No Netflix, lost connection after CONNECT

  • Justin Tocci
    Message 1 of 17, May 27, 2011
      My wife is complaining that we don't get email from Netflix anymore but I'm wondering what else we're missing. Check out this smtp log:

      May 27 11:50:27 server postfix/smtpd[45795]: connect from mx-ecom.netflix.com[208.75.76.252]
      May 27 11:50:58 server postfix/smtpd[45795]: lost connection after CONNECT from mx-ecom.netflix.com[208.75.76.252]
      May 27 11:50:58 server postfix/smtpd[45795]: disconnect from mx-ecom.netflix.com[208.75.76.252]
      May 27 11:50:58 server postfix/smtpd[45795]: table hash:/etc/aliases(0,lock|fold_fix) has changed -- restarting
      May 27 11:50:58 server postfix/smtpd[45834]: connect from mx-ecom.netflix.com[208.75.76.252]
      May 27 11:51:59 server postfix/smtpd[45834]: lost connection after CONNECT from mx-ecom.netflix.com[208.75.76.252]
      May 27 11:51:59 server postfix/smtpd[45834]: disconnect from mx-ecom.netflix.com[208.75.76.252]

      The first delay after connect is 31 seconds, the second is 61 seconds. I am on Mac OS X Server 10.6.7. Server is working very well, Kerberos and other fragile services working perfectly. No DNS issues. Install is fairly new, we struggled a lot in the last year but bit the bullet and re-installed about a month ago with much better guidance (Lynda.com) and things have been great ever since.

      I've looked at a bunch of possibilities. Load on the server is minimal. Hard drive is a G-RAID stripe configuration for speed. I disabled virus scanning and no change. Now I've even got spam checking off and still no joy. I connected via telnet and got a response instantly.

      If anyone has any ideas I'm all ears.

      Perhaps instead of randomly turning things off is there a way to find out more about what may be going on in between the gaps in the log? I have the log level set to DEBUG which is the highest setting in the Mac OS X Server config utility.

      Best Regards,

      Justin T
    • Jeroen Geilman
      Message 2 of 17, May 27, 2011
        On 05/28/2011 03:15 AM, Justin Tocci wrote:
        > My wife is complaining that we don't get email from Netflix anymore but I'm wondering what else we're missing. Check out this smtp log:
        >
        > May 27 11:50:27 server postfix/smtpd[45795]: connect from mx-ecom.netflix.com[208.75.76.252]

        netflix connects to postfix.

        > May 27 11:50:58 server postfix/smtpd[45795]: lost connection after CONNECT from mx-ecom.netflix.com[208.75.76.252]

        netflix disconnects from postfix without sending any (valid) SMTP commands.

        > May 27 11:50:58 server postfix/smtpd[45795]: disconnect from mx-ecom.netflix.com[208.75.76.252]

        postfix drops the connection.

        > guidance (Lynda.com)

        Please refer to the official documentation at
        http://www.postfix.org/documentation.html ; online guides, howtos and
        tutorials are often confused, confusing, or plain wrong.

        > If anyone has any ideas I'm all ears.

        tcpdump(8) the connection to see what is really happening.
        If netflix doesn't send anything, ask *them* what is wrong.

        > Perhaps instead of randomly turning things off is there a way to find out more about what may be going on in between the gaps in the log? I have the log level set to DEBUG which is the highest setting in

        Please don't do that; it often obscures the simpler issues if you don't
        know what you're looking for (or at).


        --
        J.
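
The line-by-line reading of the log in the reply above, turned into a check over the log lines from the first message. This is an added example, not code from the thread; the function names and the year default are assumptions (syslog timestamps carry no year).

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the first message of the thread.
LOG = """\
May 27 11:50:27 server postfix/smtpd[45795]: connect from mx-ecom.netflix.com[208.75.76.252]
May 27 11:50:58 server postfix/smtpd[45795]: lost connection after CONNECT from mx-ecom.netflix.com[208.75.76.252]
May 27 11:50:58 server postfix/smtpd[45795]: disconnect from mx-ecom.netflix.com[208.75.76.252]
May 27 11:50:58 server postfix/smtpd[45795]: table hash:/etc/aliases(0,lock|fold_fix) has changed -- restarting
May 27 11:50:58 server postfix/smtpd[45834]: connect from mx-ecom.netflix.com[208.75.76.252]
May 27 11:51:59 server postfix/smtpd[45834]: lost connection after CONNECT from mx-ecom.netflix.com[208.75.76.252]
May 27 11:51:59 server postfix/smtpd[45834]: disconnect from mx-ecom.netflix.com[208.75.76.252]
"""

LINE = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/smtpd\[(?P<pid>\d+)\]:\s"
    r"(?P<event>connect|lost connection after (?P<stage>\S+)|disconnect)"
    r"\sfrom\s(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
)


def early_drops(log, year=2011):
    """Return one record per 'lost connection after <STAGE>' line.

    'idle' is the number of seconds between the matching connect line
    (same smtpd pid and client IP) and the drop, or None when the connect
    line is not in the excerpt.
    """
    opened = {}
    drops = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # other smtpd messages, e.g. the table-changed notice
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["pid"], m["ip"])
        if m["event"] == "connect":
            opened[key] = when
        elif m["stage"]:
            start = opened.get(key)
            idle = int((when - start).total_seconds()) if start else None
            drops.append({"pid": int(m["pid"]), "host": m["host"],
                          "ip": m["ip"], "stage": m["stage"], "idle": idle})
        else:  # disconnect closes the session
            opened.pop(key, None)
    return drops


def clients_dropping_at(drops, stage="CONNECT", minimum=2):
    """Map client IP -> idle times for clients that dropped at `stage`
    at least `minimum` times (they never sent an SMTP command)."""
    by_ip = defaultdict(list)
    for d in drops:
        if d["stage"] == stage:
            by_ip[d["ip"]].append(d["idle"])
    return {ip: idles for ip, idles in by_ip.items() if len(idles) >= minimum}


if __name__ == "__main__":
    for ip, idles in clients_dropping_at(early_drops(LOG)).items():
        print(ip, "dropped after CONNECT; seconds connected:", idles)
```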
      • Noel Jones
        Message 3 of 17, May 27, 2011
          On 5/27/2011 8:15 PM, Justin Tocci wrote:
          > My wife is complaining that we don't get email from Netflix anymore but I'm wondering what else we're missing. Check out this smtp log:
          >
          > May 27 11:50:27 server postfix/smtpd[45795]: connect from mx-ecom.netflix.com[208.75.76.252]
          > May 27 11:50:58 server postfix/smtpd[45795]: lost connection after CONNECT from mx-ecom.netflix.com[208.75.76.252]
          > May 27 11:50:58 server postfix/smtpd[45795]: disconnect from mx-ecom.netflix.com[208.75.76.252]
          > May 27 11:50:58 server postfix/smtpd[45795]: table hash:/etc/aliases(0,lock|fold_fix) has changed -- restarting
          > May 27 11:50:58 server postfix/smtpd[45834]: connect from mx-ecom.netflix.com[208.75.76.252]
          > May 27 11:51:59 server postfix/smtpd[45834]: lost connection after CONNECT from mx-ecom.netflix.com[208.75.76.252]
          > May 27 11:51:59 server postfix/smtpd[45834]: disconnect from mx-ecom.netflix.com[208.75.76.252]
          >
          > The first delay after connect is 31 seconds, the second is 61 seconds. I am on Mac OS X Server 10.6.7. Server is working very well, Kerberos and other fragile services working perfectly. No DNS issues. Install is fairly new, we struggled a lot in the last year but bit the bullet and re-installed about a month ago with much better guidance (Lynda.com) and things have been great ever since.
          >
          > I've looked at a bunch of possibilities. Load on the server is minimal. Hard drive is a G-RAID stripe configuration for speed. I disabled virus scanning and no change. Now I've even got spam checking off and still no joy. I connected via telnet and got a response instantly.
          >
          > If anyone has any ideas I'm all ears.
          >
          > Perhaps instead of randomly turning things off is there a way to find out more about what may be going on in between the gaps in the log? I have the log level set to DEBUG which is the highest setting in the Mac OS X Server config utility.
          >
          > Best Regards,
          >
          > Justin T


          Read the whole document, but this is the section you're
          looking for.

          http://www.postfix.org/DEBUG_README.html#sniffer



          -- Noel Jones
        • Justin Tocci
          Message 4 of 17, May 31, 2011
            I tried tcpdump and that led me to check my router for possible issues. I am now on a DMZ so that should eliminate that as a possibility. (Correct me if I'm wrong.)

            Anyway, new DMZ has been working great and network seems fine. So after work I tried to get email from Netflix again but no joy. I used debug_peer_level = 4 to get the following output:

            May 31 20:02:07 server postfix/smtpd[2333]: initializing the server-side TLS engine
            May 31 20:02:07 server postfix/smtpd[2333]: connect from mx-ecom.netflix.com[208.75.76.252]
            May 31 20:02:07 server postfix/smtpd[2333]: match_hostname: mx-ecom.netflix.com ~? 127.0.0.0/8
            May 31 20:02:07 server postfix/smtpd[2333]: match_hostaddr: 208.75.76.252 ~? 127.0.0.0/8
            May 31 20:02:07 server postfix/smtpd[2333]: match_list_match: mx-ecom.netflix.com: no match
            May 31 20:02:07 server postfix/smtpd[2333]: match_list_match: 208.75.76.252: no match
            May 31 20:02:07 server postfix/smtpd[2333]: auto_clnt_open: connected to private/anvil
            May 31 20:02:07 server postfix/smtpd[2333]: event_enable_read: fd 19
            May 31 20:02:07 server postfix/smtpd[2333]: send attr request = connect
            May 31 20:02:07 server postfix/smtpd[2333]: send attr ident = smtp:208.75.76.252
            May 31 20:02:07 server postfix/smtpd[2333]: vstream_fflush_some: fd 19 flush 42
            May 31 20:02:07 server postfix/smtpd[2333]: vstream_buf_get_ready: fd 19 got 25
            May 31 20:02:07 server postfix/smtpd[2333]: private/anvil: wanted attribute: status
            May 31 20:02:07 server postfix/smtpd[2333]: input attribute name: status
            May 31 20:02:07 server postfix/smtpd[2333]: input attribute value: 0
            May 31 20:02:07 server postfix/smtpd[2333]: private/anvil: wanted attribute: count
            May 31 20:02:07 server postfix/smtpd[2333]: input attribute name: count
            May 31 20:02:07 server postfix/smtpd[2333]: input attribute value: 1
            May 31 20:02:07 server postfix/smtpd[2333]: private/anvil: wanted attribute: rate
            May 31 20:02:07 server postfix/smtpd[2333]: input attribute name: rate
            May 31 20:02:07 server postfix/smtpd[2333]: input attribute value: 1
            May 31 20:02:07 server postfix/smtpd[2333]: private/anvil: wanted attribute: (list terminator)
            May 31 20:02:07 server postfix/smtpd[2333]: input attribute name: (end)
            May 31 20:02:07 server postfix/smtpd[2333]: > mx-ecom.netflix.com[208.75.76.252]: 220 server.workflowproducts.com ESMTP Postfix
            May 31 20:02:07 server postfix/smtpd[2333]: watchdog_pat: 0x100133330
            May 31 20:02:07 server postfix/smtpd[2333]: vstream_fflush_some: fd 16 flush 47
            May 31 20:02:08 server postfix/smtpd[2159]: lost connection after CONNECT from mx-ecom.netflix.com[208.75.76.252]
            May 31 20:02:08 server postfix/smtpd[2159]: disconnect from mx-ecom.netflix.com[208.75.76.252]

            Towards the end there I noticed "vstream_fflush_some" and "watchdog_pat". There isn't much to be had on Google but it seems they are usually followed by a "fatal: watchdog timeout" if there were a timeout on my end.



            Regards,

            Justin T


            $ postconf -n
            biff = no
            command_directory = /usr/sbin
            config_directory = /etc/postfix
            content_filter = smtp-amavis:[127.0.0.1]:10024
            daemon_directory = /usr/libexec/postfix
            debug_peer_level = 4
            debug_peer_list = netflix.com
            enable_server_options = yes
            header_checks = pcre:/etc/postfix/custom_header_checks
            html_directory = /usr/share/doc/postfix/html
            inet_interfaces = all
            mail_owner = _postfix
            mailbox_size_limit = 0
            mailbox_transport = dovecot
            mailq_path = /usr/bin/mailq
            manpage_directory = /usr/share/man
            message_size_limit = 0
            mydestination = $myhostname, localhost.$mydomain, workflowproducts.org, wfprod.org, wfprod.com, workflowproducts.com
            mydomain = workflowproducts.com
            mydomain_fallback = localhost
            myhostname = server.workflowproducts.com
            mynetworks = 127.0.0.0/8
            newaliases_path = /usr/bin/newaliases
            queue_directory = /private/var/spool/postfix
            readme_directory = /usr/share/doc/postfix
            recipient_delimiter = +
            relayhost =
            sample_directory = /usr/share/doc/postfix/examples
            sendmail_path = /usr/sbin/sendmail
            setgid_group = _postdrop
            smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated check_client_access hash:/etc/postfix/client_whitelist reject_unknown_client_hostname reject_rbl_client zen.spamhaus.org permit
            smtpd_enforce_tls = no
            smtpd_helo_required = yes
            smtpd_helo_restrictions = reject_unknown_hostname reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_non_fqdn_helo_hostname
            smtpd_pw_server_security_options = gssapi,cram-md5,login
            smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unlisted_recipient check_client_access hash:/etc/postfix/client_restrictions check_client_access hash:/etc/postfix/hostname_restrictions reject_unauth_destination check_policy_service unix:private/policy permit
            smtpd_sasl_auth_enable = yes
            smtpd_tls_CAfile = /etc/certificates/server.workflowproducts.com.CBC832B89B5D07F033AB998F95C4563DF981A6A8.chain.pem
            smtpd_tls_cert_file = /etc/certificates/server.workflowproducts.com.CBC832B89B5D07F033AB998F95C4563DF981A6A8.cert.pem
            smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
            smtpd_tls_key_file = /etc/certificates/server.workflowproducts.com.CBC832B89B5D07F033AB998F95C4563DF981A6A8.key.pem
            smtpd_tls_loglevel = 2
            smtpd_use_pw_server = yes
            smtpd_use_tls = yes
            tls_random_source = dev:/dev/urandom
            unknown_client_reject_code = 550
            unknown_local_recipient_reject_code = 550
            virtual_alias_maps =
          • Sahil Tandon
            Message 5 of 17, May 31, 2011
              On Tue, 2011-05-31 at 20:22:56 -0500, Justin Tocci wrote:

              > I tried tcpdump and that led me to check my router for possible
              > issues. I am now on a DMZ so that should eliminate that as a
              > possibility.

              You need to capture the packets between Netflix and your server (DMZ or
              elsewhere) and paste them somewhere for analysis. Use the '-w' flag in
              tcpdump to save the capture to a file.

              --
              Sahil Tandon <sahil@...>
            • Justin Tocci
              Message 6 of 17, Jun 2, 2011
                I must confess that the tcpdump output is over my head. Any help would be appreciated. I see a lot of checksums marked bad and "incorrect" but I have no idea how to fix it. I am using a Netgear FVS318G with an MTU of 1500. The only thing I found on Google was that it might mean the router is causing problems which is why I went to a DMZ setup, so the router wouldn't mess with packets.

                Tcpdump worked before I went to a DMZ setup but it didn't work the first time I tried it today. DNS is working and "dig mx-ecom.netflix.com" produced appropriate results. I used the -n flag in tcpdump to turn off dns resolution and replaced the host name with the ip address of the server and that worked. I only mention this in case it means something.

                root@server:/opt/mail
                $ tcpdump -w /opt/mail/dump6.txt -s 0 host netflix.com
                tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
                ^C0 packets captured
                549 packets received by filter
                0 packets dropped by kernel

                root@server:/opt/mail
                $ tcpdump -nw /opt/mail/dump7.txt -s 0 net 208.75.76.252/32
                tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
                ^C24 packets captured
                224677 packets received by filter
                0 packets dropped by kernel

                $ tcpdump -vvvv -r /opt/mail/dump7.txt
                reading from file /opt/mail/dump7.txt, link-type EN10MB (Ethernet)
                09:40:25.853369 IP (tos 0x0, ttl 46, id 196, offset 0, flags [DF], proto TCP (6), length 40)
                mx-ecom.netflix.com.7988 > server.workflowproducts.com.smtp: Flags [F.], cksum 0xedda (correct), seq 3280516486, ack 1181407503, win 46, length 0
                09:40:25.853403 IP (tos 0x0, ttl 64, id 40810, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->9171)!)
                server.workflowproducts.com.smtp > mx-ecom.netflix.com.7988: Flags [.], cksum 0x0a0f (incorrect -> 0xee08), seq 1, ack 1, win 65535, length 0
                09:40:25.853934 IP (tos 0x0, ttl 46, id 45051, offset 0, flags [DF], proto TCP (6), length 52)
                mx-ecom.netflix.com.53126 > server.workflowproducts.com.smtp: Flags [S], cksum 0x3847 (correct), seq 1705566477, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
                09:40:25.853969 IP (tos 0x0, ttl 64, id 65283, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->31cc)!)
                server.workflowproducts.com.smtp > mx-ecom.netflix.com.53126: Flags [S.], cksum 0x0a1b (incorrect -> 0xca96), seq 265909580, ack 1705566478, win 65535, options [mss 1460,nop,wscale 2,sackOK,eol], length 0
                09:40:25.854777 IP (tos 0x0, ttl 64, id 25627, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->ccc0)!)
                server.workflowproducts.com.smtp > mx-ecom.netflix.com.7988: Flags [F.], cksum 0x0a0f (incorrect -> 0xee07), seq 1, ack 1, win 65535, length 0
                09:40:25.945774 IP (tos 0x0, ttl 46, id 45052, offset 0, flags [DF], proto TCP (6), length 40)
                mx-ecom.netflix.com.53126 > server.workflowproducts.com.smtp: Flags [.], cksum 0x0a35 (correct), seq 1, ack 1, win 46, length 0
                09:40:25.945796 IP (tos 0x0, ttl 64, id 54885, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->5a76)!)
                server.workflowproducts.com.smtp > mx-ecom.netflix.com.53126: Flags [.], cksum 0x0a0f (incorrect -> 0x0a63), seq 1, ack 1, win 65535, length 0
                09:40:25.946069 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 40)
                mx-ecom.netflix.com.7988 > server.workflowproducts.com.smtp: Flags [.], cksum 0xedd9 (correct), seq 1, ack 2, win 46, length 0
                09:40:25.948733 IP (tos 0x0, ttl 64, id 30296, offset 0, flags [DF], proto TCP (6), length 86, bad cksum 0 (->ba55)!)
                server.workflowproducts.com.smtp > mx-ecom.netflix.com.53126: Flags [.], cksum 0x0a3d (incorrect -> 0x6c2a), seq 1:47, ack 1, win 65535, length 46
                09:40:26.041138 IP (tos 0x0, ttl 46, id 45053, offset 0, flags [DF], proto TCP (6), length 40)
                mx-ecom.netflix.com.53126 > server.workflowproducts.com.smtp: Flags [.], cksum 0x0a07 (correct), seq 1, ack 47, win 46, length 0
                09:40:26.041155 IP (tos 0x0, ttl 64, id 8764, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->e9f)!)
                server.workflowproducts.com.smtp > mx-ecom.netflix.com.53126: Flags [P.], cksum 0x0a10 (incorrect -> 0x002c), seq 47:48, ack 1, win 65535, length 1
                09:40:26.129016 IP (tos 0x0, ttl 46, id 45054, offset 0, flags [DF], proto TCP (6), length 40)
                mx-ecom.netflix.com.53126 > server.workflowproducts.com.smtp: Flags [.], cksum 0x0a06 (correct), seq 1, ack 48, win 46, length 0
                09:42:26.652346 IP (tos 0x0, ttl 46, id 45055, offset 0, flags [DF], proto TCP (6), length 40)
                mx-ecom.netflix.com.53126 > server.workflowproducts.com.smtp: Flags [F.], cksum 0x0a05 (correct), seq 1, ack 48, win 46, length 0
                09:42:26.652366 IP (tos 0x0, ttl 64, id 35596, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->a5cf)!)
                server.workflowproducts.com.smtp > mx-ecom.netflix.com.53126: Flags [.], cksum 0x0a0f (incorrect -> 0x0a33), seq 48, ack 2, win 65535, length 0
                09:42:26.654381 IP (tos 0x0, ttl 64, id 26128, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->cacb)!)
                server.workflowproducts.com.smtp > mx-ecom.netflix.com.53126: Flags [F.], cksum 0x0a0f (incorrect -> 0x0a32), seq 48, ack 2, win 65535, length 0
                09:42:26.741904 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 40)
                mx-ecom.netflix.com.53126 > server.workflowproducts.com.smtp: Flags [.], cksum 0x0a04 (correct), seq 2, ack 49, win 46, length 0
                09:42:48.030188 IP (tos 0x0, ttl 46, id 36948, offset 0, flags [DF], proto TCP (6), length 52)
                mx-ecom.netflix.com.24722 > server.workflowproducts.com.smtp: Flags [S], cksum 0x4928 (correct), seq 2043554555, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
                09:42:48.030224 IP (tos 0x0, ttl 64, id 38326, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->9b19)!)
                server.workflowproducts.com.smtp > mx-ecom.netflix.com.24722: Flags [S.], cksum 0x0a1b (incorrect -> 0x67f0), seq 73987140, ack 2043554556, win 65535, options [mss 1460,nop,wscale 2,sackOK,eol], length 0
                09:42:48.117246 IP (tos 0x0, ttl 46, id 36949, offset 0, flags [DF], proto TCP (6), length 40)
                mx-ecom.netflix.com.24722 > server.workflowproducts.com.smtp: Flags [.], cksum 0xa78e (correct), seq 1, ack 1, win 46, length 0
                09:42:48.117275 IP (tos 0x0, ttl 64, id 53187, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->6118)!)
                server.workflowproducts.com.smtp > mx-ecom.netflix.com.24722: Flags [.], cksum 0x0a0f (incorrect -> 0xa7bc), seq 1, ack 1, win 65535, length 0
                09:42:48.124851 IP (tos 0x0, ttl 64, id 50886, offset 0, flags [DF], proto TCP (6), length 86, bad cksum 0 (->69e7)!)
                server.workflowproducts.com.smtp > mx-ecom.netflix.com.24722: Flags [.], cksum 0x0a3d (incorrect -> 0x0984), seq 1:47, ack 1, win 65535, length 46
                09:42:48.211677 IP (tos 0x0, ttl 46, id 36950, offset 0, flags [DF], proto TCP (6), length 40)
                mx-ecom.netflix.com.24722 > server.workflowproducts.com.smtp: Flags [.], cksum 0xa760 (correct), seq 1, ack 47, win 46, length 0
                09:42:48.211693 IP (tos 0x0, ttl 64, id 65464, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->3122)!)
                server.workflowproducts.com.smtp > mx-ecom.netflix.com.24722: Flags [P.], cksum 0x0a10 (incorrect -> 0x9d85), seq 47:48, ack 1, win 65535, length 1
                09:42:48.299600 IP (tos 0x0, ttl 46, id 36951, offset 0, flags [DF], proto TCP (6), length 40)
                mx-ecom.netflix.com.24722 > server.workflowproducts.com.smtp: Flags [.], cksum 0xa75f (correct), seq 1, ack 48, win 46, length 0



                Regards,

                Justin T
              • Victor Duchovni
                Message 7 of 17, Jun 2, 2011
                  On Thu, Jun 02, 2011 at 10:28:18AM -0500, Justin Tocci wrote:

                  Record complete packets into a file with "tcpdump -s 0 -w", make the
                  binary packet capture available. Disable TCP window scaling in your
                  kernel, it may be confusing your router.

                  The below trace is rather bizarre, something is dreadfully wrong at the
                  TCP layer.

                  > mx-ecom.netflix.com.53126 > server.workflowproducts.com.smtp: Flags [S], cksum 0x3847 (correct), seq 1705566477, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
                  > 09:40:25.853969 IP (tos 0x0, ttl 64, id 65283, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->31cc)!) server.workflowproducts.com.smtp > mx-ecom.netflix.com.53126: Flags [S.], cksum 0x0a1b (incorrect -> 0xca96), seq 265909580, ack 1705566478, win 65535, options [mss 1460,nop,wscale 2,sackOK,eol], length 0
                  > 09:40:25.945774 IP (tos 0x0, ttl 46, id 45052, offset 0, flags [DF], proto TCP (6), length 40) mx-ecom.netflix.com.53126 > server.workflowproducts.com.smtp: Flags [.], cksum 0x0a35 (correct), seq 1, ack 1, win 46, length 0
                  > 09:40:25.945796 IP (tos 0x0, ttl 64, id 54885, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->5a76)!) server.workflowproducts.com.smtp > mx-ecom.netflix.com.53126: Flags [.], cksum 0x0a0f (incorrect -> 0x0a63), seq 1, ack 1, win 65535, length 0
                  > 09:40:25.948733 IP (tos 0x0, ttl 64, id 30296, offset 0, flags [DF], proto TCP (6), length 86, bad cksum 0 (->ba55)!) server.workflowproducts.com.smtp > mx-ecom.netflix.com.53126: Flags [.], cksum 0x0a3d (incorrect -> 0x6c2a), seq 1:47, ack 1, win 65535, length 46
                  > 09:40:26.041138 IP (tos 0x0, ttl 46, id 45053, offset 0, flags [DF], proto TCP (6), length 40) mx-ecom.netflix.com.53126 > server.workflowproducts.com.smtp: Flags [.], cksum 0x0a07 (correct), seq 1, ack 47, win 46, length 0
                  > 09:40:26.041155 IP (tos 0x0, ttl 64, id 8764, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->e9f)!) server.workflowproducts.com.smtp > mx-ecom.netflix.com.53126: Flags [P.], cksum 0x0a10 (incorrect -> 0x002c), seq 47:48, ack 1, win 65535, length 1
                  > 09:40:26.129016 IP (tos 0x0, ttl 46, id 45054, offset 0, flags [DF], proto TCP (6), length 40) mx-ecom.netflix.com.53126 > server.workflowproducts.com.smtp: Flags [.], cksum 0x0a06 (correct), seq 1, ack 48, win 46, length 0
                  > 09:42:26.652346 IP (tos 0x0, ttl 46, id 45055, offset 0, flags [DF], proto TCP (6), length 40) mx-ecom.netflix.com.53126 > server.workflowproducts.com.smtp: Flags [F.], cksum 0x0a05 (correct), seq 1, ack 48, win 46, length 0
                  > 09:42:26.652366 IP (tos 0x0, ttl 64, id 35596, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->a5cf)!) server.workflowproducts.com.smtp > mx-ecom.netflix.com.53126: Flags [.], cksum 0x0a0f (incorrect -> 0x0a33), seq 48, ack 2, win 65535, length 0
                  > 09:42:26.654381 IP (tos 0x0, ttl 64, id 26128, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->cacb)!) server.workflowproducts.com.smtp > mx-ecom.netflix.com.53126: Flags [F.], cksum 0x0a0f (incorrect -> 0x0a32), seq 48, ack 2, win 65535, length 0
                  > 09:42:26.741904 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 40) mx-ecom.netflix.com.53126 > server.workflowproducts.com.smtp: Flags [.], cksum 0x0a04 (correct), seq 2, ack 49, win 46, length 0

                  --
                  Viktor.
                • Thomas Berger
                  Message 8 of 17, Jun 2, 2011
                    > I must confess that the tcpdump output is over my head. Any help would be appreciated. I see a lot of checksums marked bad and "incorrect" but I have no idea how to fix it.
                    > Justin T

                    Q 11.1: Why am I seeing lots of packets with incorrect TCP checksums?
                    A: If the packets that have incorrect TCP checksums are all being sent by the machine on which Wireshark is running, this is probably because the network
                    interface on which you're capturing does TCP checksum offloading. That means that the TCP checksum is added to the packet by the network interface,
                    not by the OS's TCP/IP stack;
                    when capturing on an interface, packets being sent by the host on which you're capturing are directly handed to the capture interface by the OS,
                    which means that they are handed to the capture interface without a TCP checksum being added to them.

                    The only way to prevent this from happening would be to disable TCP checksum offloading, but
                    1. that might not even be possible on some OSes;
                    2. that could reduce networking performance significantly.


                    Source: http://www.wireshark.org/faq.html#q11.1

                    This is not a real problem, so you could use `tcpdump -K` to disable checksums.

                    Greetings
                    Thomas
                  • Justin Tocci
                    Message 9 of 17, Jun 2, 2011
                      I did find out how to dump fancier output which I think someone wanted.

                      tcpdump -AXXr /opt/mail/dump10.txt

                      17:08:23.323379 IP server.workflowproducts.com.smtp > mx-ecom.netflix.com.29698: Flags [.], seq 1:47, ack 1, win 65535, length 46
                      0x0000: e091 f53f 1307 d49a 20fd a988 0800 4500 ...?..........E.
                      0x0010: 0056 79e8 4000 4006 0000 c0a8 2c04 d04b .Vy.@.@.....,..K
                      0x0020: 4cfc 0019 7402 284e 5605 3da6 d8f4 5010 L...t.(NV.=...P.
                      0x0030: ffff 0a3d 0000 3232 3020 7365 7276 6572 ...=..220.server
                      0x0040: 2e77 6f72 6b66 6c6f 7770 726f 6475 6374 .workflowproduct
                      0x0050: 732e 636f 6d20 4553 4d54 5020 506f 7374 s.com.ESMTP.Post
                      0x0060: 6669 780d fix.
                      17:08:23.431572 IP mx-ecom.netflix.com.29698 > server.workflowproducts.com.smtp: Flags [.], ack 47, win 46, length 0
                      0x0000: d49a 20fd a988 e091 f53f 1307 0800 4500 .........?....E.
                      0x0010: 0028 8f46 4000 2e06 b395 d04b 4cfc c0a8 .(.F@......KL...
                      0x0020: 2c04 7402 0019 3da6 d8f4 284e 5633 5010 ,.t...=...(NV3P.
                      0x0030: 002e 9c7a 0000 0000 ae55 6786 ...z.....Ug.
                      17:08:23.431592 IP server.workflowproducts.com.smtp > mx-ecom.netflix.com.29698: Flags [P.], seq 47:48, ack 1, win 65535, length 1
                      0x0000: e091 f53f 1307 d49a 20fd a988 0800 4500 ...?..........E.
                      0x0010: 0029 ce81 4000 4006 0000 c0a8 2c04 d04b .)..@.@.....,..K
                      0x0020: 4cfc 0019 7402 284e 5633 3da6 d8f4 5018 L...t.(NV3=...P.
                      0x0030: ffff 0a10 0000 0a .......
                      17:08:23.536567 IP mx-ecom.netflix.com.29698 > server.workflowproducts.com.smtp: Flags [.], ack 48, win 46, length 0
                      0x0000: d49a 20fd a988 e091 f53f 1307 0800 4500 .........?....E.
                      0x0010: 0028 8f47 4000 2e06 b394 d04b 4cfc c0a8 .(.G@......KL...
                      0x0020: 2c04 7402 0019 3da6 d8f4 284e 5634 5010 ,.t...=...(NV4P.
                      0x0030: 002e 9c79 0000 0000 33c5 eb66 ...y....3..f
                      17:08:53.164333 IP mx-ecom.netflix.com.29698 > server.workflowproducts.com.smtp: Flags [F.], seq 1, ack 48, win 46, length 0
                      0x0000: d49a 20fd a988 e091 f53f 1307 0800 4500 .........?....E.
                      0x0010: 0028 8f48 4000 2e06 b393 d04b 4cfc c0a8 .(.H@......KL...
                      0x0020: 2c04 7402 0019 3da6 d8f4 284e 5634 5011 ,.t...=...(NV4P.
                      0x0030: 002e 9c78 0000 0000 56a6 d38c ...x....V...
                      17:08:53.164352 IP server.workflowproducts.com.smtp > mx-ecom.netflix.com.29698: Flags [.], ack 2, win 65535, length 0
                      0x0000: e091 f53f 1307 d49a 20fd a988 0800 4500 ...?..........E.
                      0x0010: 0028 03b0 4000 4006 0000 c0a8 2c04 d04b .(..@.@.....,..K
                      0x0020: 4cfc 0019 7402 284e 5634 3da6 d8f5 5010 L...t.(NV4=...P.
                      0x0030: ffff 0a0f 0000 ......
                      17:08:53.164950 IP mx-ecom.netflix.com.58047 > server.workflowproducts.com.smtp: Flags [S], seq 959704267, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
                      0x0000: d49a 20fd a988 e091 f53f 1307 0800 4500 .........?....E.
                      0x0010: 0034 4ba8 4000 2e06 f727 d04b 4cfc c0a8 .4K.@....'.KL...
                      0x0020: 2c04 e2bf 0019 3933 eccb 0000 0000 8002 ,.....93........
                      0x0030: 16d0 45c5 0000 0204 0564 0101 0402 0103 ..E......d......
                      0x0040: 0307 ..

                      I found out that "win" refers to window size. I have no reason to believe this is a problem because I do not know how to read this output. But I'm a good sport so I looked it up and that led me to set the following sysctl values:

                      kern.ipc.maxsockbuf=4194304
                      net.inet.tcp.recvspace=250000
                      net.inet.tcp.sendspace=250000

                      net.inet.tcp.blackhole=2
                      net.inet.udp.blackhole=1
                      net.inet.icmp.icmplim=50

                      No joy though. Netflix is still unable to complete a mail transaction.

                      If you look at the timestamps you can see in the middle the Netflix server sends a packet, then waits 30 seconds, then sends another. I have no idea why.

                      I am still completely baffled. Any help would be appreciated. I can't read this output and I don't know what it is to look it up. The only readable part is "220.server.workflowproducts.com.ESMTP.Postfix." and that doesn't indicate an error from what I've been able to find. 220 seems to indicate "ready" which would be good.


                      Regards,

                      Justin T
                    • Wietse Venema
                      Message 10 of 17, Jun 2, 2011
                        Justin Tocci:
                        > I did find out how to dump fancier output which I think someone wanted.
                        >
                        > tcpdump -AXXr /opt/mail/dump10.txt
                        >
                        > 17:08:23.323379 IP server.workflowproducts.com.smtp > mx-ecom.netflix.com.29698: Flags [.], seq 1:47, ack 1, win 65535, length 46

                        Where is the SYN handshake with the TCP-level options?

                        Wietse
                      • Justin Tocci
                        Message 11 of 17, Jun 2, 2011
                          Apparently I cut my last post too short to be useful. I am getting better at tcpdump. Here is everything I captured the last time I tried:

                          Capture command:
                          tcpdump -s 0 -w /opt/mail/dump11.txt net 208.75.76.252/32

                          root@server:~
                          $ tcpdump -AKvvr /opt/mail/dump12.txt
                          reading from file /opt/mail/dump12.txt, link-type EN10MB (Ethernet)
                          19:27:28.397765 IP (tos 0x0, ttl 46, id 18783, offset 0, flags [DF], proto TCP (6), length 52)
                          mx-ecom.netflix.com.61142 > server.workflowproducts.com.smtp: Flags [S], seq 1953720321, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
                          E..4I_@....p.KL...,.....tsh..........8.....d........
                          19:27:28.397838 IP (tos 0x0, ttl 64, id 3095, offset 0, flags [DF], proto TCP (6), length 52)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.61142: Flags [S.], seq 1089115808, ack 1953720322, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
                          E..4..@.@.....,..KL.....@...tsh.....
                          ...............
                          19:27:28.483630 IP (tos 0x0, ttl 46, id 18784, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.61142 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 1, win 46, length 0
                          E..(I`@....{.KL...,.....tsh.@...P...........^.
                          19:27:28.483709 IP (tos 0x0, ttl 64, id 22785, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.61142: Flags [.], seq 1, ack 1, win 58240, length 0
                          E..(Y.@.@.....,..KL.....@...tsh.P...
                          ...
                          19:27:28.558695 IP (tos 0x0, ttl 64, id 32537, offset 0, flags [DF], proto TCP (6), length 86)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.61142: Flags [.], seq 1:47, ack 1, win 58240, length 46
                          E..V..@.@.....,..KL.....@...tsh.P...
                          =..220 server.workflowproducts.com ESMTP Postfix
                          19:27:28.644317 IP (tos 0x0, ttl 46, id 18785, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.61142 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 47, win 46, length 0
                          E..(Ia@....z.KL...,.....tsh.@...P..........l8.
                          19:27:28.644376 IP (tos 0x0, ttl 64, id 20283, offset 0, flags [DF], proto TCP (6), length 41)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.61142: Flags [P.], seq 47:48, ack 1, win 58240, length 1
                          E..)O;@.@.....,..KL.....@...tsh.P...
                          ...

                          19:27:28.730064 IP (tos 0x0, ttl 46, id 18786, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.61142 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 48, win 46, length 0
                          E..(Ib@....y.KL...,.....tsh.@...P..........s..
                          19:27:59.156177 IP (tos 0x0, ttl 46, id 18787, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.61142 > server.workflowproducts.com.smtp: Flags [F.], seq 1, ack 48, win 46, length 0
                          E..(Ic@....x.KL...,.....tsh.@...P.........G..Y
                          19:27:59.156254 IP (tos 0x0, ttl 64, id 39873, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.61142: Flags [.], seq 48, ack 2, win 58240, length 0
                          E..(..@.@.....,..KL.....@...tsh.P...
                          ...
                          19:27:59.156688 IP (tos 0x0, ttl 46, id 8554, offset 0, flags [DF], proto TCP (6), length 52)
                          mx-ecom.netflix.com.63556 > server.workflowproducts.com.smtp: Flags [S], seq 1780206462, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
                          E..4!j@...!f.KL...,..D..j..~........ ......d........
                          19:27:59.156758 IP (tos 0x0, ttl 64, id 58828, offset 0, flags [DF], proto TCP (6), length 52)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.63556: Flags [S.], seq 2026914080, ack 1780206463, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
                          E..4..@.@.....,..KL....Dx.A j.......
                          ...............
                          19:27:59.157941 IP (tos 0x0, ttl 64, id 50338, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.61142: Flags [F.], seq 48, ack 2, win 58240, length 0
                          E..(..@.@.....,..KL.....@...tsh.P...
                          ...
                          19:27:59.246520 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.61142 > server.workflowproducts.com.smtp: Flags [.], seq 2, ack 49, win 46, length 0
                          E..(..@...B..KL...,.....tsh.@...P......... ...
                          19:27:59.246815 IP (tos 0x0, ttl 46, id 8555, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.63556 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 1, win 46, length 0
                          E..(!k@...!q.KL...,..D..j...x.A!P.............
                          19:27:59.246853 IP (tos 0x0, ttl 64, id 33230, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.63556: Flags [.], seq 1, ack 1, win 58240, length 0
                          E..(..@.@.....,..KL....Dx.A!j...P...
                          ...
                          19:27:59.250271 IP (tos 0x0, ttl 64, id 39391, offset 0, flags [DF], proto TCP (6), length 86)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.63556: Flags [.], seq 1:47, ack 1, win 58240, length 46
                          E..V..@.@.....,..KL....Dx.A!j...P...
                          =..220 server.workflowproducts.com ESMTP Postfix
                          19:27:59.338459 IP (tos 0x0, ttl 46, id 8556, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.63556 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 47, win 46, length 0
                          E..(!l@...!p.KL...,..D..j...x.AOP.........4..l
                          19:27:59.338510 IP (tos 0x0, ttl 64, id 60544, offset 0, flags [DF], proto TCP (6), length 41)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.63556: Flags [P.], seq 47:48, ack 1, win 58240, length 1
                          E..)..@.@.....,..KL....Dx.AOj...P...
                          ...

                          19:27:59.425737 IP (tos 0x0, ttl 46, id 8557, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.63556 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 48, win 46, length 0
                          E..(!m@...!o.KL...,..D..j...x.APP.........9..]
                          19:29:00.383028 IP (tos 0x0, ttl 46, id 8558, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.63556 > server.workflowproducts.com.smtp: Flags [F.], seq 1, ack 48, win 46, length 0
                          E..(!n@...!n.KL...,..D..j...x.APP...........0.
                          19:29:00.383121 IP (tos 0x0, ttl 64, id 9980, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.63556: Flags [.], seq 48, ack 2, win 58240, length 0
                          E..(&.@.@.....,..KL....Dx.APj...P...
                          ...
                          19:29:00.384198 IP (tos 0x0, ttl 46, id 12858, offset 0, flags [DF], proto TCP (6), length 52)
                          mx-ecom.netflix.com.42039 > server.workflowproducts.com.smtp: Flags [S], seq 1096371055, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
                          E..42:@......KL...,..7..AYKo...............d........
                          19:29:00.384237 IP (tos 0x0, ttl 64, id 39063, offset 0, flags [DF], proto TCP (6), length 52)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.42039: Flags [S.], seq 1569898486, ack 1096371056, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
                          E..4..@.@.....,..KL....7]...AYKp....
                          ...............
                          19:29:00.384431 IP (tos 0x0, ttl 64, id 49855, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.63556: Flags [F.], seq 48, ack 2, win 58240, length 0
                          E..(..@.@.....,..KL....Dx.APj...P...
                          ...
                          19:29:00.474464 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.63556 > server.workflowproducts.com.smtp: Flags [.], seq 2, ack 49, win 46, length 0
                          E..(..@...B..KL...,..D..j...x.AQP.........5.3.
                          19:29:00.474853 IP (tos 0x0, ttl 46, id 12859, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.42039 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 1, win 46, length 0
                          E..(2;@......KL...,..7..AYKp]...P...W.....&..J
                          19:29:00.474929 IP (tos 0x0, ttl 64, id 56305, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.42039: Flags [.], seq 1, ack 1, win 58240, length 0
                          E..(..@.@.....,..KL....7]...AYKpP...
                          ...
                          19:29:00.477964 IP (tos 0x0, ttl 64, id 47852, offset 0, flags [DF], proto TCP (6), length 86)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.42039: Flags [.], seq 1:47, ack 1, win 58240, length 46
                          E..V..@.@.....,..KL....7]...AYKpP...
                          =..220 server.workflowproducts.com ESMTP Postfix
                          19:29:00.568682 IP (tos 0x0, ttl 46, id 12860, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.42039 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 47, win 46, length 0
                          E..(2<@......KL...,..7..AYKp]..%P...V.......,-
                          19:29:00.568756 IP (tos 0x0, ttl 64, id 9667, offset 0, flags [DF], proto TCP (6), length 41)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.42039: Flags [P.], seq 47:48, ack 1, win 58240, length 1
                          E..)%.@.@.....,..KL....7]..%AYKpP...
                          ...

                          19:29:00.655916 IP (tos 0x0, ttl 46, id 12861, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.42039 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 48, win 46, length 0
                          E..(2=@......KL...,..7..AYKp]..&P...V.....K.5.
                          19:31:01.054452 IP (tos 0x0, ttl 46, id 12862, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.42039 > server.workflowproducts.com.smtp: Flags [F.], seq 1, ack 48, win 46, length 0
                          E..(2>@......KL...,..7..AYKp]..&P...V..... M..
                          19:31:01.054486 IP (tos 0x0, ttl 64, id 46655, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.42039: Flags [.], seq 48, ack 2, win 58240, length 0
                          E..(.?@.@.....,..KL....7]..&AYKqP...
                          ...
                          19:31:01.055751 IP (tos 0x0, ttl 46, id 16448, offset 0, flags [DF], proto TCP (6), length 52)
                          mx-ecom.netflix.com.61073 > server.workflowproducts.com.smtp: Flags [S], seq 1943919507, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
                          E..4@@@......KL...,.....s..................d........
                          19:31:01.055786 IP (tos 0x0, ttl 64, id 6235, offset 0, flags [DF], proto TCP (6), length 52)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.61073: Flags [S.], seq 353483927, ack 1943919508, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
                          E..4.[@.@.....,..KL.........s.......
                          ...............
                          19:31:01.055828 IP (tos 0x0, ttl 64, id 10076, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.42039: Flags [F.], seq 48, ack 2, win 58240, length 0
                          E..('\@.@.....,..KL....7]..&AYKqP...
                          ...
                          19:31:01.147442 IP (tos 0x0, ttl 46, id 16449, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.61073 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 1, win 46, length 0
                          E..(@A@......KL...,.....s.......P..........~..
                          19:31:01.147524 IP (tos 0x0, ttl 64, id 29986, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.61073: Flags [.], seq 1, ack 1, win 58240, length 0
                          E..(u"@.@.....,..KL.........s...P...
                          ...
                          19:31:01.147652 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.42039 > server.workflowproducts.com.smtp: Flags [.], seq 2, ack 49, win 46, length 0
                          E..(..@...B..KL...,..7..AYKq]..'P...V.........
                          19:31:01.152013 IP (tos 0x0, ttl 64, id 41996, offset 0, flags [DF], proto TCP (6), length 86)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.61073: Flags [.], seq 1:47, ack 1, win 58240, length 46
                          E..V..@.@.....,..KL.........s...P...
                          =..220 server.workflowproducts.com ESMTP Postfix
                          19:31:01.239447 IP (tos 0x0, ttl 46, id 16450, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.61073 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 47, win 46, length 0
                          E..(@B@......KL...,.....s.......P.........)e.B
                          19:31:01.239518 IP (tos 0x0, ttl 64, id 60461, offset 0, flags [DF], proto TCP (6), length 41)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.61073: Flags [P.], seq 47:48, ack 1, win 58240, length 1
                          E..).-@.@.....,..KL.........s...P...
                          ...

                          19:31:01.329766 IP (tos 0x0, ttl 46, id 16451, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.61073 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 48, win 46, length 0
                          E..(@C@......KL...,.....s.......P.........5.#-
                          19:31:32.160830 IP (tos 0x0, ttl 46, id 16452, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.61073 > server.workflowproducts.com.smtp: Flags [F.], seq 1, ack 48, win 46, length 0
                          E..(@D@......KL...,.....s.......P.........h...
                          19:31:32.160912 IP (tos 0x0, ttl 64, id 8652, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.61073: Flags [.], seq 48, ack 2, win 58240, length 0
                          E..(!.@.@.....,..KL.........s...P...
                          ...
                          19:31:32.161336 IP (tos 0x0, ttl 46, id 7125, offset 0, flags [DF], proto TCP (6), length 52)
                          mx-ecom.netflix.com.16090 > server.workflowproducts.com.smtp: Flags [S], seq 303587140, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
                          E..4..@...&..KL...,.>....._D.........M.....d........
                          19:31:32.161404 IP (tos 0x0, ttl 64, id 46807, offset 0, flags [DF], proto TCP (6), length 52)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.16090: Flags [S.], seq 1037803240, ack 303587141, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
                          E..4..@.@.....,..KL...>.=....._E....
                          ...............
                          19:31:32.162375 IP (tos 0x0, ttl 64, id 63467, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.61073: Flags [F.], seq 48, ack 2, win 58240, length 0
                          E..(..@.@.....,..KL.........s...P...
                          ...
                          19:31:32.254107 IP (tos 0x0, ttl 46, id 7126, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.16090 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 1, win 46, length 0
                          E..(..@...'..KL...,.>....._E=...P............,
                          19:31:32.254174 IP (tos 0x0, ttl 64, id 13556, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.16090: Flags [.], seq 1, ack 1, win 58240, length 0
                          E..(4.@.@.....,..KL...>.=....._EP...
                          ...
                          19:31:32.254352 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.61073 > server.workflowproducts.com.smtp: Flags [.], seq 2, ack 49, win 46, length 0
                          E..(..@...B..KL...,.....s.......P..........#.u
                          19:31:32.258220 IP (tos 0x0, ttl 64, id 54956, offset 0, flags [DF], proto TCP (6), length 86)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.16090: Flags [.], seq 1:47, ack 1, win 58240, length 46
                          E..V..@.@.....,..KL...>.=....._EP...
                          =..220 server.workflowproducts.com ESMTP Postfix
                          19:31:32.343568 IP (tos 0x0, ttl 46, id 7127, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.16090 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 47, win 46, length 0
                          E..(..@...'..KL...,.>....._E=...P....o........
                          19:31:32.343631 IP (tos 0x0, ttl 64, id 25513, offset 0, flags [DF], proto TCP (6), length 41)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.16090: Flags [P.], seq 47:48, ack 1, win 58240, length 1
                          E..)c.@.@.....,..KL...>.=....._EP...
                          ...

                          19:31:32.429025 IP (tos 0x0, ttl 46, id 7128, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.16090 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 48, win 46, length 0
                          E..(..@...'..KL...,.>....._E=...P....n.....QK.
                          19:32:33.030239 IP (tos 0x0, ttl 46, id 7129, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.16090 > server.workflowproducts.com.smtp: Flags [F.], seq 1, ack 48, win 46, length 0
                          E..(..@...'..KL...,.>....._E=...P....m....W..}
                          19:32:33.030287 IP (tos 0x0, ttl 64, id 33126, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.16090: Flags [.], seq 48, ack 2, win 58240, length 0
                          E..(.f@.@.....,..KL...>.=....._FP...
                          ...
                          19:32:33.031485 IP (tos 0x0, ttl 46, id 24806, offset 0, flags [DF], proto TCP (6), length 52)
                          mx-ecom.netflix.com.48614 > server.workflowproducts.com.smtp: Flags [S], seq 1264180913, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
                          E..4`.@......KL...,.....KY..........f......d........
                          19:32:33.031517 IP (tos 0x0, ttl 64, id 19530, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.16090: Flags [F.], seq 48, ack 2, win 58240, length 0
                          E..(LJ@.@.....,..KL...>.=....._FP...
                          ...
                          19:32:33.031525 IP (tos 0x0, ttl 64, id 50723, offset 0, flags [DF], proto TCP (6), length 52)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.48614: Flags [S.], seq 1154320061, ack 1264180914, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
                          E..4.#@.@.....,..KL.....D...KY......
                          ...............
                          19:32:33.119899 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.16090 > server.workflowproducts.com.smtp: Flags [.], seq 2, ack 49, win 46, length 0
                          E..(..@...B..KL...,.>....._F=...P....l.....).m
                          19:32:33.120249 IP (tos 0x0, ttl 46, id 24807, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.48614 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 1, win 46, length 0
                          E..(`.@......KL...,.....KY..D...P.............
                          19:32:33.120268 IP (tos 0x0, ttl 64, id 18491, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.48614: Flags [.], seq 1, ack 1, win 58240, length 0
                          E..(H;@.@.....,..KL.....D...KY..P...
                          ...
                          19:32:33.125416 IP (tos 0x0, ttl 64, id 22818, offset 0, flags [DF], proto TCP (6), length 86)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.48614: Flags [.], seq 1:47, ack 1, win 58240, length 46
                          E..VY"@.@.....,..KL.....D...KY..P...
                          =..220 server.workflowproducts.com ESMTP Postfix
                          19:32:33.216807 IP (tos 0x0, ttl 46, id 24808, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.48614 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 47, win 46, length 0
                          E..(`.@......KL...,.....KY..D...P..........I.i
                          19:32:33.216826 IP (tos 0x0, ttl 64, id 22138, offset 0, flags [DF], proto TCP (6), length 41)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.48614: Flags [P.], seq 47:48, ack 1, win 58240, length 1
                          E..)Vz@.@.....,..KL.....D...KY..P...
                          ...

                          19:32:33.301847 IP (tos 0x0, ttl 46, id 24809, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.48614 > server.workflowproducts.com.smtp: Flags [.], seq 1, ack 48, win 46, length 0
                          E..(`.@......KL...,.....KY..D...P...........`.
                          19:34:34.030537 IP (tos 0x0, ttl 46, id 24810, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.48614 > server.workflowproducts.com.smtp: Flags [F.], seq 1, ack 48, win 46, length 0
                          E..(`.@......KL...,.....KY..D...P.........s.2.
                          19:34:34.030569 IP (tos 0x0, ttl 64, id 18365, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.48614: Flags [.], seq 48, ack 2, win 58240, length 0
                          E..(G.@.@.....,..KL.....D...KY..P...
                          ...
                          19:34:34.031927 IP (tos 0x0, ttl 64, id 54930, offset 0, flags [DF], proto TCP (6), length 40)
                          server.workflowproducts.com.smtp > mx-ecom.netflix.com.48614: Flags [F.], seq 48, ack 2, win 58240, length 0
                          E..(..@.@.....,..KL.....D...KY..P...
                          ...
                          19:34:34.121788 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 40)
                          mx-ecom.netflix.com.48614 > server.workflowproducts.com.smtp: Flags [.], seq 2, ack 49, win 46, length 0
                          E..(..@...B..KL...,.....KY..D...P..........h..


                          Regards,

                          Justin T
                        • Victor Duchovni
                          Message 12 of 17, Jun 2, 2011
                            On Thu, Jun 02, 2011 at 08:06:13PM -0500, Justin Tocci wrote:

                            > Apparently I cut my last post too short to be useful. I am getting better at tcpdump. Here is everything I captured the last time I tried:

                            You still have not disabled TCP window scaling. On Linux systems:

                            sysctl -w net.ipv4.tcp_window_scaling=0

                            Window scaling confuses many routers. Also "DMZ" does not mean that your
                            router is not in the way, it just changes the details of the topology.

                            > Capture command:
                            > tcpdump -s 0 -w /opt/mail/dump11.txt net 208.75.76.252/32
                            >
                            > root@server:~
                            > $ tcpdump -AKvvr /opt/mail/dump12.txt

                            This is not a "txt" file, it is a binary capture file. You need to make
                            this file available, typically by posting the URL of a "paste-bin" copy.

                            Not interested in your decoding of the file, need the raw data. Make
                            sure it contains at least one complete session (from 3-way SYN to 3-way
                            FIN or RST). Ideally, having found such a session extract a pure tcpdump
                            capture of just that session:

                            tcpdump -s 0 -r /file1 -w /file2 tcp port 56789

                            (replace 56789 by the client port used in the session). Then make "file2"
                            available after inspecting it with "tcpdump -r" to make sure it still
                            contains a complete session.

                            --
                            Viktor.
                          • Wietse Venema
                            Message 13 of 17, Jun 3, 2011
                              Justin Tocci:
                              > On Jun 2, 2011, at 7:44 PM, Wietse Venema wrote:
                              >
                              > > Justin Tocci:
                              > >> I did find out how to dump fancier output which I think someone wanted.
                              > >>
                              > >> tcpdump -AXXr /opt/mail/dump10.txt
                              > >>
                              > >> 17:08:23.323379 IP server.workflowproducts.com.smtp > mx-ecom.netflix.com.29698: Flags [.], seq 1:47, ack 1, win 65535, length 46
                              > >
                              > > Where is the SYN handshake with the TCP-level options?
                              > >
                              > > Wietse
                              >
                              >
                              > I didn't want to flood the list with output so I only printed what I thought was a complete connection. I am guessing you mean I didn't show enough of the connection. Here is everything I got in that capture:
                              >
                              > root@server:~
                              > $ tcpdump -Avvr /opt/mail/dump12.txt
                              > reading from file /opt/mail/dump12.txt, link-type EN10MB (Ethernet)
                              > 19:27:28.397765 IP (tos 0x0, ttl 46, id 18783, offset 0, flags [DF], proto TCP (6), length 52)
                              > mx-ecom.netflix.com.61142 > server.workflowproducts.com.smtp: Flags [S], cksum 0x8338 (correct), seq 1953720321, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
                              > E..4I_@....p.KL...,.....tsh..........8.....d........
                              > 19:27:28.397838 IP (tos 0x0, ttl 64, id 3095, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->24b9)!)
                              > server.workflowproducts.com.smtp > mx-ecom.netflix.com.61142: Flags [S.], cksum 0x0a1b (incorrect -> 0xc31e), seq 1089115808, ack 1953720322, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0

                              As you can see, both the sending host and the receiving host are
                              willing to use TCP Window scaling.

                              This feature is often mis-implemented by crappy firewalls and
                              routers.

                              Turn it off, as repeatedly asked by Victor.

                              Wietse
                            • Justin Tocci
                              Message 14 of 17 , Jun 3, 2011
                                I am on Mac OS X Server so the command to turn off window scaling is sysctl -w net.inet.tcp.rfc1323=0. I did that and it worked!

                                Thank you Victor for the suggestion and your patience. And thank you very much Wietse for pointing out that I had not done it! I thought I had done that but it turns out I had set the window scaling factor (net.inet.tcp.win_scale_factor=8) and when it didn't work I dismissed it as an issue.

                                I apologize for not posting the full binary file off-list. I didn't understand the request at the time.

                                I am going to figure out how you read that TCP window scaling was turned on from my output and move on.

                                As Wietse pointed out this may be a firewall issue. I have been shopping for a better router. I have a couple customers a month ask me and all I can tell them is not to buy the ones I've used. This Netgear FVS318g has been a real pain when it comes to using VPN through it. There are no options for letting most VPN protocols through with rules so I was happy to go to DMZ for now since it let me get more of my VPN stuff working. If anyone knows of a decent firewall in the $300 or less range let me know.

                                Regards,

                                Justin T
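How the handshake in Message 13 shows that window scaling is on, as an added example that is not part of any poster's message: the option is in effect only when both the SYN and the SYN-ACK carry `wscale`, which is why the first dump, lacking the handshake, could not answer the question. The function names are hypothetical, the third capture line is constructed, and the code assumes tcpdump prints the raw 16-bit window field.

```python
import re

# First two lines: the SYN and SYN-ACK quoted in the thread (tcpdump -Avvr).
# Third line: constructed for this example, modelled on the thread's data segment.
CAPTURE = """\
mx-ecom.netflix.com.61142 > server.workflowproducts.com.smtp: Flags [S], cksum 0x8338 (correct), seq 1953720321, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
server.workflowproducts.com.smtp > mx-ecom.netflix.com.61142: Flags [S.], cksum 0x0a1b (incorrect -> 0xc31e), seq 1089115808, ack 1953720322, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
server.workflowproducts.com.smtp > mx-ecom.netflix.com.61142: Flags [P.], seq 1:47, ack 1, win 65535, length 46
"""

SEGMENT = re.compile(
    r"(\S+) > (\S+): Flags \[([^\]]*)\].*?win (\d+)(?:, options \[([^\]]*)\])?")
WSCALE = re.compile(r"wscale (\d+)")

def parse_segments(text):
    """Return one dict per TCP segment found in tcpdump text output."""
    segments = []
    for src, dst, flags, win, opts in SEGMENT.findall(text):
        m = WSCALE.search(opts)  # opts is '' when the segment has no options
        segments.append({"src": src, "dst": dst, "flags": flags, "win": int(win),
                         "wscale": int(m.group(1)) if m else None})
    return segments

def negotiated_shifts(segments):
    """Map each sender to its shift count; None if scaling was not negotiated."""
    syn = next((s for s in segments if s["flags"] == "S"), None)
    synack = next((s for s in segments if s["flags"] == "S."), None)
    if not syn or not synack:
        raise ValueError("capture does not contain the SYN/SYN-ACK handshake")
    if syn["wscale"] is None or synack["wscale"] is None:
        return None  # one side did not offer the option, so nobody scales
    return {syn["src"]: syn["wscale"], synack["src"]: synack["wscale"]}

def effective_window(segment, shifts):
    """Bytes the sender of `segment` is really advertising."""
    # The window field of SYN segments is never scaled.
    if shifts is None or "S" in segment["flags"]:
        return segment["win"]
    return segment["win"] << shifts[segment["src"]]

if __name__ == "__main__":
    segs = parse_segments(CAPTURE)
    shifts = negotiated_shifts(segs)
    print("window scaling negotiated:", shifts)
    for s in segs:
        print(s["src"], s["flags"], s["win"], "->", effective_window(s, shifts))
```

A middlebox that mishandles the option sees `win 65535` on the data segment where the endpoints mean 65535 << 6 bytes; with `net.inet.tcp.rfc1323=0` the server stops offering `wscale` and both interpretations agree.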
                              • Victor Duchovni
                                Message 15 of 17 , Jun 3, 2011
                                  On Fri, Jun 03, 2011 at 12:47:31PM -0500, Justin Tocci wrote:

                                  > If anyone knows of a decent firewall in the $300 or less range let me know.

                                  Under $300, you generally get what you pay for. Quality firewalls tend to
                                  be $400+, a good place to start is perhaps:

                                  http://www.google.com/products/catalog?q=netscreen+SRX100+price&tbm=shop&cid=5776994578843374603

                                  This is a personal opinion, not my employer's. I am suggesting the
                                  low-end of an enterprise product, since the software tends to be more
                                  robust than the high end of consumer products.

                                  --
                                  Viktor.
                                • Charles Marcus
                                  Message 16 of 17 , Jun 3, 2011
                                    On 2011-06-03 1:47 PM, Justin Tocci wrote:
                                    > If anyone knows of a decent firewall in the $300 or less range let me know.

                                    Far be it from me to challenge Victor on a recommendation like this, but
                                    if money is tight, for home/small business networks, I have only good
                                    things to say about this combination:

                                    BUFFALO WZR-HP-G300NH (1-WAN, 4-LAN, all Gigabit ports) (@ $70)
                                    http://www.newegg.com/Product/Product.aspx?Item=N82E16833162031
                                    +
                                    Fully supports DD-WRT or OpenWRT firmware (which I prefer to the
                                    stock/DD-WRT)

                                    with either DD-WRT or OpenWRT it gives you powerful
                                    firewall/routing/VPN/wireless capabilities on a low power inexpensive
                                    SOHO box.

                                    --

                                    Best regards,

                                    Charles
                                  • Victor Duchovni
                                    Message 17 of 17 , Jun 3, 2011
                                      On Fri, Jun 03, 2011 at 03:33:33PM -0400, Charles Marcus wrote:

                                      > On 2011-06-03 1:47 PM, Justin Tocci wrote:
                                      > > If anyone knows of a decent firewall in the $300 or less range let me know.
                                      >
                                      > Far be it from me to challenge Victor on a recommendation like this, but
                                      > if money is tight, for home/small business networks, I have only good
                                      > things to say about this combination:
                                      >
                                      > BUFFALO WZR-HP-G300NH (1-WAN, 4-LAN, all Gigabit ports) (@ $70)
                                      > http://www.newegg.com/Product/Product.aspx?Item=N82E16833162031
                                      > +
                                      > Fully supports DD-WRT or OpenWRT firmware (which I prefer to the
                                      > stock/DD-WRT)
                                      >
                                      > with either DD-WRT or OpenWRT it gives you powerful
                                      > firewall/routing/VPN/wireless capabilities on a low power inexpensive
                                      > SOHO box.

                                      You may be right. I was not thinking of devices with an open-source
                                      IP/firewall stack. If the hardware is OK and is fully supported by the
                                      software, the OP may get a decent, relatively cheap combination.

                                      --
                                      Viktor.