tcpdump mailing list archives
Re: error-message "IP11 truncated-ip" in last tcpdump/libpcap
From: Klaus Schrod <kschrod () npc de>
Date: Tue, 13 Jul 2004 16:56:06 +0200
Guy Harris wrote:
On Mon, Jul 12, 2004 at 03:13:33PM +0200, Klaus Schrod wrote:Does anybody have any idea why we still get this error?Because, for whatever reason, the dissector for the protocol atop which the purported IP traffic is running thinks it's IP even though it isn't? (The version field has 11, not 4 or 6, in it.) Could you send us a capture file with this problem? We'd probably need that in order to figure out why it's happening. - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Dear Guy Harris, first of all I want to thank you for your response of my error message. Today I noticed that the error message changed sometimes.Again our situation: Two computers connected to the net, one (lion) with a fixed ip address and one (styx) with pppoe. We established an ipsec tunnel between them successfully. tcpdump showed an error in the ESP traffic between styx and lion. But the error messages changed depending on the computer which sent the first packet after the ipsec tunnel is initiated.
The errors appear only on styx, the pppoe side of the connection. tcpdump on lion shows the correct (and expacted) ESP traffic.
If the first package (in my case a ping) came from lion the error message of tcpdump was "IP7 bad-hlen 12". In one case I saw also a "IP3 bad-hlen 8" message. There is no "truncated-ip" message in this case.
If the first package (also a ping) came from the styx side the error mesage was the "truncated-ip" stuff. I did not find any "bad-hlen" in the messages.
Depending on where the first packege was coming from I get only one or the other type of message. I did not know if the two type of messages have any logical connection.
You will find two capture files as an attachment, one with the bad-hlen message and one with the truncated-ip message.
If you need any further information please do not hesitate to contanct me. regards, Klaus Schrod
Attachment:
ping2_over_ipsec.pcap
Description:
Attachment:
ping_over_ipsec.pcap
Description:
- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Current thread:
- error-message "IP11 truncated-ip" in last tcpdump/libpcap Klaus Schrod (Jul 12)
- Re: error-message "IP11 truncated-ip" in last tcpdump/libpcap Guy Harris (Jul 12)
- Re: error-message "IP11 truncated-ip" in last tcpdump/libpcap Klaus Schrod (Jul 13)
- Re: error-message "IP11 truncated-ip" in last tcpdump/libpcap Guy Harris (Jul 13)
- Re: error-message "IP11 truncated-ip" in last tcpdump/libpcap Guy Harris (Jul 13)
- windump options 4 writing in a *.txt file César Cárdenas (Jul 13)
- Re: windump options 4 writing in a *.txt file Guy Harris (Jul 13)
- Only SYN César Cárdenas (Jul 22)
- Re: Only SYN Guy Harris (Jul 22)
- Re: error-message "IP11 truncated-ip" in last tcpdump/libpcap Klaus Schrod (Jul 13)
- Re: error-message "IP11 truncated-ip" in last tcpdump/libpcap Guy Harris (Jul 12)