On Thu, 20 Jul 2006, Steve Welham wrote:

> Get tcpdumps on both router interfaces with and without the "reassemble
> tcp" option. Do this for a similar file on both a working website and
> broken (ebay) website.

I have now. Got a dump of the following request (all on a single line):
wget -nd -O /dev/null -Y off 
"http://de.ebayobjects.com/6k;h=v7/3429/0/0/%2a/b;32478602;0-0;0;8693398;13191-275/73;16963851/16981746/1;;~sscs=%3fhttp://listings.ebay.de/_W0QQsocmdZListingItemList?sofocus=so&sbrftog=1&catref=C3&fccl=1&from=R2&fcl=4&socmd=ListingItemList&satitle=&sacat=25863%26catref%3DC6&fsop=1%26fsoo%3D1&fgtp=&a6=-24&a56=-24&a51=-24&a45419=-24&gcs=1884&pfid=2674&reqtype=2&pfmode=1&alist=a6%2Ca56%2Ca51%2Ca3801%2Ca45419&pf_query=&sargn=-1%26saslc%3D3&sascs=2&ga10244=10425&saslt=2&saprclo=&saprchi=&so=Artikel+anzeigen";

This is just a URL of one of the ad images displayed on the right
hand side on ebay.de. With reassemble tcp I get reproducible timeouts.

> Then load the comparable captures into Ethereal/Wireshark and stare at
> them until it makes sense :-)

Well, both dumps of working and timing out requests are really quite
similar with two notable exceptions:

With reassemble tcp, the received HTTP response packets (HTTP 1.1 ...)
have a BAD packet checksum! However, this is not true all the time, just
sometimes. Would have been too easy anyway...

Interestingly though, the delay between the last packet sent (usually an
ACK) and the next packet received (HTTP continuation) is most of the time
surprisingly long, ranging from tenths of a second to a couple of seconds
and up to over a minute, and even longer when wget finally times out with
a read error.

Without reassemble tcp, there are no checksum errors and no long 
delays, everything is usually well below 10 ms then. 

Can somebody draw some conclusions from this behaviour?
Or at least have a good guess? ;-)

I've also tried 'set debug loud' in pf.conf because of Daniel's
suggestion in this thread. Occasionally I get a "loose state match"
but the syslog timestamps do not really correlate with the dump
timestamps (all ntp synced).

I've saved all the tcpdumps and the wget logs in case somebody wants
to examine them. Just tell me and I'll email them.

Walter
