Re: tcpdump : need one line explanation

From: Bruno Costacurta (cd1_at_biz.tiscali.be)
Date: 09/04/05


Date: Sun, 04 Sep 2005 10:56:07 +0200

Clifford Kite wrote:

> Bruno <cd1@biz.tiscali.be> wrote:
>> I have problem configuring a Wireless ADSL router :
>> ping to a www address works fine but not browsing, which finishes with a
>> time-out. So I used tcpdump and tried to browse www.google.be.
>> Following lines were returned:
>> ...
>> ...
>> line-1= 22:48:29.492514 IP (tos 0x0, ttl 64, id 0, offset 0, flags
>> [DF], proto 17, length: 75) mygateway.ar7.domain > 192.168.1.2.32813:
>> [udp sum ok] 62065- q: A? www.google.be. 1/0/0 www.google.be. A 1.0.0.0 (47)
>
>> line-2= 22:48:29.495631 IP (tos 0x0, ttl 64, id 43933, offset 0, flags
>> [DF], proto 6, length: 60) 192.168.1.2.49103 > 1.0.0.0.http: S [tcp sum ok]
>> 2704529131:2704529131(0) win 5840 <mss 1460,sackOK,timestamp 32603510
>> 0,nop,wscale 2>
>> ...repeat line2......repeat line2...
>
>> What does line-2 mean?
>
> Not one line but ...
>
> It means that mygateway.ar7 runs a DNS server which provided the host
> 192.168.1.2 with the bogus IP address 1.0.0.0 for www.google.be in
> line-1 and so the TCP SYN handshake (S) fails for lack of a response.
>
> Try disabling the DNS server on mygateway.ar7 so an ISP DNS server can
> do its job - assuming NAT or MASQUERADING is done somewhere along the
> way since 192.168.1.2 is an RFC 1918 address (private) and any packet from
> it would be discarded by the first properly configured Internet router.
>
> Note:
>
> corncob:/usr/src/linux# host 1.0.0.0
> Host not found.
> corncob:/usr/src/linux# host www.google.be
> www.google.be is a nickname for www.google.com
> www.google.com is a nickname for www.l.google.com
> www.l.google.com has address 64.233.187.104
> www.l.google.com has address 64.233.187.99
> www.l.google.com has address 64.233.187.104
> www.l.google.com has address 64.233.187.99
>
> [If I'm wrong then I expect someone will tell us so. Hopefully, they
> will also explain why.]
>

I updated the DNS entries in /etc/resolv.conf with my ISP's values.
The result is:

[root@pc34ghz ~]# host www.google.be
www.google.be has address 216.239.59.147
;; Warning: Message parser reports malformed message packet.
;; connection timed out; no servers could be reached

and tcpdump reports:
(note: is there any problem with the ARP hereafter?
what does 'ServFail- q:[|domain]' mean?)
...
10:34:23.699202 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17,
length: 59) 192.168.1.2.32816 > mygateway.ar7.domain: [udp sum ok] 15776+
MX? www.google.be. (31)
10:34:28.657424 arp who-has 192.168.1.2 tell mygateway.ar7
10:34:28.657446 arp reply 192.168.1.2 is-at 00:50:ba:2a:64:82
10:34:28.661974 IP (tos 0x0, ttl 64, id 13690, offset 0, flags [DF], proto
17, length: 70) 192.168.1.2.32814 > mygateway.ar7.domain: [udp sum ok]
16571+ PTR? 2.1.168.192.in-addr.arpa. (42)
10:34:28.700009 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto 17,
length: 59) 192.168.1.2.32816 > mygateway.ar7.domain: [udp sum ok] 15776+
MX? www.google.be. (31)
10:34:34.697990 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17,
length: 70) mygateway.ar7.domain > 192.168.1.2.32814: [udp sum ok] 16571
ServFail- q: PTR? 2.1.168.192.in-addr.arpa. 0/0/0 (42)
10:34:34.698031 IP (tos 0xc0, ttl 64, id 48716, offset 0, flags [none],
proto 1, length: 98) 192.168.1.2 > mygateway.ar7: icmp 78: 192.168.1.2 udp
port 32814 unreachable for IP (tos 0x0, ttl 64, id 0, offset 0, flags
[DF], proto 17, length: 70) mygateway.ar7.domain > 192.168.1.2.32814:
16571 ServFail- q:[|domain]
...
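Added example, not part of the thread: a small DNS wire-format decoder that renders messages in the notation tcpdump uses in the output above, so the lines being asked about can be read off field by field. In tcpdump's summary the leading number is the DNS message ID; a `+` after it marks a query with the recursion-desired bit set, a `-` after a response means the server did not set recursion-available, a non-zero rcode such as `ServFail` is printed before that marker, and `1/0/0` is the answer/authority/additional record count. `[|domain]` is printed when the captured bytes run out before the message does, which is what happens to the copy of the ServFail reply carried inside the ICMP port-unreachable error: with a small snapshot length only the 12-byte header and the first labels of the question survive, so tcpdump prints the header and then gives up at `q:` (a larger `-s` value captures the whole embedded message). The sample messages are constructed here to match the IDs, names and lengths (47, 42 and 31 bytes) in the quoted output; the RCODES/TYPES tables, the `message()` builder and the 3600-second TTL are this example's own choices.

```python
"""Decode DNS messages and render them the way tcpdump -vv summarises them.

Added example: the sample messages are constructed below to match the
IDs, names and lengths in the tcpdump output quoted in the mail.
"""
import struct

RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}
TYPES = {1: "A", 12: "PTR", 15: "MX", 28: "AAAA"}


class Truncated(Exception):
    """The buffer ends before the message does; tcpdump prints [|domain] here."""


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def unpack(fmt, buf, off):
    """struct.unpack_from that raises Truncated instead of struct.error."""
    size = struct.calcsize(fmt)
    if off + size > len(buf):
        raise Truncated
    return struct.unpack_from(fmt, buf, off), off + size


def read_name(buf, off, depth=0):
    """Read a possibly compressed name; return (dotted name, offset after it)."""
    if depth > 8:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        (length,), off = unpack("!B", buf, off)
        if length == 0:
            return "".join(lab + "." for lab in labels) or ".", off
        if length & 0xC0 == 0xC0:             # 11xxxxxx: 14-bit pointer into the message
            (ptr,), off = unpack("!H", buf, off - 1)
            tail, _ = read_name(buf, ptr & 0x3FFF, depth + 1)
            return "".join(lab + "." for lab in labels) + tail, off
        if off + length > len(buf):
            raise Truncated
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def parse_body(buf, off, qdcount, ancount):
    """Parse the question and answer sections (authority/additional are not needed here)."""
    questions, answers = [], []
    for _ in range(qdcount):
        name, off = read_name(buf, off)
        (qtype, _qclass), off = unpack("!HH", buf, off)
        questions.append((name, TYPES.get(qtype, str(qtype))))
    for _ in range(ancount):
        name, off = read_name(buf, off)
        (rtype, _rclass, _ttl, rdlen), off = unpack("!HHIH", buf, off)
        if off + rdlen > len(buf):
            raise Truncated
        rdata = buf[off:off + rdlen]
        off += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, TYPES.get(rtype, str(rtype)), text))
    return questions, answers


def summarize(buf):
    """Render one DNS message tcpdump-style: ID, rcode, flag marks, question, counts, answers."""
    try:
        (ident, flags, qd, an, ns, ar), off = unpack("!6H", buf, 0)
    except Truncated:
        return "[|domain]"                               # not even a full header captured
    response = bool(flags & 0x8000)
    out = str(ident)
    if response:
        rcode = flags & 0xF
        if rcode:
            out += " " + RCODES.get(rcode, str(rcode))   # e.g. " ServFail"
        if not flags & 0x0080:
            out += "-"                                   # RA clear: server will not recurse
    elif flags & 0x0100:
        out += "+"                                       # query with RD set
    try:
        questions, answers = parse_body(buf, off, qd, an)
    except Truncated:
        return out + " q:[|domain]"                      # header parsed, question cut off
    for qname, qtype in questions:
        out += f" q: {qtype}? {qname}" if response else f" {qtype}? {qname}"
    if response:
        out += f" {an}/{ns}/{ar}"                        # answer/authority/additional counts
        for name, rtype, rdata in answers:
            out += f" {name} {rtype} {rdata}"
    return out + f" ({len(buf)})"                        # UDP payload length, as tcpdump shows


def message(ident, flags, qname, qtype, a_answers=()):
    """Build a message with one question and optional A answers pointing back at the question name."""
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for ttl, ip in a_answers:
        rdata = bytes(int(x) for x in ip.split("."))
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return struct.pack("!6H", ident, flags, 1, len(a_answers), 0, 0) + body


# Constructed samples (flags: 0x8000 QR, 0x0100 RD, 0x0080 RA, low nibble = rcode).
BOGUS_A_RESPONSE = message(62065, 0x8100, "www.google.be.", 1, [(3600, "1.0.0.0")])  # 47 bytes
SERVFAIL_PTR = message(16571, 0x8102, "2.1.168.192.in-addr.arpa.", 12)              # 42 bytes
MX_QUERY = message(15776, 0x0100, "www.google.be.", 15)                               # 31 bytes

if __name__ == "__main__":
    for label, buf in [("line-1", BOGUS_A_RESPONSE), ("ServFail reply", SERVFAIL_PTR),
                       ("MX query", MX_QUERY), ("ServFail inside ICMP, 26 bytes captured", SERVFAIL_PTR[:26])]:
        print(f"{label}: {summarize(buf)}")
```

Running it prints the three summaries exactly as they appear in the mail, plus `16571 ServFail- q:[|domain]` for the copy that was cut off after 26 bytes, which is the same shape as the last line of the quoted output.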