
Re: a question about firewalls (or whatever else that might cause packet drop)

On Wed, Nov 28, 2012 at 11:54:04AM +0000, Matej Kosik wrote:
> Hi,
> I am experiencing some deterministic packet drop:
> - when I tcpreplay on "lo" some pcap (0.pcap) file,
>   that traffic does not reach listening applications
> - when I change source IP address from whatever it was to, e.g.,
>, etc,
>   then when I try to replay the modified pcap file (1.pcap),
>   that traffic does reach applications.
> I would like to find out the cause of this.
> The only thing which could be causing this that I was aware of was
> "iptables". However, when I apt-get removed it, nothing changed.
> What else should I check?

Have a look at the TCP sequence numbers and the TCP Handshake. To
establish a connection:
 * The client sends a SYN packet to the server with a random sequence
   number (A).
 * The server replies with a SYN-ACK packet with an acknowledgement
   number set to one more than the client's sequence number (A + 1) 
   and its own random sequence number (B).
 * The client sends an ACK packet to the server with an acknowledgement
   number set to one more than the server's sequence number (B + 1) and
   a sequence number of the received acknowledgement number (A + 1).

So, when you replay the traffic, that third stage goes wrong (basically,
you send the wrong B+1 value).

Have a look at

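Added example, not part of the original message: a toy model of the handshake check described in the reply above, showing a captured client ACK (carrying the old B + 1) being rejected by a listener that has picked a new B. `ToyListener`, `live_handshake`, `client_packets` and `replay` are hypothetical names, and the packets are constructed dictionaries, not real captures.

```python
import random

MOD = 2**32  # TCP sequence numbers are 32-bit and wrap around

class ToyListener:
    """Server side of the three-way handshake, reduced to the seq/ack check."""
    def __init__(self, pick_isn=lambda: random.randrange(MOD)):
        self.pick_isn = pick_isn
        self.state = "LISTEN"
        self.isn = None        # server's own sequence number (B)
        self.peer_next = None  # next sequence number expected from the client (A + 1)

    def receive(self, pkt):
        """Process one client packet and return the server's reply, if any."""
        if self.state == "LISTEN" and pkt["flags"] == "SYN":
            self.isn = self.pick_isn()               # fresh B for every connection
            self.peer_next = (pkt["seq"] + 1) % MOD  # A + 1
            self.state = "SYN_RCVD"
            return {"flags": "SYN-ACK", "seq": self.isn, "ack": self.peer_next}
        if self.state == "SYN_RCVD" and pkt["flags"] == "ACK":
            if pkt["seq"] == self.peer_next and pkt["ack"] == (self.isn + 1) % MOD:
                self.state = "ESTABLISHED"
                return None
            # RFC 793: an unacceptable ACK in SYN-RECEIVED is answered with a reset
            return {"flags": "RST", "seq": pkt["ack"]}
        return None

def live_handshake(a, listener):
    """A live client builds its ACK from the SYN-ACK it actually received."""
    synack = listener.receive({"flags": "SYN", "seq": a})
    ack = {"flags": "ACK", "seq": synack["ack"], "ack": (synack["seq"] + 1) % MOD}
    listener.receive(ack)
    return listener.state, synack["seq"]

def client_packets(a, b):
    """Client half of a finished handshake as stored in a capture (constructed)."""
    return [{"flags": "SYN", "seq": a},
            {"flags": "ACK", "seq": (a + 1) % MOD, "ack": (b + 1) % MOD}]

def replay(packets, listener):
    """Send captured packets unchanged, ignoring whatever the listener answers."""
    replies = [listener.receive(p) for p in packets]
    return listener.state, replies

if __name__ == "__main__":
    state, b = live_handshake(100, ToyListener())   # original session
    print("live:", state)
    print("replay:", replay(client_packets(100, b), ToyListener())[0])
```

The replayed session stays in `SYN_RCVD` unless the listener happens to choose the same B as in the capture, which is why a blind replay of a TCP stream never reaches the application's `accept()`.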