From owner-freebsd-current@FreeBSD.ORG Sun Nov 25 10:26:25 2007 Return-Path: Delivered-To: current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 93F5116A419 for ; Sun, 25 Nov 2007 10:26:25 +0000 (UTC) (envelope-from silby@silby.com) Received: from relay03.pair.com (relay03.pair.com [209.68.5.17]) by mx1.freebsd.org (Postfix) with SMTP id 490E713C465 for ; Sun, 25 Nov 2007 10:26:25 +0000 (UTC) (envelope-from silby@silby.com) Received: (qmail 648 invoked from network); 25 Nov 2007 10:19:40 -0000 Received: from unknown (HELO localhost) (unknown) by unknown with SMTP; 25 Nov 2007 10:19:40 -0000 X-pair-Authenticated: 209.68.2.70 Date: Sun, 25 Nov 2007 04:19:41 -0600 (CST) From: Mike Silbersack To: Kip Macy In-Reply-To: Message-ID: <20071125041618.G1206@odysseus.silby.com> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: Ian FREISLICH , current@freebsd.org Subject: Re: TCP RST+data! X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 25 Nov 2007 10:26:25 -0000 On Fri, 23 Nov 2007, Kip Macy wrote: > On Nov 22, 2007 12:14 PM, Ian FREISLICH wrote: >> Here's a tcpdump of seamonkey trying to retrieve the document index: >> >> 22:07:53.728516 IP (tos 0x0, ttl 64, id 24507, offset 0, flags [DF], proto TCP (6), length 60) 196.7.162.28.50118 > 196.7.162.30.80: S, cksum 0xdbdd (correct), 2746220400:2746220400(0) win 65535 >> 22:07:53.731512 IP (tos 0x0, ttl 64, id 36, offset 0, flags [DF], proto TCP (6), length 60) 196.7.162.30.80 > 196.7.162.28.50118: S, cksum 0xbdba (correct), 2416404465:2416404465(0) ack 2746220401 win 8192 >> 22:07:53.731543 IP (tos 0x0, ttl 64, id 24508, offset 0, flags [DF], proto TCP (6), length 52) 196.7.162.28.50118 > 196.7.162.30.80: ., cksum 0xe8f5 (correct), 1:1(0) ack 1 win 8326 >> 22:07:53.731593 IP (tos 0x0, ttl 64, id 24509, offset 0, flags [DF], proto TCP (6), length 428) 196.7.162.28.50118 > 196.7.162.30.80: P 1:377(376) ack 1 win 8326 >> 22:07:53.770545 IP (tos 0x0, ttl 64, id 37, offset 0, flags [DF], proto TCP (6), length 52) 196.7.162.30.80 > 196.7.162.28.50118: ., cksum 0xe948 (correct), 1:1(0) ack 377 win 7867 >> 22:07:54.004963 IP (tos 0x0, ttl 64, id 38, offset 0, flags [DF], proto TCP (6), length 61) 196.7.162.30.80 > 196.7.162.28.50118: P, cksum 0xcdea (correct), 1:10(9) ack 377 win 8192 >> 22:07:54.018027 IP (tos 0x0, ttl 64, id 39, offset 0, flags [DF], proto TCP (6), length 638) 196.7.162.30.80 > 196.7.162.28.50118: RP 10:608(598) ack 377 win 8192 [!RST+ 200 OK\015\012Server: Rapid Logic/1.] > > Looking at your later trace, data with the RST is a red herring. The > only thing that stands out to me as being odd and perhaps is the > issue, is that the window size for the SYN and the ack are > inconsistent on FreeBSD but are consistent on OS X. I'm not sure off > hand where the number 8326 comes from. It could be that when the SIP's > stack is generating the ack for the GET it concludes that the window > accounting state is incorrect. > > Perhaps Mike can shed some light when he gets back online. > > > -Kip The TCP window is unscaled in the SYN phase, then shifts to being scaled afterwards. The window we're advertising must be 8236 * 2^3 = 65888. So, that part is ok - if the phone implements tcp window scaling properly! The RST + Data behavior seems very odd. Ian, have you tried using nmap -O or any other OS identification tool to see if the phone is using a known operating system? -Mike