(Warning: very long mail, conclusion at the bottom)
I've seen broken NICs (usually el-cheapo NE2000 clones)
do things like this before -- a few bytes get inserted
or deleted somewhere in the packet. Usually right in
the ethernet header, but I suppose this could be
something similar, only it does its insertion/deletion
dance a couple of bytes later. (Or, it just garbles
everything completely -- I can't see any patterns
here)
Let's take a look at the data you supplied.
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet size = 66 bytes
> ETHER: Destination = 8:0:20:c0:c7:d6, Sun
> ETHER: Source = 0:d0:b7:7f:17:52,
> ETHER: Ethertype = 0800 (IP)
> ETHER:
Source address begins with 00:d0:b7. This is registered
to "INTEL CORPOTATION" (not my typo), according to
http://standards.ieee.org/regauth/oui/oui.txt
Destination address is 08:00:20, which corresponds to
08-00-20 (hex) SUN MICROSYSTEMS INC.
Your FW-1 is running on a Sun, no? This packet
is directed to a Sun.
The packet size (66) seems to be okay, as it corresponds
to the IP layer size of 52:
> IP: Total length = 52 bytes
The ethertype is correct.
However, after this, pretty much everything is garbled.
> IP: Version = 0
Ehhh.. IPv0 ? Right. This should get dropped silently
by any router or host.
> IP: Header length = 24 bytes
24 bytes of IP header. Could be right, but IP options
are really uncommon. Considering that the IHL resides
in the same byte as the version number, I'm just
going to consider this broken.
> IP: Type of service = 0x01
The two lowest bits in the TOS field are reserved and
should be set to zero. Broken.
> IP: Total length = 52 bytes
This is okay, which boggles me.
> IP: Identification = 0
An ID number of zero? This is too much of a coincidence
to me. Broken?
> IP: Flags = 0x0
This field looks alright, unless of course the sender
machine has PMTU discovery enabled, in which case
I'd expect the "don't fragment" flag to be set (it isn't).
> IP: Time to live = 6 seconds/hops
This is way too low for my taste.
> IP: Protocol = 0 (IP)
Ehmm... Protocol 0? It's more likely that this should be
that "6" we saw above; in that case, it'd be TCP.
> IP: Header checksum = 02af
This is probably screwed up. I did a quick IP checksum calc
and got a correct checksum of 0x8249 for a 24-byte header.
The correct checksum for a 20-byte header is 0xbea6.
(Unless I screwed up somewhere, which is not impossible)
> IP: Source address = 118.20.165.232, 118.20.165.232
> IP: Destination address = 26.39.0.0, 26.39.0.0
Well... Can we say screwed up? :)
> IP: Options: (4 bytes)
> IP: - Option 167 (unknown - 229 bytes)
Option code 167 is a variation of the RECORD ROUTE (7)
option, however, it has the "Copy to All Frags" (128) flag
and a reserved flag (32) set. On top of that, its length
is set to be 229 bytes, which will never ever fit inside
an IP header (IP headers cannot grow past 60 bytes, leaving
40 bytes for option data -- not to mention that 229 bytes
won't fit inside this packet's total length).
Looking at all of this in retrospect suggests that it is
NOT a broken NIC. If it was, it is highly unlikely that
the length would match, which it does. I'm going to go
ahead and make an (un?)educated guess that the IP stack
is plain broken. My guess would be that it does ARP
resolution and copying to the Ethernet header correctly.
It then goes ahead with copying _something_ in the IP
space of the packet, and finally sets the length
manually, which would explain why the length isn't broken.
Now, why the checksum doesn't match, I don't know. If they
copied invalid data, the checksum would still be correct
if computed on that data. Maybe it's being handled
(copied/calculated) separately or they're using incremental
checksumming.
For a NUMBER of reasons (ip version, checksum, etc)
this packet will never travel across a router, so
something local to the firewall's internal interface
is definitely causing it.
So... I'd say that you need to talk to your Cisco
representative, unless I've entirely misinterpreted
this situation.
$.02
/Mike
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00 Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636 Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/ E-mail: [EMAIL PROTECTED]
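An added example, not code from the original mail or from the list: a small Python checker that rebuilds the IP header from the snoop fields quoted above and applies the same sanity tests the mail walks through by hand (version, IHL, reserved TOS bits, protocol, header checksum, option type/length). It assumes the 20-byte variant with IHL forced to 5 (no options), which is the case for which the mail's 0xbea6 figure can be reproduced; the two trailing option bytes of the 24-byte variant are not shown in the quoted output, so that checksum is not reproduced. The threshold names and the problem codes are this example's own.

```python
"""Sanity checks on the IPv4 header quoted in the mail (added example)."""
import struct

# Constructed from the quoted snoop output: version 0, TOS 0x01, total
# length 52, ID 0, flags/fragment 0, TTL 6, protocol 0, checksum 0x02af,
# src 118.20.165.232, dst 26.39.0.0.  IHL is set to 5 here (assumption:
# the 20-byte, option-less layout used for the mail's second checksum).
QUOTED_HEADER_20 = bytes([
    0x05, 0x01, 0x00, 0x34,   # version/IHL, TOS, total length
    0x00, 0x00, 0x00, 0x00,   # identification, flags/fragment offset
    0x06, 0x00, 0x02, 0xaf,   # TTL, protocol, header checksum as sent
    118, 20, 165, 232,        # source address
    26, 39, 0, 0,             # destination address
])

# Constructed well-formed header with the same addresses and length, used
# to show the checker passing a packet a router would actually forward.
GOOD_HEADER_NO_SUM = bytes([
    0x45, 0x00, 0x00, 0x34,
    0x00, 0x00, 0x40, 0x00,   # DF set, offset 0
    64, 6, 0x00, 0x00,        # TTL 64, TCP, checksum to be filled in
    118, 20, 165, 232,
    26, 39, 0, 0,
])


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header, checksum field zeroed."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    if len(h) % 2:
        h.append(0)
    total = sum(struct.unpack("!%dH" % (len(h) // 2), bytes(h)))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header: bytes) -> bytes:
    """Return the header with a freshly computed checksum in bytes 10..11."""
    h = bytearray(header)
    h[10:12] = struct.pack("!H", ip_checksum(header))
    return bytes(h)


def decode_option_type(octet: int) -> dict:
    """Split an option-type octet into copy flag, class and number (RFC 791)."""
    return {"copied": bool(octet & 0x80),
            "class": (octet >> 5) & 0x03,
            "number": octet & 0x1F}


def option_problems(type_octet: int, length: int, ihl: int, total_len: int) -> list:
    """Checks a stack applies to one option's type/length pair."""
    probs = []
    opt = decode_option_type(type_octet)
    if opt["class"] in (1, 3):              # classes 1 and 3 are reserved
        probs.append("option-class-reserved")
    if length > min(ihl - 20, 40):          # options area is at most 40 bytes
        probs.append("option-length-exceeds-options-area")
    if length > total_len:
        probs.append("option-length-exceeds-packet")
    return probs


def header_problems(header: bytes, wire_len: int) -> list:
    """Return (code, detail) pairs for the defects a host or router would drop on."""
    probs = []
    version = header[0] >> 4
    ihl = (header[0] & 0x0F) * 4
    tos = header[1]
    total_len, = struct.unpack("!H", header[2:4])
    ttl, proto = header[8], header[9]
    sent_sum, = struct.unpack("!H", header[10:12])
    if version != 4:
        probs.append(("version", "version %d is not IPv4" % version))
    if ihl < 20:
        probs.append(("ihl", "header length %d below minimum 20" % ihl))
    if tos & 0x03:
        probs.append(("tos-reserved-bits", "reserved TOS bits set in 0x%02x" % tos))
    if total_len != wire_len:
        probs.append(("length", "total length %d != %d on wire" % (total_len, wire_len)))
    if proto == 0:
        probs.append(("protocol", "protocol 0 is not a transport protocol"))
    if ttl == 0:
        probs.append(("ttl", "TTL 0 must be discarded"))
    if ihl <= len(header) and ip_checksum(header[:ihl]) != sent_sum:
        probs.append(("checksum", "computed 0x%04x, sent 0x%04x"
                      % (ip_checksum(header[:ihl]), sent_sum)))
    return probs


if __name__ == "__main__":
    for code, detail in header_problems(QUOTED_HEADER_20, 52):
        print("%-18s %s" % (code, detail))
    print("option 167:", decode_option_type(167),
          option_problems(167, 229, 24, 52))
    print("well-formed header problems:",
          header_problems(with_checksum(GOOD_HEADER_NO_SUM), 52))
```

Run as a script it lists the version, TOS, protocol and checksum failures for the quoted header, decodes option type 167 as copy flag set, class 1, number 7, and reports the well-formed header as clean.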