[ILUG] Re: [Q] Max number of TCP(?) packets without waiting for
an ACK(?)
[ILUG] Re: [Q] Max number of TCP(?) packets without waiting for
an ACK(?)
Paul Mullen
mullen.paul at gmail.com
Thu Dec 11 15:24:09 GMT 2008
Can I ask the obvious question? Can the mail server serve these files at
all?
Is there a problem on the mail server itself that is causing the issue
you see?
Can you run an MUA on the server to rule that out?
Paul.
Brian Foster wrote:
> (apologies for messing up the threading.)
>
> | From: Gavin McCullagh gmccullagh at gmail.com
> | Date: Thu Dec 11 13:39:03 GMT 2008
> |
> | On Thu, 11 Dec 2008, Brian Foster wrote:
> | > | I sort of imagine this means 250 packets between consecutive ACKs.
> | >
> | > that's also what I imagine the admin means.
> |
> | I think you might need the admin to get a little more specific. You're not
> | even sending data, you're just sending ACKs, so I don't see how the above
> | could be right.
>
> ( unfortunately, due to holidays &tc, I probably won't
> to be able to talk to the admin until next week? )
>
> it's entirely possible the 'tcpdump' excerpt I previously
> sent was done before Kmail hung. I just tried again, but
> this time didn't start the 'tcpdump' until the MUA clearly
> hung. I say "MUA" (instead of Kmail) because I've tried
> several now (Claws, Thunderbird, and the server's WebMail
> interface (twice, once FireFox2 and once Konqueror)).
> *all* had problems with exactly the same e-mail message.
> ( I've never used 'mutt' before, and when I tried it a
> few minutes ago, did not understand the interface or
> configuration .... ;-\ )
>
> detail-wise, I inadvertently mislead slightly earlier:
> both of the known problematic e-mails, whilst large (both
> are c.10MiB, I *think*), are large because both have a
> gigantic attachment. (in both cases it's an archive; one
> is a '.tar.gz' and the other a '.zip'). the attachment is
> what I cannot (download-and-)open or download-and-save.
>
> Konqueror's download status display did clearly indicate
> the *rate* of the download decreased (steadily?), from
> an unknown starting rate north of 6MiB and dropping to,
> ultimately, nil.
>
> in any case, below is a 'tcpdump' started after one of
> the MUA's hung (I don't recall which MUA now). except
> for replacing the DNS-names with "{xx}" (where, as before,
> "{ME}" is my workstation, &tc), this is complete and
> unedited; i.e., all traffic's shown (c.100 packets,
> c.90secs).
>
> it *is* correct there are *no* "{IT}" (IMAP server).
> none of the numeric IP- or MAC-addresses are for my
> workstation ("{ME}"). the server ("{IT}"), apparently
> inside the DMZ, is not on the 193.168.x.x local intranet.
>
> =====(cut here and below)=====( 'tcpdump -i eth0' after hang )=====
> 15:18:11.256611 arp who-has 192.168.0.58 tell 192.168.0.117
> 15:18:11.790847 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:12.075169 arp who-has 192.168.0.252 tell 192.168.0.100
> 15:18:13.804355 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:13.854590 IP {S2}.microsoft-ds > {ME}.33382: . ack 3449485938 win 65535
> 15:18:13.854609 IP {ME}.33382 > {S2}.microsoft-ds: . ack 1 win 46
> <nop,nop,timestamp 129688252 0>
> 15:18:15.817424 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:17.830862 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:19.844367 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:21.857405 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:22.940600 IP 192.168.0.103.netbios-dgm >
> 192.168.0.255.netbios-dgm: NBT UDP PACKET(138)
> 15:18:23.870988 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:24.867826 arp who-has 192.168.0.111 tell {X1}
> 15:18:25.883986 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:26.253543 arp who-has 192.168.0.104 tell 192.168.0.117
> 15:18:26.770708 arp who-has 192.168.0.104 tell 192.168.0.58
> 15:18:27.897133 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:29.911067 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:30.529127 00:19:2f:7f:91:97 (oui Unknown) > 01:00:0c:cc:cc:cc
> (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 46
> 15:18:30.529134 00:19:2f:7f:91:97 (oui Unknown) > 01:00:0c:00:00:00
> (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 76
> 15:18:31.212314 IP 192.168.0.9 > ALL-SYSTEMS.MCAST.NET: igmp query v2
> 15:18:31.923785 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:33.937029 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:35.950771 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:37.963800 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:39.134590 IP 192.168.0.116 > 239.255.255.250: igmp v2 report
> 239.255.255.250
> 15:18:39.977586 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:40.573815 arp who-has 192.168.0.102 tell {X2}
> 15:18:41.003591 IP {ME} > 224.0.0.251: igmp v2 report 224.0.0.251
> 15:18:41.991262 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:43.116161 arp who-has 192.168.0.25 tell {X1}
> 15:18:44.003792 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:46.017114 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:46.238244 NBF Packet: Datagram
> 15:18:47.307536 arp who-has {X2} tell {X3}
> 15:18:48.030702 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:50.043655 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:51.285402 arp who-has 192.168.0.103 tell {X1}
> 15:18:52.057257 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:54.070434 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:56.083557 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:18:57.730751 arp who-has 17-mcardineau.local tell {X1}
> 15:18:58.096917 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:00.110457 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:00.537746 00:19:2f:7f:91:97 (oui Unknown) > 01:00:0c:cc:cc:cc
> (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 46
> 15:19:00.538036 00:19:2f:7f:91:97 (oui Unknown) > 01:00:0c:00:00:00
> (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 76
> 15:19:02.123745 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:02.529540 IP 10.201.1.2.https > {ME}.39787: R
> 4105525791:4105525791(0) win 0
> 15:19:04.136889 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:06.123836 IP 192.168.0.100.netbios-ns >
> 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST;
> BROADCAST
> 15:19:06.149901 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:06.198892 arp who-has 29-dgraziani.local tell {X1}
> 15:19:06.871824 IP 192.168.0.100.netbios-ns >
> 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST;
> BROADCAST
> 15:19:07.621742 IP 192.168.0.100.netbios-ns >
> 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST;
> BROADCAST
> 15:19:08.163282 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:09.021555 arp who-has 192.168.0.122 tell {X1}
> 15:19:09.906365 CDPv2, ttl: 180s, Device-ID 'CiscoSwitch'[|cdp]
> 15:19:10.195211 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:12.189956 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:12.872350 IP 192.168.0.100.netbios-ns >
> 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST;
> BROADCAST
> 15:19:13.522370 IP {ME}.32822 > {S1}.domain: 35436+ PTR?
> 58.0.168.192.in-addr.arpa. (43)
> 15:19:13.523317 IP {S1}.domain > {ME}.32822: 35436 NXDomain* 0/0/0 (43)
> 15:19:13.622073 IP 192.168.0.100.netbios-ns >
> 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST;
> BROADCAST
> 15:19:13.625489 IP {ME}.mdns > 224.0.0.251.mdns: 0 PTR (QM)?
> 58.0.168.192.in-addr.arpa. (43)
> 15:19:13.761886 IP {S2}.microsoft-ds > {ME}.33382: R 1:1(0) ack 1 win 0
> 15:19:13.761928 IP {ME}.37071 > {S2}.microsoft-ds: S
> 1983835564:1983835564(0) win 5840 <mss 1460,sackOK,timestamp 129703228
> 0,nop,wscale 7>
> 15:19:13.763255 IP {S2}.microsoft-ds > {ME}.37071: S
> 1583113749:1583113749(0) ack 1983835565 win 16384 <mss 1300,nop,wscale
> 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
> 15:19:13.763267 IP {ME}.37071 > {S2}.microsoft-ds: . ack 1 win 46
> <nop,nop,timestamp 129703228 0>
> 15:19:14.203237 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:14.372098 IP 192.168.0.100.netbios-ns >
> 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST;
> BROADCAST
> 15:19:14.629529 IP {ME}.mdns > 224.0.0.251.mdns: 0 PTR (QM)?
> 58.0.168.192.in-addr.arpa. (43)
> 15:19:16.216622 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:16.633646 IP {ME}.mdns > 224.0.0.251.mdns: 0 PTR (QM)?
> 58.0.168.192.in-addr.arpa. (43)
> 15:19:18.229795 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:18.525878 IP {ME}.32822 > {S1}.domain: 2743+ PTR?
> 117.0.168.192.in-addr.arpa. (44)
> 15:19:18.531209 IP {S1}.domain > {ME}.32822: 2743 NXDomain* 0/0/0 (44)
> 15:19:18.633755 IP {ME}.mdns > 224.0.0.251.mdns: 0 PTR (QM)?
> 117.0.168.192.in-addr.arpa. (44)
> 15:19:19.637817 IP {ME}.mdns > 224.0.0.251.mdns: 0 PTR (QM)?
> 117.0.168.192.in-addr.arpa. (44)
> 15:19:20.243531 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:21.633932 IP {ME}.mdns > 224.0.0.251.mdns: 0 PTR (QM)?
> 117.0.168.192.in-addr.arpa. (44)
> 15:19:22.256542 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:23.534187 IP {ME}.32822 > {S1}.domain: 57993+ PTR?
> 252.0.168.192.in-addr.arpa. (44)
> 15:19:23.535121 IP {S1}.domain > {ME}.32822: 57993 NXDomain* 0/0/0 (44)
> 15:19:23.638044 IP {ME}.mdns > 224.0.0.251.mdns: 0 PTR (QM)?
> 252.0.168.192.in-addr.arpa. (44)
> 15:19:24.269853 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:24.642099 IP {ME}.mdns > 224.0.0.251.mdns: 0 PTR (QM)?
> 252.0.168.192.in-addr.arpa. (44)
> 15:19:25.236830 arp who-has 192.168.0.243 tell 192.168.0.243
> 15:19:26.283058 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:26.638220 IP {ME}.mdns > 224.0.0.251.mdns: 0 PTR (QM)?
> 252.0.168.192.in-addr.arpa. (44)
> 15:19:28.296539 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:28.538518 IP {ME}.32822 > {S1}.domain: 43647+ PTR?
> 100.0.168.192.in-addr.arpa. (44)
> 15:19:28.542453 IP {S1}.domain > {ME}.32822: 43647 NXDomain* 0/0/0 (44)
> 15:19:28.646323 IP {ME}.mdns > 224.0.0.251.mdns: 0 PTR (QM)?
> 100.0.168.192.in-addr.arpa. (44)
> 15:19:29.650387 IP {ME}.mdns > 224.0.0.251.mdns: 0 PTR (QM)?
> 100.0.168.192.in-addr.arpa. (44)
> 15:19:30.309912 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:30.542268 00:19:2f:7f:91:97 (oui Unknown) > 01:00:0c:cc:cc:cc
> (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 46
> 15:19:30.542515 00:19:2f:7f:91:97 (oui Unknown) > 01:00:0c:00:00:00
> (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 76
> 15:19:32.323068 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:34.336196 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:36.352507 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:38.364571 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> 15:19:40.378200 STP 802.1w, Rapid STP, Flags [Learn, Forward],
> bridge-id 8001.00:19:2f:7f:91:80.8017, length 43
> =====(cut here and above)=====( 'tcpdump -i eth0' after hang )=====
>
> unfortunately, the above is all gibberish to me. ;-\
>
>
> |[ ... ]
> | The above looks normal to me. Does it freeze at this point?
>
> I've no idea! I *had* thought the previous 'tcpdump'
> was after a hang, but (a) based on your description;
> and (b) also on the above different known-to-be-after-
> a-hang, I suspect it was during the downloading before
> the hang?
>
>
> | > |[ ... ]
> | > | This is arguably the basis of a nasty DoS attack:
> | > |
> | > | http://www.hamilton.ie/gavinmc/drop_dupack_attack/
> | >
> | > the admin did say it's a protection against some sort
> | > of attacks (he wasn't specific and I didn't ask).
> |
> | The above attack seems not to be that widely known so I'm (pleasantly)
> | surprised to hear a firewall implements a defence against it.
> | There are proposals to fix it within TCP, but it's really messy.
>
> careful! I did *NOT* say that what the firewall is
> doing is protecting against that specific DoS attack.
> all I said is the admin said it's protecting against
> *some* (unknown-to-me) attack.
>
> cheers!
> -blf-
>
>
More information about the ILUG
mailing list Read this without the formatting . 
