I have private LAN with > 100 servers, in which, I have 3 server:
- x.x.x.37: run memcache on port 11211 (called s37 for short)
- x.x.x.241: run an application server, which connect to memcache on
x.x.x.37:11211 (called s241) - x.x.x.46: test server. (called s46)
When I run tcpdump on s46, port 11211, I get strange packet periodically (every 2 hours) as bellow:
tcpdump -i eth0 'port 11211'
result:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:30:22.334411 IP x.x.x.37.11211 > x.x.x.241.57060: . ack 2839551529 win 12
Note that I don't have any application which listens on port 11211 on s46.
So, what causes this symptom? Is there any problem with Ethernet card/Network config on s37? How can I get rid of this problem?
Thank you in advanced!
[update 1]
In my LAN, I have several servers which run memcached. But this symptom only happen to s37 server.
[update 2]
tcpdump with -e option:
tcpdump -e -i eth0 'port 11211'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:30:22.410129 00:25:90:02:df:31 (oui Unknown) > 00:50:56:81:18:11 (oui Unknown), ethertype IPv4 (0x0800), length 60: x.x.x.37.11211 > x.x.x.241.57060: . ack 2839551529 win 12
Best Answer
Since this is a TCP session, and there is only an
ack
, the session is already established.The source IP and port are the listening memcached server. The destination is the application server client.
Looks to me like it's a heartbeat from the server to the client.