Re: pf sending an ACK storm?!



On Thu, Nov 28, 2002 at 07:53:57PM +0059, Jedi/Sector One wrote:
> > The ssh connection to synchron<->brutus isn't by any chance filtered
> > statefully, using modulate state? :)
> 
>   It is.

Can you try to get a tcpdump -nvvvpSi $INT (-S shows absolute sequence
numbers), ideally a couple of packets before pf is disabled, when the
endless repetition begins? And show the pfctl -vss entry for the ssh
state.

Can you repeat it reliably, or did it happen just once?

Even if unmodulated packets, by pure chance, have close enough sequence
numbers so the stacks consider them late arrivals, each stack would only
retransmit after it got a packet from the peer, and that wouldn't
saturate the link. Very odd indeed :)

Daniel