On Wed, Feb 25, 2015 at 09:30:49PM +1100, Ian Smith wrote:
> This snippet is from an old Linux 2.4 router/firewall/proxy box, usually 
> clockwork.  Clipped this while monitoring one night, saved it, forgot, 
> but still find it curious and haven't seen anything similar before or
> since.  31.13.70.1 & 173.252.102.24 are Facebook, our guy 192.168.9.21
> 
> 25/9/2014 what?  rpc?  no rpc here even internally.  .21 is a win7 box.
> 
> 22:34:15.753436 IP 31.13.70.1.443 > 192.168.9.21.3721: . 21784:23236(1452) ack 15573 win 65340
> 22:34:15.753560 IP 31.13.70.1.443 > 192.168.9.21.3721: P 23236:23661(425) ack 15573 win 65340
> 22:34:15.754017 IP 192.168.9.21.3721 > 31.13.70.1.443: . ack 23661 win 65535
> 22:34:15.828235 IP 173.252.102.24.3660741704 > 192.168.9.21.2049: 735 proc-3090265999
> 22:34:15.837027 IP 192.168.9.21.2049 > 173.252.102.24.3355443200: reply Unknown rpc response code=239244857 1452
> 22:34:15.837031 IP 192.168.9.21.2049 > 173.252.102.24.1494367229: reply Unknown rpc response code=3295742795 33
> 22:34:15.875408 IP 31.13.70.1.443 > 192.168.9.21.3721: . 23661:25113(1452) ack 15573 win 65340
> 22:34:15.875552 IP 31.13.70.1.443 > 192.168.9.21.3721: P 25113:25677(564) ack 15573 win 65340
> 22:34:15.875976 IP 192.168.9.21.3721 > 31.13.70.1.443: . ack 25677 win 65535
> 22:34:16.114979 IP 173.252.102.24.443 > 192.168.9.21.2049: . ack 3841 win 64670
> 22:34:16.116361 IP 173.252.102.24.443 > 192.168.9.21.2049: . ack 3874 win 64670
> 22:34:16.117679 IP 173.252.102.24.4046617672 > 192.168.9.21.2049: 758 proc-685943137
> 22:34:16.124011 IP 192.168.9.21.2049 > 173.252.102.24.2483027968: reply Unknown rpc response code=255805058 1177
> 22:34:16.400004 IP 173.252.102.24.443 > 192.168.9.21.2049: . ack 5051 win 64670
> 22:34:20.928488 IP 173.252.102.24.2100460616 > 192.168.9.21.2049: 1410 proc-3156600121
> 22:34:20.935755 IP 192.168.9.21.2049 > 173.252.102.24.2483027968: reply Unknown rpc response code=269780798 1177
> 22:34:21.211544 IP 173.252.102.24.443 > 192.168.9.21.2049: . ack 6228 win 64670
> 
> Kick me downstairs if it's just some old Linux thing, especially the 2-3 
> giga(what?) port numbers, but otherwise, what is this about?

Supposition: whatever you are using on Linux is seeing the 2049 port
number and trying to decode the packet as NFS traffic even though
it's not, and the port number isn't a port number at all but an NFS handle
or something, but it isn't really, it's just some data from the packet
contents that is in the location where the handle would be if the packet
were truly NFS.

Regards,

Gary
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
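
Added example (not part of the original thread, and not tcpdump's own code): a sketch of the effect Gary describes, where a decoder keyed only on port 2049 reads the first bytes of a TLS segment as an ONC RPC header (RFC 5531) and prints the resulting transaction ID where the peer's port 443 would appear. The function names, the record-mark handling and the sample segment are assumptions made for the illustration.

```python
import struct

NFS_PORT = 2049  # here it is only the client's ephemeral port on an HTTPS connection

def parse_rpc_header(payload, record_marked=True):
    """Read the start of a TCP payload as an ONC RPC message (RFC 5531).
    Assumption: the 4-byte record mark used by RPC over TCP is skipped first."""
    off = 4 if record_marked else 0
    if len(payload) < off + 8:
        return None                      # bare ACK or too short: nothing to decode
    xid, msg_type = struct.unpack_from(">II", payload, off)
    hdr = {"xid": xid, "msg_type": msg_type, "rpcvers": None}
    if msg_type == 0 and len(payload) >= off + 12:   # a CALL carries the RPC version
        hdr["rpcvers"] = struct.unpack_from(">I", payload, off + 8)[0]
    return hdr

def plausible_rpc(hdr):
    """Sanity check a port-only decoder skips: msg_type must be 0 (CALL) or
    1 (REPLY), and a CALL must carry RPC version 2."""
    if hdr is None:
        return False
    return hdr["msg_type"] == 1 or (hdr["msg_type"] == 0 and hdr["rpcvers"] == 2)

def port_only_label(src, sport, dst, dport, payload):
    """Label a segment the way a port-keyed decoder would: if either port is 2049
    and there is payload, the 'xid' is shown where the other port would be."""
    hdr = parse_rpc_header(payload) if NFS_PORT in (sport, dport) else None
    if hdr is None:
        return f"{src}.{sport} > {dst}.{dport}"
    if dport == NFS_PORT:
        return f"{src}.{hdr['xid']} > {dst}.{dport}: {len(payload)}"
    return f"{src}.{sport} > {dst}.{hdr['xid']}: reply"

# Constructed sample: a TLS application-data record header plus filler "ciphertext".
TLS_SEGMENT = bytes.fromhex("17030302da") + bytes((i * 37 + 11) % 256 for i in range(730))

if __name__ == "__main__":
    # Data segment: a multi-gigabyte "port" appears, as in the trace.
    print(port_only_label("173.252.102.24", 443, "192.168.9.21", 2049, TLS_SEGMENT))
    # Bare ACK: no payload to misread, so the real port 443 is shown.
    print(port_only_label("173.252.102.24", 443, "192.168.9.21", 2049, b""))
    print("plausible RPC:", plausible_rpc(parse_rpc_header(TLS_SEGMENT)))
```

Capturing with `tcpdump -n -X` (or opening the capture in a tool that tracks the TCP stream) shows the real TCP ports in the header bytes regardless of how the summary line was decoded.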
