[squid-users] Re: Re: Re: WCCP + squid 2.5-STABLE7 + linux 2.6.10

From: Jesse Guardiani <jesse@dont-contact.us>
Date: Thu, 24 Feb 2005 17:09:43 -0500

Jesse Guardiani wrote:

> Henrik Nordstrom wrote:
>
>> On Wed, 23 Feb 2005, Jesse Guardiani wrote:
>>
>>> tcpdump 'not ( host shannon and port 22 ) and not host 192.168.1.193 and
>>> not port syslog and not port domain and not snmp and not port 3632'
>>>
>>> And here's the only thing I could find that looked relevant:
>>>
>>> 04:22:30.959889 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
>>> 04:22:30.961323 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
>>> 04:22:32.791481 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
>>> 04:22:35.790420 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
>>> 04:22:40.954870 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
>>> 04:22:40.956378 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
>>> 04:22:41.790316 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
>>> 04:22:51.932636 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
>>> 04:22:51.934544 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
>>>
>>> 192.168.10.1 is my Cisco router's LAN address.
>>> Does the above mean anything to anyone?
>>
>> Yes.
>>
>> The UDP packets are the WCCP control channel.
>>
>> The gre 0x883e is the WCCP redirected packets.
>>
>> You may need "-i any" argument to tcpdump to see the complete picture
>> however.
>
> OK. New tcpdump run with "-i any" and some additional port and proto
> expressions to filter out the noise:
>
> tcpdump -i any 'not ( host shannon and port 22) and not host 192.168.1.193
> and not port syslog and not port domain and not snmp and not port 3632 and
> not port ssh and not arp'
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
>
> 21:55:26.259380 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
> 21:55:26.260373 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
> 21:55:29.473457 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
> 21:55:29.473457 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418917766 0,nop,wscale 2>
> 21:55:32.473612 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
> 21:55:32.473612 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418920766 0,nop,wscale 2>
> 21:55:36.844127 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
> 21:55:36.845296 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
> 21:55:38.472288 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
> 21:55:38.472288 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418926766 0,nop,wscale 2>
> 21:55:47.136074 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
> 21:55:47.136921 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
> 21:55:50.470033 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
> 21:55:50.470033 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418938766 0,nop,wscale 2>
> 21:55:57.568999 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
> 21:55:57.569869 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
>
> 16 packets captured
> 26 packets received by filter
> 0 packets dropped by kernel
> [21:55]jesse@rhea:[/home/jesse]#
>
> Judging from the ".www" lines, it looks to me like squid is attempting
> to contact the remote www server, but is being intercepted and
> looped back to itself by the Cisco. Is that an accurate assessment?

I don't think it is anymore. It seems like the packets are just disappearing
after they hit my iptables rule. I tried placing OUTPUT and POSTROUTING LOG
rules around the NAT table, and their hit counters increment if I hit the
cache directly from a web browser, but if I hit it transparently the packet
just disappears after the REDIRECT to port 3128.

Does anyone have squid 2.5-STABLE7 working with WCCP and linux 2.6.10?

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
Received on Thu Feb 24 2005 - 15:10:30 MST
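
Added example, not part of the original message: a Python sketch that sorts tcpdump lines of the format shown in this thread into WCCP control traffic (UDP port 2048), GRE-redirected packets (gre-proto-0x883e), and SYNs that were seen repeatedly with no segment in the reverse direction. The function name `summarize` and its result keys are assumptions made for this example; the sample lines are the first ten packets of the "-i any" capture quoted above.

```python
import re
from collections import defaultdict

# First ten packets of the "-i any" capture quoted in the message above.
CAPTURE = """\
21:55:26.259380 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
21:55:26.260373 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
21:55:29.473457 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
21:55:29.473457 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418917766 0,nop,wscale 2>
21:55:32.473612 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
21:55:32.473612 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418920766 0,nop,wscale 2>
21:55:36.844127 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
21:55:36.845296 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
21:55:38.472288 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
21:55:38.472288 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418926766 0,nop,wscale 2>
"""

LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): (.*)$")

def summarize(text):
    """Count WCCP control and GRE-redirect packets; list SYNs nobody answered."""
    control = gre = 0
    syn_times = defaultdict(list)   # (src, dst, seq) -> timestamp of each SYN seen
    flows = set()                   # every (src, dst) pair that sent a TCP segment
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                # banner lines, packet counters, shell prompt
        h, mi, s, src, dst, rest = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        if rest.startswith("UDP") and src.endswith(".2048") and dst.endswith(".2048"):
            control += 1            # WCCP control channel
        elif rest.startswith("gre-proto-0x883e"):
            gre += 1                # redirected packet, GRE-encapsulated by the router
        elif re.match(r"[SFPRW.]+ ", rest):
            flows.add((src, dst))
            if rest.startswith("S ") and " ack " not in rest:
                syn_times[(src, dst, rest.split()[1].split(":")[0])].append(ts)
    # A SYN counts as stalled when no segment was ever seen in the reverse direction.
    stalled = {k: [round(b - a) for a, b in zip(t, t[1:])]
               for k, t in syn_times.items() if (k[1], k[0]) not in flows}
    return {"wccp_control": control, "gre_redirects": gre, "stalled_syns": stalled}

if __name__ == "__main__":
    print(summarize(CAPTURE))
```

The gaps reported for a stalled SYN are the seconds between repeats of the same sequence number; gaps that double are the usual TCP SYN retransmission backoff, so the client never received a reply.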
