Bug #823

closed

Sending packet failed on socket 5: Message too long

Added by Laszlo Madarassy over 11 years ago. Updated about 11 years ago.

Status: Closed
Priority: Normal
Target version: -

Description

Hi,

A new bug (or problem) again:
These errors are displayed on suricata console when traffic goes to the monitored interface:
[5522] 12/6/2013 -- 16:04:15 - (source-af-packet.c:645) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 5: Message too long
[5522] 12/6/2013 -- 16:04:15 - (tmqh-packetpool.c:280) <Warning> (TmqhOutputPacketpool) -- [ERRCODE: SC_ERR_INVALID_ACTION(142)] - Unable to release packet data

Config:
%YAML 1.1
---

outputs:

af-packet:
  - interface: eth1
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    checksum-checks: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth2
  - interface: eth2
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    checksum-checks: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth1

default-rule-path: /etc/suricata/rules
rule-files:
  - mini.rule

action-order:
  - pass
  - drop
  - reject
  - alert

Suricata version: latest 1.4-dev from git
MTU is 1500 on both interfaces.
Some traffic is going through, but I don't know what is dropped.

Laszlo



Actions #1

Updated by Eric Leblond over 11 years ago

Hello, this is a duplicate of #812.

Please try with defrag set to no and disable GRO and other offloading things if needed.

Actions #2

Updated by Laszlo Madarassy over 11 years ago

Eric Leblond wrote:

Hello, this is a duplicate of #812.

Please try with defrag set to no and disable GRO and other offloading things if needed.

I set defrag to no, but the result is the same.

Actions #3

Updated by Eric Leblond over 11 years ago

I've tried to reproduce the issue without success. Can you apply the attached patch to your suricata and run some tests? This should display info about the dropped packet.

Actions #4

Updated by Laszlo Madarassy over 11 years ago

Eric Leblond wrote:

I've tried to reproduce the issue without success. Can you apply the attached patch to your suricata and run some tests? This should display info about the dropped packet.

I have applied the patch and saved the output. It seems an IPv6 packet causes the problem.
You can download the full log from here:
http://mik.bme.hu/~lmadarassy/suricata/suricata.log
I have sent this traffic to suricata:
http://mik.bme.hu/~lmadarassy/suricata/eth1.cap

Laszlo

Actions #5

Updated by Eric Leblond over 11 years ago

  • Assignee set to Eric Leblond

The decoding of the hexdump in scapy gives some interesting results. This is a packet from vmware to cisco and it is IPv4/TCP. As everything is coherent when compared to information found in the pcap file, we can conclude we have something weird here.

Among the weirdness, and I think as mentioned by Laszlo before, the announced IP packet length is 1648 (and the DF flag is set). This is kind of strange for an interface with an MTU of 1500 (if I'm correct). Laszlo, can you confirm we have MTU set to 1500 and that all GRO, GSO are disabled on the capture interface?

Here's the packet print in scapy:

<Ether  dst=00:50:56:a7:5d:ad src=00:18:b9:4e:1e:1b type=IPv4 |<IP  version=4L ihl=5L tos=0x0 len=1648 id=20583 flags=DF frag=0L ttl=118 proto=tcp chksum=0x7747 src=188.36.159.9 dst=192.168.27.3 options=[] |<TCP  sport=26461 dport=27230 seq=3248517057 ack=2608885882 dataofs=5L reserved=0L flags=A window=257 chksum=0x3d3c urgptr=0 options=[] |<Raw  load=[payload bytes omitted] |>>>>

Actions #6

Updated by Laszlo Madarassy over 11 years ago

Eric Leblond wrote:
Laszlo, can you confirm we have MTU set to 1500 and that all GRO, GSO are disabled on the capture interface?

Yes, both MTUs are 1500:
eth1 Link encap:Ethernet HWaddr 00:50:56:a7:5d:ad
inet6 addr: fe80::250:56ff:fea7:5dad/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14276297388 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9748750595274 (8.8 TiB) TX bytes:708 (708.0 B)

eth2 Link encap:Ethernet HWaddr 00:50:56:a7:4e:04
inet6 addr: fe80::250:56ff:fea7:4e04/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:254792 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:240 (240.0 B) TX bytes:43081568 (41.0 MiB)

This is a vmware esxi 5.1 virtual machine. I haven't set any offloading on the interfaces:
ethtool eth1
Settings for eth1:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: off
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes

ethtool eth2
Settings for eth2:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: off
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes

[ 1.808139] e1000 0000:02:01.0 eth1: (PCI:66MHz:32-bit) 00:50:56:a7:5d:ad
[ 1.808144] e1000 0000:02:01.0 eth1: Intel(R) PRO/1000 Network Connection
[ 2.167533] e1000 0000:02:03.0 eth2: (PCI:66MHz:32-bit) 00:50:56:a7:4e:04
[ 2.167537] e1000 0000:02:03.0 eth2: Intel(R) PRO/1000 Network Connection
[ 8.547215] e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[ 8.726922] e1000: eth2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None

Actions #7

Updated by Dave Crawford over 11 years ago

I've duplicated this behavior in a Debian guest on ESXi 5.1 connected to a Cisco 2970. The fix is to disable generic-receive-offload (GRO) on the two interfaces that af_packet is copying between:

ethtool -K eth1 gro off
ethtool -K eth2 gro off

-Dave
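
A preflight check for the fix described above, as an added example that is not part of the original thread or of Suricata: it parses `ethtool -k` output and reports offloads that are still enabled on each interface of the copy pair. The function names and the sample `ethtool -k` output are constructed for illustration; the watch list is GRO and GSO as named in the thread plus their LRO/TSO counterparts, which is an assumption of this example.

```bash
#!/bin/sh
# Preflight for an AF_PACKET IPS pair: report offloads still enabled on the
# interfaces Suricata copies between (added example, not project code).

# Long feature names as printed by `ethtool -k`. GRO and GSO are the ones
# named in the thread; LRO and TSO are added here as an assumption.
WATCHED_OFFLOADS="generic-receive-offload large-receive-offload tcp-segmentation-offload generic-segmentation-offload"

# Read `ethtool -k <iface>` output on stdin and print every watched offload
# whose state is "on". A trailing "[fixed]" marker is ignored.
enabled_offloads() {
    awk -v want="$WATCHED_OFFLOADS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        {
            name = $1
            sub(/:$/, "", name)
            if ((name in watch) && $2 == "on") print name
        }'
}

# Check one interface: 0 = clean, 1 = offload still on, 2 = could not query.
check_iface() {
    ci_out=$(ethtool -k "$1" 2>/dev/null) || {
        printf '%s: cannot query offload settings\n' "$1"
        return 2
    }
    ci_on=$(printf '%s\n' "$ci_out" | enabled_offloads | tr '\n' ' ')
    if [ -n "$ci_on" ]; then
        printf '%s: still enabled: %s\n' "$1" "$ci_on"
        return 1
    fi
    printf '%s: ok\n' "$1"
}

# Constructed sample of `ethtool -k` output for trying the parser offline.
sample_ethtool_k() {
    cat <<'EOF'
Features for eth1:
rx-checksumming: on
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
EOF
}

# Usage: sh check-offload.sh eth1 eth2
if [ "$#" -gt 0 ]; then
    rc=0
    for iface in "$@"; do
        check_iface "$iface" || rc=1
    done
    exit "$rc"
fi
```

Run it against both `interface` and `copy-iface` before starting Suricata in `copy-mode: ips`; a non-zero exit means at least one interface still needs `ethtool -K <iface> gro off` or could not be queried.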

Actions #8

Updated by Eric Leblond about 11 years ago

  • Status changed from New to Resolved

I've updated Common_Errors to state that GRO needs to be deactivated when AF_PACKET IPS is used.

Actions #9

Updated by Victor Julien about 11 years ago

  • Status changed from Resolved to Closed