every 2nd echo-request malformed when ping -s >4067
Jeremy Chadwick
jdc at koitsu.org
Wed Oct 24 17:44:26 UTC 2012
On Wed, Oct 24, 2012 at 07:00:55PM +0200, Harald Schmalzbauer wrote:
> schrieb Jeremy Chadwick am 24.10.2012 18:51 (localtime):
> > ...
> > # tcpdump -p -i em0 -l -n -s 0 -xx "icmp and dst host 4.2.2.1"
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
> > 09:45:22.725137 IP 192.168.1.51 > 4.2.2.1: ICMP echo request, id 6417, seq 0, length 64
> > 0x0000: e0cb 4ec0 00c4 0030 48d2 22d0
> Have you ever seen "e0:cb:4e:c0:00:c4" and "00:30:48:d2:22:d0" ?
> These are your mac addresses, which -xx shows.
>
> ...
> > And compare this to what you're seeing (look closely at the 2nd line):
> >
> > 16:03:08.963292 IP 10.5.49.126 > 10.5.49.65: ICMP echo request, id 30477, seq 0, length 4076
> > 16:03:09.968454 IP 10.5.49.126 > 10.5.49.65: icmp
>
> Of course, I saw that. That's why I claim the 2nd outgoing request to be
> malformed ;-)
>
> > ...
> >
> > This is why I said I want to see output from -xx and not -x. What I
> > want to see is the *full packet contents* (IP header, ICMP header, and
> > any ICMP payload).
>
> -x gives everything above link-layer, so IP and ICMP are in my last dump.
You're right -- sorry, *I* misread the tcpdump man page! :-) Here I am
telling you what to do yet...... *laugh* Sorry about that.
So I can tell from your original output that you're using "-x" by
itself, so what we're seeing should be the IP header and related bits.
Okay, so let's decode what you got. Too bad we don't have snoop-like
output, since it can decode all of this and output it in a
human-friendly way. Gotta do this by hand...
12:21:09.048447 IP 10.5.49.126 > 10.5.49.65: ICMP echo request, id 46597, seq 0, length 4076
0x0000: 4500 1000 0f2d 4000 4001 a507 0a05 317e
0x45 = bits 7-4: IPv4 protocol
= bits 3-0: header length: 20 bytes
0x00 = DSF / RFC 2474 stuff (don't ask me :-) )
0x1000 = datagram length: 4096 bytes
0x0f2d = fragment id
0x4000 = bits 15-13: %010 = reserved bit (0), DF bit (1), MF bit (0)
= bits 12-0: fragment offset: 0
0x40 = TTL: 64
0x01 = protocol: 1 (ICMP)
0xe4c7 = header checksum
0x0a05317e = source IP
Now for the malformed/wonky packet:
12:21:10.052891 IP 10.5.49.126 > 10.5.49.65: icmp
0x0000: 4500 1000 0f2d 0040 4001 e4c7 0a05 317e
0x45 = bits 7-4: IPv4 protocol
= bits 3-0: header length: 20 bytes
0x00 = DSF / RFC 2474 stuff (don't ask me :-) )
0x1000 = datagram length: 4096 bytes
0x0f2d = fragment id
0x0040 = bits 15-13: %000 = reserved bit (0), DF bit (0), MF bit (0)
= bits 12-0: fragment offset: 64
0x40 = TTL: 64
0x01 = protocol: 1 (ICMP)
0xe4c7 = header checksum
0x0a05317e = source IP
So from this we can tell that the working packets have the DF
(dont-fragment) bit set and have a fragment offset of zero, and the
"broken" packet has the DF bit cleared and a fragment offset of 64.
Can you please re-run your tests with the following tcpdump arguments
and provide full, non-edited output?
Even WITHOUT "-s 0" to tcpdump you should be getting back multiple
lines (0x0000, 0x0010, 0x0020, etc.), yet you've omitted the information
I need to see.
--
| Jeremy Chadwick jdc at koitsu.org |
| UNIX Systems Administrator http://jdc.koitsu.org/ |
| Mountain View, CA, US |
| Making life hard for others since 1977. PGP 4BD6C0CB |
More information about the freebsd-stable
mailing list