PF suddenly malfunctioned
Jason Mattax
jmattax at storytotell.org
Tue Jul 24 03:10:02 UTC 2012
On 7/23/2012 4:05 AM, Daniel Hartmeier wrote:
> If you can reliably reproduce the problem with en.wikipedia.org, I
> suggest the following:
>
> On the firewall
>
> 1) enable verbose logging with pfctl -xm
> 2) save the output of pfctl -si and netstat -s
> 3) run the following three tcpdump in parallel, and save the output:
> tcpdump -s 1600 -nvvvpSi xl0 'host 91.198.174.225'
> tcpdump -s 1600 -nvvvpSi re0 'host 91.198.174.225'
> tcpdump -s 1600 -nvvveeepi pflog0
>
> On a client
>
> 4) printf "GET /wiki/Main_Page HTTP/1.1\r\nHost: en.wikipedia.org\r\n\r\n" |
> nc -v 91.198.174.225 80 | wc -c
> 5) this should hang until some timeout occurs, you need only wait 10s.
>
> Back on the firewall
>
> 6) re-run pfctl -si and netstat -s (again saving the output)
> 7) stop the tcpdumps
> 8) check /var/log/messages for anything from pf
>
> Then post the outputs :)
>
> Daniel
>
The files are attached, it should be noted that I did the run I'm
posting around 21:00 according to my server's clock. There were no
messages about the above in /var/log/messages but there were some
messages from earlier in the day.
The reason it took me so long to get this posted is that I was (and
still am) getting unexpected output from the netcat above, when I run
the netcat I nearly immediately get a notice that the connection
succeeded, so I decided to look at what the server was sending me, as it
turns out it was only sending me whitespace if anything. You can see a
copy and paste of the command line below.
Thanks for looking at this.
Jason Mattax
-------------- next part --------------
Jul 23 16:24:58 stilgar kernel: pf: state reuse TCP 192.168.0.200:139 192.168.0.200:139 24.123.237.238:34820 [lo=3243560508 high=3243560510 win=15088 modulator=0] [lo=0 high=15088 win=1 modulator=0] 10:10 S
Jul 23 16:24:58 stilgar kernel: pf: state reuse TCP 192.168.0.200:139 192.168.0.200:139 24.123.237.238:34820 [lo=3243560508 high=3243560510 win=15088 modulator=0] [lo=0 high=15088 win=1 modulator=0] 10:10 S
Jul 23 16:25:04 stilgar kernel: pf: state reuse TCP 192.168.0.200:445 192.168.0.200:445 24.123.237.238:34871 [lo=3247592298 high=3247592300 win=15088 modulator=0] [lo=0 high=15088 win=1 modulator=0] 10:10 S
Jul 23 16:25:04 stilgar kernel: pf: state reuse TCP 192.168.0.200:445 192.168.0.200:445 24.123.237.238:34871 [lo=3247592298 high=3247592300 win=15088 modulator=0] [lo=0 high=15088 win=1 modulator=0] 10:10 S
Jul 23 17:53:04 stilgar kernel: pf: state reuse TCP 192.168.0.200:4899 192.168.0.200:4899 80.32.31.160:2205 [lo=47482671 high=47482673 win=65535 modulator=0] [lo=0 high=65535 win=1 modulator=0] 10:10 S
Jul 23 17:53:05 stilgar kernel: pf: state reuse TCP 192.168.0.200:4899 192.168.0.200:4899 80.32.31.160:2205 [lo=47482671 high=47482673 win=65535 modulator=0] [lo=0 high=65535 win=1 modulator=0] 10:10 S
-------------- next part --------------
jmattax at chani:~$ printf "GET /wiki/Main_Page HTTP/1.1\r\nHost: en.wikipedia.org\r\n\r\n" | nc -v 91.198.174.225 80
Connection to 91.198.174.225 80 port [tcp/http] succeeded!
-------------- next part --------------
tcp:
3880 packets sent
1339 data packets (297910 bytes)
41 data packets (13121 bytes) retransmitted
0 data packets unnecessarily retransmitted
3 resends initiated by MTU discovery
2374 ack-only packets (141 delayed)
0 URG only packets
0 window probe packets
63 window update packets
63 control packets
6316 packets received
1219 acks (for 300091 bytes)
46 duplicate acks
0 acks for unsent data
5390 packets (6205996 bytes) received in-sequence
5 completely duplicate packets (2920 bytes)
0 old duplicate packets
0 packets with some dup. data (0 bytes duped)
24 out-of-order packets (19313 bytes)
0 packets (0 bytes) of data after window
0 window probes
6 window update packets
4 packets received after close
0 discarded for bad checksums
0 discarded for bad header offset fields
0 discarded because packet too short
0 discarded due to memory problems
17 connection requests
29 connection accepts
0 bad connection attempts
0 listen queue overflows
1 ignored RSTs in the window
45 connections established (including accepts)
55 connections closed (including 4 drops)
34 connections updated cached RTT on close
36 connections updated cached RTT variance on close
5 connections updated cached ssthresh on close
1 embryonic connection dropped
1213 segments updated rtt (of 1181 attempts)
47 retransmit timeouts
3 connections dropped by rexmit timeout
0 persist timeouts
0 connections dropped by persist timeout
0 Connections (fin_wait_2) dropped because of timeout
9 keepalive timeouts
8 keepalive probes sent
1 connection dropped by keepalive
1 correct ACK header prediction
4887 correct data packet header predictions
32 syncache entries added
0 retransmitted
0 dupsyn
0 dropped
29 completed
0 bucket overflow
0 cache overflow
3 reset
0 stale
0 aborted
0 badack
0 unreach
0 zone failures
32 cookies sent
0 cookies received
0 SACK recovery episodes
0 segment rexmits in SACK recovery episodes
0 byte rexmits in SACK recovery episodes
3 SACK options (SACK blocks) received
23 SACK options (SACK blocks) sent
0 SACK scoreboard overflow
0 packets with ECN CE bit set
0 packets with ECN ECT(0) bit set
0 packets with ECN ECT(1) bit set
0 successful ECN handshakes
0 times ECN reduced the congestion window
udp:
2751 datagrams received
0 with incomplete header
0 with bad data length field
0 with bad checksum
1 with no checksum
146 dropped due to no socket
2474 broadcast/multicast datagrams undelivered
0 dropped due to full socket buffers
0 not for hashed pcb
131 delivered
248 datagrams output
0 times multicast source filter matched
sctp:
0 input packets
0 datagrams
0 packets that had data
0 input SACK chunks
0 input DATA chunks
0 duplicate DATA chunks
0 input HB chunks
0 HB-ACK chunks
0 input ECNE chunks
0 input AUTH chunks
0 chunks missing AUTH
0 invalid HMAC ids received
0 invalid secret ids received
0 auth failed
0 fast path receives all one chunk
0 fast path multi-part data
0 output packets
0 output SACKs
0 output DATA chunks
0 retransmitted DATA chunks
0 fast retransmitted DATA chunks
0 FR's that happened more than once to same chunk
0 intput HB chunks
0 output ECNE chunks
0 output AUTH chunks
0 ip_output error counter
Packet drop statistics:
0 from middle box
0 from end host
0 with data
0 non-data, non-endhost
0 non-endhost, bandwidth rep only
0 not enough for chunk header
0 not enough data to confirm
0 where process_chunk_drop said break
0 failed to find TSN
0 attempt reverse TSN lookup
0 e-host confirms zero-rwnd
0 midbox confirms no space
0 data did not match TSN
0 TSN's marked for Fast Retran
Timeouts:
0 iterator timers fired
0 T3 data time outs
0 window probe (T3) timers fired
0 INIT timers fired
0 sack timers fired
0 shutdown timers fired
0 heartbeat timers fired
0 a cookie timeout fired
0 an endpoint changed its cookiesecret
0 PMTU timers fired
0 shutdown ack timers fired
0 shutdown guard timers fired
0 stream reset timers fired
0 early FR timers fired
0 an asconf timer fired
0 auto close timer fired
0 asoc free timers expired
0 inp free timers expired
0 packet shorter than header
0 checksum error
0 no endpoint for port
0 bad v-tag
0 bad SID
0 no memory
0 number of multiple FR in a RTT window
0 RFC813 allowed sending
0 RFC813 does not allow sending
0 times max burst prohibited sending
0 look ahead tells us no memory in interface
0 numbers of window probes sent
0 times an output error to clamp down on next user send
0 times sctp_senderrors were caused from a user
0 number of in data drops due to chunk limit reached
0 number of in data drops due to rwnd limit reached
0 times a ECN reduced the cwnd
0 used express lookup via vtag
0 collision in express lookup
0 times the sender ran dry of user data on primary
0 same for above
0 sacks the slow way
0 window update only sacks sent
0 sends with sinfo_flags !=0
0 unordered sends
0 sends with EOF flag set
0 sends with ABORT flag set
0 times protocol drain called
0 times we did a protocol drain
0 times recv was called with peek
0 cached chunks used
0 cached stream oq's used
0 unread messages abandonded by close
0 send burst avoidance, already max burst inflight to net
0 send cwnd full avoidance, already max burst inflight to net
0 number of map array over-runs via fwd-tsn's
ip:
30044 total packets received
0 bad header checksums
0 with size smaller than minimum
0 with data size < data length
0 with ip length > max ip packet size
0 with header length < data size
0 with data length < header length
0 with bad options
0 with incorrect version number
0 fragments received
0 fragments dropped (dup or out of space)
0 fragments dropped after timeout
0 packets reassembled ok
9082 packets for this host
111 packets for unknown/unsupported protocol
20818 packets forwarded (0 packets fast forwarded)
33 packets not forwardable
0 packets received for unknown multicast group
0 redirects sent
4387 packets sent from this host
0 packets sent with fabricated ip header
0 output packets dropped due to no bufs, etc.
0 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 datagrams that can't be fragmented
0 tunneling packets that can't find gif
0 datagrams with bad address in header
icmp:
148 calls to icmp_error
0 errors not generated in response to an icmp message
Output histogram:
echo reply: 15
destination unreachable: 148
0 messages with bad code fields
0 messages less than the minimum length
0 messages with bad checksum
0 messages with bad length
0 multicast echo requests ignored
0 multicast timestamp requests ignored
Input histogram:
destination unreachable: 111
echo: 15
15 message responses generated
0 invalid return addresses
0 no return routes
ICMP address mask responses are disabled
igmp:
0 messages received
0 messages received with too few bytes
0 messages received with wrong TTL
0 messages received with bad checksum
0 V1/V2 membership queries received
0 V3 membership queries received
0 membership queries received with invalid field(s)
0 general queries received
0 group queries received
0 group-source queries received
0 group-source queries dropped
0 membership reports received
0 membership reports received with invalid field(s)
0 membership reports received for groups to which we belong
0 V3 reports received without Router Alert
0 membership reports sent
arp:
146 ARP requests sent
1627 ARP replies sent
22184 ARP requests received
7 ARP replies received
22191 ARP packets received
84 total packets dropped due to no ARP entry
69 ARP entrys timed out
0 Duplicate IPs seen
ip6:
0 total packets received
0 with size smaller than minimum
0 with data size < data length
0 with bad options
0 with incorrect version number
0 fragments received
0 fragments dropped (dup or out of space)
0 fragments dropped after timeout
0 fragments that exceeded limit
0 packets reassembled ok
0 packets for this host
0 packets forwarded
0 packets not forwardable
0 redirects sent
0 packets sent from this host
0 packets sent with fabricated ip header
0 output packets dropped due to no bufs, etc.
7 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 datagrams that can't be fragmented
0 packets that violated scope rules
0 multicast packets which we don't join
Mbuf statistics:
0 one mbuf
0 one ext mbuf
0 two or more ext mbuf
0 packets whose headers are not continuous
0 tunneling packets that can't find gif
0 packets discarded because of too many headers
0 failures of source address selection
Source addresses selection rule applied:
icmp6:
0 calls to icmp6_error
0 errors not generated in response to an icmp6 message
0 errors not generated because of rate limitation
0 messages with bad code fields
0 messages < minimum length
0 bad checksums
0 messages with bad length
Histogram of error messages to be generated:
0 no route
0 administratively prohibited
0 beyond scope
0 address unreachable
0 port unreachable
0 packet too big
0 time exceed transit
0 time exceed reassembly
0 erroneous header field
0 unrecognized next header
0 unrecognized option
0 redirect
0 unknown
0 message responses generated
0 messages with too many ND options
0 messages with bad ND options
0 bad neighbor solicitation messages
0 bad neighbor advertisement messages
0 bad router solicitation messages
0 bad router advertisement messages
0 bad redirect messages
0 path MTU changes
rip6:
0 messages received
0 checksum calculations on inbound
0 messages with bad checksum
0 messages dropped due to no socket
0 multicast messages dropped due to no socket
0 messages dropped due to full socket buffers
0 delivered
0 datagrams output
-------------- next part --------------
tcp:
3786 packets sent
1255 data packets (275510 bytes)
41 data packets (13121 bytes) retransmitted
0 data packets unnecessarily retransmitted
3 resends initiated by MTU discovery
2364 ack-only packets (132 delayed)
0 URG only packets
0 window probe packets
63 window update packets
63 control packets
6192 packets received
1156 acks (for 277691 bytes)
46 duplicate acks
0 acks for unsent data
5329 packets (6202824 bytes) received in-sequence
5 completely duplicate packets (2920 bytes)
0 old duplicate packets
0 packets with some dup. data (0 bytes duped)
24 out-of-order packets (19313 bytes)
0 packets (0 bytes) of data after window
0 window probes
6 window update packets
4 packets received after close
0 discarded for bad checksums
0 discarded for bad header offset fields
0 discarded because packet too short
0 discarded due to memory problems
17 connection requests
29 connection accepts
0 bad connection attempts
0 listen queue overflows
1 ignored RSTs in the window
45 connections established (including accepts)
55 connections closed (including 4 drops)
34 connections updated cached RTT on close
36 connections updated cached RTT variance on close
5 connections updated cached ssthresh on close
1 embryonic connection dropped
1151 segments updated rtt (of 1119 attempts)
47 retransmit timeouts
3 connections dropped by rexmit timeout
0 persist timeouts
0 connections dropped by persist timeout
0 Connections (fin_wait_2) dropped because of timeout
9 keepalive timeouts
8 keepalive probes sent
1 connection dropped by keepalive
1 correct ACK header prediction
4826 correct data packet header predictions
32 syncache entries added
0 retransmitted
0 dupsyn
0 dropped
29 completed
0 bucket overflow
0 cache overflow
3 reset
0 stale
0 aborted
0 badack
0 unreach
0 zone failures
32 cookies sent
0 cookies received
0 SACK recovery episodes
0 segment rexmits in SACK recovery episodes
0 byte rexmits in SACK recovery episodes
3 SACK options (SACK blocks) received
23 SACK options (SACK blocks) sent
0 SACK scoreboard overflow
0 packets with ECN CE bit set
0 packets with ECN ECT(0) bit set
0 packets with ECN ECT(1) bit set
0 successful ECN handshakes
0 times ECN reduced the congestion window
udp:
2751 datagrams received
0 with incomplete header
0 with bad data length field
0 with bad checksum
1 with no checksum
146 dropped due to no socket
2474 broadcast/multicast datagrams undelivered
0 dropped due to full socket buffers
0 not for hashed pcb
131 delivered
248 datagrams output
0 times multicast source filter matched
sctp:
0 input packets
0 datagrams
0 packets that had data
0 input SACK chunks
0 input DATA chunks
0 duplicate DATA chunks
0 input HB chunks
0 HB-ACK chunks
0 input ECNE chunks
0 input AUTH chunks
0 chunks missing AUTH
0 invalid HMAC ids received
0 invalid secret ids received
0 auth failed
0 fast path receives all one chunk
0 fast path multi-part data
0 output packets
0 output SACKs
0 output DATA chunks
0 retransmitted DATA chunks
0 fast retransmitted DATA chunks
0 FR's that happened more than once to same chunk
0 intput HB chunks
0 output ECNE chunks
0 output AUTH chunks
0 ip_output error counter
Packet drop statistics:
0 from middle box
0 from end host
0 with data
0 non-data, non-endhost
0 non-endhost, bandwidth rep only
0 not enough for chunk header
0 not enough data to confirm
0 where process_chunk_drop said break
0 failed to find TSN
0 attempt reverse TSN lookup
0 e-host confirms zero-rwnd
0 midbox confirms no space
0 data did not match TSN
0 TSN's marked for Fast Retran
Timeouts:
0 iterator timers fired
0 T3 data time outs
0 window probe (T3) timers fired
0 INIT timers fired
0 sack timers fired
0 shutdown timers fired
0 heartbeat timers fired
0 a cookie timeout fired
0 an endpoint changed its cookiesecret
0 PMTU timers fired
0 shutdown ack timers fired
0 shutdown guard timers fired
0 stream reset timers fired
0 early FR timers fired
0 an asconf timer fired
0 auto close timer fired
0 asoc free timers expired
0 inp free timers expired
0 packet shorter than header
0 checksum error
0 no endpoint for port
0 bad v-tag
0 bad SID
0 no memory
0 number of multiple FR in a RTT window
0 RFC813 allowed sending
0 RFC813 does not allow sending
0 times max burst prohibited sending
0 look ahead tells us no memory in interface
0 numbers of window probes sent
0 times an output error to clamp down on next user send
0 times sctp_senderrors were caused from a user
0 number of in data drops due to chunk limit reached
0 number of in data drops due to rwnd limit reached
0 times a ECN reduced the cwnd
0 used express lookup via vtag
0 collision in express lookup
0 times the sender ran dry of user data on primary
0 same for above
0 sacks the slow way
0 window update only sacks sent
0 sends with sinfo_flags !=0
0 unordered sends
0 sends with EOF flag set
0 sends with ABORT flag set
0 times protocol drain called
0 times we did a protocol drain
0 times recv was called with peek
0 cached chunks used
0 cached stream oq's used
0 unread messages abandonded by close
0 send burst avoidance, already max burst inflight to net
0 send cwnd full avoidance, already max burst inflight to net
0 number of map array over-runs via fwd-tsn's
ip:
29911 total packets received
0 bad header checksums
0 with size smaller than minimum
0 with data size < data length
0 with ip length > max ip packet size
0 with header length < data size
0 with data length < header length
0 with bad options
0 with incorrect version number
0 fragments received
0 fragments dropped (dup or out of space)
0 fragments dropped after timeout
0 packets reassembled ok
8958 packets for this host
111 packets for unknown/unsupported protocol
20809 packets forwarded (0 packets fast forwarded)
33 packets not forwardable
0 packets received for unknown multicast group
0 redirects sent
4293 packets sent from this host
0 packets sent with fabricated ip header
0 output packets dropped due to no bufs, etc.
0 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 datagrams that can't be fragmented
0 tunneling packets that can't find gif
0 datagrams with bad address in header
icmp:
148 calls to icmp_error
0 errors not generated in response to an icmp message
Output histogram:
echo reply: 15
destination unreachable: 148
0 messages with bad code fields
0 messages less than the minimum length
0 messages with bad checksum
0 messages with bad length
0 multicast echo requests ignored
0 multicast timestamp requests ignored
Input histogram:
destination unreachable: 111
echo: 15
15 message responses generated
0 invalid return addresses
0 no return routes
ICMP address mask responses are disabled
igmp:
0 messages received
0 messages received with too few bytes
0 messages received with wrong TTL
0 messages received with bad checksum
0 V1/V2 membership queries received
0 V3 membership queries received
0 membership queries received with invalid field(s)
0 general queries received
0 group queries received
0 group-source queries received
0 group-source queries dropped
0 membership reports received
0 membership reports received with invalid field(s)
0 membership reports received for groups to which we belong
0 V3 reports received without Router Alert
0 membership reports sent
arp:
146 ARP requests sent
1626 ARP replies sent
22177 ARP requests received
7 ARP replies received
22184 ARP packets received
84 total packets dropped due to no ARP entry
69 ARP entrys timed out
0 Duplicate IPs seen
ip6:
0 total packets received
0 with size smaller than minimum
0 with data size < data length
0 with bad options
0 with incorrect version number
0 fragments received
0 fragments dropped (dup or out of space)
0 fragments dropped after timeout
0 fragments that exceeded limit
0 packets reassembled ok
0 packets for this host
0 packets forwarded
0 packets not forwardable
0 redirects sent
0 packets sent from this host
0 packets sent with fabricated ip header
0 output packets dropped due to no bufs, etc.
7 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 datagrams that can't be fragmented
0 packets that violated scope rules
0 multicast packets which we don't join
Mbuf statistics:
0 one mbuf
0 one ext mbuf
0 two or more ext mbuf
0 packets whose headers are not continuous
0 tunneling packets that can't find gif
0 packets discarded because of too many headers
0 failures of source address selection
Source addresses selection rule applied:
icmp6:
0 calls to icmp6_error
0 errors not generated in response to an icmp6 message
0 errors not generated because of rate limitation
0 messages with bad code fields
0 messages < minimum length
0 bad checksums
0 messages with bad length
Histogram of error messages to be generated:
0 no route
0 administratively prohibited
0 beyond scope
0 address unreachable
0 port unreachable
0 packet too big
0 time exceed transit
0 time exceed reassembly
0 erroneous header field
0 unrecognized next header
0 unrecognized option
0 redirect
0 unknown
0 message responses generated
0 messages with too many ND options
0 messages with bad ND options
0 bad neighbor solicitation messages
0 bad neighbor advertisement messages
0 bad router solicitation messages
0 bad router advertisement messages
0 bad redirect messages
0 path MTU changes
rip6:
0 messages received
0 checksum calculations on inbound
0 messages with bad checksum
0 messages dropped due to no socket
0 multicast messages dropped due to no socket
0 messages dropped due to full socket buffers
0 delivered
0 datagrams output
-------------- next part --------------
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 21:47:22 Debug: Misc
State Table Total Rate
current entries 20
searches 55249 0.7/s
inserts 1901 0.0/s
removals 1881 0.0/s
Counters
match 1917 0.0/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
-------------- next part --------------
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 21:46:41 Debug: Misc
State Table Total Rate
current entries 21
searches 55023 0.7/s
inserts 1899 0.0/s
removals 1878 0.0/s
Counters
match 1915 0.0/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
-------------- next part --------------
-------------- next part --------------
20:56:23.455030 IP (tos 0x0, ttl 64, id 50886, offset 0, flags [DF], proto TCP (6), length 60)
10.11.10.45.51996 > 91.198.174.225.80: Flags [S], cksum 0x34cc (correct), seq 3868567477, win 14600, options [mss 1460,sackOK,TS val 2384243 ecr 0,nop,wscale 4], length 0
20:56:23.633425 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->27dd)!)
91.198.174.225.80 > 10.11.10.45.51996: Flags [S.], cksum 0x95a1 (correct), seq 2727041994, ack 3868567478, win 5792, options [mss 1460,sackOK,TS val 669489983 ecr 2384243,nop,wscale 9], length 0
20:56:23.634947 IP (tos 0x0, ttl 64, id 50887, offset 0, flags [DF], proto TCP (6), length 52)
10.11.10.45.51996 > 91.198.174.225.80: Flags [.], cksum 0xd751 (correct), seq 3868567478, ack 2727041995, win 913, options [nop,nop,TS val 2384288 ecr 669489983], length 0
20:56:23.635166 IP (tos 0x0, ttl 64, id 50888, offset 0, flags [DF], proto TCP (6), length 108)
10.11.10.45.51996 > 91.198.174.225.80: Flags [P.], cksum 0x6f6b (correct), seq 3868567478:3868567534, ack 2727041995, win 913, options [nop,nop,TS val 2384288 ecr 669489983], length 56
20:56:23.635810 IP (tos 0x0, ttl 64, id 50889, offset 0, flags [DF], proto TCP (6), length 52)
10.11.10.45.51996 > 91.198.174.225.80: Flags [F.], cksum 0xd718 (correct), seq 3868567534, ack 2727041995, win 913, options [nop,nop,TS val 2384288 ecr 669489983], length 0
20:56:23.813427 IP (tos 0x0, ttl 52, id 49306, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->673e)!)
91.198.174.225.80 > 10.11.10.45.51996: Flags [.], cksum 0x87a3 (correct), seq 2727041995, ack 3868567478, win 12, options [nop,nop,TS val 669490001 ecr 2384288,nop,nop,sack 1 {3868567534:3868567535}], length 0
20:56:23.814752 IP (tos 0x0, ttl 52, id 49307, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->6749)!)
91.198.174.225.80 > 10.11.10.45.51996: Flags [.], cksum 0xda8b (correct), seq 2727041995, ack 3868567535, win 12, options [nop,nop,TS val 669490001 ecr 2384288], length 0
20:56:23.815233 IP (tos 0x0, ttl 52, id 49308, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->6748)!)
91.198.174.225.80 > 10.11.10.45.51996: Flags [F.], cksum 0xda8a (correct), seq 2727041995, ack 3868567535, win 12, options [nop,nop,TS val 669490001 ecr 2384288], length 0
20:56:23.816529 IP (tos 0x0, ttl 64, id 50890, offset 0, flags [DF], proto TCP (6), length 52)
10.11.10.45.51996 > 91.198.174.225.80: Flags [.], cksum 0xd6d8 (correct), seq 3868567535, ack 2727041996, win 913, options [nop,nop,TS val 2384333 ecr 669490001], length 0
-------------- next part --------------
20:56:23.455415 IP (tos 0x0, ttl 63, id 50886, offset 0, flags [DF], proto TCP (6), length 60)
192.168.0.200.64834 > 91.198.174.225.80: Flags [S], cksum 0x556d (correct), seq 3868567477, win 14600, options [mss 1460,sackOK,TS val 2384243 ecr 0,nop,wscale 4], length 0
20:56:23.633234 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 60)
91.198.174.225.80 > 192.168.0.200.64834: Flags [S.], cksum 0xb642 (correct), seq 2727041994, ack 3868567478, win 5792, options [mss 1460,sackOK,TS val 669489983 ecr 2384243,nop,wscale 9], length 0
20:56:23.635087 IP (tos 0x0, ttl 63, id 50887, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.200.64834 > 91.198.174.225.80: Flags [.], cksum 0xf7f2 (correct), seq 3868567478, ack 2727041995, win 913, options [nop,nop,TS val 2384288 ecr 669489983], length 0
20:56:23.635277 IP (tos 0x0, ttl 63, id 50888, offset 0, flags [DF], proto TCP (6), length 108)
192.168.0.200.64834 > 91.198.174.225.80: Flags [P.], cksum 0x900c (correct), seq 3868567478:3868567534, ack 2727041995, win 913, options [nop,nop,TS val 2384288 ecr 669489983], length 56
20:56:23.635923 IP (tos 0x0, ttl 63, id 50889, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.200.64834 > 91.198.174.225.80: Flags [F.], cksum 0xf7b9 (correct), seq 3868567534, ack 2727041995, win 913, options [nop,nop,TS val 2384288 ecr 669489983], length 0
20:56:23.813258 IP (tos 0x0, ttl 53, id 49306, offset 0, flags [DF], proto TCP (6), length 64)
91.198.174.225.80 > 192.168.0.200.64834: Flags [.], cksum 0xa844 (correct), seq 2727041995, ack 3868567478, win 12, options [nop,nop,TS val 669490001 ecr 2384288,nop,nop,sack 1 {3868567534:3868567535}], length 0
20:56:23.814638 IP (tos 0x0, ttl 53, id 49307, offset 0, flags [DF], proto TCP (6), length 52)
91.198.174.225.80 > 192.168.0.200.64834: Flags [.], cksum 0xfb2c (correct), seq 2727041995, ack 3868567535, win 12, options [nop,nop,TS val 669490001 ecr 2384288], length 0
20:56:23.815114 IP (tos 0x0, ttl 53, id 49308, offset 0, flags [DF], proto TCP (6), length 52)
91.198.174.225.80 > 192.168.0.200.64834: Flags [F.], cksum 0xfb2b (correct), seq 2727041995, ack 3868567535, win 12, options [nop,nop,TS val 669490001 ecr 2384288], length 0
20:56:23.816677 IP (tos 0x0, ttl 63, id 50890, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.200.64834 > 91.198.174.225.80: Flags [.], cksum 0xf779 (correct), seq 3868567535, ack 2727041996, win 913, options [nop,nop,TS val 2384333 ecr 669490001], length 0
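
Capturing on both interfaces in parallel (step 3 above) lets you check whether every packet that reaches one side of the firewall also shows up on the other. The Python below is an added example, not code from either poster: it pairs packets across pf's NAT by direction, TCP flags, absolute seq/ack numbers (from `tcpdump -S`) and payload length. It assumes `tcpdump -v` two-line output and unmodulated sequence numbers, as in the captures above; `parse_capture` and `compare` are names chosen for this example.

```python
import re
from collections import Counter

SERVER = "91.198.174.225"  # remote host used in the thread's test

# Excerpt (4 of the 9 packets) from the pre-NAT capture posted above.
INSIDE = """20:56:23.455030 IP (tos 0x0, ttl 64, id 50886, offset 0, flags [DF], proto TCP (6), length 60)
    10.11.10.45.51996 > 91.198.174.225.80: Flags [S], cksum 0x34cc (correct), seq 3868567477, win 14600, options [mss 1460,sackOK,TS val 2384243 ecr 0,nop,wscale 4], length 0
20:56:23.633425 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->27dd)!)
    91.198.174.225.80 > 10.11.10.45.51996: Flags [S.], cksum 0x95a1 (correct), seq 2727041994, ack 3868567478, win 5792, options [mss 1460,sackOK,TS val 669489983 ecr 2384243,nop,wscale 9], length 0
20:56:23.635166 IP (tos 0x0, ttl 64, id 50888, offset 0, flags [DF], proto TCP (6), length 108)
    10.11.10.45.51996 > 91.198.174.225.80: Flags [P.], cksum 0x6f6b (correct), seq 3868567478:3868567534, ack 2727041995, win 913, options [nop,nop,TS val 2384288 ecr 669489983], length 56
20:56:23.815233 IP (tos 0x0, ttl 52, id 49308, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->6748)!)
    91.198.174.225.80 > 10.11.10.45.51996: Flags [F.], cksum 0xda8a (correct), seq 2727041995, ack 3868567535, win 12, options [nop,nop,TS val 669490001 ecr 2384288], length 0"""

# The same 4 packets from the post-NAT capture posted above.
OUTSIDE = """20:56:23.455415 IP (tos 0x0, ttl 63, id 50886, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.200.64834 > 91.198.174.225.80: Flags [S], cksum 0x556d (correct), seq 3868567477, win 14600, options [mss 1460,sackOK,TS val 2384243 ecr 0,nop,wscale 4], length 0
20:56:23.633234 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    91.198.174.225.80 > 192.168.0.200.64834: Flags [S.], cksum 0xb642 (correct), seq 2727041994, ack 3868567478, win 5792, options [mss 1460,sackOK,TS val 669489983 ecr 2384243,nop,wscale 9], length 0
20:56:23.635277 IP (tos 0x0, ttl 63, id 50888, offset 0, flags [DF], proto TCP (6), length 108)
    192.168.0.200.64834 > 91.198.174.225.80: Flags [P.], cksum 0x900c (correct), seq 3868567478:3868567534, ack 2727041995, win 913, options [nop,nop,TS val 2384288 ecr 669489983], length 56
20:56:23.815114 IP (tos 0x0, ttl 53, id 49308, offset 0, flags [DF], proto TCP (6), length 52)
    91.198.174.225.80 > 192.168.0.200.64834: Flags [F.], cksum 0xfb2b (correct), seq 2727041995, ack 3868567535, win 12, options [nop,nop,TS val 669490001 ecr 2384288], length 0"""

# Constructed failure case (not from the thread): the SYN-ACK arrives on the
# outside interface but never appears on the inside one.
INSIDE_BLOCKED = "\n".join(INSIDE.splitlines()[:2])
OUTSIDE_BLOCKED = "\n".join(OUTSIDE.splitlines()[:4])

HDR = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP ")
PKT = re.compile(
    r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]"
    r".*?seq (\d+)(?::\d+)?(?:, ack (\d+))?.*length (\d+)$"
)


def parse_capture(text, server):
    """Return [(timestamp, key)] for each TCP packet to or from `server`.

    The key leaves out the client address and port, which NAT rewrites, and
    keeps what NAT leaves alone: direction, flags, seq, ack, payload length.
    """
    packets, ts = [], None
    for line in text.splitlines():
        line = line.strip()
        hdr = HDR.match(line)
        if hdr:                      # first line of a -v record: timestamp
            ts = hdr.group(1)
            continue
        m = PKT.search(line)         # second line: addresses and TCP fields
        if not m or ts is None:
            continue
        src, _, dst, _, flags, seq, ack, length = m.groups()
        if server in (src, dst):
            direction = "from-server" if src == server else "to-server"
            key = (direction, flags, int(seq), int(ack) if ack else None, int(length))
            packets.append((ts, key))
        ts = None
    return packets


def compare(inside_text, outside_text, server):
    """Multiset comparison, so retransmitted packets are counted, not merged."""
    inside = Counter(k for _, k in parse_capture(inside_text, server))
    outside = Counter(k for _, k in parse_capture(outside_text, server))
    return {
        "matched": sum((inside & outside).values()),
        "only_inside": list((inside - outside).elements()),    # not forwarded out
        "only_outside": list((outside - inside).elements()),   # not forwarded in
    }


if __name__ == "__main__":
    print("thread excerpt:", compare(INSIDE, OUTSIDE, SERVER))
    print("constructed drop:", compare(INSIDE_BLOCKED, OUTSIDE_BLOCKED, SERVER))
```

On the excerpt from this thread every packet pairs up, so nothing is listed under `only_inside` or `only_outside`; in the constructed case the SYN-ACK is reported as seen only on the outside interface.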