I have private LAN with > 100 servers, in which, I have 3 server:
- x.x.x.37: run memcache on port 11211 (called s37 for short)
- x.x.x.241: run an application server, which connect to memcache on
x.x.x.37:11211 (called s241) - x.x.x.46: test server. (called s46)
When I run tcpdump on s46, port 11211, I get strange packet periodically (every 2 hours) as bellow:
tcpdump -i eth0 'port 11211'
result:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:30:22.334411 IP x.x.x.37.11211 > x.x.x.241.57060: . ack 2839551529 win 12
Note that I don't have any application which listens on port 11211 on s46.
So, what causes this symptom? Is there any problem with Ethernet card/Network config on s37? How can I get rid of this problem?
Thank you in advanced!
[update 1]
In my LAN, I have several servers which run memcached. But this symptom only happen to s37 server.
[update 2]
tcpdump with -e option:
tcpdump -e -i eth0 'port 11211'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:30:22.410129 00:25:90:02:df:31 (oui Unknown) > 00:50:56:81:18:11 (oui Unknown), ethertype IPv4 (0x0800), length 60: x.x.x.37.11211 > x.x.x.241.57060: . ack 2839551529 win 12
Best Answer
Since this is a TCP session, and there is only an
ack, the session is already established.The source IP and port are the listening memcached server. The destination is the application server client.
Looks to me like it's a heartbeat from the server to the client.