On Tue, April 18, 2017 3:46 pm, Reyk Floeter wrote:
>
>> Am 18.04.2017 um 20:53 schrieb trondd <[email protected]>:
>>
>> I have an OpenBSD httpd(8) web server hosting security/clamav main.cvd
>> and
>> daily.cvd files. Upon upgrading to 6.1, freshclam can no longer
>> successfully fetch the cvd files.
>>
>> Freshclam does a request for the first 512 bytes of the files to check
>> the
>> dates in their header. Then pulls the rest of the file if needed. It
>> looks like it pulls the *whole* file again. It doesn't pick up where it
>> left off.
>>
>> With httpd from 6.0, fully patched, this was working fine. Whith 6.1,
>> freshclam would request the 512 chunk, then timeout with "nonblock_recv:
>> recv timing out (30 secs)".
>>
>> Knowing there were a couple of changes to ranges in httpd, I started
>> rolling things back. I took out the pipelining fix:
>> http://marc.info/?l=openbsd-cvs&m=148607400902939&w=2
>>
>> Which didn't help. Then I also took out the range rewrite:
>> http://marc.info/?l=openbsd-cvs&m=148587359420912&w=2
>>
>> And bingo. Freshclam happily pulled it's now much out of date daily
>> database. :)
>>
>> I don't know if freshclam is doing something wacky here or if it's
>> httpd.
>> It does return the requested byte range, and I was able to pull a range
>> with curl as well. I don't know another test case for this off hand.
>>
>
> Do you have any more details like request/response HTTP headers with old
> and new code?
>
> Reyk
>
Yes. Hopefully these attach properly. Only have access to web mail from
here so scream at me if all you get is garbage and I can resend properly
later.
ASCII output from the tcpdump showing success and failure cases. I have
the full binary pcaps if needed. Comparing quickly, I see 6.1 sends the
Partial Content response header in a seperate packet from the content.
Previous code didn't do that.
Tim.
Apr 18 14:46:43.193474 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 74:
172.25.87.253.36732 > 172.25.87.91.80: S [tcp sum ok] 3129109532:3129109532(0)
win 29200 <mss 1460,sackOK,timestamp 3036950978 0,nop,wscale 7> (DF) (ttl 64,
id 24030, len 60)
.PVSS..PV..Y..E..<].@[email protected][.|.P..l.......r.12.........
..1.........
Apr 18 14:46:43.375068 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 78:
172.25.87.91.80 > 172.25.87.253.36732: S [tcp sum ok] 4257186703:4257186703(0)
ack 3129109533 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 4072752100 3036950978> (ttl 64, id 51915, len 64)
.PV..Y.PVSS...E..@[email protected][..W..P.|[email protected].................
..C...1.
Apr 18 14:46:43.375489 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 66:
172.25.87.253.36732 > 172.25.87.91.80: . [tcp sum ok] 1:1(0) ack 1 win 229
<nop,nop,timestamp 3036951213 4072752100> (DF) (ttl 64, id 24031, len 52)
.PVSS..PV..Y..E..4].@[email protected][.|.P..l..........8.....
..2...C.
Apr 18 14:46:43.375506 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 285:
172.25.87.253.36732 > 172.25.87.91.80: P [tcp sum ok] 1:220(219) ack 1 win 229
<nop,nop,timestamp 3036951213 4072752100> (DF) (ttl 64, id 24032, len 271)
.PVSS..PV..Y..E...].@.@..}..W...W[.|.P..l.........wy.....
..2...C.GET /main.cld HTTP/1.0
Host: obsd-build.llan.ll.mit.edu
User-Agent: ClamAV/0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Connection: close
Range: bytes=0-511
If-Modified-Since: Wed, 16 Mar 2016 23:17:06 GMT
Apr 18 14:46:43.376135 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 644:
172.25.87.91.80 > 172.25.87.253.36732: P [bad tcp cksum 9f4! -> d979]
1:579(578) ack 220 win 271 <nop,nop,timestamp 4072752100 3036951213> (ttl 64,
id 54869, len 630)
[email protected][..W..P.|......l..... ......
..C...2.HTTP/1.0 404 Not Found
Date: Tue, 18 Apr 2017 18:46:43 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 427
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>404 Not Found</title>
<style type="text/css"><!--
body { background-color: white; color: black; font-family: 'Comic Sans MS',
'Chalkboard SE', 'Comic Neue', sans-serif; }
hr { border: 0; border-bottom: 1px dashed; }
--></style>
</head>
<body>
<h1>404 Not Found</h1>
<hr>
<address>OpenBSD httpd</address>
</body>
</html>
Apr 18 14:46:43.376185 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 66:
172.25.87.91.80 > 172.25.87.253.36732: F [bad tcp cksum 7b2! -> 14f0]
579:579(0) ack 220 win 271 <nop,nop,timestamp 4072752100 3036951213> (ttl 64,
id 45714, len 52)
[email protected][..W..P.|......l............
..C...2.
Apr 18 14:46:43.376729 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 66:
172.25.87.253.36732 > 172.25.87.91.80: . [tcp sum ok] 220:220(0) ack 579 win
238 <nop,nop,timestamp 3036951214 4072752100> (DF) (ttl 64, id 24033, len 52)
.PVSS..PV..Y..E..4].@[email protected][.|.P..l................
..2...C.
Apr 18 14:46:43.376738 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 66:
172.25.87.253.36732 > 172.25.87.91.80: F [tcp sum ok] 220:220(0) ack 580 win
238 <nop,nop,timestamp 3036951214 4072752100> (DF) (ttl 64, id 24034, len 52)
.PVSS..PV..Y..E..4].@[email protected][.|.P..l................
..2...C.
Apr 18 14:46:43.376743 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 74:
172.25.87.253.36734 > 172.25.87.91.80: S [tcp sum ok] 183614203:183614203(0)
win 29200 <mss 1460,sackOK,timestamp 3036951214 0,nop,wscale 7> (DF) (ttl 64,
id 34901, len 60)
.PVSS..PV..Y..E..<.U@[email protected][.~.P
.........r............
..2.........
Apr 18 14:46:43.376928 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 66:
172.25.87.91.80 > 172.25.87.253.36732: . [bad tcp cksum 7b2! -> 14ee]
580:580(0) ack 221 win 271 <nop,nop,timestamp 4072752100 3036951214> (ttl 64,
id 10812, len 52)
.PV..Y.PVSS...E..4*<[email protected][..W..P.|......l............
..C...2.
Apr 18 14:46:43.376962 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 78:
172.25.87.91.80 > 172.25.87.253.36734: S [tcp sum ok] 3436916395:3436916395(0)
ack 183614204 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp
2882579297 3036951214> (ttl 64, id 34415, len 64)
[email protected][email protected][..W..P.~....
.....@.^7.................
...a..2.
Apr 18 14:46:43.377311 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 66:
172.25.87.253.36734 > 172.25.87.91.80: . [tcp sum ok] 1:1(0) ack 1 win 229
<nop,nop,timestamp 3036951215 2882579297> (DF) (ttl 64, id 34902, len 52)
.PVSS..PV..Y..E..4.V@[email protected][.~.P
............".....
..2....a
Apr 18 14:46:43.377346 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 285:
172.25.87.253.36734 > 172.25.87.91.80: P [tcp sum ok] 1:220(219) ack 1 win 229
<nop,nop,timestamp 3036951215 2882579297> (DF) (ttl 64, id 34903, len 271)
.PVSS..PV..Y..E....W@[email protected][.~.P
...........=Z.....
..2....aGET /main.cvd HTTP/1.0
Host: obsd-build.llan.ll.mit.edu
User-Agent: ClamAV/0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Connection: close
Range: bytes=0-511
If-Modified-Since: Wed, 16 Mar 2016 23:17:06 GMT
Apr 18 14:46:43.377835 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 834:
172.25.87.91.80 > 172.25.87.253.36734: P [bad tcp cksum ab2! -> 24dc]
1:769(768) ack 220 win 271 <nop,nop,timestamp 2882579297 3036951215> (ttl 64,
id 34254, len 820)
[email protected][..W..P.~....
.......
......
...a..2.HTTP/1.0 206 Partial Content
Connection: close
Content-Length: 512
Content-Range: bytes 0-511/109143933
Content-Type: application/octet-stream
Date: Tue, 18 Apr 2017 18:46:43 GMT
Last-Modified: Tue, 18 Apr 2017 18:00:04 GMT
Server: OpenBSD httpd
ClamAV-VDB:16 Mar 2016 23-17
+0000:57:4218790:60:06386f34a16ebeea2733ab037f0536be:AIzk/LYbX8K9OEbR5GMyJ6LWTqSu9ffa5bONcA0FN3+onMlZ2BMRzuyvVURBvAZvOaGPdtMBcgDJSl7fGxDfcxRWhIrQ98f8FPdAQaFPgWu3EX46ufw+IRZnM4irKKYuh1GdCIbsGs6jejWo9iNErsbDqkFSobVBkUJYxBgvqfd:amishhammer:1458170226
Apr 18 14:46:43.377864 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 66:
172.25.87.91.80 > 172.25.87.253.36734: F [bad tcp cksum 7b2! -> da1c]
769:769(0) ack 220 win 271 <nop,nop,timestamp 2882579297 3036951215> (ttl 64,
id 18352, len 52)
.PV..Y.PVSS...E..4G...@.+...W[..W..P.~..1.
..............
...a..2.
Apr 18 14:46:43.378370 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 66:
172.25.87.253.36734 > 172.25.87.91.80: . [tcp sum ok] 220:220(0) ack 769 win
241 <nop,nop,timestamp 3036951216 2882579297> (DF) (ttl 64, id 34904, len 52)
.PVSS..PV..Y..E..4.X@[email protected][.~.P
.....1......:.....
..2....a
Apr 18 14:46:43.378387 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 66:
172.25.87.253.36734 > 172.25.87.91.80: F [tcp sum ok] 220:220(0) ack 770 win
241 <nop,nop,timestamp 3036951216 2882579297> (DF) (ttl 64, id 34905, len 52)
.PVSS..PV..Y..E..4.Y@[email protected][.~.P
.....1......8.....
..2....a
Apr 18 14:46:43.378592 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 66:
172.25.87.91.80 > 172.25.87.253.36734: . [bad tcp cksum 7b2! -> da1a]
770:770(0) ack 221 win 271 <nop,nop,timestamp 2882579297 3036951216> (ttl 64,
id 17661, len 52)
.PV..Y.PVSS...E..4D...@..<..W[..W..P.~..1.
..............
...a..2.
Apr 18 14:46:43.379075 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 74:
172.25.87.253.36736 > 172.25.87.91.80: S [tcp sum ok] 3536452455:3536452455(0)
win 29200 <mss 1460,sackOK,timestamp 3036951216 0,nop,wscale 7> (DF) (ttl 64,
id 51671, len 60)
.PVSS..PV..Y..E..<..@[email protected][...P...g......r............
..2.........
Apr 18 14:46:43.379262 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 78:
172.25.87.91.80 > 172.25.87.253.36736: S [tcp sum ok] 2229953923:2229953923(0)
ack 3536452456 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 3044495043 3036951216> (ttl 64, id 32686, len 64)
.PV..Y.PVSS...E..@....@..~..W[..W..P....e....h..@....................
.wN...2.
Apr 18 14:46:43.379725 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 66:
172.25.87.253.36736 > 172.25.87.91.80: . [tcp sum ok] 1:1(0) ack 1 win 229
<nop,nop,timestamp 3036951217 3044495043> (DF) (ttl 64, id 51672, len 52)
.PVSS..PV..Y..E..4..@[email protected]`..W...W[...P...h..e.....9......
..2..wN.
Apr 18 14:46:43.379742 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 286:
172.25.87.253.36736 > 172.25.87.91.80: P [tcp sum ok] 1:221(220) ack 1 win 229
<nop,nop,timestamp 3036951217 3044495043> (DF) (ttl 64, id 51673, len 272)
.PVSS..PV..Y..E.....@[email protected][...P...h..e......f.....
..2..wN.GET /daily.cld HTTP/1.0
Host: obsd-build.llan.ll.mit.edu
User-Agent: ClamAV/0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Connection: close
Range: bytes=0-511
If-Modified-Since: Tue, 11 Apr 2017 04:45:12 GMT
Apr 18 14:46:43.380255 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 644:
172.25.87.91.80 > 172.25.87.253.36736: P [bad tcp cksum 9f4! -> fb2a]
1:579(578) ack 221 win 271 <nop,nop,timestamp 3044495043 3036951217> (ttl 64,
id 31753, len 630)
.PV..Y.PVSS...E..v| [email protected][..W..P....e....D.... ......
.wN...2.HTTP/1.0 404 Not Found
Date: Tue, 18 Apr 2017 18:46:43 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 427
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>404 Not Found</title>
<style type="text/css"><!--
body { background-color: white; color: black; font-family: 'Comic Sans MS',
'Chalkboard SE', 'Comic Neue', sans-serif; }
hr { border: 0; border-bottom: 1px dashed; }
--></style>
</head>
<body>
<h1>404 Not Found</h1>
<hr>
<address>OpenBSD httpd</address>
</body>
</html>
Apr 18 14:46:43.380298 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 66:
172.25.87.91.80 > 172.25.87.253.36736: F [bad tcp cksum 7b2! -> 36a1]
579:579(0) ack 221 win 271 <nop,nop,timestamp 3044495043 3036951217> (ttl 64,
id 31271, len 52)
.PV..Y.PVSS...E..4z'[email protected][..W..P....g....D...........
.wN...2.
Apr 18 14:46:43.380779 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 66:
172.25.87.253.36736 > 172.25.87.91.80: . [tcp sum ok] 221:221(0) ack 579 win
238 <nop,nop,timestamp 3036951218 3044495043> (DF) (ttl 64, id 51674, len 52)
.PVSS..PV..Y..E..4..@[email protected]^..W...W[...P...D..g.....6......
..2..wN.
Apr 18 14:46:43.380792 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 66:
172.25.87.253.36736 > 172.25.87.91.80: F [tcp sum ok] 221:221(0) ack 580 win
238 <nop,nop,timestamp 3036951218 3044495043> (DF) (ttl 64, id 51675, len 52)
.PVSS..PV..Y..E..4..@[email protected]]..W...W[...P...D..g.....6......
..2..wN.
Apr 18 14:46:43.380801 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 74:
172.25.87.253.36738 > 172.25.87.91.80: S [tcp sum ok] 1890315643:1890315643(0)
win 29200 <mss 1460,sackOK,timestamp 3036951218 0,nop,wscale 7> (DF) (ttl 64,
id 57289, len 60)
.PVSS..PV..Y..E..<..@[email protected][...Pp..{......r............
..2.........
Apr 18 14:46:43.380990 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 66:
172.25.87.91.80 > 172.25.87.253.36736: . [bad tcp cksum 7b2! -> 369f]
580:580(0) ack 222 win 271 <nop,nop,timestamp 3044495043 3036951218> (ttl 64,
id 14559, len 52)
.PV..Y.PVSS...E..48...@.:Z..W[..W..P....g....E...........
.wN...2.
Apr 18 14:46:43.381024 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 78:
172.25.87.91.80 > 172.25.87.253.36738: S [tcp sum ok] 3358268948:3358268948(0)
ack 1890315644 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 3880206722 3036951218> (ttl 64, id 497, len 64)
.PV..Y.PVSS...E..@[email protected]<..W[..W..P...+..p..|..@. ..................
.GA...2.
Apr 18 14:46:43.381644 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 66:
172.25.87.253.36738 > 172.25.87.91.80: . [tcp sum ok] 1:1(0) ack 1 win 229
<nop,nop,timestamp 3036951219 3880206722> (DF) (ttl 64, id 57290, len 52)
.PVSS..PV..Y..E..4..@[email protected][...Pp..|.+.............
..2..GA.
Apr 18 14:46:43.381659 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 286:
172.25.87.253.36738 > 172.25.87.91.80: P [tcp sum ok] 1:221(220) ack 1 win 229
<nop,nop,timestamp 3036951219 3880206722> (DF) (ttl 64, id 57291, len 272)
.PVSS..PV..Y..E.....@[email protected][...Pp..|.+......*......
..2..GA.GET /daily.cvd HTTP/1.0
Host: obsd-build.llan.ll.mit.edu
User-Agent: ClamAV/0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Connection: close
Range: bytes=0-511
If-Modified-Since: Tue, 11 Apr 2017 04:45:12 GMT
Apr 18 14:46:43.382333 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 833:
172.25.87.91.80 > 172.25.87.253.36738: P [bad tcp cksum ab1! -> 2d60]
1:768(767) ack 221 win 271 <nop,nop,timestamp 3880206722 3036951219> (ttl 64,
id 51263, len 819)
[email protected][..W..P...+..p..X....
......
.GA...2.HTTP/1.0 206 Partial Content
Connection: close
Content-Length: 512
Content-Range: bytes 0-511/49739900
Content-Type: application/octet-stream
Date: Tue, 18 Apr 2017 18:46:43 GMT
Last-Modified: Tue, 18 Apr 2017 18:00:02 GMT
Server: OpenBSD httpd
ClamAV-VDB:18 Apr 2017 08-56
-0400:23308:2053631:63:6eb4db1d352aae30a5dae362c8bda91b:H6vwyAbBxgYvQqdWATot2igNjCfHhCABZMHX8E6SiHgNK4fWSyybiqfjhELV/NjTnyLUSSMA2bvEgx46WPmgpX+1irN653ZSKyOMXyGs1NiwNeDCGFpwJVdZwlI2LqjHVxUJiNs2Iy7Y8sJJFLGZLubG4rU5hc5KNDWp9xKHqk:neo:1492520191
Apr 18 14:46:43.382365 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 66:
172.25.87.91.80 > 172.25.87.253.36738: F [bad tcp cksum 7b2! -> 8589]
768:768(0) ack 221 win 271 <nop,nop,timestamp 3880206722 3036951219> (ttl 64,
id 50782, len 52)
.PV..Y.PVSS...E..4.^[email protected][..W..P...+!.p..X...........
.GA...2.
Apr 18 14:46:43.382844 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 66:
172.25.87.253.36738 > 172.25.87.91.80: . [tcp sum ok] 221:221(0) ack 768 win
241 <nop,nop,timestamp 3036951220 3880206722> (DF) (ttl 64, id 57292, len 52)
.PVSS..PV..Y..E..4..@[email protected][...Pp..X.+!............
..2..GA.
Apr 18 14:46:43.382861 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 66:
172.25.87.253.36738 > 172.25.87.91.80: F [tcp sum ok] 221:221(0) ack 769 win
241 <nop,nop,timestamp 3036951220 3880206722> (DF) (ttl 64, id 57293, len 52)
.PVSS..PV..Y..E..4..@[email protected][...Pp..X.+!............
..2..GA.
Apr 18 14:46:43.382893 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 74:
172.25.87.253.36740 > 172.25.87.91.80: S [tcp sum ok] 4210228745:4210228745(0)
win 29200 <mss 1460,sackOK,timestamp 3036951220 0,nop,wscale 7> (DF) (ttl 64,
id 52413, len 60)
.PVSS..PV..Y..E..<..@[email protected][...P... ......r.]..........
..2.........
Apr 18 14:46:43.383108 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 66:
172.25.87.91.80 > 172.25.87.253.36738: . [bad tcp cksum 7b2! -> 8587]
769:769(0) ack 222 win 271 <nop,nop,timestamp 3880206722 3036951220> (ttl 64,
id 28288, len 52)
[email protected][..W..P...+!.p..Y...........
.GA...2.
Apr 18 14:46:43.383147 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 78:
172.25.87.91.80 > 172.25.87.253.36740: S [tcp sum ok] 592174374:592174374(0)
ack 4210228746 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
6,nop,nop,timestamp 162981045 3036951220> (ttl 64, id 946, len 64)
.PV..Y.PVSS...E..@[email protected]{..W[..W..P..#K.&...
..@....................
.....2.
Apr 18 14:46:43.383592 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 66:
172.25.87.253.36740 > 172.25.87.91.80: . [tcp sum ok] 1:1(0) ack 1 win 229
<nop,nop,timestamp 3036951221 162981045> (DF) (ttl 64, id 52414, len 52)
.PVSS..PV..Y..E..4..@[email protected][...P...
#K.'...........
..2. ...
Apr 18 14:46:43.383609 00:50:56:a2:e3:59 00:50:56:53:53:06 0800 216:
172.25.87.253.36740 > 172.25.87.91.80: P [tcp sum ok] 1:151(150) ack 1 win 229
<nop,nop,timestamp 3036951221 162981045> (DF) (ttl 64, id 52415, len 202)
.PVSS..PV..Y..E.....@[email protected][...P...
#K.'.....g.....
..2. ...GET /daily.cvd HTTP/1.0
Host: obsd-build.llan.ll.mit.edu
User-Agent: ClamAV/0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Connection: close
Apr 18 14:46:43.383981 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 276:
172.25.87.91.80 > 172.25.87.253.36740: P [bad tcp cksum 884! -> d93f]
1:211(210) ack 151 win 271 <nop,nop,timestamp 162981045 3036951221> (ttl 64, id
51876, len 262)
[email protected][..W..P..#K.'...............
.....2.HTTP/1.0 200 OK
Connection: close
Content-Length: 49739900
Content-Type: application/octet-stream
Date: Tue, 18 Apr 2017 18:46:43 GMT
Last-Modified: Tue, 18 Apr 2017 18:00:02 GMT
Server: OpenBSD httpd
Apr 18 14:46:43.384278 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 1514:
172.25.87.91.80 > 172.25.87.253.36740: . [bad tcp cksum d5a! -> a61]
211:1659(1448) ack 151 win 271 <nop,nop,timestamp 162981045 3036951221> (ttl
64, id 6228, len 1500)
[email protected]=..W[..W..P..#K..........
Z.....
.....2.ClamAV-VDB:18 Apr 2017 08-56
-0400:23308:2053631:63:6eb4db1d352aae30a5dae362c8bda91b:H6vwyAbBxgYvQqdWATot2igNjCfHhCABZMHX8E6SiHgNK4fWSyybiqfjhELV/NjTnyLUSSMA2bvEgx46WPmgpX+1irN653ZSKyOMXyGs1NiwNeDCGFpwJVdZwlI2LqjHVxUJiNs2Iy7Y8sJJFLGZLubG4rU5hc5KNDWp9xKHqk:neo:1492520191
............[s.H.?........a..QS....;AK....F..v..)Te.h.(6.J.\[email protected]....=..0..-...U.._eQ'.7..Wo....#8.d..
a.............x{...N.&....y..bz......l../...X.y(.......& ."8
.M..-.xu..h.'[email protected]!..u.L......=...@&0...@.)..#.....sr.oB........QJG..
.n6.`r..&..y
+..y...&.
.
........u.p.Uf.|
6.r.#...E^C.[,k...z.es.....0.]^.A.@^C..0E....G....qS.Yf.F..|.=..|.`....~..BpX.we+ac>!....MXW...]XB..^.
.....!o...l....L..A..v.....p....F..D.......C..Me...6a]...|...2.FM....P.+.f....k..".P.)
....5V.1.|...S.....VE.54.]...Y.S-....w..
[email protected]..
w.Y.."..f.,BU.
[email protected]&g.=V. .D.b_.Ye.
..,/...;~
.1.....jUl..f..[..#hB8."...,...^.......Kr....T........o.....VUn...z]
HV....=5
l.:Z..v.w.c.vZ.y!...t..C....E^C..}n.r......^.>....Z......,.
.!T`M
[email protected]=.)....Rk.^S.hc.`]#.r...y..%............>..a...h.X#4.......`.`U..m..N..-.....J.Y.
...m...n..Pe..L. %B..a..MXw...
T..0...Q.z]UX:..Y.o.G....(.)..4.M..Uc..*.W...,/.&...&........J.A..}[...
..q....
Apr 18 14:46:43.384368 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 1514:
172.25.87.91.80 > 172.25.87.253.36740: . [bad tcp cksum d5a! -> 564f]
1659:3107(1448) ack 151 win 271 <nop,nop,timestamp 162981045 3036951221> (ttl
64, id 37713, len 1500)
.PV..Y.PVSS...E....Q..@..?..W[..W..P..#K..........
Z.....
.....2...Y.
<.....^...~...a......2M^C.Z......g]7p.w.W..W9.M
.(vV...i.MX....qke.u.<W.f..#hB8....z5..v4..`\.G9.Ex.f..^..Z.P.h..i..Y`^E..D..q...C.,.y.P7..SxE_......nJ..b.!x.U.&;..a......X.&...;S.....P.!.hw.M....~.w.;.".qQ.#...4v......T.P.)..u.*..)...w
.5....Qx]:......nE.N.....L.l......`s.0./b.2.... [email protected].,.6..L]..P...F...w5.
.....z.....>.7..P.wyi.#.C;%Sn`U...e
y.T..m+Fh.X........
}...P>..u..wP.j..&.e..gyi.bs...<qO...,*4
.....nL...v.]p\....>.x.....h....;h....wX.3.p....!x0..o#g^...........B....v.m>s.y
.=....S^.A.xd......1...s.x.e.."o.ga....!.
..M'.)7..Z...9.kU.S..u...F....y|.4`.....V..|k..t`C...k.P.
.M^..=..N..V.l.
.P...8.....1..'..3._......t>[email protected]...}.R..w.YB..<.!T.:.`C....#.ehr..*L....w.."..+...Km.f....r.....].>O..^.....M+.wG.a....
=V[...]...!T......|...O.....Y
...%.....E'..#.Sn.a...&..vAZ..'\.......&@m6G`.w.e...
gX...C.&.GQ'....U..wU..].66;..&.)C..**Ly.6wx....+.K......y(....k....f..
..2o..e...|.;.w...&[email protected]......&..;...m..6A....r...L.L.P.&z..[........
!..:w.ySCm..W.c..>.......r...;.26..nV..|...$.N...b...............u....*Z...*/...tX6.<,.}^.A.X..+...._.G.....JV..Z^5.r.w..t..H@..$.l..`.s......<.L.$...#.K0........VU...>...
e...:......Z_n.,6.ZgE^/ .m.. ..V.hi...&a../......{.....l.m...j..>by..
OT.......j,-B.`..#....M"....D....i..;[email protected].}....&x........<...1=......s_..I.q...G....MXW....
.{...E.g.f....j..;....X...n.Y..sG.9x..Jf..hd.p.{..LQ.X".J.....8.F...y.X.X...
b.
Apr 18 14:46:43.384390 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 1514:
172.25.87.91.80 > 172.25.87.253.36740: . [bad tcp cksum d5a! -> 9b80]
3107:4555(1448) ack 151 win 271 <nop,nop,timestamp 162981045 3036951221> (ttl
64, id 54451, len 1500)
[email protected][..W..P..#K.I........
Z.....
.....2.3..h..5U..U..y.e..u..P7.im..1........z..L.U....V.........e..^..-.+m.2..xX..!T...2U.
..*..6..{........k.Xa.G..'....t......s.:k.+...c
C.@......}..].>...Z...@.....)].OU.6.=..n.XB..wj.v)...}X7.j.m.....k...`.!.k.........KSm..l..
.....P...Ua6`.
0e....%.M...........D...b..y.*....>...Gg...[.....................V...0...bQ..k]c....M.........v2.W...WM.....^%oj,|.9.{.......lC.V...oQ......N....g.2C.u.W-..r|...u..[...u^....V.b.G...>....y..L}.;,...&+.j.....r2T..dh.4."S:.....BS..d..l(..a..v..S:.qe*...l..{...{...Y`........5.#p......j...?,.|.........>.x.n...3...rgUL.......-M..IP....f.O...h.<......P.t.Z....i..6
.....s..D"....n.>.\.....)][|.....T......a...
...|...v. ....{.u..:A...&_...6.
.M...5.....i..V.......P.f....Py
M..3Vm...g-6T6U([email protected]..
...Uxgz.]......^F..\.^....L.5.....b.D.>2P7.2w...............H...f.m..7......)<.>o....O..k.K../h.-.........>T.=.7...G.....,..P.....{.j!...{........................]^....E^..B.LV..j..9.l....P.@&.....
%.~...n..Ty..u..=..e.U..}..:.fd/gf........M...L.....fQa;.
..>.&<..."...L.l............e{...`....B(6..........#0.............d...Y..+.`x.....=.C...>T..S....L....}..<;....1..."...
Ve...4.;.m...*(Ci.r...M....a.MXG..(.n..e.}...c.j.Z..`.
U...l...!kW..u...O....Si..V..XU.v,..3T...*.....Y.....P.)w.n......G68....c^.U...n]`
.c.r..b].)7...`..........e.b.y.......U{...
Q..lX...'3.....S.f7qx..1.yx.{....`.z.67.`.................r.,.Y{^?&..d....+;...,/M..|....-ai~
...\.....W...:.OX.X..I. ....Fa.U[.....e.2
Apr 18 14:46:43.384409 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 1514:
172.25.87.91.80 > 172.25.87.253.36740: . [bad tcp cksum d5a! -> 2219]
4555:6003(1448) ack 151 win 271 <nop,nop,timestamp 162981045 3036951221> (ttl
64, id 20081, len 1500)
.PV..Y.PVSS...E...Nq..@.. ..W[..W..P..#K..........
Z.....
.....2..v.l.P.....e.u..l.....t..c.|..h._d.;.C....z.........X.u.m..UX....M..........u......9.......Yv.7.....L..K+.xI....EX.-v|{....
.r.E..T....\......D..1g(C..A-\s..:+..u7ky.KD.....?.*..b...{w......
......B...!.q{>.g...!....w..C^.`.MX...f
V..4
>9..#V...~....=..:...:..x.....MXo3..Lp{..w...c..V0.u.".w`.....T.4y y
>~]....Mi.tO.[..w.....W.....K...NC...k...]7T...`Q#.U.lZ...Qn...*...PA....>.....L_.U.......i...<lO..B..|Z>..P..d..`l..wO..g....`..._..N^..n....t...=n...uh.....[..Z...G...Y...:........%(.R./..IS.3......=..]Z..$wO.N....b.;...\...EM.v....Y.B...|.
.r..U..*z.p..`....`[lv..s.w.).t..
..8zjI].J.%..>T6/.v,.;R.q.M.^Td....
.`CY...........e....B}.(v....9.K_..../.n?...S..^......-.....^c..(..BSa......U......*T..#0w...?z..}......6].........m.-G....Vg..q..m......<..C.....k..:_..........Y..uy....v.mv...jZ.}..../6q..Q.........L2..n.g..h...G...1E...
q..w..~.l..io....a{......B........,...[.&..)F.....k.......o....M.D......d.M.*...w.
_.%.....v.}^.Ry
.,..e[..
.ek.h.....L..a.]....Wv...Sv..d.xt...~..5jA..<..i.X.Y.j.@Y.*...[.G..
..ZW.P.>.-/....M...w.O....U.VX5..=....}.^....A.l....^.E...O._... ..
.S...&/...:.}..c..d....h..F.rU.........^.W..Mn.>..4..V.V.NKNt.%Va.....lK...!T..C.~.H..^...i..$/...............
:[email protected]{[email protected].......[Y{...Q'd.~.....`.
[G.....(.?..]5].O.."Ta}.(6]..CW$fX.x..@./.U.U..%....@|...=.)..u.>.Xy..>.y....6....q.M.m`G......n.....t.E/.."[email protected].........}...4....,.j..v*Gmk.i..>....9%.
.2.w..B..c]w..;.....
Apr 18 14:46:43.384436 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 1514:
172.25.87.91.80 > 172.25.87.253.36740: . [bad tcp cksum d5a! -> c438]
6003:7451(1448) ack 151 win 271 <nop,nop,timestamp 162981045 3036951221> (ttl
64, id 30685, len 1500)
[email protected][..W..P..#K..........
Z.....
.....2..5mt...yiC.
.i......hj...`.....6{........w[.........F.oy..p.^...n..Z...
_"4..|.....]<...yQD.B./..T..P..*oz#\UXc............
...6&/. Q.p.%><vP......>........5...X....M^...z..w.7..2...?........X.y...B.u.;
u]......0M..U.......k..........O...I.?!..
U.5.d.~.....*.h.:.....F...}K...l..a
}....=V...w'.m]".}.....X..L...&/........;.{b....V..l..........u=.>T;.t..n...<r..}a..
7d....B....K...... c..x..i8.y....02..u..ei....S.Q...U....iAc.u..[.; @
.C.......SX.m.^/L..T:...#[........NW..~|{;....".J....d.n6....nn..../a:..bO..v2..389.......|r;...
....].G0.....&....9.Ln/......|......d..b........'..9.?.\E.......l...x>9........Woa~>.........s8..8...`|u...[...On.f|;.Nf..........n<...;x?.._..o...3._}.?O.N.`2..Ona...v2.MN..[.^.\L'.G0.:.xw:.z{.o....z.....|r
..#..O.w{.............j>~3...?.........../..................%..Oo'p;......[....o..Ln..o/.W'..>{.....s.x...`v~..............
.N.&'....#.x.......I...9\......&'..l|..f....'...G...f<...[8........W.oa.0...k..8.......l.....................;....^\......?..[._}................zD..m..S...v.s..........t..b..k.x....o.t|9~;..E[%........f7.......W'....||....l..w...t|.3...t6.z.]...[.n6..[.^.:2...v..q.g......z6..38...p}...f2.z..........W...w.....o..z6..`.n6.O.&...c....\...|z{...\.......w./tl~
.7...|...vCz%..>....+......y.{..j?..x.o&.+...8.MN.q....l...u..[.....:.j......G.....m..x.*6..:.jYC..cXWp..}...h..8..".....c......K...w....&Z......6...]Wqc.......".{l....}i>!.M.4..1p{a...)..s.t{X........m...9=.F.f..{Xz......X7
Apr 18 14:46:43.384449 00:50:56:53:53:06 00:50:56:a2:e3:59 0800 1514:
172.25.87.91.80 > 172.25.87.253.36740: . [bad tcp cksum d5a! -> bb65]
7451:8899(1448) ack 151 win 271 <nop,nop,timestamp 162981045 3036951221> (ttl
64, id 18815, len 1500)
.PV..Y.PVSS...E...I...@.$...W[..W..P..#K.A........
Z.....
.....2.Q.v....u.5.........n/..7P..A..{.tgV.X.]...llJ...y.P/..pmb...G....m:...y..V.
y..........u{.....lX..k...PbK.w..,..j([email protected]|..m..x9...l..{..i...]?....z....E...y?...aX....i..........=....EXu.|.l..u.~]...".f...W......
....!_....cKg.....8...
.3Dh.m...en..W..Yu7..a.D...)....3..#v.1...{.=..9..G...N..o...E...`.{.#...Q.....&.!...h.*.............|....=..w......"T..."..:..a.%.M....J..F.ep..S.-.2...}..*9zf..4..S[~An......7...w.......{.......
[email protected]...........
r.6.,6..,...).{.{.............%O....g..lXW.Y..x...u..4.(C..(..U."/.v.>........x.%d.-....-r...P...5.
....aa...
.u...no.wwH.....p..........U..}...Q/.z
.M.*.."..=.(.~.:.+..D...8.=.S....G%Z.....y..n.6.U...=T.,.J.......
nSbo...0.l.j.......+....w.G.......^u..........>....~....
.`.X.....:."..l.I..B.0..I...........I.D.?8..
.....cn..u....e........{....M.v..n.r`{.V.."..:....K...b.-D.....7..oc.4.....Oyy.{.v.W..])Q....Z...7....]8............Kh._......3y.9.K..7........OJ....?.sR.......oR..xU.#T..GR...BR.9.SF$W.......i.!."a.....U#..R.D.
d$..%<.,.^[.3c9g.....DX..TN..M....M.U.b.;v.].J...1.1...a.b.x...*.H.WVH..Kx.\...".&.&"..H....T..S.
..3........Ta.\B.Ge.:....f.....,f.S..'.C.,.$Q2.....`.H...2.3...V..h.,..Y.h+...Gx......Z..-\...2BT.".....Jl.ef.$.P+.W.Z...U.\,.......3/Q)J,.[...KNR.S......Xx$.QI..>..U
S.......a...2mi.8.....Wg).D2.9Mm.......P).......-..Knel%7FxT*..2.,.5c.....:..4.q....Z..2&.-..h....C.s/b...mB.%.M.QT).d.v..
And lots more data...1492545617.354943 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 74:
172.25.87.251.49942 > 172.25.87.91.80: S [tcp sum ok] 3097595766:3097595766(0)
win 29200 <mss 1460,sackOK,timestamp 2333601502 0,nop,wscale 7> (DF) (ttl 64,
id 25000, len 60)
.PVSS..PV.....E..<a.@[email protected][...P...v......r.H..........
............
0.018776 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 78: 172.25.87.91.80 >
172.25.87.251.49942: S [tcp sum ok] 3321130527:3321130527(0) ack 3097595767 win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 3494527956
2333601502> (ttl 64, id 37628, len 64)
.PV....PVSS...E..@[email protected][..W..P....n....w..@. ..................
.JC.....
0.000781 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49942 >
172.25.87.91.80: . [tcp sum ok] 1:1(0) ack 1 win 229 <nop,nop,timestamp
2333601618 3494527956> (DF) (ttl 64, id 25001, len 52)
.PVSS..PV.....E..4a.@[email protected][...P...w..n .....0.....
...R.JC.
0.000017 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 285: 172.25.87.251.49942 >
172.25.87.91.80: P [tcp sum ok] 1:220(219) ack 1 win 229 <nop,nop,timestamp
2333601618 3494527956> (DF) (ttl 64, id 25002, len 271)
.PVSS..PV.....E...a.@[email protected][...P...w..n .....q.....
...R.JC.GET /main.cld HTTP/1.0
Host: obsd-build.llan.ll.mit.edu
User-Agent: ClamAV/0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Connection: close
Range: bytes=0-511
If-Modified-Since: Wed, 16 Mar 2016 23:17:06 GMT
0.002066 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 644: 172.25.87.91.80 >
172.25.87.251.49942: P [bad tcp cksum 9f2! -> 6979] 1:579(578) ack 220 win 271
<nop,nop,timestamp 3494527957 2333601618> (ttl 64, id 61232, len 630)
[email protected][..W..P....n ...R.... ......
.JC....RHTTP/1.0 404 Not Found
Date: Tue, 18 Apr 2017 20:00:17 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 427
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>404 Not Found</title>
<style type="text/css"><!--
body { background-color: white; color: black; font-family: 'Comic Sans MS',
'Chalkboard SE', 'Comic Neue', sans-serif; }
hr { border: 0; border-bottom: 1px dashed; }
--></style>
</head>
<body>
<h1>404 Not Found</h1>
<hr>
<address>OpenBSD httpd</address>
</body>
</html>
0.000184 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 66: 172.25.87.91.80 >
172.25.87.251.49942: F [bad tcp cksum 7b0! -> 9ce7] 579:579(0) ack 220 win 271
<nop,nop,timestamp 3494527957 2333601618> (ttl 64, id 65019, len 52)
[email protected]?..W[..W..P....pb...R...........
.JC....R
0.000510 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49942 >
172.25.87.91.80: . [tcp sum ok] 220:220(0) ack 579 win 238 <nop,nop,timestamp
2333601621 3494527957> (DF) (ttl 64, id 25003, len 52)
.PVSS..PV.....E..4a.@[email protected][...P...R..pb...........
...U.JC.
0.000149 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49942 >
172.25.87.91.80: F [tcp sum ok] 220:220(0) ack 580 win 238 <nop,nop,timestamp
2333601621 3494527957> (DF) (ttl 64, id 25004, len 52)
.PVSS..PV.....E..4a.@[email protected][...P...R..pc...........
...U.JC.
0.000059 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 66: 172.25.87.91.80 >
172.25.87.251.49942: . [bad tcp cksum 7b0! -> 9ce3] 580:580(0) ack 221 win 271
<nop,nop,timestamp 3494527957 2333601621> (ttl 64, id 10554, len 52)
.PV....PVSS...E..4):[email protected][..W..P....pc...S...........
.JC....U
0.000146 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 74: 172.25.87.251.49944 >
172.25.87.91.80: S [tcp sum ok] 2840028106:2840028106(0) win 29200 <mss
1460,sackOK,timestamp 2333601621 0,nop,wscale 7> (DF) (ttl 64, id 35999, len 60)
.PVSS..PV.....E..<..@[email protected][...P.Gc.......r..~.........
...U........
0.000061 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 78: 172.25.87.91.80 >
172.25.87.251.49944: S [tcp sum ok] 2157016543:2157016543(0) ack 2840028107 win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 3915303509
2333601621> (ttl 64, id 560, len 64)
[email protected][email protected][[email protected].................
.^.U...U
0.000383 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49944 >
172.25.87.91.80: . [tcp sum ok] 1:1(0) ack 1 win 229 <nop,nop,timestamp
2333601622 3915303509> (DF) (ttl 64, id 36000, len 52)
.PVSS..PV.....E..4..@[email protected][...P.Gc...u.....y>.....
...V.^.U
0.000025 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 285: 172.25.87.251.49944 >
172.25.87.91.80: P [tcp sum ok] 1:220(219) ack 1 win 229 <nop,nop,timestamp
2333601622 3915303509> (DF) (ttl 64, id 36001, len 271)
.PVSS..PV.....E.....@[email protected][...P.Gc...u......u.....
...V.^.UGET /main.cvd HTTP/1.0
Host: obsd-build.llan.ll.mit.edu
User-Agent: ClamAV/0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Connection: close
Range: bytes=0-511
If-Modified-Since: Wed, 16 Mar 2016 23:17:06 GMT
0.001310 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 322: 172.25.87.91.80 >
172.25.87.251.49944: P [bad tcp cksum 8b0! -> 2c80] 1:257(256) ack 220 win 271
<nop,nop,timestamp 3915303509 2333601622> (ttl 64, id 57421, len 308)
[email protected][..W..P....u..Gd............
.^.U...VHTTP/1.0 206 Partial Content
Connection: close
Content-Length: 512
Content-Range: bytes 0-511/109143933
Content-Type: application/octet-stream
Date: Tue, 18 Apr 2017 20:00:17 GMT
Last-Modified: Tue, 18 Apr 2017 20:00:06 GMT
Server: OpenBSD httpd
0.000295 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49944 >
172.25.87.91.80: . [tcp sum ok] 220:220(0) ack 257 win 237 <nop,nop,timestamp
2333601624 3915303509> (DF) (ttl 64, id 36002, len 52)
.PVSS..PV.....E..4..@[email protected][...P.Gd...v.....wY.....
...X.^.U
0.000051 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 578: 172.25.87.91.80 >
172.25.87.251.49944: P [bad tcp cksum 9b0! -> 18ae] 257:769(512) ack 220 win
271 <nop,nop,timestamp 3915303509 2333601624> (ttl 64, id 50771, len 564)
[email protected][..W..P....v..Gd..... ......
.^.U...XClamAV-VDB:16 Mar 2016 23-17
+0000:57:4218790:60:06386f34a16ebeea2733ab037f0536be:AIzk/LYbX8K9OEbR5GMyJ6LWTqSu9ffa5bONcA0FN3+onMlZ2BMRzuyvVURBvAZvOaGPdtMBcgDJSl7fGxDfcxRWhIrQ98f8FPdAQaFPgWu3EX46ufw+IRZnM4irKKYuh1GdCIbsGs6jejWo9iNErsbDqkFSobVBkUJYxBgvqfd:amishhammer:1458170226
0.000323 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49944 >
172.25.87.91.80: . [tcp sum ok] 220:220(0) ack 769 win 245 <nop,nop,timestamp
2333601624 3915303509> (DF) (ttl 64, id 36003, len 52)
.PVSS..PV.....E..4..@[email protected][...P.Gd...x.....uQ.....
...X.^.U
30.030310 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49944 >
172.25.87.91.80: F [tcp sum ok] 220:220(0) ack 769 win 245 <nop,nop,timestamp
2333631654 3915303509> (DF) (ttl 64, id 36004, len 52)
.PVSS..PV.....E..4..@[email protected][...P.Gd...x............
..d..^.U
0.000175 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 66: 172.25.87.91.80 >
172.25.87.251.49944: . [bad tcp cksum 7b0! -> ffab] 769:769(0) ack 221 win 271
<nop,nop,timestamp 3915303569 2333631654> (ttl 64, id 28862, len 52)
.PV....PVSS...E..4p...@..}..W[..W..P....x..Gd............
.^....d.
5.002053 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 74: 172.25.87.251.49946 >
172.25.87.91.80: S [tcp sum ok] 2158310066:2158310066(0) win 29200 <mss
1460,sackOK,timestamp 2333636656 0,nop,wscale 7> (DF) (ttl 64, id 19074, len 60)
.PVSS..PV.....E..<J.@[email protected][...P..2.......r.T[.........
..x0........
0.000223 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 78: 172.25.87.91.80 >
172.25.87.251.49946: S [tcp sum ok] 1425013547:1425013547(0) ack 2158310067 win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 3874856988
2333636656> (ttl 64, id 40649, len 64)
.PV....PVSS...E..@[email protected][..W..P..T..+..2...@..'.................
......x0
0.000648 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49946 >
172.25.87.91.80: . [tcp sum ok] 1:1(0) ack 1 win 229 <nop,nop,timestamp
2333636657 3874856988> (DF) (ttl 64, id 19075, len 52)
.PVSS..PV.....E..4J.@[email protected][...P..2.T..,...........
..x1....
0.000017 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 285: 172.25.87.251.49946 >
172.25.87.91.80: P [tcp sum ok] 1:220(219) ack 1 win 229 <nop,nop,timestamp
2333636657 3874856988> (DF) (ttl 64, id 19076, len 271)
.PVSS..PV.....E...J.@[email protected][...P..2.T..,....|T.....
..x1....GET /main.cld HTTP/1.0
Host: obsd-build.llan.ll.mit.edu
User-Agent: ClamAV/0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Connection: close
Range: bytes=0-511
If-Modified-Since: Wed, 16 Mar 2016 23:17:06 GMT
0.000545 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 644: 172.25.87.91.80 >
172.25.87.251.49946: P [bad tcp cksum 9f2! -> eb58] 1:579(578) ack 220 win 271
<nop,nop,timestamp 3874856988 2333636657> (ttl 64, id 39492, len 630)
[email protected][..W..P..T..,..3..... ......
......x1HTTP/1.0 404 Not Found
Date: Tue, 18 Apr 2017 20:00:52 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 427
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>404 Not Found</title>
<style type="text/css"><!--
body { background-color: white; color: black; font-family: 'Comic Sans MS',
'Chalkboard SE', 'Comic Neue', sans-serif; }
hr { border: 0; border-bottom: 1px dashed; }
--></style>
</head>
<body>
<h1>404 Not Found</h1>
<hr>
<address>OpenBSD httpd</address>
</body>
</html>
0.000046 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 66: 172.25.87.91.80 >
172.25.87.251.49946: F [bad tcp cksum 7b0! -> 19cb] 579:579(0) ack 220 win 271
<nop,nop,timestamp 3874856988 2333636657> (ttl 64, id 22550, len 52)
.PV....PVSS...E..4X...@..%..W[..W..P..T..n..3............
......x1
0.000426 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49946 >
172.25.87.91.80: . [tcp sum ok] 220:220(0) ack 579 win 238 <nop,nop,timestamp
2333636658 3874856988> (DF) (ttl 64, id 19077, len 52)
.PVSS..PV.....E..4J.@[email protected][...P..3.T..n...........
..x2....
0.000018 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49946 >
172.25.87.91.80: F [tcp sum ok] 220:220(0) ack 580 win 238 <nop,nop,timestamp
2333636658 3874856988> (DF) (ttl 64, id 19078, len 52)
.PVSS..PV.....E..4J.@[email protected][...P..3.T..o...........
..x2....
0.000140 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 74: 172.25.87.251.49948 >
172.25.87.91.80: S [tcp sum ok] 2619812669:2619812669(0) win 29200 <mss
1460,sackOK,timestamp 2333636659 0,nop,wscale 7> (DF) (ttl 64, id 21262, len 60)
.PVSS..PV.....E..<S.@.@..$..W...W[...P.'+=......r.@I.........
..x3........
0.000077 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 66: 172.25.87.91.80 >
172.25.87.251.49946: . [bad tcp cksum 7b0! -> 19c9] 580:580(0) ack 221 win 271
<nop,nop,timestamp 3874856988 2333636658> (ttl 64, id 37390, len 52)
.PV....PVSS...E..4....@..,..W[..W..P..T..o..3............
......x2
0.000038 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 78: 172.25.87.91.80 >
172.25.87.251.49948: S [tcp sum ok] 3102731860:3102731860(0) ack 2619812670 win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 1445866743
2333636659> (ttl 64, id 21184, len 64)
.PV....PVSS...E..@R...@. o..W[..W..P.....T.'+>[email protected]..................
V.,...x3
0.000377 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49948 >
172.25.87.91.80: . [tcp sum ok] 1:1(0) ack 1 win 229 <nop,nop,timestamp
2333636659 1445866743> (DF) (ttl 64, id 21263, len 52)
.PVSS..PV.....E..4S.@.@..+..W...W[...P.'+>...U...........
..x3V.,.
0.000012 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 285: 172.25.87.251.49948 >
172.25.87.91.80: P [tcp sum ok] 1:220(219) ack 1 win 229 <nop,nop,timestamp
2333636659 1445866743> (DF) (ttl 64, id 21264, len 271)
.PVSS..PV.....E...S.@[email protected][...P.'+>...U...........
..x3V.,.GET /main.cvd HTTP/1.0
Host: obsd-build.llan.ll.mit.edu
User-Agent: ClamAV/0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Connection: close
Range: bytes=0-511
If-Modified-Since: Wed, 16 Mar 2016 23:17:06 GMT
0.000963 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 322: 172.25.87.91.80 >
172.25.87.251.49948: P [bad tcp cksum 8b0! -> 6e03] 1:257(256) ack 220 win 271
<nop,nop,timestamp 1445866743 2333636659> (ttl 64, id 58817, len 308)
[email protected][..W..P.....U.',............
V.,...x3HTTP/1.0 206 Partial Content
Connection: close
Content-Length: 512
Content-Range: bytes 0-511/109143933
Content-Type: application/octet-stream
Date: Tue, 18 Apr 2017 20:00:52 GMT
Last-Modified: Tue, 18 Apr 2017 20:00:06 GMT
Server: OpenBSD httpd
0.000437 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49948 >
172.25.87.91.80: . [tcp sum ok] 220:220(0) ack 257 win 237 <nop,nop,timestamp
2333636660 1445866743> (DF) (ttl 64, id 21265, len 52)
.PVSS..PV.....E..4S.@.@..)..W...W[...P.',....U...........
..x4V.,.
0.000160 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 578: 172.25.87.91.80 >
172.25.87.251.49948: P [bad tcp cksum 9b0! -> 5536] 257:769(512) ack 220 win
271 <nop,nop,timestamp 1445866743 2333636660> (ttl 64, id 30160, len 564)
[email protected][..W..P.....U.',..... ......
V.,...x4ClamAV-VDB:16 Mar 2016 23-17
+0000:57:4218790:60:06386f34a16ebeea2733ab037f0536be:AIzk/LYbX8K9OEbR5GMyJ6LWTqSu9ffa5bONcA0FN3+onMlZ2BMRzuyvVURBvAZvOaGPdtMBcgDJSl7fGxDfcxRWhIrQ98f8FPdAQaFPgWu3EX46ufw+IRZnM4irKKYuh1GdCIbsGs6jejWo9iNErsbDqkFSobVBkUJYxBgvqfd:amishhammer:1458170226
0.000360 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49948 >
172.25.87.91.80: . [tcp sum ok] 220:220(0) ack 769 win 245 <nop,nop,timestamp
2333636661 1445866743> (DF) (ttl 64, id 21266, len 52)
.PVSS..PV.....E..4S.@.@..(..W...W[...P.',....U...........
..x5V.,.
30.020727 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49948 >
172.25.87.91.80: F [tcp sum ok] 220:220(0) ack 769 win 245 <nop,nop,timestamp
2333666682 1445866743> (DF) (ttl 64, id 21267, len 52)
.PVSS..PV.....E..4S.@.@..'..W...W[...P.',....U....<......
...zV.,.
0.000160 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 66: 172.25.87.91.80 >
172.25.87.251.49948: . [bad tcp cksum 7b0! -> 3c3c] 769:769(0) ack 221 win 271
<nop,nop,timestamp 1445866803 2333666682> (ttl 64, id 30945, len 52)
[email protected][..W..P.....U.',............
V.-3...z
5.002344 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 74: 172.25.87.251.49996 >
172.25.87.91.80: S [tcp sum ok] 4216187497:4216187497(0) win 29200 <mss
1460,sackOK,timestamp 2333671684 0,nop,wscale 7> (DF) (ttl 64, id 60269, len 60)
.PVSS..PV.....E..<.m@[email protected][.L.P.M.i......r............
............
0.000203 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 78: 172.25.87.91.80 >
172.25.87.251.49996: S [tcp sum ok] 2826075449:2826075449(0) ack 4216187498 win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 1456298716
2333671684> (ttl 64, id 9543, len 64)
.PV....PVSS...E..@%[email protected][..W..P.L.r}9.M.j..@....................
V.Z.....
0.000624 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49996 >
172.25.87.91.80: . [tcp sum ok] 1:1(0) ack 1 win 229 <nop,nop,timestamp
2333671685 1456298716> (DF) (ttl 64, id 60270, len 52)
.PVSS..PV.....E..4.n@[email protected][.L.P.M.j.r}:....a......
....V.Z.
0.000017 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 285: 172.25.87.251.49996 >
172.25.87.91.80: P [tcp sum ok] 1:220(219) ack 1 win 229 <nop,nop,timestamp
2333671685 1456298716> (DF) (ttl 64, id 60271, len 271)
.PVSS..PV.....E....o@[email protected][.L.P.M.j.r}:...........
....V.Z.GET /main.cld HTTP/1.0
Host: obsd-build.llan.ll.mit.edu
User-Agent: ClamAV/0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Connection: close
Range: bytes=0-511
If-Modified-Since: Wed, 16 Mar 2016 23:17:06 GMT
0.000518 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 644: 172.25.87.91.80 >
172.25.87.251.49996: P [bad tcp cksum 9f2! -> 2acc] 1:579(578) ack 220 win 271
<nop,nop,timestamp 1456298716 2333671685> (ttl 64, id 39925, len 630)
[email protected][..W..P.L.r}:.M.E.... ......
V.Z.....HTTP/1.0 404 Not Found
Date: Tue, 18 Apr 2017 20:01:27 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 427
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>404 Not Found</title>
<style type="text/css"><!--
body { background-color: white; color: black; font-family: 'Comic Sans MS',
'Chalkboard SE', 'Comic Neue', sans-serif; }
hr { border: 0; border-bottom: 1px dashed; }
--></style>
</head>
<body>
<h1>404 Not Found</h1>
<hr>
<address>OpenBSD httpd</address>
</body>
</html>
0.000381 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 66: 172.25.87.91.80 >
172.25.87.251.49996: F [bad tcp cksum 7b0! -> 5e3c] 579:579(0) ack 220 win 271
<nop,nop,timestamp 1456298716 2333671685> (ttl 64, id 64528, len 52)
[email protected]*..W[..W..P.L.r.|.M.E...........
V.Z.....
0.000296 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49996 >
172.25.87.91.80: . [tcp sum ok] 220:220(0) ack 579 win 238 <nop,nop,timestamp
2333671686 1456298716> (DF) (ttl 64, id 60272, len 52)
.PVSS..PV.....E..4.p@[email protected][.L.P.M.E.r.|....^].....
....V.Z.
0.000473 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49996 >
172.25.87.91.80: F [tcp sum ok] 220:220(0) ack 580 win 238 <nop,nop,timestamp
2333671687 1456298716> (DF) (ttl 64, id 60273, len 52)
.PVSS..PV.....E..4.q@[email protected][.L.P.M.E.r.}....^Z.....
....V.Z.
0.000068 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 74: 172.25.87.251.49998 >
172.25.87.91.80: S [tcp sum ok] 698483125:698483125(0) win 29200 <mss
1460,sackOK,timestamp 2333671687 0,nop,wscale 7> (DF) (ttl 64, id 178, len 60)
.PVSS..PV.....E..<..@[email protected][.N.P).........r.SP.........
............
0.000047 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 66: 172.25.87.91.80 >
172.25.87.251.49996: . [bad tcp cksum 7b0! -> 5e39] 580:580(0) ack 221 win 271
<nop,nop,timestamp 1456298716 2333671687> (ttl 64, id 4106, len 52)
.PV....PVSS...E..4.
[email protected][..W..P.L.r.}.M.F...........
V.Z.....
0.000085 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 78: 172.25.87.91.80 >
172.25.87.251.49998: S [tcp sum ok] 2562563964:2562563964(0) ack 698483126 win
16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 3600247221
2333671687> (ttl 64, id 42774, len 64)
.PV....PVSS...E..@[email protected][..W..P.N...|).....@....................
..i.....
0.000733 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49998 >
172.25.87.91.80: . [tcp sum ok] 1:1(0) ack 1 win 229 <nop,nop,timestamp
2333671688 3600247221> (DF) (ttl 64, id 179, len 52)
.PVSS..PV.....E..4..@[email protected][.N.P)......}....z......
......i.
0.000011 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 285: 172.25.87.251.49998 >
172.25.87.91.80: P [tcp sum ok] 1:220(219) ack 1 win 229 <nop,nop,timestamp
2333671688 3600247221> (DF) (ttl 64, id 180, len 271)
.PVSS..PV.....E.....@[email protected][.N.P)......}...........
......i.GET /main.cvd HTTP/1.0
Host: obsd-build.llan.ll.mit.edu
User-Agent: ClamAV/0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Connection: close
Range: bytes=0-511
If-Modified-Since: Wed, 16 Mar 2016 23:17:06 GMT
0.000379 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 322: 172.25.87.91.80 >
172.25.87.251.49998: P [bad tcp cksum 8b0! -> 2dee] 1:257(256) ack 220 win 271
<nop,nop,timestamp 3600247221 2333671688> (ttl 64, id 57832, len 308)
[email protected][..W..P.N...})..............
..i.....HTTP/1.0 206 Partial Content
Connection: close
Content-Length: 512
Content-Range: bytes 0-511/109143933
Content-Type: application/octet-stream
Date: Tue, 18 Apr 2017 20:01:27 GMT
Last-Modified: Tue, 18 Apr 2017 20:00:06 GMT
Server: OpenBSD httpd
0.000623 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49998 >
172.25.87.91.80: . [tcp sum ok] 220:220(0) ack 257 win 237 <nop,nop,timestamp
2333671689 3600247221> (DF) (ttl 64, id 181, len 52)
.PVSS..PV.....E..4..@[email protected][.N.P)......}....x......
... ..i.
0.000130 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 578: 172.25.87.91.80 >
172.25.87.251.49998: P [bad tcp cksum 9b0! -> 1a1f] 257:769(512) ack 220 win
271 <nop,nop,timestamp 3600247221 2333671689> (ttl 64, id 44957, len 564)
[email protected][..W..P.N...})....... ......
..i.... ClamAV-VDB:16 Mar 2016 23-17
+0000:57:4218790:60:06386f34a16ebeea2733ab037f0536be:AIzk/LYbX8K9OEbR5GMyJ6LWTqSu9ffa5bONcA0FN3+onMlZ2BMRzuyvVURBvAZvOaGPdtMBcgDJSl7fGxDfcxRWhIrQ98f8FPdAQaFPgWu3EX46ufw+IRZnM4irKKYuh1GdCIbsGs6jejWo9iNErsbDqkFSobVBkUJYxBgvqfd:amishhammer:1458170226
0.000596 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49998 >
172.25.87.91.80: . [tcp sum ok] 220:220(0) ack 769 win 245 <nop,nop,timestamp
2333671689 3600247221> (DF) (ttl 64, id 182, len 52)
.PVSS..PV.....E..4..@[email protected][.N.P)......}....v......
... ..i.
30.023652 00:50:56:87:1f:bc 00:50:56:53:53:06 0800 66: 172.25.87.251.49998 >
172.25.87.91.80: F [tcp sum ok] 220:220(0) ack 769 win 245 <nop,nop,timestamp
2333701713 3600247221> (DF) (ttl 64, id 183, len 52)
.PVSS..PV.....E..4..@[email protected][.N.P)......}.....y.....
..vQ..i.
0.000086 00:50:56:53:53:06 00:50:56:87:1f:bc 0800 66: 172.25.87.91.80 >
172.25.87.251.49998: . [bad tcp cksum 7b0! -> 123] 769:769(0) ack 221 win 271
<nop,nop,timestamp 3600247281 2333701713> (ttl 64, id 19808, len 52)
.PV....PVSS...E..4M`..@.%...W[..W..P.N...})..............
..i...vQ
