Date: Wed, 24 Oct 2012 21:29:12 -0700
Subject: Re: every 2nd echo-request malformed when ping -s >4067
From: Kevin Oberman
To: Jeremy Chadwick
Cc: Harald Schmalzbauer, Adrian Chadd,
    FreeBSD Stable

On Wed, Oct 24, 2012 at 12:12 PM, Jeremy Chadwick wrote:
> On Wed, Oct 24, 2012 at 11:55:25AM -0700, Jeremy Chadwick wrote:
>> On Wed, Oct 24, 2012 at 11:12:39AM -0700, Jeremy Chadwick wrote:
>> > On Wed, Oct 24, 2012 at 08:02:35PM +0200, Harald Schmalzbauer wrote:
>> > > Please find attached the requested info.
>> >
>> > Thanks, got 'em! I'll reply in a follow-up mail with the decoded
>> > results.
>>
>> As promised, here are the decoded results. Took me longer than I
>> expected since I started going down the road of IP options and then was
>> like, "no, wait a minute, this is ICMP gah!". Opinions are at the
>> bottom. Gosh I hope I didn't botch a copy-paste on this one...
>>
>> 17:58:08.481888 IP 10.5.49.126 > 10.5.49.65: ICMP echo request, id 49423, seq 0, length 4076
>>         0x0000:  4500 1000 1fff 4000 4001 9435 0a05 317e
>>         0x0010:  0a05 3141 0800 a352 c10f 0000 5088 2c30
>>         0x0020:  0007 5a3b {...snip...}
>>
>> 0x45       = bits 7-4: IPv4 protocol
>>            = bits 3-0: header length: 20 bytes
>> 0x00       = DSF / RFC 2474 stuff
>> 0x1000     = datagram length: 4096 bytes
>> 0x1fff     = fragment id
>> 0x4000     = bits 15-13: %010 = reserved bit (0), DF bit (1), MF bit (0)
>>            = bits 12-0: fragment offset: 0
>> 0x40       = TTL: 64
>> 0x01       = protocol: 1 (ICMP)
>> 0x9435     = header checksum
>> 0x0a05317e = source IP
>> 0x0a053141 = destination IP
>> 0x08       = ICMP type: 8 = Echo Request
>> 0x00       = ICMP code: 0 = always zero for ICMP type 8
>> 0xa352     = ICMP header checksum
>> 0xc10f     = ICMP identifier
>> 0x0000     = ICMP sequence number
>> 0x5088     = timestamp from ICMP data
>> 0x2c30     = timestamp from ICMP data
>> 0x0007     = timestamp from ICMP data
>> 0x5a3b     = timestamp from ICMP data
>>
>>
>> 17:58:09.488461 IP 10.5.49.126 > 10.5.49.65: icmp
>>         0x0000:  4500 1000 1fff 0040 4001 d3f5 0a05 317e
>>         0x0010:  0a05 3141 0800 8998 c10f 0001 5088 2c31
>>         0x0020:  0007 73f3 {...snip...}
>>
>> 0x45       = bits 7-4: IPv4 protocol
>>            = bits 3-0: header length: 20 bytes
>> 0x00       = DSF / RFC 2474 stuff
>> 0x1000     = datagram length: 4096 bytes
>> 0x1fff     = fragment id
>> 0x0040     = bits 15-13: %000 = reserved bit (0), DF bit (0), MF bit (0)
>>            = bits 12-0: fragment offset: 64
>> 0x40       = TTL: 64
>> 0x01       = protocol: 1 (ICMP)
>> 0xd3f5     = header checksum
>> 0x0a05317e = source IP
>> 0x0a053141 = destination IP
>> 0x08       = ICMP type: 8 = Echo Request
>> 0x00       = ICMP code: 0 = always zero for ICMP type 8
>> 0x8998     = ICMP header checksum
>> 0xc10f     = ICMP identifier
>> 0x0001     = ICMP sequence number
>> 0x5088     = timestamp from ICMP data
>> 0x2c31     = timestamp from ICMP data
>> 0x0007     = timestamp from ICMP data
>> 0x73f3     = timestamp from ICMP data
>>
>>
>> Summary: I don't see anything anomalous EXCEPT the ordeal regarding the
>> fragment offset going from 0->64 and the DF bit going from 1->0.
>> Possibly this makes tcpdump throw a fit in some way, I'm not sure.
>
> Hmm, question: are you using pf, ipfilter, or ipfw on the machines where
> you can reproduce this problem?
>
> On the machine I tested from earlier, I don't use them. I also don't
> use jumbo frames (I use stock 1500 bytes). All my ICMP echo packets
> look like your 1st one: df=0 and fragoffset=0. I do have a 9.1-PREREL
> box that does use pf where I can test from though.
>
> I hate having to ask this question, but pf.conf(5) and the no-df flag
> always come to mind whenever I hear the term fragmentation or DF.
>
> --
> | Jeremy Chadwick                                   jdc@koitsu.org |
> | UNIX Systems Administrator                http://jdc.koitsu.org/ |
> | Mountain View, CA, US                                            |
> | Making life hard for others since 1977.             PGP 4BD6C0CB |

Just a quick suggestion. You could have saved a lot of time and effort if
you would capture the data using the -w option and feed the BPF file to
net/wireshark. It does a first-rate job of protocol decode and even flags
errors and inconsistencies. Of course, it requires a GUI, but the captured
data can be copied to a system that runs one.

--
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
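
Added example, not part of the thread and not code from any participant: a small Python decoder that repeats the manual header walk above on the two quoted IPv4 headers and also verifies each header checksum. The function names (decode_ipv4, checksum_ok, byteswap16) are made up for this illustration; the header bytes are copied from the quoted hex dumps.

```python
import struct

# IPv4 headers (first 20 bytes) copied from the two hex dumps quoted above.
PKT_SEQ0 = bytes.fromhex("450010001fff4000400194350a05317e0a053141")
PKT_SEQ1 = bytes.fromhex("450010001fff00404001d3f50a05317e0a053141")


def checksum_ok(header: bytes) -> bool:
    """RFC 791 check: the one's-complement sum of all 16-bit words is 0xffff."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_ipv4(header: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header; option bytes are not parsed."""
    if len(header) < 20:
        raise ValueError("need at least 20 bytes of IPv4 header")
    vihl, _tos, total_len, ident, frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", header[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a complete IPv4 header")
    return {
        "total_len": total_len,
        "id": ident,
        "frag_word": frag,                          # flags + offset, 16 bits
        "df": bool(frag & 0x4000),
        "mf": bool(frag & 0x2000),
        "frag_offset_units": frag & 0x1FFF,         # raw 13-bit field value
        "frag_offset_bytes": (frag & 0x1FFF) * 8,   # field counts 8-byte units
        "ttl": ttl,
        "proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "checksum_ok": checksum_ok(header[:ihl]),
    }


def byteswap16(value: int) -> int:
    """Swap the two bytes of a 16-bit word (host order vs. network order)."""
    return ((value & 0xFF) << 8) | (value >> 8)


if __name__ == "__main__":
    for name, pkt in (("seq 0", PKT_SEQ0), ("seq 1", PKT_SEQ1)):
        print(name, decode_ipv4(pkt))
```

Both headers carry a valid checksum, and the flags/offset word of the second packet (0x0040) is the byte-swapped form of the first (0x4000).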