[lug] WRT54GL is snarfing ssh port-forwarded HTTP traffic

Jed S. Baer blug at jbaer.cotse.net
Sat Jun 9 22:11:17 MDT 2012


On Sat, 09 Jun 2012 18:53:10 -0600
David L. Anselmi wrote:

> How is the WRT sending HTTP to A?  What ports on A and the WRT?  Who
> sent the SYN to set up the connection?

There are no SYN packets. Lots of PSH and ACK though.

All the data on eth0, machine A, is going through the tunnel, AFAICT. I
just tried again, with wireshark running from just before setting up the
port forward, to getting the 400 error. The only thing unencrypted is the
initial ssh stuff, where it's doing the 'Hi I'm ssh I speak
Diffie-Hellman ...', and some SSDP traffic from the WRT, and DNS.
The HTTP messages, which were clear as day when I was logging the loopback
device on A last time, are quite clearly not there. All traffic I see on
eth0 on A is from the ssh port on B to the port on A created by ssh for
the port forward. I've verified the port used by ssh on A using lsof.

My /var/log/apache2/access.log shows no GET requests for the time period.

I'm going to make sure IPv6 is disabled and try again -- shot in the dark?

jed


