Sent again, as I don't receive the copy from the list.
From: [email protected]
To: [email protected]
Subject: FW: Service crash after update to WinPcap networking
Date: Fri, 28 Mar 2014 12:14:08 +0000
The other server has just crashed. So the problem is not restricted to a single
machine.
We are thinking about updating HP NIC drivers and firmware (dated January
2011), hoping that an outdated driver/firmware could make WinPcap more prone to
participate in these crashes.
There is another strange behaviour: we have applied a safety mechanism to
detect malformed packets; it compares the len property of the pktHeader
returned by WinPcap to the datagramSize derived from the IP datagram header. If
they don't match, a log message is written, and the packet is discarded.
    Public Const EthernetHeaderSize = 14
    Public Const BasicIPHeaderSize = 20
    Private _MaxDatagramSize As Integer = 65535
    Private _MaxEthernetPacketSize As Integer = EthernetHeaderSize + Me._MaxDatagramSize
    ...
    Dim errBuf As New StringBuilder(WinPcap.Constants.PCAP_ERRBUF_SIZE)
    Dim session = WinPcap.Driver.pcap_open(Me._DeviceName, Me._MaxEthernetPacketSize,
        WinPcap.Constants.PCAP_OPENFLAG_MAX_RESPONSIVENESS + WinPcap.Constants.PCAP_OPENFLAG_NOCAPTURE_LOCAL,
        1, IntPtr.Zero, errBuf)
    ...
    While Not cancellationTokenSource.IsCancellationRequested
        Dim pktHeader As IntPtr = IntPtr.Zero
        Dim pktData As IntPtr = IntPtr.Zero
        Select Case WinPcap.Driver.pcap_next_ex(session, pktHeader, pktData)
            Case 0
                Continue While
            Case Is < 0
                Throw New Exception(WinPcap.Driver.pcap_geterr(session))
        End Select
        Dim header = DirectCast(Marshal.PtrToStructure(pktHeader, GetType(WinPcap.pcap_pkthdr)),
            WinPcap.pcap_pkthdr)
        If header.len > EthernetHeaderSize + BasicIPHeaderSize Then 'Ethernet header + IPv4 header (without options)
            Dim datagramSize As UShort = Marshal.ReadByte(pktData, EthernetHeaderSize + 2)
            datagramSize <<= 8
            datagramSize = datagramSize Or Marshal.ReadByte(pktData, EthernetHeaderSize + 3)
            If header.len >= EthernetHeaderSize + datagramSize AndAlso datagramSize <= Me._MaxDatagramSize Then
                'Process the packet
                ...
            Else
                Logging.Write(TraceEventType.Verbose,
                    "Discarded packet with datagramSize {0} and header.len {1}", datagramSize, header.len)
            End If
        End If
    End While
Well, it is happening, very significantly I would say.
My questions are:
-- Is it common that packets are this malformed?
-- Is my understanding right that in PCAP_OPENFLAG_MAX_RESPONSIVENESS mode
WinPcap delivers complete datagrams to the application (if the internal buffer
is big enough)? I'm not precluding IP fragmentation, rather I wonder whether
individual datagrams (be they fragments or not) are delivered as indivisible
units to the application. Otherwise, the behaviour we are experiencing could be
the result of WinPcap delivering a portion of a datagram, not the whole
datagram; but it would be a burden for the application to aggregate the
portions.
Thank you very much.
J.M.
From: [email protected]
To: [email protected]
Subject: Service crash after update to WinPcap networking
Date: Fri, 28 Mar 2014 10:07:37 +0000
Hi,
We have updated the raw socket networking subsystem of a Windows service to
WinPcap, with the following architecture:
-- One thread continuously captures on its own pcap_t calling pcap_next_ex.
-- Several threads send packets concurrently over the same interface, but each
one with its own private pcap_t obtained from pcap_open. These threads call
pcap_sendpacket.
Since the update, the service crashes intermittently, although only one of the
two servers in a redundant cluster exhibits the problem.
We are logging the errors produced by WinPcap. For that, after pcap_sendpacket
returns a negative result, we call pcap_geterr.
Just before the crash, the service logs (pcap_geterr result):
send error: PacketSendPacket failed
In EventViewer, this is the detail of the crash:
Faulting application name: ...
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
Exception code: 0xc0000374
Fault offset: 0x00000000000c40f2
Faulting process id: 0x1d64
Faulting application start time: 0x01cf4a53bf7cfe86
Faulting application path: ...
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 0e886882-b656-11e3-b6bb-e4115be757a8
The OS is Windows Server 2008 R2 64 bits.
The WinPcap version is 4.1.3.
The question is: has someone observed this problem?
Thank you very much.
Regards,
J.M.
_______________________________________________
Winpcap-users mailing list
[email protected]
https://www.winpcap.org/mailman/listinfo/winpcap-users
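
The length check from the follow-up message, extended into a per-frame classifier; this is an added example, not code from the original post or from WinPcap. It keeps the two lengths of pcap_pkthdr apart (caplen, the bytes actually in the buffer, and len, the length on the wire) and checks the EtherType first, because bytes 16-17 of a non-IPv4 frame are not an IP total length: in the constructed ARP sample they hold the protocol type 0x0800, which reads as 2048. The enum, the function name and the sample frames are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN 14u
#define IP_MIN_HDR  20u

typedef enum {
    FRAME_OK = 0,         /* IPv4 datagram fully present in the buffer */
    FRAME_TOO_SHORT,      /* fewer captured bytes than Ethernet + minimal IPv4 header */
    FRAME_NOT_IPV4,       /* EtherType is not 0x0800 (ARP, IPv6, 802.1Q tag, ...) */
    FRAME_BAD_IP_HEADER,  /* version != 4, IHL < 5, or total length < header length */
    FRAME_LEN_MISMATCH,   /* IP total length exceeds the bytes on the wire (len) */
    FRAME_SNAPPED         /* datagram fits in len but not in caplen: capture truncated */
} frame_status;

/* Constructed samples, not captured traffic: a padded 60-byte IPv4 frame
   (total length 28) and a 60-byte ARP frame. */
static const uint8_t SAMPLE_IPV4[60] = { [12] = 0x08, [13] = 0x00, [14] = 0x45, [17] = 0x1C };
static const uint8_t SAMPLE_ARP[60]  = { [12] = 0x08, [13] = 0x06, [15] = 0x01, [16] = 0x08 };

/* Read a big-endian 16-bit field. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* caplen and len have the same meaning as in struct pcap_pkthdr.
   On FRAME_OK, *ip_total receives the IPv4 total length. */
frame_status classify_frame(const uint8_t *data, uint32_t caplen,
                            uint32_t len, uint16_t *ip_total)
{
    if (data == NULL || caplen < ETH_HDR_LEN + IP_MIN_HDR)
        return FRAME_TOO_SHORT;
    if (be16(data + 12) != 0x0800u)            /* EtherType at offset 12 */
        return FRAME_NOT_IPV4;
    const uint8_t *ip = data + ETH_HDR_LEN;
    uint32_t ihl = (uint32_t)(ip[0] & 0x0Fu) * 4u;
    uint16_t total = be16(ip + 2);             /* same bytes the posted code reads */
    if ((ip[0] >> 4) != 4 || ihl < IP_MIN_HDR || total < ihl)
        return FRAME_BAD_IP_HEADER;
    if (len < ETH_HDR_LEN + (uint32_t)total)
        return FRAME_LEN_MISMATCH;
    if (caplen < ETH_HDR_LEN + (uint32_t)total)
        return FRAME_SNAPPED;
    if (ip_total) *ip_total = total;
    return FRAME_OK;
}

int main(void)
{
    printf("IPv4=%d ARP=%d ARP bytes 16-17 read as a length: %u\n",
           classify_frame(SAMPLE_IPV4, 60, 60, NULL),
           classify_frame(SAMPLE_ARP, 60, 60, NULL), be16(SAMPLE_ARP + 16));
    return 0;
}
```

Logging the returned status instead of a single "discarded" message shows whether the mismatches come from non-IPv4 frames, truncated captures, or IP headers whose total length really disagrees with the wire length.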