Snort mailing list archives

Solaris checksum problem


From: Hector Urdaneta <hector () flowstorm com>
Date: Tue, 04 Jun 2002 12:15:18 -0700

Hi,

I've been running snort-1.8.6 under Linux and Solaris, and getting
different results for the TCP checksums. For the same packets, under
Linux the (TCP) checksum function call returns a value of 0, while for
Solaris it returns a non-0 value. In particular I am referring to the
checksum call made inside the DecodeTCP function (decode.c:1616).

I do not know yet what is causing the problem, maybe an endianness
problem with the way checksum is computed?


Thanks for any leads,
Hector Urdaneta


PS. Here's what I've tracked down.

In the file decode.c, I add a breakpoint right after the call to the
checksum function (decode.c:1618).

    if(pv.checksums_mode & DO_TCP_CHECKSUMS)
    {
        /* setup the pseudo header for checksum calculation */
        ph.sip = (u_int32_t)(p->iph->ip_src.s_addr);
        ph.dip = (u_int32_t)(p->iph->ip_dst.s_addr);
        ph.zero = 0;
        ph.protocol = p->iph->ip_proto;
        ph.tcplen = htons((u_short)len);

        /* if we're being "stateless" we probably don't care about the TCP
         * checksum, but it's not bad to keep around for shits and giggles */
        /* calculate the checksum */
        csum = checksum((u_int16_t *)&ph, 12, (u_int16_t *)(p->tcph), len);

break>> if(csum)
        {
            p->csum_flags |= CSE_TCP;

            DebugMessage(DEBUG_DECODE, "Bad TCP checksum\n");
        }
        ...
    }

Running snort under linux:
GNU DDD 3.3.1 (i686-pc-linux-gnu), by Dorothea Lütkehaus and Andreas Zeller.
Copyright © 1995-1999 Technische Universität Braunschweig, Germany.
Copyright © 1999-2001 Universität Passau, Germany.
(gdb) break decode.c:1618
Breakpoint 1 at 0x8055502: file ../snort-1.8.6/decode.c, line 1618.
(gdb) run -A fast -l ./log -r ~/data/packet1.pcap -c
./snort-1.8.6/snort.conf
Log directory = ./log
TCPDUMP file reading mode.
Reading network traffic from "/home/hector/data/packet1.pcap" file.
snaplen = 1514

         --== Initializing Snort ==--
..
         --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Breakpoint 1, DecodeTCP (pkt=0x80dfcf4 "", len=47, p=0xbffff160) at
./snort-1.8.6/decode.c:1618
(gdb) print /x ph
$1 = {sip = 0xe25083d0, dip = 0xce21c63f, zero = 0x0, protocol = 0x6,
tcplen = 0x2f00}
(gdb) print /x *p->tcph
$2 = {th_sport = 0x1700, th_dport = 0x7706, th_seq = 0x4fe2a52f, th_ack
= 0x9c8ff5e8, th_x2 = 0x0, th_off = 0x5, th_flags = 0x18, th_win =
0x7044, th_sum = 0xaa84, th_urp = 0x0}
(gdb) print /x len
$3 = 0x2f
(gdb) print csum
$4 = 0
(gdb)


Same experiment under Solaris:
GNU DDD 3.3 (sparc-sun-solaris2.8), by Dorothea Lütkehaus and Andreas
Zeller.
Copyright © 1995-1999 Technische Universität Braunschweig, Germany.
Copyright © 1999-2001 Universität Passau, Germany.
(gdb) break decode.c:1618
Breakpoint 1 at 0x8055502: file Breakpoint 1 at 0x2b74c
(gdb) run -A fast -l ./log -r ~/data/packet1.pcap -c
./snort-1.8.6/snort.conf
Log directory = ./log
TCPDUMP file reading mode.
Reading network traffic from "/home/hector/data/packet1.pcap" file.
snaplen = 1514

         --== Initializing Snort ==--
..
         --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Breakpoint 1, DecodeTCP (pkt=0xec0dc "", len=47, p=0xffbef450) at
./snort-1.8.6/decode.c:1618
(gdb) print /x ph
$1 = {sip = 0xd08350e2, dip = 0x3fc621ce, zero = 0x0, protocol = 0x6,
tcplen = 0x2f}
(gdb) print /x *p->tcph
$2 = {th_sport = 0x17, th_dport = 0x677, th_seq = 0x2fa5e24f, th_ack =
0xe8f58f9c, th_off = 0x5, th_x2 = 0x0, th_flags = 0x18, th_win = 0x4470,
th_sum = 0x84aa, th_urp = 0x0}
(gdb) print /x len
$3 = 0x2f
(gdb) print csum
$4 = 2550
(gdb)

Notice Linux and Solaris get the same input (ph, p->tcph and len),
except for the different endian order. The Linux checksum call returns a 0
value, while the Solaris one does not. I therefore get a "Bad TCP checksum"
under Solaris. (Note: same problem/same value under MIPS.)
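An added illustration of one way this kind of discrepancy arises. It is not part of the post above and is not Snort's checksum routine; the post does not identify the cause, and the example only tests a hypothesis: that the checksum routine sums the data as host-order 16-bit words and adds the trailing byte of an odd-length segment (this one is 47 bytes) as a plain integer. The one's-complement sum is byte-order independent for whole words, but that trailing byte has to sit in the high half of the final word under big-endian word order and in the low half under little-endian order, so adding it as an integer happens to be right on x86 and wrong on SPARC or MIPS, which is exactly the asymmetry reported. The pseudo-header and TCP header bytes are the values printed in the gdb sessions; the 27-byte payload is constructed because the capture's payload is not in the post, so the checksum field is recomputed for the constructed segment rather than using the capture's 0x84aa. Both word orders are simulated explicitly, so the program gives the same answer on any host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Pseudo-header as printed in the post (network byte order):
 * 208.131.80.226 -> 63.198.33.206, zero, protocol 6, TCP length 47. */
static const uint8_t PSEUDO[12] = {
    0xd0, 0x83, 0x50, 0xe2,     /* sip */
    0x3f, 0xc6, 0x21, 0xce,     /* dip */
    0x00, 0x06,                 /* zero, protocol */
    0x00, 0x2f                  /* tcplen = 47 */
};

/* 20-byte TCP header from the post, checksum field (bytes 16-17) zeroed. */
static const uint8_t TCP_HDR[20] = {
    0x00, 0x17, 0x06, 0x77,     /* sport 23, dport 1655 */
    0x2f, 0xa5, 0xe2, 0x4f,     /* seq */
    0xe8, 0xf5, 0x8f, 0x9c,     /* ack */
    0x50, 0x18, 0x44, 0x70,     /* off 5, flags PSH|ACK, win 0x4470 */
    0x00, 0x00, 0x00, 0x00      /* sum (filled in later), urp */
};

/* Constructed 27-byte payload (the real payload is not in the post). */
static const char PAYLOAD[] = "constructed 27-byte payload";
#define PAYLOAD_LEN 27
#define SEG_LEN (sizeof TCP_HDR + PAYLOAD_LEN)   /* 47 bytes: odd length */

/* Fold a 32-bit one's-complement accumulator down to 16 bits. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)sum;
}

/* Add buf to sum as 16-bit words in the word order a simulated host would see
 * through a u_int16_t pointer. With odd_byte_portable == 0 the trailing byte of
 * an odd-length buffer is added as a plain integer (it lands in the low byte);
 * with odd_byte_portable == 1 it is placed where network order puts it. */
static uint32_t accumulate(uint32_t sum, const uint8_t *buf, size_t len,
                           int big_endian, int odd_byte_portable)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2) {
        uint16_t w = big_endian ? (uint16_t)((buf[i] << 8) | buf[i + 1])
                                : (uint16_t)((buf[i + 1] << 8) | buf[i]);
        sum += w;
    }
    if (len & 1) {
        uint32_t last = buf[len - 1];
        if (odd_byte_portable)
            /* first byte of the last word: high half in BE order, low half in LE */
            sum += big_endian ? (last << 8) : last;
        else
            sum += last;
    }
    return sum;
}

/* TCP checksum over pseudo-header + segment as the simulated host computes it.
 * For a segment with a correct checksum the result is 0 in either word order. */
uint16_t tcp_checksum_sim(const uint8_t *ph, size_t phlen,
                          const uint8_t *seg, size_t seglen,
                          int big_endian, int odd_byte_portable)
{
    uint32_t sum = 0;
    sum = accumulate(sum, ph, phlen, big_endian, odd_byte_portable);
    sum = accumulate(sum, seg, seglen, big_endian, odd_byte_portable);
    return (uint16_t)~csum_fold(sum);
}

/* Assemble the 47-byte segment and store a correct checksum (network order). */
void build_segment(uint8_t seg[SEG_LEN])
{
    uint16_t c;
    memcpy(seg, TCP_HDR, sizeof TCP_HDR);
    memcpy(seg + sizeof TCP_HDR, PAYLOAD, PAYLOAD_LEN);
    c = tcp_checksum_sim(PSEUDO, sizeof PSEUDO, seg, SEG_LEN, 1, 1);
    seg[16] = (uint8_t)(c >> 8);
    seg[17] = (uint8_t)(c & 0xff);
}

/* Residual a host with the given word order and odd-byte handling would report:
 * 0 means "checksum good", anything else is the post's "Bad TCP checksum". */
uint16_t residual(int big_endian, int odd_byte_portable)
{
    uint8_t seg[SEG_LEN];
    build_segment(seg);
    return tcp_checksum_sim(PSEUDO, sizeof PSEUDO, seg, SEG_LEN,
                            big_endian, odd_byte_portable);
}

int main(void)
{
    printf("little-endian, odd byte as integer : %u\n", residual(0, 0));
    printf("big-endian,    odd byte as integer : %u\n", residual(1, 0));
    printf("little-endian, odd byte portable   : %u\n", residual(0, 1));
    printf("big-endian,    odd byte portable   : %u\n", residual(1, 1));
    return 0;
}
```

Only the big-endian, odd-byte-as-integer combination reports a non-zero residual; the other three agree on 0, matching the Linux-good / Solaris-and-MIPS-bad pattern above. The portable handling (copy the trailing byte into the first byte of a zeroed 16-bit word, then add that word) is correct under both word orders, which is the check to look for in any checksum routine that has to run on mixed-endian hosts.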





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users