Noah Davids - Interesting Traces

The following are traces that I have collected that demonstrate something interesting. They have been collected from a number of operating systems and with different tools so the formats will vary.
  1. Firewall Resets
    1. Reset triggered by keepalive packet after 2 hour delay
    2. Reset triggered by delay caused by retransmissions
  2. Windows 2000 ignores a connection attempt
  3. FTP aware NAT device causes FTP process to loop for 2 days sending control messages
  4. WINS Active name error but no one else is using the name
  5. Tracing showing what it looks like when a server is hung and its connection backlog queue becomes full
    1. VOS 14.6.0 - TCP_OS - Listening on port but does not respond to SYNs
    2. VOS 14.6.0 - STCP - Listening on port but responds to SYNs with resets
    3. Microsoft Windows 2000 - Listening on port but responds to SYNs with resets
    4. Linux 2.4 - Red Hat 7.2 - Only the SYN is ACKed
  6. ARP reply is for the broadcast address
  7. Strange frames from a CheckPoint firewall cluster
  8. Trace shows nothing but DNS queries
  9. Faulty Dead Gateway Detection on HP UX 11x
  10. DHCP and DNS problems when a client set his personal firewall to filter more than it should
  11. A loop in the routing tables
  12. The IP address of one interface appears on the network segment of another interface when sending a limited broadcast packet on Windows 2000 server system
  13. An FTP daemon never sends a banner message so the client never prompts for a password and eventually disconnects
  14. NAT device fails to translate embedded IP address in FTP port command. The result is that the client can connect to the FTP server but can't do anything once they are connected.
  15. Every other packet transmitted from a host is being dropped
  16. Odd length packets do not get a response (destination sees CRC errors)
  17. Bogus packets in traces taken on SPAN ports
    1. Bogus Duplicate Packets
    2. Duplicate Broadcasts
  18. Sometimes the network isn't the problem
  19. ICMP Destination unreachable, fragmentation needed sent by host with wrong IP address
  20. ARP cache thrashing
  21. Ignoring Destination unreachable, fragmentation needed messages
  22. Bogus checksum errors
  23. Unicast ARP Requests
  24. Wrong router response from traceroute
  25. Host based analyzer does not show what is really sent on the wire
  26. Protocol Analyzer's expert analysis may not be so expert
  27. Wireshark incorrectly reports a bad FCS on an ARP frame
  28. Ping reports a timeout but trace shows the reply was sent
  29. Connection request receives ACK before SYN-ACK
  30. Multiple MAC addresses for the same IP address
    1. Multiple MAC addresses for the same IP address
    2. Multiple responses to an ARP request
  31. Server responds to connection request with old sequence numbers
  32. Something is rewriting sequence and acknowledgment numbers
  33. FTP server's IP address is changing in the middle of an FTP session
  34. The perils of port reuse
  35. Checksum errors
  36. TCP backlog capture
  37. Checksum errors - again
  38. Out of Order versus Retransmissions

This page was last modified on 14-05-05
Send comments and suggestions to noah@noahdavids.org