tcpdump :truncated-ip - 40898 bytes missi... What does this mean


Post by Dmitri Barsouko » Thu, 28 Oct 1999 04:00:00



Hello,

I use AVM !Fritz PCI ISDN card when snooping the interface (ippp0), I
have a lot of similar messages. What does this mean?

# tcpdump -i ippp0

.....

23:42:06.922683 truncated-ip - 40898 bytes missing!0.52.120.213 >
64.0.64.6: ip-proto-0 40960 [ttl 0]

...

Thanks,

Dmitri

 
 
 


Post by Mike Pella » Fri, 29 Oct 1999 04:00:00


On Wed, 27 Oct 1999 23:30:24 +0100, Dmitri Barsoukov


>Hello,

>I use AVM !Fritz PCI ISDN card when snooping the interface (ippp0), I
>have a lot of similar messages. What does this mean?

[ snip ]

It means that tcpdump doesn't work properly on ppp interfaces. The
encapsulation is different from that on an ethernet interface.

It's much the same if you run it on a token ring i/f.

--
Mike Pellatt

 
 
 


Post by Dmitri Barsouko » Fri, 29 Oct 1999 04:00:00



> On Wed, 27 Oct 1999 23:30:24 +0100, Dmitri Barsoukov

> >Hello,

> >I use AVM !Fritz PCI ISDN card when snooping the interface (ippp0), I
> >have a lot of similar messages. What does this mean?

> [ snip ]

> It means that tcpdump doesn't work properly on ppp interfaces. The
> encapsulation is different from that on an ethernet interface.

> It's much the same if you run it on a token ring i/f.

> --
> Mike Pellatt

Thanks, Mike

Are there any tools available to snoop the (i)ppp# interface? Will pppd
debug be the right tool? The problem is that my ISDN connection degrades
after some time and even pinging the ippp0 peer becomes impossible and I
need to restart isdn4linux. BT, my telco, and my ISP both claim there is
no fault on their parts.

Dmitri

 
 
 


Post by Mark Evan » Sun, 31 Oct 1999 04:00:00



> On Wed, 27 Oct 1999 23:30:24 +0100, Dmitri Barsoukov

>>Hello,

>>I use AVM !Fritz PCI ISDN card when snooping the interface (ippp0), I
>>have a lot of similar messages. What does this mean?
> [ snip ]
> It means that tcpdump doesn't work properly on ppp interfaces. The
> encapsulation is different from that on an ethernet interface.

It does work on ordinary PPP, however it appears confused by the
HDLC used in SyncPPP.
 
 
 


Post by Joachim Ot » Sun, 14 Nov 1999 04:00:00





> > On Wed, 27 Oct 1999 23:30:24 +0100, Dmitri Barsoukov

> >>Hello,

> >>I use AVM !Fritz PCI ISDN card when snooping the interface (ippp0), I
> >>have a lot of similar messages. What does this mean?

> > [ snip ]

> > It means that tcpdump doesn't work properly on ppp interfaces. The
> > encapsulation is different from that on an ethernet interface.

> It does work on ordinary PPP, however it appears confused by the
> HDLC used in SyncPPP.

I have the same problem, but I don't think tcpdump has a problem.
I can see how the isdn-connection is "stuck" from time to time.
This is what I found in the tcpdump-trace of ippp0:


                         ebab 0060 0820 d9ac 0800 4500 0105 2a4f
                         0000 3e11 b047 c0a8 2001 c0a8 ffff 008a
                         008a 00f1 2734 110a 665c c0a8 2001 008a
                         00e9 0000 2045 4c46 4345 4245 4f44 4543
                         4143 4143

                         ebab 0060 0820 d9ac 0800 4500 0105 2a4f
                         0000 3e11 b047 c0a8 2001 c0a8 ffff 008a
                         008a 00f1 2734 110a 665c c0a8 2001 008a
                         00e9 0000 2045 4c46 4345 4245 4f44 4543
                         4143 4143

[ttl 0]
                         ebab 0060 0820 ff03 0021 4500 0105 2a4f
                         0000 3e11 b047 c0a8 2001 c0a8 ffff 008a
                         008a 00f1 2734 110a 665c c0a8 2001 008a
                         00e9 0000 2045 4c46 4345 4245 4f44 4543
                         4143 4143

and the interfaces used elsewhere:
relais (192.168.31.3) at 00:60:08:20:D9:AC [ether] on eth0
eth0      Link encap:Ethernet  HWaddr 00:60:8C:51:EB:AB

The data in the beginning of the packet is a part of an old
MAC-header of a packet that was from "relais" to eth0.

dst  src            proto IP-header
ebab 0060 0820 d9ac 0800 4500 0105 2a4f

The data after the "old partial" MAC-header are the data
that were supposed to be sent via ippp0.

And in the 3rd packet:
               ???? ????
ebab 0060 0820 ff03 0021 4500 0105 2a4f

The sequence ff03 0021 is also seen a lot of times. I know this sequence
from somewhere, but I can't remember right now.

Anyway, when the IP-headers are wrong, they're always off
by 10 bytes. Could it be that someone does a "memcpy (to + offset, .."
and doesn't make sure that offset is zero?


 
 
 

1. IP truncated-ip - 4 bytes missing!

We are not able to reach the homepage http://www.citibank.de.
The TCP SYN is answered from www.citibank.de with a TCP SYN ACK.
This TCP SYN ACK is malformed.
tcpdump says: "IP truncated-ip - 4 bytes missing!" with a window size of
0 and missing mss.
ethereal says: "[Malformed Packet: TCP]" with incorrect checksum.

This TCP SYN ACK is not forwarded to the PC which requested the connection.

We are using a linux router with Suse 9.1 on a x86.
The uplink to the internet is ADSL with PPPoE. The server uses NAT for IP
address masquerading. The Suse Firewall is also active.

Everything works fine except the connections to www.citibank.de.

The only one - I found at the Web - who had the same problems, uses a
FritzBox. But after a firmware update, it worked for him.

Are there any statistics, where the drops are counted?
ip -s link and ifstats are without errors.

Regards,
Thomas
