[Chilli] CoovaChilli Kernel Mode issue

Steffen Dettmer steffen.dettmer at nomadrail.com
Wed Apr 9 10:12:36 UTC 2014


* Phyo Wai Soe [mailto:phyo.w.soe at frontiir.net]:
> Hi Steffen,
>
> We did tcpdumps on the Coova's tunnel interface and on clients. We found many duplicate acknowledgements and "TCP Previous segment lost" messages before the server sent reset packets to the client.

Hi,

Thanks for the information! I don't understand the traces; some
packets look really strange, don't they?

> 20:50:26.524474 IP 192.168.99.2.34415 > 192.168.99.1.3990: Flags [S], seq 2120304631, win 14600, options [mss 1460,sackOK,TS val 14568535 ecr 0,nop,wscale 3], length 0
> 20:50:26.524499 IP 192.168.99.1.3990 > 192.168.99.2.34415: Flags [S.], seq 3365942092, ack 2120304632, win 14480, options [mss 1460,sackOK,TS val 3557659 ecr 14568535,nop,wscale 3], length 0
> 20:50:26.529791 IP 192.168.99.2.34415 > 192.168.99.1.3990: Flags [.], ack 1, win 1825, options [nop,nop,TS val 14568535 ecr 3557659], length 0
> 20:50:26.530550 IP 192.168.99.2.34415 > 192.168.99.1.3990: Flags [.], ack 1, win 1825, options [nop,nop,TS val 14568535 ecr 3557659], length 0

Yeah, this looks like a duplication... The timing is interesting, 0.7 ms.
In order of magnitude of a LAN, it seems a bit too long for a local
package duplication effect.

Looks like a working connection without any data (yet).
The acks of #3 and #4 are adjusted by tcpdump and look good.

Then the second connection on the new port:

> 20:50:26.531265 IP 192.168.99.2.34416 > 192.168.99.1.3990: Flags [S], seq 2564554410, win 14600, options [mss 1460,sackOK,TS val 14568536 ecr 0,nop,wscale 3], length 0
> 20:50:26.531286 IP 192.168.99.1.3990 > 192.168.99.2.34416: Flags [S.], seq 1593443429, ack 2564554411, win 14480, options [mss 1460,sackOK,TS val 3557661 ecr 14568536,nop,wscale 3], length 0
> 20:50:26.531548 IP 192.168.99.2.34416 > 192.168.99.1.3990: Flags [.], ack 933068581, win 1825, options [nop,nop,TS val 14568536 ecr 3557660], length 0

This looks odd, the ack number seems not to match anything, from
the client, 0.26ms (half the time as before) after the SYNACK.

> 20:50:26.531563 IP 192.168.99.1.3990 > 192.168.99.2.34416: Flags [R], seq 2526512010, win 0, length 0

This sequence number also is out of order (out of any receive
window we saw) but has no ACK set, as it is not part of an
established connection. Strange.

> 20:50:26.532146 IP 192.168.99.2.34416 > 192.168.99.1.3990: Flags [P.], seq 1:683, ack 933068581, win 1825, options [nop,nop,TS val 14568537 ecr 3557660], length 682
> 20:50:26.532158 IP 192.168.99.1.3990 > 192.168.99.2.34416: Flags [R], seq 2526512010, win 0, length 0

Interesting timing, 0.02ms, or maybe duplication after 0.59ms.

Do you know an explanation for all that?

Steffen
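
Added example (not part of the original message and not CoovaChilli code): a Python check over the quoted trace that rebuilds absolute ack numbers and compares each RST with the segment it answers. It assumes tcpdump ran without -S, so ack values printed after the SYN-ACK are relative to the server's initial sequence number (the `seq 1:683` line is printed that way); `analyze` and the finding names are invented for this example.

```python
import re
# Segments copied from the tcpdump output quoted above (initial SYNs left out).
TRACE = """\
20:50:26.524499 IP 192.168.99.1.3990 > 192.168.99.2.34415: Flags [S.], seq 3365942092, ack 2120304632, win 14480, options [mss 1460,sackOK,TS val 3557659 ecr 14568535,nop,wscale 3], length 0
20:50:26.529791 IP 192.168.99.2.34415 > 192.168.99.1.3990: Flags [.], ack 1, win 1825, options [nop,nop,TS val 14568535 ecr 3557659], length 0
20:50:26.530550 IP 192.168.99.2.34415 > 192.168.99.1.3990: Flags [.], ack 1, win 1825, options [nop,nop,TS val 14568535 ecr 3557659], length 0
20:50:26.531286 IP 192.168.99.1.3990 > 192.168.99.2.34416: Flags [S.], seq 1593443429, ack 2564554411, win 14480, options [mss 1460,sackOK,TS val 3557661 ecr 14568536,nop,wscale 3], length 0
20:50:26.531548 IP 192.168.99.2.34416 > 192.168.99.1.3990: Flags [.], ack 933068581, win 1825, options [nop,nop,TS val 14568536 ecr 3557660], length 0
20:50:26.531563 IP 192.168.99.1.3990 > 192.168.99.2.34416: Flags [R], seq 2526512010, win 0, length 0
20:50:26.532146 IP 192.168.99.2.34416 > 192.168.99.1.3990: Flags [P.], seq 1:683, ack 933068581, win 1825, options [nop,nop,TS val 14568537 ecr 3557660], length 682
20:50:26.532158 IP 192.168.99.1.3990 > 192.168.99.2.34416: Flags [R], seq 2526512010, win 0, length 0
"""
LINE = re.compile(
    r"(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<fl>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
    r"(?:.*?TS val (?P<tsval>\d+) ecr (?P<ecr>\d+))?")

def analyze(trace):
    """Return (timestamp, kind, detail) findings for a tcpdump text capture."""
    synack = {}    # (server, client) -> (server ISN, TS val) taken from the SYN-ACK
    last_ack = {}  # (client, server) -> absolute ack number of the latest segment
    seen, findings = set(), []
    for raw in trace.strip().splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, src, dst, fl = m["ts"], m["src"], m["dst"], m["fl"]
        seq, ack, tsval, ecr = (int(m[k]) if m[k] else None
                                for k in ("seq", "ack", "tsval", "ecr"))
        if fl == "S.":
            synack[(src, dst)] = (seq, tsval)
        elif "R" in fl:
            # RFC 793: a reset answering an unacceptable ACK takes seq = SEG.ACK.
            if seq is not None and last_ack.get((dst, src)) == seq:
                findings.append((ts, "rst-echoes-ack", f"RST seq {seq} = peer's ack"))
        elif ack is not None and (dst, src) in synack:
            isn, syn_ts = synack[(dst, src)]
            # Assumption: no -S, so ack is printed relative to the server ISN.
            absolute = (isn + ack) % 2**32
            last_ack[(src, dst)] = absolute
            body = raw.split(" IP ", 1)[1]
            if body in seen:
                findings.append((ts, "duplicate", "identical segment seen before"))
            seen.add(body)
            if ack != 1:  # valid while the server has sent only its SYN-ACK
                findings.append((ts, "bad-ack", f"ack is ISN+{ack} (absolute "
                    f"{absolute}); TS ecr {ecr}, SYN-ACK TS val {syn_ts}"))
    return findings
```

On this trace the absolute ack of the client's segments on port 34416 equals the sequence number of both resets, and the echoed timestamp differs from the one in the captured SYN-ACK.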


