Networking Forums > Computer Networking > Linux Networking > tcpdump : need one line explanation
tcpdump : need one line explanation


Bruno
09-03-2005, 08:58 PM
I have a problem configuring a Wireless ADSL router:
ping to a www address works fine, but browsing does not and finishes with a time-out.
So I used tcpdump and tried to browse www.google.be.
The following lines were returned:
....
....
line-1= 22:48:29.492514 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF],
proto 17, length: 75) mygateway.ar7.domain > 192.168.1.2.32813: [udp sum
ok] 62065- q: A? www.google.be. 1/0/0 www.google.be. A 1.0.0.0 (47)

line-2= 22:48:29.495631 IP (tos 0x0, ttl 64, id 43933, offset 0, flags
[DF], proto 6, length: 60) 192.168.1.2.49103 > 1.0.0.0.http: S [tcp sum ok]
2704529131:2704529131(0) win 5840 <mss 1460,sackOK,timestamp 32603510
0,nop,wscale 2>
....repeat line2......repeat line2...

What does line-2 mean?
Thanks. Cheers.

Allen McIntosh
09-04-2005, 01:04 AM
[Next time, simplify your life a bit by running
host www.google.be
That way you will get some interpretation of the DNS traffic. Also,
since DNS seems to be flaky, use tcpdump -n so tcpdump doesn't try to
resolve IP addresses.]
That said...

> line-1= 22:48:29.492514 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF],
> proto 17, length: 75) mygateway.ar7.domain > 192.168.1.2.32813: [udp sum
> ok] 62065- q: A? www.google.be. 1/0/0 www.google.be. A 1.0.0.0 (47)

This appears to be a reply from a nameserver telling you that the IP
address for www.google.be is 1.0.0.0. This is wrong.
>
> line-2= 22:48:29.495631 IP (tos 0x0, ttl 64, id 43933, offset 0, flags
> [DF], proto 6, length: 60) 192.168.1.2.49103 > 1.0.0.0.http: S [tcp sum ok]
> 2704529131:2704529131(0) win 5840 <mss 1460,sackOK,timestamp 32603510
> 0,nop,wscale 2>

This is your web browser trying to open a TCP connection to port 80 on
1.0.0.0.
> ...repeat line2......repeat line2...

Your system will keep trying for a while.
Clifford Kite
09-04-2005, 02:30 AM
Bruno <(E-Mail Removed)> wrote:
> I have a problem configuring a Wireless ADSL router:
> ping to a www address works fine, but browsing does not and finishes with a time-out.
> So I used tcpdump and tried to browse www.google.be.
> The following lines were returned:
> ...
> ...
> line-1= 22:48:29.492514 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF],
> proto 17, length: 75) mygateway.ar7.domain > 192.168.1.2.32813: [udp sum
> ok] 62065- q: A? www.google.be. 1/0/0 www.google.be. A 1.0.0.0 (47)


> line-2= 22:48:29.495631 IP (tos 0x0, ttl 64, id 43933, offset 0, flags
> [DF], proto 6, length: 60) 192.168.1.2.49103 > 1.0.0.0.http: S [tcp sum ok]
> 2704529131:2704529131(0) win 5840 <mss 1460,sackOK,timestamp 32603510
> 0,nop,wscale 2>
> ...repeat line2......repeat line2...


> What does line-2 mean?


Not one line but ...

It means that mygateway.ar7 runs a DNS server which provided the host
192.168.1.2 with the bogus IP address 1.0.0.0 for www.google.be in
line-1 and so the TCP SYN handshake (S) fails for lack of a response.

Try disabling the DNS server on mygateway.ar7 so an ISP DNS server can
do its job - assuming NAT or MASQUERADING is done somewhere along the
way, since 192.168.1.2 is an RFC 1918 address (private) and any packet from
it would be discarded by the first properly configured Internet router.

Note:

corncob:/usr/src/linux# host 1.0.0.0
Host not found.
corncob:/usr/src/linux# host www.google.be
www.google.be is a nickname for www.google.com
www.google.com is a nickname for www.l.google.com
www.l.google.com has address 64.233.187.104
www.l.google.com has address 64.233.187.99
www.l.google.com has address 64.233.187.104
www.l.google.com has address 64.233.187.99

[If I'm wrong then I expect someone will tell us so. Hopefully, they
will also explain why.]

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"

Bruno Costacurta
09-04-2005, 08:56 AM
Clifford Kite wrote:

> Bruno <(E-Mail Removed)> wrote:
>> I have a problem configuring a Wireless ADSL router:
>> ping to a www address works fine, but browsing does not and finishes with
>> a time-out. So I used tcpdump and tried to browse www.google.be.
>> The following lines were returned:
>> ...
>> ...
>> line-1= 22:48:29.492514 IP (tos 0x0, ttl 64, id 0, offset 0, flags
>> [DF], proto 17, length: 75) mygateway.ar7.domain > 192.168.1.2.32813:
>> [udp sum
>> ok] 62065- q: A? www.google.be. 1/0/0 www.google.be. A 1.0.0.0 (47)

>
>> line-2= 22:48:29.495631 IP (tos 0x0, ttl 64, id 43933, offset 0, flags
>> [DF], proto 6, length: 60) 192.168.1.2.49103 > 1.0.0.0.http: S [tcp sum
>> ok]
>> 2704529131:2704529131(0) win 5840 <mss 1460,sackOK,timestamp 32603510
>> 0,nop,wscale 2>
>> ...repeat line2......repeat line2...

>
>> What does line-2 mean?

>
> Not one line but ...
>
> It means that mygateway.ar7 runs a DNS server which provided the host
> 192.168.1.2 with the bogus IP address 1.0.0.0 for www.google.be in
> line-1 and so the TCP SYN handshake (S) fails for lack of a response.
>
> Try disabling the DNS server on mygateway.ar7 so an ISP DNS server can
> do its job - assuming NAT or MASQUERADING is done somewhere along the
> way, since 192.168.1.2 is an RFC 1918 address (private) and any packet from
> it would be discarded by the first properly configured Internet router.
>
> Note:
>
> corncob:/usr/src/linux# host 1.0.0.0
> Host not found.
> corncob:/usr/src/linux# host www.google.be
> www.google.be is a nickname for www.google.com
> www.google.com is a nickname for www.l.google.com
> www.l.google.com has address 64.233.187.104
> www.l.google.com has address 64.233.187.99
> www.l.google.com has address 64.233.187.104
> www.l.google.com has address 64.233.187.99
>
> [If I'm wrong then I expect someone will tell us so. Hopefully, they
> will also explain why.]
>


I updated the DNS servers in /etc/resolv.conf with my ISP's values.
The result is:

[root@pc34ghz ~]# host www.google.be
www.google.be has address 216.239.59.147
;; Warning: Message parser reports malformed message packet.
;; connection timed out; no servers could be reached

and the tcpdump report is:
(note: is there any problem with ARP hereafter?
What does 'ServFail- q:[|domain]' mean?)
....
10:34:23.699202 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17,
length: 59) 192.168.1.2.32816 > mygateway.ar7.domain: [udp sum ok] 15776+
MX? www.google.be. (31)
10:34:28.657424 arp who-has 192.168.1.2 tell mygateway.ar7
10:34:28.657446 arp reply 192.168.1.2 is-at 00:50:ba:2a:64:82
10:34:28.661974 IP (tos 0x0, ttl 64, id 13690, offset 0, flags [DF], proto
17, length: 70) 192.168.1.2.32814 > mygateway.ar7.domain: [udp sum ok]
16571+ PTR? 2.1.168.192.in-addr.arpa. (42)
10:34:28.700009 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto 17,
length: 59) 192.168.1.2.32816 > mygateway.ar7.domain: [udp sum ok] 15776+
MX? www.google.be. (31)
10:34:34.697990 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17,
length: 70) mygateway.ar7.domain > 192.168.1.2.32814: [udp sum ok] 16571
ServFail- q: PTR? 2.1.168.192.in-addr.arpa. 0/0/0 (42)
10:34:34.698031 IP (tos 0xc0, ttl 64, id 48716, offset 0, flags [none],
proto 1, length: 98) 192.168.1.2 > mygateway.ar7: icmp 78: 192.168.1.2 udp
port 32814 unreachable for IP (tos 0x0, ttl 64, id 0, offset 0, flags
[DF], proto 17, length: 70) mygateway.ar7.domain > 192.168.1.2.32814:
16571 ServFail- q:[|domain]
....

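The replies above read the two captures by hand: a resolver answer of 1.0.0.0 for www.google.be, a SYN to that address that is retransmitted and never answered, and in the second capture a ServFail that reaches the host only after the querying socket has been closed, which is what the ICMP "udp port 32814 unreachable" line records (the `[|domain]` suffix is tcpdump's marker for a DNS payload it could not fully decode, because an ICMP error quotes only the beginning of the original datagram). The following Python script is an added example, not code from the thread or from any of its posters; it does the same correlation automatically over a constructed sample. The sample joins the quoted tcpdump records back onto single lines and adds, for contrast, a healthy answer for www.l.google.com (the 64.233.187.104 address comes from the `host` output quoted above), its SYN and a SYN-ACK; the regular expressions are written for the old tcpdump -v record format shown in the thread, and every address, name and number outside the quoted records is constructed.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the tcpdump -v output quoted in this thread,
# each record joined back onto one line (not a real capture). The
# www.l.google.com answer, its SYN and the SYN-ACK are constructed as the
# healthy case for contrast.
SAMPLE_CAPTURE = """\
22:48:29.492514 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 75) mygateway.ar7.domain > 192.168.1.2.32813: [udp sum ok] 62065- q: A? www.google.be. 1/0/0 www.google.be. A 1.0.0.0 (47)
22:48:29.495631 IP (tos 0x0, ttl 64, id 43933, offset 0, flags [DF], proto 6, length: 60) 192.168.1.2.49103 > 1.0.0.0.http: S [tcp sum ok] 2704529131:2704529131(0) win 5840 <mss 1460,sackOK,timestamp 32603510 0,nop,wscale 2>
22:48:32.495631 IP (tos 0x0, ttl 64, id 43934, offset 0, flags [DF], proto 6, length: 60) 192.168.1.2.49103 > 1.0.0.0.http: S [tcp sum ok] 2704529131:2704529131(0) win 5840 <mss 1460,sackOK,timestamp 32606510 0,nop,wscale 2>
22:48:40.101010 IP (tos 0x0, ttl 64, id 7, offset 0, flags [DF], proto 17, length: 78) mygateway.ar7.domain > 192.168.1.2.32817: [udp sum ok] 30201 q: A? www.l.google.com. 1/0/0 www.l.google.com. A 64.233.187.104 (50)
22:48:40.105050 IP (tos 0x0, ttl 64, id 43940, offset 0, flags [DF], proto 6, length: 60) 192.168.1.2.49110 > 64.233.187.104.http: S [tcp sum ok] 11111:11111(0) win 5840 <mss 1460,sackOK,timestamp 32610000 0,nop,wscale 2>
22:48:40.145050 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto 6, length: 60) 64.233.187.104.http > 192.168.1.2.49110: S [tcp sum ok] 22222:22222(0) ack 11112 win 8190 <mss 1380,sackOK,timestamp 1 32610000,nop,wscale 0>
10:34:34.697990 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 70) mygateway.ar7.domain > 192.168.1.2.32814: [udp sum ok] 16571 ServFail- q: PTR? 2.1.168.192.in-addr.arpa. 0/0/0 (42)
10:34:34.698031 IP (tos 0xc0, ttl 64, id 48716, offset 0, flags [none], proto 1, length: 98) 192.168.1.2 > mygateway.ar7: icmp 78: 192.168.1.2 udp port 32814 unreachable for IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 70) mygateway.ar7.domain > 192.168.1.2.32814: 16571 ServFail- q:[|domain]
"""

# Old tcpdump DNS reply: "<id>[ rcode][-+*$|] q: <QTYPE>? <qname> <an>/<ns>/<ar>[ rrs] (<len>)"
DNS_REPLY = re.compile(
    r"^\S+ IP .*? (?P<src>\S+) > (?P<dst>\S+): \[udp sum ok\] "
    r"(?P<id>\d+) ?(?P<rcode>NXDomain|ServFail|Refused|FormErr)?[-+*$|]* q: "
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) (?P<an>\d+)/\d+/\d+(?P<rrs>.*?) \(\d+\)$"
)
A_RR = re.compile(r"(\S+) A (\d+\.\d+\.\d+\.\d+)")
# TCP SYN; an "ack N" after the sequence numbers marks a SYN-ACK in this format
TCP_SYN = re.compile(
    r"^\S+ IP .*? (?P<src>\S+) > (?P<dst>\S+): S \[tcp sum ok\] "
    r"\d+:\d+\(0\)(?P<ack> ack \d+)?"
)
ICMP_UNREACH = re.compile(r"icmp \d+: (?P<host>\S+) udp port (?P<port>\d+) unreachable")


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'1.0.0.0.http' -> ('1.0.0.0', 'http'); numeric ports (tcpdump -n) work too."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def special_use_reason(addr: str) -> Optional[str]:
    """Why an address should never be handed out as a public A answer, or None."""
    ip = ipaddress.ip_address(addr)
    if ip.is_private:
        return "private (RFC 1918) or reserved range"
    if ip.is_unspecified or ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return "special-use range"
    if not ip.is_global:
        return "not globally routable"
    # Caveat: 1.0.0.0/8 was unallocated when this thread was written but is
    # allocated today, so a range check alone no longer catches that answer;
    # the handshake correlation in analyze() does.
    return None


def analyze(capture: str) -> List[dict]:
    """Correlate resolver answers with the TCP handshakes that follow them."""
    answers: Dict[str, Tuple[str, str]] = {}                   # addr -> (qname, resolver)
    syns: Dict[Tuple[str, str, str], int] = defaultdict(int)   # (client, server, port) -> SYNs
    synacks = set()                                            # (client, server, port) answered
    findings: List[dict] = []

    for line in capture.splitlines():
        m = DNS_REPLY.match(line)
        if m:
            if m["rcode"]:
                findings.append({"kind": "dns_error", "rcode": m["rcode"], "qtype": m["qtype"],
                                 "qname": m["qname"], "resolver": m["src"]})
            for _, addr in A_RR.findall(m["rrs"]):
                answers[addr] = (m["qname"], m["src"])
                reason = special_use_reason(addr)
                if reason:
                    findings.append({"kind": "suspect_answer", "qname": m["qname"], "addr": addr,
                                     "reason": reason, "resolver": m["src"]})
            continue
        m = TCP_SYN.match(line)
        if m:
            src_host, src_port = split_endpoint(m["src"])
            dst_host, dst_port = split_endpoint(m["dst"])
            if m["ack"]:
                synacks.add((dst_host, src_host, src_port))  # keyed like the client's SYN
            else:
                syns[(src_host, dst_host, dst_port)] += 1
            continue
        m = ICMP_UNREACH.search(line)
        if m:
            # A reply reached a UDP port the resolver client had already closed.
            findings.append({"kind": "late_reply", "host": m["host"], "port": m["port"]})

    for key, count in syns.items():
        if key in synacks:
            continue
        client, server, port = key
        qname, resolver = answers.get(server, (None, None))
        findings.append({"kind": "unanswered_syn", "client": client, "server": server,
                         "port": port, "syns": count, "qname": qname, "resolver": resolver})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_CAPTURE):
        print(finding)
```

Run against the sample, `analyze()` reports the 1.0.0.0 answer through its consequence (two SYNs from 192.168.1.2 to 1.0.0.0:http with no SYN-ACK, attributed back to the www.google.be answer from mygateway.ar7), the ServFail on the PTR query, and the late reply to port 32814, while the www.l.google.com exchange produces nothing. Keying the correlation on the handshake rather than on address ranges is deliberate: a resolver that hands out an address nobody answers on is the symptom to detect whatever range the address falls in. Pipe `tcpdump -v` output into `analyze()` on a live host; with `-n`, ports appear numerically and the same regular expressions still apply.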
Olivier
09-04-2005, 10:31 AM
Bruno Costacurta wrote:
> Clifford Kite wrote:
>
>
>>Bruno <(E-Mail Removed)> wrote:
>>
>>>I have a problem configuring a Wireless ADSL router:
>>>ping to a www address works fine, but browsing does not and finishes with
>>>a time-out. So I used tcpdump and tried to browse www.google.be.
>>>The following lines were returned:
>>>...


>>
>>It means that mygateway.ar7 runs a DNS server which provided the host
>>192.168.1.2 with the bogus IP address 1.0.0.0 for www.google.be in
>>line-1 and so the TCP SYN handshake (S) fails for lack of a response.
>>
>>Try disabling the DNS server on mygateway.ar7 so an ISP DNS server can
>>do its job - assuming NAT or MASQUERADING is done somewhere along the
>>way, since 192.168.1.2 is an RFC 1918 address (private) and any packet from
>>it would be discarded by the first properly configured Internet router.
>>
>>Note:
>>
>>corncob:/usr/src/linux# host 1.0.0.0


>
> I updated DNS into /etc/resolv.conf with my ISP values.
> Result is :
>
> [root@pc34ghz ~]# host www.google.be
> www.google.be has address 216.239.59.147
> ;; Warning: Message parser reports malformed message packet.
> ;; connection timed out; no servers could be reached
>


Could you give more information about your network setup?
It looks like you confused yourself.
Your ADSL modem is probably able to do routing, firewall, DHCP, DNS, and
perhaps even NTP.
Configure it with default values everywhere, enabling DNS.
Then, on your desktop you just have to do:
dhclient <interface connected to the modem>

and everything should run smoothly. Do not try to tamper with DNS settings,
routes etc., or else explain why you want to.

Olivier
Bruno Costacurta
09-05-2005, 05:32 PM
Olivier wrote:

> Bruno Costacurta wrote:
>> Clifford Kite wrote:
>>
>>
>>>Bruno <(E-Mail Removed)> wrote:
>>>
>>>>I have a problem configuring a Wireless ADSL router:
>>>>ping to a www address works fine, but browsing does not and finishes with
>>>>a time-out. So I used tcpdump and tried to browse www.google.be.
>>>>The following lines were returned:
>>>>...

>
>>>
>>>It means that mygateway.ar7 runs a DNS server which provided the host
>>>192.168.1.2 with the bogus IP address 1.0.0.0 for www.google.be in
>>>line-1 and so the TCP SYN handshake (S) fails for lack of a response.
>>>
>>>Try disabling the DNS server on mygateway.ar7 so an ISP DNS server can
>>>do its job - assuming NAT or MASQUERADING is done somewhere along the
>>>way, since 192.168.1.2 is an RFC 1918 address (private) and any packet from
>>>it would be discarded by the first properly configured Internet router.
>>>
>>>Note:
>>>
>>>corncob:/usr/src/linux# host 1.0.0.0

>
>>
>> I updated DNS into /etc/resolv.conf with my ISP values.
>> Result is :
>>
>> [root@pc34ghz ~]# host www.google.be
>> www.google.be has address 216.239.59.147
>> ;; Warning: Message parser reports malformed message packet.
>> ;; connection timed out; no servers could be reached
>>

>
> Could you give more information about your network setup?
> It looks like you confused yourself.
> Your ADSL modem is probably able to do routing, firewall, DHCP, DNS, and
> perhaps even NTP.
> Configure it with default values everywhere, enabling DNS.
> Then, on your desktop you just have to do:
> dhclient <interface connected to the modem>
>
> and everything should run smoothly. Do not try to tamper with DNS settings,
> routes etc., or else explain why you want to.
>
> Olivier


I tried many things.
From default values to specific ones (i.e. disabling the firewall, manually
specifying DNS according to the ISP's indications..) and always got more or less
the same huge amount of inconsistencies, i.e. some web sites never work, others
work a few times (especially after a reboot) or return 'time-out' or 'document
contains no data', all host commands to check a site failed, very slow
traceroute.. etc..

Note:
- another Wireless ADSL router (NetGear DG834G) I tried works perfectly!
Only by entering the Internet user / password!

The problem appears to be the Wireless ADSL router itself.
Model is D-Link DSL-G604T. IMHO a crap model.
And updating the firmware (to a recent one from August 2005) changes
nothing noticeable.

However, hereafter is the 'standard' config as delivered by the router:

Destination Gateway Genmask Flags Metric Ref Use Iface
83.134.238.1 * 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
239.0.0.0 * 255.0.0.0 U 0 0 0 br0
default ip-83-134-238-1 0.0.0.0 UG 0 0 0 ppp0

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS set 1360
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp destination-unreachable
DROP icmp -- anywhere anywhere state INVALID

# route on the PC:
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default mygateway.ar7 0.0.0.0 UG 0 0 0 eth0

Note: router address ip-83-134-238-1 = 192.168.1.1

If you have an idea I'll appreciate it...
