Bug #823: Sending packet failed on socket 5: Message too long - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #823

closed

Sending packet failed on socket 5: Message too long

Added by Laszlo Madarassy almost 11 years ago. Updated over 10 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Eric Leblond

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

Hi,

A new bug (or problem) again:
These errors are displayed on suricata console when traffic goes to the monitored interface:
[5522] 12/6/2013 -- 16:04:15 - (source-af-packet.c:645) <Warning> (AFPWritePacket) -- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 5: Message too long
[5522] 12/6/2013 -- 16:04:15 - (tmqh-packetpool.c:280) <Warning> (TmqhOutputPacketpool) -- [ERRCODE: SC_ERR_INVALID_ACTION(142)] - Unable to release packet data

Config:
%YAML 1.1
---

outputs:

af-packet:
- interface: eth1
threads: 1
cluster-id: 99
cluster-type: cluster_flow
defrag: yes
checksum-checks: yes
use-mmap: yes
copy-mode: ips
copy-iface: eth2
- interface: eth2
threads: 1
cluster-id: 98
cluster-type: cluster_flow
defrag: yes
checksum-checks: yes
use-mmap: yes
copy-mode: ips
copy-iface: eth1

default-rule-path: /etc/suricata/rules
rule-files:
- mini.rule

action-order:
- pass
- drop
- reject
- alert

Suricata version: latest 1.4-dev from git
MTU is 1500 on both interfaces.
Some traffic is going through, but I don't know what is dropped.

Laszlo

Files

0001-debug-display-invalid-packet.patch (1.8 KB) 0001-debug-display-invalid-packet.patch

Eric Leblond, 06/14/2013 10:15 AM

Actions

Copy link

Updated by Eric Leblond almost 11 years ago

Hello this is a duplicate of #812.

Please try with defrag set to no and disable GRO and other off loading things if needed.

Actions

Copy link

Updated by Laszlo Madarassy almost 11 years ago

Eric Leblond wrote:

Hello this is a duplicate of #812.

Please try with defrag set to no and disable GRO and other off loading things if needed.

I set defrag to no, but the result is the same.

Actions

Copy link

Updated by Eric Leblond almost 11 years ago

File 0001-debug-display-invalid-packet.patch 0001-debug-display-invalid-packet.patch added

I've tried to reproduce the issue without success. Can you apply the attached patch to your suricata and run some tests ? This should displays info about the dropped packet.

Actions

Copy link

Updated by Laszlo Madarassy almost 11 years ago

Eric Leblond wrote:

I've tried to reproduce the issue without success. Can you apply the attached patch to your suricata and run some tests ? This should displays info about the dropped packet.

I have applied the patch and saved the output. It seems an ipv6 packet causes the problem.
You can download the full log from here:
http://mik.bme.hu/~lmadarassy/suricata/suricata.log
I have sent this traffic to suricata:
http://mik.bme.hu/~lmadarassy/suricata/eth1.cap

Laszlo

Actions

Copy link

Updated by Eric Leblond almost 11 years ago

Assignee set to Eric Leblond

The decoding of hexdump in scapy gives some interesting result. This is a packet from vmware to cisco and it is IPv4/TCP. As everything is coherent when compared to information found in the pca file, we can conclude we have something weird here.

Among the weirdness and I think as mentioned by Laszlo before the announced IP packet length is 1648 (anf DF flags is set). This is kind of strange for an interface with a MTU of 1500 (if I'm correct). Laszlo can you confirm we have MTU set to 1500 and that all GRO, GSO are disabled on the capture interface ?

Here's the packet print in scapy:

<Ether  dst=00:50:56:a7:5d:ad src=00:18:b9:4e:1e:1b type=IPv4 |<IP  version=4L ihl=5L tos=0x0 len=1648 id=20583 flags=DF frag=0L ttl=118 proto=tcp chksum=0x7747 src=188.36.159.9 dst=192.168.27.3 options=[] |<TCP  sport=26461 dport=27230 seq=3248517057 ack=2608885882 dataofs=5L reserved=0L flags=A window=257 chksum=0x3d3c urgptr=0 options=[] |<Raw  load='\xc3G\xc5\xde\xe7-\x87\x82\x10 \xca\xadW/K(T];\x0f\t\x02M\x1e\x0f\x923%\xb7H\x95+\x98\xaa\xc8\x065\xe5\xfa\n9I@S\x90\xc0\xf0\x10+\xfe\x83`\x96\xa4J\xbf\xa5\xea\xbf\xbf\x98 Ya\x80\x85\x02\x18\xfb\xea\x95\x17\x82\x1c\x90\xbeL.\xbe\x9e\xfdV\x9a\xdf\xe8\x12\x00\x80x\x08\x14\xc1\x82\x18\xf8\x03\x81\xbc$\xfc\xbe\x00j\xb0A\x1f\x893\xcaB\x14\x12?\xe2\xef\x01B\xf1\xd6\xfe-\x1e\x0f\x01\x01\xc8\x06\x03j\x89K\xc7\xca\x95\x17d\xbf\xf5\x94\xbe\xfc\x0cI\xcf\xc9\xf5\xf03\xf7\x8b\x87\x93e\x93f\xe5\xb5\xb8\x98L\rB\x18\xfdR\xb5J\xaf\xe2\xbd\xf76I\xd8\xb6\xd65\xa3 S\xfas\xf9g\xdb\x88\x0f\x89S\xd2\xe1quR%\x8f\xc7J\xa5W=K\xff\x04I\xcd\x1a\\\xbf\xf7\xbe>V%\x04/\xab\xa0p\x10\xed\xfc\xf7\xa0\x8f\xff\xc8;\xb9\x1a\xf6u\xe3\xef\x03\x17\t\x10H\xb5X\x97\xe0\x82\x08C\xfb\x82Iz\xa0B\xf5\x8a\xd9\x12\x95yD\x1fO\xde\xa8\xeb\xf7?\xb7\x9b&Ssrv\xe6\xa7\x9a\xf0)\xa3\xb3\xf4\x12=\xf9@7\x85\xe1\x0c\xbb\xe1\x03%U>\\\x08W\xe9\xf2\x81\xfd\xad\xa8\xb30\x94\x10\x04\xbf\te\xc0\x1fG\xff\xf4\xfe\xc9\x15\x97_\xd8\xaa%\xb0F^\x9d\x08E\xfe\x85\xea@\xf0\x95\xf1\xfa\xbf`(\x82\x10\xfb/\xd4\xdciT\x88\xedx@Q-R\xaf\xc2]\xcc\xcfJ#\x7fDU\x1b\xb8\xce\x06j\xda\x8b\x16\x98\xf6m\x96\xf7\r\x01J\xbe\xe6Q\xf7\xcb\xd5\xc1)H\x90\xa0!\xfez\x0f\x15A\xfe*\xfdL^\xaf\x99\x00\xca\xcd\x1f\x08C\xf0e4}\x83\xe5\n\x84\xb5y/\xf8\xaf\xc3\xed\x11\xff\x95@\xf7;<\xd6\xbdU\x96\xcb\xb6\x95=\x9e]\xdc\\\xa1\x81\xab\ra\xb0)\x9b\x96\xeb\xe9\xec.\x85\xd3\x99\xec\x96I.\xb3\xf5\xb6\xd3\xb2E\x12M\xbc\x8d\xdb\xda\x9d\xe0\xc2P5\x06\x1f\x97\x04\n^%{A\xb7\xd2\xdf\xab/\x9fT\x10\x0b\xbd\x1b\xff\xd5\xe2\x92\xfc\x03\x05\xd3\xa4\xe0\xc1\x00\x03\x81\x84\x95BL\xf3\x7fS\xb0\x14#\xc8%\t\x03\xd0e\x84\x8f+\xf8\x1f\xfe/Q\x93l\x8a\xb1\xa8b\xc8\xad\\\xfd\xca\xbd\xd8l\x05p\xf1  \x048\x10\xc4\xa0P\xf9P\x96\xa9U\xff\xe7\xa0\x96]\xf1\xf7\xff\x97\x14\xc5_\x1d\xcf|D\xb6M\x87b\x8f\xb3\xeb8g\x97;v\xb5\xb9\x83.\xcdk#\x11\xb1\x9b\xed\xd4\xd2\x99\xc7\xa6\xd8\xd9\x95\x1b\xb8\xc3k\xd1Vu\xd5N\xb1l\xf3y\xcd\x1c\x91\x00\xa77\xc3\xcd\xfc[\t\xe2\xf8\x8e\x94\x06JE=\x91\xc7:\xf0\x14\xce\xecQ\xa2/\xe6.qW\'\xf0\x0br\x90\x17xu?k#Q(\xbb3{\xb7\xfb=i\x85Jh\xb2\xe6\x1f\nx\x95\x82:\xc1X\xfb\x87\x87\xd6\xc5uKQ\xab\x17\xae.\xac\xe2B)\xe0\x9f\xe1 \x14\xeb\xae\xaa\xb9in\xd2a\xf7\xf5fi\xffA\xe3\x15\x83\xa5\xd2\xdc\x99\xc6\xe3\\F-\xf3b\xc5c\x10)\xaa\xb5\x17\xbe\xdcJ\xd5\'\xd2\xff\xef*c\x92~\x0e\x9b\xf7\xa4@\xf8%\xfb\x998\xd2\xe7i\x127\x03\x1c\xf2\xc0\xbf8o\x06\x91j(p\nc\x7f\xf9\xe9>\xa3\xebm\x15I\xfdV\x90u\xd2j\xa7\xd4u\x93\xf8\xbc\x0f\x896I\xb6\xd8\xd2\xe2\xc9\xfe\x88\xd9\xc21x\x14\xfa\x9c\xbe\xfa\\R\x9f\xf2F\x83Gz\xe8\xe7!5S(|\x91\xea\xaf\xec\x9f\x9d\xdbW`-U\x7f3\x88\x19%\xfc8\x02\x9c\x8b$\xc1\x8d\xaa>K\xff0\xaa\xea\xf4\x97\xcc\xdcs\x8c\x853\xa9\x7f\xfb=\x82\xbcUAC\x07c\xcbX\x11q\x9cZ\x92\xf8\xbc\x03\xe8\x07\x0f\xbe%\xe7d\xe1 <\x04\x0e"@<\x07\xf8\xffK\xf64\xf4\xb0\x0e+\xfa\x99\xe99)\x90)\x84\x15n\xda\xba;Wk\x95\xc5\x03S\xc3\xb7\x9c\x1f\xf9\\\x99\x18\x84\x80S\x18\x17\x9c,\x06@\xb1\\K\xaa\xe7\xe4\x9e\xb2^<\x18 \x8f\xa0\xe9N\x9d/\x08\n-\xf5\x12z\x93\x94kB\x00 \xf8\x03\xc1\xbc$\xfcJ\xed\x9e\xbeO?\xfeG\x97\xfa\x7f\xd7\xae\x00\xe0\x0f\xf4\xf7\xf0\xbb\xeaU~\xc9s5\xc1L\xea\x08 \xdf\x1f\x83h\x07\xfeJ\r\xc0\x85\xff\xaaT\x9d[J\xd5\x94B@a,\x10*\xaf\tj\xaf\xf7%\x96\xe320C|\xe0x\x0f\xedA\xbc\x08\x16g\xd5+.\xf9~{\x157\x83\xf5`k\xc9\xef\xa6\xff\xec8\xb8\x7f\xfe=D\x85\xca\xa4b8\n~*\x8b\x07\x80\xfd\xa4J\x1f\xaa\x08~S\xf5S%\x03\xba\xddW@\xd1t\x039\x1b0\x0f\x01\xfdH<\x07\xf9%\xffS=\xde3\xa0\xc6U+\x97\xd7\xf3\xea\xa8!\x97g\xafqH\x97Dux\xc4\x8dy!,O[\x01\xc1\x00|]}t\xda\xa2\xefzQ\xeb\x80.\x02\xab\x98\x8eK\x06\x1c\x94gEY\x95?U;\xbd5\x94D\xda\x8a\xaf\x02\x84\xc6\xc8\xa0\xcb\x86\xc5\x0f\xd2\xc9\xbb\xde\xa1\xb6\xc9\x0e\x07u\x9dL\xd7$\x90\xde\xf3\xbd\xce-\xa8*\xe8\x86G\x9aIoE\xc10S\xbc\xdbz\xa2*Z2C\x04\xec\x9b7%\xc1\x13\xadn\x9b\x87\x82\x9b]\xe14;\xe6^\xc0:\'\xba\x85\xe7\xc2\x9e\x19y9\xef<\x02\xba\xc8.\x15<\x059\xfe\xb8\xf0x\x08\x17A\xe0?\xb5\xf05/\x08R\t@\xcd\x17O\xdbee9\x13\x87\xca\xcb\xa0\x96\xab\xe5\xdfk\xf2\xba\xb3\xac\x8dG\x94\x0f+\x8a\xf2S\xc1KGA\x981x7\xcb\x84\xa1 \x10D\x92\xe5W|\xa9]\xf4 \x9eV\xa6i\x15\xc6X\xb3a\x10S\xce\xbb\xc2\xdc\x98I\xc3\xf3\\\x14\x8c\xa0\x12\x0f\x01\x01\xb85\xaa\x15\xcf{\x92\x9b\x06\x12\x01\x05Wc\xfc\xafTp\x86\xf9\xb8|\n9\xdb\x1f\x07\x80\x80\xfc\x03?\x9fN\xf0`\x80%\t\x1eS?\x86\x8e\xaa.\x99\x1fU\xddx9\x07$' |>>>><Ether  dst=00:50:56:a7:5d:ad src=00:18:b9:4e:1e:1b type=IPv4 |<IP  version=4L ihl=5L tos=0x0 len=1648 id=20583 flags=DF frag=0L ttl=118 proto=tcp chksum=0x7747 src=188.36.159.9 dst=192.168.27.3 options=[] |<TCP  sport=26461 dport=27230 seq=3248517057 ack=2608885882 dataofs=5L reserved=0L flags=A window=257 chksum=0x3d3c urgptr=0 options=[] |<Raw  load='\xc3G\xc5\xde\xe7-\x87\x82\x10 \xca\xadW/K(T];\x0f\t\x02M\x1e\x0f\x923%\xb7H\x95+\x98\xaa\xc8\x065\xe5\xfa\n9I@S\x90\xc0\xf0\x10+\xfe\x83`\x96\xa4J\xbf\xa5\xea\xbf\xbf\x98 Ya\x80\x85\x02\x18\xfb\xea\x95\x17\x82\x1c\x90\xbeL.\xbe\x9e\xfdV\x9a\xdf\xe8\x12\x00\x80x\x08\x14\xc1\x82\x18\xf8\x03\x81\xbc$\xfc\xbe\x00j\xb0A\x1f\x893\xcaB\x14\x12?\xe2\xef\x01B\xf1\xd6\xfe-\x1e\x0f\x01\x01\xc8\x06\x03j\x89K\xc7\xca\x95\x17d\xbf\xf5\x94\xbe\xfc\x0cI\xcf\xc9\xf5\xf03\xf7\x8b\x87\x93e\x93f\xe5\xb5\xb8\x98L\rB\x18\xfdR\xb5J\xaf\xe2\xbd\xf76I\xd8\xb6\xd65\xa3 S\xfas\xf9g\xdb\x88\x0f\x89S\xd2\xe1quR%\x8f\xc7J\xa5W=K\xff\x04I\xcd\x1a\\\xbf\xf7\xbe>V%\x04/\xab\xa0p\x10\xed\xfc\xf7\xa0\x8f\xff\xc8;\xb9\x1a\xf6u\xe3\xef\x03\x17\t\x10H\xb5X\x97\xe0\x82\x08C\xfb\x82Iz\xa0B\xf5\x8a\xd9\x12\x95yD\x1fO\xde\xa8\xeb\xf7?\xb7\x9b&Ssrv\xe6\xa7\x9a\xf0)\xa3\xb3\xf4\x12=\xf9@7\x85\xe1\x0c\xbb\xe1\x03%U>\\\x08W\xe9\xf2\x81\xfd\xad\xa8\xb30\x94\x10\x04\xbf\te\xc0\x1fG\xff\xf4\xfe\xc9\x15\x97_\xd8\xaa%\xb0F^\x9d\x08E\xfe\x85\xea@\xf0\x95\xf1\xfa\xbf`(\x82\x10\xfb/\xd4\xdciT\x88\xedx@Q-R\xaf\xc2]\xcc\xcfJ#\x7fDU\x1b\xb8\xce\x06j\xda\x8b\x16\x98\xf6m\x96\xf7\r\x01J\xbe\xe6Q\xf7\xcb\xd5\xc1)H\x90\xa0!\xfez\x0f\x15A\xfe*\xfdL^\xaf\x99\x00\xca\xcd\x1f\x08C\xf0e4}\x83\xe5\n\x84\xb5y/\xf8\xaf\xc3\xed\x11\xff\x95@\xf7;<\xd6\xbdU\x96\xcb\xb6\x95=\x9e]\xdc\\\xa1\x81\xab\ra\xb0)\x9b\x96\xeb\xe9\xec.\x85\xd3\x99\xec\x96I.\xb3\xf5\xb6\xd3\xb2E\x12M\xbc\x8d\xdb\xda\x9d\xe0\xc2P5\x06\x1f\x97\x04\n^%{A\xb7\xd2\xdf\xab/\x9fT\x10\x0b\xbd\x1b\xff\xd5\xe2\x92\xfc\x03\x05\xd3\xa4\xe0\xc1\x00\x03\x81\x84\x95BL\xf3\x7fS\xb0\x14#\xc8%\t\x03\xd0e\x84\x8f+\xf8\x1f\xfe/Q\x93l\x8a\xb1\xa8b\xc8\xad\\\xfd\xca\xbd\xd8l\x05p\xf1  \x048\x10\xc4\xa0P\xf9P\x96\xa9U\xff\xe7\xa0\x96]\xf1\xf7\xff\x97\x14\xc5_\x1d\xcf|D\xb6M\x87b\x8f\xb3\xeb8g\x97;v\xb5\xb9\x83.\xcdk#\x11\xb1\x9b\xed\xd4\xd2\x99\xc7\xa6\xd8\xd9\x95\x1b\xb8\xc3k\xd1Vu\xd5N\xb1l\xf3y\xcd\x1c\x91\x00\xa77\xc3\xcd\xfc[\t\xe2\xf8\x8e\x94\x06JE=\x91\xc7:\xf0\x14\xce\xecQ\xa2/\xe6.qW\'\xf0\x0br\x90\x17xu?k#Q(\xbb3{\xb7\xfb=i\x85Jh\xb2\xe6\x1f\nx\x95\x82:\xc1X\xfb\x87\x87\xd6\xc5uKQ\xab\x17\xae.\xac\xe2B)\xe0\x9f\xe1 \x14\xeb\xae\xaa\xb9in\xd2a\xf7\xf5fi\xffA\xe3\x15\x83\xa5\xd2\xdc\x99\xc6\xe3\\F-\xf3b\xc5c\x10)\xaa\xb5\x17\xbe\xdcJ\xd5\'\xd2\xff\xef*c\x92~\x0e\x9b\xf7\xa4@\xf8%\xfb\x998\xd2\xe7i\x127\x03\x1c\xf2\xc0\xbf8o\x06\x91j(p\nc\x7f\xf9\xe9>\xa3\xebm\x15I\xfdV\x90u\xd2j\xa7\xd4u\x93\xf8\xbc\x0f\x896I\xb6\xd8\xd2\xe2\xc9\xfe\x88\xd9\xc21x\x14\xfa\x9c\xbe\xfa\\R\x9f\xf2F\x83Gz\xe8\xe7!5S(|\x91\xea\xaf\xec\x9f\x9d\xdbW`-U\x7f3\x88\x19%\xfc8\x02\x9c\x8b$\xc1\x8d\xaa>K\xff0\xaa\xea\xf4\x97\xcc\xdcs\x8c\x853\xa9\x7f\xfb=\x82\xbcUAC\x07c\xcbX\x11q\x9cZ\x92\xf8\xbc\x03\xe8\x07\x0f\xbe%\xe7d\xe1 <\x04\x0e"@<\x07\xf8\xffK\xf64\xf4\xb0\x0e+\xfa\x99\xe99)\x90)\x84\x15n\xda\xba;Wk\x95\xc5\x03S\xc3\xb7\x9c\x1f\xf9\\\x99\x18\x84\x80S\x18\x17\x9c,\x06@\xb1\\K\xaa\xe7\xe4\x9e\xb2^<\x18 \x8f\xa0\xe9N\x9d/\x08\n-\xf5\x12z\x93\x94kB\x00 \xf8\x03\xc1\xbc$\xfcJ\xed\x9e\xbeO?\xfeG\x97\xfa\x7f\xd7\xae\x00\xe0\x0f\xf4\xf7\xf0\xbb\xeaU~\xc9s5\xc1L\xea\x08 \xdf\x1f\x83h\x07\xfeJ\r\xc0\x85\xff\xaaT\x9d[J\xd5\x94B@a,\x10*\xaf\tj\xaf\xf7%\x96\xe320C|\xe0x\x0f\xedA\xbc\x08\x16g\xd5+.\xf9~{\x157\x83\xf5`k\xc9\xef\xa6\xff\xec8\xb8\x7f\xfe=D\x85\xca\xa4b8\n~*\x8b\x07\x80\xfd\xa4J\x1f\xaa\x08~S\xf5S%\x03\xba\xddW@\xd1t\x039\x1b0\x0f\x01\xfdH<\x07\xf9%\xffS=\xde3\xa0\xc6U+\x97\xd7\xf3\xea\xa8!\x97g\xafqH\x97Dux\xc4\x8dy!,O[\x01\xc1\x00|]}t\xda\xa2\xefzQ\xeb\x80.\x02\xab\x98\x8eK\x06\x1c\x94gEY\x95?U;\xbd5\x94D\xda\x8a\xaf\x02\x84\xc6\xc8\xa0\xcb\x86\xc5\x0f\xd2\xc9\xbb\xde\xa1\xb6\xc9\x0e\x07u\x9dL\xd7$\x90\xde\xf3\xbd\xce-\xa8*\xe8\x86G\x9aIoE\xc10S\xbc\xdbz\xa2*Z2C\x04\xec\x9b7%\xc1\x13\xadn\x9b\x87\x82\x9b]\xe14;\xe6^\xc0:\'\xba\x85\xe7\xc2\x9e\x19y9\xef<\x02\xba\xc8.\x15<\x059\xfe\xb8\xf0x\x08\x17A\xe0?\xb5\xf05/\x08R\t@\xcd\x17O\xdbee9\x13\x87\xca\xcb\xa0\x96\xab\xe5\xdfk\xf2\xba\xb3\xac\x8dG\x94\x0f+\x8a\xf2S\xc1KGA\x981x7\xcb\x84\xa1 \x10D\x92\xe5W|\xa9]\xf4 \x9eV\xa6i\x15\xc6X\xb3a\x10S\xce\xbb\xc2\xdc\x98I\xc3\xf3\\\x14\x8c\xa0\x12\x0f\x01\x01\xb85\xaa\x15\xcf{\x92\x9b\x06\x12\x01\x05Wc\xfc\xafTp\x86\xf9\xb8|\n9\xdb\x1f\x07\x80\x80\xfc\x03?\x9fN\xf0`\x80%\t\x1eS?\x86\x8e\xaa.\x99\x1fU\xddx9\x07$' |>>>><Ether  dst=00:50:56:a7:5d:ad src=00:18:b9:4e:1e:1b type=IPv4 |<IP  version=4L ihl=5L tos=0x0 len=1648 id=20583 flags=DF frag=0L ttl=118 proto=tcp chksum=0x7747 src=188.36.159.9 dst=192.168.27.3 options=[] |<TCP  sport=26461 dport=27230 seq=3248517057 ack=2608885882 dataofs=5L reserved=0L flags=A window=257 chksum=0x3d3c urgptr=0 options=[] |<Raw  load='\xc3G\xc5\xde\xe7-\x87\x82\x10 \xca\xadW/K(T];\x0f\t\x02M\x1e\x0f\x923%\xb7H\x95+\x98\xaa\xc8\x065\xe5\xfa\n9I@S\x90\xc0\xf0\x10+\xfe\x83`\x96\xa4J\xbf\xa5\xea\xbf\xbf\x98 Ya\x80\x85\x02\x18\xfb\xea\x95\x17\x82\x1c\x90\xbeL.\xbe\x9e\xfdV\x9a\xdf\xe8\x12\x00\x80x\x08\x14\xc1\x82\x18\xf8\x03\x81\xbc$\xfc\xbe\x00j\xb0A\x1f\x893\xcaB\x14\x12?\xe2\xef\x01B\xf1\xd6\xfe-\x1e\x0f\x01\x01\xc8\x06\x03j\x89K\xc7\xca\x95\x17d\xbf\xf5\x94\xbe\xfc\x0cI\xcf\xc9\xf5\xf03\xf7\x8b\x87\x93e\x93f\xe5\xb5\xb8\x98L\rB\x18\xfdR\xb5J\xaf\xe2\xbd\xf76I\xd8\xb6\xd65\xa3 S\xfas\xf9g\xdb\x88\x0f\x89S\xd2\xe1quR%\x8f\xc7J\xa5W=K\xff\x04I\xcd\x1a\\\xbf\xf7\xbe>V%\x04/\xab\xa0p\x10\xed\xfc\xf7\xa0\x8f\xff\xc8;\xb9\x1a\xf6u\xe3\xef\x03\x17\t\x10H\xb5X\x97\xe0\x82\x08C\xfb\x82Iz\xa0B\xf5\x8a\xd9\x12\x95yD\x1fO\xde\xa8\xeb\xf7?\xb7\x9b&Ssrv\xe6\xa7\x9a\xf0)\xa3\xb3\xf4\x12=\xf9@7\x85\xe1\x0c\xbb\xe1\x03%U>\\\x08W\xe9\xf2\x81\xfd\xad\xa8\xb30\x94\x10\x04\xbf\te\xc0\x1fG\xff\xf4\xfe\xc9\x15\x97_\xd8\xaa%\xb0F^\x9d\x08E\xfe\x85\xea@\xf0\x95\xf1\xfa\xbf`(\x82\x10\xfb/\xd4\xdciT\x88\xedx@Q-R\xaf\xc2]\xcc\xcfJ#\x7fDU\x1b\xb8\xce\x06j\xda\x8b\x16\x98\xf6m\x96\xf7\r\x01J\xbe\xe6Q\xf7\xcb\xd5\xc1)H\x90\xa0!\xfez\x0f\x15A\xfe*\xfdL^\xaf\x99\x00\xca\xcd\x1f\x08C\xf0e4}\x83\xe5\n\x84\xb5y/\xf8\xaf\xc3\xed\x11\xff\x95@\xf7;<\xd6\xbdU\x96\xcb\xb6\x95=\x9e]\xdc\\\xa1\x81\xab\ra\xb0)\x9b\x96\xeb\xe9\xec.\x85\xd3\x99\xec\x96I.\xb3\xf5\xb6\xd3\xb2E\x12M\xbc\x8d\xdb\xda\x9d\xe0\xc2P5\x06\x1f\x97\x04\n^%{A\xb7\xd2\xdf\xab/\x9fT\x10\x0b\xbd\x1b\xff\xd5\xe2\x92\xfc\x03\x05\xd3\xa4\xe0\xc1\x00\x03\x81\x84\x95BL\xf3\x7fS\xb0\x14#\xc8%\t\x03\xd0e\x84\x8f+\xf8\x1f\xfe/Q\x93l\x8a\xb1\xa8b\xc8\xad\\\xfd\xca\xbd\xd8l\x05p\xf1  \x048\x10\xc4\xa0P\xf9P\x96\xa9U\xff\xe7\xa0\x96]\xf1\xf7\xff\x97\x14\xc5_\x1d\xcf|D\xb6M\x87b\x8f\xb3\xeb8g\x97;v\xb5\xb9\x83.\xcdk#\x11\xb1\x9b\xed\xd4\xd2\x99\xc7\xa6\xd8\xd9\x95\x1b\xb8\xc3k\xd1Vu\xd5N\xb1l\xf3y\xcd\x1c\x91\x00\xa77\xc3\xcd\xfc[\t\xe2\xf8\x8e\x94\x06JE=\x91\xc7:\xf0\x14\xce\xecQ\xa2/\xe6.qW\'\xf0\x0br\x90\x17xu?k#Q(\xbb3{\xb7\xfb=i\x85Jh\xb2\xe6\x1f\nx\x95\x82:\xc1X\xfb\x87\x87\xd6\xc5uKQ\xab\x17\xae.\xac\xe2B)\xe0\x9f\xe1 \x14\xeb\xae\xaa\xb9in\xd2a\xf7\xf5fi\xffA\xe3\x15\x83\xa5\xd2\xdc\x99\xc6\xe3\\F-\xf3b\xc5c\x10)\xaa\xb5\x17\xbe\xdcJ\xd5\'\xd2\xff\xef*c\x92~\x0e\x9b\xf7\xa4@\xf8%\xfb\x998\xd2\xe7i\x127\x03\x1c\xf2\xc0\xbf8o\x06\x91j(p\nc\x7f\xf9\xe9>\xa3\xebm\x15I\xfdV\x90u\xd2j\xa7\xd4u\x93\xf8\xbc\x0f\x896I\xb6\xd8\xd2\xe2\xc9\xfe\x88\xd9\xc21x\x14\xfa\x9c\xbe\xfa\\R\x9f\xf2F\x83Gz\xe8\xe7!5S(|\x91\xea\xaf\xec\x9f\x9d\xdbW`-U\x7f3\x88\x19%\xfc8\x02\x9c\x8b$\xc1\x8d\xaa>K\xff0\xaa\xea\xf4\x97\xcc\xdcs\x8c\x853\xa9\x7f\xfb=\x82\xbcUAC\x07c\xcbX\x11q\x9cZ\x92\xf8\xbc\x03\xe8\x07\x0f\xbe%\xe7d\xe1 <\x04\x0e"@<\x07\xf8\xffK\xf64\xf4\xb0\x0e+\xfa\x99\xe99)\x90)\x84\x15n\xda\xba;Wk\x95\xc5\x03S\xc3\xb7\x9c\x1f\xf9\\\x99\x18\x84\x80S\x18\x17\x9c,\x06@\xb1\\K\xaa\xe7\xe4\x9e\xb2^<\x18 \x8f\xa0\xe9N\x9d/\x08\n-\xf5\x12z\x93\x94kB\x00 \xf8\x03\xc1\xbc$\xfcJ\xed\x9e\xbeO?\xfeG\x97\xfa\x7f\xd7\xae\x00\xe0\x0f\xf4\xf7\xf0\xbb\xeaU~\xc9s5\xc1L\xea\x08 \xdf\x1f\x83h\x07\xfeJ\r\xc0\x85\xff\xaaT\x9d[J\xd5\x94B@a,\x10*\xaf\tj\xaf\xf7%\x96\xe320C|\xe0x\x0f\xedA\xbc\x08\x16g\xd5+.\xf9~{\x157\x83\xf5`k\xc9\xef\xa6\xff\xec8\xb8\x7f\xfe=D\x85\xca\xa4b8\n~*\x8b\x07\x80\xfd\xa4J\x1f\xaa\x08~S\xf5S%\x03\xba\xddW@\xd1t\x039\x1b0\x0f\x01\xfdH<\x07\xf9%\xffS=\xde3\xa0\xc6U+\x97\xd7\xf3\xea\xa8!\x97g\xafqH\x97Dux\xc4\x8dy!,O[\x01\xc1\x00|]}t\xda\xa2\xefzQ\xeb\x80.\x02\xab\x98\x8eK\x06\x1c\x94gEY\x95?U;\xbd5\x94D\xda\x8a\xaf\x02\x84\xc6\xc8\xa0\xcb\x86\xc5\x0f\xd2\xc9\xbb\xde\xa1\xb6\xc9\x0e\x07u\x9dL\xd7$\x90\xde\xf3\xbd\xce-\xa8*\xe8\x86G\x9aIoE\xc10S\xbc\xdbz\xa2*Z2C\x04\xec\x9b7%\xc1\x13\xadn\x9b\x87\x82\x9b]\xe14;\xe6^\xc0:\'\xba\x85\xe7\xc2\x9e\x19y9\xef<\x02\xba\xc8.\x15<\x059\xfe\xb8\xf0x\x08\x17A\xe0?\xb5\xf05/\x08R\t@\xcd\x17O\xdbee9\x13\x87\xca\xcb\xa0\x96\xab\xe5\xdfk\xf2\xba\xb3\xac\x8dG\x94\x0f+\x8a\xf2S\xc1KGA\x981x7\xcb\x84\xa1 \x10D\x92\xe5W|\xa9]\xf4 \x9eV\xa6i\x15\xc6X\xb3a\x10S\xce\xbb\xc2\xdc\x98I\xc3\xf3\\\x14\x8c\xa0\x12\x0f\x01\x01\xb85\xaa\x15\xcf{\x92\x9b\x06\x12\x01\x05Wc\xfc\xafTp\x86\xf9\xb8|\n9\xdb\x1f\x07\x80\x80\xfc\x03?\x9fN\xf0`\x80%\t\x1eS?\x86\x8e\xaa.\x99\x1fU\xddx9\x07$' |>>>>

Actions

Copy link

Updated by Laszlo Madarassy almost 11 years ago

Eric Leblond wrote:
Laszlo can you confirm we have MTU set to 1500 and that all GRO, GSO are disabled on the capture interface ?

Yes, both MTUs are 1500:
eth1 Link encap:Ethernet HWaddr 00:50:56:a7:5d:ad
inet6 addr: fe80::250:56ff:fea7:5dad/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14276297388 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9748750595274 (8.8 TiB) TX bytes:708 (708.0 B)

eth2 Link encap:Ethernet HWaddr 00:50:56:a7:4e:04
inet6 addr: fe80::250:56ff:fea7:4e04/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:254792 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:240 (240.0 B) TX bytes:43081568 (41.0 MiB)

This is a vmware esxi 5.1 virtual machine. I haven't set any offloading on the intercaces:
ethtool eth1
Settings for eth1:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: off
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes

ethtool eth2
Settings for eth2:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: off
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes

[ 1.808139] e1000 0000:02:01.0 eth1: (PCI:66MHz:32-bit) 00:50:56:a7:5d:ad
[ 1.808144] e1000 0000:02:01.0 eth1: Intel(R) PRO/1000 Network Connection
[ 2.167533] e1000 0000:02:03.0 eth2: (PCI:66MHz:32-bit) 00:50:56:a7:4e:04
[ 2.167537] e1000 0000:02:03.0 eth2: Intel(R) PRO/1000 Network Connection
[ 8.547215] e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[ 8.726922] e1000: eth2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None

Actions

Copy link

Updated by Dave Crawford over 10 years ago

I've duplicated this behavior in a Debian guest on ESXi 5.1 connected to a Cisco 2970. The fix is to disable generic-receive-offload (GRO) on the two interfaces that af_packet is copying between:

ethtool -K eth1 gro off
ethtool -K eth2 gro off

-Dave

Actions

Copy link