Mailinglist Archive: opensuse (3336 mails)

Re: [SLE] SuSE/Linux Ping vs DOS Ping
  • From: David McMillan <skyefire@xxxxxxxxxxxx>
  • Date: Fri, 02 Dec 2005 14:10:31 -0500
  • Message-id: <43909C27.9040202@xxxxxxxxxxxx>
Brad Bourn wrote:

ok, cable, windows box, industrial box are "known good"

Yep, verified several different ways.

Anyway, that is now also known good. (We don't need DNS, you know the IP).

The only question we have then is, "Is the SuSE box known good?"

So, I'll ask. Can you / Have you been able to ping anything with that box?

Oh, yes. Ping works fine across the internet, on my home LAN, on the corporate intranet, and on various WiFi hotspots. Never any trouble.

Does it have internet access? (to test a ping like microsoft.com or your isp or gateway or something)

Can your Windows box ping the SuSE box? (does it answer?)

Hooked up all three machines on a small switch (definitely a switch, not a router -- I checked) to try more testing. XP and SuSE could not ping each other until I killed SuSEFirewall -- after that, perfect pings, both ways. XP could still ping Industrial, but SuSE couldn't.


Does the ping command even work on the SuSE box? Can it ping itself?

Yep.
# ping 172.16.200.241
PING 172.16.200.241 (172.16.200.241) 56(84) bytes of data.
64 bytes from 172.16.200.241: icmp_seq=1 ttl=64 time=0.169 ms
64 bytes from 172.16.200.241: icmp_seq=2 ttl=64 time=0.164 ms


Ran an nmap of the subnet: (SuSE is .241, XP is .245, Industrial is .240. Netmasks are all 255.255.0.0):
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-12-02 13:43 EST
sendto in send_ip_raw: sendto(4, packet, 28, 0, 172.16.200.0, 16) => Operation not permitted
Interesting ports on 172.16.200.240:
(The 1641 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
23/tcp open telnet
24/tcp filtered priv-mail
137/tcp filtered netbios-ns
273/tcp filtered unknown
334/tcp filtered unknown
517/tcp filtered talk
552/tcp filtered deviceshare
682/tcp filtered unknown
730/tcp filtered netviewdm2
817/tcp filtered unknown
823/tcp filtered unknown
834/tcp filtered unknown
936/tcp filtered unknown
1440/tcp filtered eicon-slp
1532/tcp filtered miroconnect
1650/tcp filtered nkd
3269/tcp filtered globalcatLDAPssl
27003/tcp filtered flexlm3

Interesting ports on 172.16.200.241:
(The 1650 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
111/tcp open rpcbind
631/tcp open ipp
901/tcp open samba-swat
5800/tcp open vnc-http
5801/tcp open vnc-http-1
5900/tcp open vnc
5901/tcp open vnc-1

Interesting ports on 172.16.200.245:
(The 1651 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
502/tcp open asa-appl-proto
1212/tcp open lupa

Nmap run completed -- 256 IP addresses (3 hosts up) scanned in 126.950 seconds



This should narrow down the possibilities anyway.

Like someone else pointed out. Ping is a TCP/IP protocol / networking thing.

It would be like saying Windows HTML is different than Linux's HTML, or Windows Font is different than Linux's font.

I thought "Windows <anything>" was always different than "Standard <anything>," by definition. :)
Kidding aside, that's what I believed to be true, as well. But as far as I can tell, from process of elimination, there is *something* different between the two.

I'm no low-level protocol guru, but I ran an Ethereal trace just to look at the packet structure. For some reason, I couldn't see the packets passing between XP and the industrial box (the switch's fault?), but I recorded the ping requests between XP and SuSE, and this is what I got (apologies for the lousy formatting):

From XP:
0000 00 40 45 12 91 c4 00 11 11 5b fe 4b 08 00 45 00 .@xxxxxxx[.K..E.
0010 00 3c a2 f6 00 00 80 01 ad c2 ac 10 c8 f5 ac 10 .<..............
0020 c8 f1 08 00 24 5c 02 00 27 00 61 62 63 64 65 66 ....$\..'.abcdef
0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 ghijklmnopqrstuv
0040 77 61 62 63 64 65 66 67 68 69 wabcdefghi

From SuSE:
0000 00 09 0f 02 57 09 00 40 45 12 91 c4 08 00 45 00 ....W..@xxxxxxxx
0010 00 54 00 03 40 00 40 01 50 a3 ac 10 c8 f1 ac 10 .T..@.@.P.......
0020 c8 f0 08 00 dc 13 ce 04 00 04 8b 92 90 43 44 0a .............CD.
0030 03 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 ................
0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 .......... !"#$%
0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 &'()*+,-./012345
0060 36 37 67

There is a visible difference, but decoding it is a little beyond my depth. From Ethereal, the two pings are different sizes, have different TTL, and different flags. That's about it.
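
The three differences reported from Ethereal above (size, TTL, flags) can be read directly out of the two hex dumps. The following is an added example, not part of the original message: a Python decoder with illustrative function names, using frame bytes copied from the hex columns of the dumps, that also verifies the IPv4 and ICMP checksums.

```python
import struct
from ipaddress import IPv4Address

# Hex columns copied from the two dumps in the message (offset and ASCII columns dropped).
XP_FRAME = bytes.fromhex(
    "00 40 45 12 91 c4 00 11 11 5b fe 4b 08 00 45 00 "
    "00 3c a2 f6 00 00 80 01 ad c2 ac 10 c8 f5 ac 10 "
    "c8 f1 08 00 24 5c 02 00 27 00 61 62 63 64 65 66 "
    "67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 "
    "77 61 62 63 64 65 66 67 68 69")
SUSE_FRAME = bytes.fromhex(
    "00 09 0f 02 57 09 00 40 45 12 91 c4 08 00 45 00 "
    "00 54 00 03 40 00 40 01 50 a3 ac 10 c8 f1 ac 10 "
    "c8 f0 08 00 dc 13 ce 04 00 04 8b 92 90 43 44 0a "
    "03 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 "
    "16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 "
    "26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 "
    "36 37")

def checksum_ok(data: bytes) -> bool:
    """RFC 1071: the one's-complement sum over a block, checksum included, is 0xFFFF."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_echo(frame: bytes) -> dict:
    """Decode an Ethernet II / IPv4 / ICMP frame into the fields where ping tools differ."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        raise ValueError("not an Ethernet II frame carrying IPv4")
    ihl = (frame[14] & 0x0F) * 4
    total_len, _ident, flags_frag, ttl, proto = struct.unpack("!HHHBB", frame[16:24])
    if ihl < 20 or proto != 1 or total_len < ihl + 8 or len(frame) < 14 + total_len:
        raise ValueError("bad IPv4 header, not ICMP, or truncated capture")
    icmp = frame[14 + ihl:14 + total_len]  # slicing by total_len drops Ethernet padding
    icmp_type, _code, _csum, echo_id, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": str(IPv4Address(frame[26:30])), "dst": str(IPv4Address(frame[30:34])),
        "ip_total_len": total_len, "ttl": ttl, "dont_fragment": bool(flags_frag & 0x4000),
        "icmp_type": icmp_type, "echo_id": echo_id, "seq": seq,
        "payload_len": len(icmp) - 8,
        "ip_checksum_ok": checksum_ok(frame[14:14 + ihl]),
        "icmp_checksum_ok": checksum_ok(icmp),
    }

if __name__ == "__main__":
    xp, suse = decode_echo(XP_FRAME), decode_echo(SUSE_FRAME)
    for field in xp:
        print(f"{field:17} XP={xp[field]!s:16} SuSE={suse[field]!s}")
```

Decoded, the XP frame is a 60-byte datagram with TTL 128, DF clear and 32 payload bytes; the SuSE frame is an 84-byte datagram with TTL 64, DF set and 56 payload bytes, and its destination address is 172.16.200.240.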


