Re: mismatch on route through packet/byte counts

Sat, 17 Feb 2007 10:05:04 -0800 

Hi Daniel,
this time, I captured a complete flow, including a RST from the client at dc0, which is not forwarded to the server at dc2, instead logged a state failure. 


There are three text files attached: trace on dc0, trace on dc2 and  
related console messages.


Axel

Am 14.12.2006 um 17:10 schrieb Daniel Hartmeier:


On Thu, Dec 14, 2006 at 01:11:11PM +0100, Axel Rau wrote:


I'm still hunting loose state matches.
After converting all none-protocol-specific "keep state" to either
        flags S/SAFR keep state
or
        flags S/SAFR synproxy state
, I'm still getting lots of warning like this one:

---------------------------------------------------------------------
Dec 14 11:16:47 pf: loose state match: TCP \
aaa.bbb.ccc.ddd:25 aaa.bbb.ccc.ddd:25 66.35.250.225:53336 \
[lo=3396551343 high=3396616878 win=5840 modulator=874376751] \
[lo=3752913744 high=3752919543 win=65535 modulator=3189448930] \
  9:9 R seq=3396551343 ack=3752913744 len=0 ackskew=0 pkts=8:10


For RSTs, the sequence number in the packet must match a value
precisely, I suspect this is not the case here. Unfortunately, what is
logged is not the actual sequence number of the packet.


Try to capture one such connection with tcpdump -nvvvS, from  
initial SYN

to the blocked RST, only consisting of packets that match this
connection.

I suspect the sender of the RST is incrementing the sequence number in
the RST inappropriately, or such. Hard to tell without a trace.



10:17:00.633731 192.168.220.106.49194 > 192.168.221.20.993: S [tcp sum ok] 
2634573257:2634573257(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 
1476581172 0,sackOK,eol> (DF) (ttl 64, id 24581, len 64)
10:17:00.634253 192.168.221.20.993 > 192.168.220.106.49194: S [tcp sum ok] 
1101854058:1101854058(0) ack 2634573258 win 65535 <mss 1460,nop,wscale 
0,nop,nop,timestamp 3164055978 1476581172> (ttl 63, id 57608, len 60)
10:17:00.634448 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573258:2634573258(0) ack 1101854059 win 65535 <nop,nop,timestamp 1476581172 
3164055978> (DF) (ttl 64, id 24582, len 52)
10:17:00.635132 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573258:2634573398(140) ack 1101854059 win 65535 <nop,nop,timestamp 
1476581172 3164055978> (DF) (ttl 64, id 24583, len 192)
10:17:00.670983 192.168.221.20.993 > 192.168.220.106.49194: . [tcp sum ok] 
1101854059:1101854059(0) ack 2634573398 win 65535 <nop,nop,timestamp 3164055978 
1476581172> (ttl 63, id 48209, len 52)
10:17:00.867819 192.168.221.20.993 > 192.168.220.106.49194: P 
1101854059:1101854197(138) ack 2634573398 win 65535 <nop,nop,timestamp 
3164055978 1476581172> (ttl 63, id 55328, len 190)
10:17:00.868017 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573398:2634573398(0) ack 1101854197 win 65535 <nop,nop,timestamp 1476581172 
3164055978> (DF) (ttl 64, id 24584, len 52)
10:17:00.869397 192.168.220.106.49194 > 192.168.221.20.993: P [tcp sum ok] 
2634573398:2634573404(6) ack 1101854197 win 65535 <nop,nop,timestamp 1476581172 
3164055978> (DF) (ttl 64, id 24585, len 58)
10:17:00.871208 192.168.221.20.993 > 192.168.220.106.49194: . [tcp sum ok] 
1101854197:1101854197(0) ack 2634573404 win 65535 <nop,nop,timestamp 3164055978 
1476581172> (ttl 63, id 23338, len 52)
10:17:00.871402 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573404:2634573457(53) ack 1101854197 win 65535 <nop,nop,timestamp 
1476581172 3164055978> (DF) (ttl 64, id 24586, len 105)
10:17:00.887903 192.168.221.20.993 > 192.168.220.106.49194: P 
1101854197:1101854474(277) ack 2634573457 win 65535 <nop,nop,timestamp 
3164055978 1476581172> (ttl 63, id 63011, len 329)
10:17:00.888095 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573457:2634573457(0) ack 1101854474 win 65535 <nop,nop,timestamp 1476581172 
3164055978> (DF) (ttl 64, id 24588, len 52)
10:17:00.889419 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573457:2634573558(101) ack 1101854474 win 65535 <nop,nop,timestamp 
1476581172 3164055978> (DF) (ttl 64, id 24589, len 153)
10:17:01.071461 192.168.221.20.993 > 192.168.220.106.49194: . [tcp sum ok] 
1101854474:1101854474(0) ack 2634573558 win 65535 <nop,nop,timestamp 3164055979 
1476581172> (ttl 63, id 56417, len 52)
10:17:01.374192 192.168.221.20.993 > 192.168.220.106.49194: P 
1101854474:1101854527(53) ack 2634573558 win 65535 <nop,nop,timestamp 
3164055979 1476581172> (ttl 63, id 6441, len 105)
10:17:01.374358 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573558:2634573558(0) ack 1101854527 win 65535 <nop,nop,timestamp 1476581173 
3164055979> (DF) (ttl 64, id 24656, len 52)
10:17:01.375085 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573558:2634573611(53) ack 1101854527 win 65535 <nop,nop,timestamp 
1476581173 3164055979> (DF) (ttl 64, id 24657, len 105)
10:17:01.375982 192.168.221.20.993 > 192.168.220.106.49194: P 
1101854527:1101854724(197) ack 2634573611 win 65535 <nop,nop,timestamp 
3164055979 1476581173> (ttl 63, id 12323, len 249)
10:17:01.376221 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573611:2634573611(0) ack 1101854724 win 65535 <nop,nop,timestamp 1476581173 
3164055979> (DF) (ttl 64, id 24658, len 52)
10:17:01.377190 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573611:2634573664(53) ack 1101854724 win 65535 <nop,nop,timestamp 
1476581173 3164055979> (DF) (ttl 64, id 24660, len 105)
10:17:01.471565 192.168.221.20.993 > 192.168.220.106.49194: . [tcp sum ok] 
1101854724:1101854724(0) ack 2634573664 win 65535 <nop,nop,timestamp 3164055979 
1476581173> (ttl 63, id 33299, len 52)
10:17:01.898550 192.168.221.20.993 > 192.168.220.106.49194: P 
1101854724:1101854809(85) ack 2634573664 win 65535 <nop,nop,timestamp 
3164055980 1476581173> (ttl 63, id 51829, len 137)
10:17:01.898791 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573664:2634573664(0) ack 1101854809 win 65535 <nop,nop,timestamp 1476581174 
3164055980> (DF) (ttl 64, id 24718, len 52)
10:17:02.274974 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573664:2634573717(53) ack 1101854809 win 65535 <nop,nop,timestamp 
1476581175 3164055980> (DF) (ttl 64, id 24729, len 105)
10:17:02.297482 192.168.221.20.993 > 192.168.220.106.49194: P 
1101854809:1101855198(389) ack 2634573717 win 65535 <nop,nop,timestamp 
3164055981 1476581175> (ttl 63, id 42604, len 441)
10:17:02.297714 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573717:2634573717(0) ack 1101855198 win 65535 <nop,nop,timestamp 1476581175 
3164055981> (DF) (ttl 64, id 24735, len 52)
10:17:03.224143 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573717:2634573770(53) ack 1101855198 win 65535 <nop,nop,timestamp 
1476581177 3164055981> (DF) (ttl 64, id 24783, len 105)
10:17:03.272199 192.168.221.20.993 > 192.168.220.106.49194: . [tcp sum ok] 
1101855198:1101855198(0) ack 2634573770 win 65535 <nop,nop,timestamp 3164055983 
1476581177> (ttl 63, id 25096, len 52)
10:17:04.953197 192.168.221.20.993 > 192.168.220.106.49194: P 
1101855198:1101855475(277) ack 2634573770 win 65535 <nop,nop,timestamp 
3164055986 1476581177> (ttl 63, id 8732, len 329)
10:17:04.953471 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573770:2634573770(0) ack 1101855475 win 65535 <nop,nop,timestamp 1476581181 
3164055986> (DF) (ttl 64, id 24798, len 52)
10:17:04.962397 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573770:2634573823(53) ack 1101855475 win 65535 <nop,nop,timestamp 
1476581181 3164055986> (DF) (ttl 64, id 24813, len 105)
10:17:04.963429 192.168.221.20.993 > 192.168.220.106.49194: P 
1101855475:1101855544(69) ack 2634573823 win 65535 <nop,nop,timestamp 
3164055986 1476581181> (ttl 63, id 35389, len 121)
10:17:04.963646 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573823:2634573823(0) ack 1101855544 win 65535 <nop,nop,timestamp 1476581181 
3164055986> (DF) (ttl 64, id 24814, len 52)
10:17:07.550567 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573823:2634573860(37) ack 1101855544 win 65535 <nop,nop,timestamp 
1476581186 3164055986> (DF) (ttl 64, id 24975, len 89)
10:17:07.551444 192.168.221.20.993 > 192.168.220.106.49194: P 
1101855544:1101855597(53) ack 2634573860 win 65535 <nop,nop,timestamp 
3164055992 1476581186> (ttl 63, id 52262, len 105)
10:17:07.551666 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573860:2634573860(0) ack 1101855597 win 65535 <nop,nop,timestamp 1476581186 
3164055992> (DF) (ttl 64, id 24976, len 52)
10:17:07.563908 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573860:2634573913(53) ack 1101855597 win 65535 <nop,nop,timestamp 
1476581186 3164055992> (DF) (ttl 64, id 24996, len 105)
10:17:07.673176 192.168.221.20.993 > 192.168.220.106.49194: . [tcp sum ok] 
1101855597:1101855597(0) ack 2634573913 win 65535 <nop,nop,timestamp 3164055992 
1476581186> (ttl 63, id 1287, len 52)
10:17:09.485981 192.168.221.20.993 > 192.168.220.106.49194: P 
1101855597:1101855874(277) ack 2634573913 win 65535 <nop,nop,timestamp 
3164055995 1476581186> (ttl 63, id 10046, len 329)
10:17:09.486189 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573913:2634573913(0) ack 1101855874 win 65535 <nop,nop,timestamp 1476581190 
3164055995> (DF) (ttl 64, id 25027, len 52)
10:17:09.496367 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573913:2634573966(53) ack 1101855874 win 65535 <nop,nop,timestamp 
1476581190 3164055995> (DF) (ttl 64, id 25042, len 105)
10:17:09.497287 192.168.221.20.993 > 192.168.220.106.49194: P 
1101855874:1101855943(69) ack 2634573966 win 65535 <nop,nop,timestamp 
3164055996 1476581190> (ttl 63, id 16994, len 121)
10:17:09.497438 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573966:2634573966(0) ack 1101855943 win 65535 <nop,nop,timestamp 1476581190 
3164055996> (DF) (ttl 64, id 25043, len 52)
10:17:12.183395 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573966:2634574003(37) ack 1101855943 win 65535 <nop,nop,timestamp 
1476581195 3164055996> (DF) (ttl 64, id 25496, len 89)
10:17:12.184361 192.168.221.20.993 > 192.168.220.106.49194: P 
1101855943:1101855996(53) ack 2634574003 win 65535 <nop,nop,timestamp 
3164056001 1476581195> (ttl 63, id 23630, len 105)
10:17:12.184560 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634574003:2634574003(0) ack 1101855996 win 65535 <nop,nop,timestamp 1476581195 
3164056001> (DF) (ttl 64, id 25498, len 52)
10:17:12.199688 192.168.220.106.49194 > 192.168.221.20.993: P 
2634574003:2634574072(69) ack 1101855996 win 65535 <nop,nop,timestamp 
1476581195 3164056001> (DF) (ttl 64, id 25522, len 121)
10:17:12.274259 192.168.221.20.993 > 192.168.220.106.49194: . [tcp sum ok] 
1101855996:1101855996(0) ack 2634574072 win 65535 <nop,nop,timestamp 3164056001 
1476581195> (ttl 63, id 18949, len 52)
10:17:14.278606 192.168.221.20.993 > 192.168.220.106.49194: P 
1101855996:1101856321(325) ack 2634574072 win 65535 <nop,nop,timestamp 
3164056005 1476581195> (ttl 63, id 11598, len 377)
10:17:14.278850 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634574072:2634574072(0) ack 1101856321 win 65535 <nop,nop,timestamp 1476581199 
3164056005> (DF) (ttl 64, id 25560, len 52)
10:17:14.285932 192.168.220.106.49194 > 192.168.221.20.993: P 
2634574072:2634574125(53) ack 1101856321 win 65535 <nop,nop,timestamp 
1476581199 3164056005> (DF) (ttl 64, id 25569, len 105)
10:17:14.382776 192.168.221.20.993 > 192.168.220.106.49194: P 
1101856321:1101856390(69) ack 2634574125 win 65535 <nop,nop,timestamp 
3164056005 1476581199> (ttl 63, id 9556, len 121)
10:17:14.383024 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634574125:2634574125(0) ack 1101856390 win 65535 <nop,nop,timestamp 1476581199 
3164056005> (DF) (ttl 64, id 25572, len 52)
10:17:14.386221 192.168.220.106.49194 > 192.168.221.20.993: P 
2634574125:2634574178(53) ack 1101856390 win 65535 <nop,nop,timestamp 
1476581199 3164056005> (DF) (ttl 64, id 25575, len 105)
10:17:14.387784 192.168.221.20.993 > 192.168.220.106.49194: P 
1101856390:1101857451(1061) ack 2634574178 win 65535 <nop,nop,timestamp 
3164056005 1476581199> (ttl 63, id 59757, len 1113)
10:17:14.388129 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634574178:2634574178(0) ack 1101857451 win 65535 <nop,nop,timestamp 1476581199 
3164056005> (DF) (ttl 64, id 25576, len 52)
10:17:14.388445 192.168.221.20.993 > 192.168.220.106.49194: P 
1101857451:1101857520(69) ack 2634574178 win 65535 <nop,nop,timestamp 
3164056005 1476581199> (ttl 63, id 44147, len 121)
10:17:14.388648 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634574178:2634574178(0) ack 1101857520 win 65535 <nop,nop,timestamp 1476581199 
3164056005> (DF) (ttl 64, id 25577, len 52)
10:17:14.435877 192.168.220.106.49194 > 192.168.221.20.993: P 
2634574178:2634574215(37) ack 1101857520 win 65535 <nop,nop,timestamp 
1476581199 3164056005> (DF) (ttl 64, id 25612, len 89)
10:17:14.439550 192.168.221.20.993 > 192.168.220.106.49194: P 
1101857520:1101857573(53) ack 2634574215 win 65535 <nop,nop,timestamp 
3164056005 1476581199> (ttl 63, id 52077, len 105)
10:17:14.439826 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634574215:2634574215(0) ack 1101857573 win 65535 <nop,nop,timestamp 1476581199 
3164056005> (DF) (ttl 64, id 25613, len 52)
10:17:14.441250 192.168.220.106.49194 > 192.168.221.20.993: P 
2634574215:2634574252(37) ack 1101857573 win 65535 <nop,nop,timestamp 
1476581199 3164056005> (DF) (ttl 64, id 25616, len 89)
10:17:14.443966 192.168.221.20.993 > 192.168.220.106.49194: P 
1101857573:1101857674(101) ack 2634574252 win 65535 <nop,nop,timestamp 
3164056005 1476581199> (ttl 63, id 63781, len 153)
10:17:14.444212 192.168.220.106.49194 > 192.168.221.20.993: FP 
2634574252:2634574289(37) ack 1101857573 win 65535 <nop,nop,timestamp 
1476581199 3164056005> (DF) (ttl 64, id 25617, len 89)
10:17:14.444286 192.168.220.106.49194 > 192.168.221.20.993: R [tcp sum ok] 
2634574252:2634574252(0) win 0 (ttl 64, id 25618, len 40)
10:17:14.445655 192.168.221.20.993 > 192.168.220.106.49194: P 
1101857674:1101857711(37) ack 2634574290 win 65535 <nop,nop,timestamp 
3164056005 1476581199> (ttl 63, id 63094, len 89)
10:17:14.445680 192.168.221.20.993 > 192.168.220.106.49194: F [tcp sum ok] 
1101857711:1101857711(0) ack 2634574290 win 65535 <nop,nop,timestamp 3164056005 
1476581199> (ttl 63, id 34563, len 52)
10:17:14.445793 192.168.220.106.49194 > 192.168.221.20.993: R [tcp sum ok] 
2634574290:2634574290(0) win 0 (ttl 64, id 25621, len 40)
10:17:14.445923 192.168.220.106.49194 > 192.168.221.20.993: R [tcp sum ok] 
2634574290:2634574290(0) win 0 (ttl 64, id 25622, len 40)

10:17:00.633865 192.168.220.106.49194 > 192.168.221.20.993: S [tcp sum ok] 
2634573257:2634573257(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 
1476581172 0,sackOK,eol> (ttl 63, id 59163, len 64)
10:17:00.634202 192.168.221.20.993 > 192.168.220.106.49194: S [tcp sum ok] 
1101854058:1101854058(0) ack 2634573258 win 65535 <mss 1460,nop,wscale 
0,nop,nop,timestamp 3164055978 1476581172> (DF) (ttl 64, id 21260, len 60)
10:17:00.634478 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573258:2634573258(0) ack 1101854059 win 65535 <nop,nop,timestamp 1476581172 
3164055978> (ttl 63, id 10056, len 52)
10:17:00.635160 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573258:2634573398(140) ack 1101854059 win 65535 <nop,nop,timestamp 
1476581172 3164055978> (ttl 63, id 43086, len 192)
10:17:00.670950 192.168.221.20.993 > 192.168.220.106.49194: . [tcp sum ok] 
1101854059:1101854059(0) ack 2634573398 win 65535 <nop,nop,timestamp 3164055978 
1476581172> (DF) (ttl 64, id 21261, len 52)
10:17:00.867780 192.168.221.20.993 > 192.168.220.106.49194: P 
1101854059:1101854197(138) ack 2634573398 win 65535 <nop,nop,timestamp 
3164055978 1476581172> (DF) (ttl 64, id 21262, len 190)
10:17:00.868047 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573398:2634573398(0) ack 1101854197 win 65535 <nop,nop,timestamp 1476581172 
3164055978> (ttl 63, id 24418, len 52)
10:17:00.869426 192.168.220.106.49194 > 192.168.221.20.993: P [tcp sum ok] 
2634573398:2634573404(6) ack 1101854197 win 65535 <nop,nop,timestamp 1476581172 
3164055978> (ttl 63, id 22373, len 58)
10:17:00.871091 192.168.221.20.993 > 192.168.220.106.49194: . [tcp sum ok] 
1101854197:1101854197(0) ack 2634573404 win 65535 <nop,nop,timestamp 3164055978 
1476581172> (DF) (ttl 64, id 21265, len 52)
10:17:00.871432 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573404:2634573457(53) ack 1101854197 win 65535 <nop,nop,timestamp 
1476581172 3164055978> (ttl 63, id 59154, len 105)
10:17:00.887870 192.168.221.20.993 > 192.168.220.106.49194: P 
1101854197:1101854474(277) ack 2634573457 win 65535 <nop,nop,timestamp 
3164055978 1476581172> (DF) (ttl 64, id 21267, len 329)
10:17:00.888125 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573457:2634573457(0) ack 1101854474 win 65535 <nop,nop,timestamp 1476581172 
3164055978> (ttl 63, id 18012, len 52)
10:17:00.889447 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573457:2634573558(101) ack 1101854474 win 65535 <nop,nop,timestamp 
1476581172 3164055978> (ttl 63, id 1024, len 153)
10:17:01.071271 192.168.221.20.993 > 192.168.220.106.49194: . [tcp sum ok] 
1101854474:1101854474(0) ack 2634573558 win 65535 <nop,nop,timestamp 3164055979 
1476581172> (DF) (ttl 64, id 21279, len 52)
10:17:01.374140 192.168.221.20.993 > 192.168.220.106.49194: P 
1101854474:1101854527(53) ack 2634573558 win 65535 <nop,nop,timestamp 
3164055979 1476581172> (DF) (ttl 64, id 21295, len 105)
10:17:01.374394 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573558:2634573558(0) ack 1101854527 win 65535 <nop,nop,timestamp 1476581173 
3164055979> (ttl 63, id 34634, len 52)
10:17:01.375113 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573558:2634573611(53) ack 1101854527 win 65535 <nop,nop,timestamp 
1476581173 3164055979> (ttl 63, id 24903, len 105)
10:17:01.375951 192.168.221.20.993 > 192.168.220.106.49194: P 
1101854527:1101854724(197) ack 2634573611 win 65535 <nop,nop,timestamp 
3164055979 1476581173> (DF) (ttl 64, id 21296, len 249)
10:17:01.376250 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573611:2634573611(0) ack 1101854724 win 65535 <nop,nop,timestamp 1476581173 
3164055979> (ttl 63, id 28780, len 52)
10:17:01.377243 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573611:2634573664(53) ack 1101854724 win 65535 <nop,nop,timestamp 
1476581173 3164055979> (ttl 63, id 16954, len 105)
10:17:01.471480 192.168.221.20.993 > 192.168.220.106.49194: . [tcp sum ok] 
1101854724:1101854724(0) ack 2634573664 win 65535 <nop,nop,timestamp 3164055979 
1476581173> (DF) (ttl 64, id 21301, len 52)
10:17:01.898503 192.168.221.20.993 > 192.168.220.106.49194: P 
1101854724:1101854809(85) ack 2634573664 win 65535 <nop,nop,timestamp 
3164055980 1476581173> (DF) (ttl 64, id 21317, len 137)
10:17:01.898826 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573664:2634573664(0) ack 1101854809 win 65535 <nop,nop,timestamp 1476581174 
3164055980> (ttl 63, id 14909, len 52)
10:17:02.275022 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573664:2634573717(53) ack 1101854809 win 65535 <nop,nop,timestamp 
1476581175 3164055980> (ttl 63, id 5418, len 105)
10:17:02.297445 192.168.221.20.993 > 192.168.220.106.49194: P 
1101854809:1101855198(389) ack 2634573717 win 65535 <nop,nop,timestamp 
3164055981 1476581175> (DF) (ttl 64, id 21321, len 441)
10:17:02.297744 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573717:2634573717(0) ack 1101855198 win 65535 <nop,nop,timestamp 1476581175 
3164055981> (ttl 63, id 3170, len 52)
10:17:03.224192 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573717:2634573770(53) ack 1101855198 win 65535 <nop,nop,timestamp 
1476581177 3164055981> (ttl 63, id 12803, len 105)
10:17:03.272144 192.168.221.20.993 > 192.168.220.106.49194: . [tcp sum ok] 
1101855198:1101855198(0) ack 2634573770 win 65535 <nop,nop,timestamp 3164055983 
1476581177> (DF) (ttl 64, id 21329, len 52)
10:17:04.953138 192.168.221.20.993 > 192.168.220.106.49194: P 
1101855198:1101855475(277) ack 2634573770 win 65535 <nop,nop,timestamp 
3164055986 1476581177> (DF) (ttl 64, id 21341, len 329)
10:17:04.953502 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573770:2634573770(0) ack 1101855475 win 65535 <nop,nop,timestamp 1476581181 
3164055986> (ttl 63, id 61047, len 52)
10:17:04.962431 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573770:2634573823(53) ack 1101855475 win 65535 <nop,nop,timestamp 
1476581181 3164055986> (ttl 63, id 51973, len 105)
10:17:04.963396 192.168.221.20.993 > 192.168.220.106.49194: P 
1101855475:1101855544(69) ack 2634573823 win 65535 <nop,nop,timestamp 
3164055986 1476581181> (DF) (ttl 64, id 21343, len 121)
10:17:04.963675 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573823:2634573823(0) ack 1101855544 win 65535 <nop,nop,timestamp 1476581181 
3164055986> (ttl 63, id 15925, len 52)
10:17:07.550600 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573823:2634573860(37) ack 1101855544 win 65535 <nop,nop,timestamp 
1476581186 3164055986> (ttl 63, id 50455, len 89)
10:17:07.551413 192.168.221.20.993 > 192.168.220.106.49194: P 
1101855544:1101855597(53) ack 2634573860 win 65535 <nop,nop,timestamp 
3164055992 1476581186> (DF) (ttl 64, id 21365, len 105)
10:17:07.551695 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573860:2634573860(0) ack 1101855597 win 65535 <nop,nop,timestamp 1476581186 
3164055992> (ttl 63, id 4966, len 52)
10:17:07.563945 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573860:2634573913(53) ack 1101855597 win 65535 <nop,nop,timestamp 
1476581186 3164055992> (ttl 63, id 102, len 105)
10:17:07.673142 192.168.221.20.993 > 192.168.220.106.49194: . [tcp sum ok] 
1101855597:1101855597(0) ack 2634573913 win 65535 <nop,nop,timestamp 3164055992 
1476581186> (DF) (ttl 64, id 21366, len 52)
10:17:09.485935 192.168.221.20.993 > 192.168.220.106.49194: P 
1101855597:1101855874(277) ack 2634573913 win 65535 <nop,nop,timestamp 
3164055995 1476581186> (DF) (ttl 64, id 21375, len 329)
10:17:09.486221 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573913:2634573913(0) ack 1101855874 win 65535 <nop,nop,timestamp 1476581190 
3164055995> (ttl 63, id 44560, len 52)
10:17:09.496397 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573913:2634573966(53) ack 1101855874 win 65535 <nop,nop,timestamp 
1476581190 3164055995> (ttl 63, id 7193, len 105)
10:17:09.497255 192.168.221.20.993 > 192.168.220.106.49194: P 
1101855874:1101855943(69) ack 2634573966 win 65535 <nop,nop,timestamp 
3164055996 1476581190> (DF) (ttl 64, id 21376, len 121)
10:17:09.497467 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634573966:2634573966(0) ack 1101855943 win 65535 <nop,nop,timestamp 1476581190 
3164055996> (ttl 63, id 29268, len 52)
10:17:12.183428 192.168.220.106.49194 > 192.168.221.20.993: P 
2634573966:2634574003(37) ack 1101855943 win 65535 <nop,nop,timestamp 
1476581195 3164055996> (ttl 63, id 32875, len 89)
10:17:12.184315 192.168.221.20.993 > 192.168.220.106.49194: P 
1101855943:1101855996(53) ack 2634574003 win 65535 <nop,nop,timestamp 
3164056001 1476581195> (DF) (ttl 64, id 21402, len 105)
10:17:12.184589 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634574003:2634574003(0) ack 1101855996 win 65535 <nop,nop,timestamp 1476581195 
3164056001> (ttl 63, id 1631, len 52)
10:17:12.199717 192.168.220.106.49194 > 192.168.221.20.993: P 
2634574003:2634574072(69) ack 1101855996 win 65535 <nop,nop,timestamp 
1476581195 3164056001> (ttl 63, id 58971, len 121)
10:17:12.274163 192.168.221.20.993 > 192.168.220.106.49194: . [tcp sum ok] 
1101855996:1101855996(0) ack 2634574072 win 65535 <nop,nop,timestamp 3164056001 
1476581195> (DF) (ttl 64, id 21405, len 52)
10:17:14.278565 192.168.221.20.993 > 192.168.220.106.49194: P 
1101855996:1101856321(325) ack 2634574072 win 65535 <nop,nop,timestamp 
3164056005 1476581195> (DF) (ttl 64, id 21414, len 377)
10:17:14.278879 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634574072:2634574072(0) ack 1101856321 win 65535 <nop,nop,timestamp 1476581199 
3164056005> (ttl 63, id 59248, len 52)
10:17:14.285961 192.168.220.106.49194 > 192.168.221.20.993: P 
2634574072:2634574125(53) ack 1101856321 win 65535 <nop,nop,timestamp 
1476581199 3164056005> (ttl 63, id 65388, len 105)
10:17:14.382744 192.168.221.20.993 > 192.168.220.106.49194: P 
1101856321:1101856390(69) ack 2634574125 win 65535 <nop,nop,timestamp 
3164056005 1476581199> (DF) (ttl 64, id 21417, len 121)
10:17:14.383053 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634574125:2634574125(0) ack 1101856390 win 65535 <nop,nop,timestamp 1476581199 
3164056005> (ttl 63, id 58923, len 52)
10:17:14.386254 192.168.220.106.49194 > 192.168.221.20.993: P 
2634574125:2634574178(53) ack 1101856390 win 65535 <nop,nop,timestamp 
1476581199 3164056005> (ttl 63, id 30551, len 105)
10:17:14.387752 192.168.221.20.993 > 192.168.220.106.49194: P 
1101856390:1101857451(1061) ack 2634574178 win 65535 <nop,nop,timestamp 
3164056005 1476581199> (DF) (ttl 64, id 21419, len 1113)
10:17:14.388158 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634574178:2634574178(0) ack 1101857451 win 65535 <nop,nop,timestamp 1476581199 
3164056005> (ttl 63, id 41536, len 52)
10:17:14.388414 192.168.221.20.993 > 192.168.220.106.49194: P 
1101857451:1101857520(69) ack 2634574178 win 65535 <nop,nop,timestamp 
3164056005 1476581199> (DF) (ttl 64, id 21420, len 121)
10:17:14.388676 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634574178:2634574178(0) ack 1101857520 win 65535 <nop,nop,timestamp 1476581199 
3164056005> (ttl 63, id 51739, len 52)
10:17:14.435923 192.168.220.106.49194 > 192.168.221.20.993: P 
2634574178:2634574215(37) ack 1101857520 win 65535 <nop,nop,timestamp 
1476581199 3164056005> (ttl 63, id 27918, len 89)
10:17:14.439515 192.168.221.20.993 > 192.168.220.106.49194: P 
1101857520:1101857573(53) ack 2634574215 win 65535 <nop,nop,timestamp 
3164056005 1476581199> (DF) (ttl 64, id 21426, len 105)
10:17:14.439855 192.168.220.106.49194 > 192.168.221.20.993: . [tcp sum ok] 
2634574215:2634574215(0) ack 1101857573 win 65535 <nop,nop,timestamp 1476581199 
3164056005> (ttl 63, id 45119, len 52)
10:17:14.441280 192.168.220.106.49194 > 192.168.221.20.993: P 
2634574215:2634574252(37) ack 1101857573 win 65535 <nop,nop,timestamp 
1476581199 3164056005> (ttl 63, id 50720, len 89)
10:17:14.443935 192.168.221.20.993 > 192.168.220.106.49194: P 
1101857573:1101857674(101) ack 2634574252 win 65535 <nop,nop,timestamp 
3164056005 1476581199> (DF) (ttl 64, id 21427, len 153)
10:17:14.444241 192.168.220.106.49194 > 192.168.221.20.993: FP 
2634574252:2634574289(37) ack 1101857573 win 65535 <nop,nop,timestamp 
1476581199 3164056005> (ttl 63, id 56690, len 89)

10:17:14.444451 192.168.221.20.993 > 192.168.220.106.49194: P 
1101857674:1101857711(37) ack 2634574290 win 65535 <nop,nop,timestamp 
3164056005 1476581199> (DF) (ttl 64, id 21428, len 89)
10:17:14.444639 192.168.221.20.993 > 192.168.220.106.49194: F [tcp sum ok] 
1101857711:1101857711(0) ack 2634574290 win 65535 <nop,nop,timestamp 3164056005 
1476581199> (DF) (ttl 64, id 21429, len 52)
10:17:14.445825 192.168.220.106.49194 > 192.168.221.20.993: R [tcp sum ok] 
2634574290:2634574290(0) win 0 (ttl 63, id 3399, len 40)
10:17:14.445955 192.168.220.106.49194 > 192.168.221.20.993: R [tcp sum ok] 
2634574290:2634574290(0) win 0 (ttl 63, id 55163, len 40)

#  tcpdump -nvvvSi dc0 port 993 and host claudius6  >dc0.log                    
                                
tcpdump: listening on dc0, link-type EN10MB
Feb 16 10:17:14 gw2u /bsd: pf: BAD state: TCP 192.168.221.20:993 
192.168.221.20:993 192.168.220.106:49194 [lo=2634574290 high=2634639787 
win=65535 modulator=0 wscale=0] [lo=1101857674 high=1101923108 win=65535 
modulator=0 wscale=0] 7:4 R seq=2634574290 ack=1101857674 len=0 ackskew=0 
pkts=38:26 dir=in,fwd
Feb 16 10:17:14 gw2u /bsd: pf: BAD state: TCP 192.168.221.20:993 
192.168.221.20:993 192.168.220.106:49194 [lo=2634574290 high=2634639787 
win=65535 modulator=0 wscale=0] [lo=1101857674 high=1101923108 win=65535 
modulator=0 wscale=0] 7:4 R seq=2634574290 ack=1101857674 len=0 ackskew=0 
pkts=38:26 dir=in,fwd
Feb 16 10:17:14 gw2u /bsd: pf: State failure on:         |    
Feb 16 10:17:14 gw2u /bsd: pf: State failure on:         |    
^C
1810 packets received by filter
0 packets dropped by kernel


---------------------------------------------------------------------
Axel Rau, ☀Frankfurt , Germany                       +49 69 9514 18 0
























					Reply via email to