I have found, since this was originally posted, that when the packet captures are done from a system outside the IPv6 router there are no abnormal packets seen (with thanks to SUZUKI, Shinsuke @ KAME Project for assistance). The original packet captures were done from within the router. It would seem from this that bpf might be behaving in an unusual manner.

I have read the documentation for bpf but have not found anything that explains the behavior noted below. Can anyone shed light on what might be happening here? Any help appreciated!

Ken Tollefson



Ken Tollefson wrote:

I hope this question is going to the right list. Please let me know if there is a more appropriate list it should go to.

I have installed FreeBSD 4.9 and have configured it as an IPv6 router.
I captured some of the packets sent by rtadvd and found
what appeared to be corrupt frames.  The output shown below is from
ethereal but tcpdump and snort show the same patterns.

The detail from Frame 4 below is actually the same as the last 64 bytes
of Frame 5 and this pattern is repeated, with each RA that is sent by rtadvd being preceded by the 64-byte 'fragment' which is misinterpreted as a Fibre Channel frame.


I found a reference to a problem with the way mbufs are handled by
various NICs so tried three different cards using the
xl0, rl0 and fxp0 drivers and found the same behaviour in each case.

The original IPv6 software has been replaced with the latest
KAME snap available for FreeBSD 4.9 with no change.

I have been unable to find a reference to this behavior in the FAQs or
lists.  Any help explaining what is going on here will be appreciated.

Ken
*****************************************************************************


Machine Specs:
Intel P150, 32 MB RAM, 40 GB HDD
NICs - xl0 - 3COM 3C905B, fxp0 - Intel Pro100 S, rl0 - $15 generic NIC with RealTek chipset rebadged as a 'Dolphin' brand card.


No.  Time       Source                    Destination  Protocol  Info
1    0.000000   fe80::210:5aff:fe77:e85c  ff02::2      ICMPv6    Multicast listener done
2    2.879182   fe80::210:5aff:fe77:e85c  ff02::2      ICMPv6    Multicast listener report
3    11.038023  fe80::210:5aff:fe77:e85c  ff02::2      ICMPv6    Multicast listener report
4    18.888487  00.00.00                  00.00.00     FC        Unknown frame
5    18.888545  fe80::210:5aff:fe77:e85c  ff02::1      ICMPv6    Router advertisement
6    34.898863  00.00.00                  00.00.00     FC        Unknown frame
7    34.898944  fe80::210:5aff:fe77:e85c  ff02::1      ICMPv6    Router advertisement


Frame Detail
------------
Frame 4
0000  60 00 00 00 00 18 3a ff  fe 80 00 00 00 00 00 00
0010  02 10 5a ff fe 77 e8 5c  ff 02 00 00 00 00 00 00
0020  00 00 00 00 00 00 00 01  86 00 ad 56 40 00 07 08
0030  00 00 00 00 00 00 00 00  01 01 00 10 5a 77 e8 5c

Frame 5

0000  33 33 00 00 00 01 00 10  5a 77 e8 5c 86 dd 60 00
0010  00 00 00 18 3a ff fe 80  00 00 00 00 00 00 02 10
0020  5a ff fe 77 e8 5c ff 02  00 00 00 00 00 00 00 00
0030  00 00 00 00 00 01 86 00  ad 56 40 00 07 08 00 00
0040  00 00 00 00 00 00 01 01  00 10 5a 77 e8 5c





_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"



-- Ken Tollefson
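The comparison described in the message can be checked mechanically. The following is an added example, not part of the original post: it parses the two hex dumps exactly as quoted above, confirms that Frame 4 equals Frame 5 with its 14-byte Ethernet header removed, and decodes Frame 4 as a bare IPv6 packet. The function names are illustrative.

```python
import ipaddress
import struct
# Hex dumps copied from the Frame 4 / Frame 5 detail in the post.
FRAME4 = """
0000  60 00 00 00 00 18 3a ff  fe 80 00 00 00 00 00 00
0010  02 10 5a ff fe 77 e8 5c  ff 02 00 00 00 00 00 00
0020  00 00 00 00 00 00 00 01  86 00 ad 56 40 00 07 08
0030  00 00 00 00 00 00 00 00  01 01 00 10 5a 77 e8 5c
"""
FRAME5 = """
0000  33 33 00 00 00 01 00 10  5a 77 e8 5c 86 dd 60 00
0010  00 00 00 18 3a ff fe 80  00 00 00 00 00 00 02 10
0020  5a ff fe 77 e8 5c ff 02  00 00 00 00 00 00 00 00
0030  00 00 00 00 00 01 86 00  ad 56 40 00 07 08 00 00
0040  00 00 00 00 00 00 01 01  00 10 5a 77 e8 5c
"""
ETH_HLEN, ETHERTYPE_IPV6 = 14, 0x86DD

def parse_hexdump(text):
    """Turn 'offset  hex bytes' lines into bytes, checking offsets are contiguous."""
    out = bytearray()
    for line in text.strip().splitlines():
        offset, *octets = line.split()
        if int(offset, 16) != len(out):
            raise ValueError(f"gap in dump at offset {offset}")
        out += bytes(int(o, 16) for o in octets)
    return bytes(out)

def parse_ipv6(pkt):
    """Decode the fixed 40-byte IPv6 header; raise if pkt does not start with one."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    plen, nxt, hlim = struct.unpack("!HBB", pkt[4:8])
    return {"payload_len": plen, "next_header": nxt, "hop_limit": hlim,
            "src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])), "payload": pkt[40:40 + plen]}

def classify(frame):
    """Label a captured frame as Ethernet-framed IPv6, bare IPv6, or unknown."""
    if len(frame) >= ETH_HLEN + 40 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV6:
        return "ethernet+ipv6"
    try:
        hdr = parse_ipv6(frame)
    except ValueError:
        return "unknown"
    return "bare-ipv6" if 40 + hdr["payload_len"] == len(frame) else "unknown"

if __name__ == "__main__":
    f4, f5 = parse_hexdump(FRAME4), parse_hexdump(FRAME5)
    print(classify(f4), classify(f5), f5[ETH_HLEN:] == f4, parse_ipv6(f4))
```

Frame 4 carries the same Router Advertisement as Frame 5 (ICMPv6 type 134 to ff02::1) but begins directly at the IPv6 header, so a dissector expecting an Ethernet header at offset 0 has nothing valid to decode.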