tcpdump mailing list archives

Re: error-message "IP11 truncated-ip" in last tcpdump/libpcap


From: Guy Harris <guy () alum mit edu>
Date: Tue, 13 Jul 2004 11:51:08 -0700


On Jul 13, 2004, at 7:56 AM, Klaus Schrod wrote:

> Again our situation: Two computers connected to the net, one (lion) with a fixed ip address and one (styx) with pppoe. We established an ipsec tunnel between them successfully. tcpdump showed an error in the ESP traffic between styx and lion. But the error messages changed depending on the computer which sent the first packet after the ipsec tunnel is initiated.

> The errors appear only on styx, the pppoe side of the connection. tcpdump on lion shows the correct (and expected) ESP traffic.

On what type of interface are you capturing on lion? A regular Ethernet interface?

> If the first package (in my case a ping) came from lion the error message of tcpdump was "IP7 bad-hlen 12". In one case I saw also a "IP3 bad-hlen 8" message. There is no "truncated-ip" message in this case.

Ethereal's seeing similar problems. The traffic from 217.234.111.121 to 62.225.140.214 has, as the protocol layers:

        Linux cooked capture
        IP
        ESP

whereas the traffic from 62.225.140.214 to 217.234.111.121 has

        Linux cooked capture
        IP with a protocol type of IP-inside-IP
        IP (with a bogus version number of 3 and a bogus header length of 8)

It *might* be that the traffic from 217.234.111.121 to 62.225.140.214 (which I infer is sent from styx to lion, as the Linux cooked capture header shows it as "sent by us") is being shown as the ESP packets that are going on the wire, whereas the traffic from 62.225.140.214 to 217.234.111.121 is having the tunnel ESP headers stripped off, the tunnel IP header changed to say "IP inside IP", and the payload *NOT* being decrypted.

I.e., I suspect this is probably a problem with the way the Linux kernel is supplying packets to user-mode code such as libpcap. Googling for

        ipsec linux IPIP ESP tcpdump truncated

found

        http://www.uwsg.iu.edu/hypermail/linux/kernel/0401.0/1410.html

and

        http://braindamage.alal.com/archives/linux-kernel/20030922/7627.html

which look as if they might be similar problems.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
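As an added example (not code from this thread, nor from tcpdump or libpcap), the Python below walks a Linux cooked-capture (DLT_LINUX_SLL) frame the way the two layer stacks above were read, applying tcpdump-style IPv4 sanity checks that produce labels such as "IP3 bad-hlen 8" and "IP11 truncated-ip". The sample frames are constructed: the addresses are the thread's, while the SPI, payload bytes and link-layer type are made up.

```python
import socket
import struct

SLL_HDR_LEN, SLL_OUTGOING = 16, 4   # cooked-capture header size; pkttype 4 = "sent by us"
ETHERTYPE_IP, IPPROTO_IPIP, IPPROTO_ESP, IPV4_MIN_HLEN = 0x0800, 4, 50, 20

def parse_sll(frame):
    """Split a DLT_LINUX_SLL frame into (pkttype, ethertype, payload)."""
    if len(frame) < SLL_HDR_LEN:
        raise ValueError("truncated cooked-capture header")
    pkttype, proto = struct.unpack_from("!H", frame, 0)[0], struct.unpack_from("!H", frame, 14)[0]
    return pkttype, proto, frame[SLL_HDR_LEN:]

def ip_layer(pkt):
    """Apply tcpdump-style IPv4 sanity checks; return (label, ip protocol, payload)."""
    if not pkt:
        return "truncated-ip 0", None, b""
    version, hlen = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    name = "IP" if version == 4 else f"IP{version}"   # tcpdump prints "IP3", "IP7", "IP11", ...
    if len(pkt) < IPV4_MIN_HLEN:
        return f"{name} truncated-ip {len(pkt)}", None, b""
    if hlen < IPV4_MIN_HLEN:
        return f"{name} bad-hlen {hlen}", None, b""
    return name, pkt[9], pkt[hlen:]

def describe(frame):
    """Return the protocol layer stack for one frame, labelled the way tcpdump/Ethereal label it."""
    pkttype, ethertype, pkt = parse_sll(frame)
    layers = ["Linux cooked capture" + (" (sent by us)" if pkttype == SLL_OUTGOING else "")]
    if ethertype != ETHERTYPE_IP:
        return layers + [f"ethertype 0x{ethertype:04x}"]
    while True:
        label, proto, payload = ip_layer(pkt)
        if proto != IPPROTO_IPIP:
            break
        layers.append(label + " with a protocol type of IP-inside-IP")
        pkt = payload                                   # descend into the inner (possibly bogus) header
    layers.append(label)
    if proto == IPPROTO_ESP and len(payload) >= 8:
        spi, seq = struct.unpack_from("!II", payload)
        layers.append(f"ESP spi 0x{spi:08x} seq {seq}")
    return layers

def ipv4_header(src, dst, proto, payload_len, version=4, ihl=5):
    """20-byte IPv4 header, checksum left 0; version/ihl are parameters so a bogus header can be built."""
    return struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, IPV4_MIN_HLEN + payload_len,
                       0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def sll_frame(pkttype, payload):
    """Cooked-capture header: pkttype, ARPHRD_PPP (512), address length 0, 8 address bytes, ethertype."""
    return struct.pack("!HHH8sH", pkttype, 512, 0, b"\0" * 8, ETHERTYPE_IP) + payload

# Constructed sample frames modelled on the two directions described above.
STYX, LION = "217.234.111.121", "62.225.140.214"
ESP = struct.pack("!II", 0x0A1B2C3D, 7) + b"\0" * 16   # SPI, sequence number, opaque ciphertext
STYX_TO_LION = sll_frame(SLL_OUTGOING, ipv4_header(STYX, LION, IPPROTO_ESP, len(ESP)) + ESP)
BOGUS_INNER = ipv4_header(LION, STYX, IPPROTO_ESP, 0, version=3, ihl=2) + b"\0" * 8   # first byte 0x32
LION_TO_STYX = sll_frame(0, ipv4_header(LION, STYX, IPPROTO_IPIP, len(BOGUS_INNER)) + BOGUS_INNER)
TRUNCATED = sll_frame(0, bytes([0xB5]) + b"\0" * 11)   # version 11 with only 12 bytes captured
```

Feeding the frames to describe() reproduces the two stacks quoted above, so a capture can be checked programmatically for the "IP-inside-IP followed by an unparseable header" pattern before blaming tcpdump itself.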