On Mar 25, 2010, at 15:03 , Bardur Arantsson wrote:
On 2010-02-24 20:50, Brandon S. Allbery KF8NH wrote:
tcpdump 'host ps3 and tcp[tcpflags] & 0x27 != 0'
The only striking thing I can see about the dump is that there are 22 (conspicuously close to 16) sequences like:
19:45:30.135291 IP 192.168.0.115.64931 > gwendolyn.9000: Flags [R], seq 2112225068, win 0, length 0 19:45:30.135295 IP 192.168.0.115.64931 > gwendolyn.9000: Flags [R], seq 2112225068, win 0, length 0 19:45:30.135299 IP 192.168.0.115.64931 > gwendolyn.9000: Flags [R], seq 2112225068, win 0, length 0 19:45:30.135302 IP 192.168.0.115.64931 > gwendolyn.9000: Flags [R], seq 2112225068, win 0, length 0
The above is a single socket: the source and destination ports are the same for all 4 traces. More useful, from the dump, is:
19:44:41.774161 IP 192.168.0.115.65265 > gwendolyn.9000: Flags [F.], seq 231, ack 1073301, win 41124, options [nop,nop,TS val 0 ecr 95041042], length 0
which is where the PS/3 sent a FIN telling gwendolyn to close the socket. It then follows that with a bunch of RST packets, the first of which is in sequence with the above FIN (suggesting the PS/3 responded to the continued attempt to send by dropping the socket on the floor instead of by resending the FIN) and the rest are "this port is closed" RSTs, presumably due to 22 attempts to continue sending data. This is somewhat poor on the part of the PS/3, but understandable given that it's essentially an embedded device. It would be interesting to see what the data around there was, but that's not easy to do without recording all of it. -- brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu electrical and computer engineering, carnegie mellon university KF8NH