On Wed, 25 Feb 2015 14:59:18 +0000, Gary Palmer wrote:
 > On Wed, Feb 25, 2015 at 09:30:49PM +1100, Ian Smith wrote:
 > > This snippet is from an old Linux 2.4 router/firewall/proxy box, usually 
 > > clockwork.  Clipped this while monitoring one night, saved it, forgot, 
 > > but still find it curious and haven't seen anything similar before or
 > > since.  31.13.70.1 & 173.252.102.24 are Facebook, our guy 192.168.9.21
 > > 
 > > 25/9/2014 what?  rpc?  no rpc here even internally.  .21 is a win7 box.
 > > 
 > > 22:34:15.753436 IP 31.13.70.1.443 > 192.168.9.21.3721: . 21784:23236(1452) ack 15573 win 65340
 > > 22:34:15.753560 IP 31.13.70.1.443 > 192.168.9.21.3721: P 23236:23661(425) ack 15573 win 65340
 > > 22:34:15.754017 IP 192.168.9.21.3721 > 31.13.70.1.443: . ack 23661 win 65535
 > > 22:34:15.828235 IP 173.252.102.24.3660741704 > 192.168.9.21.2049: 735 proc-3090265999
 > > 22:34:15.837027 IP 192.168.9.21.2049 > 173.252.102.24.3355443200: reply Unknown rpc response code=239244857 1452
 > > 22:34:15.837031 IP 192.168.9.21.2049 > 173.252.102.24.1494367229: reply Unknown rpc response code=3295742795 33
 > > 22:34:15.875408 IP 31.13.70.1.443 > 192.168.9.21.3721: . 23661:25113(1452) ack 15573 win 65340
 > > 22:34:15.875552 IP 31.13.70.1.443 > 192.168.9.21.3721: P 25113:25677(564) ack 15573 win 65340
 > > 22:34:15.875976 IP 192.168.9.21.3721 > 31.13.70.1.443: . ack 25677 win 65535
 > > 22:34:16.114979 IP 173.252.102.24.443 > 192.168.9.21.2049: . ack 3841 win 64670
 > > 22:34:16.116361 IP 173.252.102.24.443 > 192.168.9.21.2049: . ack 3874 win 64670
 > > 22:34:16.117679 IP 173.252.102.24.4046617672 > 192.168.9.21.2049: 758 proc-685943137
 > > 22:34:16.124011 IP 192.168.9.21.2049 > 173.252.102.24.2483027968: reply Unknown rpc response code=255805058 1177
 > > 22:34:16.400004 IP 173.252.102.24.443 > 192.168.9.21.2049: . ack 5051 win 64670
 > > 22:34:20.928488 IP 173.252.102.24.2100460616 > 192.168.9.21.2049: 1410 proc-3156600121
 > > 22:34:20.935755 IP 192.168.9.21.2049 > 173.252.102.24.2483027968: reply Unknown rpc response code=269780798 1177
 > > 22:34:21.211544 IP 173.252.102.24.443 > 192.168.9.21.2049: . ack 6228 win 64670
 > > 
 > > Kick me downstairs if it's just some old Linux thing, especially the 2-3 
 > > giga(what?) port numbers, but otherwise, what is this about?
 > 
 > Supposition: whatever you are using on Linux is seeing the 2049 port
 > number and trying to decode the packet as NFS traffic even though
 > it's not, and the port number isn't a port number at all but an NFS handle
 > or something, but it isn't really, it's just some data from the packet
 > contents that is in the location where the handle would be if the packet
 > were truly NFS.

Ah, right, of course I should have checked /etc/services first ..

nfsd            2049/sctp  nfs          # NFS server daemon
nfsd            2049/tcp   nfs          # NFS server daemon
nfsd            2049/udp   nfs          # NFS server daemon

All that's running on Linux is tcpdump -pn on the router - the traffic 
is with the win7 box - so I guess Linux's tcpdump was (mis)interpreting.  
Seems that traffic was getting through anyway, but I didn't clip much.

Thanks,

Ian
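
A check for the misdecode discussed in this thread, as an added example that is not part of the original messages: it scans `tcpdump -n` text output for an endpoint field larger than 65535 sitting next to port 2049, the pattern in the quoted capture. The function names are hypothetical, the sample lines are copied from the capture above and rejoined onto single lines, and it assumes IPv4 lines in this old tcpdump text format.

```python
import re

# Old-style tcpdump -n text line: "<time> IP <src>.<field> > <dst>.<field>: <rest>"
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sf>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<df>\d+): (?P<rest>.*)$"
)
NFS_PORT = 2049  # nfsd in /etc/services, as quoted in the thread

def classify(line):
    """Return (verdict, hex_word) for one tcpdump text line."""
    m = LINE.match(line.strip())
    if not m:
        return ("unparsed", None)
    sf, df = int(m["sf"]), int(m["df"])
    if sf <= 0xFFFF and df <= 0xFFFF:
        return ("plain", None)
    # A TCP/UDP port is 16 bits, so a larger value cannot be a port.
    if NFS_PORT in (sf, df):
        bogus = sf if sf > 0xFFFF else df
        # Show the field as a 32-bit word: it is decoder output, not an address part.
        return ("nfs-misdecode", f"0x{bogus:08x}")
    return ("bad-port", None)

def triage(lines):
    """List (timestamp, hex_word) for lines decoded as NFS/RPC because of port 2049."""
    hits = []
    for line in lines:
        verdict, word = classify(line)
        if verdict == "nfs-misdecode":
            hits.append((line.split()[0], word))
    return hits

# Sample input: lines from the capture quoted in this thread, rejoined.
SAMPLE = [
    "22:34:15.753436 IP 31.13.70.1.443 > 192.168.9.21.3721: . 21784:23236(1452) ack 15573 win 65340",
    "22:34:15.828235 IP 173.252.102.24.3660741704 > 192.168.9.21.2049: 735 proc-3090265999",
    "22:34:15.837027 IP 192.168.9.21.2049 > 173.252.102.24.3355443200: reply Unknown rpc response code=239244857 1452",
    "22:34:16.114979 IP 173.252.102.24.443 > 192.168.9.21.2049: . ack 3841 win 64670",
]

if __name__ == "__main__":
    for ts, word in triage(SAMPLE):
        print(f"{ts}: port 2049 triggered NFS decoding; field in port position = {word}")
```

Lines flagged this way are worth re-reading from a raw capture (`tcpdump -w`) before treating them as RPC or NFS activity.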
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net