So I decided to have tcpdump listen on port 80 because I use HTTPS whenever possible, and thought there shouldn't be anything there. Well, there was. I can see that one of these connections is the OCSP, so nothing fishy there I guess other than that it uses HTTP for that. But what's Fedora doing phoning home to this Fedora server (a proxy) for? I don't use any proxies. And the third connection to a Google IP address, I have no idea what that is. I have Google Chrome installed via the official repo but I just about never use it.

$ sudo tcpdump -vvvnn 'port 80'
dropped privs to tcpdump
tcpdump: listening on enp0s25, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:23:37.752080 IP (tos 0x0, ttl 64, id 19436, offset 0, flags [DF], proto TCP (6), length 52)
    xxx.xxx.xxx.xxx.59872 > 117.18.237.29.80: Flags [.], cksum 0xf309 (incorrect -> 0x12c9), seq 1284819876, ack 3901196772, win 501, options [nop,nop,TS val 2224927611 ecr 3251634268], length 0
00:23:37.798367 IP (tos 0x0, ttl 57, id 48346, offset 0, flags [none], proto TCP (6), length 52)
    117.18.237.29.80 > xxx.xxx.xxx.xxx.59872: Flags [.], cksum 0xb1e8 (correct), seq 1, ack 1, win 131, options [nop,nop,TS val 3251644514 ecr 2224876999], length 0
00:23:40.526300 IP (tos 0x0, ttl 64, id 19437, offset 0, flags [DF], proto TCP (6), length 52)
    xxx.xxx.xxx.xxx.59872 > 117.18.237.29.80: Flags [F.], cksum 0xf309 (incorrect -> 0xdfe9), seq 1, ack 1, win 501, options [nop,nop,TS val 2224930386 ecr 3251644514], length 0
00:23:40.566806 IP (tos 0x0, ttl 57, id 48909, offset 0, flags [none], proto TCP (6), length 52)
    117.18.237.29.80 > xxx.xxx.xxx.xxx.59872: Flags [F.], cksum 0xd689 (correct), seq 1, ack 2, win 131, options [nop,nop,TS val 3251647283 ecr 2224930386], length 0
00:23:40.566856 IP (tos 0x0, ttl 64, id 19438, offset 0, flags [DF], proto TCP (6), length 52)
    xxx.xxx.xxx.xxx.59872 > 117.18.237.29.80: Flags [.], cksum 0xf309 (incorrect -> 0xd4ef), seq 2, ack 2, win 501, options [nop,nop,TS val 2224930426 ecr 3251647283], length 0
00:24:24.052529 IP6 (flowlabel 0xd3fb6, hlim 64, next-header TCP (6) payload length: 40) xxxx:xxxx:xxxx:xxxx::x.38602 > 2604:1580:fe00:0:dead:beef:cafe:fed1.80: Flags [S], cksum 0x9ea9 (incorrect -> 0x09df), seq 837969268, win 64800, options [mss 1440,sackOK,TS val 3613564085 ecr 0,nop,wscale 7], length 0
00:24:24.281018 IP6 (flowlabel 0x01ae1, hlim 51, next-header TCP (6) payload length: 40) 2604:1580:fe00:0:dead:beef:cafe:fed1.80 > xxxx:xxxx:xxxx:xxxx::x.38602: Flags [S.], cksum 0xc901 (correct), seq 3862673729, ack 837969269, win 64260, options [mss 1440,sackOK,TS val 3651717569 ecr 3613564085,nop,wscale 7], length 0
00:24:24.281114 IP6 (flowlabel 0xd3fb6, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.38602 > 2604:1580:fe00:0:dead:beef:cafe:fed1.80: Flags [.], cksum 0x9ea1 (incorrect -> 0xefde), seq 1, ack 1, win 507, options [nop,nop,TS val 3613564314 ecr 3651717569], length 0
00:24:24.281266 IP6 (flowlabel 0xd3fb6, hlim 64, next-header TCP (6) payload length: 125) xxxx:xxxx:xxxx:xxxx::x.38602 > 2604:1580:fe00:0:dead:beef:cafe:fed1.80: Flags [P.], cksum 0x9efe (incorrect -> 0x3f72), seq 1:94, ack 1, win 507, options [nop,nop,TS val 3613564314 ecr 3651717569], length 93: HTTP, length: 93
        GET /static/hotspot.txt HTTP/1.1
        Host: fedoraproject.org
        Accept: */*
        Connection: close

00:24:24.503175 IP6 (flowlabel 0x01ae1, hlim 51, next-header TCP (6) payload length: 32) 2604:1580:fe00:0:dead:beef:cafe:fed1.80 > xxxx:xxxx:xxxx:xxxx::x.38602: Flags [.], cksum 0xeea8 (correct), seq 1, ack 94, win 502, options [nop,nop,TS val 3651717791 ecr 3613564314], length 0
00:24:24.503971 IP6 (flowlabel 0x01ae1, hlim 51, next-header TCP (6) payload length: 446) 2604:1580:fe00:0:dead:beef:cafe:fed1.80 > xxxx:xxxx:xxxx:xxxx::x.38602: Flags [P.], cksum 0x2960 (correct), seq 1:415, ack 94, win 502, options [nop,nop,TS val 3651717792 ecr 3613564314], length 414: HTTP, length: 414
        HTTP/1.1 200 OK
        Date: Thu, 18 Feb 2021 16:24:24 GMT
        Server: Apache
        Upgrade: h2
        Connection: Upgrade, close
        Last-Modified: Wed, 08 Jan 2020 00:05:02 GMT
        Accept-Ranges: bytes
        Content-Length: 2
        Cache-Control: must-revalidate
        Expires: Thu, 18 Feb 2021 16:24:24 GMT
        AppTime: D=283
        X-Fedora-ProxyServer: proxy11.fedoraproject.org
        X-Fedora-RequestID: YC6UuEDJFAFz3TTTp0GrxQAAAI0
        Content-Type: text/plain

        OK [|http]
00:24:24.504065 IP6 (flowlabel 0xd3fb6, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.38602 > 2604:1580:fe00:0:dead:beef:cafe:fed1.80: Flags [.], cksum 0x9ea1 (incorrect -> 0xec29), seq 94, ack 415, win 504, options [nop,nop,TS val 3613564536 ecr 3651717792], length 0
00:24:24.504110 IP6 (flowlabel 0x01ae1, hlim 51, next-header TCP (6) payload length: 32) 2604:1580:fe00:0:dead:beef:cafe:fed1.80 > xxxx:xxxx:xxxx:xxxx::x.38602: Flags [F.], cksum 0xed08 (correct), seq 415, ack 94, win 502, options [nop,nop,TS val 3651717792 ecr 3613564314], length 0
00:24:24.504326 IP6 (flowlabel 0xd3fb6, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.38602 > 2604:1580:fe00:0:dead:beef:cafe:fed1.80: Flags [F.], cksum 0x9ea1 (incorrect -> 0xec26), seq 94, ack 416, win 504, options [nop,nop,TS val 3613564537 ecr 3651717792], length 0
00:24:24.726701 IP6 (flowlabel 0x01ae1, hlim 51, next-header TCP (6) payload length: 32) 2604:1580:fe00:0:dead:beef:cafe:fed1.80 > xxxx:xxxx:xxxx:xxxx::x.38602: Flags [.], cksum 0xeb4a (correct), seq 416, ack 95, win 502, options [nop,nop,TS val 3651718014 ecr 3613564537], length 0

...

00:50:25.432190 IP6 (flowlabel 0x7719f, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.60920 > 2404:6800:4005:811::2003.80: Flags [.], cksum 0xf1cb (incorrect -> 0xa666), seq 384, ack 703, win 502, options [nop,nop,TS val 1999913169 ecr 483576757], length 0
00:50:25.470489 IP6 (flowlabel 0x8ae63, hlim 58, next-header TCP (6) payload length: 32) 2404:6800:4005:811::2003.80 > xxxx:xxxx:xxxx:xxxx::x.60920: Flags [.], cksum 0x371f (correct), seq 703, ack 385, win 261, options [nop,nop,TS val 483586996 ecr 1999800587], length 0
00:50:25.944081 IP6 (flowlabel 0xaf031, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.60930 > 2404:6800:4005:811::2003.80: Flags [.], cksum 0xf1cb (incorrect -> 0x67a2), seq 383, ack 702, win 502, options [nop,nop,TS val 1999913680 ecr 1874946443], length 0
00:50:25.944100 IP6 (flowlabel 0xfdee8, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.60932 > 2404:6800:4005:811::2003.80: Flags [.], cksum 0xf1cb (incorrect -> 0x3f2f), seq 383, ack 702, win 502, options [nop,nop,TS val 1999913681 ecr 3369118020], length 0
00:50:25.944111 IP6 (flowlabel 0x34f7c, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.60934 > 2404:6800:4005:811::2003.80: Flags [.], cksum 0xf1cb (incorrect -> 0x16f5), seq 383, ack 702, win 502, options [nop,nop,TS val 1999913681 ecr 1571835192], length 0
00:50:25.981152 IP6 (flowlabel 0xa9a77, hlim 58, next-header TCP (6) payload length: 32) 2404:6800:4005:811::2003.80 > xxxx:xxxx:xxxx:xxxx::x.60932: Flags [.], cksum 0xd071 (correct), seq 702, ack 384, win 261, options [nop,nop,TS val 3369128259 ecr 1999800961], length 0
00:50:25.981153 IP6 (flowlabel 0xb79e6, hlim 58, next-header TCP (6) payload length: 32) 2404:6800:4005:811::2003.80 > xxxx:xxxx:xxxx:xxxx::x.60930: Flags [.], cksum 0xf8e3 (correct), seq 702, ack 384, win 261, options [nop,nop,TS val 1874956682 ecr 1999800961], length 0
00:50:25.983644 IP6 (flowlabel 0xe9721, hlim 58, next-header TCP (6) payload length: 32) 2404:6800:4005:811::2003.80 > xxxx:xxxx:xxxx:xxxx::x.60934: Flags [.], cksum 0xa83b (correct), seq 702, ack 384, win 261, options [nop,nop,TS val 1571845433 ecr 1999800955], length 0
00:50:27.852620 IP6 (flowlabel 0x7719f, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.60920 > 2404:6800:4005:811::2003.80: Flags [F.], cksum 0xf1cb (incorrect -> 0x74f1), seq 385, ack 703, win 502, options [nop,nop,TS val 1999915589 ecr 483586996], length 0
00:50:27.896715 IP6 (flowlabel 0x8ae63, hlim 58, next-header TCP (6) payload length: 32) 2404:6800:4005:811::2003.80 > xxxx:xxxx:xxxx:xxxx::x.60920: Flags [F.], cksum 0x6c67 (correct), seq 703, ack 386, win 261, options [nop,nop,TS val 483589422 ecr 1999915589], length 0
00:50:27.896846 IP6 (flowlabel 0x7719f, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.60920 > 2404:6800:4005:811::2003.80: Flags [.], cksum 0xf1cb (incorrect -> 0x6b4a), seq 386, ack 704, win 502, options [nop,nop,TS val 1999915633 ecr 483589422], length 0
00:50:28.853363 IP6 (flowlabel 0x34f7c, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.60934 > 2404:6800:4005:811::2003.80: Flags [F.], cksum 0xf1cb (incorrect -> 0xe394), seq 384, ack 702, win 502, options [nop,nop,TS val 1999916590 ecr 1571845433], length 0
00:50:28.853424 IP6 (flowlabel 0xfdee8, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.60932 > 2404:6800:4005:811::2003.80: Flags [F.], cksum 0xf1cb (incorrect -> 0x0bd1), seq 384, ack 702, win 502, options [nop,nop,TS val 1999916590 ecr 3369128259], length 0
00:50:28.853447 IP6 (flowlabel 0xaf031, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.60930 > 2404:6800:4005:811::2003.80: Flags [F.], cksum 0xf1cb (incorrect -> 0x3443), seq 384, ack 702, win 502, options [nop,nop,TS val 1999916590 ecr 1874956682], length 0
00:50:28.904019 IP6 (flowlabel 0xe9721, hlim 58, next-header TCP (6) payload length: 32) 2404:6800:4005:811::2003.80 > xxxx:xxxx:xxxx:xxxx::x.60934: Flags [F.], cksum 0xd91c (correct), seq 702, ack 385, win 261, options [nop,nop,TS val 1571848353 ecr 1999916590], length 0
00:50:28.904021 IP6 (flowlabel 0xa9a77, hlim 58, next-header TCP (6) payload length: 32) 2404:6800:4005:811::2003.80 > xxxx:xxxx:xxxx:xxxx::x.60932: Flags [F.], cksum 0x0157 (correct), seq 702, ack 385, win 261, options [nop,nop,TS val 3369131181 ecr 1999916590], length 0
00:50:28.904133 IP6 (flowlabel 0x34f7c, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.60934 > 2404:6800:4005:811::2003.80: Flags [.], cksum 0xf1cb (incorrect -> 0xd7f8), seq 385, ack 703, win 502, options [nop,nop,TS val 1999916641 ecr 1571848353], length 0
00:50:28.904170 IP6 (flowlabel 0xfdee8, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.60932 > 2404:6800:4005:811::2003.80: Flags [.], cksum 0xf1cb (incorrect -> 0x0033), seq 385, ack 703, win 502, options [nop,nop,TS val 1999916641 ecr 3369131181], length 0
00:50:28.904201 IP6 (flowlabel 0xb79e6, hlim 58, next-header TCP (6) payload length: 32) 2404:6800:4005:811::2003.80 > xxxx:xxxx:xxxx:xxxx::x.60930: Flags [F.], cksum 0x29c9 (correct), seq 702, ack 385, win 261, options [nop,nop,TS val 1874959604 ecr 1999916590], length 0
00:50:28.904230 IP6 (flowlabel 0xaf031, hlim 64, next-header TCP (6) payload length: 32) xxxx:xxxx:xxxx:xxxx::x.60930 > 2404:6800:4005:811::2003.80: Flags [.], cksum 0xf1cb (incorrect -> 0x28a5), seq 385, ack 703, win 502, options [nop,nop,TS val 1999916641 ecr 1874959604], length 0

1 Answer

https://lwn.net/Articles/776809/

This is used by NM to check for network connectivity.

Pretty much all modern OSes do it one way or another.

  • Makes sense. The .txt file at fedoraproject.org has nothing in it other than "OK". But what about the Google IP at 2404:6800:4005:811::2003? Commented Feb 22, 2021 at 8:45
  • The log is truncated so it's hard to say. These are requests to port 80 which is plain HTTP but we don't see what traffic goes in and out. Commented Feb 22, 2021 at 9:13
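The distinction drawn in the answer and comments can be made mechanically. The following is an added example, not part of the original question or answer: it groups `tcpdump -vvvnn 'port 80'` text output into flows and reports which ones carry an identifiable HTTP request and which were only seen as bare ACK/FIN packets after the capture started. The sample capture is constructed with documentation addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -vvvnn 'port 80'` format (documentation addresses).
SAMPLE = """\
00:00:01.000000 IP6 (flowlabel 0x00001, hlim 64, next-header TCP (6) payload length: 40) 2001:db8::10.40000 > 2001:db8:1::80.80: Flags [S], cksum 0x0000 (correct), seq 100, win 64800, length 0
00:00:01.100000 IP6 (flowlabel 0x00001, hlim 64, next-header TCP (6) payload length: 125) 2001:db8::10.40000 > 2001:db8:1::80.80: Flags [P.], cksum 0x0000 (correct), seq 1:94, ack 1, win 507, length 93: HTTP, length: 93
        GET /static/hotspot.txt HTTP/1.1
        Host: fedoraproject.org
00:00:02.000000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.10.50000 > 198.51.100.7.80: Flags [.], cksum 0x0000 (correct), seq 384, ack 703, win 502, length 0
00:00:03.000000 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.10.50000 > 198.51.100.7.80: Flags [F.], cksum 0x0000 (correct), seq 384, ack 703, win 502, length 0
"""

PKT = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")
LEN = re.compile(r", length (\d+)")
HTTP = re.compile(r"^\s+(?:((?:GET|POST|HEAD|PUT) \S+) HTTP/|Host: (\S+))")

def summarize(text, port="80"):
    # Returns {(client, client_port, server): {"syn", "payload", "request", "host"}}.
    flows = defaultdict(lambda: {"syn": False, "payload": 0, "request": None, "host": None})
    current = None
    for line in text.splitlines():
        m = PKT.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            # Key each flow by its client side, whichever way this packet travels.
            current = (src, sport, dst) if dport == port else (dst, dport, src)
            flow = flows[current]
            flow["syn"] |= flags == "S"          # client SYN means the flow start was captured
            size = LEN.search(line, m.end())     # TCP payload length printed after the flags
            flow["payload"] += int(size.group(1)) if size else 0
            continue
        h = HTTP.match(line)                     # decoded HTTP lines belong to the last packet
        if h and current:
            field = "request" if h.group(1) else "host"
            flows[current][field] = h.group(1) or h.group(2)
    return dict(flows)

def verdict(flow):
    if flow["request"]:
        return f"identified: {flow['request']} (Host: {flow['host']})"
    if not flow["syn"] and flow["payload"] == 0:
        return "capture began mid-connection, no payload seen"
    return "payload present but not decoded"

if __name__ == "__main__":
    for key, flow in summarize(SAMPLE).items():
        print(key, "->", verdict(flow))
```

A flow that gets the "capture began mid-connection" verdict has to be captured again from its SYN before its request line and Host header become visible.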
