[PATCH] TCP window tracking patch backported from the 2.6 tree

[PATCH] TCP window tracking patch backported from the 2.6 tree

[Jozsef Kadlecsik]

Hi,

The TCP window tracking patch backported from the 2.6 tree can now be
found in the patch-o-matic-ng svn repository. The 2.4 version of the
nf-log patch (which is required) has been updated as well.

Please report me any success/failure reports wether it's an improvement
compared to the previous version in your environment or not.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Roberto Nibali]

Hello Jozsef,

Thanks, looks like tomorrow is another netfilter day for me.

> The TCP window tracking patch backported from the 2.6 tree can now be
> found in the patch-o-matic-ng svn repository. The 2.4 version of the
> nf-log patch (which is required) has been updated as well.

Is the conntrack_error-api still needed and if so, where can I find it? 
I'm referring to:

https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng/patchlets/tcp-window-tracking/info

> Please report me any success/failure reports wether it's an improvement
> compared to the previous version in your environment or not.

Do you happen to have a changelog written down somewhere or shall I diff 
the two linux-2.4 patches?

Regards,
Roberto Nibali, ratz
-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Jozsef Kadlecsik]

Hi,

On Tue, 28 Jun 2005, Roberto Nibali wrote:

> Is the conntrack_error-api still needed and if so, where can I find it?

Good catch: not required so I removed the dependency from the info
file in svn.

> > Please report me any success/failure reports wether it's an improvement
> > compared to the previous version in your environment or not.
>
> Do you happen to have a changelog written down somewhere or shall I diff
> the two linux-2.4 patches?

The last update sent to 2.6 kernel inclusion created the major difference
between the two flavours. Now they are in sync and the most important
fixes are in no particular order

- Article on which the code is based falsely
  assumed that packets must fit completely into
  the window: packets must at least overlap, logic fixed
- Reopening connections now done properly
- We handle ACK packets sent by server to late resent SYNs too
- Arbitrary RST segments could cause connection
  teardown, fixed.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Roberto Nibali]

> Good catch: not required so I removed the dependency from the info
> file in svn.

Verified. Another thing is the link to Guido's paper. For me this is not working
anymore. So instead of linking the dead (if in fact it's dead) link:

    http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz

You could do following:

a. Put a mirror link into the document, e.g:

     http://www.madison-gurkha.com/publications/tcp_filtering/tcp_filtering.ps

b. Download the PS or PDF version of the paper and put it onto the Documentation
   section under "Various other docs", ITIM:

     http://www.netfilter.org/documentation/index.html#documentation-other

This also concerns the patch IMHO, so option b is maybe preferred.

> The last update sent to 2.6 kernel inclusion created the major difference
> between the two flavours. Now they are in sync and the most important
> fixes are in no particular order

Awesome, thanks. For the record, we're talking about the following changes:

http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/patch-o-matic-ng/patchlets/tcp-window-tracking/linux-2.4.patch?rev=4073&r1=4018&r2=4073

> - Article on which the code is based falsely
>   assumed that packets must fit completely into
>   the window: packets must at least overlap, logic fixed
> - Reopening connections now done properly
> - We handle ACK packets sent by server to late resent SYNs too
> - Arbitrary RST segments could cause connection
>   teardown, fixed.

Daniel, I hope you don't mind that I've cc'd you out of the blue sky regarding
this issue. However, I'd like you, if possible, to comment on the possible
semantic differences between the window tracking implementation in OpenBSD pf
(also based on the Guido paper) and the current netfilter one. The relevant
patch on the netfilter part can be found at:

http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/patch-o-matic-ng/patchlets/tcp-window-tracking/linux-2.4.patch?rev=4073&view=markup

It would be nice to have a second opinion regarding the tcp state transitions,
the SACK handling and the tcp_in_window() function, which is most critical.
We're probably talking about this gem, among others:

http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/net/pf.c?rev=1.493&content-type=text/plain

If it's not possible, drop me a private email and we'll meet somewhere in Zürich
in a bar along the Limmat for a beer to discuss this ;).

Best Regards,
Roberto Nibali, ratz
-- 
-------------------------------------------------------------
addr://Rathausgasse 31, CH-5001 Aarau  tel://++41 62 823 9355
http://www.terreactive.com             fax://++41 62 823 9356
-------------------------------------------------------------
terreActive AG                       Wir sichern Ihren Erfolg
-------------------------------------------------------------

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Jozsef Kadlecsik]

Hi,

On Wed, 29 Jun 2005, Roberto Nibali wrote:

> Verified. Another thing is the link to Guido's paper. For me this is not working
> anymore.

Yes, it disappeared. We'll add the article to the netfilter homepage
and refer to the new link in the sources - that's the best.

> > The last update sent to 2.6 kernel inclusion created the major difference
> > between the two flavours. Now they are in sync and the most important
> > fixes are in no particular order
>
> Awesome, thanks. For the record, we're talking about the following changes:
>
> http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/patch-o-matic-ng/patchlets/tcp-window-tracking/linux-2.4.patch?rev=4073&r1=4018&r2=4073

Yes, exactly.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Jozsef Kadlecsik]

On Wed, 29 Jun 2005, Roberto Nibali wrote:

> Daniel, I hope you don't mind that I've cc'd you out of the blue sky regarding
> this issue. However, I'd like you, if possible, to comment on the possible
> semantic differences between the window tracking implementation in OpenBSD pf
> (also based on the Guido paper) and the current netfilter one. The relevant
> patch on the netfilter part can be found at:
>
> http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/patch-o-matic-ng/patchlets/tcp-window-tracking/linux-2.4.patch?rev=4073&view=markup
>
> It would be nice to have a second opinion regarding the tcp state transitions,
> the SACK handling and the tcp_in_window() function, which is most critical.
> We're probably talking about this gem, among others:
>
> http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/net/pf.c?rev=1.493&content-type=text/plain

I'd be just happy to receive any opinion, critics on how the window
tracking were implemented in netfilter.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Roberto Nibali]

> found in the patch-o-matic-ng svn repository. The 2.4 version of the
> nf-log patch (which is required) has been updated as well.

The updated nf-log patch seems to be missing the neccessary symbol exports.
Please consider adding this to your linux-2.4 patch:

 --- linux-2.4.31-orig/net/netsyms.c     2005-04-04 03:42:20 +0200
+++ linux-2.4.31-pab2/net/netsyms.c     2005-06-07 12:16:04 +0200
@@ -594,6 +594,7 @@
 #endif
 #ifdef CONFIG_NETFILTER
 #include <linux/netfilter.h>
+#include <linux/netfilter_logging.h>
 EXPORT_SYMBOL(nf_register_hook);
 EXPORT_SYMBOL(nf_unregister_hook);
 EXPORT_SYMBOL(nf_register_sockopt);
@@ -607,6 +608,10 @@
 EXPORT_SYMBOL(nf_getsockopt);
 EXPORT_SYMBOL(ip_ct_attach);
 EXPORT_SYMBOL(nf_ct_attach);
+EXPORT_SYMBOL(nf_log_register);
+EXPORT_SYMBOL(nf_log_unregister);
+EXPORT_SYMBOL(nf_log_packet);
+EXPORT_SYMBOL(nf_log);
 #ifdef CONFIG_INET
 #include <linux/netfilter_ipv4.h>
 EXPORT_SYMBOL(ip_route_me_harder);

http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/patch-o-matic-ng/patchlets/nf-log/linux-2.4.patch?rev=4073&r1=4018&r2=4073
also depicts this nicely as well as a failed depmod after compilation ;).

Best regards,
Roberto Nibali, ratz
-- 
-------------------------------------------------------------
addr://Rathausgasse 31, CH-5001 Aarau  tel://++41 62 823 9355
http://www.terreactive.com             fax://++41 62 823 9356
-------------------------------------------------------------
terreActive AG                       Wir sichern Ihren Erfolg
-------------------------------------------------------------

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Daniel Hartmeier]

On Wed, Jun 29, 2005 at 12:26:02PM +0200, Jozsef Kadlecsik wrote:

> > http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/patch-o-matic-ng/patchlets/tcp-window-tracking/linux-2.4.patch?rev=4073&view=markup
> >
> > It would be nice to have a second opinion regarding the tcp state transitions,
> > the SACK handling and the tcp_in_window() function, which is most critical.
> > We're probably talking about this gem, among others:
> >
> > http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/net/pf.c?rev=1.493&content-type=text/plain
> 
> I'd be just happy to receive any opinion, critics on how the window
> tracking were implemented in netfilter.

The SACK handling looks curious to me. This is the TCP Selective
Acknowledgements options, as in RFC 2018, right?

OpenBSD pf doesn't read those at all, currently. Stateful filtering
shouldn't have to know about SACK, as SACK-enabled hosts must still
honour the general rules in Guido's paper, i.e. ignoring SACK holes
doesn't break any valid SACK-enabled connection. This is unlike the
window scaling options, which the filter has to understand.

But there's one desirable thing you can do if you know about SACK holes:
you can prevent a peer from overwriting a TCP segment which has already
been (selectively) acknowledged. That is, similar to how the IP-level
reassembly in pf prevents attacks (for instance on IDSs) by weeding out
overlapping IP fragments, a TCP-level normalization could ensure that a
peer isn't allowed to overwrite TCP segments that have already been
acknowledged by the recipient. For instance, an attacker's goal might be
to take advantage of differences in how different readers will deal with
overlaps (the IDS might keep the first version, which doesn't trigger an
alarm, while the end-point host might keep the second version).

We want to implement this kind of TCP normalization eventually in pf,
and SACK makes this quite an interesting problem (i.e. should the
stateful filter use up memory to cache all SACK holes, etc.?).

Is this implemented in the netfilter patch above? Or what else do you
read SACK options for?

I don't see it caching individual SACK boundaries, there seems to be a
single 'highwater mark', as the comment explains

+   The boundaries and the conditions are changed according to RFC793:
+   the packet must intersect the window (i.e. segments may be
+   after the right or before the left edge) and thus receivers may ACK
+   segments after the right edge of the window.
+
+   	td_maxend = max(sack + max(win,1)) seen in reply packets
+	td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets
+	td_maxwin += seq + len - sender.td_maxend
+			if seq + len > sender.td_maxend
+	td_end    = max(seq + len) seen in sent packets
+   
+   I.   Upper bound for valid data:	seq <= sender.td_maxend
+   II.  Lower bound for valid data:	seq + len >= sender.td_end - receiver.td_maxwin
+   III.	Upper bound for valid ack:      sack <= receiver.td_end
+   IV.	Lower bound for valid ack:	ack >= receiver.td_end - MAXACKWINDOW
+   	
+   where sack is the highest right edge of sack block found in the packet.
                      ^^^^^^^^^^^^^^^^^^

If you're using only the highest right edge, I wonder why you have to
read that at all (and don't just use normal ACKs that are sent when
there are no holes or holes are filled). Could you explain what
advantages this has? We see no problems with SACK-enabled connections in
pf, and simply ignore selective ACK options.

Daniel

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Jozsef Kadlecsik]

Hi,

On Wed, 29 Jun 2005, Daniel Hartmeier wrote:

> The SACK handling looks curious to me. This is the TCP Selective
> Acknowledgements options, as in RFC 2018, right?

Yes, that's it.

> OpenBSD pf doesn't read those at all, currently. Stateful filtering
> shouldn't have to know about SACK, as SACK-enabled hosts must still
> honour the general rules in Guido's paper, i.e. ignoring SACK holes
> doesn't break any valid SACK-enabled connection. This is unlike the
> window scaling options, which the filter has to understand.
[..]

It just happens that senders send such segments which overlap the window
of the receiver, for example the right edge is actually out of window.
(That is in general a problem when an implementation follows Guido's paper
letter by letter.) And when SACK is enabled, there are holes, and such a
packet is received, the receiver notifies the sender about it in a SACK
option. As the holes are filled up, the receiver then sends a normal ACK
which acknowledges up to the highest right edge, which was actually out of
window. The whole SACK part takes into account that - it has nothing to do
with TCP normalization.

> advantages this has? We see no problems with SACK-enabled connections in
> pf, and simply ignore selective ACK options.

I suspect you haven't received reports on such problems because pf does
not log when it drops out of window segments. TCP is a robust protocol and
sometimes, by resending packets, it can overcome the situation and the
connection does not hang forever. However the window tracking patch for
netfilter lived very long time in patch-o-matic as an experimental
extension with logging out of window packets enabled. We received
complains and sometimes the reporters could supply both the logs and full
tcpdump recordings from the firewall which revealed the problem.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Jozsef Kadlecsik]

On Wed, 29 Jun 2005, Roberto Nibali wrote:

> > found in the patch-o-matic-ng svn repository. The 2.4 version of the
> > nf-log patch (which is required) has been updated as well.
>
> The updated nf-log patch seems to be missing the neccessary symbol exports.
> Please consider adding this to your linux-2.4 patch:

I mixed up something then, I have even committed the patch in svn by
running the patched kernel. Sorry, expect fixed patch tomorrow.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Daniel Hartmeier]

On Thu, Jun 30, 2005 at 09:48:19AM +0200, Jozsef Kadlecsik wrote:

> > advantages this has? We see no problems with SACK-enabled connections in
> > pf, and simply ignore selective ACK options.
> 
> I suspect you haven't received reports on such problems because pf does
> not log when it drops out of window segments. TCP is a robust protocol and
> sometimes, by resending packets, it can overcome the situation and the
> connection does not hang forever. However the window tracking patch for
> netfilter lived very long time in patch-o-matic as an experimental
> extension with logging out of window packets enabled. We received
> complains and sometimes the reporters could supply both the logs and full
> tcpdump recordings from the firewall which revealed the problem.

pf can log when it drops packets that mismatch the state entry's
sequence number windows ('BAD state' log entries, generated when pfctl
-xm, debug logging, is enabled, which is disabled by default).

I've analyzed a fair number of problem reports with both tcpdumps of
connections and such out-of-window logs, but I've never seen one where
SACK holes were part of the puzzle. In some cases, one peer would simply
violate the TCP RFC and send out-of-window segments. Maybe I just didn't
make the connection between seemingly invalid behaviour and SACK holes,
but out of at least two dozen analyzed incidents, none remained
unexplained so far.

I'd be interested in an example dump and log of a connection that
demonstrates this issue, especially if it shows that the hosts
didn't violate the RFCs. Comparing, in that example, the use of a
right-most SACK hole as edge vs. a (later) plain ACK could help
understand the implications.

I'm not saying netfilter's use of the SACK holes is potentially
incorrect, but it looks somewhat suspicious to me, and that's what I'd
look at more closely. If you still have one of those examples around,
I'd love to see it :)

Daniel

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Jozsef Kadlecsik]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1798 bytes --]

Hi,

On Thu, 30 Jun 2005, Daniel Hartmeier wrote:

> I've analyzed a fair number of problem reports with both tcpdumps of
> connections and such out-of-window logs, but I've never seen one where
> SACK holes were part of the puzzle. In some cases, one peer would simply
> violate the TCP RFC and send out-of-window segments. Maybe I just didn't
> make the connection between seemingly invalid behaviour and SACK holes,
> but out of at least two dozen analyzed incidents, none remained
> unexplained so far.
>
> I'd be interested in an example dump and log of a connection that
> demonstrates this issue, especially if it shows that the hosts
> didn't violate the RFCs. Comparing, in that example, the use of a
> right-most SACK hole as edge vs. a (later) plain ACK could help
> understand the implications.

Attached is the anonymized txt version of a traffic dump. If the last
packet is blocked by the firewall, the session hangs on the client side.
By using the rightmost edge of the SACK blocks as ACK in calculating the
acceptable window, the connection finishes all right. (There were multiple
independent reports - this was unique being easily reproducible anytime.)

But it's as interesting for me as SACK handling that you use the original
conditions from Guido's article. However I strongly believe the boundaries
for valid data stated there are not RFC compliant: data is not required to
fit into the window, it must just overlap. Receiver even may hold segments
with higher sequence numbers for later processing. What's your opinion?

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

[-- Attachment #2: sack.dump.anon --]
[-- Type: TEXT/PLAIN, Size: 52883 bytes --]

15:27:27.315245 IP (tos 0x0, ttl  64, id 35783, offset 0, flags [DF], length: 60) 1.1.1.1.4632 > 2.2.2.2.80: S [tcp sum ok] 72431051:72431051(0) win 5840 <mss 1460,sackOK,timestamp 2766486 0,nop,wscale 0>
15:27:27.322134 IP (tos 0x0, ttl 124, id 22926, offset 0, flags [DF], length: 64) 2.2.2.2.80 > 1.1.1.1.4632: S [tcp sum ok] 2187509889:2187509889(0) ack 72431052 win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
15:27:27.322185 IP (tos 0x0, ttl  64, id 46304, offset 0, flags [DF], length: 52) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72431052:72431052(0) ack 2187509890 win 5840 <nop,nop,timestamp 2766487 0>
15:27:27.324472 IP (tos 0x0, ttl  64, id 60798, offset 0, flags [DF], length: 606) 1.1.1.1.4632 > 2.2.2.2.80: P [tcp sum ok] 72431052:72431606(554) ack 2187509890 win 5840 <nop,nop,timestamp 2766487 0>
15:27:27.342107 IP (tos 0x0, ttl 124, id 22929, offset 0, flags [DF], length: 1145) 2.2.2.2.80 > 1.1.1.1.4632: P [tcp sum ok] 2187509890:2187510983(1093) ack 72431606 win 64981 <nop,nop,timestamp 69058107 2766487>
15:27:27.342146 IP (tos 0x0, ttl  64, id 64604, offset 0, flags [DF], length: 52) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72431606:72431606(0) ack 2187510983 win 7651 <nop,nop,timestamp 2766489 69058107>
15:27:27.346133 IP (tos 0x0, ttl  64, id 38063, offset 0, flags [DF], length: 602) 1.1.1.1.4632 > 2.2.2.2.80: P [tcp sum ok] 72431606:72432156(550) ack 2187510983 win 7651 <nop,nop,timestamp 2766489 69058107>
15:27:27.380760 IP (tos 0x0, ttl 124, id 22938, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187510983:2187512431(1448) ack 72432156 win 64431 <nop,nop,timestamp 69058108 2766489>
15:27:27.380899 IP (tos 0x0, ttl 124, id 22939, offset 0, flags [DF], length: 1048) 2.2.2.2.80 > 1.1.1.1.4632: P [tcp sum ok] 2187512431:2187513427(996) ack 72432156 win 64431 <nop,nop,timestamp 69058108 2766489>
15:27:27.381048 IP (tos 0x0, ttl  64, id 35703, offset 0, flags [DF], length: 52) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72432156:72432156(0) ack 2187513427 win 14480 <nop,nop,timestamp 2766493 69058108>
15:27:27.385716 IP (tos 0x0, ttl  64, id 35831, offset 0, flags [DF], length: 602) 1.1.1.1.4632 > 2.2.2.2.80: P [tcp sum ok] 72432156:72432706(550) ack 2187513427 win 14480 <nop,nop,timestamp 2766493 69058108>
15:27:27.395223 IP (tos 0x0, ttl 124, id 22940, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187513427:2187514875(1448) ack 72432706 win 65535 <nop,nop,timestamp 69058108 2766493>
15:27:27.402437 IP (tos 0x0, ttl 124, id 22941, offset 0, flags [DF], length: 1016) 2.2.2.2.80 > 1.1.1.1.4632: P [tcp sum ok] 2187514875:2187515839(964) ack 72432706 win 65535 <nop,nop,timestamp 69058108 2766493>
15:27:27.402481 IP (tos 0x0, ttl  64, id 56822, offset 0, flags [DF], length: 52) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72432706:72432706(0) ack 2187515839 win 20272 <nop,nop,timestamp 2766495 69058108>
15:27:27.407944 IP (tos 0x0, ttl  64, id 32823, offset 0, flags [DF], length: 602) 1.1.1.1.4632 > 2.2.2.2.80: P [tcp sum ok] 72432706:72433256(550) ack 2187515839 win 20272 <nop,nop,timestamp 2766496 69058108>
15:27:27.424775 IP (tos 0x0, ttl 124, id 22950, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187515839:2187517287(1448) ack 72433256 win 64985 <nop,nop,timestamp 69058108 2766496>
15:27:27.428751 IP (tos 0x0, ttl 124, id 22951, offset 0, flags [DF], length: 989) 2.2.2.2.80 > 1.1.1.1.4632: P [tcp sum ok] 2187517287:2187518224(937) ack 72433256 win 64985 <nop,nop,timestamp 69058108 2766496>
15:27:27.428789 IP (tos 0x0, ttl  64, id 50897, offset 0, flags [DF], length: 52) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72433256:72433256(0) ack 2187518224 win 26064 <nop,nop,timestamp 2766498 69058108>
15:27:27.432923 IP (tos 0x0, ttl  64, id 51700, offset 0, flags [DF], length: 602) 1.1.1.1.4632 > 2.2.2.2.80: P [tcp sum ok] 72433256:72433806(550) ack 2187518224 win 26064 <nop,nop,timestamp 2766498 69058108>
15:27:27.444407 IP (tos 0x0, ttl 124, id 22955, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187518224:2187519672(1448) ack 72433806 win 64435 <nop,nop,timestamp 69058108 2766498>
15:27:27.454207 IP (tos 0x0, ttl 124, id 22956, offset 0, flags [DF], length: 905) 2.2.2.2.80 > 1.1.1.1.4632: P [tcp sum ok] 2187519672:2187520525(853) ack 72433806 win 64435 <nop,nop,timestamp 69058108 2766498>
15:27:27.454245 IP (tos 0x0, ttl  64, id 36140, offset 0, flags [DF], length: 52) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72433806:72433806(0) ack 2187520525 win 31856 <nop,nop,timestamp 2766500 69058108>
15:27:27.457736 IP (tos 0x0, ttl  64, id 40679, offset 0, flags [DF], length: 605) 1.1.1.1.4632 > 2.2.2.2.80: P [tcp sum ok] 72433806:72434359(553) ack 2187520525 win 31856 <nop,nop,timestamp 2766501 69058108>
15:27:27.470990 IP (tos 0x0, ttl 124, id 22962, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187520525:2187521973(1448) ack 72434359 win 65535 <nop,nop,timestamp 69058108 2766501>
15:27:27.482306 IP (tos 0x0, ttl 124, id 22963, offset 0, flags [DF], length: 1215) 2.2.2.2.80 > 1.1.1.1.4632: P [tcp sum ok] 2187521973:2187523136(1163) ack 72434359 win 65535 <nop,nop,timestamp 69058108 2766501>
15:27:27.482340 IP (tos 0x0, ttl  64, id 38507, offset 0, flags [DF], length: 52) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72434359:72434359(0) ack 2187523136 win 37648 <nop,nop,timestamp 2766503 69058108>
15:27:27.486214 IP (tos 0x0, ttl  64, id 38898, offset 0, flags [DF], length: 605) 1.1.1.1.4632 > 2.2.2.2.80: P [tcp sum ok] 72434359:72434912(553) ack 2187523136 win 37648 <nop,nop,timestamp 2766503 69058108>
15:27:27.501106 IP (tos 0x0, ttl 124, id 22968, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187523136:2187524584(1448) ack 72434912 win 64982 <nop,nop,timestamp 69058109 2766503>
15:27:27.510277 IP (tos 0x0, ttl 124, id 22969, offset 0, flags [DF], length: 1089) 2.2.2.2.80 > 1.1.1.1.4632: P [tcp sum ok] 2187524584:2187525621(1037) ack 72434912 win 64982 <nop,nop,timestamp 69058109 2766503>
15:27:27.510321 IP (tos 0x0, ttl  64, id 39796, offset 0, flags [DF], length: 52) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72434912:72434912(0) ack 2187525621 win 43440 <nop,nop,timestamp 2766506 69058109>
15:27:27.513854 IP (tos 0x0, ttl  64, id 63611, offset 0, flags [DF], length: 619) 1.1.1.1.4632 > 2.2.2.2.80: P [tcp sum ok] 72434912:72435479(567) ack 2187525621 win 43440 <nop,nop,timestamp 2766506 69058109>
15:27:27.526930 IP (tos 0x0, ttl 124, id 22972, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187525621:2187527069(1448) ack 72435479 win 64415 <nop,nop,timestamp 69058109 2766506>
15:27:27.541926 IP (tos 0x0, ttl 124, id 22973, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187527069:2187528517(1448) ack 72435479 win 64415 <nop,nop,timestamp 69058109 2766506>
15:27:27.541975 IP (tos 0x0, ttl  64, id 57774, offset 0, flags [DF], length: 52) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72435479:72435479(0) ack 2187528517 win 49232 <nop,nop,timestamp 2766509 69058109>
15:27:27.554141 IP (tos 0x0, ttl 124, id 22974, offset 0, flags [DF], length: 1208) 2.2.2.2.80 > 1.1.1.1.4632: P [tcp sum ok] 2187528517:2187529673(1156) ack 72435479 win 64415 <nop,nop,timestamp 69058109 2766506>
15:27:27.583022 IP (tos 0x0, ttl  64, id 46084, offset 0, flags [DF], length: 678) 1.1.1.1.4632 > 2.2.2.2.80: P [tcp sum ok] 72435479:72436105(626) ack 2187529673 win 52128 <nop,nop,timestamp 2766513 69058109>
15:27:27.700474 IP (tos 0x0, ttl 124, id 23038, offset 0, flags [DF], length: 52) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187529673:2187529673(0) ack 72436105 win 65535 <nop,nop,timestamp 69058111 2766513>
15:27:27.715864 IP (tos 0x0, ttl 124, id 23039, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186668963:2186670411(1448) ack 2138779303 win 64429 <nop,nop,timestamp 69058111 2766463>
15:27:27.715899 IP (tos 0x0, ttl  64, id 62352, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138779303:2138779303(0) ack 2186670682 win 63712 <nop,nop,timestamp 2766526 69058111>
15:27:27.718910 IP (tos 0x0, ttl  64, id 64126, offset 0, flags [DF], length: 604) 1.1.1.1.1101 > 2.2.2.2.80: P [tcp sum ok] 2138779303:2138779855(552) ack 2186670682 win 63712 <nop,nop,timestamp 2766527 69058111>
15:27:27.740557 IP (tos 0x0, ttl 124, id 23049, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186670682:2186672130(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058111 2766527>
15:27:27.747857 IP (tos 0x0, ttl 124, id 23050, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186672130:2186673578(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058111 2766527>
15:27:27.747897 IP (tos 0x0, ttl  64, id 61397, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138779855:2138779855(0) ack 2186673578 win 63712 <nop,nop,timestamp 2766530 69058111>
15:27:27.763219 IP (tos 0x0, ttl 124, id 23052, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186673578:2186675026(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058111 2766530>
15:27:27.778438 IP (tos 0x0, ttl 124, id 23053, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186675026:2186676474(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058111 2766530>
15:27:27.778471 IP (tos 0x0, ttl  64, id 37481, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138779855:2138779855(0) ack 2186676474 win 63712 <nop,nop,timestamp 2766533 69058111>
15:27:27.793407 IP (tos 0x0, ttl 124, id 23054, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186676474:2186677922(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058111 2766530>
15:27:27.810378 IP (tos 0x0, ttl 124, id 23057, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186677922:2186679370(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058111 2766533>
15:27:27.810410 IP (tos 0x0, ttl  64, id 65288, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138779855:2138779855(0) ack 2186679370 win 63712 <nop,nop,timestamp 2766536 69058111>
15:27:27.825411 IP (tos 0x0, ttl 124, id 23058, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186679370:2186680818(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058111 2766533>
15:27:27.840384 IP (tos 0x0, ttl 124, id 23059, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186680818:2186682266(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058111 2766533>
15:27:27.840413 IP (tos 0x0, ttl  64, id 41353, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138779855:2138779855(0) ack 2186682266 win 63712 <nop,nop,timestamp 2766539 69058111>
15:27:27.856933 IP (tos 0x0, ttl 124, id 23065, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186682266:2186683714(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058112 2766536>
15:27:27.872744 IP (tos 0x0, ttl 124, id 23066, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186683714:2186685162(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058112 2766536>
15:27:27.872771 IP (tos 0x0, ttl  64, id 61068, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138779855:2138779855(0) ack 2186685162 win 63712 <nop,nop,timestamp 2766542 69058112>
15:27:27.888777 IP (tos 0x0, ttl 124, id 23068, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186685162:2186686610(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058112 2766539>
15:27:27.905619 IP (tos 0x0, ttl 124, id 23070, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186688058:2186689506(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058112 2766542>
15:27:27.905650 IP (tos 0x0, ttl  64, id 54289, offset 0, flags [DF], length: 64) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138779855:2138779855(0) ack 2186686610 win 63712 <nop,nop,timestamp 2766545 69058112,nop,nop,sack sack 1 {2186688058:2186689506} >
15:27:27.920423 IP (tos 0x0, ttl 124, id 23071, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186689506:2186690954(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058112 2766542>
15:27:27.920448 IP (tos 0x0, ttl  64, id 42186, offset 0, flags [DF], length: 64) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138779855:2138779855(0) ack 2186686610 win 63712 <nop,nop,timestamp 2766547 69058112,nop,nop,sack sack 1 {2186688058:2186690954} >
15:27:27.937428 IP (tos 0x0, ttl 124, id 23072, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186690954:2186692402(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058112 2766545>
15:27:27.937461 IP (tos 0x0, ttl  64, id 43880, offset 0, flags [DF], length: 64) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138779855:2138779855(0) ack 2186686610 win 63712 <nop,nop,timestamp 2766549 69058112,nop,nop,sack sack 1 {2186688058:2186692402} >
15:27:27.953402 IP (tos 0x0, ttl 124, id 23074, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186692402:2186693850(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058113 2766547>
15:27:27.953432 IP (tos 0x0, ttl  64, id 40636, offset 0, flags [DF], length: 64) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138779855:2138779855(0) ack 2186686610 win 63712 <nop,nop,timestamp 2766550 69058112,nop,nop,sack sack 1 {2186688058:2186693850} >
15:27:27.968472 IP (tos 0x0, ttl 124, id 23075, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186686610:2186688058(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058113 2766549>
15:27:27.968500 IP (tos 0x0, ttl  64, id 58213, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138779855:2138779855(0) ack 2186693850 win 57920 <nop,nop,timestamp 2766552 69058113>
15:27:27.984908 IP (tos 0x0, ttl 124, id 23078, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186693850:2186695298(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058113 2766550>
15:27:27.984939 IP (tos 0x0, ttl  64, id 38796, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138779855:2138779855(0) ack 2186695298 win 63712 <nop,nop,timestamp 2766553 69058113>
15:27:28.000431 IP (tos 0x0, ttl 124, id 23083, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186695298:2186696746(1448) ack 2138779855 win 65535 <nop,nop,timestamp 69058113 2766552>
15:27:28.000456 IP (tos 0x0, ttl  64, id 54172, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138779855:2138779855(0) ack 2186696746 win 63712 <nop,nop,timestamp 2766555 69058113>
15:27:28.009536 IP (tos 0x0, ttl 124, id 23087, offset 0, flags [DF], length: 793) 2.2.2.2.80 > 1.1.1.1.1101: P [tcp sum ok] 2186696746:2186697487(741) ack 2138779855 win 65535 <nop,nop,timestamp 69058113 2766553>
15:27:28.009562 IP (tos 0x0, ttl  64, id 38801, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138779855:2138779855(0) ack 2186697487 win 63712 <nop,nop,timestamp 2766556 69058113>
15:27:28.011737 IP (tos 0x0, ttl  64, id 37632, offset 0, flags [DF], length: 608) 1.1.1.1.1101 > 2.2.2.2.80: P [tcp sum ok] 2138779855:2138780411(556) ack 2186697487 win 63712 <nop,nop,timestamp 2766556 69058113>
15:27:28.026228 IP (tos 0x0, ttl 124, id 23092, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186697487:2186698935(1448) ack 2138780411 win 64979 <nop,nop,timestamp 69058113 2766556>
15:27:28.027486 IP (tos 0x0, ttl 124, id 23093, offset 0, flags [DF], length: 190) 2.2.2.2.80 > 1.1.1.1.1101: P [tcp sum ok] 2186698935:2186699073(138) ack 2138780411 win 64979 <nop,nop,timestamp 69058113 2766556>
15:27:28.027537 IP (tos 0x0, ttl  64, id 51179, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138780411:2138780411(0) ack 2186699073 win 63712 <nop,nop,timestamp 2766558 69058113>
15:27:28.061472 IP (tos 0x0, ttl  64, id 44565, offset 0, flags [DF], length: 608) 1.1.1.1.1101 > 2.2.2.2.80: P [tcp sum ok] 2138780411:2138780967(556) ack 2186699073 win 63712 <nop,nop,timestamp 2766561 69058113>
15:27:28.082122 IP (tos 0x0, ttl 124, id 23110, offset 0, flags [DF], length: 864) 2.2.2.2.80 > 1.1.1.1.1101: P [tcp sum ok] 2186699073:2186699885(812) ack 2138780967 win 64423 <nop,nop,timestamp 69058114 2766561>
15:27:28.117125 IP (tos 0x0, ttl  64, id 44702, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138780967:2138780967(0) ack 2186699885 win 63712 <nop,nop,timestamp 2766567 69058114>
15:27:28.122559 IP (tos 0x0, ttl  64, id 50815, offset 0, flags [DF], length: 607) 1.1.1.1.1101 > 2.2.2.2.80: P [tcp sum ok] 2138780967:2138781522(555) ack 2186699885 win 63712 <nop,nop,timestamp 2766567 69058114>
15:27:28.131584 IP (tos 0x0, ttl 124, id 23121, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186699885:2186701333(1448) ack 2138781522 win 65535 <nop,nop,timestamp 69058114 2766567>
15:27:28.131649 IP (tos 0x0, ttl  64, id 61516, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138781522:2138781522(0) ack 2186701333 win 63712 <nop,nop,timestamp 2766568 69058114>
15:27:28.131590 IP (tos 0x0, ttl 124, id 23122, offset 0, flags [DF], length: 153) 2.2.2.2.80 > 1.1.1.1.1101: P [tcp sum ok] 2186701333:2186701434(101) ack 2138781522 win 65535 <nop,nop,timestamp 69058114 2766567>
15:27:28.131686 IP (tos 0x0, ttl  64, id 34377, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138781522:2138781522(0) ack 2186701434 win 63712 <nop,nop,timestamp 2766568 69058114>
15:27:28.173044 IP (tos 0x0, ttl  64, id 43375, offset 0, flags [DF], length: 607) 1.1.1.1.1101 > 2.2.2.2.80: P [tcp sum ok] 2138781522:2138782077(555) ack 2186701434 win 63712 <nop,nop,timestamp 2766572 69058114>
15:27:28.182568 IP (tos 0x0, ttl 124, id 23125, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186701434:2186702882(1448) ack 2138782077 win 64980 <nop,nop,timestamp 69058115 2766572>
15:27:28.182638 IP (tos 0x0, ttl  64, id 59089, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138782077:2138782077(0) ack 2186702882 win 63712 <nop,nop,timestamp 2766573 69058115>
15:27:28.182573 IP (tos 0x0, ttl 124, id 23126, offset 0, flags [DF], length: 122) 2.2.2.2.80 > 1.1.1.1.1101: P [tcp sum ok] 2186702882:2186702952(70) ack 2138782077 win 64980 <nop,nop,timestamp 69058115 2766572>
15:27:28.182674 IP (tos 0x0, ttl  64, id 36737, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138782077:2138782077(0) ack 2186702952 win 63712 <nop,nop,timestamp 2766573 69058115>
15:27:28.222721 IP (tos 0x0, ttl  64, id 61437, offset 0, flags [DF], length: 602) 1.1.1.1.1101 > 2.2.2.2.80: P [tcp sum ok] 2138782077:2138782627(550) ack 2186702952 win 63712 <nop,nop,timestamp 2766577 69058115>
15:27:28.232270 IP (tos 0x0, ttl 124, id 23131, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.1101: . [tcp sum ok] 2186702952:2186704400(1448) ack 2138782627 win 64430 <nop,nop,timestamp 69058115 2766577>
15:27:28.232287 IP (tos 0x0, ttl 124, id 23132, offset 0, flags [DF], length: 354) 2.2.2.2.80 > 1.1.1.1.1101: P [tcp sum ok] 2186704400:2186704702(302) ack 2138782627 win 64430 <nop,nop,timestamp 69058115 2766577>
15:27:28.232358 IP (tos 0x0, ttl  64, id 60847, offset 0, flags [DF], length: 52) 1.1.1.1.1101 > 2.2.2.2.80: . [tcp sum ok] 2138782627:2138782627(0) ack 2186704702 win 63712 <nop,nop,timestamp 2766578 69058115>
15:27:28.520410 IP (tos 0x0, ttl 124, id 23169, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187529673:2187531121(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058119 2766513>
15:27:28.536250 IP (tos 0x0, ttl 124, id 23170, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187531121:2187532569(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058119 2766513>
15:27:28.536290 IP (tos 0x0, ttl  64, id 55981, offset 0, flags [DF], length: 52) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187532569 win 57920 <nop,nop,timestamp 2766608 69058119>
15:27:28.550933 IP (tos 0x0, ttl 124, id 23171, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187532569:2187534017(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058119 2766513>
15:27:28.565899 IP (tos 0x0, ttl 124, id 23172, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187534017:2187535465(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058119 2766513>
15:27:28.565924 IP (tos 0x0, ttl  64, id 47427, offset 0, flags [DF], length: 52) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187535465 win 63712 <nop,nop,timestamp 2766611 69058119>
15:27:28.581071 IP (tos 0x0, ttl 124, id 23173, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187535465:2187536913(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058119 2766513>
15:27:28.596429 IP (tos 0x0, ttl 124, id 23175, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187538361:2187539809(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058119 2766513>
15:27:28.596460 IP (tos 0x0, ttl  64, id 42171, offset 0, flags [DF], length: 64) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766614 69058119,nop,nop,sack sack 1 {2187538361:2187539809} >
15:27:28.612972 IP (tos 0x0, ttl 124, id 23202, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187547181:2187548629(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058119 2766608>
15:27:28.613002 IP (tos 0x0, ttl  64, id 44248, offset 0, flags [DF], length: 72) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766616 69058119,nop,nop,sack sack 2 {2187547181:2187548629}{2187538361:2187539809} >
15:27:28.613701 IP (tos 0x0, ttl 124, id 23204, offset 0, flags [DF], length: 64) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187550077:2187550089(12) ack 72436105 win 65535 <nop,nop,timestamp 69058119 2766608>
15:27:28.613759 IP (tos 0x0, ttl  64, id 40836, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766616 69058119,nop,nop,sack sack 3 {2187550077:2187550089}{2187547181:2187548629}{2187538361:2187539809} >
15:27:28.630443 IP (tos 0x0, ttl 124, id 23211, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187550089:2187551537(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058119 2766611>
15:27:28.630475 IP (tos 0x0, ttl  64, id 36450, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766618 69058119,nop,nop,sack sack 3 {2187550077:2187551537}{2187547181:2187548629}{2187538361:2187539809} >
15:27:28.630446 IP (tos 0x0, ttl 124, id 23214, offset 0, flags [DF], length: 64) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187554433:2187554445(12) ack 72436105 win 65535 <nop,nop,timestamp 69058119 2766611>
15:27:28.630505 IP (tos 0x0, ttl  64, id 42855, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766618 69058119,nop,nop,sack sack 3 {2187554433:2187554445}{2187550077:2187551537}{2187547181:2187548629} >
15:27:28.648020 IP (tos 0x0, ttl 124, id 23221, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187554445:2187555893(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058120 2766614>
15:27:28.648049 IP (tos 0x0, ttl  64, id 32862, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766620 69058119,nop,nop,sack sack 3 {2187554433:2187555893}{2187550077:2187551537}{2187547181:2187548629} >
15:27:28.663168 IP (tos 0x0, ttl 124, id 23222, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187555893:2187557341(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058120 2766614>
15:27:28.663198 IP (tos 0x0, ttl  64, id 57234, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766621 69058119,nop,nop,sack sack 3 {2187554433:2187557341}{2187550077:2187551537}{2187547181:2187548629} >
15:27:28.663470 IP (tos 0x0, ttl 124, id 23223, offset 0, flags [DF], length: 64) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187557341:2187557353(12) ack 72436105 win 65535 <nop,nop,timestamp 69058120 2766614>
15:27:28.663508 IP (tos 0x0, ttl  64, id 45673, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766621 69058119,nop,nop,sack sack 3 {2187554433:2187557353}{2187550077:2187551537}{2187547181:2187548629} >
15:27:28.679922 IP (tos 0x0, ttl 124, id 23225, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187557353:2187558801(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058120 2766616>
15:27:28.679947 IP (tos 0x0, ttl  64, id 59405, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766623 69058119,nop,nop,sack sack 3 {2187554433:2187558801}{2187550077:2187551537}{2187547181:2187548629} >
15:27:28.695413 IP (tos 0x0, ttl 124, id 23230, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187539809:2187541257(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058120 2766616>
15:27:28.695445 IP (tos 0x0, ttl  64, id 46139, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766624 69058119,nop,nop,sack sack 3 {2187538361:2187541257}{2187554433:2187558801}{2187550077:2187551537} >
15:27:28.709925 IP (tos 0x0, ttl 124, id 23231, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187541257:2187542705(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058120 2766616>
15:27:28.709948 IP (tos 0x0, ttl  64, id 41814, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766626 69058119,nop,nop,sack sack 3 {2187538361:2187542705}{2187554433:2187558801}{2187550077:2187551537} >
15:27:28.726437 IP (tos 0x0, ttl 124, id 23241, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187561697:2187563145(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058120 2766620>
15:27:28.726463 IP (tos 0x0, ttl  64, id 64785, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766627 69058119,nop,nop,sack sack 3 {2187561697:2187563145}{2187538361:2187542705}{2187554433:2187558801} >
15:27:28.742407 IP (tos 0x0, ttl 124, id 23242, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187563145:2187564593(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058120 2766621>
15:27:28.742431 IP (tos 0x0, ttl  64, id 36247, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766629 69058119,nop,nop,sack sack 3 {2187561697:2187564593}{2187538361:2187542705}{2187554433:2187558801} >
15:27:28.758100 IP (tos 0x0, ttl 124, id 23244, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187564593:2187566041(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058120 2766621>
15:27:28.758128 IP (tos 0x0, ttl  64, id 36527, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766631 69058119,nop,nop,sack sack 3 {2187561697:2187566041}{2187538361:2187542705}{2187554433:2187558801} >
15:27:28.775045 IP (tos 0x0, ttl 124, id 23247, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187568937:2187570385(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058121 2766626>
15:27:28.775073 IP (tos 0x0, ttl  64, id 35115, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766632 69058119,nop,nop,sack sack 3 {2187568937:2187570385}{2187561697:2187566041}{2187538361:2187542705} >
15:27:28.791085 IP (tos 0x0, ttl 124, id 23249, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187570385:2187571833(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058121 2766627>
15:27:28.791115 IP (tos 0x0, ttl  64, id 41162, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766634 69058119,nop,nop,sack sack 3 {2187568937:2187571833}{2187561697:2187566041}{2187538361:2187542705} >
15:27:28.807421 IP (tos 0x0, ttl 124, id 23256, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187571833:2187573281(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058121 2766629>
15:27:28.807450 IP (tos 0x0, ttl  64, id 57897, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766636 69058119,nop,nop,sack sack 3 {2187568937:2187573281}{2187561697:2187566041}{2187538361:2187542705} >
15:27:28.823682 IP (tos 0x0, ttl 124, id 23257, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187573281:2187574729(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058121 2766631>
15:27:28.823705 IP (tos 0x0, ttl  64, id 44988, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766637 69058119,nop,nop,sack sack 3 {2187568937:2187574729}{2187561697:2187566041}{2187538361:2187542705} >
15:27:28.840138 IP (tos 0x0, ttl 124, id 23258, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187574729:2187576177(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058121 2766632>
15:27:28.840166 IP (tos 0x0, ttl  64, id 50660, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766639 69058119,nop,nop,sack sack 3 {2187568937:2187576177}{2187561697:2187566041}{2187538361:2187542705} >
15:27:28.855279 IP (tos 0x0, ttl 124, id 23263, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187576177:2187577625(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058122 2766634>
15:27:28.855304 IP (tos 0x0, ttl  64, id 48878, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766640 69058119,nop,nop,sack sack 3 {2187568937:2187577625}{2187561697:2187566041}{2187538361:2187542705} >
15:27:28.871448 IP (tos 0x0, ttl 124, id 23265, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187577625:2187579073(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058122 2766636>
15:27:28.871475 IP (tos 0x0, ttl  64, id 53143, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766642 69058119,nop,nop,sack sack 3 {2187568937:2187579073}{2187561697:2187566041}{2187538361:2187542705} >
15:27:28.887931 IP (tos 0x0, ttl 124, id 23271, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187580521:2187581969(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058122 2766639>
15:27:28.887964 IP (tos 0x0, ttl  64, id 52018, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766644 69058119,nop,nop,sack sack 3 {2187580521:2187581969}{2187568937:2187579073}{2187561697:2187566041} >
15:27:28.903736 IP (tos 0x0, ttl 124, id 23275, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187581969:2187583417(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058122 2766640>
15:27:28.903761 IP (tos 0x0, ttl  64, id 33456, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766645 69058119,nop,nop,sack sack 3 {2187580521:2187583417}{2187568937:2187579073}{2187561697:2187566041} >
15:27:28.919406 IP (tos 0x0, ttl 124, id 23276, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187583417:2187584865(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058122 2766642>
15:27:28.919429 IP (tos 0x0, ttl  64, id 33487, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766647 69058119,nop,nop,sack sack 3 {2187580521:2187584865}{2187568937:2187579073}{2187561697:2187566041} >
15:27:28.935408 IP (tos 0x0, ttl 124, id 23284, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187584865:2187586313(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058122 2766644>
15:27:28.935438 IP (tos 0x0, ttl  64, id 65084, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766648 69058119,nop,nop,sack sack 3 {2187580521:2187586313}{2187568937:2187579073}{2187561697:2187566041} >
15:27:28.951501 IP (tos 0x0, ttl 124, id 23288, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187586313:2187587761(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058123 2766645>
15:27:28.951526 IP (tos 0x0, ttl  64, id 60719, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766650 69058119,nop,nop,sack sack 3 {2187580521:2187587761}{2187568937:2187579073}{2187561697:2187566041} >
15:27:28.967418 IP (tos 0x0, ttl 124, id 23321, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187587761:2187589209(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058123 2766647>
15:27:28.967446 IP (tos 0x0, ttl  64, id 60167, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766652 69058119,nop,nop,sack sack 3 {2187580521:2187589209}{2187568937:2187579073}{2187561697:2187566041} >
15:27:28.982930 IP (tos 0x0, ttl 124, id 23328, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187589209:2187590657(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058123 2766648>
15:27:28.982957 IP (tos 0x0, ttl  64, id 41279, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766653 69058119,nop,nop,sack sack 3 {2187580521:2187590657}{2187568937:2187579073}{2187561697:2187566041} >
15:27:28.999738 IP (tos 0x0, ttl 124, id 23331, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187590657:2187592105(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058123 2766650>
15:27:28.999765 IP (tos 0x0, ttl  64, id 43250, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766655 69058119,nop,nop,sack sack 3 {2187580521:2187592105}{2187568937:2187579073}{2187561697:2187566041} >
15:27:29.014404 IP (tos 0x0, ttl 124, id 23332, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187592105:2187593553(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058123 2766652>
15:27:29.014427 IP (tos 0x0, ttl  64, id 42403, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766656 69058119,nop,nop,sack sack 3 {2187580521:2187593553}{2187568937:2187579073}{2187561697:2187566041} >
15:27:29.030611 IP (tos 0x0, ttl 124, id 23334, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187593553:2187595001(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058123 2766653>
15:27:29.030635 IP (tos 0x0, ttl  64, id 63612, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766658 69058119,nop,nop,sack sack 3 {2187580521:2187595001}{2187568937:2187579073}{2187561697:2187566041} >
15:27:29.046420 IP (tos 0x0, ttl 124, id 23335, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187595001:2187596449(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058123 2766655>
15:27:29.046450 IP (tos 0x0, ttl  64, id 34841, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187536913 win 63712 <nop,nop,timestamp 2766659 69058119,nop,nop,sack sack 3 {2187580521:2187596449}{2187568937:2187579073}{2187561697:2187566041} >
15:27:29.061904 IP (tos 0x0, ttl 124, id 23336, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187536913:2187538361(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058124 2766655>
15:27:29.061933 IP (tos 0x0, ttl  64, id 44041, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187542705 win 57920 <nop,nop,timestamp 2766661 69058124,nop,nop,sack sack 3 {2187580521:2187596449}{2187568937:2187579073}{2187561697:2187566041} >
15:27:29.062576 IP (tos 0x0, ttl 124, id 23337, offset 0, flags [DF], length: 64) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187538361:2187538373(12) ack 72436105 win 65535 <nop,nop,timestamp 69058124 2766655>
15:27:29.062604 IP (tos 0x0, ttl  64, id 50724, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187542705 win 57920 <nop,nop,timestamp 2766661 69058124,nop,nop,sack sack 3 {2187538361:2187538373}{2187580521:2187596449}{2187568937:2187579073} >
15:27:29.078738 IP (tos 0x0, ttl 124, id 23338, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187538373:2187539821(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058124 2766656>
15:27:29.078765 IP (tos 0x0, ttl  64, id 62518, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187542705 win 57920 <nop,nop,timestamp 2766663 69058124,nop,nop,sack sack 3 {2187538373:2187539821}{2187580521:2187596449}{2187568937:2187579073} >
15:27:29.079028 IP (tos 0x0, ttl 124, id 23339, offset 0, flags [DF], length: 64) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187539821:2187539833(12) ack 72436105 win 65535 <nop,nop,timestamp 69058124 2766656>
15:27:29.079048 IP (tos 0x0, ttl  64, id 54204, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187542705 win 57920 <nop,nop,timestamp 2766663 69058124,nop,nop,sack sack 3 {2187539821:2187539833}{2187580521:2187596449}{2187568937:2187579073} >
15:27:29.094952 IP (tos 0x0, ttl 124, id 23341, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187539833:2187541281(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058124 2766658>
15:27:29.094973 IP (tos 0x0, ttl  64, id 59197, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187542705 win 57920 <nop,nop,timestamp 2766664 69058124,nop,nop,sack sack 3 {2187539833:2187541281}{2187580521:2187596449}{2187568937:2187579073} >
15:27:29.110926 IP (tos 0x0, ttl 124, id 23343, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187541293:2187542741(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058124 2766659>
15:27:29.110955 IP (tos 0x0, ttl  64, id 55213, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187542741 win 57884 <nop,nop,timestamp 2766666 69058124,nop,nop,sack sack 3 {2187541293:2187542705}{2187580521:2187596449}{2187568937:2187579073} >
15:27:29.110929 IP (tos 0x0, ttl 124, id 23344, offset 0, flags [DF], length: 64) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187542741:2187542753(12) ack 72436105 win 65535 <nop,nop,timestamp 69058124 2766659>
15:27:29.110987 IP (tos 0x0, ttl  64, id 43195, offset 0, flags [DF], length: 72) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187542753 win 57872 <nop,nop,timestamp 2766666 69058124,nop,nop,sack sack 2 {2187580521:2187596449}{2187568937:2187579073} >
15:27:29.127907 IP (tos 0x0, ttl 124, id 23350, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187542753:2187544201(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058124 2766661>
15:27:29.127935 IP (tos 0x0, ttl  64, id 56529, offset 0, flags [DF], length: 72) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766668 69058124,nop,nop,sack sack 2 {2187580521:2187596449}{2187568937:2187579073} >
15:27:29.142432 IP (tos 0x0, ttl 124, id 23352, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187545649:2187547097(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058124 2766661>
15:27:29.142471 IP (tos 0x0, ttl  64, id 48443, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766669 69058124,nop,nop,sack sack 3 {2187545649:2187547097}{2187580521:2187596449}{2187568937:2187579073} >
15:27:29.158436 IP (tos 0x0, ttl 124, id 23353, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187547097:2187548545(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058124 2766661>
15:27:29.158464 IP (tos 0x0, ttl  64, id 60101, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766671 69058124,nop,nop,sack sack 3 {2187547181:2187548545}{2187545649:2187548545}{2187580521:2187596449} >
15:27:29.159111 IP (tos 0x0, ttl 124, id 23374, offset 0, flags [DF], length: 64) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187571974:2187571986(12) ack 72436105 win 65535 <nop,nop,timestamp 69058124 2766663>
15:27:29.159135 IP (tos 0x0, ttl  64, id 40079, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766671 69058124,nop,nop,sack sack 3 {2187571974:2187571986}{2187568937:2187579073}{2187545649:2187548545} >
15:27:29.175445 IP (tos 0x0, ttl 124, id 23378, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187573446:2187574894(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058124 2766664>
15:27:29.175472 IP (tos 0x0, ttl  64, id 39197, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766672 69058124,nop,nop,sack sack 3 {2187573446:2187574894}{2187568937:2187579073}{2187545649:2187548545} >
15:27:29.176118 IP (tos 0x0, ttl 124, id 23379, offset 0, flags [DF], length: 64) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187574894:2187574906(12) ack 72436105 win 65535 <nop,nop,timestamp 69058124 2766664>
15:27:29.176143 IP (tos 0x0, ttl  64, id 41386, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766672 69058124,nop,nop,sack sack 3 {2187574894:2187574906}{2187568937:2187579073}{2187545649:2187548545} >
15:27:29.193453 IP (tos 0x0, ttl 124, id 23380, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187574906:2187576354(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058125 2766669>
15:27:29.193487 IP (tos 0x0, ttl  64, id 44961, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766674 69058124,nop,nop,sack sack 3 {2187574906:2187576354}{2187568937:2187579073}{2187545649:2187548545} >
15:27:29.209922 IP (tos 0x0, ttl 124, id 23382, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187576354:2187577802(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058125 2766671>
15:27:29.209948 IP (tos 0x0, ttl  64, id 53854, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766676 69058124,nop,nop,sack sack 3 {2187576354:2187577802}{2187568937:2187579073}{2187545649:2187548545} >
15:27:29.224433 IP (tos 0x0, ttl 124, id 23383, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187577802:2187579250(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058125 2766671>
15:27:29.224458 IP (tos 0x0, ttl  64, id 39179, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766677 69058124,nop,nop,sack sack 3 {2187577802:2187579073}{2187568937:2187579250}{2187545649:2187548545} >
15:27:29.240433 IP (tos 0x0, ttl 124, id 23386, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187579250:2187580698(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058125 2766672>
15:27:29.240460 IP (tos 0x0, ttl  64, id 46999, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766679 69058124,nop,nop,sack sack 3 {2187580521:2187580698}{2187568937:2187596449}{2187545649:2187548545} >
15:27:29.256646 IP (tos 0x0, ttl 124, id 23390, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187582146:2187583594(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058125 2766674>
15:27:29.256672 IP (tos 0x0, ttl  64, id 55950, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766680 69058124,nop,nop,sack sack 3 {2187582146:2187583594}{2187568937:2187596449}{2187545649:2187548545} >
15:27:29.272487 IP (tos 0x0, ttl 124, id 23391, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187583594:2187585042(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058125 2766676>
15:27:29.272514 IP (tos 0x0, ttl  64, id 50574, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766682 69058124,nop,nop,sack sack 3 {2187583594:2187585042}{2187568937:2187596449}{2187545649:2187548545} >
15:27:29.288447 IP (tos 0x0, ttl 124, id 23392, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187585042:2187586490(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058125 2766677>
15:27:29.288471 IP (tos 0x0, ttl  64, id 42193, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766684 69058124,nop,nop,sack sack 3 {2187585042:2187586490}{2187568937:2187596449}{2187545649:2187548545} >
15:27:29.318922 IP (tos 0x0, ttl 124, id 23399, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187586490:2187587938(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058126 2766679>
15:27:29.318967 IP (tos 0x0, ttl  64, id 46906, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766687 69058124,nop,nop,sack sack 3 {2187586490:2187587938}{2187568937:2187596449}{2187545649:2187548545} >
15:27:29.335402 IP (tos 0x0, ttl 124, id 23400, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187587938:2187589386(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058126 2766680>
15:27:29.335435 IP (tos 0x0, ttl  64, id 38169, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766688 69058124,nop,nop,sack sack 3 {2187587938:2187589386}{2187568937:2187596449}{2187545649:2187548545} >
15:27:29.350936 IP (tos 0x0, ttl 124, id 23401, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187589386:2187590834(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058126 2766682>
15:27:29.350962 IP (tos 0x0, ttl  64, id 42225, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766690 69058124,nop,nop,sack sack 3 {2187589386:2187590834}{2187568937:2187596449}{2187545649:2187548545} >
15:27:29.367437 IP (tos 0x0, ttl 124, id 23421, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187590834:2187592282(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058126 2766684>
15:27:29.367465 IP (tos 0x0, ttl  64, id 34156, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766692 69058124,nop,nop,sack sack 3 {2187590834:2187592282}{2187568937:2187596449}{2187545649:2187548545} >
15:27:29.397932 IP (tos 0x0, ttl 124, id 23422, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187592282:2187593730(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058126 2766687>
15:27:29.397970 IP (tos 0x0, ttl  64, id 47443, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766695 69058124,nop,nop,sack sack 3 {2187592282:2187593730}{2187568937:2187596449}{2187545649:2187548545} >
15:27:29.414427 IP (tos 0x0, ttl 124, id 23432, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187595178:2187596626(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058128 2766690>
15:27:29.414458 IP (tos 0x0, ttl  64, id 60464, offset 0, flags [DF], length: 80) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766696 69058124,nop,nop,sack sack 3 {2187595178:2187596449}{2187568937:2187596626}{2187545649:2187548545} >
15:27:29.430949 IP (tos 0x0, ttl 124, id 23433, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187596626:2187598074(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058128 2766692>
15:27:29.430997 IP (tos 0x0, ttl  64, id 64487, offset 0, flags [DF], length: 72) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766698 69058124,nop,nop,sack sack 2 {2187568937:2187598074}{2187545649:2187548545} >
15:27:29.447423 IP (tos 0x0, ttl 124, id 23443, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187598074:2187599522(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058128 2766695>
15:27:29.447452 IP (tos 0x0, ttl  64, id 32944, offset 0, flags [DF], length: 72) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766700 69058124,nop,nop,sack sack 2 {2187568937:2187599522}{2187545649:2187548545} >
15:27:29.463411 IP (tos 0x0, ttl 124, id 23463, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187599522:2187600970(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058128 2766696>
15:27:29.463440 IP (tos 0x0, ttl  64, id 59492, offset 0, flags [DF], length: 72) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766701 69058124,nop,nop,sack sack 2 {2187568937:2187600970}{2187545649:2187548545} >
15:27:29.478945 IP (tos 0x0, ttl 124, id 23464, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187600970:2187602418(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058128 2766698>

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Jozsef Kadlecsik]

Hi,

On Wed, 29 Jun 2005, Roberto Nibali wrote:

> The updated nf-log patch seems to be missing the neccessary symbol exports.

The nf-log patch has been updated in svn, thank you for the reporting.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Daniel Hartmeier]

On Fri, Jul 01, 2005 at 01:58:45PM +0200, Jozsef Kadlecsik wrote:

> Attached is the anonymized txt version of a traffic dump. If the last
> packet is blocked by the firewall, the session hangs on the client side.
> By using the rightmost edge of the SACK blocks as ACK in calculating the
> acceptable window, the connection finishes all right. (There were multiple
> independent reports - this was unique being easily reproducible anytime.)
> 
> But it's as interesting for me as SACK handling that you use the original
> conditions from Guido's article. However I strongly believe the boundaries
> for valid data stated there are not RFC compliant: data is not required to
> fit into the window, it must just overlap. Receiver even may hold segments
> with higher sequence numbers for later processing. What's your opinion?

Looking at the beginning and end of your example dump:

> 15:27:27.315245 IP (tos 0x0, ttl  64, id 35783, offset 0, flags [DF], length: 60) 1.1.1.1.4632 > 2.2.2.2.80: S [tcp sum ok] 72431051:72431051(0) win 5840 <mss 1460,sackOK,timestamp 2766486 0,nop,wscale 0>
> 15:27:27.322134 IP (tos 0x0, ttl 124, id 22926, offset 0, flags [DF], length: 64) 2.2.2.2.80 > 1.1.1.1.4632: S [tcp sum ok] 2187509889:2187509889(0) ack 72431052 win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>

Both peers handshake and enable SACK and window scaling (both using
factor 2^0 == 1).

It looks like a typical HTTP connection, where the server is pushing
data to the client.

> [...]

> 15:27:29.447452 IP (tos 0x0, ttl  64, id 32944, offset 0, flags [DF], length: 72) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766700 69058124,nop,nop,sack sack 2 {2187568937:2187599522}{2187545649:2187548545} >

The client fully acknowledges up to 2187544201 and advertises its window
as 56424 bytes (wscale 0).

This means the server may send data up to 2187544201 + 56424 ==
2187600625. If it sends higher segments, it's violating the advertised
window. SACK does not affect this rule, i.e. selectively acknowledged
segments are NOT exempt from this window restriction. If I should be
wrong on this, please quote an RFC.

> 15:27:29.463411 IP (tos 0x0, ttl 124, id 23463, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187599522:2187600970(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058128 2766696>

With this packet, the server is already violating the window, as
2187600970 > 2187600625.

> 15:27:29.463440 IP (tos 0x0, ttl  64, id 59492, offset 0, flags [DF], length: 72) 1.1.1.1.4632 > 2.2.2.2.80: . [tcp sum ok] 72436105:72436105(0) ack 2187544201 win 56424 <nop,nop,timestamp 2766701 69058124,nop,nop,sack sack 2 {2187568937:2187600970}{2187545649:2187548545} >

The client seems not to care, and accepts the segment, extending one
selectively acknowledged section.

> 15:27:29.478945 IP (tos 0x0, ttl 124, id 23464, offset 0, flags [DF], length: 1500) 2.2.2.2.80 > 1.1.1.1.4632: . [tcp sum ok] 2187600970:2187602418(1448) ack 72436105 win 65535 <nop,nop,timestamp 69058128 2766698>

Which encourages the server to further violate the window, 2187602418 >
2187600625.

I don't know why both client and server seem to think that selectively
acknowledged sections should not be counted as occupying the advertised
window. This is clearly wrong. A recipient stack that allocates a
specific number of bytes for one socket's receive buffer cannot pass
selectively acknowledged sections to userland (when, like in this case,
there's a hole). Hence, the selectively acknowledged sections do use up
kernel buffer memory. Maybe if an implementation uses separate buffers
for SACK sections and tcp receive buffers, it will allow this on
reception.

But it's a violation of the TCP RFC, and any sender doing this can't
expect the receiver to not drop the segments past the window. In fact, a
receipient might have a problem with such violations, and we expect the
packet filter to protect it from exploitation.

What stacks do generate (and accept) this? Do they do this on purpose?
If so, how well do they react if they get sent malicious SACK sections,
trying to use up as much buffer space as possible? Sounds like a DoS
waiting to happen.

Daniel

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[Jozsef Kadlecsik]

Hi,

On Wed, 6 Jul 2005, Daniel Hartmeier wrote:

> On Fri, Jul 01, 2005 at 01:58:45PM +0200, Jozsef Kadlecsik wrote:
>
> > Attached is the anonymized txt version of a traffic dump. If the last
> > packet is blocked by the firewall, the session hangs on the client side.
> > By using the rightmost edge of the SACK blocks as ACK in calculating the
> > acceptable window, the connection finishes all right. (There were multiple
> > independent reports - this was unique being easily reproducible anytime.)
> >
> > But it's as interesting for me as SACK handling that you use the original
> > conditions from Guido's article. However I strongly believe the boundaries
> > for valid data stated there are not RFC compliant: data is not required to
> > fit into the window, it must just overlap. Receiver even may hold segments
> > with higher sequence numbers for later processing. What's your opinion?
[...]
> I don't know why both client and server seem to think that selectively
> acknowledged sections should not be counted as occupying the advertised
> window. This is clearly wrong. A recipient stack that allocates a
> specific number of bytes for one socket's receive buffer cannot pass
> selectively acknowledged sections to userland (when, like in this case,
> there's a hole). Hence, the selectively acknowledged sections do use up
> kernel buffer memory. Maybe if an implementation uses separate buffers
> for SACK sections and tcp receive buffers, it will allow this on
> reception.
>
> But it's a violation of the TCP RFC, and any sender doing this can't
> expect the receiver to not drop the segments past the window. In fact, a
> receipient might have a problem with such violations, and we expect the
> packet filter to protect it from exploitation.

I agree that it seems to be a violation of the TCP RFC. As I wrote, what
was really strange is that if the oow packet was blocked, the connection
hanged.

> What stacks do generate (and accept) this? Do they do this on purpose?
> If so, how well do they react if they get sent malicious SACK sections,
> trying to use up as much buffer space as possible? Sounds like a DoS
> waiting to happen.

Krisztian, could you write the OS type/version on both the server and the
client?

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [PATCH] TCP window tracking patch backported from the 2.6 tree

[KOVACS Krisztian]

  Hi,

2005-07-06, sze keltezéssel 13.40-kor Jozsef Kadlecsik ezt írta:
> > What stacks do generate (and accept) this? Do they do this on purpose?
> > If so, how well do they react if they get sent malicious SACK sections,
> > trying to use up as much buffer space as possible? Sounds like a DoS
> > waiting to happen.
> 
> Krisztian, could you write the OS type/version on both the server and the
> client?

  The client was Linux 2.4.25 plus a couple of other patches, neither of
which modified core TCP code. On top of that it had Jozsef's TCP window
tracking patch applied (from POM at that time).

  Unfortunately the server was completely out of our control. As it was
a public webserver, we tried Netcraft, and the results were the
following:

OS             Server              Last changed  IP address     Netblock Owner
Windows 2000   Microsoft-IIS/5.0   18-Aug-2003   XXX.XX.XX.XXX  XXXXXXXX

  So that's all I know about the server. I can provide the exact URL we
tried if anyone's interested (in private mail only). I have absolutely
no idea whether or not it is still reproducible.

-- 
 Regards,
  Krisztian Kovacs