MySQL Madness
Scott Howard
scott at doc.net.au
Fri Apr 29 04:33:08 UTC 2011
On Thu, Apr 28, 2011 at 8:40 PM, Joe Renwick <joe at gonetforward.com> wrote:
> Packet "1" is Syn from MySQL client to Server
> Packet "2" is Syn/Ack from Server
> Packet "3" is a TCP Push! ??? HERE IS WHERE I AM CONFUSED
>
The "Push" is a red herring here. Push is an historic flag that is (almost)
always ignored now days, but for historic reasons almost every TCP packet
has it set.
So packet 3 isn't really a "Push" packet, but it IS a data packet :
3: 21:49:13.462210 74.81.76.195.3306 > 8.25.42.100.32929: P
2601320300:2601320363(63) ack 4107544001 win 46 <nop,nop,timestamp
2581054349 2065216038>
The "(63)" means the packet has 63 bytes of data in it. So if there's
something strange happening here, it's that the server is sending a data
packet before it gets the 3rd packet in the 3-way handshake.
Whilst that's definitely strange, it's probably legal. It's definitely
legal to include data in the SYN-ACK packet itself (and even, I think, in
the initial SYN packet!) although I've never seen anything that implements
that.
In this case, the data isn't in the SYN-ACK itself but in a packet following
it. I'm not sure if that's legal or not, but I can't see why it wouldn't be.
My firewall is dropping packet "3" as it is not happy there is a push going
> on before it sees the completed handshake.
Not at all surprising. Most firewalls will drop anything that's even
slightly unexpected, and this would certainly fit into that category - even
if it's legal.
Scott.
More information about the NANOG
mailing list