
To: cipe-l,AT,inka,DOT,de
Subject:
From: Markus Röder <markus.roeder,AT,makeit4u,DOT,de>
Date: Fri, 23 Jan 2004 20:50:36 +0100

Investigating the packets, here are some captures:

        # tcpdump -pni any proto \\icmp
        tcpdump: listening on any
        18:54:05.707539 172.31.0.6 > 172.31.0.5: icmp: echo request
        18:54:05.710067 172.31.0.5 > 172.31.0.6: icmp: echo reply
        18:54:07.709638 172.31.0.6 > 172.31.0.5: icmp: echo request
        18:54:07.710062 172.31.0.5 > 172.31.0.6: icmp: echo reply
        18:54:09.712409 172.31.0.6 > 172.31.0.5: icmp: echo request
        18:54:09.716214 172.31.0.5 > 172.31.0.6: icmp: echo reply
        18:54:11.714948 172.31.0.6 > 172.31.0.5: icmp: echo request
        18:54:11.720109 172.31.0.5 > 172.31.0.6: icmp: echo reply
        18:54:13.717731 172.31.0.6 > 172.31.0.5: icmp: echo request
        18:54:13.719550 172.31.0.5 > 172.31.0.6: icmp: echo reply

Having the window of the peer in sight, it seems that only every other ping reaches the machine.
This corresponds to the following capture:
218.8.158.194 is the peer's address


        # tcpdump -pni any port 9001
        tcpdump: listening on any
        18:56:39.407175 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        18:56:40.407878 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        18:56:40.408342 172.24.130.146.9001 > 218.8.158.194.9001: udp 80
        18:56:41.410583 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        18:56:42.410785 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        18:56:42.411281 172.24.130.146.9001 > 218.8.158.194.9001: udp 80
        18:56:43.412012 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        18:56:44.414676 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        18:56:44.415148 172.24.130.146.9001 > 218.8.158.194.9001: udp 80

The 'pong' leaves the system through ppp0:

        # tcpdump -pni ppp0 port 9001
        tcpdump: listening on ppp0
        19:00:27.708391 172.24.130.146.9001 > 218.8.158.194.9001: udp 80
        19:00:29.710086 172.24.130.146.9001 > 218.8.158.194.9001: udp 80
        19:00:31.710094 172.24.130.146.9001 > 218.8.158.194.9001: udp 80
        19:00:33.708767 172.24.130.146.9001 > 218.8.158.194.9001: udp 80
        19:00:35.710088 172.24.130.146.9001 > 218.8.158.194.9001: udp 80
        19:00:37.719370 172.24.130.146.9001 > 218.8.158.194.9001: udp 80
(Doing a MASQUERADE on ppp0)

Although every 10th ping gets its reply on eth1, but with the wrong source IP:

        # tcpdump -pni eth1 port 9001
        tcpdump: listening on eth1
        19:03:54.431398 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:03:55.465837 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:03:55.466831 172.24.130.146.9001 > 218.8.158.194.9001: udp 272 (DF)
        19:03:56.467172 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:03:57.468367 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:03:58.470072 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:03:59.471015 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:00.472381 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:01.473966 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:02.474999 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:03.476315 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:04.477386 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:05.478958 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:05.479774 172.24.130.146.9001 > 218.8.158.194.9001: udp 256 (DF)
        19:04:06.481662 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:07.481363 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:08.482718 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:09.483777 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:10.485207 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:11.486402 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:12.487876 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:13.489062 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:14.490391 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:15.491464 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:15.492310 172.24.130.146.9001 > 218.8.158.194.9001: udp 168 (DF)
        19:04:16.493233 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:17.494330 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
        19:04:18.495313 218.8.158.194.9001 > 218.8.157.154.9001: udp 80

I have seen quite a few routing scenarios, but this seems totally odd.
(Packets taking this route or the other)

At 15:41 23.01.2004 +0000, you wrote:
Markus,

So if all of the packets are being seen somewhere, where are the others?  Do
they go out eth1?  If you could experiment a little and find out which
interfaces are used both for packets coming in, and packets going out, that
might help.  It might not, but hopefully it will.

--
Mark Smith - Avco Systems Ltd
email: mark.smith,AT,avcosystems,DOT,co,DOT,uk
Tel: +44 (0)1784 430996 Fax: +44 (0)1784 431078

> -----Original Message-----
> From: Markus Roder [mailto:markus.roeder,AT,makeit4u,DOT,de]
> Sent: 23 January 2004 15:35
> To: Mark Smith
> Cc: cipe-l,AT,inka,DOT,de
> Subject: RE: routing, cipe using wrong interface (long)
>
>
> Here is the tcpdump of some pings.
> The odd thing is that the client sends at least 4 ping packets (Windows
> client), but only those two outgoing packets show up
>
> # tcpdump -pni ppp0 port 9001
> tcpdump: listening on ppp0
> 16:28:11.950074 172.24.130.146.9001 > 218.8.158.194.9001: udp 80
> 16:28:13.952002 172.24.130.146.9001 > 218.8.158.194.9001: udp 80
>
> At 15:14 23.01.2004 +0000, you wrote:
> >Markus,
> >
> >Can you give a sample tcpdump of packets going via ppp0?  The text will
> >probably suffice, rather than the raw packet data...
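
A small parser for the text captures in this thread, added here as an example (not code from the posters or from CIPE): it counts packets from and to the peer and lists outgoing packets that still carry an RFC 1918 source address at the capture point, which is the pattern visible in the eth1 capture. The names `analyse`, `LINE` and `ETH1_EXCERPT` are assumptions; the sample lines are copied from the eth1 capture in the message above.

```python
import ipaddress
import re
from collections import Counter

# One tcpdump text line as printed in this thread:
#   HH:MM:SS.ffffff SRC.PORT > DST.PORT: udp LEN [(DF)]
LINE = re.compile(
    r"^\s*(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)

# Excerpt copied from the eth1 capture earlier in the thread.
ETH1_EXCERPT = """\
# tcpdump -pni eth1 port 9001
tcpdump: listening on eth1
19:03:54.431398 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
19:03:55.465837 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
19:03:55.466831 172.24.130.146.9001 > 218.8.158.194.9001: udp 272 (DF)
19:03:56.467172 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
19:03:57.468367 218.8.158.194.9001 > 218.8.157.154.9001: udp 80
"""

def analyse(capture, peer):
    """Count packets from/to `peer` and list replies with a private source."""
    stats = Counter()
    untranslated = []  # (timestamp, source, length) of un-NATed replies
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if m is None:
            continue  # shell prompt, tcpdump banner, non-UDP lines
        if m["src"] == peer:
            stats["from_peer"] += 1
        elif m["dst"] == peer:
            stats["to_peer"] += 1
            # An RFC 1918 source on a packet headed to a public peer means
            # no source NAT (MASQUERADE) had been applied where it was captured.
            if ipaddress.ip_address(m["src"]).is_private:
                untranslated.append((m["ts"], m["src"], int(m["len"])))
    return stats, untranslated

if __name__ == "__main__":
    stats, untranslated = analyse(ETH1_EXCERPT, peer="218.8.158.194")
    print(dict(stats))
    for ts, src, length in untranslated:
        print(f"{ts} reply leaves with private source {src} (udp {length})")
```

Running the same function over a capture from each interface (ppp0, eth1, any) gives the per-interface in/out counts Mark asks for above.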

