..!....
> 0x0020: b002 ffff a084 0000 0204 05b4 0103 0301 ................
> 0x0030: 0101 080a d834 ba77 0000 0000 0402 0000 .....4.w........
>08:31:22.773900 IP (tos 0x0, ttl 44, id 27925, offset 0, flags [none], proto: TCP (6), length: 44) 64.236.29.120.80 > 172.17.0.145.56724: S, cksum 0xd1ba (correct), 2576618102:2576618102(0) ack 667153186 win 5840 <mss 1380>
> 0x0000: 4500 002c 6d15 0000 2c06 16b1 40ec 1d78 E..,m...,...@..x
> 0x0010: ac11 0091 0050 dd94 9994 1276 27c3 f322 .....P.....v'.."
> 0x0020: 6012 16d0 d1ba 0000 0204 0564 6ea5 `..........dn.
>08:31:22.774041 IP (tos 0x10, ttl 64, id 9077, offset 0, flags [DF], proto: TCP (6), length: 40) 172.17.0.145.56724 > 64.236.29.120.80: ., cksum 0xfff7 (correct), ack 1 win 65535
> 0x0000: 4510 0028 2375 4000 4006 0c45 ac11 0091 E..(#u@.@..E....
> 0x0010: 40ec 1d78 dd94 0050 27c3 f322 9994 1277 @..x...P'.."...w
> 0x0020: 5010 ffff fff7 0000 0000 0000 0000 P.............
>08:31:26.506344 IP (tos 0x10, ttl 64, id 9078, offset 0, flags [DF], proto: TCP (6), length: 50) 172.17.0.145.56724 > 64.236.29.120.80: P, cksum 0x6728 (correct), 1:11(10) ack 1 win 65535
> 0x0000: 4510 0032 2376 4000 4006 0c3a ac11 0091 E..2#v@.@..:....
> 0x0010: 40ec 1d78 dd94 0050 27c3 f322 9994 1277 @..x...P'.."...w
> 0x0020: 5018 ffff 6728 0000 6173 6466 6173 6466 P...g(..asdfasdf
> 0x0030: 0d0a ..
>08:31:26.593700 IP (tos 0x0, ttl 44, id 27926, offset 0, flags [none], proto: TCP (6), length: 40) 64.236.29.120.80 > 172.17.0.145.56724: ., cksum 0xe91d (correct), ack 11 win 5840
> 0x0000: 4500 0028 6d16 0000 2c06 16b4 40ec 1d78 E..(m...,...@..x
> 0x0010: ac11 0091 0050 dd94 9994 1277 27c3 f32c .....P.....w'..,
> 0x0020: 5010 16d0 e91d 0000 0000 11dc f157 P............W
>08:31:26.594690 IP (tos 0x0, ttl 44, id 27927, offset 0, flags [none], proto: TCP (6), length: 311) 64.236.29.120.80 > 172.17.0.145.56724: P, cksum 0xe63f (correct), 1:272(271) ack 11 win 5840
> 0x0000: 4500 0137 6d17 0000 2c06 15a4 40ec 1d78 E..7m...,...@..x
> 0x0010: ac11 0091 0050 dd94 9994 1277 27c3 f32c .....P.....w'..,
> 0x0020: 5018 16d0 e63f 0000 3c21 444f 4354 5950 P....?..<!DOCTYP
> 0x0030: 4520 4854 4d4c 2050 5542 4c49 4320 222d E.HTML.PUBLIC."-
> 0x0040: 2f2f 4945 5446 2f2f 4454 4420 4854 4d4c //IETF//DTD.HTML
> 0x0050: 2032 2e30 2f2f 454e 223e 0a3c 6874 6d6c .2.0//EN">.<html
> 0x0060: 3e3c 6865 6164 3e0a 3c74 6974 6c65 3e35 ><head>.<title>5
> 0x0070: 3031 204d 6574 686f 6420 4e6f 7420 496d 01.Method.Not.Im
> 0x0080: 706c 656d 656e 7465 643c 2f74 6974 6c65 plemented</title
> 0x0090: 3e0a 3c2f 6865 6164 3e3c 626f 6479 3e0a >.</head><body>.
> 0x00a0: 3c68 313e 4d65 7468 6f64 204e 6f74 2049 <h1>Method.Not.I
> 0x00b0: 6d70 6c65 6d65 6e74 6564 3c2f 6831 3e0a mplemented</h1>.
> 0x00c0: 3c70 3e61 7364 6661 7364 6620 746f 202f <p>asdfasdf.to./
> 0x00d0: 206e 6f74 2073 7570 706f 7274 6564 2e3c .not.supported.<
> 0x00e0: 6272 202f 3e0a 3c2f 703e 0a3c 6872 3e0a br./>.</p>.<hr>.
> 0x00f0: 3c61 6464 7265 7373 3e41 7061 6368 6520 <address>Apache.
> 0x0100: 5365 7276 6572 2061 7420 7777 772e 636e Server.at.www.cn
> 0x0110: 6e2e 636f 6d20 506f 7274 2038 303c 2f61 n.com.Port.80</a
> 0x0120: 6464 7265 7373 3e0a 3c2f 626f 6479 3e3c ddress>.</body><
> 0x0130: 2f68 746d 6c3e 0a /html>.
>08:31:26.597487 IP (tos 0x0, ttl 44, id 27928, offset 0, flags [none], proto: TCP (6), length: 40) 64.236.29.120.80 > 172.17.0.145.56724: F, cksum 0xe80d (correct), 272:272(0) ack 11 win 5840
> 0x0000: 4500 0028 6d18 0000 2c06 16b2 40ec 1d78 E..(m...,...@..x
> 0x0010: ac11 0091 0050 dd94 9994 1386 27c3 f32c .....P......'..,
> 0x0020: 5011 16d0 e80d 0000 0000 434d 4afa P.........CMJ.
>08:31:26.597622 IP (tos 0x10, ttl 64, id 9079, offset 0, flags [DF], proto: TCP (6), length: 40) 172.17.0.145.56724 > 64.236.29.120.80: ., cksum 0xfedd (correct), ack 273 win 65535
> 0x0000: 4510 0028 2377 4000 4006 0c43 ac11 0091 E..(#w@.@..C....
> 0x0010: 40ec 1d78 dd94 0050 27c3 f32c 9994 1387 @..x...P'..,....
> 0x0020: 5010 ffff fedd 0000 0000
>
>You can see that the biggest response packet is only 0x137 = 311 bytes.
>
>It would be interesting to compare this with what you see.
>
from here..
# tcpdump -i eth0 -n -s1500 -vX host www.cnn.com
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
1500 bytes
09:29:45.164908 IP (tos 0x10, ttl 64, id 4331, offset 0, flags [DF],
length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok]
2289377149:2289377149(0) win 5840 <mss 1460,sackOK,timestamp 2822038
0,nop,wscale 2>
0x0000: 4510 003c 10eb 4000 4006 ade7 29dc 00fe E..<..@.@...)...
0x0010: 40ec 1014 c99b 0050 8875 1f7d 0000 0000 @......P.u.}....
0x0020: a002 16d0 33bc 0000 0204 05b4 0402 080a ....3...........
0x0030: 002b 0f96 0000 0000 0103 0302 .+..........
09:29:48.164363 IP (tos 0x10, ttl 64, id 4333, offset 0, flags [DF],
length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok]
2289377149:2289377149(0) win 5840 <mss 1460,sackOK,timestamp 2825038
0,nop,wscale 2>
0x0000: 4510 003c 10ed 4000 4006 ade5 29dc 00fe E..<..@.@...)...
0x0010: 40ec 1014 c99b 0050 8875 1f7d 0000 0000 @......P.u.}....
0x0020: a002 16d0 2804 0000 0204 05b4 0402 080a ....(...........
0x0030: 002b 1b4e 0000 0000 0103 0302 .+.N........
09:29:54.163132 IP (tos 0x10, ttl 64, id 4335, offset 0, flags [DF],
length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok]
2289377149:2289377149(0) win 5840 <mss 1460,sackOK,timestamp 2831038
0,nop,wscale 2>
0x0000: 4510 003c 10ef 4000 4006 ade3 29dc 00fe E..<..@.@...)...
0x0010: 40ec 1014 c99b 0050 8875 1f7d 0000 0000 @......P.u.}....
0x0020: a002 16d0 1094 0000 0204 05b4 0402 080a ................
0x0030: 002b 32be 0000 0000 0103 0302 .+2.........
09:30:06.161681 IP (tos 0x10, ttl 64, id 4337, offset 0, flags [DF],
length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok]
2289377149:2289377149(0) win 5840 <mss 1460,sackOK,timestamp 2843038
0,nop,wscale 2>
0x0000: 4510 003c 10f1 4000 4006 ade1 29dc 00fe E..<..@.@...)...
0x0010: 40ec 1014 c99b 0050 8875 1f7d 0000 0000 @......P.u.}....
0x0020: a002 16d0 e1b3 0000 0204 05b4 0402 080a ................
0x0030: 002b 619e 0000 0000 0103 0302 .+a.........
09:30:30.157751 IP (tos 0x10, ttl 64, id 4339, offset 0, flags [DF],
length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok]
2289377149:2289377149(0) win 5840 <mss 1460,sackOK,timestamp 2867038
0,nop,wscale 2>
0x0000: 4510 003c 10f3 4000 4006 addf 29dc 00fe E..<..@.@...)...
0x0010: 40ec 1014 c99b 0050 8875 1f7d 0000 0000 @......P.u.}....
0x0020: a002 16d0 83f3 0000 0204 05b4 0402 080a ................
0x0030: 002b bf5e 0000 0000 0103 0302 .+.^........
09:31:18.150916 IP (tos 0x10, ttl 64, id 4341, offset 0, flags [DF],
length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok]
2289377149:2289377149(0) win 5840 <mss 1460,sackOK,timestamp 2915038
0,nop,wscale 2>
0x0000: 4510 003c 10f5 4000 4006 addd 29dc 00fe E..<..@.@...)...
0x0010: 40ec 1014 c99b 0050 8875 1f7d 0000 0000 @......P.u.}....
0x0020: a002 16d0 c872 0000 0204 05b4 0402 080a .....r..........
0x0030: 002c 7ade 0000 0000 0103 0302 .,z.........
> From what you
>say, it sounds like the SYN ACK is getting back from www.cnn.com, but not
>any subsequent ACK packets. That sounds like some very strange filtering.
>
>If .254 is a test machine that you can play with without breaking anything,
>try changing your interface MTU:
> ifconfig eth0 mtu 576
>and then try connecting again (also with tcpdump). Once you've finished
>testing, put it back:
> ifconfig eth0 mtu 1500
>
>However, I don't think MTU explains what you're seeing.
>
>Regards,
>
>Brian,
>
>
>
after changing the mtu ..
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:11:35:03:36
inet addr:41.220.0.254 Bcast:41.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:576 Metric:1
RX packets:57995 errors:0 dropped:0 overruns:0 frame:0
TX packets:13733 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12182064 (11.6 Mb) TX bytes:1579273 (1.5 Mb)
and the tcpdump ...
# tcpdump -i eth0 -n -s1500 -vX host www.cnn.com
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
1500 bytes
09:37:10.135537 IP (tos 0x10, ttl 64, id 58144, offset 0, flags [DF],
length: 60) 41.220.0.254.33281 > 64.236.29.120.80: S [tcp sum ok]
2761046308:2761046308(0) win 2144 <mss 536,sackOK,timestamp 3267076
0,nop,wscale 2>
0x0000: 4510 003c e320 4000 4006 ce4d 29dc 00fe E..<..@.@..M)...
0x0010: 40ec 1d78 8201 0050 a492 3924 0000 0000 @..x...P..9$....
0x0020: a002 0860 7fc5 0000 0204 0218 0402 080a ...`............
0x0030: 0031 da04 0000 0000 0103 0302 .1..........
09:37:13.135134 IP (tos 0x10, ttl 64, id 58146, offset 0, flags [DF],
length: 60) 41.220.0.254.33281 > 64.236.29.120.80: S [tcp sum ok]
2761046308:2761046308(0) win 2144 <mss 536,sackOK,timestamp 3270076
0,nop,wscale 2>
0x0000: 4510 003c e322 4000 4006 ce4b 29dc 00fe E..<."@.@..K)...
0x0010: 40ec 1d78 8201 0050 a492 3924 0000 0000 @..x...P..9$....
0x0020: a002 0860 740d 0000 0204 0218 0402 080a ...`t...........
0x0030: 0031 e5bc 0000 0000 0103 0302 .1..........
09:37:19.133904 IP (tos 0x10, ttl 64, id 58148, offset 0, flags [DF],
length: 60) 41.220.0.254.33281 > 64.236.29.120.80: S [tcp sum ok]
2761046308:2761046308(0) win 2144 <mss 536,sackOK,timestamp 3276076
0,nop,wscale 2>
0x0000: 4510 003c e324 4000 4006 ce49 29dc 00fe E..<.$@.@..I)...
0x0010: 40ec 1d78 8201 0050 a492 3924 0000 0000 @..x...P..9$....
0x0020: a002 0860 5c9d 0000 0204 0218 0402 080a ...`\...........
0x0030: 0031 fd2c 0000 0000 0103 0302 .1.,........
09:37:31.131444 IP (tos 0x10, ttl 64, id 58150, offset 0, flags [DF],
length: 60) 41.220.0.254.33281 > 64.236.29.120.80: S [tcp sum ok]
2761046308:2761046308(0) win 2144 <mss 536,sackOK,timestamp 3288076
0,nop,wscale 2>
0x0000: 4510 003c e326 4000 4006 ce47 29dc 00fe E..<.&@.@..G)...
0x0010: 40ec 1d78 8201 0050 a492 3924 0000 0000 @..x...P..9$....
0x0020: a002 0860 2dbd 0000 0204 0218 0402 080a ...`-...........
0x0030: 0032 2c0c 0000 0000 0103 0302 .2,.........
09:37:55.128524 IP (tos 0x10, ttl 64, id 58152, offset 0, flags [DF],
length: 60) 41.220.0.254.33281 > 64.236.29.120.80: S [tcp sum ok]
2761046308:2761046308(0) win 2144 <mss 536,sackOK,timestamp 3312076
0,nop,wscale 2>
0x0000: 4510 003c e328 4000 4006 ce45 29dc 00fe E..<.(@.@..E)...
0x0010: 40ec 1d78 8201 0050 a492 3924 0000 0000 @..x...P..9$....
0x0020: a002 0860 cffc 0000 0204 0218 0402 080a ...`............
0x0030: 0032 89cc 0000 0000 0103 0302 .2..........
09:38:43.120687 IP (tos 0x10, ttl 64, id 58154, offset 0, flags [DF],
length: 60) 41.220.0.254.33281 > 64.236.29.120.80: S [tcp sum ok]
2761046308:2761046308(0) win 2144 <mss 536,sackOK,timestamp 3360076
0,nop,wscale 2>
0x0000: 4510 003c e32a 4000 4006 ce43 29dc 00fe E..<.*@.@..C)...
0x0010: 40ec 1d78 8201 0050 a492 3924 0000 0000 @..x...P..9$....
0x0020: a002 0860 147c 0000 0204 0218 0402 080a ...`.|..........
0x0030: 0033 454c 0000 0000 0103 0302 .3EL........
Must be noted however that since yesterday morning, the telnet no longer
connects at all.
# telnet www.cnn.com 80
Trying 64.236.16.20...
telnet: connect to address 64.236.16.20: Connection timed out
Trying 64.236.16.52...
telnet: connect to address 64.236.16.52: Connection timed out
Trying 64.236.16.84...
--
Richard
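
Added example, not part of the original message: a small Python check that reads tcpdump summary lines of the kind shown above and reports flows whose SYN is retransmitted but never answered by a SYN-ACK, with the gaps between retries. The sample lines are constructed (single-line form, documentation addresses), and `unanswered_syns` and `min_syns` are names assumed here.

```python
import re
from collections import defaultdict

# Constructed sample: one answered handshake, one SYN retried with no reply.
SAMPLE = """\
08:31:22.685655 IP (tos 0x10, ttl 64, id 9076) 192.0.2.10.56724 > 198.51.100.20.80: S, cksum 0xa084 (correct), 667153185:667153185(0) win 65535 <mss 1460>
08:31:22.773900 IP (tos 0x0, ttl 44, id 27925) 198.51.100.20.80 > 192.0.2.10.56724: S, cksum 0xd1ba (correct), 2576618102:2576618102(0) ack 667153186 win 5840 <mss 1380>
09:29:45.164908 IP (tos 0x10, ttl 64, id 4331) 192.0.2.10.51611 > 198.51.100.20.80: S [tcp sum ok] 2289377149:2289377149(0) win 5840 <mss 1460>
09:29:48.164363 IP (tos 0x10, ttl 64, id 4333) 192.0.2.10.51611 > 198.51.100.20.80: S [tcp sum ok] 2289377149:2289377149(0) win 5840 <mss 1460>
09:29:54.163132 IP (tos 0x10, ttl 64, id 4335) 192.0.2.10.51611 > 198.51.100.20.80: S [tcp sum ok] 2289377149:2289377149(0) win 5840 <mss 1460>
09:30:06.161681 IP (tos 0x10, ttl 64, id 4337) 192.0.2.10.51611 > 198.51.100.20.80: S [tcp sum ok] 2289377149:2289377149(0) win 5840 <mss 1460>
"""

# time, src ip.port, dst ip.port, flags, initial sequence number, optional ack
PKT = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP .*?"
    r"(\d+(?:\.\d+){4}) > (\d+(?:\.\d+){4}): "
    r"(\S+?),? .*?(\d+):\d+\(\d+\)(?: ack (\d+))?"
)

def unanswered_syns(text, min_syns=3):
    """Return {(client, server): [gap seconds]} for SYNs sent at least
    min_syns times with the same sequence number and no SYN-ACK seen."""
    syns = defaultdict(list)   # (client, server, isn) -> send times
    answered = set()           # same key, taken from the SYN-ACK's ack - 1
    for line in text.splitlines():
        m = PKT.match(line)
        if not m:
            continue           # hex dump rows, pure ACKs, wrapped fragments
        h, mi, s, src, dst, flags, seq, ack = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        if flags != "S":
            continue
        if ack is None:        # client SYN
            syns[(src, dst, int(seq))].append(t)
        else:                  # SYN-ACK: acknowledges client ISN + 1
            answered.add((dst, src, (int(ack) - 1) % 2**32))
    report = {}
    for key, times in syns.items():
        if key not in answered and len(times) >= min_syns:
            report[key[:2]] = [round(b - a) for a, b in zip(times, times[1:])]
    return report

if __name__ == "__main__":
    for flow, gaps in unanswered_syns(SAMPLE).items():
        print(flow, "SYN retried with no SYN-ACK, gaps (s):", gaps)
```

Gaps that double on each retry with the sequence number unchanged are the sender's own retransmission timer, so the capture point never saw a reply of any kind.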