
Re: a question about firewalls (or whatever else that might cause packet drop)



On 11/28/2012 12:04 PM, Darac Marjal wrote:
> On Wed, Nov 28, 2012 at 11:54:04AM +0000, Matej Kosik wrote:
>> Hi,
>>
>> I am experiencing some deterministic packet drop:
>> - when I tcpreplay on "lo" some pcap (0.pcap) file,
>>   that traffic does not reach listening applications
>> - when I change source IP address from whatever it was to, e.g.,
>>   10.0.10.6, 10.0.10.7 etc,
>>   then when I try to replay the modified pcap file (1.pcap),
>>   that traffic does reach applications.
>>
>> I would like to find out the cause of this.
>> The only thing which could be causing this that I was aware of was
>> "iptables". However, when I apt-get removed it, nothing changed.
>>
>> What else should I check?
> 
> Have a look at the TCP sequence numbers and the TCP Handshake.

In my case, the given pcap contains only some UDP multicast traffic.
There are no TCP segments.

> To
> establish a connection:
>  * The client sends a SYN packet to the server with a random sequence
>    number (A).
>  * The server replies with a SYN-ACK packet with an acknowledgement
>    number set to one more than the client's sequence number (A + 1) 
>    and its own random sequence number (B).
>  * The client sends an ACK packet to the server with an acknowledgement
>    number set to one more than the server's sequence number (B + 1) and
>    a sequence number of the received acknowledgement number (A + 1).
> 
> So, when you replay the traffic, that third stage goes wrong (basically,
> you send the wrong B+1 value).
> 
> Have a look at
> "http://tcpreplay.synfin.net/wiki/FAQ#Doestcpreplaysupportsendingtraffictoaserver"
> 


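The handshake described in the quoted reply, as an added example that is not part of the original thread: a toy model showing why a blindly replayed ACK is rejected once the server picks a fresh sequence number B. The class and function names are hypothetical, the sequence numbers are constructed, and no real packets are sent.

```python
import secrets

MOD = 2**32  # TCP sequence numbers are 32-bit and wrap around


class Server:
    """Toy model of the server side of the three-way handshake."""

    def __init__(self, isn=None):
        # B: the server's initial sequence number, random per connection
        self.isn = secrets.randbelow(MOD) if isn is None else isn
        self.client_isn = None

    def on_syn(self, seq):
        # Step 2: reply SYN-ACK with ack = A + 1 and our own seq = B
        self.client_isn = seq
        return {"flags": "SYN-ACK", "seq": self.isn, "ack": (seq + 1) % MOD}

    def on_ack(self, seq, ack):
        # Step 3 is accepted only if seq == A + 1 and ack == B + 1
        return (seq == (self.client_isn + 1) % MOD
                and ack == (self.isn + 1) % MOD)


def capture_handshake(server, client_isn):
    """Run a live handshake; return the client's packets (the 'pcap')."""
    syn = {"flags": "SYN", "seq": client_isn}
    synack = server.on_syn(syn["seq"])
    ack = {"flags": "ACK", "seq": synack["ack"],
           "ack": (synack["seq"] + 1) % MOD}
    assert server.on_ack(ack["seq"], ack["ack"])
    return [syn, ack]


def replay(server, client_packets):
    """Resend recorded client packets, ignoring the server's replies."""
    syn, ack = client_packets
    server.on_syn(syn["seq"])  # server answers with its *new* B
    return server.on_ack(ack["seq"], ack["ack"])  # recorded ack = old B + 1


if __name__ == "__main__":
    recorded = capture_handshake(Server(isn=1000), client_isn=5000)
    print("replay vs. new server ISN:", replay(Server(isn=2000), recorded))
    print("replay vs. same server ISN:", replay(Server(isn=1000), recorded))
```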