Date:      Thu, 10 Jan 2002 13:34:01 +0100
From:      Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To:        freebsd-security@freebsd.org
Subject:   Fw: Re: LAST_ACK traffic?
Message-ID:  <20020110133401.0b440c90.kzaraska@student.uci.agh.edu.pl>

On Mon, 7 Jan 2002 14:36:11 -0200 (BRST) Paulo Fragoso wrote:

> Hi,
> 
> In our network there are some workstations under a firewall. Today we
> were looking at our internal traffic; there was one workstation sending
> packets to one webserver at 200kbps:
> 
> Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
> tcp4       0      0  our.work.station.1412    200.226.137.10.80    LAST_ACK
> 
> The user of that workstation was using Opera 6.0 for Linux (on FreeBSD
> 4.4-RELEASE). The strange traffic started after he closed Opera.
> 
> Is there any security problem with this? Why was our workstation sending
> packets in LAST_ACK without any process bound to 1412 (checked with
> lsof)?

According to W. R. Stevens, "TCP/IP Illustrated", fig. 18.13, this is a closed
socket, still living in the kernel after Opera was closed and awaiting the
final ACK packet from the remote server to shut down. If this ACK does not
arrive, I guess the kernel should time out and shut it down anyhow. This socket
should not be able to transmit anything.

BTW, netstat does not show you the network traffic; it only shows you what
state each socket is in (you may have an ESTABLISHED socket and no
transmission). If you want to see what is really going on on the wire, you
should use a tool like tcpdump or ethereal.

Regards,
Krzysztof
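The passive-close sequence discussed in this thread (peer sends FIN, local application closes, socket sits in LAST_ACK waiting for the final ACK), as an added example that is not part of the original messages and not FreeBSD kernel code. It is a small Python model of the RFC 793 state transitions CLOSE_WAIT -> LAST_ACK -> CLOSED. The retry bound `max_fin_retries`, the address strings and the PID are constructed stand-ins, not values taken from any kernel.

```python
"""Model of the TCP passive-close side (RFC 793): CLOSE_WAIT -> LAST_ACK -> CLOSED.

Constructed example: not FreeBSD kernel code. The retransmission bound is
a simplified stand-in for the kernel's real timers.
"""
from dataclasses import dataclass, field
from typing import List, Optional

CLOSE_WAIT, LAST_ACK, CLOSED = "CLOSE_WAIT", "LAST_ACK", "CLOSED"


@dataclass
class PassiveCloser:
    """One TCP connection on the host that received the peer's FIN first."""
    local: str
    remote: str
    owner_pid: Optional[int]              # process holding the socket, or None
    state: str = CLOSE_WAIT
    max_fin_retries: int = 4              # assumption: bounded retry count
    sent: List[str] = field(default_factory=list)   # segments this side emitted
    fin_retries: int = 0

    def app_close(self) -> str:
        """The application (Opera in the thread) closes the descriptor.
        The process is gone, but the kernel keeps the control block until
        the peer acknowledges our FIN, so lsof finds no owner while
        netstat still lists the socket."""
        assert self.state == CLOSE_WAIT
        self.owner_pid = None
        self.state = LAST_ACK
        self.sent.append("FIN")
        return self.state

    def receive_ack_of_fin(self) -> str:
        """The final ACK from the peer releases the control block."""
        if self.state == LAST_ACK:
            self.state = CLOSED
        return self.state

    def retransmit_timer_fires(self) -> str:
        """No ACK arrived: resend the FIN, or give up after the retry bound.
        The FIN retransmission is the only segment a LAST_ACK socket emits."""
        if self.state != LAST_ACK:
            return self.state
        if self.fin_retries >= self.max_fin_retries:
            self.state = CLOSED
        else:
            self.fin_retries += 1
            self.sent.append("FIN")
        return self.state

    def netstat_line(self) -> str:
        """What netstat would print: the socket's state, never its traffic."""
        return f"tcp4 0 0 {self.local} {self.remote} {self.state}"


def scenario_clean_close() -> PassiveCloser:
    """Peer ACKs our FIN promptly: one FIN sent, socket gone."""
    c = PassiveCloser("our.work.station.1412", "200.226.137.10.80", owner_pid=1234)
    c.app_close()
    c.receive_ack_of_fin()
    return c


def scenario_lost_acks() -> PassiveCloser:
    """Peer never ACKs: the kernel retries the FIN, then times the socket out."""
    c = PassiveCloser("our.work.station.1412", "200.226.137.10.80", owner_pid=1234)
    c.app_close()
    assert c.netstat_line().endswith(LAST_ACK)
    while c.state == LAST_ACK:
        c.retransmit_timer_fires()
    return c


if __name__ == "__main__":
    for s in (scenario_clean_close(), scenario_lost_acks()):
        print(s.netstat_line(), "segments sent:", s.sent, "owner:", s.owner_pid)
```

In the model, the only thing a LAST_ACK socket ever emits is a handful of FIN retransmissions before it gives up, which is why a sustained 200kbps stream on that port cannot be attributed from the netstat state alone; as the reply says, a packet capture (tcpdump or ethereal) is what shows which segments are actually on the wire and whether they really originate from that socket.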
