Petr Janda:
> Hello,
> I've taken another tcpdump, this time with options: window scaling and
> SACK disabled.
> 
> Please let me know what you think.

After Postfix replies with "354 End data with <CR><LF>.<CR><LF>"
the client sends something that appears to start in the middle of
an email message.

MsoNormal align=3Dcenter style=3D'text-align:center'><font =<CR><LF>
size=3D3<CR><LF>
face=3D"Times New Roman"><span =<CR><LF>
...

What happens in reality is that a whole chunk of packets is missing.

First we have the TCP three-way handshake:

    04:48:34.741647 203.16.214.214.41558 > 202.76.131.108.25: S
    4022238683:4022238683(0) win 49640 <mss 1460,nop,wscale
    0,nop,nop,sackOK> (DF)

    04:48:34.741733 202.76.131.108.25 > 203.16.214.214.41558: S
    1380291408:1380291408(0) ack 4022238684 win 57344 <mss 1460>
    (DF)

    04:48:34.761488 203.16.214.214.41558 > 202.76.131.108.25: .
    ack 1 win 49640 (DF)

Then we have the SMTP handshake:

    04:48:34.802373 202.76.131.108.25 > 203.16.214.214.41558: P
    1:41(40) ack 1 win 58400 (DF)

        220 daria.webgate.net.au ESMTP Postfix

    04:48:34.822571 203.16.214.214.41558 > 202.76.131.108.25: .
    ack 41 win 49640 (DF)

    04:48:34.824326 203.16.214.214.41558 > 202.76.131.108.25: P
    1:30(29) ack 41 win 49640 (DF)

        EHLO lists.internode.on.net

    04:48:34.824534 202.76.131.108.25 > 203.16.214.214.41558: P
    41:204(163) ack 30 win 58400 (DF)

        250-daria.webgate.net.au
        250-PIPELINING
        250-SIZE 10240000
        250-ETRN
        250-AUTH PLAIN LOGIN
        250-AUTH=PLAIN LOGIN
        250-ENHANCEDSTATUSCODES
        250-8BITMIME
        250 DSN

    04:48:34.845072 203.16.214.214.41558 > 202.76.131.108.25: .
    ack 204 win 49640 (DF)

    04:48:34.847556 203.16.214.214.41558 > 202.76.131.108.25: P
    30:91(61) ack 204 win 49640 (DF)

        MAIL From:<[EMAIL PROTECTED]> SIZE=44357

    04:48:34.853278 202.76.131.108.25 > 203.16.214.214.41558: P
    204:218(14) ack 91 win 58400 (DF)

        250 2.1.0 Ok

    04:48:34.875003 203.16.214.214.41558 > 202.76.131.108.25: P
    91:145(54) ack 218 win 49640 (DF)

        RCPT To: <[EMAIL PROTECTED]>
        DATA

    04:48:34.915642 202.76.131.108.25 > 203.16.214.214.41558: P
    218:269(51) ack 145 win 58400 (DF)

        250 2.1.5 Ok
        354 End data with <CR><LF>.<CR><LF>

    04:48:34.952747 203.16.214.214.41558 > 202.76.131.108.25: P
    7445:8337(892) ack 269 win 49640 (DF)

        MsoNormal align=3Dcenter style=3D'text-align:center'><font =
        size=3D3
        face=3D"Times New Roman"><span =
        style=3D'font-size:12.0pt'>&nbsp;</span></font></p>
        ....and so on....

Note the jump in byte offsets. The RCPT+DATA packet ends at offset
145, but the "MsoNormal..." is at offset 7445.

What happened with the packets between TCP offsets 145 and 7445?

    04:48:34.952792 202.76.131.108.25 > 203.16.214.214.41558: .
    ack 145 win 58400 (DF)

The SMTP server's TCP stack says that it has not yet received data
beginning at byte offset 145.

Something is badly screwing up TCP, perhaps by throwing away packets
with flags that it does not like.

        Wietse
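
Added example, not part of the original message: a small Python check that automates the comparison made above, flagging any data segment that starts beyond the bytes already seen in its direction and recording the latest ACK the peer sent for that flow. The trace lines are copied from the message and rejoined onto one line each; the regular expression assumes this older tcpdump output format with relative sequence numbers.

```python
import re

# Data and ACK lines copied from the trace above, each rejoined onto one line.
TRACE = """\
04:48:34.824326 203.16.214.214.41558 > 202.76.131.108.25: P 1:30(29) ack 41 win 49640 (DF)
04:48:34.847556 203.16.214.214.41558 > 202.76.131.108.25: P 30:91(61) ack 204 win 49640 (DF)
04:48:34.875003 203.16.214.214.41558 > 202.76.131.108.25: P 91:145(54) ack 218 win 49640 (DF)
04:48:34.915642 202.76.131.108.25 > 203.16.214.214.41558: P 218:269(51) ack 145 win 58400 (DF)
04:48:34.952747 203.16.214.214.41558 > 202.76.131.108.25: P 7445:8337(892) ack 269 win 49640 (DF)
04:48:34.952792 202.76.131.108.25 > 203.16.214.214.41558: . ack 145 win 58400 (DF)
"""

# Old-style tcpdump line: time src > dst: flags [start:end(len)] [ack N] ...
LINE = re.compile(
    r"(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
    r"(?: (?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?")

def find_gaps(trace):
    """Return (gaps, acked).
    gaps:  (time, sender, expected_offset, seen_offset, missing_bytes) tuples.
    acked: latest ACK value the peer sent for each (sender, receiver) flow."""
    next_seq, acked, gaps = {}, {}, []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        flow = (m["src"], m["dst"])
        if m["ack"]:
            acked[flow[::-1]] = int(m["ack"])  # an ACK covers the reverse flow
        if m["start"] is None or m["len"] == "0":
            continue                           # pure ACK or SYN/FIN: no payload
        start, end = int(m["start"]), int(m["end"])
        # Assumption: the first data segment captured for a flow is in order.
        expected = next_seq.get(flow, start)
        if start > expected:
            gaps.append((m["ts"], m["src"], expected, start, start - expected))
        else:
            next_seq[flow] = max(expected, end)  # contiguous data advances
    return gaps, acked

if __name__ == "__main__":
    gaps, acked = find_gaps(TRACE)
    for ts, sender, expected, seen, missing in gaps:
        print(f"{ts} {sender}: expected offset {expected}, saw {seen} "
              f"({missing} bytes missing)")
    for (sender, receiver), ack in acked.items():
        print(f"{receiver} last acked {ack} of data from {sender}")
```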
