[ale] Using tcpdump to diagnose website connecting

James P. Kinney III jkinney at localnetsolutions.com
Fri Apr 25 08:41:42 EDT 2003


Ah, HA! ECN, Explicit Congestion Notification. Under most circumstances,
it would be a good thing to get back a packet that tells you that the
route is clogged. But there are many routers that don't support it. So
if you have ecn set, those routers will puke on your packet and drop it
on the floor.

Right now (and for the foreseeable future) it is best to leave that
option off.

Good hunting! I had forgotten about that as I don't even compile it in
my kernels any more.

On Thu, 2003-04-24 at 22:48, Mike Millson wrote:
> This explains it:
> 
> http://www.tcpdump.org/lists/workers/2001/06/msg00079.html
> 
> I turned ECN off as follows:
> echo 0 > /proc/sys/net/ipv4/tcp_ecn
> 
> As soon as I did that, I'm able to view mrslim.com and mci.com.
> 
> Tomorrow I'll have to learn what ECN is and what this all means...
> 
> Mike
> 
> On Thu, 2003-04-24 at 21:59, James P. Kinney III wrote:
> > Mike,
> > 
> > That is quite strange. My only surmise is that the route to mrslim and
> > friends has a problem and is dropping the SYN request. Try a traceroute.
> > 
> > Also double-check your iptables rules. You may have a "drop half open
> > connections" line in there. 
> > 
> > Let us know what you find. I like puzzles. I like solutions, too. :)
> > 
> > On Thu, 2003-04-24 at 21:49, Mike Millson wrote:
> > > Thanks James,
> > > 
> > > I have no trouble browsing other sites, there's just something about
> > > that mrslim site. It also happens when I try to view mci.com. I can view
> > > it fine on my windoze machine, but the mci.com server does not respond
> > > to my SYN request on my linux box/firewall/gateway. MCI's server is
> > > Netscape-Enterprise/4.1.
> > > 
> > > Mike
> > > 
> > > On Thu, 2003-04-24 at 21:25, James P. Kinney III wrote: 
> > > > Sorry Mike. I should have also suggested to turn off the iptables for a
> > > > second and retry. That is the most likely culprit. 
> > > > 
> > > > Unless, of course you can browse to any other site already from the
> > > > Linux box BUT the mrslim.com site. In which case, I'm stumped.
> > > > 
> > > > It's not a site issue as I can get it here on a RedHat 8 box with galeon
> > > > running through a Linux NAT/firewall/gateway.
> > > > 
> > > > On Thu, 2003-04-24 at 20:56, Mike Millson wrote:
> > > > > James,
> > > > > 
> > > > > > Per the html headers, mrslim is apparently running on Apache on Unix:
> > > > > Apache/1.3.9 (Unix). Unless the header is forged, mrslim isn't on an IIS
> > > > > server.
> > > > > 
> > > > > Mike 
> > > > > 
> > > > > On Thu, 2003-04-24 at 20:14, James P. Kinney III wrote:
> > > > > > > M$ has a broken tcp stack (still). It will ignore the initial state
> > > > > > > connection flags. This is especially a problem with unpatched IIS
> > > > > > > servers that ignore the initiating SYN/ACK on an http connection.
> > > > > > 
> > > > > > On Thu, 2003-04-24 at 19:41, Mike Millson wrote:
> > > > > > > I have a RH 7.1 box that I am using as a router and does NAT to share my
> > > > > > > ADSL connection with a Windoze 2K machine.
> > > > > > > 
> > > > > > > I cannot connect to www.mrslim.com from the Linux box; however, I can
> > > > > > > from the Windoze box.
> > > > > > > 
> > > > > > > Using tcpdump, I see the difference in the connections is that the
> > > > > > > Windoze SYN is ACK'd, but the Linux SYN is not.
> > > > > > > 
> > > > > > > Here are the relevant tcpdump lines:
> > > > > > > 
> > > > > > > Router/Server:
> > > > > > > 16:56:08.050143 68.157.175.145.53263 > 216.237.21.5.http: SWE
> > > > > > > 1875630922:1875630922(0) win 5808 <mss 1452,sackOK,timestamp 852565069
> > > > > > > 0,nop,wscale 0> (DF)
> > > > > > > 
> > > > > > > Windoze machine:
> > > > > > > 17:05:05.346259 68.157.175.145.3490 > 216.237.21.5.http: S
> > > > > > > 3816606182:3816606182(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> > > > > > > 
> > > > > > > I'm running iptables, and any packets I reject are logged. I don't see
> > > > > > > any rejected packets logged when the SYN is not answered - just the
> > > > > > > connection times out after multiple SYN requests are not answered.
> > > > > > > 
> > > > > > > > Can anyone shed any light on what is going on here, why the Linux SYN is
> > > > > > > > not being answered, and how I can fix this? How come the linux box issues an
> > > > > > > > SWE request instead of just S? What is SWE?
> > > > > > > 
> > > > > > > Thank you,
> > > > > > > Mike
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
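
Added example, not part of the original thread or of tcpdump: a small Python check that reads tcpdump text output, finds servers that never answered an ECN-setup SYN (the "SWE" flags in the capture above), and records whether a plain SYN to the same server was answered. The function names, the report keys and the sample capture (documentation addresses, constructed in the thread's format) are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Legacy output ("src > dst: SWE 1:1(0) ...") and current ("... Flags [SEW], seq ...").
LINE = re.compile(r"^\S+ (?:IP )?(?P<src>\S+) > (?P<dst>\S+): "
                  r"(?:Flags \[(?P<new>[A-Za-z.]+)\]|(?P<old>[SFPRUWE.]+) )(?P<rest>.*)$")

def classify(line):
    """Return (src, dst, kind) for a SYN or SYN-ACK line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    flags = m.group("new") or m.group("old")
    if "S" not in flags:
        return None
    # Legacy tcpdump prints the ACK as an "ack N" field, current tcpdump as ".".
    if "." in flags or re.search(r"\sack \d+", m.group("rest")):
        return m.group("src"), m.group("dst"), "synack"
    # An ECN-setup SYN carries both ECE ("E") and CWR ("W"): the "SWE" in the capture.
    ecn = "E" in flags and "W" in flags
    return m.group("src"), m.group("dst"), "ecn_syn" if ecn else "syn"

def unanswered_ecn(lines):
    """Map each server that ignored every ECN-setup SYN to a short finding."""
    sent = defaultdict(lambda: defaultdict(set))   # server -> kind -> client endpoints
    answered = set()                               # (server, client) that got a SYN-ACK
    for src, dst, kind in filter(None, map(classify, lines)):
        if kind == "synack":
            answered.add((src, dst))
        else:
            sent[dst][kind].add(src)
    report = {}
    for server, kinds in sent.items():
        lost = [c for c in kinds["ecn_syn"] if (server, c) not in answered]
        if lost and len(lost) == len(kinds["ecn_syn"]):
            report[server] = {
                "ecn_flows_unanswered": len(lost),
                # A plain SYN that was answered points at ECN, not routing or the site.
                "plain_syn_answered": any((server, c) in answered for c in kinds["syn"]),
            }
    return report

# Constructed capture in the thread's tcpdump format (documentation addresses).
SAMPLE = """\
16:56:08.050143 198.51.100.7.53263 > 192.0.2.80.http: SWE 1875630922:1875630922(0) win 5808 <mss 1452,sackOK,timestamp 852565069 0,nop,wscale 0> (DF)
16:56:11.049871 198.51.100.7.53263 > 192.0.2.80.http: SWE 1875630922:1875630922(0) win 5808 <mss 1452,sackOK,timestamp 852565369 0,nop,wscale 0> (DF)
17:05:05.346259 198.51.100.7.3490 > 192.0.2.80.http: S 3816606182:3816606182(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:05:05.401112 192.0.2.80.http > 198.51.100.7.3490: S 2041187300:2041187300(0) ack 3816606183 win 8760 <mss 1460> (DF)
"""
```

Calling unanswered_ecn(SAMPLE.splitlines()) reports 192.0.2.80.http with one unanswered ECN flow and an answered plain SYN, the same pattern Mike saw before he set tcp_ecn to 0.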
