Above is the tcpdump output, which shows the TCP three-way handshake of the process:
1> The first packet, with timestamp 19:44:44.524107, hits the CR on PORT B (IN) from 10.103.4.250 with source port 59261; it is going to 10.103.4.11, destination port 3389. The flag set is SYN [S]. The sequence number of the packet is 10988617 and its window size is 8192. You can also see the MSS of the packet, 1460.
2> The CR has now changed the destination IP of the packet from 10.103.4.11 to the internal server IP, i.e. 10.10.1.2. The destination port remains 3389 and the other parameters are unchanged. The timestamp of the packet is 19:44:44.524276.
3> The third packet, with timestamp 19:44:44.524606, is the SYN/ACK received from 10.10.1.2, with sequence number 2506618164 and acknowledgment number 10988618.
4> The source IP of the third packet is NATed to 10.103.4.11 and the packet is sent out on port B. It is still a SYN/ACK, with timestamp 19:44:44.524679.
5> The packet received is the final ACK of the TCP three-way handshake. The timestamp of this packet is 19:44:44.528029.
6> The sixth packet is the inbound NAT to the internal server.
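The same pairing can be done mechanically when a capture is too long to read by eye. The script below is an added example, not part of the original post: it matches the two sightings of each segment by flags and sequence number and reports which address the firewall rewrote and how long the packet spent inside it. The sample lines are constructed in plain `tcpdump -n` style from the values quoted above, and the names `parse` and `nat_rewrites` are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in plain `tcpdump -n` style, built only from the values
# quoted in the walkthrough; fields the post does not give are left out.
SAMPLE = """\
19:44:44.524107 IP 10.103.4.250.59261 > 10.103.4.11.3389: Flags [S], seq 10988617, win 8192, options [mss 1460], length 0
19:44:44.524276 IP 10.103.4.250.59261 > 10.10.1.2.3389: Flags [S], seq 10988617, win 8192, options [mss 1460], length 0
19:44:44.524606 IP 10.10.1.2.3389 > 10.103.4.250.59261: Flags [S.], seq 2506618164, ack 10988618, length 0
19:44:44.524679 IP 10.103.4.11.3389 > 10.103.4.250.59261: Flags [S.], seq 2506618164, ack 10988618, length 0
19:44:44.528029 IP 10.103.4.250.59261 > 10.103.4.11.3389: Flags [.], length 0
"""

LINE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\](?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?"
)

def parse(text):
    """Yield one dict per tcpdump line that matches the expected layout."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["time"] = datetime.strptime(pkt["ts"], "%H:%M:%S.%f")
            yield pkt

def nat_rewrites(text):
    """Pair the two sightings of each segment and report what NAT changed."""
    first_seen, found = {}, []
    for pkt in parse(text):
        if pkt["seq"] is None:          # no seq field to match on, skip
            continue
        key = (pkt["flags"], pkt["seq"], pkt["ack"])
        before = first_seen.setdefault(key, pkt)
        if before is pkt:               # first sighting, nothing to compare yet
            continue
        for field in ("src", "sport", "dst", "dport"):
            if before[field] != pkt[field]:
                delay = (pkt["time"] - before["time"]).microseconds
                found.append((field, before[field], pkt[field], delay))
    return found

if __name__ == "__main__":
    for field, old, new, delay in nat_rewrites(SAMPLE):
        print(f"{field}: {old} -> {new} ({delay} us inside the firewall)")
```

A segment that shows up on only one side of the firewall produces no pair, which is a quick way to spot packets dropped by a rule rather than translated.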