From owner-freebsd-questions Sun Jun 4 19:20:41 2000 Delivered-To: freebsd-questions@freebsd.org Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id 9340837B7C8 for ; Sun, 4 Jun 2000 19:20:25 -0700 (PDT) (envelope-from ben@scientia.demon.co.uk) Received: from strontium.scientia.demon.co.uk ([192.168.91.36] ident=exim) by scientia.demon.co.uk with esmtp (Exim 3.12 #1) id 12ykKO-0009PA-00 for questions@freebsd.org; Mon, 05 Jun 2000 01:01:12 +0100 Received: (from ben) by strontium.scientia.demon.co.uk (Exim 3.12 #7) id 12ykKN-0006RR-00 for questions@FreeBSD.org; Mon, 05 Jun 2000 01:01:11 +0100 Date: Mon, 5 Jun 2000 01:01:11 +0100 From: Ben Smithurst To: questions@FreeBSD.org Subject: corrupt duplicates with tcpdump + broadcast address Message-ID: <20000605010111.D42325@strontium.scientia.demon.co.uk> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="Md/poaVZ8hnGTzuv" X-Mailer: Mutt 1.0i Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG --Md/poaVZ8hnGTzuv Content-Type: text/plain; charset=us-ascii Can someone give a likely explanation of what could case this: 00:48:19.321320 ff:ff:ff:ff:0:e0 2:0:0:0:ff:ff 7d81 102: 749d 0800 4500 0054 a32d 0000 ff01 e0d6 c0a8 5b24 c0a8 5b2f 0800 aeb4 0e3e 0000 c3ea 3a39 4de6 0400 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637 00:48:19.321356 0:e0:7d:81:74:9d ff:ff:ff:ff:ff:ff 0800 98: 192.168.91.36 > 192.168.91.47: icmp: echo request 4500 0054 a32d 0000 ff01 e0d6 c0a8 5b24 c0a8 5b2f 0800 aeb4 0e3e 0000 c3ea 3a39 4de6 0400 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637 The second packet is what I actually sent: an echo request to my LAN's broadcast address. Can anyone explain where the junk before the first packet has come from? The packet is just a copy of the real packet but with the four bytes "02 00 00 00" added to the front (tcpdump hides this slightly by printing the source ethernet address first, though the destination address is first in the ethernet header). This bogus packet doesn't appear if I run tcpdump on another host (i.e. the packet isn't on the wire), which is what I'd expected (I've noticed it's normal for broadcast packets to show twice on the source host, but this time it just has some junk in front). This is on a 4.0-stable machine, it also happens on 5.0-current. The raw dump file is attached. -- Ben Smithurst / ben@scientia.demon.co.uk / PGP: 0x99392F7D --Md/poaVZ8hnGTzuv Content-Type: application/octet-stream Content-Disposition: attachment; filename="net.dump" Content-Transfer-Encoding: base64 1MOyoQIABAAAAAAAAAAAAAACAAABAAAAw+o6OSjnBABmAAAAZgAAAAIAAAD///////8A4H2B dJ0IAEUAAFSjLQAA/wHg1sCoWyTAqFsvCACutA4+AADD6jo5TeYEAAgJCgsMDQ4PEBESExQV FhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2N8PqOjlM5wQAYgAAAGIAAAD///// //8A4H2BdJ0IAEUAAFSjLQAA/wHg1sCoWyTAqFsvCACutA4+AADD6jo5TeYEAAgJCgsMDQ4P EBESExQVFhcYGRobHB0eHyAhIiMkJSYnKCkqKywtLi8wMTIzNDU2N8TqOjlkCQUAZgAAAGYA AAACAAAA////////AOB9gXSdCABFAABUoy4AAP8B4NXAqFskwKhbLwgAv5EOPgEAxOo6OToJ BQAICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1NjfE6jo5 fwkFAGIAAABiAAAA////////AOB9gXSdCABFAABUoy4AAP8B4NXAqFskwKhbLwgAv5EOPgEA xOo6OToJBQAICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1 NjfF6jo5ejAFAGYAAABmAAAAAgAAAP///////wDgfYF0nQgARQAAVKMvAAD/AeDUwKhbJMCo Wy8IAKJqDj4CAMXqOjlVMAUACAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSor LC0uLzAxMjM0NTY3xeo6OZUwBQBiAAAAYgAAAP///////wDgfYF0nQgARQAAVKMvAAD/AeDU wKhbJMCoWy8IAKJqDj4CAMXqOjlVMAUACAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQl JicoKSorLC0uLzAxMjM0NTY3 --Md/poaVZ8hnGTzuv-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message