[squid-users] Re: Re: Re: WCCP + squid 2.5-STABLE7 + linux 2.6.10

From: Jesse Guardiani <jesse@dont-contact.us>
Date: Thu, 24 Feb 2005 09:58:19 -0500

Henrik Nordstrom wrote:

> On Wed, 23 Feb 2005, Jesse Guardiani wrote:
>
>> tcpdump 'not ( host shannon and port 22 ) and not host 192.168.1.193 and
>> not port syslog and not port domain and not snmp and not port 3632'
>>
>> And here's the only thing I could find that looked relevant:
>>
>> 04:22:30.959889 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
>> 04:22:30.961323 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
>> 04:22:32.791481 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
>> 04:22:35.790420 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
>> 04:22:40.954870 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
>> 04:22:40.956378 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
>> 04:22:41.790316 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
>> 04:22:51.932636 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
>> 04:22:51.934544 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
>>
>> 192.168.10.1 is my Cisco router's LAN address.
>> Does the above mean anything to anyone?
>
> Yes.
>
> The UDP packets are the WCCP control channel.
>
> The gre 0x883e packets are the WCCP redirected packets.
>
> You may need "-i any" argument to tcpdump to see the complete picture
> however.

OK. New tcpdump run with "-i any" and some additional port and proto
expressions to filter out the noise:

tcpdump -i any 'not ( host shannon and port 22) and not host 192.168.1.193 and not port syslog and not port domain and not snmp and not port 3632 and not port ssh and not arp'
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

21:55:26.259380 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
21:55:26.260373 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
21:55:29.473457 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
21:55:29.473457 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418917766 0,nop,wscale 2>
21:55:32.473612 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
21:55:32.473612 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418920766 0,nop,wscale 2>
21:55:36.844127 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
21:55:36.845296 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
21:55:38.472288 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
21:55:38.472288 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418926766 0,nop,wscale 2>
21:55:47.136074 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
21:55:47.136921 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
21:55:50.470033 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
21:55:50.470033 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840 <mss 1460,sackOK,timestamp 418938766 0,nop,wscale 2>
21:55:57.568999 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
21:55:57.569869 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140

16 packets captured
26 packets received by filter
0 packets dropped by kernel
[21:55]jesse@rhea:[/home/jesse]#

Judging from the ".www" lines, it looks to me like squid is attempting
to contact the remote www server, but is being intercepted and
looped back to itself by the Cisco. Is that an accurate assessment?

If so, how do you recommend I fix it? Place the squid proxy on a
different subnet from the clients?

If not, what's happening?

Thanks!

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
Received on Thu Feb 24 2005 - 08:02:09 MST
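
Added example (not part of the original message): a Python sketch that pairs each gre-proto-0x883e line in the "-i any" capture with the TCP line sharing its timestamp, then reports per flow how many redirected SYNs were seen, whether they repeat the same sequence number, and whether the source is the cache itself. It assumes that a same-timestamp TCP line is the decapsulated inner packet and that 192.168.10.2 is the Squid host; the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the "-i any" capture above (TCP options trimmed for width).
CAPTURE = """\
21:55:26.259380 IP 192.168.10.2.2048 > 192.168.10.1.2048: UDP, length: 120
21:55:26.260373 IP 192.168.10.1.2048 > 192.168.10.2.2048: UDP, length: 140
21:55:29.473457 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
21:55:29.473457 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840
21:55:32.473612 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
21:55:32.473612 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840
21:55:38.472288 IP 192.168.10.1 > 192.168.10.2: gre-proto-0x883e
21:55:38.472288 IP 192.168.10.5.33975 > 64.233.187.104.www: S 1830006628:1830006628(0) win 5840
"""

GRE = re.compile(r"^(\S+) IP \S+ > \S+: gre-proto-0x883e")
TCP = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\w+) > "
                 r"(\d+\.\d+\.\d+\.\d+)\.(\w+): (\S+) (\d+):")


def redirected_syns(capture, cache_ip):
    """Summarise SYNs carried inside WCCP GRE redirects, keyed by flow."""
    gre_stamps = set()
    flows = defaultdict(lambda: {"syns": 0, "seqs": set()})
    for line in capture.splitlines():
        m = GRE.match(line)
        if m:
            gre_stamps.add(m.group(1))
            continue
        m = TCP.match(line)
        # Assumption: a TCP line with a GRE line's timestamp is its inner packet.
        if m and m.group(1) in gre_stamps and m.group(6) == "S":
            key = (m.group(2), m.group(3), m.group(4), m.group(5))
            flows[key]["syns"] += 1
            flows[key]["seqs"].add(m.group(7))
    return {
        key: {
            "syns": f["syns"],
            # More SYNs than distinct sequence numbers: the SYN went unanswered.
            "retransmitted": f["syns"] > len(f["seqs"]),
            # True only if the redirected packet originated from the cache.
            "from_cache": key[0] == cache_ip,
        }
        for key, f in flows.items()
    }


if __name__ == "__main__":
    for flow, info in redirected_syns(CAPTURE, "192.168.10.2").items():
        print(flow, info)
```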
