Re: 2.4.2 TCP window shrinking

2001-03-03 Thread green

Hello!

In article <[EMAIL PROTECTED]> you wrote:
>  > TCP: peer xxx.xxx.1.11:41154/80 shrinks window 2442047470:1072:2442050944.
>  > Bad, what else can I say?
> We need desperately to know exactly what OS the xxx.xxx.1.14 machine
> is running.  Because you've commented out the first two octets, I
> cannot check this myself using nmap.
Hope that helps:
TCP: peer 192.115.216.67:4965/80 shrinks window 1189646194:1024:1189647309. Bad, what 
else can I say?
TCP: peer 192.115.216.66:48184/80 shrinks window 1233448155:1024:1233449294. Bad, what 
else can I say?
TCP: peer 192.115.216.67:4388/80 shrinks window 2353869396:1024:2353870499. Bad, what 
else can I say?
TCP: peer 212.100.133.70:2228/80 shrinks window 3072654250:512:3072655786. Bad, what 
else can I say?
TCP: peer 212.100.133.70:2228/80 shrinks window 3072657834:512:3072659370. Bad, what 
else can I say?
TCP: peer 212.100.133.70:2228/80 shrinks window 3072658346:0:3072659370. Bad, what 
else can I say?
TCP: peer 212.100.133.70:2228/80 shrinks window 3072658346:512:3072659370. Bad, what 
else can I say?
TCP: peer 212.100.133.70:2243/80 shrinks window 3126499925:512:3126501461. Bad, what 
else can I say?
TCP: peer 212.100.133.70:2243/80 shrinks window 3126500437:0:3126501461. Bad, what 
else can I say?
TCP: peer 212.100.133.70:2243/80 shrinks window 3126500437:512:3126501461. Bad, what 
else can I say?
TCP: peer 212.100.133.70:2243/80 shrinks window 3126503509:512:3126504533. Bad, what 
else can I say?
TCP: peer 212.100.133.70:2243/80 shrinks window 3126505045:512:3126505591. Bad, what 
else can I say?
TCP: peer 212.100.133.70:2243/80 shrinks window 3126505557:0:3126505591. Bad, what 
else can I say?
TCP: peer 168.97.99.66:1759/80 shrinks window 3811940743:1460:3811943663. Bad, what 
else can I say?
TCP: peer 192.115.216.67:1117/80 shrinks window 821320812:1024:821321847. Bad, what 
else can I say?
TCP: peer 194.85.201.96:1231/80 shrinks window 1491890080:3072:1491893832. Bad, what 
else can I say?
TCP: peer 194.85.201.96:1231/80 shrinks window 1491894368:3072:1491898120. Bad, what 
else can I say?
TCP: peer 194.85.202.100:3072/80 shrinks window 1517168757:1536:1517171677. Bad, what 
else can I say?
TCP: peer 147.226.5.4:18052/80 shrinks window 3091312994:2864:3091316312. Bad, what 
else can I say?
TCP: peer 208.152.106.86:1496/80 shrinks window 1047754391:1072:1047755999. Bad, what 
else can I say?
TCP: peer 193.235.226.2:57881/80 shrinks window 3860496316:2920:3860503895. Bad, what 
else can I say?
TCP: peer 199.103.141.186:4260/80 shrinks window 1544210503:4380:1544216343. Bad, what 
else can I say?
TCP: peer 194.85.204.37:62553/80 shrinks window 1582101904:0:1582101905. Bad, what 
else can I say?
TCP: peer 168.97.99.66:4077/80 shrinks window 2705297980:1460:2705300900. Bad, what 
else can I say?
TCP: peer 194.85.201.4:1483/80 shrinks window 3797292442:0:3797293210. Bad, what else 
can I say?
TCP: peer 194.85.201.4:1483/80 shrinks window 3797293978:0:3797294746. Bad, what else 
can I say?
TCP: peer 194.85.201.4:1483/80 shrinks window 3797295514:0:3797296282. Bad, what else 
can I say?
TCP: peer 194.85.201.4:1483/80 shrinks window 3797297050:0:3797297818. Bad, what else 
can I say?
TCP: peer 194.85.201.4:1483/80 shrinks window 3797298586:0:3797299354. Bad, what else 
can I say?
TCP: peer 168.97.99.66:2466/80 shrinks window 879491421:1460:879494341. Bad, what else 
can I say?
TCP: peer 140.140.59.101:2839/80 shrinks window 2408864318:1460:2408867238. Bad, what 
else can I say?
TCP: peer 209.47.130.2:2166/80 shrinks window 2408449733:1072:2408450854. Bad, what 
else can I say?
TCP: peer 194.85.201.4:1988/80 shrinks window 2620331555:0:2620332323. Bad, what else 
can I say?
TCP: peer 194.85.201.4:1988/80 shrinks window 2620333091:0:2620333859. Bad, what else 
can I say?
TCP: peer 194.85.201.4:1988/80 shrinks window 2620334627:0:2620335395. Bad, what else 
can I say?
TCP: peer 213.189.85.106:1875/80 shrinks window 3265282896:2920:3265290197. Bad, what 
else can I say?
TCP: peer 204.100.181.6:3081/80 shrinks window 3215499301:2920:3215503041. Bad, what 
else can I say?
TCP: peer 140.228.46.0:1218/80 shrinks window 3743350500:1072:3743351700. Bad, what 
else can I say?
TCP: peer 212.248.7.86:2382/80 shrinks window 3235025401:512:3235026937. Bad, what 
else can I say?
TCP: peer 195.129.34.34:51780/80 shrinks window 1301988509:2920:1301992794. Bad, what 
else can I say?
TCP: peer 195.75.131.34:34715/80 shrinks window 4249402792:1024:4249404950. Bad, what 
else can I say?
TCP: peer 195.75.131.34:34715/80 shrinks window 4249403304:1024:4249404950. Bad, what 
else can I say?
TCP: peer 195.75.131.34:34715/80 shrinks window 4249403816:1024:4249404950. Bad, what 
else can I say?
TCP: peer 193.235.226.2:19253/80 shrinks window 180598643:2920:180603811. Bad, what 
else can I say?  
TCP: peer 194.85.202.123:1713/80 shrinks window 2313955067:0:2313955161. Bad, what 
else can I say?
TCP: peer 193.235.226.2:50139/80 shrinks window 2386493452:2920:2386498376. Bad, what 


Re: 2.4.2 TCP window shrinking

2001-03-02 Thread David

David S. Miller wrote:

> We need desperately to know exactly what OS the xxx.xxx.1.14 machine
> is running.  Because you've commented out the first two octets, I
> cannot check this myself using nmap.


I see them all the time on my sites.  I have active mirrors so they 
abound.  Here are a few, I've also attached nmap's guesses.

TCP: peer 148.75.156.238:1025/7000 shrinks window 
3317772066:0:3317772330. Bad, what else can I say?
TCP: peer 195.226.233.21:1774/6660 shrinks window 
2502834461:2920:2502837525. Bad, what else can I say?
TCP: peer 195.39.136.145:1702/7000 shrinks window 
2750401402:2920:2750405782. Bad, what else can I say?
TCP: peer 213.189.87.228:1190/6660 shrinks window 
2933193691:1072:2933194827. Bad, what else can I say?

#1, unknown
#2, running proxy squid/2.3.stable4, can't tell what OS is on it.
#3, unknown
#4, unknown

#2 and #4 both have the following in http headers:

Via: 1.1 netcache (NetCache 4.1R6)

-d

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/



Re: 2.4.2 TCP window shrinking

2001-03-02 Thread Jesse Wyant


Similar situation here: vanilla 2.4.2, with web serving/ftp/hotline/napster/etc.,
and I get this:

TCP: peer 148.75.118.138:1360/6699 shrinks window 3200785160:0:3200795086. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1359/6699 shrinks window 3054879436:0:3054885108. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1360/6699 shrinks window 3201450202:0:3201458710. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1361/6699 shrinks window 3317649733:0:3317653987. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1359/6699 shrinks window 3054934738:0:3054940410. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1357/6699 shrinks window 2520518983:0:2520527491. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1359/6699 shrinks window 3054990040:0:3054995712. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1359/6699 shrinks window 3055011310:0:3055014146. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1360/6699 shrinks window 3201522520:0:3201528192. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1357/6699 shrinks window 2520598391:0:2520599809. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1359/6699 shrinks window 3055146020:0:3055148856. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1361/6699 shrinks window 3317713543:0:3317723469. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1360/6699 shrinks window 3201592002:0:3201599092. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1360/6699 shrinks window 3201593420:0:3201599092. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1357/6699 shrinks window 2520676381:0:2520680635. Bad, what 
else can I say?
TCP: peer 148.75.118.138:1360/6699 shrinks window 3201607600:0:3201614690. Bad, what 
else can I say?

Running nmap (v2.53) on that IP doesn't resolve to a known OS, so that doesn't help.
Version 2.54BETA7 gives this output:

  Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
  Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
  All 1534 scanned ports on vsat-148-75-118-138.ssa7.mcl.starband.net (148.75.118.138) are: filtered
  Remote OS guesses: Apple LaserWriter 16/600 PS, HP 6P, or HP 5 Printer, Apple LaserWriter 8500 (PostScript version 3010.103), MultiTech MultiVOIP Version 2.01A Firmware, Mulit-Tech standalone firewall box, version 3, MultiTech CommPlete (modem server) RAScard, Xerox 8830 Plotter, Xerox DocuPrint C55, Xerox DocuPrint N40

  Nmap run completed -- 1 IP address (1 host up) scanned in 163 seconds

So that doesn't appear to help too much either.

> 
> 
> A long time ago, in a galaxy far, far away, someone said...
> 
> >
> > Jim Woodward writes:
> >  > This has probably been covered but I saw this message in my logs and
> >  > wondered what it meant?
> >  >
> >  > TCP: peer xxx.xxx.1.11:41154/80 shrinks window 2442047470:1072:2442050944.
> >  > Bad, what else can I say?
> >  >
> >  > Is it potentially bad? - I've only ever seen it twice with 2.4.x
> >
> > We need desperately to know exactly what OS the xxx.xxx.1.14 machine
> > is running.  Because you've commented out the first two octets, I
> > cannot check this myself using nmap.
> 
> I'm seeing similar messages on a web server running 2.4.2.
> 
> Some of the hosts I've seen it with are:
> 
> 
> - -- 
> - --
> Phil Brutsche [EMAIL PROTECTED]
> 
> GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
> GPG key id: 50DE1CFC
> GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
> 


Jesse Wyant - [EMAIL PROTECTED]

I never met a man I didn't want to fight.
-- Lyle Alzado, professional football lineman
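
The "shrinks window" lines posted in this thread can be tallied per peer instead of being read by eye. The Python below is an added example, not code from any poster or from the kernel; its sample log is constructed (documentation-range addresses), and reading the ports as remote/local and the three numbers as snd_una:snd_wnd:snd_nxt is an assumption that the thread itself does not state.

```python
import re
from collections import defaultdict

# Constructed sample in the format seen in the thread, including the
# mail-client line wrapping. Addresses are documentation ranges.
SAMPLE_LOG = """\
TCP: peer 192.0.2.10:1360/6699 shrinks window 3200785160:0:3200795086. Bad, what 
else can I say?
TCP: peer 192.0.2.10:1359/6699 shrinks window 3054879436:0:3054885108. Bad, what 
else can I say?
TCP: peer 198.51.100.7:2228/80 shrinks window 
3072654250:512:3072655786. Bad, what else can I say?
TCP: peer 198.51.100.7:2228/80 shrinks window 3072658346:0:3072659370. Bad, what 
else can I say?
TCP: peer 203.0.113.5:4000/80 shrinks window 4294967000:100:500. Bad, what else can I say?
"""

EVENT_RE = re.compile(
    r"TCP: peer (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<rport>\d+)/(?P<lport>\d+) "
    r"shrinks window (?P<una>\d+):(?P<wnd>\d+):(?P<nxt>\d+)\."
)

SEQ_SPACE = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def parse_events(text):
    """Return one dict per 'shrinks window' entry, tolerating wrapped lines."""
    flat = " ".join(text.split())  # undo line wrapping before matching
    events = []
    for m in EVENT_RE.finditer(flat):
        una, wnd, nxt = int(m["una"]), int(m["wnd"]), int(m["nxt"])
        events.append({
            "peer": m["ip"],
            "remote_port": int(m["rport"]),
            "local_port": int(m["lport"]),
            "window": wnd,
            # Assumed meaning: bytes already sent past the right edge of the
            # window the peer now advertises, computed modulo 2**32.
            "beyond_window": (nxt - (una + wnd)) % SEQ_SPACE,
        })
    return events


def summarize(events):
    """Group events by peer so repeat offenders stand out."""
    peers = defaultdict(lambda: {
        "events": 0, "zero_window": 0, "max_beyond": 0,
        "connections": set(), "local_ports": set(),
    })
    for ev in events:
        s = peers[ev["peer"]]
        s["events"] += 1
        s["zero_window"] += ev["window"] == 0
        s["max_beyond"] = max(s["max_beyond"], ev["beyond_window"])
        s["connections"].add((ev["remote_port"], ev["local_port"]))
        s["local_ports"].add(ev["local_port"])
    return dict(peers)


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG))
    ranked = sorted(summary.items(), key=lambda kv: -kv[1]["events"])
    for peer, s in ranked:
        print(f"{peer:15} events={s['events']} zero_window={s['zero_window']} "
              f"connections={len(s['connections'])} "
              f"local_ports={sorted(s['local_ports'])} "
              f"max_beyond={s['max_beyond']}")
```
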




Re: 2.4.2 TCP window shrinking

2001-03-02 Thread Phil Brutsche


A long time ago, in a galaxy far, far away, someone said...

>
> Jim Woodward writes:
>  > This has probably been covered but I saw this message in my logs and
>  > wondered what it meant?
>  >
>  > TCP: peer xxx.xxx.1.11:41154/80 shrinks window 2442047470:1072:2442050944.
>  > Bad, what else can I say?
>  >
>  > Is it potentially bad? - I've only ever seen it twice with 2.4.x
>
> We need desperately to know exactly what OS the xxx.xxx.1.14 machine
> is running.  Because you've commented out the first two octets, I
> cannot check this myself using nmap.

I'm seeing similar messages on a web server running 2.4.2.

Some of the hosts I've seen it with are:


- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc




Re: 2.4.2 TCP window shrinking

2001-03-02 Thread David S. Miller


Jim Woodward writes:
 > This has probably been covered but I saw this message in my logs and
 > wondered what it meant?
 > 
 > TCP: peer xxx.xxx.1.11:41154/80 shrinks window 2442047470:1072:2442050944.
 > Bad, what else can I say?
 > 
 > Is it potentially bad? - I've only ever seen it twice with 2.4.x

We need desperately to know exactly what OS the xxx.xxx.1.14 machine
is running.  Because you've commented out the first two octets, I
cannot check this myself using nmap.

Later,
David S. Miller
[EMAIL PROTECTED]


