
ICMP redirects with bad chksum

Hello, I have a customer who is showing errors increasing on mgmt port on Other Errors Rcvd counter and CRC Errors Rcvd.

Malware Gateway         : DEFAULT
SCSVRATD001> show intfport mgmt
Total Packets Received  : 51629543
Total Packets Sent      : 8509101
Total CRC Errors Rcvd   : 4663
Total Other Errors Rcvd : 570632
Total CRC Errors Sent   : 0
Total Other Errors Sent : 0

IP Address              : 192.168.131.195
Netmask                 : 255.255.252.0
MAC Address             : a4:bf:01:1d:a1:86
Malware Interface Port  : YES
Malware Gateway         : DEFAULT

In the pcaps I'm seeing chksum errors for some packets, but they look like they are outgoing(?), so they should be Tx errors, not the Rx errors he's seeing.

17:22:48.677154 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.131.195.https > 192.168.122.38.62329: Flags [S.], cksum 0x7f61 (incorrect -> 0x9bbb), seq 321591542, ack 834703075, win 29200, options [mss 1460, nop,nop,sackOK,nop,wscale 8], length 0

17:22:48.677312 IP (tos 0x0, ttl 64, id 23981, offset 0, flags [DF], proto ICMP (1), length 56)
    192.168.129.4 > 192.168.131.195: ICMP redirect 192.168.122.38 to host 192.168.130.208, length 36
    IP (tos 0x0, ttl 64, id 30961, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 42a4 (->4290)!)
    192.168.131.195.https > 192.168.122.38.62326: [|tcp]

17:22:48.677685 IP (tos 0x0, ttl 64, id 23982, offset 0, flags [DF], proto ICMP (1), length 56)
    192.168.129.4 > 192.168.131.195: ICMP redirect 192.168.122.38 to host 192.168.130.208, length 36
    IP (tos 0x0, ttl 64, id 30962, offset 0, flags [DF], proto TCP (6), length 212, bad cksum 420b (->41f7)!)
    192.168.131.195.https > 192.168.122.38.62326: [|tcp]

17:22:48.677713 IP (tos 0x0, ttl 64, id 23983, offset 0, flags [DF], proto ICMP (1), length 56)
    192.168.129.4 > 192.168.131.195: ICMP redirect 192.168.122.38 to host 192.168.130.208, length 36
    IP (tos 0x0, ttl 64, id 2351, offset 0, flags [DF], proto TCP (6), length 60, bad cksum b266 (->b252)!)
    192.168.131.195.https > 192.168.122.38.62325: [|tcp]

I'm not entirely sure, but it looks to me like 192.168.129.4 is sending ICMP packets to 192.168.131.195 (which is the ATD's mgmt IP), which is telling the ATD to redirect ping packets to somewhere else which is failing a chksum?

Which doesn't explain this one where the header is too short:

17:22:48.695626 IP (tos 0x0, ttl 64, id 23992, offset 0, flags [DF], proto ICMP (1), length 56)
    192.168.129.4 > 192.168.131.195: ICMP redirect 192.168.122.38 to host 192.168.130.208, length 36
    IP (tos 0x0, ttl 64, id 40921, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 1bbc (->1ba8)!)
    192.168.131.195.https > 192.168.122.38.62327: tcp 36 [bad hdr length 4 - too short, < 20]

So my question is: Are these packets being sent to the mgmt port already malformed? Should I be looking at the source 192.168.129.4 to find the problem, or are the packets being mangled on the receiving mgmt port? Some kind of driver problem?

I have attached the log he provided, but it's in tcpdump, not Wireshark, format.
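
Added example (not part of the original post): a check that rebuilds each quoted IPv4 header from the fields tcpdump printed for the ICMP redirects above and searches for the total-length value under which the stored checksum is valid. It assumes 20-byte headers without options; the function names are illustrative.

```python
import re
import socket
import struct

# Quoted (inner) IPv4 headers copied from the four ICMP redirect records in the post.
QUOTED = """\
IP (tos 0x0, ttl 64, id 30961, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 42a4 (->4290)!) 192.168.131.195.https > 192.168.122.38.62326: [|tcp]
IP (tos 0x0, ttl 64, id 30962, offset 0, flags [DF], proto TCP (6), length 212, bad cksum 420b (->41f7)!) 192.168.131.195.https > 192.168.122.38.62326: [|tcp]
IP (tos 0x0, ttl 64, id 2351, offset 0, flags [DF], proto TCP (6), length 60, bad cksum b266 (->b252)!) 192.168.131.195.https > 192.168.122.38.62325: [|tcp]
IP (tos 0x0, ttl 64, id 40921, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 1bbc (->1ba8)!) 192.168.131.195.https > 192.168.122.38.62327: tcp 36
"""

PAT = re.compile(
    r"tos (0x[0-9a-f]+), ttl (\d+), id (\d+), offset (\d+), flags \[(\w*)\], "
    r"proto \w+ \((\d+)\), length (\d+), bad cksum ([0-9a-f]+) \(->([0-9a-f]+)\)!\) "
    r"([\d.]+)\.\w+ > ([\d.]+)\.\d+")

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 ones' complement checksum over a header whose checksum field is zero."""
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def header(tos, ttl, ident, off, flags, proto, length, src, dst) -> bytes:
    """20-byte IPv4 header (assumed IHL 5, no options) with checksum field zeroed."""
    frag = (0x4000 if "DF" in flags else 0) | (off // 8)  # tcpdump prints offset in bytes
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, length, ident, frag, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def analyse(text: str = QUOTED):
    """Return (id, printed length, stored cksum, cksum as captured, length fix) per header."""
    rows = []
    for m in PAT.finditer(text):
        tos, ttl, ident, off, flags, proto, length, stored, _want, src, dst = m.groups()
        f = (int(tos, 16), int(ttl), int(ident), int(off), flags, int(proto))
        length, stored = int(length), int(stored, 16)
        # Adjustment to the total-length field that makes the stored checksum verify.
        fix = next((d for d in range(-40, 41)
                    if ip_checksum(header(*f, length + d, src, dst)) == stored), None)
        rows.append((int(ident), length, stored,
                     ip_checksum(header(*f, length, src, dst)), fix))
    return rows

if __name__ == "__main__":
    for ident, length, stored, captured, fix in analyse():
        print(f"id {ident}: length {length}, stored {stored:04x}, "
              f"as captured {captured:04x}, valid at length {length + fix}")
```

For all four quoted headers the stored checksum verifies once the length field is reduced by 20, so the mismatch tcpdump flags is in the copy of the header carried inside the redirect from 192.168.129.4.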
