[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    questions regarding ipmon and fragmentation
From:       Rich Sudlow <rich () nd ! edu>
Date:       2003-02-20 17:42:15
[Download RAW message or body]

I just started using ipfilter and have some basic questions regarding ipmon 
and it's output which I couldn't find in the man page.  I'm looking selected
pieces of AFS traffic (udp based) between client (samson) & server (pinky)
and am seeing fragmentation and want to make sure I fully understand what 
these log lines are saying...

In the following logged lines #1 what is the 833x mean?? dropped packets?
and then regarding the fragment...is saying that this the 
last fragment (-) with a length of 1276 and a data offset of 4440. 

1) 08:23:18.125216 833x eri0 @0:55 p samson.cc.nd.edu[129.74.36.185] -> 
pinky.helios.nd.edu[129.74.250.124] PR udp len 20 (1276) frag -1256@4440 OUT


And in the following -1:-1 means that it's using a state table rule??
and that this a fragment (probably the second fragment) of length 1480 
and a data offset of 1480 with more to follow (+-)..right??

2) 11:45:42.258053 3x eri0 @-1:-1 p samson.cc.nd.edu[129.74.36.185] -> 
pinky.helios.nd.edu[129.74.250.124] PR udp len 20 (1500) frag +-1480@1480 K-S 
K-F OUT - (I believe this was due to rule @54 below)


Rules are as follows:

@54 pass out log quick on eri0 proto udp from 129.74.36.185/32 port > 1023 to 
129.74.250.124/32 port 6999 >< 7008 keep state keep frags
@55 pass out log quick on eri0 proto udp from 129.74.36.185/32 to 
129.74.250.124/32 with frag

In general when I transfer large files I'm seeing fragmentation but not sure
why..especially when it's being generated from my machine...
and am modifying rules to pass this...Also I would like to log the fragment
id which should be in the header but it looks like this isn't possible..right??

Thanks

Rich


Rich Sudlow
University of Notre Dame
Office of Information Technologies
321 Information Technologies Center
Notre Dame, IN 46556-0539

rich@nd.edu, rich@ieee.org
(574) 631-7258 office phone
(574) 631-9283 office fax

[prev in list] [next in list] [prev in thread] [next in thread]