I found some useful tcpdump logs to share too:
…#.O1…7…E…Q.@.i._…F.S
.p.|_,.P.@.w…*…8…cKL…
anonUser…>… …r…+…G…)…G…)…anonUser:1206640957763… …
–
14:02:47.062492 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 733:822(89) ack 39468 win 32767
…7…#.O1…E…@.@…m…@…V. .Fc…W…dP…*…S…
yjmonitorprod…)…anonUser:1206640967059…
14:02:47.731016 IP 205.188.8.185.5190 > app3.yjenergy.com.53331: P 41880:42029(149) ack 61 win 16384
…#.O1…7…E…7@.i…F.S
.q.|_,.P.@.?..*…:…cz…
anonUser…>… …r…4…G…)…G…)…anonUser:1206640967059… …
–
14:02:48.082467 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 733:822(89) ack 39468 win 32767
…7…#.O1…E…@.@…k…@…V. .Fc…W…dP…*…S…
yjmonitorprod…)…anonUser:1206640967059…
–
14:02:57.832799 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 822:911(89) ack 39939 win 32767
…7…#.O1…E…@.@…e…@…V. .Fc…;P…*…S…
yjmonitorprod…)…anonUser:1206640977830…
–
14:02:58.213508 IP 205.188.8.185.5190 > app3.yjenergy.com.53331: P 42628:42777(149) ack 61 win 16384
…#.O1…7…E…@.i…M…F.S
.t.|_,.P.@…*…?..c.G…
anonUser…>… …r…>…G…)…G…)…anonUser:1206640977830… …
–
14:03:24.722945 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
…7…#.O1…E…@.@…a…@…V. .Fc.
…P…*…S…
yjmonitorprod…)…anonUser:1206641004720…
–
14:03:26.961292 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
…7…#.O1…E…@.@…_…@…V. .Fc.
…P…*…S…
yjmonitorprod…)…anonUser:1206641004720…
–
14:03:31.436636 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
…7…#.O1…E…@.@…]…@…V. .Fc.
…P…*…S…
yjmonitorprod…)…anonUser:1206641004720…
–
14:03:40.389396 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
…7…#.O1…E…@.@…[…@…V. .Fc.
…P…*…S…
yjmonitorprod…)…anonUser:1206641004720…
–
14:03:58.294231 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
…7…#.O1…E…@.@…Y…@…V. .Fc.
…P…*…S…
yjmonitorprod…)…anonUser:1206641004720…
–
14:04:34.102428 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
…7…#.O1…E…@.@…W…@…V. .Fc.
…P…*…S…
yjmonitorprod…)…anonUser:1206641004720…
–
14:05:45.721167 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
…7…#.O1…E…@.@…U…@…V. .Fc.
…P…*…S…
yjmonitorprod…)…anonUser:1206641004720…
–
14:07:45.725209 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
…7…#.O1…E… @.@…S…@…V. .Fc.
…P…*…S…
yjmonitorprod…)…anonUser:1206641004720…
–
14:09:45.727807 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
…7…#.O1…E…"@.@…Q…@…V. .Fc.
…P…*…S…
yjmonitorprod…)…anonUser:1206641004720…
–
…#.O1…7…E…P.o@.i.#…N…F.
…v.k…mP.@…*…I."…8.
anonUser…
–
14:11:45.731927 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
…7…#.O1…E…$@.@…O…@…V. .Fc.
…P…*…S…
yjmonitorprod…)…anonUser:1206641004720…
–
14:13:45.736101 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
…7…#.O1…E…&@.@…M…@…V. .Fc.
…P…*…S…
yjmonitorprod…)…anonUser:1206641004720…
–
14:15:45.738597 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
…7…#.O1…E…(@.@…K…@…V. .Fc.
…P…*…S…
yjmonitorprod…)…anonUser:1206641004720…
–
14:17:45.742075 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
…7…#.O1…E…*@.@…I…@…V. .Fc.
…P…*…S…
yjmonitorprod…)…anonUser:1206641004720…
–
14:19:45.745534 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
…7…#.O1…E…,@.@…G…@…V. .Fc.
…P…*…S…
yjmonitorprod…)…anonUser:1206641004720…
I’ll explain what’s happening:
We have a monitor we send to from each AIM session we have through Openfire’s gateway. Each time the user sends a message, it consists of their username, in this case anonUser, a colon, and the time it was received in milliseconds. It happens about every 30 seconds, but it’s not a guarantee. As you can see, it does it pretty well, but it attempts to send “anonUser:1206640977830” twice, and then it attempts to send “anonUser:1206641004720” multiple times. The person was essentially signed off and we didn’t know it. The problem probably lies in the joscar source. If we see a message is being sent to one person multiple times in a row as attempts, we should note it and probably consider it as a disconnect.
One question I have is: Are we sure it happens in joscar and not the gateway? Is there any code in the plugin that would cause this behavior?
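The repeated sends can be picked out of the capture mechanically: a segment that goes out again with the same sequence range is a TCP retransmission of data the peer never acknowledged, and widening gaps between the copies are the retransmit backoff. The sketch below is an added example, not part of the original post and not joscar or Openfire code; the function names, the three-send threshold and the 1.5x growth factor are assumptions, and it assumes the capture does not cross midnight.

```python
import re
from collections import defaultdict

# Subset of the tcpdump header lines from the capture in the post above.
CAPTURE = """\
14:02:47.062492 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 733:822(89) ack 39468 win 32767
14:02:48.082467 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 733:822(89) ack 39468 win 32767
14:02:57.832799 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 822:911(89) ack 39939 win 32767
14:02:58.213508 IP 205.188.8.185.5190 > app3.yjenergy.com.53331: P 42628:42777(149) ack 61 win 16384
14:03:24.722945 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
14:03:26.961292 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
14:03:31.436636 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
14:03:40.389396 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
14:03:58.294231 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
14:04:34.102428 IP app3.yjenergy.com.58400 > 64.12.26.86.5190: P 911:1000(89) ack 40035 win 32767
"""

HEADER = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+) > (\S+): \S+ (\d+:\d+)\(\d+\)")

def repeated_segments(text, min_sends=3):
    """Map (src, dst, seq_range) -> send times for segments sent min_sends+ times."""
    sends = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if m is None:
            continue  # payload bytes or separator lines between packets
        hh, mm, ss, src, dst, seq = m.groups()
        sends[(src, dst, seq)].append(int(hh) * 3600 + int(mm) * 60 + float(ss))
    return {k: t for k, t in sends.items() if len(t) >= min_sends}

def gaps(times):
    """Seconds between consecutive sends, rounded to 0.1 s."""
    return [round(b - a, 1) for a, b in zip(times, times[1:])]

def looks_dead(times, factor=1.5):
    """True when every gap grows by at least `factor`: backoff with no ACK in between."""
    g = gaps(times)
    return len(g) >= 2 and all(b >= factor * a for a, b in zip(g, g[1:]))

if __name__ == "__main__":
    for (src, dst, seq), times in repeated_segments(CAPTURE).items():
        print(src, "->", dst, "seq", seq, "gaps", gaps(times), "dead:", looks_dead(times))
```

The single repeat of `733:822` stays below the threshold, while `911:1000` is flagged with gaps that roughly double each time.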