How do I catch a packet mutilator?

Raul Miller (rdm@test.legislate.com)
Sun, 6 Dec 1998 02:10:07 -0500


I just stumbled on something odd that I don't understand.

Consider the following tcpdump excerpts [they represent hitting return
in an ssh session]:

Seen from the netbsd box:
01:21:01.479330 linux-2.1.129ac5.1023 > netbsd-1.3.2.ssh: P 2210554452:2210554472(20) ack 2189690015 win 31856 <nop,nop,timestamp 38040243 3141313> (DF) [tos 0x10]
01:21:01.479771 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: . ack 20 win 17500 <nop,nop,timestamp 3141394 38040243> [tos 0x10]
01:21:01.499865 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: P 1:53(52) ack 20 win 17520 <nop,nop,timestamp 3141394 38040243> [tos 0x10]
01:21:05.449053 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: P 1:53(52) ack 20 win 17520 <nop,nop,timestamp 3141401 38040243> [tos 0x10]
01:21:06.441164 linux-2.1.129ac5.1023 > netbsd-1.3.2.ssh: . ack 53 win 31856 <nop,nop,timestamp 38040740 3141401> (DF) [tos 0x10]

Seen from the linux box:
01:21:01.001218 linux-2.1.129ac5.1023 > netbsd-1.3.2.ssh: P 2210554452:2210554472(20) ack 2189690015 win 31856 <nop,nop,timestamp 38040243 3141313> (DF) [tos 0x10]
01:21:01.979277 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: . ack 20 win 17500 <nop,nop,timestamp 3141394 38040243> [tos 0x10]
01:21:01.999251 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: P 1:53(52) ack 20 win 17520 <nop,nop,timestamp 1091434 1438162> [tos 0x10]
01:21:05.956474 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: P 1:53(52) ack 20 win 17520 <nop,nop,timestamp 3141401 38040243> [tos 0x10]
01:21:05.970488 linux-2.1.129ac5.1023 > netbsd-1.3.2.ssh: . ack 53 win 31856 <nop,nop,timestamp 38040740 3141401> (DF) [tos 0x10]

What's strange is the timestamp on the third line of each dump.
The netbsd box claims to see a timestamp which is in sequence with
the other timestamps it's sending out. The linux box claims to see a
timestamp which is wildly out of sequence.

This is very repeatable. For example:

Seen from the linux box:
01:21:21.741406 linux-2.1.129ac5.1023 > netbsd-1.3.2.ssh: P 20:40(20) ack 53 win 31856 <nop,nop,timestamp 38042317 3141401> (DF) [tos 0x10]
01:21:22.729006 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: . ack 40 win 17500 <nop,nop,timestamp 3141435 38042317> [tos 0x10]
01:21:22.754060 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: P 53:105(52) ack 40 win 17520 <nop,nop,timestamp 1091434 1438162> [tos 0x10]
01:21:25.976220 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: P 53:105(52) ack 40 win 17520 <nop,nop,timestamp 3141441 38042317> [tos 0x10]
01:21:25.990691 linux-2.1.129ac5.1023 > netbsd-1.3.2.ssh: . ack 105 win 31856 <nop,nop,timestamp 38042742 3141441> (DF) [tos 0x10]

Seen from the netbsd box:
01:21:22.230047 linux-2.1.129ac5.1023 > netbsd-1.3.2.ssh: P 20:40(20) ack 53 win 31856 <nop,nop,timestamp 38042317 3141401> (DF) [tos 0x10]
01:21:22.230517 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: . ack 40 win 17500 <nop,nop,timestamp 3141435 38042317> [tos 0x10]
01:21:22.253316 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: P 53:105(52) ack 40 win 17520 <nop,nop,timestamp 3141435 38042317> [tos 0x10]
01:21:25.452813 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: P 53:105(52) ack 40 win 17520 <nop,nop,timestamp 3141441 38042317> [tos 0x10]
01:21:26.479800 linux-2.1.129ac5.1023 > netbsd-1.3.2.ssh: . ack 105 win 31856 <nop,nop,timestamp 38042742 3141441> (DF) [tos 0x10]

It looks to me like the first packet coming back is always getting
corrupted.

Any recommendations on how I might isolate this?

Thanks,

-- 
Raul

[By the way, the network device on the linux box is a 3c509].

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
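The comparison Raul did by eye above (lining up the two captures and spotting the one packet whose TCP timestamp option differs) can be automated, and the same logic gives a generic check for mangled timestamp options in any capture of this kind. The following script is an added example, not code from the post or from the kernel project; it assumes the tcpdump 3.x line format shown above and embeds the two linux-side and netbsd-side captures from the post as its sample input. Beyond the pairwise diff, it applies two checks that hold for any single capture: a sender's TSval must not go backwards (32-bit serial arithmetic, as PAWS in RFC 1323 uses), and a TSecr must echo a TSval the peer has actually been seen to send. Either check failing on a packet that the other end saw as clean points at corruption between the two sniffing points (NIC, driver, or something on the path rewriting option bytes).

```python
"""Flag TCP timestamp-option values in tcpdump output that cannot be genuine.

Added example (not from the original post). Assumes tcpdump 3.x output lines
such as:
  01:21:01.479771 host.1023 > peer.ssh: . ack 20 win 17500 <nop,nop,timestamp 3141394 38040243> [tos 0x10]
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r".*?<nop,nop,timestamp\s+(?P<tsval>\d+)\s+(?P<tsecr>\d+)>"
)


@dataclass
class Packet:
    time: str
    src: str
    dst: str
    tsval: int
    tsecr: int


def parse(text: str) -> list[Packet]:
    """Keep every tcpdump line that carries a TCP timestamp option."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(m["time"], m["src"], m["dst"],
                                  int(m["tsval"]), int(m["tsecr"])))
    return packets


def went_backwards(prev: int, cur: int) -> bool:
    """True if cur lies 'before' prev in 32-bit serial-number arithmetic."""
    return (cur - prev) % (1 << 32) >= (1 << 31)


def find_anomalies(packets: list[Packet]) -> list[tuple[int, str]]:
    """Per-direction sanity checks on TSval/TSecr; returns (index, reason) pairs."""
    last_tsval: dict[str, int] = {}          # sender -> most recent TSval seen
    sent_tsvals: dict[str, set[int]] = {}    # sender -> every TSval it has sent
    findings = []
    for i, p in enumerate(packets):
        prev = last_tsval.get(p.src)
        if prev is not None and went_backwards(prev, p.tsval):
            findings.append((i, f"TSval from {p.src} went backwards: {prev} -> {p.tsval}"))
        peer_sent = sent_tsvals.get(p.dst)
        # A set rather than 'the latest TSval' avoids false positives on delayed ACKs.
        if peer_sent and p.tsecr not in peer_sent:
            findings.append((i, f"TSecr {p.tsecr} from {p.src} echoes a value {p.dst} never sent"))
        last_tsval[p.src] = p.tsval
        sent_tsvals.setdefault(p.src, set()).add(p.tsval)
    return findings


def diff_timestamps(a: list[Packet], b: list[Packet]) -> list[tuple[int, tuple[int, int], tuple[int, int]]]:
    """Pair two captures of the same exchange line by line; report option mismatches."""
    return [(i, (x.tsval, x.tsecr), (y.tsval, y.tsecr))
            for i, (x, y) in enumerate(zip(a, b))
            if (x.tsval, x.tsecr) != (y.tsval, y.tsecr)]


# Sample input: the first pair of captures from the post (one packet per line).
NETBSD_SIDE = """
01:21:01.479330 linux-2.1.129ac5.1023 > netbsd-1.3.2.ssh: P 2210554452:2210554472(20) ack 2189690015 win 31856 <nop,nop,timestamp 38040243 3141313> (DF) [tos 0x10]
01:21:01.479771 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: . ack 20 win 17500 <nop,nop,timestamp 3141394 38040243> [tos 0x10]
01:21:01.499865 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: P 1:53(52) ack 20 win 17520 <nop,nop,timestamp 3141394 38040243> [tos 0x10]
01:21:05.449053 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: P 1:53(52) ack 20 win 17520 <nop,nop,timestamp 3141401 38040243> [tos 0x10]
01:21:06.441164 linux-2.1.129ac5.1023 > netbsd-1.3.2.ssh: . ack 53 win 31856 <nop,nop,timestamp 38040740 3141401> (DF) [tos 0x10]
"""

LINUX_SIDE = """
01:21:01.001218 linux-2.1.129ac5.1023 > netbsd-1.3.2.ssh: P 2210554452:2210554472(20) ack 2189690015 win 31856 <nop,nop,timestamp 38040243 3141313> (DF) [tos 0x10]
01:21:01.979277 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: . ack 20 win 17500 <nop,nop,timestamp 3141394 38040243> [tos 0x10]
01:21:01.999251 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: P 1:53(52) ack 20 win 17520 <nop,nop,timestamp 1091434 1438162> [tos 0x10]
01:21:05.956474 netbsd-1.3.2.ssh > linux-2.1.129ac5.1023: P 1:53(52) ack 20 win 17520 <nop,nop,timestamp 3141401 38040243> [tos 0x10]
01:21:05.970488 linux-2.1.129ac5.1023 > netbsd-1.3.2.ssh: . ack 53 win 31856 <nop,nop,timestamp 38040740 3141401> (DF) [tos 0x10]
"""

if __name__ == "__main__":
    bsd, lin = parse(NETBSD_SIDE), parse(LINUX_SIDE)
    for i, sent, seen in diff_timestamps(bsd, lin):
        print(f"packet {i}: netbsd sent {sent}, linux saw {seen}")
    for i, why in find_anomalies(lin):
        print(f"linux capture, packet {i}: {why}")
```

Run as a script it reports the third packet twice: once from the pairwise diff (sent 3141394/38040243, received 1091434/1438162) and once from the single-capture checks (TSval went backwards, and TSecr 1438162 was never sent by the linux box). The second set of checks is the useful one in practice, since it needs only the receiving side's capture and will also flag a retransmission whose option bytes were rewritten in flight.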