Date: Tue, 2 Jul 2002 21:37:33 -0500 (CDT) From: Mike Silbersack <silby@silby.com> To: Tom Pavel <pavel@networkphysics.com> Cc: net@FreeBSD.ORG Subject: Re: questions about TCP RST validity Message-ID: <20020702211901.O92440-100000@patrocles.silby.com> In-Reply-To: <200207020836.g628aBR64517@scout.networkphysics.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 2 Jul 2002, Tom Pavel wrote: > > >>>>> On Mon, 1 Jul 2002, Mike Silbersack <silby@silby.com> writes: > > > > 09:05:36.961787 AA.80 > BB.61390: . 3568529946:3568531406(1460) ack 2597111 > > 261 win 4380 (DF) > > > 09:05:38.973207 AA.80 > BB.61390: . 3568529946:3568531406(1460) ack 2597111 > > 261 win 4380 (DF) > > > > Is this a real trace? It looks highly irregular to me. I don't see why > > BB isn't RSTing each packet, and AA looks to be retransmitting way too > > quickly. > > Yes, this is a real trace. And it is not a single fluke BB host > either. If you look at enough web traces, you will eventually find > such examples (it is pretty rare, though). Other OSes I was able to > test show the same behavior as AA. I included my theories about the > cause for BB's behavior (stateful firewall or modem hangup), but I > really have no info about that. > > I'm not sure why you say the retrans are too quick. The 2 above are 1 > sec and 2 sec, respectively. The rest continue exponentially. Urk. I misread the timestamps, sorry. Yes, the spacing looks correct, AA looks ok to me now. I guess the bug in BB isn't all too surprising either, sending a RST after a FIN sounds like a rare case. I suppose that the client app abruptly terminating the connection could cause it. In either case, it's likely just an off by one due to lack of accounting for the FIN. > That sounds pretty reasonable. All of the traces I have noticed came > with an "early" FIN from the web client, so even 1 byte would have > been enough in those cases. One MSS sounds like a good compromise. > > > Tom Pavel Actually, I'm thinking that one byte is probably all we'd want to stretch it, unless you have evidence of situations where > 1 byte differences have been seen. I'd also like to know which OS / stateful firewall is exhibiting the problem. If it's something really rare, the workaround might not be worth the hassle. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020702211901.O92440-100000>