Nigel Morse wrote:

> > Only -p tcp --sport 80 -m state --state !
> > "ESTABLISHED, RELATED" filter, then I am
> > dropping a few ACK FIN packets and a rare
> > ACK PSH FIN which are not established or
> > related.
>
> I'd be interested to know if these are windows clients, and which servers
> etc?  It's being caused (usually) by win32 clients not closing their side of
> a TCP connection after the server has closed its side - the connection is
> timing out in the middle.
>
> Cheers
> Nigel

Thanks. Here's a grep log for the IPs if you can footprint them.
There is no web server up so maybe these are servers.

Hey, these "RST" dropped through as not established or related,
but no ACK PSH FINs are dropping through as not established
or related. Some ACK FINs and ACK PSH FINs were not est/rel
earlier, I think. "MSN.com ain't done til the internet won't run".

Sep  3 03:24:00 here kernel: i_s80_ack_psh?_fin IN=eth0 OUT=
MAC SRC=216.55.128.33 DST=204.x.x.x LEN=40 TOS=0x00
PREC=0x00 TTL=50 ID=14852 DF PROTO=TCP SPT=80
DPT=34245 WINDOW=0 RES=0x00 RST URGP=0

Sep  3 04:45:04 here kernel: i_s80_ack_psh?_fin IN=eth0 OUT=
MAC= SRC=216.239.37.101 DST=204.x.x.x LEN=40 TOS=0x00
PREC=0x00 TTL=243 ID=4063 PROTO=TCP SPT=80
DPT=34436 WINDOW=0 RES=0x00 RST URGP=0

Sep  3 05:06:55 here kernel: i_s80_ack_psh?_fin IN=eth0 OUT=
MAC SRC=65.163.234.32 DST=204.x.x.x LEN=40 TOS=0x00
PREC=0x00 TTL=250 ID=53964 PROTO=TCP SPT=80
DPT=34441 WINDOW=0 RES=0x00 RST URGP=0

-Bob
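
An added example, not part of the original post: a small parser for netfilter LOG records like the ones above that tallies dropped packets per source and TCP flag combination, so RST drops can be told apart from ACK FIN / ACK PSH FIN drops regardless of the log prefix. The sample records are constructed (documentation addresses) and the function names are hypothetical.

```python
import re
from collections import Counter

# TCP flag names that the netfilter LOG target prints as bare words.
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

# Constructed sample records in the layout of the log above
# (documentation addresses, wrapped the way a mail client wraps them).
SAMPLE = """\
Sep  3 03:24:00 here kernel: i_s80_ack_psh?_fin IN=eth0 OUT=
MAC= SRC=192.0.2.33 DST=198.51.100.7 LEN=40 TOS=0x00
PREC=0x00 TTL=50 ID=14852 DF PROTO=TCP SPT=80
DPT=34245 WINDOW=0 RES=0x00 RST URGP=0

Sep  3 04:45:04 here kernel: i_s80_ack_psh?_fin IN=eth0 OUT=
MAC= SRC=192.0.2.101 DST=198.51.100.7 LEN=40 TOS=0x00
PREC=0x00 TTL=243 ID=4063 PROTO=TCP SPT=80
DPT=34436 WINDOW=5840 RES=0x00 ACK FIN URGP=0

Sep  3 05:06:55 here kernel: i_s80_ack_psh?_fin IN=eth0 OUT=
MAC= SRC=192.0.2.33 DST=198.51.100.7 LEN=52 TOS=0x00
PREC=0x00 TTL=250 ID=53964 PROTO=TCP SPT=80
DPT=34441 WINDOW=5840 RES=0x00 ACK PSH FIN URGP=0
"""

def parse_records(text):
    """Yield one dict per LOG record; blank lines separate wrapped records."""
    for block in re.split(r"\n\s*\n", text.strip()):
        line = " ".join(block.split())          # undo the mail line-wrapping
        _, sep, body = line.partition("kernel: ")
        if not sep:
            continue                             # not a kernel LOG record
        tokens = body.split()
        rec = {"prefix": tokens[0], "flags": []}
        for tok in tokens[1:]:
            if "=" in tok:                       # KEY=value fields (value may be empty)
                key, _, val = tok.partition("=")
                rec[key] = val
            elif tok in TCP_FLAGS:               # other bare words (DF, MAC) are skipped
                rec["flags"].append(tok)
        yield rec

def flag_summary(text):
    """Count dropped packets per (source address, flag combination)."""
    return Counter((r.get("SRC"), " ".join(r["flags"])) for r in parse_records(text))

if __name__ == "__main__":
    for (src, flags), n in sorted(flag_summary(SAMPLE).items()):
        print(f"{n:3d}  {src:15s}  {flags}")
```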
