[squid-users] mystery traffic

From: Alan Lehman <alehman_at_gbutler.com>
Date: Thu, 15 May 2008 08:04:07 -0500

While diagnosing an unrelated network problem, I ran tcpdump on my Squid
(2.5-STABLE3) box. I found the following pattern repeating several times
per second. I don't know how long this has been going on, but at least
several days. If I kill Squid, it stops.

x.x.x.99 = DMZ network port on Squid system
x.x.x.20 = Web server (IIS) on my DMZ

08:02:14.092144 x.x.x.20.https > x.x.x.99.42362: P 1759:1805(46) ack
1797 win 64233 <nop,nop,timestamp 663266 2095770651> (DF)
08:02:14.092186 x.x.x.99.42362 > x.x.x.20.https: . ack 1805 win 63712
<nop,nop,timestamp 2095770651 663266> (DF)
08:02:14.092351 x.x.x.20.https > x.x.x.99.42359: P 850:896(46) ack 795
win 64233 <nop,nop,timestamp 663266 2095770651> (DF)
08:02:14.092376 x.x.x.99.42359 > x.x.x.20.https: . ack 896 win 63712
<nop,nop,timestamp 2095770651 663266> (DF)
08:02:14.259571 x.x.x.99.42362 > x.x.x.20.https: P 1797:2005(208) ack
1805 win 63712 <nop,nop,timestamp 2095770668 663266> (DF)
08:02:14.259862 x.x.x.99.42359 > x.x.x.20.https: P 795:1017(222) ack 896
win 63712 <nop,nop,timestamp 2095770668 663266> (DF)
08:02:14.260994 x.x.x.20.https > x.x.x.99.42362: P 1805:2220(415) ack
2005 win 65535 <nop,nop,timestamp 663269 2095770668> (DF)
08:02:14.261031 x.x.x.99.42362 > x.x.x.20.https: . ack 2220 win 63712
<nop,nop,timestamp 2095770668 663269> (DF)
08:02:14.450432 x.x.x.20.https > x.x.x.99.42359: . ack 1017 win 65535
<nop,nop,timestamp 663271 2095770668> (DF)
08:02:14.450868 x.x.x.20.https > x.x.x.99.42359: P 896:1298(402) ack
1017 win 65535 <nop,nop,timestamp 663271 2095770668> (DF)
08:02:14.450890 x.x.x.99.42359 > x.x.x.20.https: . ack 1298 win 63712
<nop,nop,timestamp 2095770687 663271> (DF)
08:02:14.581353 x.x.x.99.42362 > x.x.x.20.https: P 2005:2291(286) ack
2220 win 63712 <nop,nop,timestamp 2095770700 663269> (DF)
08:02:14.581737 x.x.x.20.https > x.x.x.99.42362: P 2220:2266(46) ack
2291 win 65249 <nop,nop,timestamp 663272 2095770700> (DF)
08:02:14.581778 x.x.x.99.42362 > x.x.x.20.https: . ack 2266 win 63712
<nop,nop,timestamp 2095770700 663272> (DF)
08:02:14.755502 x.x.x.99.42362 > x.x.x.20.https: P 2291:2513(222) ack
2266 win 63712 <nop,nop,timestamp 2095770717 663272> (DF)
08:02:14.755917 x.x.x.99.42359 > x.x.x.20.https: P 1017:1303(286) ack
1298 win 63712 <nop,nop,timestamp 2095770718 663271> (DF)
08:02:14.756272 x.x.x.20.https > x.x.x.99.42359: P 1298:1344(46) ack
1303 win 65249 <nop,nop,timestamp 663273 2095770718> (DF)
08:02:14.756315 x.x.x.99.42359 > x.x.x.20.https: . ack 1344 win 63712
<nop,nop,timestamp 2095770718 663273> (DF)
08:02:14.887740 x.x.x.20.https > x.x.x.99.42362: . ack 2513 win 65027
<nop,nop,timestamp 663275 2095770717> (DF)

I have the following in squid.conf:
acl Local dst x.x.x.0/24
no_cache deny Local

It appears Squid is trying to access something on the web server, but I
don't know why. There is only very occasional traffic in access.log for
x.x.x.20. Any ideas would be most appreciated.

Alan Lehman
Received on Thu May 15 2008 - 13:05:22 MDT
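One way to make sense of a repeating capture like the one above is to total it per connection rather than reading it packet by packet; the small server segments (46 bytes) and ~200-byte client segments every few hundred milliseconds then stand out as a request/response pattern on two long-lived client sockets. The parser below is an added example, not part of the original post; its sample input is built from the capture above with each wrapped line re-joined, and it assumes the classic tcpdump line format shown there (a bare `P` or `.` flag field followed by `seq:seq(len) ack`).

```python
import re
from collections import defaultdict

# Constructed sample: packets from the tcpdump capture in the post above, with
# each wrapped line re-joined so that the parser sees one packet per line.
SAMPLE = """\
08:02:14.092144 x.x.x.20.https > x.x.x.99.42362: P 1759:1805(46) ack 1797 win 64233 <nop,nop,timestamp 663266 2095770651> (DF)
08:02:14.092186 x.x.x.99.42362 > x.x.x.20.https: . ack 1805 win 63712 <nop,nop,timestamp 2095770651 663266> (DF)
08:02:14.092351 x.x.x.20.https > x.x.x.99.42359: P 850:896(46) ack 795 win 64233 <nop,nop,timestamp 663266 2095770651> (DF)
08:02:14.259571 x.x.x.99.42362 > x.x.x.20.https: P 1797:2005(208) ack 1805 win 63712 <nop,nop,timestamp 2095770668 663266> (DF)
08:02:14.259862 x.x.x.99.42359 > x.x.x.20.https: P 795:1017(222) ack 896 win 63712 <nop,nop,timestamp 2095770668 663266> (DF)
08:02:14.260994 x.x.x.20.https > x.x.x.99.42362: P 1805:2220(415) ack 2005 win 65535 <nop,nop,timestamp 663269 2095770668> (DF)
08:02:14.581353 x.x.x.99.42362 > x.x.x.20.https: P 2005:2291(286) ack 2220 win 63712 <nop,nop,timestamp 2095770700 663269> (DF)
08:02:14.755502 x.x.x.99.42362 > x.x.x.20.https: P 2291:2513(222) ack 2266 win 63712 <nop,nop,timestamp 2095770717 663272> (DF)
"""

# Captures: time, src, dst, TCP flag field, and the optional "seq:seq(len)" payload length.
PKT = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+): (\S+)(?: \d+:\d+\((\d+)\))? ack")

def seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def summarize(text, server_port="https"):
    """Group packets by client socket (the end not on server_port) and total the
    payload bytes in each direction, the PSH segments and the time span covered."""
    flows = defaultdict(lambda: {"to_server": 0, "from_server": 0, "pushes": 0, "times": []})
    for line in text.splitlines():
        m = PKT.match(line)
        if not m:
            continue          # not a TCP segment line (or a wrapped fragment)
        ts, src, dst, flags, length = m.groups()
        client = dst if src.endswith("." + server_port) else src
        f = flows[client]
        f["from_server" if client == dst else "to_server"] += int(length or 0)
        f["pushes"] += int("P" in flags)
        f["times"].append(seconds(ts))
    return {c: {"to_server": f["to_server"], "from_server": f["from_server"],
                "pushes": f["pushes"], "span": round(max(f["times"]) - min(f["times"]), 6)}
            for c, f in flows.items()}

if __name__ == "__main__":
    for client, f in summarize(SAMPLE).items():
        print(client, f)
```

Run against a longer capture (`tcpdump -n ... > capture.txt`, then feed the file contents to `summarize`), the per-socket byte totals and time spans show whether the sockets are a few persistent connections or a stream of new ones, which is the first thing to compare against what Squid itself reports for x.x.x.20.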

This archive was generated by hypermail 2.2.0 : Tue Aug 05 2008 - 01:05:13 MDT