From owner-freebsd-net Tue Jul 2 19:34:44 2002 Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8192537B405 for ; Tue, 2 Jul 2002 19:34:39 -0700 (PDT) Received: from patrocles.silby.com (d111.as6.nwbl0.wi.voyager.net [169.207.128.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id 67BE843E54 for ; Tue, 2 Jul 2002 19:34:37 -0700 (PDT) (envelope-from silby@silby.com) Received: from patrocles.silby.com (localhost [127.0.0.1]) by patrocles.silby.com (8.12.4/8.12.4) with ESMTP id g632bacv093085; Tue, 2 Jul 2002 21:37:36 -0500 (CDT) (envelope-from silby@silby.com) Received: from localhost (silby@localhost) by patrocles.silby.com (8.12.4/8.12.4/Submit) with ESMTP id g632bXX9093082; Tue, 2 Jul 2002 21:37:35 -0500 (CDT) X-Authentication-Warning: patrocles.silby.com: silby owned process doing -bs Date: Tue, 2 Jul 2002 21:37:33 -0500 (CDT) From: Mike Silbersack To: Tom Pavel Cc: net@FreeBSD.ORG Subject: Re: questions about TCP RST validity In-Reply-To: <200207020836.g628aBR64517@scout.networkphysics.com> Message-ID: <20020702211901.O92440-100000@patrocles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 2 Jul 2002, Tom Pavel wrote: > > >>>>> On Mon, 1 Jul 2002, Mike Silbersack writes: > > > > 09:05:36.961787 AA.80 > BB.61390: . 3568529946:3568531406(1460) ack 2597111 > > 261 win 4380 (DF) > > > 09:05:38.973207 AA.80 > BB.61390: . 3568529946:3568531406(1460) ack 2597111 > > 261 win 4380 (DF) > > > > Is this a real trace? It looks highly irregular to me. I don't see why > > BB isn't RSTing each packet, and AA looks to be retransmitting way too > > quickly. > > Yes, this is a real trace. And it is not a single fluke BB host > either. If you look at enough web traces, you will eventually find > such examples (it is pretty rare, though). Other OSes I was able to > test show the same behavior as AA. I included my theories about the > cause for BB's behavior (stateful firewall or modem hangup), but I > really have no info about that. > > I'm not sure why you say the retrans are too quick. The 2 above are 1 > sec and 2 sec, respectively. The rest continue exponentially. Urk. I misread the timestamps, sorry. Yes, the spacing looks correct, AA looks ok to me now. I guess the bug in BB isn't all too surprising either, sending a RST after a FIN sounds like a rare case. I suppose that the client app abruptly terminating the connection could cause it. In either case, it's likely just an off by one due to lack of accounting for the FIN. > That sounds pretty reasonable. All of the traces I have noticed came > with an "early" FIN from the web client, so even 1 byte would have > been enough in those cases. One MSS sounds like a good compromise. > > > Tom Pavel Actually, I'm thinking that one byte is probably all we'd want to stretch it, unless you have evidence of situations where > 1 byte differences have been seen. I'd also like to know which OS / stateful firewall is exhibiting the problem. If it's something really rare, the workaround might not be worth the hassle. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message