Hi Lior,

Assuming that the 6 TCP packets below are contiguous in the TCP stream, it's 
pretty clear that no actual data are being sent from 10.210.86.39 (the client) 
to 10.210.84.7 (the server). 

The first 3 packets ([SYN], [SYN,ACK] and [ACK]) are the usual TCP "handshake" 
which starts a TCP session. But that is immediately followed by a [FIN,ACK] 
from the client to the server -- the [FIN, ACK] says "I'm done" (and by the 
way, "I got your last packet"). The last 2 packets are just the standard end of 
a session.

So I would say that the Java client is simply not sending any actual data of 
any kind to the remote clamd. But clamd is listening on port 3310 (or at least 
something is) or else the "handshake" wouldn't have happened.

Paul

P.S. If any real data were transferred, viewing the PCAP file via the Wireshark 
GUI would likely be a powerful analytical tool!

-------------------------------------

On Tue, 9 Dec 2025 17:13:42 +0200
Lior Koskas <[email protected]> wrote:

> Thank you for your suggestion. I created a pcap file and I see a lot of
> lines like this:
> 
> 
> 1689 46.344568 10.210.86.39 10.210.84.7 TCP 80 14952 → 3310 [SYN] Seq=0
> Win=8961 Len=0 MSS=8361 SACK_PERM TSval=2413887455 TSecr=0 WS=1
> 1690 46.344586 10.210.84.7 10.210.86.39 TCP 80 3310 → 14952 [SYN, ACK]
> Seq=0 Ack=1 Win=62643 Len=0 MSS=8961 SACK_PERM TSval=1236561427
> TSecr=2413887455 WS=128
> 1691 46.345415 10.210.86.39 10.210.84.7 TCP 72 14952 → 3310 [ACK] Seq=1
> Ack=1 Win=8961 Len=0 TSval=2413887456 TSecr=1236561427
> 1692 46.345468 10.210.86.39 10.210.84.7 TCP 72 14952 → 3310 [FIN, ACK]
> Seq=1 Ack=1 Win=8961 Len=0 TSval=2413887456 TSecr=1236561427
> 1693 46.345575 10.210.84.7 10.210.86.39 TCP 72 3310 → 14952 [FIN, ACK]
> Seq=1 Ack=2 Win=62720 Len=0 TSval=1236561428 TSecr=2413887456
> 1694 46.346108 10.210.86.39 10.210.84.7 TCP 72 14952 → 3310 [ACK] Seq=2
> Ack=2 Win=8960 Len=0 TSval=2413887457 TSecr=1236561428
> 
> On Thu, Dec 4, 2025 at 4:42 AM Paul Kosinski <[email protected]> wrote:
> 
> > Have you tried watching network traffic with Wireshark (or TCPdump) for
> > both the telnet and Java attempts? Perhaps that would show something. E.g.,
> > the Java client doesn't send anything, or does send something but it's
> > wrong.
> >
> > And, of course, if you also run clamdscan itself, you can see what the
> > correct interaction is.
> >
> > P.S. I find Wireshark gives much more detail than TCPdump, and you can
> > even change what you look at after the fact, if you capture a PCAP output
> > file during the test.
> >
> >
> > On Wed, 3 Dec 2025 17:46:36 +0200
> > Lior Koskas via clamav-users <[email protected]> wrote:
> >  
> > > Hi,
> > >
> > > I'm running ClamAV on Kubernetes. The image tag is clamav/clamav:1.5.1. I
> > > have a Spring Boot-based Java app that communicates with ClamAV.
> > > When I'm trying to scan a file using my Java app, the app hangs up at this
> > > line:
> > >
> > > ClamavClient clamScan = new ClamavClient(url, port);
> > >
> > > clamScan.ping(); // hangs up
> > >
> > > When I'm running the telnet command to my URL the command runs as expected.
> > >
> > > My clamd config file:
> > >
> > > ##############################
> > > # Network Settings (TCP mode)
> > > ##############################
> > > TCPSocket 3310
> > > TCPAddr 0.0.0.0
> > > LocalSocket /run/clamav/clamd.sock
> > > LocalSocketGroup clamav
> > > LocalSocketMode 666
> > >
> > > ##############################
> > > # Logging
> > > ##############################
> > > # LogFile /var/log/clamav/clamd.log
> > > LogFileUnlock yes
> > > LogTime yes
> > > LogVerbose no            # Change to "yes" for debug
> > > ExtendedDetectionInfo yes
> > > LogVerbose yes  # Enable verbose for debugging
> > >
> > > ##############################
> > > # Performance & Limits
> > > ##############################
> > > MaxScanSize 200M
> > > MaxFileSize 100M
> > > StreamMaxLength 150M
> > > MaxRecursion 20
> > > MaxFiles 10000
> > > MaxScanTime 120000        # 120 seconds
> > > ReadTimeout 120
> > > IdleTimeout 60
> > >
> > > ##############################
> > > # Heuristics / Features
> > > ##############################
> > > ScanArchive yes
> > > ScanOLE2 yes
> > > ScanPDF yes
> > > ScanSWF yes
> > > ScanHWP3 yes
> > > HeuristicScanPrecedence yes
> > >
> > > ##############################
> > > # Misc
> > > ##############################
> > > Foreground yes
> > > User clamav
> > > SelfCheck 3600           # Every 60 minutes
> > >
> > > My freshclam config file:
> > >
> > > ###############
> > > # Database Updates
> > > ###############
> > > DatabaseOwner clamav
> > > Checks 12   # every 2 hours
> > >
> > > DatabaseMirror database.clamav.net
> > > DNSDatabaseInfo current.cvd.clamav.net
> > >
> > > ###############
> > > # Logging
> > > ###############
> > > UpdateLogFile /var/log/clamav/freshclam.log
> > > LogVerbose yes
> > >  
> >  
> 
> 
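Added example (not part of the original thread, and not ClamAV or Wireshark code): the reading of the capture given in the reply above, automated over Wireshark summary rows, so that every client connection to port 3310 that completes the handshake and is then closed by the client without a single payload byte can be picked out of a long capture. The function names and the second, constructed sample session are assumptions made for illustration.

```python
import re
# One Wireshark/tshark summary row: No. Time Src Dst TCP Length sport → dport [flags] ... Len=n
ROW = re.compile(r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+(?P<sport>\d+)"
                 r"\s+(?:→|->)\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\].*?\bLen=(?P<len>\d+)")

def summarize(rows):
    """Per-connection state; the sender of a bare [SYN] is taken to be the client."""
    conns = {}
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        flags = {f.strip() for f in m["flags"].split(",")}
        a, b = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
        if flags == {"SYN"}:
            conns[(a, b)] = {"syn_ack": False, "handshake": False, "client_bytes": 0, "server_bytes": 0, "fin_from": []}
        key, side = ((a, b), "client") if (a, b) in conns else ((b, a), "server")
        c = conns.get(key)
        if c is None:
            continue  # mid-stream packet whose SYN was not captured
        if side == "server" and flags == {"SYN", "ACK"}:
            c["syn_ack"] = True
        elif side == "client" and c["syn_ack"] and "ACK" in flags:
            c["handshake"] = True
        c[side + "_bytes"] += int(m["len"])  # Len= is TCP payload only, headers excluded
        if "FIN" in flags:
            c["fin_from"].append(side)
    return conns

def empty_sessions(conns):
    """Handshake completed, zero payload in either direction, first FIN sent by the client."""
    return [k for k, c in conns.items() if c["handshake"] and c["fin_from"][:1] == ["client"]
            and c["client_bytes"] == 0 and c["server_bytes"] == 0]

# The six packets quoted in this thread, with the mail line-wrapping undone.
THREAD_ROWS = """\
1689 46.344568 10.210.86.39 10.210.84.7 TCP 80 14952 → 3310 [SYN] Seq=0 Win=8961 Len=0 MSS=8361 SACK_PERM TSval=2413887455 TSecr=0 WS=1
1690 46.344586 10.210.84.7 10.210.86.39 TCP 80 3310 → 14952 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0 MSS=8961 SACK_PERM TSval=1236561427 TSecr=2413887455 WS=128
1691 46.345415 10.210.86.39 10.210.84.7 TCP 72 14952 → 3310 [ACK] Seq=1 Ack=1 Win=8961 Len=0 TSval=2413887456 TSecr=1236561427
1692 46.345468 10.210.86.39 10.210.84.7 TCP 72 14952 → 3310 [FIN, ACK] Seq=1 Ack=1 Win=8961 Len=0 TSval=2413887456 TSecr=1236561427
1693 46.345575 10.210.84.7 10.210.86.39 TCP 72 3310 → 14952 [FIN, ACK] Seq=1 Ack=2 Win=62720 Len=0 TSval=1236561428 TSecr=2413887456
1694 46.346108 10.210.86.39 10.210.84.7 TCP 72 14952 → 3310 [ACK] Seq=2 Ack=2 Win=8960 Len=0 TSval=2413887457 TSecr=1236561428
""".splitlines()
# Constructed for contrast (not from the thread): a session in which the client sends 6 payload bytes.
CONSTRUCTED_ROWS = """\
2001 50.000000 10.210.86.39 10.210.84.7 TCP 80 14953 → 3310 [SYN] Seq=0 Win=8961 Len=0
2002 50.000020 10.210.84.7 10.210.86.39 TCP 80 3310 → 14953 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0
2003 50.000900 10.210.86.39 10.210.84.7 TCP 72 14953 → 3310 [ACK] Seq=1 Ack=1 Win=8961 Len=0
2004 50.001000 10.210.86.39 10.210.84.7 TCP 78 14953 → 3310 [PSH, ACK] Seq=1 Ack=1 Win=8961 Len=6
""".splitlines()
```

Calling `empty_sessions(summarize(THREAD_ROWS + CONSTRUCTED_ROWS))` returns only the 14952 → 3310 connection from the thread; the constructed session is excluded because its client side carries payload.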