[EMAIL PROTECTED] wrote:
> Hello all, this is regarding a problem I've been having and getting help
> about on this list. Specifically, a site we host that, when visited,
> often returns a Netscape error: "Connection reset by peer". It's for this
> domain and this domain only and its owner is getting understandably upset.
> I did some packet logging to see what was going on and I thought I'd share
> the results in case anyone here can interpret them better than I (very
> likely). I'm assuming that the (DF) flags are significant, but I don't
> know what they mean.
They aren't significant; TCP packets always have the DF flag set. It
stands for `don't fragment'. It means that a router won't fragment a
packet if it's larger than the MTU of the outbound interface. Instead,
it will send an error back to the sender. The sender will then break
the TCP stream up into smaller packets. This is known as `path MTU
discovery'.
> One interesting thing is that although the browser
> got that "connection reset" error, and I'd never clicked reload to load
> the page, as soon as I click "ok", the tcpdump showed in one big "burp"
> of data, a page of packets as though I'd successfully pulled it up. Also,
> the exact text of the error specifies "while Netscape was receiving data"
> so apparently the connection is established, but then something being sent
> confuses the browser (this works with IE, too. Not just Netscape) which
> refuses to accept/translate any of the packets being sent. Possible?
> Anyway. Here's excerpt:
>
> 22:58:06.292440 ppp-20.internet-frontier.net.62411 > www.unionjobs.com.80: S
>1944225:1944225(0) win 8192 <mss 1460> (DF)
> 22:58:06.292440 www.unionjobs.com.80 > ppp-20.internet-frontier.net.62411: R 0:0(0)
>ack 1944226 win 0
> 22:58:06.872440 ppp-20.internet-frontier.net.62412 > www.unionjobs.com.80: S
>1944225:1944225(0) win 8192 <mss 1460> (DF)
> 22:58:06.872440 www.unionjobs.com.80 > ppp-20.internet-frontier.net.62412: R 0:0(0)
>ack 1944226 win 0
> 22:58:07.472440 ppp-20.internet-frontier.net.62413 > www.unionjobs.com.80: S
>1944225:1944225(0) win 8192 <mss 1460> (DF)
> 22:58:07.472440 www.unionjobs.com.80 > ppp-20.internet-frontier.net.62413: R 0:0(0)
>ack 1944226 win 0
> 22:58:08.072440 ppp-20.internet-frontier.net.62414 > www.unionjobs.com.80: S
>1944225:1944225(0) win 8192 <mss 1460> (DF)
> 22:58:08.072440 www.unionjobs.com.80 > ppp-20.internet-frontier.net.62414: R 0:0(0)
>ack 1944226 win 0
Up to this point, it's consistent. ppp-20 tries to initiate a
connection to www.unionjobs.com:80, and www.unionjobs.com sends back a
RST (which usually indicates that nothing is listening on that port).
> 22:58:08.232440 ppp-20.internet-frontier.net.62414 > www.unionjobs.com.80: S
>1946168:1946168(0) win 8192 <mss 1460> (DF)
This is a bit odd. ppp-20 tries again to initiate the connection from
the same port, but with a different initial sequence number. Maybe it
just didn't get the last RST.
> 22:58:08.232440 www.unionjobs.com.80 > ppp-20.internet-frontier.net.62414: R 0:0(0)
>ack 1944 win 0
Is the `ack 1944' a cut-and-paste error? One would think that it would
be `ack 1944226'.
> 22:58:08.272440 www.unionjobs.com.80 > ppp-20.internet-frontier.net.62410: S
>2790906700:2790906700(0) ack 1937196 win 32736 <mss 1460>
This one packet doesn't follow the same pattern as the rest. It's
actually acknowledging a connection (one from port 62410, which isn't
shown above).
> 22:58:08.422440 ppp-20.internet-frontier.net.62410 > www.unionjobs.com.80: R
>1937196:1937196(0) win 0
Except that ppp-20 no longer considers this connection valid, so it
sends a RST.
> 22:58:11.182440 ppp-20.internet-frontier.net.62415 > www.unionjobs.com.80: S
>1946168:1946168(0) win 8192 <mss 1460> (DF)
> 22:58:11.182440 www.unionjobs.com.80 > ppp-20.internet-frontier.net.62415: R 0:0(0)
>ack 1946169 win 0
> 22:58:11.782440 ppp-20.internet-frontier.net.62416 > www.unionjobs.com.80: S
>1946168:1946168(0) win 8192 <mss 1460> (DF)
> 22:58:11.782440 www.unionjobs.com.80 > ppp-20.internet-frontier.net.62416: R 0:0(0)
>ack 1946169 win 0
> 22:58:12.372440 ppp-20.internet-frontier.net.62417 > www.unionjobs.com.80: S
>1946168:1946168(0) win 8192 <mss 1460> (DF)
> 22:58:12.372440 www.unionjobs.com.80 > ppp-20.internet-frontier.net.62417: R 0:0(0)
>ack 1946169 win 0
> 22:58:12.542440 ppp-20.internet-frontier.net.62417 > www.unionjobs.com.80: S
>1950484:1950484(0) win 8192 <mss 1460> (DF)
> 22:58:12.542440 www.unionjobs.com.80 > ppp-20.internet-frontier.net.62417: R 0:0(0)
>ack 4317 win 0
> 22:58:15.482440 ppp-20.internet-frontier.net.62418 > www.unionjobs.com.80: S
>1950484:1950484(0) win 8192 <mss 1460> (DF)
> 22:58:15.482440 www.unionjobs.com.80 > ppp-20.internet-frontier.net.62418: R 0:0(0)
>ack 1950485 win 0
> 22:58:15.482440 ppp-20.internet-frontier.net.62418 > www.unionjobs.com.80: S
>1950484:1950484(0) win 8192 <mss 1460> (DF)
> 22:58:15.482440 www.unionjobs.com.80 > ppp-20.internet-frontier.net.62418: R 0:0(0)
>ack 1950485 win 0
> 22:58:16.082440 ppp-20.internet-frontier.net.62419 > www.unionjobs.com.80: S
>1950484:1950484(0) win 8192 <mss 1460> (DF)
Again, this is all following the same pattern as before (apart from
the `ack 4317', which seems wrong).
> As usual, I'm open to suggestions and growing more desperate by the hour.
> Help! =:)
OK, just to be really, really clear on this: You haven't assigned the
IP address for www.unionjobs.com to another host by mistake, have you?
(If you're running DHCP/BOOTP, ensure that dhcpd/bootpd won't give out
this address to a client).
This really looks like another host (which isn't running an httpd) has
been allocated this IP address.
I take it that you are using IP-based virtual hosts (i.e. you have
allocated multiple IP addresses to virtual interfaces on the web
server), right?
Are you using BindAddress (other than `BindAddress *') in httpd.conf?
--
Glynn Clements <[EMAIL PROTECTED]>
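
Added example, not part of the original message: a small Python parser for old-style tcpdump lines like those in the trace. It pairs each SYN to port 80 with the server's answer and flags the two oddities pointed out in the reply: an ack that is not ISN+1, and a SYN-ACK mixed in among RSTs. The host names and sample lines are constructed, and wrapped lines are assumed to have been rejoined first.

```python
import re

# Old-style tcpdump: "time src.port > dst.port: FLAGS [seq:seq(len)] [ack N] win W ..."
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?"
)

# Constructed sample (not the capture from the message), one segment per line.
SAMPLE = """
10:00:00.10 client.example.40001 > www.example.80: S 1000:1000(0) win 8192 <mss 1460> (DF)
10:00:00.10 www.example.80 > client.example.40001: R 0:0(0) ack 1001 win 0
10:00:00.70 client.example.40002 > www.example.80: S 2000:2000(0) win 8192 <mss 1460> (DF)
10:00:00.70 www.example.80 > client.example.40002: R 0:0(0) ack 20 win 0
10:00:00.90 www.example.80 > client.example.40000: S 555000:555000(0) ack 901 win 32736 <mss 1460>
10:00:01.00 client.example.40000 > www.example.80: R 901:901(0) win 0
"""

def parse(text):
    """Yield one dict of fields per recognised segment line."""
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def analyse(text, server, port="80"):
    """Return (kind, subject, ack) findings for the server's handshake answers."""
    last_syn, kinds, findings = {}, set(), []
    for p in parse(text):
        if p["dst"] == server and p["dport"] == port and p["flags"] == "S":
            last_syn[p["sport"]] = int(p["seq"])   # client SYN: remember its ISN
        elif p["src"] == server and p["sport"] == port and p["ack"]:
            kind = "SYN-ACK" if "S" in p["flags"] else "RST" if "R" in p["flags"] else None
            if kind is None:
                continue                           # data/ACK segment, not a handshake answer
            kinds.add(kind)
            isn, ack = last_syn.get(p["dport"]), int(p["ack"])
            if isn is None:                        # answer to a SYN outside the capture
                findings.append(("no-syn-in-capture", p["dport"], ack))
            elif ack != isn + 1:                   # a correct answer acks ISN + 1
                findings.append(("ack-mismatch", p["dport"], ack))
    if {"RST", "SYN-ACK"} <= kinds:                # same address both refuses and accepts
        findings.append(("mixed-answers", server, None))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE, "www.example"):
        print(finding)
```

A "mixed-answers" finding is only consistent with two hosts answering for one address; checking the source MAC of each answer (for example with `tcpdump -e`) on the server's segment is what confirms it.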