On Thu, Jun 02, 2011 at 08:06:13PM -0500, Justin Tocci wrote:

> Apparently I cut my last post too short to be useful. I am getting better
> at tcpdump. Here is everything I captured the last time I tried:

You still have not disabled TCP window scaling. On Linux systems:

    sysctl -w net.ipv4.tcp_window_scaling=0

Window scaling confuses many routers. Also "DMZ" does not mean that
your router is not in the way, it just changes the details of the
topology.

> Capture command:
> tcpdump -s 0 -w /opt/mail/dump11.txt net 208.75.76.252/32
>
> root@server:~
> $ tcpdump -AKvvr /opt/mail/dump12.txt

This is not a "txt" file, it is a binary capture file. You need to make
this file available, typically by posting the URL of a "paste-bin" copy.
Not interested in your decoding of the file, need the raw data. Make
sure it contains at least one complete session (from 3-way SYN to 3-way
FIN or RST).

Ideally, having found such a session, extract a pure tcpdump capture of
just that session:

    tcpdump -s 0 -r /file1 -w /file2 tcp port 56789

(replace 56789 by the client port used in the session). Then make
"file2" available after inspecting it with "tcpdump -r" to make sure it
still contains a complete session.

-- 
    Viktor.
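One way to automate the "still contains a complete session" check on the extracted file, as an added example that is not part of the original message. It assumes a classic pcap file with Ethernet framing and IPv4; the function names, the sample addresses and server port 25 are constructed for illustration.

```python
import socket, struct

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04  # TCP flag bits

def complete_sessions(pcap):
    """Map each TCP session to True if it runs from SYN, SYN/ACK to FIN both ways or RST."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if e is None or struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("need a classic pcap file with Ethernet link type")
    seen, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(e + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 14:
            continue  # TCP header truncated by a short snaplen
        sport, dport = struct.unpack("!HH", tcp[:4])
        src = "%s:%d" % (socket.inet_ntoa(frame[26:30]), sport)
        dst = "%s:%d" % (socket.inet_ntoa(frame[30:34]), dport)
        ev = seen.setdefault(tuple(sorted((src, dst))), set())
        flags = tcp[13]
        if flags & SYN:
            ev.add("synack" if flags & ACK else "syn")
        if flags & FIN:
            ev.add("fin from " + src)
        if flags & RST:
            ev.add("rst")
    return {k: {"syn", "synack"} <= ev and
               ("rst" in ev or sum(x.startswith("fin") for x in ev) == 2)
            for k, ev in seen.items()}

def _frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    c, s = ("192.0.2.10", 56789), ("198.51.100.25", 25)  # constructed endpoints
    c2 = ("192.0.2.10", 56790)  # second session, capture stops after SYN/ACK
    pkts = [(c, s, SYN), (s, c, SYN | ACK), (c, s, ACK), (c, s, FIN | ACK),
            (s, c, FIN | ACK), (c, s, ACK), (c2, s, SYN), (s, c2, SYN | ACK)]
    frames = [_frame(a[0], b[0], a[1], b[1], f) for a, b, f in pkts]
    hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))
```

To check a real capture, pass the raw bytes of the file written by `tcpdump -w` to `complete_sessions`; a session reported as False is missing its handshake or its close.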