tcpdump mailing list archives

Previous By Date Next
Previous By Thread Next

Odd behaviour under Linux 2.6.21

From: James Healy <jhealy () swin edu au>
Date: Fri, 06 Jul 2007 13:30:11 +1000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We've encountered some odd behaviour with tcpdump/libpcap under Linux
2.6.21 (debian etch) and are hoping that others might be able to shed
some light on it for us.

The following 2 pcap files are from 2 hosts involved in a short scp
transmission:

http://caia.swin.edu.au/urp/newtcp/files/scp-sender-2.6.21.dmp
http://caia.swin.edu.au/urp/newtcp/files/scp-receiver-2.6.21.dmp

The hosts are connected via a crossover cable and are using gigabit
Intel cards. Jumbo frames are not enabled.

The sender pcap file indicates that some packets that went out were

1500 bytes in size, however the receiver side says that packets with

the same IP ID were exactly 1500 bytes long.

At first we thought the packets were being truncated, but when we review
the files using tcpdump's -X option, it appears that the packets are
being fragmented and the sender side instance of tcpdump/libpcap is
unaware of it.

The third pcap file is from the sender side of a SCP transfer with the
same setup but under a 2.6.12 kernel (a Knoppix 4.0.2 live cd). It
records all outgoing packets as <= 1500 bytes as expected:

http://caia.swin.edu.au/urp/newtcp/files/scp-sender-2.6.12.dmp

Any tips? This one has us stumped!

James Healy
Centre for Advanced Internet Architectures
Swinburne University
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGjbdD4oawkrbYo/kRAvOwAJ9tPO5AMI6eVHPi+bvD/67BJq6CAgCghjFH
IyxS/eMg5zsHFClze+SXtYk=
=eiZf
-----END PGP SIGNATURE-----

Swinburne University of Technology
CRICOS Provider Code: 00111D

NOTICE
This e-mail and any attachments are confidential and intended only for the use of the addressee. They may contain 
information that is privileged or protected by copyright. If you are not the intended recipient, any dissemination, 
distribution, printing, copying or use is strictly prohibited. The University does not warrant that this e-mail and any 
attachments are secure and there is also a risk that it may be corrupted in transmission. It is your responsibility to 
check any attachments for viruses or defects before opening them. If you have received this transmission in error, 
please contact us on +61 3 9214 8000 and delete it immediately from your system. We do not accept liability in 
connection with computer virus, data corruption, delay, interruption, unauthorised access or unauthorised amendment.

Please consider the environment before printing this email.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
Previous By Date Next
Previous By Thread Next

Current thread: