[sclug] ftp woes

Alex Butcher lug at assursys.co.uk
Wed Aug 18 21:54:08 UTC 2004


On Mon, 16 Aug 2004 sclug at whittycat.me.uk wrote:

> 
> I'm going to need some help with this one. I have just moved to Somerset
> and now enjoy broadband from plusnet [Red Hat 8.0 -> ethernet modem -> ADSL]
> which is ok up to a point. Mozilla works but ftp doesn't and I need to
> update my web sites. (Is there a way of uploading files with Mozilla? that
> would do to be going on with.)

There is, but it uses FTP as the underlying protocol. Thus, you may find
that even if you configure it (composer->Edit->Publishing site settings), it
may not work with your current network/firewall configuration.

> What happens is that I type 
> 
> ftp ftp.plus.net 
> 
> get a prompt back, type the username, then nothing whatever happens until
> it times out. Other ftp sites like metalab.unc.edu do the same.

Sounds like some dodgy firewall between the ftp site and you. It could be
your ISP, but I'd put money on it being yours (including your ADSL
router/modem/firewall device).

Things I'd be looking at would be oversized packets caused by NAT (FTP uses
ASCII text to represent IP addresses and ports, so if you're translating the
address 1.1.1.1 to 100.100.100.100, the packet will take up 2+2+2+2=8 extra
bytes because '100' is two characters longer than '1'. Yes, that's pretty
sucky protocol design, right there.), possibly in combination with lack of
MSS clamping and/or dropping ICMP Type 3, Code 4 packets.

> I looked at the packets going to and fro with tcpdump but they don't
> really tell me what is happening.

Ethereal <http://www.ethereal.com> is much easier to use.

> They start with a lot of dialogue to establish a connection ending with
> their end saying

[snip]

> but it gets sent twice with no ack from their end and then something
> really strange: 
> 
> 17:31:47.329786 arp who-has pth-cdns01.plus.net tell whittycat.plus.com
> ......... at .XJPP............1 
> 
> 17:31:47.330053 arp reply pth-cdns01.plus.net is-at 0:d:88:6e:57:5e
> ...........nW^...1. at .XJPP..................... 
> 
> (pth* is the name server and whittycat.plus.com is my hostname. The mac
> address belongs to the ethernet modem.) 

Looks like your ethernet modem is being a transparent DNS proxy or
something. Eww.

> The username is then sent again: 
> 
> 17:31:47.569800 whittycat.plus.com.33172 > homepages.plus.net.ftp:
>  P 1:17(16) ack 502 win 5840 <nop,nop,timestamp 3174355 431985307> (DF)
>  [tos 0x10]
> E..D9f at .@../P.............T.........|........0o.....USER.whittyc
> at.. 
> 
> 17:31:48.010039 whittycat.plus.com.bootpc > 192.168.1.1.bootps:
>  xid:0x6261243b C:whittycat.plus.com [|bootp] (DF)
> E..H.. at .@.H.P........D.C.4......ba$;....P................ at .XJP..
> ................................................................
> ................................................................
> .................................................. 
> 
> and at this point I am quite lost. What is bootp doing? 192.168.1.1 is
> the address of the modem. Can anyone throw some light on this murky area
> and what can I do to get some more information about what is happening? 

Your host (whittycat) is probably renewing a DHCP lease obtained from your
modem.

> btw in all other matters Somerset is delightful and we've missed Reading's
> torrential rain. 
> 
> Tony Sumner 

Try again with Ethereal. ;-)

HTH,
Alex.
-- 
Alex Butcher      Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK                      Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950                         <http://www.assursys.com/>
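
The NAT length growth described in the reply above, as an added example that is not part of the original post: it rewrites the ASCII host-port tuple in an FTP control line and tracks the resulting byte shift, which a translator also has to carry into later TCP sequence/ack numbers. The function names, the sample lines and the MSS values are assumptions made for illustration.

```python
import re

# RFC 959 host-port tuple (PORT argument, 227 reply): h1,h2,h3,h4,p1,p2.
HOSTPORT = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed sample control-channel payloads, using the 1.1.1.1 address
# from the post and port 1025 (4*256 + 1).
SAMPLE = [b"USER example\r\n", b"PORT 1,1,1,1,4,1\r\n", b"LIST\r\n"]


def rewrite_hostport(line: bytes, new_ip: str, new_port: int) -> tuple[bytes, int]:
    """Rewrite the address in one FTP control line, as a NAT FTP helper must.

    Returns (rewritten_line, delta), delta being the change in payload
    length in bytes. Lines without a host-port tuple come back unchanged.
    """
    m = HOSTPORT.search(line)
    if m is None:
        return line, 0
    octets = [int(o) for o in new_ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {new_ip!r}")
    if not 0 < new_port < 65536:
        raise ValueError(f"bad port: {new_port}")
    fields = octets + [new_port >> 8, new_port & 0xFF]
    repl = ",".join(str(f) for f in fields).encode("ascii")
    out = line[:m.start()] + repl + line[m.end():]
    return out, len(out) - len(line)


def translate_stream(lines, new_ip, new_port, mss):
    """Apply the rewrite to successive control-channel payloads.

    Yields (rewritten, seq_offset, fits) per payload: seq_offset is the
    running byte shift introduced so far, fits is False when the rewritten
    payload no longer fits in a single segment of size mss.
    """
    offset = 0
    for line in lines:
        out, delta = rewrite_hostport(line, new_ip, new_port)
        offset += delta
        yield out, offset, len(out) <= mss
```
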

