This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Expert Info: “Time to Live != 255” message just when HSRP is Version 2

0

Hi all, this is the architecture :

Switch A -> Interface Vlan X -> HSRP Version 1 -> PC A

In the wireshark capture taken by PC A :

  • In the expert info there are no Notes related to the "Time To live".
  • The TTL of HSRP 1 is 1.

Switch A -> Interface Vlan Y -> HSRP Version 2 -> PC B

In the wireshark capture taken by PC B :

  • In the expert info, in the Notes sheet there is the note : "Time To Live" !=255 for a packet sent to the Local Network Control Block (see RFC 3171).
  • The TTL of HSRP 2 is 1

Question : Why the capture of the PC B shows me this TTL info even if is correct and present in the pcap that the HSRP-TTL is 1 ?

asked 25 Mar '15, 07:54

ValerioItaly's gravatar image

ValerioItaly
5334
accept rate: 0%

2 Answers:

1

According to the Wireshark code and your capture file, the expert info is wrong for your case, because the expert module is just looking at the IP address (224.0.0.102) which is usually tied to Cisco GLBP, where the TTL is expected to be 255 (like VRRP). Your sample frame is actually HSRP, using the same IP address (224.0.0.102), however with a TTL of 1 (which is expected for HSRP).

So, the Wireshark expert is triggering on the IP address (224.0.0.102) with a "wrong" TTL (expected:255, real:1).

Either you reconfigure your HSRP routers to use a different IP address, or you simply ignore the Wireshark expert message.

File: packet-ip.c

#define IPLOCAL_NETWRK_CTRL_BLK_GLPB_ADDR       0xE0000066  <=== 224.0.0.102
#define IPLOCAL_NETWRK_CTRL_BLK_GLPB_TTL        0XFF        <=== TTL = 255

if (is_a_local_network_control_block_addr(dst32)) {
ttl = local_network_control_block_addr_valid_ttl(dst32);   <=== HERE
if (ttl != iph->ip_ttl && ttl != IPLOCAL_NETWRK_CTRL_BLK_ANY_TTL) {
expert_add_info_format(pinfo, ttl_item, &ei_ip_ttl_lncb, "&quot;Time To Live&quot; != %d for a packet sent to the "
"Local Network Control Block (see RFC 3171)",
ttl);
}


local_network_control_block_addr_valid_ttl(guint32 addr)
{
/* An exception list, as some protocols seem to insist on


    

  • doing differently:
*/
    • 



/* Cisco's GLPB */
if (IPLOCAL_NETWRK_CTRL_BLK_GLPB_ADDR == addr)    <=== HERE
return IPLOCAL_NETWRK_CTRL_BLK_GLPB_TTL;

Regards
Kurt

answered 25 Mar ‘15, 17:10

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Ok Kurt, your answer in very clear ! Thanks a lot to you and to SYN Bit for the support :)

(26 Mar ‘15, 00:00) ValerioItaly

0

Looking at the source code, there are a couple of multicast mac addresses in the Local Network Control Block (224.0.0.0/24) that do not have a TTL of 1. It looks like your trace of HSRP 2 traffic is matching one of the exceptions. Are you able to post a small capture file with the HSRP 2 packets (on Cloudshark for instance), it would be easier to determine if there is a bug in the wireshark code.

answered 25 Mar '15, 12:29

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks a lot for your support.

Here you can find an example of what I see :

https://www.cloudshark.org/captures/a41f1b374661

(25 Mar '15, 13:46) ValerioItaly