unusual behaviour of captured packets - problem with bpf? WAS: unexplained behavior of rtadvd

Ken Tollefson kenneth.tollefson at jcu.edu.au
Tue Nov 23 04:38:00 PST 2004


I have found, since this was originally posted, that when the packet 
captures are done from a system outside the IPv6 router there are no 
abnormal packets seen (with thanks to SUZUKI, Shinsuke @ KAME Project 
for assistance).  The original packet captures were done from within the 
router. It would seem from this that bpf might be behaving in an unusual 
manner.

I have read the documentation for bpf but have not found anything that 
explains the behavior noted below.  Can anyone shed light on what might 
be happening here?  Any help appreciated!

Ken Tollefson



Ken Tollefson wrote:
> 
> I hope this question is going to the right list.  Please let me know if
> there is a more appropriate list it should go to.
> 
> I have installed FreeBSD 4.9 and have configured it as an IPv6 router.
> I captured some of the packets sent by rtadvd and found
> what appeared to be corrupt frames.  The output shown below is from
> ethereal but tcpdump and snort show the same patterns.
> 
> The detail from Frame 4 below is actually the same as the last 64 bytes
> of Frame 5 and this pattern is repeated, with each RA that is sent by 
> rtadvd being preceded by the 64-byte 'fragment' which is misinterpreted 
> as a Fiber Channel frame.
> 
> I found a reference to a problem with the way mbufs are handled by
> various NICs so tried three different cards using the
> xl0, rl0 and fxp0 drivers and found the same behaviour in each case.
> 
> The original IPv6 software has been replaced with the latest
> KAME snap available for FreeBSD 4.9 with no change.
> 
> I have been unable to find a reference to this behavior in the FAQs or
> lists.  Any help explaining what is going on here will be appreciated.
> 
> Ken
> ***************************************************************************** 
> 
> Machine Specs:
> Intel P150, 32 MB RAM, 40 GB HDD
> NICs - xl0 - 3COM 3C905B, fxp0 - Intel Pro100 S, rl0 - $15 generic NIC 
> with RealTek chipset rebadged as a 'Dolphin' brand card.
> 
> No.  Time       Source                    Destination  Protocol  Info
> 1    0.000000   fe80::210:5aff:fe77:e85c  ff02::2      ICMPv6    Multicast listener done
> 2    2.879182   fe80::210:5aff:fe77:e85c  ff02::2      ICMPv6    Multicast listener report
> 3    11.038023  fe80::210:5aff:fe77:e85c  ff02::2      ICMPv6    Multicast listener report
> 4    18.888487  00.00.00                  00.00.00     FC        Unknown frame
> 5    18.888545  fe80::210:5aff:fe77:e85c  ff02::1      ICMPv6    Router advertisement
> 6    34.898863  00.00.00                  00.00.00     FC        Unknown frame
> 7    34.898944  fe80::210:5aff:fe77:e85c  ff02::1      ICMPv6    Router advertisement
> 
> Frame Detail
> ------------
> Frame 4
> 0000  60 00 00 00 00 18 3a ff  fe 80 00 00 00 00 00 00
> 0010  02 10 5a ff fe 77 e8 5c  ff 02 00 00 00 00 00 00
> 0020  00 00 00 00 00 00 00 01  86 00 ad 56 40 00 07 08
> 0030  00 00 00 00 00 00 00 00  01 01 00 10 5a 77 e8 5c
> 
> Frame 5
> 
> 0000  33 33 00 00 00 01 00 10  5a 77 e8 5c 86 dd 60 00
> 0010  00 00 00 18 3a ff fe 80  00 00 00 00 00 00 02 10
> 0020  5a ff fe 77 e8 5c ff 02  00 00 00 00 00 00 00 00
> 0030  00 00 00 00 00 01 86 00  ad 56 40 00 07 08 00 00
> 0040  00 00 00 00 00 00 01 01  00 10 5a 77 e8 5c
> 

-- 
Ken Tollefson
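
Added example (not part of the original post): a Python check of the observation in the quoted message that Frame 4 is the same as the last 64 bytes of Frame 5. It uses the two hex dumps as posted; the helper names `to_bytes`, `parse_ipv6` and `headerless_duplicate` are made up for this illustration.

```python
import struct
import ipaddress

# Hex dumps copied from the Frame 4 / Frame 5 detail in the quoted message.
FRAME4_HEX = """
60 00 00 00 00 18 3a ff  fe 80 00 00 00 00 00 00
02 10 5a ff fe 77 e8 5c  ff 02 00 00 00 00 00 00
00 00 00 00 00 00 00 01  86 00 ad 56 40 00 07 08
00 00 00 00 00 00 00 00  01 01 00 10 5a 77 e8 5c
"""
FRAME5_HEX = """
33 33 00 00 00 01 00 10  5a 77 e8 5c 86 dd 60 00
00 00 00 18 3a ff fe 80  00 00 00 00 00 00 02 10
5a ff fe 77 e8 5c ff 02  00 00 00 00 00 00 00 00
00 00 00 00 00 01 86 00  ad 56 40 00 07 08 00 00
00 00 00 00 00 00 01 01  00 10 5a 77 e8 5c
"""
ETH_HDR_LEN, ETHERTYPE_IPV6, IPPROTO_ICMPV6 = 14, 0x86DD, 58

def to_bytes(dump):
    return bytes.fromhex("".join(dump.split()))

def parse_ipv6(pkt):
    """Decode the fixed 40-byte IPv6 header plus the ICMPv6 type byte, if any."""
    vtf, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    return {
        "version": vtf >> 28,
        "payload_len": plen,
        "next_header": nxt,
        "hop_limit": hlim,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
        "icmp6_type": pkt[40] if nxt == IPPROTO_ICMPV6 and len(pkt) > 40 else None,
    }

def headerless_duplicate(prev, frame):
    """True if prev equals frame minus its Ethernet header and is a complete IPv6 packet."""
    if len(frame) <= ETH_HDR_LEN or len(prev) < 40:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV6 or prev != frame[ETH_HDR_LEN:]:
        return False
    hdr = parse_ipv6(prev)
    return hdr["version"] == 6 and 40 + hdr["payload_len"] == len(prev)

frame4, frame5 = to_bytes(FRAME4_HEX), to_bytes(FRAME5_HEX)
if __name__ == "__main__":
    print(headerless_duplicate(frame4, frame5), parse_ipv6(frame4))
```

Run on these dumps, the check is true: Frame 4 is a complete 64-byte IPv6 Router Advertisement from fe80::210:5aff:fe77:e85c to ff02::1 with no Ethernet header in front of it.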

