tcpdump sniff analysis
Good morning everyone!
I need some help analysing a tcpdump sniff on Linux.
I am having an e-mail problem with a particular customer, and this customer is telling me that the problem is here at my company.
What I want to know is which side is RESETTING the connection while the packets are being sent: the meu_dominio side or the dominio_cliente side.
Below is the sniff report from meu_dominio to dominio_cliente.
The output below comes from a connection analysed with a sniff (tcpdump) on my firewall, on port 25, while sending an e-mail with a 750 KB attachment. The same attachment was sent to both domains.
Tests between meu_dominio and dominio_cliente
Source meu_dominio to dominio_cliente
tcpdump -i eth1 tcp port 25 and src host XXX.XXX.XXX.XXX and dst host XXX.XXX.XXXX.XXX
(src host = meu_dominio, dst host = dominio_cliente)
12:07:52.894744 IP meu_dominio.7692 > dominio_cliente.smtp: S 2032922388:2032922388(0) win 65535 <mss 1460,nop,nop,sackOK>
12:07:55.909873 IP meu_dominio.7692 > dominio_cliente.smtp: S 2032922388:2032922388(0) win 65535 <mss 1460,nop,nop,sackOK>
12:07:56.485210 IP meu_dominio.7692 > dominio_cliente.smtp: . ack 542263311 win 65535
12:07:59.025661 IP meu_dominio.7692 > dominio_cliente.smtp: . ack 1 win 65535
12:07:59.556358 IP meu_dominio.7692 > dominio_cliente.smtp: P 0:46(46) ack 10 win 65526
12:08:02.152457 IP meu_dominio.7692 > dominio_cliente.smtp: P 46:168(122) ack 181 win 65355
12:08:04.550886 IP meu_dominio.7692 > dominio_cliente.smtp: . ack 189 win 65347
12:08:06.479953 IP meu_dominio.7692 > dominio_cliente.smtp: P 168:174(6) ack 205 win 65331
12:08:08.228053 IP meu_dominio.7692 > dominio_cliente.smtp: . 174:1134(960) ack 251 win 65285
12:08:08.228116 IP meu_dominio.7692 > dominio_cliente.smtp: . 1134:2094(960) ack 251 win 65285
12:08:08.228184 IP meu_dominio.7692 > dominio_cliente.smtp: . 2094:3054(960) ack 251 win 65285
12:08:08.228272 IP meu_dominio.7692 > dominio_cliente.smtp: . 3054:4014(960) ack 251 win 65285
12:08:10.404237 IP meu_dominio.7692 > dominio_cliente.smtp: . 4014:4974(960) ack 251 win 65285
12:08:10.407314 IP meu_dominio.7692 > dominio_cliente.smtp: . 4974:5934(960) ack 251 win 65285
12:08:10.407366 IP meu_dominio.7692 > dominio_cliente.smtp: . 5934:6894(960) ack 251 win 65285
12:08:10.407444 IP meu_dominio.7692 > dominio_cliente.smtp: . 6894:7854(960) ack 251 win 65285
12:08:10.456859 IP meu_dominio.7692 > dominio_cliente.smtp: . 7854:8814(960) ack 251 win 65285
12:08:10.456904 IP meu_dominio.7692 > dominio_cliente.smtp: . 8814:9774(960) ack 251 win 65285
12:08:12.185487 IP meu_dominio.7692 > dominio_cliente.smtp: . 9774:10734(960) ack 251 win 65285
12:08:12.185532 IP meu_dominio.7692 > dominio_cliente.smtp: . 10734:11694(960) ack 251 win 65285
12:08:12.186186 IP meu_dominio.7692 > dominio_cliente.smtp: P 11694:12654(960) ack 251 win 65285
12:08:12.186230 IP meu_dominio.7692 > dominio_cliente.smtp: . 12654:13614(960) ack 251 win 65285
12:08:12.186792 IP meu_dominio.7692 > dominio_cliente.smtp: . 13614:14574(960) ack 251 win 65285
12:08:12.186855 IP meu_dominio.7692 > dominio_cliente.smtp: . 14574:15534(960) ack 251 win 65285
12:08:12.222920 IP meu_dominio.7692 > dominio_cliente.smtp: . 15534:16494(960) ack 251 win 65285
12:08:12.222961 IP meu_dominio.7692 > dominio_cliente.smtp: . 16494:17454(960) ack 251 win 65285
12:08:12.223185 IP meu_dominio.7692 > dominio_cliente.smtp: . 17454:18414(960) ack 251 win 65285
12:08:12.223263 IP meu_dominio.7692 > dominio_cliente.smtp: . 18414:19374(960) ack 251 win 65285
12:08:12.223475 IP meu_dominio.7692 > dominio_cliente.smtp: . 19374:20334(960) ack 251 win 65285
12:08:12.223539 IP meu_dominio.7692 > dominio_cliente.smtp: . 20334:21294(960) ack 251 win 65285
12:08:14.152592 IP meu_dominio.7692 > dominio_cliente.smtp: R 2032932163:2032932163(0) win 0
12:08:14.156074 IP meu_dominio.7692 > dominio_cliente.smtp: R 2032932163:2032932163(0) win 0
12:08:14.160103 IP meu_dominio.7692 > dominio_cliente.smtp: R 2032932163:2032932163(0) win 0
12:08:14.168815 IP meu_dominio.7692 > dominio_cliente.smtp: R 2032932163:2032932163(0) win 0
12:08:14.196345 IP meu_dominio.7692 > dominio_cliente.smtp: R 2032932163:2032932163(0) win 0
12:08:14.213007 IP meu_dominio.7692 > dominio_cliente.smtp: R 2032932163:2032932163(0) win 0
12:08:14.234056 IP meu_dominio.7692 > dominio_cliente.smtp: R 2032932163:2032932163(0) win 0
12:08:14.234309 IP meu_dominio.7692 > dominio_cliente.smtp: R 2032932163:2032932163(0) win 0
12:08:14.259358 IP meu_dominio.7692 > dominio_cliente.smtp: R 2032932163:2032932163(0) win 0
12:08:18.441875 IP meu_dominio.7692 > dominio_cliente.smtp: . 9774:10734(960) ack 251 win 65285
12:08:30.801452 IP meu_dominio.7692 > dominio_cliente.smtp: . 9774:10734(960) ack 251 win 65285
12:08:55.630058 IP meu_dominio.7692 > dominio_cliente.smtp: . 9774:10734(960) ack 251 win 65285
12:09:45.177842 IP meu_dominio.7692 > dominio_cliente.smtp: . 9774:10734(960) ack 251 win 65285
12:10:45.225827 IP meu_dominio.7692 > dominio_cliente.smtp: . 9774:10734(960) ack 251 win 65285
Source dominio_cliente to meu_dominio
tcpdump -i eth1 tcp port 25 and src host XXX.XXX.XXXX.XXX and dst host XXX.XXX.XXX.XXX
(src host = dominio_cliente, dst host = meu_dominio)
12:07:56.484986 IP dominio_cliente.smtp > meu_dominio.7692: S 542263310:542263310(0) ack 2032922389 win 3840 <mss 960,nop,nop,sackOK>
12:07:59.025452 IP dominio_cliente.smtp > meu_dominio.7692: S 542263310:542263310(0) ack 2032922389 win 3840 <mss 960,nop,nop,sackOK>
12:07:59.555710 IP dominio_cliente.smtp > meu_dominio.7692: P 1:10(9) ack 1 win 3840
12:08:02.149990 IP dominio_cliente.smtp > meu_dominio.7692: . ack 47 win 3840
12:08:02.151459 IP dominio_cliente.smtp > meu_dominio.7692: P 10:181(171) ack 47 win 3840
12:08:04.422964 IP dominio_cliente.smtp > meu_dominio.7692: . ack 169 win 3840
12:08:04.425484 IP dominio_cliente.smtp > meu_dominio.7692: P 181:189(8) ack 169 win 3840
12:08:06.445341 IP dominio_cliente.smtp > meu_dominio.7692: P 189:205(16) ack 169 win 3840
12:08:08.226633 IP dominio_cliente.smtp > meu_dominio.7692: . ack 175 win 3840
12:08:08.227259 IP dominio_cliente.smtp > meu_dominio.7692: P 205:251(46) ack 175 win 3840
12:08:10.403892 IP dominio_cliente.smtp > meu_dominio.7692: . ack 1135 win 5760
12:08:10.406974 IP dominio_cliente.smtp > meu_dominio.7692: . ack 3055 win 9600
12:08:10.456512 IP dominio_cliente.smtp > meu_dominio.7692: . ack 4015 win 11520
12:08:12.185173 IP dominio_cliente.smtp > meu_dominio.7692: . ack 4975 win 13440
12:08:12.185846 IP dominio_cliente.smtp > meu_dominio.7692: . ack 5935 win 15360
12:08:12.186500 IP dominio_cliente.smtp > meu_dominio.7692: . ack 6895 win 17280
12:08:12.222569 IP dominio_cliente.smtp > meu_dominio.7692: . ack 7855 win 19200
12:08:12.222832 IP dominio_cliente.smtp > meu_dominio.7692: . ack 8815 win 21120
12:08:12.223204 IP dominio_cliente.smtp > meu_dominio.7692: . ack 9775 win 23040
12:08:14.152523 IP dominio_cliente.smtp > meu_dominio.7692: . ack 9775 win 23040 <nop,nop,sack sack 1 {159869691:159870651} >
12:08:14.156025 IP dominio_cliente.smtp > meu_dominio.7692: . ack 9775 win 23040 <nop,nop,sack sack 1 {159869691:159871611} >
12:08:14.160063 IP dominio_cliente.smtp > meu_dominio.7692: . ack 9775 win 23040 <nop,nop,sack sack 1 {159869691:159872571} >
12:08:14.168775 IP dominio_cliente.smtp > meu_dominio.7692: . ack 9775 win 23040 <nop,nop,sack sack 1 {159869691:159873531} >
12:08:14.196299 IP dominio_cliente.smtp > meu_dominio.7692: . ack 9775 win 23040 <nop,nop,sack sack 1 {159869691:159874491} >
12:08:14.212953 IP dominio_cliente.smtp > meu_dominio.7692: . ack 9775 win 23040 <nop,nop,sack sack 2 {159875451:159876411} {159869691:159874491} >
12:08:14.234005 IP dominio_cliente.smtp > meu_dominio.7692: . ack 9775 win 23040 <nop,nop,sack sack 2 {159875451:159877371} {159869691:159874491} >
12:08:14.234267 IP dominio_cliente.smtp > meu_dominio.7692: . ack 9775 win 23040 <nop,nop,sack sack 3 {159878331:159879291}{159875451:159877371}{159869691:159874491} >
12:08:14.259283 IP dominio_cliente.smtp > meu_dominio.7692: . ack 9775 win 23040 <nop,nop,sack sack 3 {159878331:159880251}{159875451:159877371}{159869691:159874491} >
12:13:02.962686 IP dominio_cliente.smtp > meu_dominio.7780: S 1974633516:1974633516(0) ack 1200081353 win 3840 <mss 960,nop,nop,sackOK>
12:13:04.137939 IP dominio_cliente.smtp > meu_dominio.7780: P 1:10(9) ack 1 win 3840
12:13:05.301775 IP dominio_cliente.smtp > meu_dominio.7780: . ack 47 win 3840
12:13:05.301924 IP dominio_cliente.smtp > meu_dominio.7780: P 10:181(171) ack 47 win 3840
12:13:07.116650 IP dominio_cliente.smtp > meu_dominio.7780: P 181:189(8) ack 169 win 3840
12:13:08.605668 IP dominio_cliente.smtp > meu_dominio.7780: P 189:205(16) ack 169 win 3840
12:13:09.591805 IP dominio_cliente.smtp > meu_dominio.7780: P 205:251(46) ack 175 win 3840
12:13:11.182318 IP dominio_cliente.smtp > meu_dominio.7780: . ack 1135 win 5760
12:13:11.190705 IP dominio_cliente.smtp > meu_dominio.7780: . ack 3055 win 9600
12:13:11.241124 IP dominio_cliente.smtp > meu_dominio.7780: . ack 4015 win 11520
12:13:12.567613 IP dominio_cliente.smtp > meu_dominio.7780: . ack 4975 win 13440
12:13:12.575604 IP dominio_cliente.smtp > meu_dominio.7780: . ack 5935 win 15360
12:13:12.585486 IP dominio_cliente.smtp > meu_dominio.7780: . ack 6895 win 17280
12:13:12.585611 IP dominio_cliente.smtp > meu_dominio.7780: . ack 7855 win 19200
12:13:12.613835 IP dominio_cliente.smtp > meu_dominio.7780: . ack 8815 win 21120
12:13:12.632058 IP dominio_cliente.smtp > meu_dominio.7780: . ack 9775 win 23040
12:13:14.008924 IP dominio_cliente.smtp > meu_dominio.7780: . ack 10735 win 24960
12:13:14.063827 IP dominio_cliente.smtp > meu_dominio.7780: . ack 11695 win 26880
12:13:14.096267 IP dominio_cliente.smtp > meu_dominio.7780: . ack 12655 win 28800
12:13:14.096268 IP dominio_cliente.smtp > meu_dominio.7780: . ack 13615 win 30720
12:13:14.096328 IP dominio_cliente.smtp > meu_dominio.7780: . ack 14575 win 32640
12:13:14.096398 IP dominio_cliente.smtp > meu_dominio.7780: . ack 15535 win 34560
12:13:14.100083 IP dominio_cliente.smtp > meu_dominio.7780: . ack 17455 win 34560
12:13:14.128117 IP dominio_cliente.smtp > meu_dominio.7780: . ack 19375 win 34560
12:13:14.152162 IP dominio_cliente.smtp > meu_dominio.7780: . ack 21295 win 34560
12:13:15.760257 IP dominio_cliente.smtp > meu_dominio.7780: . ack 23215 win 34560
12:13:15.779628 IP dominio_cliente.smtp > meu_dominio.7780: . ack 24802 win 34560
12:13:15.799946 IP dominio_cliente.smtp > meu_dominio.7780: . ack 26722 win 34560
12:13:15.819326 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688945296} >
12:13:15.823285 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688946256} >
12:13:15.828833 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688947216} >
12:13:15.844065 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688948176} >
12:13:15.848049 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688949136} >
12:13:15.868216 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688950096} >
12:13:15.879105 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688951056} >
12:13:15.882875 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688952016} >
12:13:15.907424 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688952809} >
12:13:17.280120 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688953769} >
12:13:17.299643 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688954729} >
12:13:17.300152 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688955689} >
12:13:17.300988 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688956649} >
12:13:17.315417 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688957609} >
12:13:17.325163 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688958569} >
12:13:17.505889 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688959529} >
12:13:17.506039 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688960489} >
12:13:17.506256 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688961449} >
12:13:17.506793 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688962409} >
12:13:17.507001 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688963369} >
12:13:17.512962 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688964329} >
12:13:17.513170 IP dominio_cliente.smtp > meu_dominio.7780: . ack 27682 win 34560 <nop,nop,sack sack 1 {1688944336:1688965122} >
12:16:34.026380 IP dominio_cliente.smtp > meu_dominio.7854: S 2521624132:2521624132(0) ack 3715887869 win 3840 <mss 960,nop,nop,sackOK>
12:16:36.450930 IP dominio_cliente.smtp > meu_dominio.7854: P 1:10(9) ack 1 win 3840
12:16:38.411052 IP dominio_cliente.smtp > meu_dominio.7854: . ack 47 win 3840
12:16:38.418146 IP dominio_cliente.smtp > meu_dominio.7854: P 10:181(171) ack 47 win 3840
12:16:39.587653 IP dominio_cliente.smtp > meu_dominio.7854: P 181:189(8) ack 169 win 3840
12:16:40.490695 IP dominio_cliente.smtp > meu_dominio.7854: P 189:205(16) ack 169 win 3840
12:16:41.709517 IP dominio_cliente.smtp > meu_dominio.7854: P 205:251(46) ack 175 win 3840
The flags at this layer are as follows: S (SYN) synchronisation, F (FIN) finish, P (PUSH) data, R (RESET). Note that the R (RESET) is always on the side of the dominio_cliente servers.
Regards,
Claudio Rulim
Senior Support Analyst
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
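As an added example (editor's code, not part of Claudio's post), the script below parses tcpdump TCP lines in the old format shown above and answers the question the post asks mechanically: for every segment carrying the R flag it reports which endpoint sent it, the RST's sequence number relative to that endpoint's ISN, whether that value equals the last ACK the peer had sent (the sequence number RFC 793 gives a reset that answers an incoming ACK segment), and how many data segments the RST sender still transmitted after its last RST. The sample input is a constructed subset of the capture above, merged in time order; the regular expression assumes the exact layout of that tcpdump version (relative sequence numbers after the SYN, absolute numbers on the RST), so a newer tcpdump with `Flags [R]` output would need the pattern adjusted.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One TCP line of old-style tcpdump output, for example:
# 12:08:14.152592 IP meu_dominio.7692 > dominio_cliente.smtp: R 2032932163:2032932163(0) win 0
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFPRU.]+)"
    r"(?: (?P<seq0>\d+):(?P<seq1>\d+)\((?P<length>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
    r"(?: <(?P<opts>.*?)>)?\s*$"
)


@dataclass
class Segment:
    t: float            # seconds since midnight, from the timestamp
    src: str
    dst: str
    flags: str
    seq0: Optional[int]
    seq1: Optional[int]
    length: int
    ack: Optional[int]
    opts: str


def parse_line(line: str) -> Optional[Segment]:
    """Parse one tcpdump line; return None for lines that are not TCP segments."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    t = int(h) * 3600 + int(mi) * 60 + float(s)
    num = lambda k: int(m[k]) if m[k] is not None else None
    return Segment(t, m["src"], m["dst"], m["flags"], num("seq0"), num("seq1"),
                   num("length") or 0, num("ack"), m["opts"] or "")


def parse_capture(text: str) -> list:
    """Parse a whole capture (both directions may be mixed) and sort it by time."""
    segs = (parse_line(l) for l in text.splitlines() if l.strip())
    return sorted((s for s in segs if s is not None), key=lambda s: s.t)


def analyze_resets(text: str) -> dict:
    """Report who sent the RSTs and whether their sequence numbers came from the peer's ACKs."""
    segs = parse_capture(text)
    isn = {}
    for s in segs:                      # first SYN (or SYN/ACK) seen per endpoint
        if "S" in s.flags and s.seq0 is not None:
            isn.setdefault(s.src, s.seq0)
    rsts = [s for s in segs if "R" in s.flags]
    if not rsts:
        return {"rst_sender": None, "rst_count": 0}
    sender, peer = rsts[0].src, rsts[0].dst
    report = {"rst_sender": sender, "rst_count": len(rsts),
              "rst_rel_seq": set(), "rst_seq_equals_peer_ack": True}
    for r in rsts:
        rel = r.seq0 - isn[sender]      # RST is printed absolute; make it relative to the ISN
        report["rst_rel_seq"].add(rel)
        # the latest ACK the peer had sent before this RST went out
        prior = [s.ack for s in segs if s.src == peer and s.ack is not None and s.t < r.t]
        if not prior or prior[-1] != rel:
            report["rst_seq_equals_peer_ack"] = False
    last_rst = rsts[-1].t
    # data the RST sender kept (re)transmitting after its own last RST
    report["data_after_rst"] = sum(1 for s in segs
                                   if s.src == sender and s.length > 0 and s.t > last_rst)
    return report


# Constructed sample: a subset of the two captures above, merged in time order.
SAMPLE = """\
12:07:52.894744 IP meu_dominio.7692 > dominio_cliente.smtp: S 2032922388:2032922388(0) win 65535 <mss 1460,nop,nop,sackOK>
12:07:56.484986 IP dominio_cliente.smtp > meu_dominio.7692: S 542263310:542263310(0) ack 2032922389 win 3840 <mss 960,nop,nop,sackOK>
12:08:12.185487 IP meu_dominio.7692 > dominio_cliente.smtp: . 9774:10734(960) ack 251 win 65285
12:08:12.185532 IP meu_dominio.7692 > dominio_cliente.smtp: . 10734:11694(960) ack 251 win 65285
12:08:12.223204 IP dominio_cliente.smtp > meu_dominio.7692: . ack 9775 win 23040
12:08:14.152523 IP dominio_cliente.smtp > meu_dominio.7692: . ack 9775 win 23040 <nop,nop,sack sack 1 {159869691:159870651} >
12:08:14.152592 IP meu_dominio.7692 > dominio_cliente.smtp: R 2032932163:2032932163(0) win 0
12:08:14.156025 IP dominio_cliente.smtp > meu_dominio.7692: . ack 9775 win 23040 <nop,nop,sack sack 1 {159869691:159871611} >
12:08:14.156074 IP meu_dominio.7692 > dominio_cliente.smtp: R 2032932163:2032932163(0) win 0
12:08:18.441875 IP meu_dominio.7692 > dominio_cliente.smtp: . 9774:10734(960) ack 251 win 65285
12:08:30.801452 IP meu_dominio.7692 > dominio_cliente.smtp: . 9774:10734(960) ack 251 win 65285
"""

if __name__ == "__main__":
    print(analyze_resets(SAMPLE))
```

On the sample it reports meu_dominio.7692 as the sender of both RSTs, at relative sequence 9775, equal to the ack 9775 the peer had just sent, with two further transmissions of 9774:10734 from the same host after the last RST. The source address on the RST line answers the "which side" question directly; the other two checks are the ones worth running before blaming either mail server, because a reset whose sequence number is copied from the peer's ACK, followed by the same host continuing to retransmit data on that connection, is a pattern that should be compared against what the firewall or any other state-tracking device between the two hosts does with the SACK-bearing ACKs that precede each reset.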