From owner-freebsd-current@FreeBSD.ORG Mon Nov 26 05:00:15 2007 Return-Path: Delivered-To: current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B498A16A41A for ; Mon, 26 Nov 2007 05:00:15 +0000 (UTC) (envelope-from ianf@clue.co.za) Received: from munchkin.clue.co.za (munchkin.clue.co.za [66.219.59.160]) by mx1.freebsd.org (Postfix) with ESMTP id 7DD6513C465 for ; Mon, 26 Nov 2007 05:00:15 +0000 (UTC) (envelope-from ianf@clue.co.za) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=20070313; d=clue.co.za; h=Received:Received:Received:To:cc:From:Subject:In-Reply-To:X-Attribution:Date:Message-Id; b=j4DHpMjr6rkFFbxUl/HmnYSmuD7Yb4LIpYb/oZEiqp1CJIg6lDU83K4mIjb/S6aWRlejgR0wBZObtzjCSs7v4klFsY2cvZBm/gsgStDe3lD3vULCBFzmkV2yDTwyg1iK+NJk424gNECqC+fG/5bId5p0HMlJZMgKj7eZcq/7gRNjbbfcQ5TOiICf4jJ6kLybm7QWGr3DnRCUn8mYN3VRoqz9/tvHYlLCHigtVeZCv5qEerkvxd/+4U9DA9zUCWik; Received: from uucp by munchkin.clue.co.za with local-rmail (Exim 4.67) (envelope-from ) id 1IwW4n-00052p-Sc; Mon, 26 Nov 2007 05:00:11 +0000 Received: from ianf.clue.co.za ([10.0.0.6] helo=clue.co.za) by urchin.clue.co.za with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.67) (envelope-from ) id 1IwW4c-0008Sa-CI; Mon, 26 Nov 2007 04:59:58 +0000 Received: from localhost ([127.0.0.1] helo=clue.co.za) by clue.co.za with esmtp (Exim 4.68 (FreeBSD)) (envelope-from ) id 1IwW4b-0006c2-MT; Mon, 26 Nov 2007 06:59:57 +0200 To: Mike Silbersack From: Ian FREISLICH In-Reply-To: Message from Mike Silbersack of "Sun, 25 Nov 2007 04:19:41 CST." <20071125041618.G1206@odysseus.silby.com> X-Attribution: BOFH Date: Mon, 26 Nov 2007 06:59:57 +0200 Message-Id: Cc: Kip Macy , current@freebsd.org Subject: Re: TCP RST+data! X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Nov 2007 05:00:15 -0000 Mike Silbersack wrote: > > On Fri, 23 Nov 2007, Kip Macy wrote: > > > On Nov 22, 2007 12:14 PM, Ian FREISLICH wrote: > >> Here's a tcpdump of seamonkey trying to retrieve the document index: > >> > >> 22:07:53.728516 IP (tos 0x0, ttl 64, id 24507, offset 0, flags [DF], proto TCP (6), length 60) 196.7.162.28.50118 > 196.7.162.30.80: S, cksum 0xdbdd (cor rect), 2746220400:2746220400(0) win 65535 > >> 22:07:53.731512 IP (tos 0x0, ttl 64, id 36, offset 0, flags [DF], proto TC P (6), length 60) 196.7.162.30.80 > 196.7.162.28.50118: S, cksum 0xbdba (correc t), 2416404465:2416404465(0) ack 2746220401 win 8192 > >> 22:07:53.731543 IP (tos 0x0, ttl 64, id 24508, offset 0, flags [DF], proto TCP (6), length 52) 196.7.162.28.50118 > 196.7.162.30.80: ., cksum 0xe8f5 (cor rect), 1:1(0) ack 1 win 8326 > >> 22:07:53.731593 IP (tos 0x0, ttl 64, id 24509, offset 0, flags [DF], proto TCP (6), length 428) 196.7.162.28.50118 > 196.7.162.30.80: P 1:377(376) ack 1 win 8326 > >> 22:07:53.770545 IP (tos 0x0, ttl 64, id 37, offset 0, flags [DF], proto TC P (6), length 52) 196.7.162.30.80 > 196.7.162.28.50118: ., cksum 0xe948 (correc t), 1:1(0) ack 377 win 7867 > >> 22:07:54.004963 IP (tos 0x0, ttl 64, id 38, offset 0, flags [DF], proto TC P (6), length 61) 196.7.162.30.80 > 196.7.162.28.50118: P, cksum 0xcdea (correc t), 1:10(9) ack 377 win 8192 > >> 22:07:54.018027 IP (tos 0x0, ttl 64, id 39, offset 0, flags [DF], proto TC P (6), length 638) 196.7.162.30.80 > 196.7.162.28.50118: RP 10:608(598) ack 377 win 8192 [!RST+ 200 OK\015\012Server: Rapid Logic/1.] > > > > Looking at your later trace, data with the RST is a red herring. The > > only thing that stands out to me as being odd and perhaps is the > > issue, is that the window size for the SYN and the ack are > > inconsistent on FreeBSD but are consistent on OS X. I'm not sure off > > hand where the number 8326 comes from. It could be that when the SIP's > > stack is generating the ack for the GET it concludes that the window > > accounting state is incorrect. > > > > Perhaps Mike can shed some light when he gets back online. > > > > > > -Kip > > The TCP window is unscaled in the SYN phase, then shifts to being scaled > afterwards. The window we're advertising must be 8236 * 2^3 = 65888. > So, that part is ok - if the phone implements tcp window scaling properly! > > The RST + Data behavior seems very odd. Ian, have you tried using nmap -O > or any other OS identification tool to see if the phone is using a known > operating system? Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-26 06:54 SAST Interesting ports on dhcp-243.clue.co.za (10.0.0.243): Not shown: 1539 closed ports, 156 filtered ports PORT STATE SERVICE 23/tcp open telnet 80/tcp open http MAC Address: 00:09:45:54:01:1C (Palmmicro Communications) Aggressive OS guesses: HP LaserJet 1320 (95%), Konica Minolta Bizhub C450 copier with (default) Emperon Controller (94%), FreeBSD 2.2.9 (x86) (94%), Minolta MagicColor 2430 printer (94%), Netgear WPN824 RangeMax WAP (92%), HP LaserJet 4600 (JetDirect) printer (90%), RICOH Aficio 1060 copier (90%), Nortel 5520 ethernet routing switch (90%), Apple Airport Express WAP v6.3 (89%), FreeBSD 4.11 (x86) (89%) No exact OS matches for host (test conditions non-ideal). Uptime: 0.022 days (since Mon Nov 26 06:22:23 2007) Network Distance: 1 hop The phone is actually an ATCom 530P Ian -- Ian Freislich