[afnog] connection to www.cnn.com

Mikisa Richard rmikisa at bushnet.net
Wed Jun 7 09:47:06 EAT 2006


Brian Candler wrote:

>Then that's very strange. From here:
>
># tcpdump -i rl0 -n -s1500 -vX host 64.236.29.120
>tcpdump: listening on rl0, link-type EN10MB (Ethernet), capture size 1500 bytes
>08:31:22.685655 IP (tos 0x10, ttl  64, id 9076, offset 0, flags [DF], proto: TCP (6), length: 64) 172.17.0.145.56724 > 64.236.29.120.80: S, cksum 0xa084 (correct), 667153185:667153185(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 3627334263 0,sackOK,eol>
>        0x0000:  4510 0040 2374 4000 4006 0c2e ac11 0091  E..@#t@.@.......
>        0x0010:  40ec 1d78 dd94 0050 27c3 f321 0000 0000  @..x...P'..!....
>        0x0020:  b002 ffff a084 0000 0204 05b4 0103 0301  ................
>        0x0030:  0101 080a d834 ba77 0000 0000 0402 0000  .....4.w........
>08:31:22.773900 IP (tos 0x0, ttl  44, id 27925, offset 0, flags [none], proto: TCP (6), length: 44) 64.236.29.120.80 > 172.17.0.145.56724: S, cksum 0xd1ba (correct), 2576618102:2576618102(0) ack 667153186 win 5840 <mss 1380>
>        0x0000:  4500 002c 6d15 0000 2c06 16b1 40ec 1d78  E..,m...,...@..x
>        0x0010:  ac11 0091 0050 dd94 9994 1276 27c3 f322  .....P.....v'.."
>        0x0020:  6012 16d0 d1ba 0000 0204 0564 6ea5       `..........dn.
>08:31:22.774041 IP (tos 0x10, ttl  64, id 9077, offset 0, flags [DF], proto: TCP (6), length: 40) 172.17.0.145.56724 > 64.236.29.120.80: ., cksum 0xfff7 (correct), ack 1 win 65535
>        0x0000:  4510 0028 2375 4000 4006 0c45 ac11 0091  E..(#u@.@..E....
>        0x0010:  40ec 1d78 dd94 0050 27c3 f322 9994 1277  @..x...P'.."...w
>        0x0020:  5010 ffff fff7 0000 0000 0000 0000       P.............
>08:31:26.506344 IP (tos 0x10, ttl  64, id 9078, offset 0, flags [DF], proto: TCP (6), length: 50) 172.17.0.145.56724 > 64.236.29.120.80: P, cksum 0x6728 (correct), 1:11(10) ack 1 win 65535
>        0x0000:  4510 0032 2376 4000 4006 0c3a ac11 0091  E..2#v@.@..:....
>        0x0010:  40ec 1d78 dd94 0050 27c3 f322 9994 1277  @..x...P'.."...w
>        0x0020:  5018 ffff 6728 0000 6173 6466 6173 6466  P...g(..asdfasdf
>        0x0030:  0d0a                                     ..
>08:31:26.593700 IP (tos 0x0, ttl  44, id 27926, offset 0, flags [none], proto: TCP (6), length: 40) 64.236.29.120.80 > 172.17.0.145.56724: ., cksum 0xe91d (correct), ack 11 win 5840
>        0x0000:  4500 0028 6d16 0000 2c06 16b4 40ec 1d78  E..(m...,...@..x
>        0x0010:  ac11 0091 0050 dd94 9994 1277 27c3 f32c  .....P.....w'..,
>        0x0020:  5010 16d0 e91d 0000 0000 11dc f157       P............W
>08:31:26.594690 IP (tos 0x0, ttl  44, id 27927, offset 0, flags [none], proto: TCP (6), length: 311) 64.236.29.120.80 > 172.17.0.145.56724: P, cksum 0xe63f (correct), 1:272(271) ack 11 win 5840
>        0x0000:  4500 0137 6d17 0000 2c06 15a4 40ec 1d78  E..7m...,...@..x
>        0x0010:  ac11 0091 0050 dd94 9994 1277 27c3 f32c  .....P.....w'..,
>        0x0020:  5018 16d0 e63f 0000 3c21 444f 4354 5950  P....?..<!DOCTYP
>        0x0030:  4520 4854 4d4c 2050 5542 4c49 4320 222d  E.HTML.PUBLIC."-
>        0x0040:  2f2f 4945 5446 2f2f 4454 4420 4854 4d4c  //IETF//DTD.HTML
>        0x0050:  2032 2e30 2f2f 454e 223e 0a3c 6874 6d6c  .2.0//EN">.<html
>        0x0060:  3e3c 6865 6164 3e0a 3c74 6974 6c65 3e35  ><head>.<title>5
>        0x0070:  3031 204d 6574 686f 6420 4e6f 7420 496d  01.Method.Not.Im
>        0x0080:  706c 656d 656e 7465 643c 2f74 6974 6c65  plemented</title
>        0x0090:  3e0a 3c2f 6865 6164 3e3c 626f 6479 3e0a  >.</head><body>.
>        0x00a0:  3c68 313e 4d65 7468 6f64 204e 6f74 2049  <h1>Method.Not.I
>        0x00b0:  6d70 6c65 6d65 6e74 6564 3c2f 6831 3e0a  mplemented</h1>.
>        0x00c0:  3c70 3e61 7364 6661 7364 6620 746f 202f  <p>asdfasdf.to./
>        0x00d0:  206e 6f74 2073 7570 706f 7274 6564 2e3c  .not.supported.<
>        0x00e0:  6272 202f 3e0a 3c2f 703e 0a3c 6872 3e0a  br./>.</p>.<hr>.
>        0x00f0:  3c61 6464 7265 7373 3e41 7061 6368 6520  <address>Apache.
>        0x0100:  5365 7276 6572 2061 7420 7777 772e 636e  Server.at.www.cn
>        0x0110:  6e2e 636f 6d20 506f 7274 2038 303c 2f61  n.com.Port.80</a
>        0x0120:  6464 7265 7373 3e0a 3c2f 626f 6479 3e3c  ddress>.</body><
>        0x0130:  2f68 746d 6c3e 0a                        /html>.
>08:31:26.597487 IP (tos 0x0, ttl  44, id 27928, offset 0, flags [none], proto: TCP (6), length: 40) 64.236.29.120.80 > 172.17.0.145.56724: F, cksum 0xe80d (correct), 272:272(0) ack 11 win 5840
>        0x0000:  4500 0028 6d18 0000 2c06 16b2 40ec 1d78  E..(m...,...@..x
>        0x0010:  ac11 0091 0050 dd94 9994 1386 27c3 f32c  .....P......'..,
>        0x0020:  5011 16d0 e80d 0000 0000 434d 4afa       P.........CMJ.
>08:31:26.597622 IP (tos 0x10, ttl  64, id 9079, offset 0, flags [DF], proto: TCP (6), length: 40) 172.17.0.145.56724 > 64.236.29.120.80: ., cksum 0xfedd (correct), ack 273 win 65535
>        0x0000:  4510 0028 2377 4000 4006 0c43 ac11 0091  E..(#w@.@..C....
>        0x0010:  40ec 1d78 dd94 0050 27c3 f32c 9994 1387  @..x...P'..,....
>        0x0020:  5010 ffff fedd 0000 0000 
>
>You can see that the biggest response packet is only 0x137 = 311 bytes.
>
>It would be interesting to compare this with what you see.
>
from here..

# tcpdump -i eth0 -n -s1500 -vX host www.cnn.com
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 
1500 bytes
09:29:45.164908 IP (tos 0x10, ttl  64, id 4331, offset 0, flags [DF], 
length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok] 
2289377149:2289377149(0) win 5840 <mss 1460,sackOK,timestamp 2822038 
0,nop,wscale 2>
        0x0000:  4510 003c 10eb 4000 4006 ade7 29dc 00fe  E..<..@.@...)...
        0x0010:  40ec 1014 c99b 0050 8875 1f7d 0000 0000  @......P.u.}....
        0x0020:  a002 16d0 33bc 0000 0204 05b4 0402 080a  ....3...........
        0x0030:  002b 0f96 0000 0000 0103 0302            .+..........
09:29:48.164363 IP (tos 0x10, ttl  64, id 4333, offset 0, flags [DF], 
length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok] 
2289377149:2289377149(0) win 5840 <mss 1460,sackOK,timestamp 2825038 
0,nop,wscale 2>
        0x0000:  4510 003c 10ed 4000 4006 ade5 29dc 00fe  E..<..@.@...)...
        0x0010:  40ec 1014 c99b 0050 8875 1f7d 0000 0000  @......P.u.}....
        0x0020:  a002 16d0 2804 0000 0204 05b4 0402 080a  ....(...........
        0x0030:  002b 1b4e 0000 0000 0103 0302            .+.N........
09:29:54.163132 IP (tos 0x10, ttl  64, id 4335, offset 0, flags [DF], 
length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok] 
2289377149:2289377149(0) win 5840 <mss 1460,sackOK,timestamp 2831038 
0,nop,wscale 2>
        0x0000:  4510 003c 10ef 4000 4006 ade3 29dc 00fe  E..<..@.@...)...
        0x0010:  40ec 1014 c99b 0050 8875 1f7d 0000 0000  @......P.u.}....
        0x0020:  a002 16d0 1094 0000 0204 05b4 0402 080a  ................
        0x0030:  002b 32be 0000 0000 0103 0302            .+2.........
09:30:06.161681 IP (tos 0x10, ttl  64, id 4337, offset 0, flags [DF], 
length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok] 
2289377149:2289377149(0) win 5840 <mss 1460,sackOK,timestamp 2843038 
0,nop,wscale 2>
        0x0000:  4510 003c 10f1 4000 4006 ade1 29dc 00fe  E..<..@.@...)...
        0x0010:  40ec 1014 c99b 0050 8875 1f7d 0000 0000  @......P.u.}....
        0x0020:  a002 16d0 e1b3 0000 0204 05b4 0402 080a  ................
        0x0030:  002b 619e 0000 0000 0103 0302            .+a.........
09:30:30.157751 IP (tos 0x10, ttl  64, id 4339, offset 0, flags [DF], 
length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok] 
2289377149:2289377149(0) win 5840 <mss 1460,sackOK,timestamp 2867038 
0,nop,wscale 2>
        0x0000:  4510 003c 10f3 4000 4006 addf 29dc 00fe  E..<..@.@...)...
        0x0010:  40ec 1014 c99b 0050 8875 1f7d 0000 0000  @......P.u.}....
        0x0020:  a002 16d0 83f3 0000 0204 05b4 0402 080a  ................
        0x0030:  002b bf5e 0000 0000 0103 0302            .+.^........
09:31:18.150916 IP (tos 0x10, ttl  64, id 4341, offset 0, flags [DF], 
length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok] 
2289377149:2289377149(0) win 5840 <mss 1460,sackOK,timestamp 2915038 
0,nop,wscale 2>
        0x0000:  4510 003c 10f5 4000 4006 addd 29dc 00fe  E..<..@.@...)...
        0x0010:  40ec 1014 c99b 0050 8875 1f7d 0000 0000  @......P.u.}....
        0x0020:  a002 16d0 c872 0000 0204 05b4 0402 080a  .....r..........
        0x0030:  002c 7ade 0000 0000 0103 0302            .,z.........


> From what you
>say, it sounds like the SYN ACK is getting back from www.cnn.com, but not
>any subsequent ACK packets. That sounds like some very strange filtering.
>
>If .254 is a test machine that you can play with without breaking anything,
>try changing your interface MTU:
>    ifconfig eth0 mtu 576
>and then try connecting again (also with tcpdump). Once you've finished
>testing, put it back:
>    ifconfig eth0 mtu 1500
>
>However, I don't think MTU explains what you're seeing.
>
>Regards,
>
>Brian,
>
>  
>
after changing the mtu ..

 # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:11:11:35:03:36
          inet addr:41.220.0.254  Bcast:41.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:576  Metric:1
          RX packets:57995 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13733 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12182064 (11.6 Mb)  TX bytes:1579273 (1.5 Mb)

and the tcpdump ...
# tcpdump -i eth0 -n -s1500 -vX host www.cnn.com
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 
1500 bytes
09:37:10.135537 IP (tos 0x10, ttl  64, id 58144, offset 0, flags [DF], 
length: 60) 41.220.0.254.33281 > 64.236.29.120.80: S [tcp sum ok] 
2761046308:2761046308(0) win 2144 <mss 536,sackOK,timestamp 3267076 
0,nop,wscale 2>
        0x0000:  4510 003c e320 4000 4006 ce4d 29dc 00fe  E..<..@.@..M)...
        0x0010:  40ec 1d78 8201 0050 a492 3924 0000 0000  @..x...P..9$....
        0x0020:  a002 0860 7fc5 0000 0204 0218 0402 080a  ...`............
        0x0030:  0031 da04 0000 0000 0103 0302            .1..........
09:37:13.135134 IP (tos 0x10, ttl  64, id 58146, offset 0, flags [DF], 
length: 60) 41.220.0.254.33281 > 64.236.29.120.80: S [tcp sum ok] 
2761046308:2761046308(0) win 2144 <mss 536,sackOK,timestamp 3270076 
0,nop,wscale 2>
        0x0000:  4510 003c e322 4000 4006 ce4b 29dc 00fe  E..<."@.@..K)...
        0x0010:  40ec 1d78 8201 0050 a492 3924 0000 0000  @..x...P..9$....
        0x0020:  a002 0860 740d 0000 0204 0218 0402 080a  ...`t...........
        0x0030:  0031 e5bc 0000 0000 0103 0302            .1..........
09:37:19.133904 IP (tos 0x10, ttl  64, id 58148, offset 0, flags [DF], 
length: 60) 41.220.0.254.33281 > 64.236.29.120.80: S [tcp sum ok] 
2761046308:2761046308(0) win 2144 <mss 536,sackOK,timestamp 3276076 
0,nop,wscale 2>
        0x0000:  4510 003c e324 4000 4006 ce49 29dc 00fe  E..<.$@.@..I)...
        0x0010:  40ec 1d78 8201 0050 a492 3924 0000 0000  @..x...P..9$....
        0x0020:  a002 0860 5c9d 0000 0204 0218 0402 080a  ...`\...........
        0x0030:  0031 fd2c 0000 0000 0103 0302            .1.,........
09:37:31.131444 IP (tos 0x10, ttl  64, id 58150, offset 0, flags [DF], 
length: 60) 41.220.0.254.33281 > 64.236.29.120.80: S [tcp sum ok] 
2761046308:2761046308(0) win 2144 <mss 536,sackOK,timestamp 3288076 
0,nop,wscale 2>
        0x0000:  4510 003c e326 4000 4006 ce47 29dc 00fe  E..<.&@.@..G)...
        0x0010:  40ec 1d78 8201 0050 a492 3924 0000 0000  @..x...P..9$....
        0x0020:  a002 0860 2dbd 0000 0204 0218 0402 080a  ...`-...........
        0x0030:  0032 2c0c 0000 0000 0103 0302            .2,.........
09:37:55.128524 IP (tos 0x10, ttl  64, id 58152, offset 0, flags [DF], 
length: 60) 41.220.0.254.33281 > 64.236.29.120.80: S [tcp sum ok] 
2761046308:2761046308(0) win 2144 <mss 536,sackOK,timestamp 3312076 
0,nop,wscale 2>
        0x0000:  4510 003c e328 4000 4006 ce45 29dc 00fe  E..<.(@.@..E)...
        0x0010:  40ec 1d78 8201 0050 a492 3924 0000 0000  @..x...P..9$....
        0x0020:  a002 0860 cffc 0000 0204 0218 0402 080a  ...`............
        0x0030:  0032 89cc 0000 0000 0103 0302            .2..........
09:38:43.120687 IP (tos 0x10, ttl  64, id 58154, offset 0, flags [DF], 
length: 60) 41.220.0.254.33281 > 64.236.29.120.80: S [tcp sum ok] 
2761046308:2761046308(0) win 2144 <mss 536,sackOK,timestamp 3360076 
0,nop,wscale 2>
        0x0000:  4510 003c e32a 4000 4006 ce43 29dc 00fe  E..<.*@.@..C)...
        0x0010:  40ec 1d78 8201 0050 a492 3924 0000 0000  @..x...P..9$....
        0x0020:  a002 0860 147c 0000 0204 0218 0402 080a  ...`.|..........
        0x0030:  0033 454c 0000 0000 0103 0302            .3EL........

Must be noted however that since yesterday morning, the telnet no longer 
connects at all.

# telnet www.cnn.com 80
Trying 64.236.16.20...
telnet: connect to address 64.236.16.20: Connection timed out
Trying 64.236.16.52...
telnet: connect to address 64.236.16.52: Connection timed out
Trying 64.236.16.84...


-- 
Richard
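
A way to read the two captures in this thread side by side, as an added example that is not part of the original messages: the script pairs each SYN with a SYN-ACK that acknowledges its sequence number plus one, and lists the gaps between repeated copies of a SYN. The names `CAPTURE`, `syn_report` and `is_backoff` are this example's own; the sample lines are summary lines from the captures above, re-joined onto one line each with the TCP options trimmed.

```python
import re
from collections import defaultdict

# Summary lines from the captures in this thread (re-joined, options trimmed).
CAPTURE = """\
08:31:22.685655 IP (tos 0x10, ttl  64, id 9076, offset 0, flags [DF], proto: TCP (6), length: 64) 172.17.0.145.56724 > 64.236.29.120.80: S, cksum 0xa084 (correct), 667153185:667153185(0) win 65535
08:31:22.773900 IP (tos 0x0, ttl  44, id 27925, offset 0, flags [none], proto: TCP (6), length: 44) 64.236.29.120.80 > 172.17.0.145.56724: S, cksum 0xd1ba (correct), 2576618102:2576618102(0) ack 667153186 win 5840
09:29:45.164908 IP (tos 0x10, ttl  64, id 4331, offset 0, flags [DF], length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok] 2289377149:2289377149(0) win 5840
09:29:48.164363 IP (tos 0x10, ttl  64, id 4333, offset 0, flags [DF], length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok] 2289377149:2289377149(0) win 5840
09:29:54.163132 IP (tos 0x10, ttl  64, id 4335, offset 0, flags [DF], length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok] 2289377149:2289377149(0) win 5840
09:30:06.161681 IP (tos 0x10, ttl  64, id 4337, offset 0, flags [DF], length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok] 2289377149:2289377149(0) win 5840
09:30:30.157751 IP (tos 0x10, ttl  64, id 4339, offset 0, flags [DF], length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok] 2289377149:2289377149(0) win 5840
09:31:18.150916 IP (tos 0x10, ttl  64, id 4341, offset 0, flags [DF], length: 60) 41.220.0.254.51611 > 64.236.16.20.80: S [tcp sum ok] 2289377149:2289377149(0) win 5840
"""

# Matches only segments whose flag field is exactly "S" (SYN or SYN-ACK).
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP .*?\) (\S+) > (\S+): S,? "
    r".*?(\d+):\d+\(\d+\)(?: ack (\d+))?")

def syn_report(text):
    """Map (src, dst, seq) -> (answered, gaps in whole seconds between copies)."""
    syns, answered = defaultdict(list), set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # hex dump line or a non-SYN segment
        h, mi, s, src, dst, seq, ack = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        if ack:  # SYN-ACK: it answers the SYN whose seq is ack - 1
            answered.add((dst, src, int(ack) - 1))
        else:
            syns[(src, dst, int(seq))].append(t)
    return {k: (k in answered, [round(b - a) for a, b in zip(ts, ts[1:])])
            for k, ts in syns.items()}

def is_backoff(gaps):
    """True when every retransmission gap is double the previous one."""
    return len(gaps) >= 2 and all(b == 2 * a for a, b in zip(gaps, gaps[1:]))

if __name__ == "__main__":
    for flow, (ok, gaps) in syn_report(CAPTURE).items():
        print(flow, "answered" if ok else "UNANSWERED", gaps, is_backoff(gaps))
```

On these lines the 08:31 flow is answered by a SYN-ACK, while the 09:29 flow from 41.220.0.254 is six copies of one SYN at doubling intervals with nothing coming back.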



