tcpdump: truncated-ip - 4 bytes missing
Jorgen Skjaanes
cable modem I get alot of of these (1 or 2 each second):
02:47:43.282504 eth0 B truncated-ip - 4 bytes missing!0.0.0.0.30587 > 255.255.255.255.30591: udp 1438 [ttl 1]
02:47:43.981059 eth0 B truncated-ip - 4 bytes missing!0.0.0.0.30587 > 255.255.255.255.30591: udp 1438 [ttl 1]
Does anyone have any idea what they mean? Is it a bug in tcpdump
(version 3.4), a problem with my setup/kernel of some kind, or is
it my ISP's gateway that is doing strange stuff?
--
Jorgen
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majo...@vger.rutgers.edu
Praveen Dwivedi
This might mean someone might be sending custom made junk
packets. Did you see the content of the packets using tcpdump.
-Praveen
Niklas Höglund
=)
*SNIP*
13:53:25.910000 truncated-ip - 61956 bytes missing!32.65.134.138 >
32.70.9.17: (frag 16384:62000@48) [tos 0x28]
13:53:25.910000 truncated-ip - 30985 bytes missing!32.70.134.138 >
32.65.0.23: (frag 16384:31244@48) [tos 0x9]
13:53:25.930000 truncated-ip - 61958 bytes missing!32.65.134.138 >
32.70.9.17: (frag 16384:62002@48) [tos 0x28]
13:53:25.930000 truncated-ip - 30986 bytes missing!32.70.134.138 >
32.65.0.23: (frag 16384:31245@48) [tos 0x9]
*SNIP*
13:57:54.760000 truncated-ip - 32525 bytes missing!32.70.134.138 >
32.65.0.23: (frag 16384:33052@48) [tos 0x19]
0219 8124 4000 4006 6a0f 868a 2046 868a
2041 0017 0911 2216 6857 7cab 76c8 5018
7fe0 420f 0000 3133 3a35 373a 3534 2e37
3430 3030
*SNIP
This machines IP is 134.138.32.70 (134.138.32.65 is another linux machine)
...
I'm very sure that noone is sending junk packets on this network, besides
if I tcpdump on 134.138.32.65 I dont get this...
What does this "truncated-ip" mean? Is it crc error in the ip packet?
//Niklas
Niklas Höglund
This is a Netwinder machine (www.netwinder.org), I dont like this machine
- it wasnt I that bought this junk.
Anyway, there is a small possibility that it is a "Digital DS21142/3
Tulip" NIC.
Let me know if you find any solution to this... =)
//Niklas
On Mon, 21 Feb 2000, Serge Maandag wrote:
> Date: Mon, 21 Feb 2000 14:57:21 +0100
> From: Serge Maandag <se...@staff.zeelandnet.nl>
> To: 'Niklas Höglund' <Niklas....@ericsson.com>,
> "'linu...@vger.rutgers.edu'" <linu...@vger.rutgers.edu>
> Cc: "Bill Stegers (E-mail)" <bi...@sleepnet.net>
> Subject: RE: tcpdump: truncated-ip - 4 bytes missing
>
> We are having the same trouble here. Including the same strange mutilation
> of IP adresses. The only clients that are sending these corrupt packets are
> clients with Realtek NICs. Don't know whether all of them run windows, but
> most of them do.
> What kind of NIC do you use?
>
> Serge Maandag.
Serge Maandag
Jorgen Skjaanes
> total_length field in IP header = 1466
> tcpdump reports udp length of 1438
>
> 1438 +
> sizeof(udpheader)+sizeof(ipheader)+sizeof(mac_header)
> 1438 + 20 + 20 = 1478 = total_length field in IP
> header
> so there is a discrepancy in the IP header.
>
> I do not know what is causing this. You might want to
> temporarily remove non UNIX hosts on your lan to see
> if the problem goes away.
I wish I could, but this is my home-computer connected with
a cablemodem to a gateway that alot of other people's boxes
are also connected to. I guess most of the other boxes are'nt
running Linux/Unix...
So what I'm seeing is then probably some unidentified neighbour
of mine that runs a crappy OS or application somewhere.
I guess I'll just have to leave it at that.
Thanks for responding!
--
Jørgen
Praveen Dwivedi
total_length field in IP header = 1466
tcpdump reports udp length of 1438
1438 +
sizeof(udpheader)+sizeof(ipheader)+sizeof(mac_header)
1438 + 20 + 20 = 1478 = total_length field in IP
header
so there is a discrepancy in the IP header.
I do not know what is causing this. You might want to
temporarily remove non UNIX hosts on your lan to see
if the problem goes
away.
-Praveen
--- Jorgen Skjaanes <jor...@gulesider.no> wrote:
> On Sun, 20 Feb 2000, Praveen Dwivedi wrote:
>
> > This might mean someone might be sending custom
> made junk
> > packets. Did you see the content of the packets
> using tcpdump.
>
> Attached is the output of tcpdump -x -s 1500 -i
> eth0 -c 2
> I hope this make sense to you or anybody.
>
> And many thanks for your help with the options. I'm
> very green when it
> comes to this.
>
> --
> Jorgen
>
>
> > 23:55:54.463970 B truncated-ip - 4 bytes
> missing!0.0.0.0.30587 > 255.255.255.255.30591: udp
> 1438 [ttl 1]
> 4500 05ba c6f4 0000 0111 ed3f 0000 0000
> ffff ffff 777b 777f 05a6 0000 7f77 0000
> 4e45 4d4f 160c 0000 6074 0000 0000 2000
> 18fa 1200 7062 2000 7805 5670 00e8 e207
> c9c3 c802 0000 9cfa 803e 5b8a 0075 4d80
> 3e5a 8a00 7546 a0e6 8ab4 008b d88a 8f62
> 018a c1b4 008b d88a 87de 8a88 46ff 8a46
> ffb4 008a d1c0 e203 8bd8 0297 6201 8856
> fe8a 46fe b400 d1e0 8bd8 8b87 5e8a a3e7
> 8aa1 e78a 3b06 e98a 7402 cd71 9dc9 c355
> 8bec 9cfa fe06 5a8a 9d5d c3c8 0400 009c
> faa0 5a8a 04ff a25a 8a0a c075 5380 3e5b
> 8a00 754c a0e6 8ab4 008b d88a 8762 0188
> 46fe 8a46 feb4 008b d88a 87de 8a88 46ff
> 8a46 ffb4 008a 56fe c0e2 038b d802 9762
> 0188 56fd 8a46 fdb4 00d1 e08b d88b 875e
> 8aa3 e78a a1e7 8a3b 06e9 8a74 03e8 3a07
> 9dc9 c3c8 0200 009c fa8b 1ee9 8a8a 4703
> 8846 ff8a 46ff b400 2507 008b d88a 875a
> 01f6 d08a 56ff b600 c1fa 038b da20 87de
> 8a8a 87de 8a0a c075 148a 46ff b400 c1f8
> 038b d88a 875a 01f6 d020 06e6 8a8b 1ee9
> 8a8b 4604 8947 049d e8d7 fec9 c355 8bec
> 568b 365c 8aeb 449c fa83 7c04 0074 38ff
> 4c04 8b44 040b c075 2e8a 4c03 8ac1 b400
> c1f8 038b d88a 875a 0108 06e6 8a8a c1b4
> 0025 0700 8bd8 8a87 5a01 8ad1 b600 c1fa
> 038b da08 87de 8a9d 8b74 0680 7c03 3f75
> b65e 5dc3 558b ec56 9cfa 8b36 588a 8b44
> 06a3 588a 9d8b c6eb 005e 5dc3 558b ec9c
> fafe 065b 8a9d 5dc3 558b ec9c fafe 0e5b
> 8a9d e84d fe5d c3c8 0200 009c fa8a 4604
> b400 d1e0 8bd8 83bf 5e8a 0074 099d b028
> e9a8 00e9 a500 8b1e e98a 8a47 0388 46ff
> 8a46 ffb4 0025 0700 8bd8 8a87 5a01 f6d0
> 8a56 ffb6 00c1 fa03 8bda 2087 de8a 8a87
> de8a 0ac0 7514 8a46 ffb4 00c1 f803 8bd8
> 8a87 5a01 f6d0 2006 e68a 8a46 04b4 00c1
> f803 8bd8 8a87 5a01 0806 e68a 8a46 04b4
> 0025 0700 8bd8 8a87 5a01 8a56 04b6 00c1
> fa03 8bda 0887 de8a 8b1e e98a 8a46 0488
> 4703 8a46 04b4 00d1 e08b 16e9 8a8b d889
> 975e 8a8a 46ff b400 d1e0 8bd8 c787 5e8a
> 0000 9de8 8cfd b000 e955 ffc9 c3c8 0200
> 009c fa8b 1ee9 8a8a 4703 8846 ff8a 46ff
> b400 d1e0 8bd8 c787 5e8a 0000 8a46 ffb4
> 0025 0700 8bd8 8a87 5a01 f6d0 8a56 ffb6
> 00c1 fa03 8bda 2087 de8a 8a87 de8a 0ac0
> 7514 8a46 ffb4 00c1 f803 8bd8 8a87 5a01
> f6d0 2006 e68a 8b1e e98a 837f 0800 7518
> 8b1e e98a 8b5f 06c7 4708 0000 8b1e e98a
> 8b47 06a3 5c8a eb22 8b1e e98a 8b47 068b
> 1ee9 8a8b 5f08 8947 068b 1ee9 8a8b 4708
> 8b1e e98a 8b5f 0689 4708 8b1e e98a a158
> 8a89 4706 a1e9 8aa3 588a 9de8 d4fc c9c3
> 558b ec56 8b76 049c fa8b 4606 8904 c644
> 0200 c644 0300 c644 0400 c644 0500 c644
> 0600 c644 0700 c644 0800 c644 0900 c644
> 0a00 9db0 00eb 005e 5dc3 c806 0000 5657
> 8b76 048b 7e08 9cfa 8b04 8946 fa0b c074
> 0bc7 0400 009d c605 00e9 cb00 8b1e e98a
> 804f 0201 8b1e e98a 8b46 0689 4704 8b1e
> e98a 8a47 03b4 00c1 f803 8846 fe8b 1ee9
> 8a8a 4703 2407 8846 ff8a 46fe b400 8bd8
> 8a87 5a01 8846 fc8a 46ff b400 8bd8 8a87
> 5a01 8846 fd8a 46fe b400 8a56 fdf6 d28b
> d820 97de 8a8a 87de 8a0a c075 098a 46fc
> f6d0 2006 e68a 8a46 feb4 008a 56fd 8bd8
> 0850 038a 46fc 0844 029d e8f5 fb9c fa8b
> 1ee9 8af6 4702 0174 318a 46fe b400 8a56
> fdf6 d28b d820 5003 8a40 030a c075 088a
> 46fc f6d0 2044 028b 1ee9 8ac6 4702 00c7
> 46fa 0000 9dc6 050a eb0d 8b04 8946 fac7
> 0400 009d c605 008b 46fa eb00 5f5e c9c3
> c806 0000 568b 7604 9cfa 833c 0074 099d
> b014 e9be 00e9 bb00 8b46 0689 0480 7c02
> 0075 03e9 a700 8a44 02b4 008b d88a 8762
> 0188 46fe 8a46 feb4 008b d88a 4003 b400
> 8bd8 8a87 6201 8846 ff8a 46fe b400 8bd8
> 8a87 5a01 8846 fc8a 46ff b400 8bd8 8a87
> 5a01 8846 fd8a 46fe b400 8a56 fdf6 d28b
> d820 5003 8a40 030a c075 088a 46fc f6d0
> 2044 028a 46fe c0e0 0302 46ff 8846 fb8a
> 46fb b400 d1e0 8bd8 8b9f 5e8a 8067 02fe
> 8a46 fbb4 00d1 e08b d88b 9f5e 8ac7 4704
> 0000 8a46 fc08 06e6 8a8a 46fe b400 8a56
> fd8b d808 97de 8a9d e8d7 faeb 019d b000
> e93f ff5e c9c3 558b ec56 8b76 048b 4e06
> 9cfa 890c 8a46 08b4 00d1 e08b d103 d089
> 5402 894c 0489 4c06 8a46 0888 4408 c644
> 0900 c644 0a00 c644 0b00 c644 0c00 c644
> 0d00 c644 9805
> 23:55:55.160884 B truncated-ip - 4 bytes
> missing!0.0.0.0.30587 > 255.255.255.255.30591: udp
> 1438 [ttl 1]
> 4500 05ba c6f5 0000 0111 ed3e 0000 0000
> ffff ffff 777b 777f 05a6 0000 7f77 0000
> 4e45 4d4f 160c 0000 6074 0000 0000 2000
> 18fa 1300 e867 2000 7805 f6a5 0e00 c644
> 0f00 c644 1000 c644 1100 c644 1200 9db0
> 00eb 005e 5dc3 c806 0000 5657 8b7e 049c
> fa80 7d09 0074 268b 5d06 8345 0602 8b07
> 8946 fafe 4d09 8b45 063b 4502 7505 8b05
> 8945 069d 8b5e 08c6 0700 e9e4 008b 1ee9
> 8a80 4f02 048b 1ee9 8a8b 4606 8947 048b
> 1ee9 8a8a 4703 b400 c1f8 0388 46fe 8b1e
> e98a 8a47 0324 0788 46ff 8a46 feb4 008b
> d88a 875a 0188 46fc 8a46 ffb4 008b d88a
> 875a 0188 46fd 8a46 feb4 008a 56fd f6d2
> 8bd8 2097 de8a 8a87 de8a 0ac0 7509 8a46
> fcf6 d020 06e6 8a8a 46fe b400 8a56 fd8b
> d808 510b 8a46 fc08 450a 9de8 bcf9 9cfa
> 8b1e e98a f647 0204 7434 8a46 feb4 008a
> 56fd f6d2 8bd8 2051 0b8a 410b 0ac0 7508
> 8a46 fcf6 d020 450a 8b1e e98a c647 0200
> c746 fa00 009d 8b5e 08c6 070a eb23 8b5d
> 0683 4506 028b 0789 46fa fe4d 098b 4506
> 3b45 0275 058b 0589 4506 9d8b 5e08 c607
> 008b 46fa eb00 5f5e c9c3 c802 0000 5657
> 8b7e 049c fa80 7d09 0074 248b 5d06 8345
> 0602 8b07 8946 fefe 4d09 8b45 063b 4502
> 7505 8b05 8945 069d 8b46 feeb 07eb 059d
> 33c0 ebf7 5f5e c9c3 c806 0000 5657 8b7e
> 049c fa8a 4509 3a45 0872 099d b01e e9d5
> 00e9 d200 8b5d 0483 4504 028b 4606 8907
> fe45 098b 4504 3b45 0275 058b 0589 4504
> 807d 0a00 7503 e9a7 008a 450a b400 8bd8
> 8a87 6201 8846 fe8a 46fe b400 8bd8 8a41
> 0bb4 008b d88a 8762 0188 46ff 8a46 feb4
> 008b d88a 875a 0188 46fc 8a46 ffb4 008b
> d88a 875a 0188 46fd 8a46 feb4 008a 56fd
> f6d2 8bd8 2051 0b8a 410b 0ac0 7508 8a46
> fcf6 d020 450a 8a46 fec0 e003 0246 ff88
> 46fb 8a46 fbb4 00d1 e08b d88b 9f5e 8a80
> 6702 fb8a 46fb b400 d1e0 8bd8 8b9f 5e8a
> c747 0400 008a 46fc 0806 e68a 8a46 feb4
> 008a 56fd 8bd8 0897 de8a 9de8 2cf8 eb01
> 9db0 00e9 28ff 5f5e c9c3 8b1e e78a 891e
> e98a 8b07 8be0 8cd8 8ed0 0761 cf60 068b
> 1ee9 8a89 278b 1ee7 8a89 1ee9 8a8b 2707
> 61cf 83c4 0c8b 1ee9 8a89 278b 1ee7 8a89
> 1ee9 8a8b 2707 61cf 6006 e871 a5ba 0eff
> b800 02ef b820 00ba 00ff efba 04ff efe8
> 25f8 e8f0 f8e8 2bf8 0761 cf00 6006 b820
> 00ba 00ff efe8 0ff8 e813 9be8 15f8 0761
> cf60 06b8 2000 ba00 ffef e8fa f7e8 08a8
> e800 f807 61cf 558b ec5d c355 8bec 6a64
> e858 f859 9cfa a190 890b 0692 8974 05b8
> 0100 eb02 33c0 9929 0690 8919 1692 899d
> 9cfa 689b 89e8 5604 599d a066 0000 0667
> 0080 3e67 0002 7617 803e 7200 0074 1080
> 3ec9 8800 7409 9cfa 6a00 e8cb b459 9dc6
> 0666 0001 eba8 5dcb 558b eceb 29a1 6202
> ff06 6202 3d0a 007e 17c7 0662 0200 006a
> 0168 8280 6a00 900e e8cf ab83 c406 eb06
> 6a01 e8d6 f759 6866 ffe8 fe9c 59a9 0800
> 74cb 8a46 04b4 0050 686a ffe8 d49c 83c4
> 045d c3c8 0200 008d 46ff 506a 01ff 3606
> 00e8 62fc 83c4 0688 46fe 807e ff00 750e
> 807e fe00 7408 8a46 fe50 e88b ff59 ebd7
> c9cb 558b ec56 578a 460c b400 d1e0 8bd8
> 83bf 5e8a 0074 03e9 f200 e81f f88b f88a
> 460c 8845 03c6 4502 00c7 4504 0000 8b76
> 0a83 ee02 8b46 0889 0483 ee02 8b46 0689
> 0483 ee02 8b46 0489 0483 ee02 c704 0002
> 83ee 028b 4606 8904 83ee 028b 4604 8904
> 83ee 02c7 0400 0083 ee02 c704 0000 83ee
> 02c7 0400 0083 ee02 c704 0000 83ee 02c7
> 0400 0083 ee02 c704 0000 83ee 02c7 0400
> 0083 ee02 c704 0000 83ee 02c7 0400 0089
> 358a 460c b400 d1e0 8bd8 89bf 5e8a 9cfa
> a15c 8a89 4506 c745 0800 0083 3e5c 8a00
> 7407 8b1e 5c8a 897f 0889 3e5c 8a8a 460c
> b400 c1f8 038b d88a 875a 0108 06e6 8a8a
> 460c b400 2507 008b d88a 875a 018a 560c
> b600 c1fa 038b da08 87de 8a9d 803e eb8a
> 0074 03e8 b4f5 b000 eb06 eb04 b028 ebf8
> 5f5e 5dc3 c802 0000 c606 018b 00c7 0664
> 0200 009c fa8d 46ff 506a 10e8 39e8 83c4
> 049d 8a46 ff04 0288 46ff 807e ff0f 7d0e
> 807e ff00 7e08 a004 8b98 0bc0 7504 c646
> ff0f 8a46 ff50 e834 f259 8a46 ffa2 028b
> a203 8b33 c0a3 0c8b a30a 8ba2 128b c606
> 088b 00c7 0605 8b02 00c6 0600 8b02 c9c3
> 558b eca0 038b 506a 10e8 01e8 83c4 04a0
> 038b 50e8 f7f1 59c7 0664 0201 0033 c0a3
> 0c8b a30a 9805
>
__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com
Tuan Hoang
UDP header is only 8 bytes. When you compute the checksum you add on a 12
byte pseudo header but that's not included as part of the datagram
packet when it's passed to the IP layer.
sizeof(Data Payload + UDP Header + IP Header) = Total Length of IP Packet
1438 + 8 + 20 = 1466
On Wed, 23 Feb 2000, Jorgen Skjaanes wrote:
> On Tue, 22 Feb 2000, Praveen Dwivedi wrote:
>
> > total_length field in IP header = 1466
> > tcpdump reports udp length of 1438
> >
> > 1438 +
> > sizeof(udpheader)+sizeof(ipheader)+sizeof(mac_header)
> > 1438 + 20 + 20 = 1478 = total_length field in IP
> > header
> > so there is a discrepancy in the IP header.
> >
> > I do not know what is causing this. You might want to
> > temporarily remove non UNIX hosts on your lan to see
> > if the problem goes away.
>
> I wish I could, but this is my home-computer connected with
> a cablemodem to a gateway that alot of other people's boxes
> are also connected to. I guess most of the other boxes are'nt
> running Linux/Unix...
>
> So what I'm seeing is then probably some unidentified neighbour
> of mine that runs a crappy OS or application somewhere.
>
> I guess I'll just have to leave it at that.
>
> Thanks for responding!
>
> --
> Jørgen
>
>
Praveen Dwivedi
well, so the total lenght field in IP packet is
correct.
-Praveen
__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com
Praveen Dwivedi
Praveen Dwivedi
well. So the total lenght field in IP packet is
Philip Blundell
>This is a Netwinder machine (www.netwinder.org), I dont like this machine
>- it wasnt I that bought this junk.
>>
>> 13:53:25.910000 truncated-ip - 61956 bytes missing!32.65.134.138 >
>> 32.70.9.17: (frag 16384:62000@48) [tos 0x28]
You have a buggy tcpdump.
p.