Endian Modifying Packet!

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Endian Modifying Packet!

Scott Howell-6
I can't think of any reason this is happening but it is.  I have a 3CX IP-PBX behind Community 2.5.1.  I ran a Wireshark on my PBX and at the same time did a tcpdump within the Endian at the same time.  

When looking at the two captures side by side the Endian is modifying the (c) Connection information during Session Description.  On the PBX I see it going out as my WAN IP, but the same packet in the Endian has a bogus IP of 134.2.0.0 in this part of the Message Body.

What the heck is going on??

Any help is greatly appreciated.

Sincerely,

Scott

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user
Reply | Threaded
Open this post in threaded view
|

Re: Endian Modifying Packet!

Matt Hayes
Just a question, but do you have port 5060 port forwarding or a 1-to-1 NAT or anything?


On Wed, May 29, 2013 at 4:23 PM, Scott Howell <[hidden email]> wrote:
I can't think of any reason this is happening but it is.  I have a 3CX IP-PBX behind Community 2.5.1.  I ran a Wireshark on my PBX and at the same time did a tcpdump within the Endian at the same time.  

When looking at the two captures side by side the Endian is modifying the (c) Connection information during Session Description.  On the PBX I see it going out as my WAN IP, but the same packet in the Endian has a bogus IP of 134.2.0.0 in this part of the Message Body.

What the heck is going on??

Any help is greatly appreciated.

Sincerely,

Scott

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user
Reply | Threaded
Open this post in threaded view
|

Re: Endian Modifying Packet!

Scott Howell-6
Absolutely, pretty much everything works except for one type of call.  Either way, it is somewhat irrelevant.  In this scenario I did the two capture simultaneously at eth1 (WAN) in the Endian and on the IP-PBX.  I compared the two captures side by side and here is the difference . . . This is the identical packet on each of the interfaces which is going out to the ITSP.  You can see in the second capture (External on Endian) how the (c) has changed.  

I am completely lost . . It is my understanding there is no "SIP Helper/Proxy" in this release and I'm not a linux expert, but this seems to be the case best I can tell.  I can think of no other reason why the Endian would change this, or why it would change to this bogus IP even if there was a proxy?

Internal 

Code:
Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): 3cxPS 275414777856 414900551682 IN IP4 69.61.101.90
                Owner Username: 3cxPS
                Session ID: 275414777856
                Session Version: 414900551682
                Owner Network Type: IN
                Owner Address Type: IP4
                Owner Address: 69.61.xx.xx
            Session Name (s): 3cxPS Audio call
            Connection Information (c): IN IP4 69.61.xx.xx
                Connection Network Type: IN
                Connection Address Type: IP4
                Connection Address: 69.61.xx.xx

External Endian Interface

Code:
Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): 3cxPS 275414777856 414900551682 IN IP4 134.2.0.0
                Owner Username: 3cxPS
                Session ID: 275414777856
                Session Version: 414900551682
                Owner Network Type: IN
                Owner Address Type: IP4
                Owner Address: 134.2.0.0
            Session Name (s): 3cxPS Audio call
            Connection Information (c): IN IP4 134.2.0.0
                Connection Network Type: IN
                Connection Address Type: IP4
                Connection Address: 134.2.0.0

Sincerely,

Scott Howell
Mobile : 404-735-5273



On Thu, May 30, 2013 at 12:41 AM, Matt Hayes <[hidden email]> wrote:
Just a question, but do you have port 5060 port forwarding or a 1-to-1 NAT or anything?


On Wed, May 29, 2013 at 4:23 PM, Scott Howell <[hidden email]> wrote:
I can't think of any reason this is happening but it is.  I have a 3CX IP-PBX behind Community 2.5.1.  I ran a Wireshark on my PBX and at the same time did a tcpdump within the Endian at the same time.  

When looking at the two captures side by side the Endian is modifying the (c) Connection information during Session Description.  On the PBX I see it going out as my WAN IP, but the same packet in the Endian has a bogus IP of 134.2.0.0 in this part of the Message Body.

What the heck is going on??

Any help is greatly appreciated.

Sincerely,

Scott

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user
Reply | Threaded
Open this post in threaded view
|

Re: Endian Modifying Packet!

Matt Hayes
This cuts off, but I just ssh'd into my Endian and did lsmod | grep sip and here's my results:

nf_nat_sip              3710  0
nf_conntrack_sip       10485  1 nf_nat_sip
nf_nat                 10267  9 iptable_nat,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_tftp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda
nf_conntrack           38475  23 xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_conntrack_netbios_ns,nf_nat_snmp_basic,nf_nat_sip,nf_conntrack_sip,nf_nat_pptp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_nat_tftp,nf_conntrack_tftp,nf_nat_irc,nf_conntrack_irc,nf_nat_h323,nf_conntrack_h323,nf_nat_ftp,nf_conntrack_ftp,nf_nat_amanda,nf_nat,nf_conntrack_amanda,nf_conntrack_ipv4


The reason that the sip proxy was removed is that now there's a sip conntrack module in iptables.  Unfortunately, I have yet to setup a true IP PBX behind Endian.   I know others have, however, as you can tell, this mailing list and any other support medium for the community edition of Endian is shit anymore.

-Matt


On Thu, May 30, 2013 at 8:46 AM, Scott Howell <[hidden email]> wrote:
Absolutely, pretty much everything works except for one type of call.  Either way, it is somewhat irrelevant.  In this scenario I did the two capture simultaneously at eth1 (WAN) in the Endian and on the IP-PBX.  I compared the two captures side by side and here is the difference . . . This is the identical packet on each of the interfaces which is going out to the ITSP.  You can see in the second capture (External on Endian) how the (c) has changed.  

I am completely lost . . It is my understanding there is no "SIP Helper/Proxy" in this release and I'm not a linux expert, but this seems to be the case best I can tell.  I can think of no other reason why the Endian would change this, or why it would change to this bogus IP even if there was a proxy?

Internal 

Code:
Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): 3cxPS 275414777856 414900551682 IN IP4 69.61.101.90
                Owner Username: 3cxPS
                Session ID: 275414777856
                Session Version: 414900551682
                Owner Network Type: IN
                Owner Address Type: IP4
                Owner Address: 69.61.xx.xx
            Session Name (s): 3cxPS Audio call
            Connection Information (c): IN IP4 69.61.xx.xx
                Connection Network Type: IN
                Connection Address Type: IP4
                Connection Address: 69.61.xx.xx

External Endian Interface

Code:
Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): 3cxPS 275414777856 414900551682 IN IP4 134.2.0.0
                Owner Username: 3cxPS
                Session ID: 275414777856
                Session Version: 414900551682
                Owner Network Type: IN
                Owner Address Type: IP4
                Owner Address: 134.2.0.0
            Session Name (s): 3cxPS Audio call
            Connection Information (c): IN IP4 134.2.0.0
                Connection Network Type: IN
                Connection Address Type: IP4
                Connection Address: 134.2.0.0

Sincerely,

Scott Howell
Mobile : 404-735-5273



On Thu, May 30, 2013 at 12:41 AM, Matt Hayes <[hidden email]> wrote:
Just a question, but do you have port 5060 port forwarding or a 1-to-1 NAT or anything?


On Wed, May 29, 2013 at 4:23 PM, Scott Howell <[hidden email]> wrote:
I can't think of any reason this is happening but it is.  I have a 3CX IP-PBX behind Community 2.5.1.  I ran a Wireshark on my PBX and at the same time did a tcpdump within the Endian at the same time.  

When looking at the two captures side by side the Endian is modifying the (c) Connection information during Session Description.  On the PBX I see it going out as my WAN IP, but the same packet in the Endian has a bogus IP of 134.2.0.0 in this part of the Message Body.

What the heck is going on??

Any help is greatly appreciated.

Sincerely,

Scott

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user
Reply | Threaded
Open this post in threaded view
|

Re: Endian Modifying Packet!

Scott Howell-6
Thank a lot Matt for the info.  At least this gives me something else to look into before I yank the Endian.  I will begin some research now and see if this is where the problem lies.

As far as this mailing list and the forums you are correct it it garbage.  I don't really understand why though.  I have tried just about every open source UTM on the market and all their communities are vibrant.  The Endian stacks up well against all of them yet the community is non-existent.  It's a shame for such a well polished product in so many ways.

Sincerely,

Scott Howell
Mobile : 404-735-5273



On Thu, May 30, 2013 at 9:57 AM, Matt Hayes <[hidden email]> wrote:
This cuts off, but I just ssh'd into my Endian and did lsmod | grep sip and here's my results:

nf_nat_sip              3710  0
nf_conntrack_sip       10485  1 nf_nat_sip
nf_nat                 10267  9 iptable_nat,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_tftp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda
nf_conntrack           38475  23 xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_conntrack_netbios_ns,nf_nat_snmp_basic,nf_nat_sip,nf_conntrack_sip,nf_nat_pptp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_nat_tftp,nf_conntrack_tftp,nf_nat_irc,nf_conntrack_irc,nf_nat_h323,nf_conntrack_h323,nf_nat_ftp,nf_conntrack_ftp,nf_nat_amanda,nf_nat,nf_conntrack_amanda,nf_conntrack_ipv4


The reason that the sip proxy was removed is that now there's a sip conntrack module in iptables.  Unfortunately, I have yet to setup a true IP PBX behind Endian.   I know others have, however, as you can tell, this mailing list and any other support medium for the community edition of Endian is shit anymore.

-Matt


On Thu, May 30, 2013 at 8:46 AM, Scott Howell <[hidden email]> wrote:
Absolutely, pretty much everything works except for one type of call.  Either way, it is somewhat irrelevant.  In this scenario I did the two capture simultaneously at eth1 (WAN) in the Endian and on the IP-PBX.  I compared the two captures side by side and here is the difference . . . This is the identical packet on each of the interfaces which is going out to the ITSP.  You can see in the second capture (External on Endian) how the (c) has changed.  

I am completely lost . . It is my understanding there is no "SIP Helper/Proxy" in this release and I'm not a linux expert, but this seems to be the case best I can tell.  I can think of no other reason why the Endian would change this, or why it would change to this bogus IP even if there was a proxy?

Internal 

Code:
Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): 3cxPS 275414777856 414900551682 IN IP4 69.61.101.90
                Owner Username: 3cxPS
                Session ID: 275414777856
                Session Version: 414900551682
                Owner Network Type: IN
                Owner Address Type: IP4
                Owner Address: 69.61.xx.xx
            Session Name (s): 3cxPS Audio call
            Connection Information (c): IN IP4 69.61.xx.xx
                Connection Network Type: IN
                Connection Address Type: IP4
                Connection Address: 69.61.xx.xx

External Endian Interface

Code:
Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): 3cxPS 275414777856 414900551682 IN IP4 134.2.0.0
                Owner Username: 3cxPS
                Session ID: 275414777856
                Session Version: 414900551682
                Owner Network Type: IN
                Owner Address Type: IP4
                Owner Address: 134.2.0.0
            Session Name (s): 3cxPS Audio call
            Connection Information (c): IN IP4 134.2.0.0
                Connection Network Type: IN
                Connection Address Type: IP4
                Connection Address: 134.2.0.0

Sincerely,

Scott Howell
Mobile : 404-735-5273



On Thu, May 30, 2013 at 12:41 AM, Matt Hayes <[hidden email]> wrote:
Just a question, but do you have port 5060 port forwarding or a 1-to-1 NAT or anything?


On Wed, May 29, 2013 at 4:23 PM, Scott Howell <[hidden email]> wrote:
I can't think of any reason this is happening but it is.  I have a 3CX IP-PBX behind Community 2.5.1.  I ran a Wireshark on my PBX and at the same time did a tcpdump within the Endian at the same time.  

When looking at the two captures side by side the Endian is modifying the (c) Connection information during Session Description.  On the PBX I see it going out as my WAN IP, but the same packet in the Endian has a bogus IP of 134.2.0.0 in this part of the Message Body.

What the heck is going on??

Any help is greatly appreciated.

Sincerely,

Scott

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user
Reply | Threaded
Open this post in threaded view
|

Re: Endian Modifying Packet!

Matt Hayes
I completely agree.  I love the product, just wish the community edition had more attention.  In the past few years the support in the community has just gone way down hill.  It used to be quite active.


On Thu, May 30, 2013 at 11:54 AM, Scott Howell <[hidden email]> wrote:
Thank a lot Matt for the info.  At least this gives me something else to look into before I yank the Endian.  I will begin some research now and see if this is where the problem lies.

As far as this mailing list and the forums you are correct it it garbage.  I don't really understand why though.  I have tried just about every open source UTM on the market and all their communities are vibrant.  The Endian stacks up well against all of them yet the community is non-existent.  It's a shame for such a well polished product in so many ways.

Sincerely,

Scott Howell
Mobile : 404-735-5273



On Thu, May 30, 2013 at 9:57 AM, Matt Hayes <[hidden email]> wrote:
This cuts off, but I just ssh'd into my Endian and did lsmod | grep sip and here's my results:

nf_nat_sip              3710  0
nf_conntrack_sip       10485  1 nf_nat_sip
nf_nat                 10267  9 iptable_nat,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_tftp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda
nf_conntrack           38475  23 xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_conntrack_netbios_ns,nf_nat_snmp_basic,nf_nat_sip,nf_conntrack_sip,nf_nat_pptp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_nat_tftp,nf_conntrack_tftp,nf_nat_irc,nf_conntrack_irc,nf_nat_h323,nf_conntrack_h323,nf_nat_ftp,nf_conntrack_ftp,nf_nat_amanda,nf_nat,nf_conntrack_amanda,nf_conntrack_ipv4


The reason that the sip proxy was removed is that now there's a sip conntrack module in iptables.  Unfortunately, I have yet to setup a true IP PBX behind Endian.   I know others have, however, as you can tell, this mailing list and any other support medium for the community edition of Endian is shit anymore.

-Matt


On Thu, May 30, 2013 at 8:46 AM, Scott Howell <[hidden email]> wrote:
Absolutely, pretty much everything works except for one type of call.  Either way, it is somewhat irrelevant.  In this scenario I did the two capture simultaneously at eth1 (WAN) in the Endian and on the IP-PBX.  I compared the two captures side by side and here is the difference . . . This is the identical packet on each of the interfaces which is going out to the ITSP.  You can see in the second capture (External on Endian) how the (c) has changed.  

I am completely lost . . It is my understanding there is no "SIP Helper/Proxy" in this release and I'm not a linux expert, but this seems to be the case best I can tell.  I can think of no other reason why the Endian would change this, or why it would change to this bogus IP even if there was a proxy?

Internal 

Code:
Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): 3cxPS 275414777856 414900551682 IN IP4 69.61.101.90
                Owner Username: 3cxPS
                Session ID: 275414777856
                Session Version: 414900551682
                Owner Network Type: IN
                Owner Address Type: IP4
                Owner Address: 69.61.xx.xx
            Session Name (s): 3cxPS Audio call
            Connection Information (c): IN IP4 69.61.xx.xx
                Connection Network Type: IN
                Connection Address Type: IP4
                Connection Address: 69.61.xx.xx

External Endian Interface

Code:
Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): 3cxPS 275414777856 414900551682 IN IP4 134.2.0.0
                Owner Username: 3cxPS
                Session ID: 275414777856
                Session Version: 414900551682
                Owner Network Type: IN
                Owner Address Type: IP4
                Owner Address: 134.2.0.0
            Session Name (s): 3cxPS Audio call
            Connection Information (c): IN IP4 134.2.0.0
                Connection Network Type: IN
                Connection Address Type: IP4
                Connection Address: 134.2.0.0

Sincerely,

Scott Howell
Mobile : 404-735-5273



On Thu, May 30, 2013 at 12:41 AM, Matt Hayes <[hidden email]> wrote:
Just a question, but do you have port 5060 port forwarding or a 1-to-1 NAT or anything?


On Wed, May 29, 2013 at 4:23 PM, Scott Howell <[hidden email]> wrote:
I can't think of any reason this is happening but it is.  I have a 3CX IP-PBX behind Community 2.5.1.  I ran a Wireshark on my PBX and at the same time did a tcpdump within the Endian at the same time.  

When looking at the two captures side by side the Endian is modifying the (c) Connection information during Session Description.  On the PBX I see it going out as my WAN IP, but the same packet in the Endian has a bogus IP of 134.2.0.0 in this part of the Message Body.

What the heck is going on??

Any help is greatly appreciated.

Sincerely,

Scott

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user
Reply | Threaded
Open this post in threaded view
|

Re: Endian Modifying Packet!

Scott Howell-6
BTW, thanks for the info.  I researched this a bit and think it may be my culprit.  I am going to manually unload the nf_conntrack_sip and nf_nat_sip modules tonight and reboot to see if this fixes the issue but I suspect it will.  I'll update this thread if it does.

Concerning the product there is always a tradeoff with features.  I am a big supporter of pfSense and still am, but there are a handful of features on Endian that just work and are so much easier to configure.  I have had some strange behavior with the IPSEC VPN however on a this rollout of 9 locations that I may start a new thread on it's just low on my list right now. 

Sincerely,

Scott Howell
Mobile : 404-735-5273



On Thu, May 30, 2013 at 12:52 PM, Matt Hayes <[hidden email]> wrote:
I completely agree.  I love the product, just wish the community edition had more attention.  In the past few years the support in the community has just gone way down hill.  It used to be quite active.


On Thu, May 30, 2013 at 11:54 AM, Scott Howell <[hidden email]> wrote:
Thank a lot Matt for the info.  At least this gives me something else to look into before I yank the Endian.  I will begin some research now and see if this is where the problem lies.

As far as this mailing list and the forums you are correct it it garbage.  I don't really understand why though.  I have tried just about every open source UTM on the market and all their communities are vibrant.  The Endian stacks up well against all of them yet the community is non-existent.  It's a shame for such a well polished product in so many ways.

Sincerely,

Scott Howell
Mobile : 404-735-5273



On Thu, May 30, 2013 at 9:57 AM, Matt Hayes <[hidden email]> wrote:
This cuts off, but I just ssh'd into my Endian and did lsmod | grep sip and here's my results:

nf_nat_sip              3710  0
nf_conntrack_sip       10485  1 nf_nat_sip
nf_nat                 10267  9 iptable_nat,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_tftp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda
nf_conntrack           38475  23 xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_conntrack_netbios_ns,nf_nat_snmp_basic,nf_nat_sip,nf_conntrack_sip,nf_nat_pptp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_nat_tftp,nf_conntrack_tftp,nf_nat_irc,nf_conntrack_irc,nf_nat_h323,nf_conntrack_h323,nf_nat_ftp,nf_conntrack_ftp,nf_nat_amanda,nf_nat,nf_conntrack_amanda,nf_conntrack_ipv4


The reason that the sip proxy was removed is that now there's a sip conntrack module in iptables.  Unfortunately, I have yet to setup a true IP PBX behind Endian.   I know others have, however, as you can tell, this mailing list and any other support medium for the community edition of Endian is shit anymore.

-Matt


On Thu, May 30, 2013 at 8:46 AM, Scott Howell <[hidden email]> wrote:
Absolutely, pretty much everything works except for one type of call.  Either way, it is somewhat irrelevant.  In this scenario I did the two capture simultaneously at eth1 (WAN) in the Endian and on the IP-PBX.  I compared the two captures side by side and here is the difference . . . This is the identical packet on each of the interfaces which is going out to the ITSP.  You can see in the second capture (External on Endian) how the (c) has changed.  

I am completely lost . . It is my understanding there is no "SIP Helper/Proxy" in this release and I'm not a linux expert, but this seems to be the case best I can tell.  I can think of no other reason why the Endian would change this, or why it would change to this bogus IP even if there was a proxy?

Internal 

Code:
Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): 3cxPS 275414777856 414900551682 IN IP4 69.61.101.90
                Owner Username: 3cxPS
                Session ID: 275414777856
                Session Version: 414900551682
                Owner Network Type: IN
                Owner Address Type: IP4
                Owner Address: 69.61.xx.xx
            Session Name (s): 3cxPS Audio call
            Connection Information (c): IN IP4 69.61.xx.xx
                Connection Network Type: IN
                Connection Address Type: IP4
                Connection Address: 69.61.xx.xx

External Endian Interface

Code:
Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): 3cxPS 275414777856 414900551682 IN IP4 134.2.0.0
                Owner Username: 3cxPS
                Session ID: 275414777856
                Session Version: 414900551682
                Owner Network Type: IN
                Owner Address Type: IP4
                Owner Address: 134.2.0.0
            Session Name (s): 3cxPS Audio call
            Connection Information (c): IN IP4 134.2.0.0
                Connection Network Type: IN
                Connection Address Type: IP4
                Connection Address: 134.2.0.0

Sincerely,

Scott Howell
Mobile : 404-735-5273



On Thu, May 30, 2013 at 12:41 AM, Matt Hayes <[hidden email]> wrote:
Just a question, but do you have port 5060 port forwarding or a 1-to-1 NAT or anything?


On Wed, May 29, 2013 at 4:23 PM, Scott Howell <[hidden email]> wrote:
I can't think of any reason this is happening but it is.  I have a 3CX IP-PBX behind Community 2.5.1.  I ran a Wireshark on my PBX and at the same time did a tcpdump within the Endian at the same time.  

When looking at the two captures side by side the Endian is modifying the (c) Connection information during Session Description.  On the PBX I see it going out as my WAN IP, but the same packet in the Endian has a bogus IP of 134.2.0.0 in this part of the Message Body.

What the heck is going on??

Any help is greatly appreciated.

Sincerely,

Scott

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user
Reply | Threaded
Open this post in threaded view
|

Re: Endian Modifying Packet!

Matt Hayes
You are most welcome.


On Thu, May 30, 2013 at 1:56 PM, Scott Howell <[hidden email]> wrote:
BTW, thanks for the info.  I researched this a bit and think it may be my culprit.  I am going to manually unload the nf_conntrack_sip and nf_nat_sip modules tonight and reboot to see if this fixes the issue but I suspect it will.  I'll update this thread if it does.

Concerning the product there is always a tradeoff with features.  I am a big supporter of pfSense and still am, but there are a handful of features on Endian that just work and are so much easier to configure.  I have had some strange behavior with the IPSEC VPN however on a this rollout of 9 locations that I may start a new thread on it's just low on my list right now. 

Sincerely,

Scott Howell
Mobile : 404-735-5273



On Thu, May 30, 2013 at 12:52 PM, Matt Hayes <[hidden email]> wrote:
I completely agree.  I love the product, just wish the community edition had more attention.  In the past few years the support in the community has just gone way down hill.  It used to be quite active.


On Thu, May 30, 2013 at 11:54 AM, Scott Howell <[hidden email]> wrote:
Thank a lot Matt for the info.  At least this gives me something else to look into before I yank the Endian.  I will begin some research now and see if this is where the problem lies.

As far as this mailing list and the forums you are correct it it garbage.  I don't really understand why though.  I have tried just about every open source UTM on the market and all their communities are vibrant.  The Endian stacks up well against all of them yet the community is non-existent.  It's a shame for such a well polished product in so many ways.

Sincerely,

Scott Howell
Mobile : 404-735-5273



On Thu, May 30, 2013 at 9:57 AM, Matt Hayes <[hidden email]> wrote:
This cuts off, but I just ssh'd into my Endian and did lsmod | grep sip and here's my results:

nf_nat_sip              3710  0
nf_conntrack_sip       10485  1 nf_nat_sip
nf_nat                 10267  9 iptable_nat,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_tftp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda
nf_conntrack           38475  23 xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_conntrack_netbios_ns,nf_nat_snmp_basic,nf_nat_sip,nf_conntrack_sip,nf_nat_pptp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_nat_tftp,nf_conntrack_tftp,nf_nat_irc,nf_conntrack_irc,nf_nat_h323,nf_conntrack_h323,nf_nat_ftp,nf_conntrack_ftp,nf_nat_amanda,nf_nat,nf_conntrack_amanda,nf_conntrack_ipv4


The reason that the sip proxy was removed is that now there's a sip conntrack module in iptables.  Unfortunately, I have yet to setup a true IP PBX behind Endian.   I know others have, however, as you can tell, this mailing list and any other support medium for the community edition of Endian is shit anymore.

-Matt


On Thu, May 30, 2013 at 8:46 AM, Scott Howell <[hidden email]> wrote:
Absolutely, pretty much everything works except for one type of call.  Either way, it is somewhat irrelevant.  In this scenario I did the two capture simultaneously at eth1 (WAN) in the Endian and on the IP-PBX.  I compared the two captures side by side and here is the difference . . . This is the identical packet on each of the interfaces which is going out to the ITSP.  You can see in the second capture (External on Endian) how the (c) has changed.  

I am completely lost . . It is my understanding there is no "SIP Helper/Proxy" in this release and I'm not a linux expert, but this seems to be the case best I can tell.  I can think of no other reason why the Endian would change this, or why it would change to this bogus IP even if there was a proxy?

Internal 

Code:
Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): 3cxPS 275414777856 414900551682 IN IP4 69.61.101.90
                Owner Username: 3cxPS
                Session ID: 275414777856
                Session Version: 414900551682
                Owner Network Type: IN
                Owner Address Type: IP4
                Owner Address: 69.61.xx.xx
            Session Name (s): 3cxPS Audio call
            Connection Information (c): IN IP4 69.61.xx.xx
                Connection Network Type: IN
                Connection Address Type: IP4
                Connection Address: 69.61.xx.xx

External Endian Interface

Code:
Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): 3cxPS 275414777856 414900551682 IN IP4 134.2.0.0
                Owner Username: 3cxPS
                Session ID: 275414777856
                Session Version: 414900551682
                Owner Network Type: IN
                Owner Address Type: IP4
                Owner Address: 134.2.0.0
            Session Name (s): 3cxPS Audio call
            Connection Information (c): IN IP4 134.2.0.0
                Connection Network Type: IN
                Connection Address Type: IP4
                Connection Address: 134.2.0.0

Sincerely,

Scott Howell
Mobile : 404-735-5273



On Thu, May 30, 2013 at 12:41 AM, Matt Hayes <[hidden email]> wrote:
Just a question, but do you have port 5060 port forwarding or a 1-to-1 NAT or anything?


On Wed, May 29, 2013 at 4:23 PM, Scott Howell <[hidden email]> wrote:
I can't think of any reason this is happening but it is.  I have a 3CX IP-PBX behind Community 2.5.1.  I ran a Wireshark on my PBX and at the same time did a tcpdump within the Endian at the same time.  

When looking at the two captures side by side the Endian is modifying the (c) Connection information during Session Description.  On the PBX I see it going out as my WAN IP, but the same packet in the Endian has a bogus IP of 134.2.0.0 in this part of the Message Body.

What the heck is going on??

Any help is greatly appreciated.

Sincerely,

Scott

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user