What is this?

Gary Palmer gpalmer at freebsd.org
Wed Feb 25 14:59:21 UTC 2015


On Wed, Feb 25, 2015 at 09:30:49PM +1100, Ian Smith wrote:
> This snippet is from an old Linux 2.4 router/firewall/proxy box, usually
> clockwork.  Clipped this while monitoring one night, saved it, forgot,
> but still find it curious and haven't seen anything similar before or
> since.  31.13.70.1 & 173.252.102.24 are Facebook, our guy 192.168.9.21
> 
> 25/9/2014 what?  rpc?  no rpc here even internally.  .21 is a win7 box.
> 
> 22:34:15.753436 IP 31.13.70.1.443 > 192.168.9.21.3721: . 21784:23236(1452) ack 15573 win 65340
> 22:34:15.753560 IP 31.13.70.1.443 > 192.168.9.21.3721: P 23236:23661(425) ack 15573 win 65340
> 22:34:15.754017 IP 192.168.9.21.3721 > 31.13.70.1.443: . ack 23661 win 65535
> 22:34:15.828235 IP 173.252.102.24.3660741704 > 192.168.9.21.2049: 735 proc-3090265999
> 22:34:15.837027 IP 192.168.9.21.2049 > 173.252.102.24.3355443200: reply Unknown rpc response code=239244857 1452
> 22:34:15.837031 IP 192.168.9.21.2049 > 173.252.102.24.1494367229: reply Unknown rpc response code=3295742795 33
> 22:34:15.875408 IP 31.13.70.1.443 > 192.168.9.21.3721: . 23661:25113(1452) ack 15573 win 65340
> 22:34:15.875552 IP 31.13.70.1.443 > 192.168.9.21.3721: P 25113:25677(564) ack 15573 win 65340
> 22:34:15.875976 IP 192.168.9.21.3721 > 31.13.70.1.443: . ack 25677 win 65535
> 22:34:16.114979 IP 173.252.102.24.443 > 192.168.9.21.2049: . ack 3841 win 64670
> 22:34:16.116361 IP 173.252.102.24.443 > 192.168.9.21.2049: . ack 3874 win 64670
> 22:34:16.117679 IP 173.252.102.24.4046617672 > 192.168.9.21.2049: 758 proc-685943137
> 22:34:16.124011 IP 192.168.9.21.2049 > 173.252.102.24.2483027968: reply Unknown rpc response code=255805058 1177
> 22:34:16.400004 IP 173.252.102.24.443 > 192.168.9.21.2049: . ack 5051 win 64670
> 22:34:20.928488 IP 173.252.102.24.2100460616 > 192.168.9.21.2049: 1410 proc-3156600121
> 22:34:20.935755 IP 192.168.9.21.2049 > 173.252.102.24.2483027968: reply Unknown rpc response code=269780798 1177
> 22:34:21.211544 IP 173.252.102.24.443 > 192.168.9.21.2049: . ack 6228 win 64670
> 
> Kick me downstairs if it's just some old Linux thing, especially the 2-3
> giga(what?) port numbers, but otherwise, what is this about?

Supposition: whatever you are using on Linux is seeing the 2049 port
number and trying to decode the packet as NFS traffic even though
it's not, and the port number isn't a port number at all but an NFS handle
or something, but it isn't really, it's just some data from the packet
contents that is in the location where the handle would be if the packet
were truly NFS.

Regards,

Gary
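
The misdecoding described in the reply above can be reproduced with a small model. This is an added example, not part of the original message and not tcpdump's code. It shows what a decoder keyed only on port 2049 reads out of a TLS record, next to a plausibility check that would reject it. The function names and both sample payloads are constructed for illustration; the field layout is that of an ONC RPC call over TCP (RFC 5531).

```python
import struct

RPC_VERSION = 2                       # ONC RPC version field (RFC 5531)
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data

def naive_rpc_fields(payload: bytes) -> dict:
    """What a port-keyed decoder reads when it trusts port 2049: the first
    28 bytes are taken as record marker + RPC call header, whatever they are."""
    names = ("marker", "xid", "msg_type", "rpcvers", "prog", "vers", "proc")
    return dict(zip(names, struct.unpack_from(">7I", payload, 0)))

def looks_like_rpc_call(payload: bytes) -> bool:
    """Plausibility check to run before decoding as RPC-over-TCP."""
    if len(payload) < 28:
        return False
    f = naive_rpc_fields(payload)
    frag_len = f["marker"] & 0x7FFFFFFF   # low 31 bits: fragment length
    return f["msg_type"] == 0 and f["rpcvers"] == RPC_VERSION and frag_len >= 24

def looks_like_tls_record(payload: bytes) -> bool:
    """TLS record header: content type (1), version (2), length (2)."""
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack_from(">BBBH", payload, 0)
    return (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and length <= 2**14 + 2048)

def classify(payload: bytes) -> str:
    if looks_like_rpc_call(payload):
        return "rpc"
    if looks_like_tls_record(payload):
        return "tls"
    return "unknown"

# Constructed samples (not bytes from the capture quoted above).
# A TLS 1.2 application-data record header followed by 32 filler bytes:
TLS_APPDATA = bytes.fromhex("1703030020") + bytes(range(0xA0, 0xC0))
# A genuine-looking NFSv3 NULL call: marker, xid, CALL, rpcvers 2, prog 100003,
# vers 3, proc 0, then empty AUTH_NONE credential and verifier.
RPC_CALL = struct.pack(">7I", 0x80000000 | 40, 0x1234, 0, 2, 100003, 3, 0) + bytes(16)

if __name__ == "__main__":
    for name, data in (("tls sample", TLS_APPDATA), ("rpc sample", RPC_CALL)):
        print(name, "->", classify(data), naive_rpc_fields(data))
```

A TCP segment from the middle of a TLS stream need not start on a record boundary, so the TLS check can come back negative for such segments; the RPC plausibility check is the one that keeps the ciphertext from being printed as NFS.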


More information about the freebsd-net mailing list