Determine NAT Mapping Behaviour using two STUN servers - udp

Is it possible to determine the mapping behaviour of a NAT using two STUN servers? Something like here.
There are three types of mapping behaviour:
Endpoint-Independent Mapping: The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port (X:x) to any external IP address and port. Specifically, X1′:x1′ equals X2′:x2′ for all Y.
Address-Dependent Mapping: The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port (X:x) to the same external IP address, regardless of the external port. Specifically, X1′:x1′ equals X2′:x2′ if and only if, Y2 equals Y1.
Address and Port-Dependent Mapping: The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port (X:x) to the same external IP address and port while the mapping is still active. Specifically, X1′:x1′ equals X2′:x2′ if and only if, Y2:y2 equals Y1:y1.
So in theory, if you ask two different STUN servers for your public IP address and you get the same IP:port, you should have an Endpoint-Independent Mapping, right? But how do you differentiate the other two types?

I would try setting up two STUN servers on different ports on the same host.
So you will need 3 STUN servers in total: two on the same host and one on another.
If you get 3 different candidates, it must be address and port-dependent mapping; 2 means address-dependent; 1 - endpoint-dependent; 0 - UDP is probably blocked.
But this approach needs to be tested thoroughly; I believe there might be some browser-dependent surprises (see esser50k's comment in the article you provided).
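The three-server comparison above, as an added example (not code from the original posts): it decodes the XOR-MAPPED-ADDRESS attribute of a STUN Binding success response and classifies the NAT using the three mapping types defined in the question. It assumes all three probes are sent from the same local UDP socket (the same X:x); the function names and the sample address are constructed for illustration.

```python
import socket
import struct

MAGIC = 0x2112A442  # STUN magic cookie (RFC 5389)

def parse_xor_mapped(resp: bytes):
    """Return (ip, port) from a Binding success response, or None."""
    if len(resp) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", resp[:8])
    if mtype != 0x0101 or cookie != MAGIC:
        return None
    pos, end = 20, min(20 + mlen, len(resp))
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", resp[pos:pos + 4])
        val = resp[pos + 4:pos + 4 + alen]
        # 0x0020 = XOR-MAPPED-ADDRESS, family 0x01 = IPv4
        if atype == 0x0020 and alen == 8 and val[1] == 0x01:
            port = struct.unpack("!H", val[2:4])[0] ^ (MAGIC >> 16)
            addr = struct.unpack("!I", val[4:8])[0] ^ MAGIC
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + alen + (-alen % 4)  # attributes are padded to 4 bytes
    return None

def classify(host1_port1, host1_port2, host2):
    """Each argument is the (ip, port) one server reported, or None."""
    seen = [m for m in (host1_port1, host1_port2, host2) if m]
    if not seen:
        return "no response (UDP probably blocked)"
    if len(seen) < 3:
        return "inconclusive (a server did not answer)"
    if host1_port1 != host1_port2:   # same address, other port: new mapping
        return "address and port-dependent mapping"
    if host1_port1 != host2:         # only a new address changes the mapping
        return "address-dependent mapping"
    return "endpoint-independent mapping"

def make_response(ip, port, txid=b"\x00" * 12):
    """Constructed test input: a Binding success response with one mapping."""
    xport = port ^ (MAGIC >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC
    attr = struct.pack("!HHBBHI", 0x0020, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", 0x0101, len(attr), MAGIC) + txid + attr
```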


What does RHPort mean in tinyusb?

Looking through tinyusb, am a bit confused on the meaning of RHPort - cannot find much on Internet, grepping through source gives me results like:
tinyusb/docs/info/changelog.rst:- Add rhport to hcd_init()
tinyusb/docs/info/changelog.rst: - Support multiple usb ports with rhport=1 is high
...
tinyusb/examples/device/cdc_dual_ports/src/tusb_config.h:// RHPort max operational speed can defined by board.mk
...
tinyusb/examples/device/cdc_dual_ports/src/tusb_config.h:// Device mode with rhport and speed defined by board.mk
...
tinyusb/examples/device/cdc_msc/src/tusb_config.h:// RHPort number used for device can be defined by board.mk, default to port 0
...
... and trying to think of what could "RH" possibly stand for as an acronym, the only thing that pops in my head is "Right Honourable" :)
So, what is the meaning of RHPort in (tiny)USB?
Ok, I think I found at least some sort of an explanation ...
Anyways, https://docs.tinyusb.org/en/latest/reference/getting_started.html says:
Port Selection
If a board has several ports, one port is chosen by default in the
individual board.mk file. Use option PORT=x To choose another port.
For example to select the HS port of a STM32F746Disco board, use:
$ make BOARD=stm32f746disco PORT=1 all
A bit tricky to find where that PORT is used, then - but for the above example, it is most likely in https://github.com/hathach/tinyusb/blob/master/hw/bsp/stm32f7/family.mk :
...
CFLAGS += \
...
-DBOARD_TUD_RHPORT=$(PORT)
...
... which then gets used in e.g. https://github.com/hathach/tinyusb/blob/master/examples/device/dfu_runtime/src/main.c :
...
// init device stack on configured roothub port
tud_init(BOARD_TUD_RHPORT);
...
... which reveals that "RH" in "RHPort" most likely stands for "Root Hub".
So, my guess is that for boards that have multiple physical USB port connectors, the RHPort determines which of those ports tinyusb is targeting?

DPDK SRIOV multiple vlan traffic over single VF of SRIOV passthrough

When trying to use RTE APIs for VLAN offload and VLAN filtering, I observe that both VLAN tagged and untagged packets are being sent out.
APIs used:
rte_eth_dev_set_vlan_offload,
rte_eth_dev_vlan_filter
DPDK - 18.08
RHEL - 7.6
Driver - igb_uio
Is there a way to allow only VLAN tagged packets to be sent out?
Regards,
Not sure if I understand correctly - you're trying to strip vlan tags from tx packets? Why would you want to offload that? If you forward packets from somewhere else they already have their tags stripped by rx offload. If you create them yourself, well - you're in control.
Regardless, if you'd want to offload tx vlan insertion:
rte_eth_dev_set_vlan_offload only sets RX offload flags.
You'll probably have to set the tx offload flag in your port config manually, like in this abridged snippet from the DPDK Flow Filtering example code:
struct rte_eth_conf port_conf = {
    .txmode = {
        .offloads =
            DEV_TX_OFFLOAD_VLAN_INSERT,
    },
};

How does PerformanceCounter count current connections to IIS website?

We can use C# code or Performance Monitor in Windows Server to view current connections to an IIS website.
PerformanceCounter performanceCounter = new System.Diagnostics.PerformanceCounter();
performanceCounter.CategoryName = "Web Service";
performanceCounter.CounterName = "Current Connections";
performanceCounter.InstanceName = "SMS_Collection_CFC";
string data = string.Format("{0}\t{1} = {2}", performanceCounter.CategoryName,
performanceCounter.CounterName, performanceCounter.NextValue());
This can return the number of connections.
Is this counting the TCP connections under the hood? We know there are many TCP connection statuses, like ESTABLISHED and TIME_WAIT. Which status is the performance counter counting?
Since nobody answered this post, I am posting my findings.
In the server, I invoke the related code in the original post, and it returns 574.
string data = string.Format("{0}\t{1} = {2}", performanceCounter.CategoryName,
performanceCounter.CounterName, performanceCounter.NextValue());
And then, I run the netstat command. The website is occupying port 9010.
netstat -an | find /i "9010"
It returns 550 established TCP connections. So I guess it is monitoring established TCP connections.

Wireshark filter for packets which initiates FIN (connection close) sequence from the server-side

Apache (ec2)    ---    Client (ELB)
     |                      |
     |-------[1.]FIN------->|
     |                      |
     |<-----[2.]FIN+ACK-----|
     |                      |
     |---------ACK--------->|
     |                      |
With Wireshark I'd like to extract only the packet "[1.]FIN" described in the figure above, which is emitted by the server's port 80 and which "initiates" the FIN sequence.
I've tried a filter:
tcp.flags.fin && tcp.srcport==80
but the filter also extracts the extra "[2.]FIN+ACK" packets.
How can I filter out only the [1.] packet, considering the "FIN" sequence initiator?
Background:
I'm struggling to get rid of 504 errors with AWS ELB and ec2 (apache), where the "FIN - FIN/ACK - ACK" sequence is initiated by the backend apache side. In such an environment, a FIN sequence initiated by ELB is ideal, as the AWS official documentation says: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html
According to https://aws.amazon.com/jp/premiumsupport/knowledge-center/504-error-classic/, I've tried replacing the MPM (event -> worker) and disabling TCP_DEFER_ACCEPT, which slightly reduced 504 errors. However, the situation is not much improved.
The point, I think, will be to find the cause which makes apache initiate the active-close sequence; thus I'm firstly trying to extract the initiating FIN packet from apache among at most 512 parallel connections between ELB and EC2 (apache).
tcp.flags.fin == 1 && tcp.flags.ack == 0
A filter such as tcp.flags.fin only checks for the presence of the parameter. To find certain values of a parameter, a comparison is needed. That is why filters like "tcp" work to find TCP packets.
The filter match for FIN does not exclude other flags being set or not set, so a comparison is needed for each flag that should be part of the filter.
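A filter on flags looks at each packet in isolation, while "which side sent the first FIN" is a property of the whole connection. The added example below (not from the original posts) keeps per-connection state over lines in the tab-separated form that `tshark -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags` prints, and returns the line numbers where port 80 opened the close sequence; the addresses, ports and sample lines are constructed.

```python
FIN, SYN, ACK = 0x01, 0x02, 0x10

def parse_line(line):
    """One line: ip.src, tcp.srcport, ip.dst, tcp.dstport, tcp.flags (hex)."""
    src, sport, dst, dport, flags = line.rstrip("\n").split("\t")
    return src, int(sport), dst, int(dport), int(flags, 16)

def initiating_fins(lines, server_port=80):
    """Return 1-based line numbers of FINs that start a close from server_port."""
    closing = set()   # connections on which a FIN has already been seen
    hits = []
    for n, line in enumerate(lines, 1):
        src, sport, dst, dport, flags = parse_line(line)
        conn = frozenset([(src, sport), (dst, dport)])  # direction-independent
        if flags & SYN and not flags & ACK:
            closing.discard(conn)   # same 4-tuple reused by a new connection
        if not flags & FIN or conn in closing:
            continue                # not a FIN, or the reply / a retransmission
        closing.add(conn)
        if sport == server_port:
            hits.append(n)
    return hits

# Constructed capture: the server closes the first connection,
# the client closes the second.
SAMPLE = [
    "10.0.1.9\t41000\t10.0.0.5\t80\t0x0018",  # data from the ELB side
    "10.0.0.5\t80\t10.0.1.9\t41000\t0x0011",  # [1.] server sends FIN first
    "10.0.1.9\t41000\t10.0.0.5\t80\t0x0011",  # [2.] FIN+ACK reply
    "10.0.0.5\t80\t10.0.1.9\t41000\t0x0010",  # final ACK
    "10.0.1.9\t41001\t10.0.0.5\t80\t0x0011",  # client closes first here
    "10.0.0.5\t80\t10.0.1.9\t41001\t0x0011",  # server's reply FIN: ignored
]
```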

ICE protocol what is base?

In the ICE protocol, what is Base?
I understood Base as: for the server reflexive candidate, the host candidate is the base. Is that correct or not?
How to find the foundation of the candidate?
You are correct. According to RFC5245:
Base: The base of a server reflexive candidate is the host candidate
from which it was derived. A host candidate is also said to have a
base, equal to that candidate itself. Similarly, the base of a
relayed candidate is that candidate itself.
The foundation is an arbitrary value. You can find it for each ICE candidate in the SDP. It is the first value after candidate:
For example:
a=candidate:1174096638 1 udp 2122194687 10.191.1.117 57105 typ host generation 0
a=candidate:2999745851 1 udp 2122129151 192.168.59.1 57106 typ host generation 0
Foundations are
1174096638
2999745851
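Added example (not from the original posts) tying the two terms together: it parses `a=candidate` lines, reads the foundation as the first field, and resolves the base of each candidate following the RFC 5245 definition quoted above, using the `raddr`/`rport` fields of a server reflexive candidate to find its host candidate. The srflx line, including its foundation and address, is constructed for illustration.

```python
def parse_candidate(line):
    """Parse one SDP a=candidate line into a dict."""
    body = line.strip().split(":", 1)[1].split()
    cand = {
        "foundation": body[0], "component": int(body[1]),
        "transport": body[2].lower(), "priority": int(body[3]),
        "addr": body[4], "port": int(body[5]),
    }
    ext = body[6:]   # name/value pairs: typ host, raddr ..., generation 0
    cand.update(zip(ext[0::2], ext[1::2]))
    return cand

def base_of(cand, candidates):
    """Host and relayed candidates are their own base; a srflx candidate's
    base is the host candidate it was derived from (its raddr/rport)."""
    if cand["typ"] != "srflx":
        return cand
    for other in candidates:
        if (other["typ"] == "host"
                and other["component"] == cand["component"]
                and other["addr"] == cand.get("raddr")
                and str(other["port"]) == cand.get("rport")):
            return other
    return None   # raddr/rport missing or masked, so the base is not visible

SDP = [
    "a=candidate:1174096638 1 udp 2122194687 10.191.1.117 57105 typ host generation 0",
    "a=candidate:2999745851 1 udp 2122129151 192.168.59.1 57106 typ host generation 0",
    # Constructed server reflexive candidate derived from the first host candidate
    "a=candidate:842163049 1 udp 1686052607 203.0.113.20 57105 typ srflx"
    " raddr 10.191.1.117 rport 57105 generation 0",
]
CANDIDATES = [parse_candidate(line) for line in SDP]
```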