Re: debian + hostapd + pptp = pptp random disconnect

To: debian-russian@lists.debian.org
Subject: Re: debian + hostapd + pptp = pptp random disconnect
From: Eugene Berdnikov <bd4@protva.ru>
Date: Mon, 14 May 2012 16:36:24 +0400
Message-id: <[🔎] 20120514123624.GB7579@protva.ru>
In-reply-to: <[🔎] CAG0qy5LQj9e8HWsMTceiS=weScYgdraAfFepS5npMpGt4RpeTA@mail.gmail.com>
References: <[🔎] CAG0qy5JUG7AMv5RFsE1cZEqcRZPtYOvjow8obgtAS9F_n4QmiA@mail.gmail.com> <[🔎] CAG0qy5LQj9e8HWsMTceiS=weScYgdraAfFepS5npMpGt4RpeTA@mail.gmail.com>

On Mon, May 14, 2012 at 02:13:26PM +0300, Gary Trotcko wrote:
> Хм, собственно вот, но... ((
> 
> cat /var/log/messages | grep pppd
> May 14 13:30:46 debian pppd[11352]: Modem hangup
> May 14 13:30:46 debian pppd[11352]: Connect time 4.6 minutes.
> May 14 13:30:46 debian pppd[11352]: Sent 34894 bytes, received 61693 bytes.
> May 14 13:30:47 debian pppd[11352]: Connection terminated.
> May 14 13:30:48 debian pppd[11352]: Using interface ppp0
> May 14 13:30:48 debian pppd[11352]: Connect: ppp0 <--> /dev/pts/0
> May 14 13:30:56 debian pppd[11352]: CHAP authentication succeeded: Welcome.
> May 14 13:30:56 debian pppd[11352]: CHAP authentication succeeded
> May 14 13:30:56 debian pppd[11352]: local  IP address 80.242.110.65
> May 14 13:30:56 debian pppd[11352]: remote IP address 195.66.139.28
> 
> tcpdump -i eth0 tcp port 1723
> 13:29:30.676173 IP 192.168.120.184.56438 > 192.168.117.211.1723: Flags
> [P.], seq 4103653949:4103653965, ack 4202577046, win 3650, options
> [nop,nop,TS val 32806508 ecr 654449703], length 16: pptp
> CTRL_MSGTYPE=ECHORQ ID(3)
> 13:29:55.662113 IP 192.168.120.184.56438 > 192.168.117.211.1723: Flags
> [P.], seq 0:16, ack 1, win 3650, options [nop,nop,TS val 32811781 ecr
> 654449703], length 16: pptp CTRL_MSGTYPE=ECHORQ ID(3)
> 13:29:55.662446 IP 192.168.117.211.1723 > 192.168.120.184.56438: Flags
> [.], ack 16, win 62, options [nop,nop,TS val 654458202 ecr
> 32811781,nop,nop,sack 1 {0:16}], length 0
> 13:29:55.739219 IP 192.168.117.211.1723 > 192.168.120.184.56438: Flags
> [P.], seq 1:21, ack 16, win 62, options [nop,nop,TS val 654458210 ecr
> 32811781], length 20: pptp CTRL_MSGTYPE=ECHORP ID(3) RESULT_CODE(1)
> ERR_CODE(0)
> 13:29:55.739405 IP 192.168.120.184.56438 > 192.168.117.211.1723: Flags
> [.], ack 21, win 3650, options [nop,nop,TS val 32812773 ecr
> 654458210], length 0

> 13:30:46.979768 IP 192.168.117.211.1723 > 192.168.120.184.56438: Flags
> [F.], seq 21, ack 16, win 62, options [nop,nop,TS val 654463334 ecr
> 32812773], length 0

 Собственно, содержательная часть начинается с этого FINa (последний пакет).
 Сервер закрыл коннекцию без видимых причин. Отправляйте этот дамп
 провайдеру в качестве рекламации (желательно добавить ещё -vv -s0)
 и спрашивайте, какого чёрта так происходит.

> 13:30:46.980456 IP 192.168.120.184.56438 > 192.168.117.211.1723: Flags
> [P.], seq 16:32, ack 22, win 3650, options [nop,nop,TS val 32825584
> ecr 654463334], length 16: pptp CTRL_MSGTYPE=CCRQ CALL_ID(0)
> 13:30:46.981123 IP 192.168.120.184.56438 > 192.168.117.211.1723: Flags
> [F.], seq 32, ack 22, win 3650, options [nop,nop,TS val 32825584 ecr
> 654463334], length 0
> 13:30:47.188552 IP 192.168.117.211.1723 > 192.168.120.184.56438: Flags
> [F.], seq 21, ack 16, win 62, options [nop,nop,TS val 654463355 ecr
> 32812773], length 0
> 13:30:47.188877 IP 192.168.120.184.56438 > 192.168.117.211.1723: Flags
> [.], ack 22, win 3650, options [nop,nop,TS val 32825636 ecr
> 654463355,nop,nop,sack 1 {21:22}], length 0
> 13:30:47.608535 IP 192.168.117.211.1723 > 192.168.120.184.56438: Flags
> [F.], seq 21, ack 16, win 62, options [nop,nop,TS val 654463397 ecr
> 32812773], length 0
> 13:30:47.608775 IP 192.168.120.184.56438 > 192.168.117.211.1723: Flags
> [.], ack 22, win 3650, options [nop,nop,TS val 32825741 ecr
> 654463397,nop,nop,sack 1 {21:22}], length 0
> 13:30:48.448503 IP 192.168.117.211.1723 > 192.168.120.184.56438: Flags
> [F.], seq 21, ack 16, win 62, options [nop,nop,TS val 654463481 ecr
> 32812773], length 0
> 13:30:50.128529 IP 192.168.117.211.1723 > 192.168.120.184.56438: Flags
> [F.], seq 21, ack 16, win 62, options [nop,nop,TS val 654463649 ecr
> 32812773], length 0
> 13:30:53.498452 IP 192.168.117.211.1723 > 192.168.120.184.56438: Flags
> [F.], seq 21, ack 16, win 62, options [nop,nop,TS val 654463986 ecr
> 32812773], length 0

 Судя по пачке FINов от сервера, для которых нет никаких видимых на
 стороне клиента причин (т.е. отправленных от 192.168.120.184 на сервер
 пакетов), а также по аналогичной пачке RST ниже, похоже, что какой-то
 промежуточный узел активно закрывает коннекцию от имени клиента.
 То есть соединения портятся "злоумышленником", в качестве которого может
 выступать прослушивающий соединения мониторинговый софт. Есть вирусы,
 пытающиеся перехватывать трафик для поиска адресов e-mail, паролей
 и прочего, они иногда так глючат.

> 13:30:55.665424 IP 192.168.120.184.56438 > 192.168.117.211.1723: Flags
> [.], ack 22, win 3650, options [nop,nop,TS val 32825951 ecr
> 654463481,nop,nop,sack 1 {21:22}], length 0
> 13:30:55.665534 IP 192.168.117.211.1723 > 192.168.120.184.56438: Flags
> [R], seq 4202577067, win 0, length 0
> 13:30:55.665542 IP 192.168.117.211.1723 > 192.168.120.184.56438: Flags
> [R], seq 4202577067, win 0, length 0
> 13:30:55.665564 IP 192.168.117.211.1723 > 192.168.120.184.56438: Flags
> [R], seq 4202577067, win 0, length 0
> 13:30:55.665572 IP 192.168.117.211.1723 > 192.168.120.184.56438: Flags
> [R], seq 4202577067, win 0, length 0
> 13:30:55.666073 IP 192.168.117.211.1723 > 192.168.120.184.56438: Flags
> [R], seq 4202577067, win 0, length 0
-- 
 Eugene Berdnikov

Reply to:

References:
- debian + hostapd + pptp = pptp random disconnect
  - From: Gary Trotcko <teegor38@gmail.com>
- Re: debian + hostapd + pptp = pptp random disconnect
  - From: Gary Trotcko <teegor38@gmail.com>

Prev by Date: не работает debmirror через rsync
Next by Date: Re: debian + hostapd + pptp = pptp random disconnect
Previous by thread: Re: debian + hostapd + pptp = pptp random disconnect
Next by thread: Re: debian + hostapd + pptp = pptp random disconnect
Index(es):
- Date
- Thread