[Scottish] netstat not reporting connection.

donothing successfully donothingsuccessfully at googlemail.com
Thu Aug 9 17:25:32 BST 2007


Hi Colin

Thanks for your reply.

> Not very familiar with iftop but don't both these tools report on *packets*

Yup.
That distinction eluded me. I'm still doing remedial
reading on networking.


> sure your router's not just leaking extra echoes of other traffic through?

I'm pretty sure you're right on the leaky router theory.

I've upgraded the firmware, and enabled SPI and the packets
don't get through anymore.

So the problem is fixed.

But the mystery isn't solved...

The traffic from the 172.21s is all RST packets.
This only seems to happen when I'm accessing Gmail with
https through Firefox or the Mozilla browser, not Opera.

All the RST packets from the 172s occur hot on the heels of
RST packets from Gmail.
Although not all of Gmail's RST packets provoke a 172* RST
packet.

"""
00:18:15.922676 IP ik-in-f83.google.com.https > 192.168.0.149.48936: R
622947873:622947873(0) win 9700
00:18:15.922991 IP 172.21.18.40.11083 > 192.168.0.149.48936: R
4134315417:4134315417(0) win 0
"""

The only similar problem I could find on the web was someone
getting RSTs from 172.21s using Gmail via POP and Thunderbird:
http://www.dslreports.com/forum/r18039113-Something-Really-Strange-Gmail-being-compromised


> (I've got cable using a modem rather than ADSL, but can
> see other local people's traffic on my interface).

Actually I'm on NTL/Virgin, the router's just an Ethernet
switch/gateway thing.


So I'm thinking something in the Mozilla family's code
is provoking something on Virgin's network into sending
rogue packets.

My grand plan, if I get round to it, is to knuckle down
with Wireshark and try to identify the sequence of packets
that yields the weirdness and see if I can get
Thunderbird to provoke the packets too.

Thanks to all for your helpful replies.

cheers
Harry
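
The pattern described in this message (a RST from a 172.21 address arriving right after a RST from Gmail to the same local port) can be pulled out of a capture automatically. The script below is an added example, not part of the original post; the function names, the 5 ms window and the sample lines marked as constructed are assumptions, and it expects old-style tcpdump text output as quoted above, with wrapped lines rejoined.

```python
import ipaddress
import re

# Old-style tcpdump text line: time, "IP", src.port > dst.port:, flags, rest.
LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\S+)\.([^.\s]+) > (\S+)\.([^.\s:]+): (\S+) ")

def is_private_literal(host):
    """True for literal private-range addresses (172.16.0.0/12 among them);
    resolved hostnames are not address literals and return False."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def paired_resets(lines, window=0.005):
    """Return (gap_seconds, first_src, second_src, local_socket) for every RST
    from a private address that follows, within `window` seconds, a RST from
    a different source aimed at the same destination host and port."""
    last_rst = {}  # (dst_host, dst_port) -> (time, src_host) of the latest RST
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or "R" not in m.group(8):
            continue  # unparsable line, or not a reset
        h, mi, s, src, _sport, dst, dport, _flags = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        prev = last_rst.get((dst, dport))
        if (prev and prev[1] != src and is_private_literal(src)
                and 0 <= t - prev[0] <= window):
            hits.append((round(t - prev[0], 6), prev[1], src, f"{dst}:{dport}"))
        last_rst[(dst, dport)] = (t, src)
    return hits

SAMPLE = [
    # The two lines quoted in the post, with the mail wrapping undone.
    "00:18:15.922676 IP ik-in-f83.google.com.https > 192.168.0.149.48936: R 622947873:622947873(0) win 9700",
    "00:18:15.922991 IP 172.21.18.40.11083 > 192.168.0.149.48936: R 4134315417:4134315417(0) win 0",
    # Constructed lines: an ACK, a lone RST, and a private RST well outside the window.
    "00:18:16.100000 IP ik-in-f83.google.com.https > 192.168.0.149.48937: . ack 1 win 9700",
    "00:18:17.500000 IP ik-in-f83.google.com.https > 192.168.0.149.48938: R 100:100(0) win 9700",
    "00:18:19.000000 IP 172.21.18.40.11084 > 192.168.0.149.48938: R 200:200(0) win 0",
]

if __name__ == "__main__":
    for gap, first, second, sock in paired_resets(SAMPLE):
        print(f"{sock}: RST from {first}, then {second} {gap * 1000:.3f} ms later")
```

Running with `tcpdump -n` avoids reverse-DNS names in the source field, so the first RST's sender can be compared as an address as well.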


