From owner-freebsd-current@FreeBSD.ORG Wed Aug 15 14:56:49 2007 Return-Path: Delivered-To: current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DC1F016A417 for ; Wed, 15 Aug 2007 14:56:49 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from pobox.codelabs.ru (pobox.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 880FC13C48A for ; Wed, 15 Aug 2007 14:56:49 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender:X-Spam-Status:Subject; b=Yt2XS9FL45ibNDiXA9QfG1neYR1gg8swSm8V+DfWjMZS+jJhnWU29kUuQSaftAhcJiAVOBCk34lJ/15eJiYr4jOkJLsgIfXp/TWWp/xiPuxiGUUyNSMsgtKso5DunR9pehsZwtgZAUTeUxonvimTWkWponrqpXBml/QUcKfvcpw=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by pobox.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1ILKIf-0009gZ-Dc; Wed, 15 Aug 2007 18:56:45 +0400 Date: Wed, 15 Aug 2007 18:56:40 +0400 From: Eygene Ryabinkin To: Stefan Lambrev Message-ID: <20070815145640.GQ988@void.codelabs.ru> References: <20070806224112.GA21876@muon.bluestop.org> <20070807073920.GV50228@void.codelabs.ru> <46C18B60.8050400@moneybookers.com> <20070814145759.GB25169@void.codelabs.ru> <20070814193150.GA21553@rot26.obsecurity.org> <46C30FA6.7060108@moneybookers.com> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <46C30FA6.7060108@moneybookers.com> Sender: rea-fbsd@codelabs.ru X-Spam-Status: No, score=-1.9 required=4.0 tests=ALL_TRUSTED,AWL,BAYES_40 Cc: current@freebsd.org, Kris Kennaway Subject: Re: "tcpflags 0x18; tcp_do_segment" kernel messages X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Aug 2007 14:56:49 -0000 Stefan, good day. Wed, Aug 15, 2007 at 05:37:26PM +0300, Stefan Lambrev wrote: > Now I have a tcpdump.out file and all packets are logged while this problem > happened. > Here is part of the file (I hope this is enough because the file itself is > +150MB) : > <... two connections that were closed are deleted ...> > 16:10:13.206555 IP 192.168.13.7.60906 > 192.168.13.4.25: S > 219272317:219272317(0) win 65535 108147619 0> > 16:10:13.206789 IP 192.168.13.4.25 > 192.168.13.7.60906: S > 1948405606:1948405606(0) ack 219272318 win 65535 1,nop,nop,timestamp 3042169350 108147619,sackOK,eol> > 16:10:13.206824 IP 192.168.13.7.60906 > 192.168.13.4.25: . ack 1 win 260 > > 16:10:13.208261 IP 192.168.13.4.25 > 192.168.13.7.60906: P 1:48(47) ack 1 win > 33304 > 16:10:13.208347 IP 192.168.13.7.60906 > 192.168.13.4.25: P 1:21(20) ack 48 win > 260 > 16:10:13.208690 IP 192.168.13.4.25 > 192.168.13.7.60906: P 48:74(26) ack 21 win > 33304 > 16:10:13.208715 IP 192.168.13.7.60906 > 192.168.13.4.25: P 21:27(6) ack 74 win > 260 > 16:10:13.208729 IP 192.168.13.7.60906 > 192.168.13.4.25: F 27:27(0) ack 74 win > 260 > > Why the flag is 'F' here ? doesn't seems normal for me :) > > 16:10:13.208835 IP 192.168.13.4.25 > 192.168.13.7.60906: . ack 28 win 33301 > > 16:10:13.208986 IP 192.168.13.4.25 > 192.168.13.7.60906: P 74:89(15) ack 28 win > 33304 > 16:10:13.209069 IP 192.168.13.7.60906 > 192.168.13.4.25: R > 219272345:219272345(0) win 0 > 16:10:13.209074 IP 192.168.13.4.25 > 192.168.13.7.60906: F 89:89(0) ack 28 win > 33304 > 16:10:13.209079 IP 192.168.13.7.60906 > 192.168.13.4.25: R > 219272345:219272345(0) win 0 It will be good to see SMTP protocol trace. If you have no sensitive data, then add '-s 1500 -X' to the tcpdump's options and show us the output. If you can upload the result or raw trace for the abovementioned three connections, it will be good. You can extract the sessions using something like (for the last session) 'tcpdump -s 1500 -r dump.out -w session.out host 192.168.13.7 and port 60906' Thank you. -- Eygene