johnmwilson7
join:2007-08-30
Washington, DC

2 edits

johnmwilson7 to funchords

Member

to funchords

Re: How to test how many connections are being reset by RST pack

FunChords,

Great, that will help. I have updated my filter string as shown below:

"(ip.src != your.ip.addr.ess) and (tcp.flags.reset == 1) and (tcp.seq > 1) and (tcp.ack > 1) and (tcp.dstport == yourport)"

With name resolution turned on, many of the connection sources are identified. So it is easy for me to recognize the packets from my network provider.

So my question is, are the forged resets spoofed as well? Or will they have the same name as my network provider?

Thanks for taking the time to walk me thru this. Hopefully others will find it useful as well.

Sincerely,

John M. Wilson

funchords
Hello
MVM
join:2001-03-11
Yarmouth Port, MA

funchords

MVM

It looks like you're ready -- right click on one of those red lines and choose "Follow TCP Stream"

The RSTs are forged to appear to come from your Peer. They sometimes come at the end of a stream of data, but more often they come right after a peer makes a request or after bitfields are exchanged.

An example is here: »torrentfreak.com/images/ ··· rst1.txt

Many of the RSTs you'll see will be clear cases of injected (forged) RST. Get to know those patterns.

When you look at the TCP Stream, one possibility is that the connection was shaky -- you'll see lots of retransmits and the RSTs that come won't fit the pattern of ones that are positively injected. These RSTs may or may not be legitimate, and when I'm not sure, I discount it.

Hope that helps!
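
An added example, not part of funchords' post or of anyone else's in the thread: the filter quoted above and the "discount the shaky streams" rule, applied to packet summaries. The record layout, the sample packets, the placeholder address and port, and the retransmission cut-off of 3 are all assumptions.

```python
from collections import Counter, namedtuple

# One record per packet; fields mirror the Wireshark columns used in the thread.
Pkt = namedtuple("Pkt", "stream src dstport rst seq ack retrans")

MY_IP = "192.0.2.10"   # placeholder for your.ip.addr.ess
MY_PORT = 6881         # placeholder for yourport
RETRANS_LIMIT = 3      # assumed cut-off for a "shaky" connection

# Constructed sample data, not taken from a real capture.
SAMPLE = [
    # stream 0: clean exchange, then a RST arriving from the peer's address
    Pkt(0, "198.51.100.7", MY_PORT, False, 1, 1, False),
    Pkt(0, "198.51.100.7", MY_PORT, False, 69, 69, False),
    Pkt(0, "198.51.100.7", MY_PORT, True, 74, 137, False),
    # stream 1: three retransmissions before the RST, so the stream is shaky
    Pkt(1, "203.0.113.5", MY_PORT, False, 1, 1, False),
    Pkt(1, "203.0.113.5", MY_PORT, False, 69, 69, True),
    Pkt(1, "203.0.113.5", MY_PORT, False, 69, 69, True),
    Pkt(1, "203.0.113.5", MY_PORT, False, 69, 69, True),
    Pkt(1, "203.0.113.5", MY_PORT, True, 74, 300, False),
    # stream 2: RST with seq and ack of 1, dropped by the seq/ack clauses
    Pkt(2, "198.51.100.9", MY_PORT, True, 1, 1, False),
    # stream 3: RST sent by this host, dropped by the ip.src clause
    Pkt(3, MY_IP, 51000, True, 90, 40, False),
]

def matches_filter(p):
    """Same five clauses as the display filter quoted in the thread."""
    return (p.src != MY_IP and p.rst and p.seq > 1 and p.ack > 1
            and p.dstport == MY_PORT)

def classify(packets):
    """Map stream id -> 'candidate' or 'uncertain' for streams with a matching RST."""
    retrans = Counter(p.stream for p in packets if p.retrans)
    verdicts = {}
    for p in packets:
        if matches_filter(p):
            shaky = retrans[p.stream] >= RETRANS_LIMIT
            verdicts[p.stream] = "uncertain" if shaky else "candidate"
    return verdicts

def reset_share(packets):
    """Fraction of all streams whose RST fits the pattern and is not discounted."""
    streams = {p.stream for p in packets}
    hits = [v for v in classify(packets).values() if v == "candidate"]
    return len(hits) / len(streams)

if __name__ == "__main__":
    print(classify(SAMPLE), reset_share(SAMPLE))
```

A "candidate" here only means the RST passed the filter on a stream without heavy retransmission; it still needs the by-hand "Follow TCP Stream" check.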
Movieman420
join:2007-08-28

1 edit

Movieman420

Member

said by funchords:

It looks like you're ready -- right click on one of those red lines and choose "Follow TCP Stream"
eegads..waaay too deep for me..lol.

funchords
Hello
MVM
join:2001-03-11
Yarmouth Port, MA

1 edit

1 recommendation

funchords

MVM

158 kB/s upload is insanely fast! Is this one of those 16Mb/2Mb tiers of service?

Remember, all things in moderation. Even though you have 16M/2M, your neighborhood is still sharing the same pipe. Be a kind sharer.
Movieman420
join:2007-08-28

3 edits

Movieman420

Member

Heh..this will blow your mind...Blast! isn't available in my area (WV..go figure...lol)! I signed up for the premium tier..the 8Mb line..when I asked what the upload bw was, I couldn't get an answer from the Comcast person I talked to...I just figured it couldn't be any worse than my previous RoadRunner 9Mb line w/ 512kbps up, ~60k max u/l. My local computer guru who is also on Comcast (formerly Adelphia like my area) told me of his speeds (he's in a semi-rural area)..thought it was a fluke. But I was wrong ...I can maintain ~1,500k down (1.5MB) and between 80 and 160k up...u/l fluctuates. My only guess is my node is way undersold (I'm in a semi-rural area as well)..or it has something to do with the Comcast/Time Warner buyout of Adelphia cable and my 'limits' got lost in the shuffle..I dunno but I love it..lol. On the flash bw test I hit 20+ down and usually 1.5Mb up but that's powerboost involved.

My last few tests:

»/archi ··· t=Search

Any way...a quick thought (for what it's worth..lol)..Some clients do not show as a seed to other peers when in superseed mode...wonder if this mode could somehow be modified/used/employed to help 'fool' the sandvine box into thinking you're not 'seeding'. I may be p!issin in the wind..just thought I'd mention it tho.

funchords
Hello
MVM
join:2001-03-11
Yarmouth Port, MA

funchords

MVM

said by Movieman420:

My last few tests:

»/archi ··· t=Search
I hate you and everything that you stand for!
said by Movieman420:

Any way...a quick thought (for what it's worth..lol)..Some clients do not show as a seed to other peers when in superseed mode...wonder if this mode could somehow be modified/used/employed to help 'fool' the sandvine box into thinking you're not 'seeding'.
Lazy Bitfield does about the same thing, but I think your suggestion is worth a test.
funchords

funchords

MVM

Optimize BitTorrent To Outwit Traffic Shaping ISPs

said by funchords:
said by Movieman420: Some clients do not show as a seed to other peers when in superseed mode...wonder if this mode could somehow be modified/used/employed to help 'fool' the sandvine box into thinking you're not 'seeding'.
Lazy Bitfield does about the same thing, but I think your suggestion is worth a test.
I tried it both ways today, no joy. But very good thinking on your part!

On a related note, here's something from Wired's HOW-TO Wiki. I am not the original author, but since I provided the last revisions, some displays (like the RSS) have listed me as the author. I don't deserve the credit:

Optimize BitTorrent To Outwit Traffic Shaping ISPs
Movieman420
join:2007-08-28

Movieman420

Member

A somewhat dark ending in that article...let's just hope the developers of Az and uT are getting busy with something. As the two most popular clients it'd be nice if they came up with a joint strategy together. One can only hope...

pflog
Bueller? Bueller?
MVM
join:2001-09-01
El Dorado Hills, CA

pflog to funchords

MVM

to funchords
Doesn't enabling (forcing) encryption have a similar effect, though? At least until it catches on, this means less peers (both up and down) if you enable and force encryption. Perhaps not as detrimental to the upstream side, but then the downstream side suffers, too.

jig
join:2001-01-05
Hacienda Heights, CA

jig

Member

the major reason to care about seeding is for ratio purposes, and there are two ways to fix that....
StuartA67
join:2003-08-08
Boulder, CO

StuartA67

Member

I'm a little technically challenged. What would I be looking for to see if the rst's are being sent? I have a network sniffer and saw quite a bit of action coming from Comcast and going to the port I have opened for bittorrent. Just not sure what it means exactly and I don't see rst in those.
Movieman420
join:2007-08-28

Movieman420 to jig

Member

to jig
Thru a vpn or ssh tunnel (works for now at least) ...or spend a little money and get a host for a seed box.

JedSezZed
@comcast.net

JedSezZed

Anon

said by Movieman420:

Thru a vpn or ssh tunnel (works for now at least) ...or spend a little money and get a host for a seed box.
Can you give a little more direction, even in the form of a link with info. Several posters above have said they haven't had success with this method (I'm not able to get it working either with SecureIx).

Thanks
Presage
join:2004-06-01
Londonderry, NH

Presage

Member

Use PuTTY and a shell to use SSH and tunnel your bittorrent traffic. Info here: »whalesalad.com/2006/08/2 ··· /#eberth

I recommend checking freeshells.info for shells.

koitsu
MVM
join:2002-07-16
Mountain View, CA
Humax BGW320-500

koitsu

MVM

And I recommend talking to your shell provider before doing this. It's considered "rude" to blindly siphon network traffic through a shell host like this, since now you're not only using up large amounts of bandwidth yourself, but on your shell provider's uplink as well.

I can tell you that as a hosting provider that offers SSH, if our users started doing that with their shell accounts, I'd be *livid*.

dontask2much
@comcast.net

dontask2much to StuartA67

Anon

to StuartA67
"What would I be looking for to see if the rst's are being sent. I have a network sniffer and saw quite a bit of action coming from Comcast and going to the port I have opened for bittorrent"

I didn't have my port open, don't use or even have BitTorrent and I saw the same thing you did. Someone posted in reply to me last weekend that I either had someone on my wireless router (sorry, there's no joy there, it's WEP and MAC filtered/restricted for that very reason) and I was seeing P2P afterglow and alas too, not the case. Instead, this was loop back traffic from a specific network router locally affected in conjunction with Comcast's filtering implementation in this area - they cleared it up this past Sunday night and I no longer have any of the issues that I had before. I might also mention that when calling Comcast last weekend, I was told by the 3 folks to whom I spoke that the call center's own network was intermittently degraded or completely down while this work was taking place.

It is no surprise that Comcast (or any other ISP/broadband provider for that matter) would be attempting to throttle excessive bandwidth consumption based on their published TOS and advertised service packages you can purchase. Sorry folks, I can also say that since this all took place, my service is better than it ever has been before - and I am glad.

To the poster who mentioned UDP - good luck. UDP is notoriously unreliable even though it's lighter and quicker and my bet is you'll have the same issues you are now and perhaps worse. Especially on Comcast's network - at least in my area, my employer wanted us to use UDP as the default protocol for VPN into their network and I tested it for them from both Cox and Comcast connections. It was so bad (frequent drops, hanging out there in the ether) that the UDP "standard" idea was abandoned after 3 weeks of testing.
StuartA67
join:2003-08-08
Boulder, CO

StuartA67

Member

I just heard (from an undisclosed source) that Comcast is not throttling as much those on the higher speed package (8mbs). Not sure if this is a fact or not but curious to know if others are noticing this distinction.
