Subject: Re: Update 3: the plot thickens. (^A^A^H junk)
From: Wietse Venema (wietseporcupine.org)
Date: Fri Mar 24 2000 - 16:16:52 CST


Gerald Richter:
> > From: Wietse Venema [mailto:wietseporcupine.org]
> > Gerald Richter:
> > > I will do this test tomorrow with them because I am out of office for the
> > > whole day. Wietse, if it's ok for you I will restart the mails to
> > > nullporcupine.org tomorrow and also the tcpdumps. Then we switch off the
> > > bridge at our ISP and see if this makes any difference.
> >
> > I've got tcpdump running as of 09:15 UTC-0500.
> >
>
> We have started the tests (setting the ISP's bridge policy for our mailhost
> to just forward) and I didn't see any errors so far, but we will keep trying
> until tomorrow to be sure. If there are still no errors until tomorrow, we
> switch back the bridge (to do their normal bandwidth management) and
> then the errors should reappear...
>
> For various reasons I can not any longer use our mailhost for testing, so
> mail now comes from merkur.ecos.de, which has shown exactly the same errors
> within my tests in the last two weeks as rt-h1.ecos.de, which we used in our
> last test.

I have stopped tcpdump at 17:15 UTC-0500, and have started a new
tcpdump to record SMTP sessions with merkur.ecos.de.

> So if you still like to capture the tcpstream, please change the host to
> merkur.ecos.de. (Also I think it isn't really necessary, because if there
> are any errors, I see it anyway in the logs)

The ISP's bridge normally rewrites every TCP packet. If it's made
transparent, then your tcpdumped packets should be the same as
mine, except for trivial differences such as the TTL field.

        Wietse
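
The comparison described in the last paragraph, as an added example that is not part of the original message: it masks the TTL and the IP header checksum, the fields each router hop changes, and reports every other byte offset where the sender-side and receiver-side copies of a packet differ. The function names, addresses and sample packets are constructed for illustration, and it assumes the packets have already been extracted from the two captures as raw IPv4 bytes.

```python
import struct

def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over a header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(ttl, payload):
    """Constructed sample: IPv4 header + 20-byte TCP header + payload.
    Addresses are documentation ranges; the TCP checksum is left at 0."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1000, 2000,
                      5 << 4, 0x18, 8192, 0, 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                      0x4000, ttl, 6, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 25]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + tcp

def normalize(packet):
    """Zero TTL (byte 8) and IP header checksum (bytes 10-11)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    p = bytearray(packet)
    p[8] = 0
    p[10:12] = b"\x00\x00"
    return bytes(p)

def diff_offsets(sent, received):
    """Byte offsets that differ once the per-hop fields are masked."""
    a, b = normalize(sent), normalize(received)
    offsets = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    # A length mismatch counts as a difference in every extra byte.
    offsets.extend(range(min(len(a), len(b)), max(len(a), len(b))))
    return offsets

# Constructed SMTP payload as seen on the sending side.
PAYLOAD = b"MAIL FROM:<a@example.org>\r\n"
SENT = build_packet(64, PAYLOAD)
# Transparent path: only the TTL (and so the IP checksum) changed.
RECEIVED_CLEAN = build_packet(52, PAYLOAD)
# Rewritten path: first three payload bytes replaced with ^A^A^H.
RECEIVED_JUNK = build_packet(52, b"\x01\x01\x08" + PAYLOAD[3:])

if __name__ == "__main__":
    print("transparent:", diff_offsets(SENT, RECEIVED_CLEAN))
    print("rewritten:  ", diff_offsets(SENT, RECEIVED_JUNK))
```

An empty list means the two captures agree apart from the masked fields; offsets of 40 and above fall in the TCP payload of these sample packets.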