tech-net: Re: PPPoE + fragmentation + bad hdr length

Subject: Re: PPPoE + fragmentation + bad hdr length
To: None <tech-net@netbsd.org>
From: Dan Fraser <dfraser@capybara.org>
List: tech-net
Date: 10/04/2004 21:22:21
>   so, please add '-v' to tcpdump to see the actual bad length.
>   It sounds like you have a device upstream that is now freaking out on
> fragmented packets.

Here are some more yummy, yummy packets!

21:16:14.907483 PPPoE  [ses 0x618] H31.C18.B96.tor.eicat.ca.54649 >
miso.capybara.org.www: S [tcp sum ok] 934009145:934009145(0) win 16384
<mss 1424,nop,wscale0,nop,nop,timestamp 0 0> (ttl 64, id 43612, len 60)

21:16:20.038334 PPPoE  [ses 0x618] miso.capybara.org.www >
H31.C18.B96.tor.eicat.ca.54661: . [bad hdr length] (frag 7302:24@0+) (ttl
55, len 44)

21:16:20.043669 PPPoE  [ses 0x618] miso.capybara.org >
H31.C18.B96.tor.eicat.ca: (frag 7302:1428@24) (ttl 55, len 1448)

21:16:20.043750 PPPoE  [ses 0x618] H31.C18.B96.tor.eicat.ca.51964 >
miso.capybara.org.2: R [tcp sum ok] 1213486160:1213486160(0) win 0 (ttl
64, id 7302, len 40)

21:16:20.898728 PPPoE  [ses 0x618] H31.C18.B96.tor.eicat.ca.54649 >
miso.capybara.org.www: S [tcp sum ok] 934009145:934009145(0) win 16384
<mss 1424,nop,wscale 0,nop,nop,timestamp 12 0> (ttl 64, id 44250, len 60)

21:16:20.913214 PPPoE  [ses 0x618] miso.capybara.org.www >
H31.C18.B96.tor.eicat.ca.54649: S [tcp sum ok] 1172158202:1172158202(0)
ack 934009146 win 4356 <mss 1400,nop,wscale 0,nop,nop,timestamp 183038 12>
(ttl 56, id 7306, len 60)

21:16:20.913335 PPPoE  [ses 0x618] H31.C18.B96.tor.eicat.ca.54649 >
miso.capybara.org.www: . [tcp sum ok] 1:1(0) ack 1 win 17088
<nop,nop,timestamp 13 183038> (ttl 64, id 44251, len 52)

21:16:20.914251 PPPoE  [ses 0x618] H31.C18.B96.tor.eicat.ca.54649 >
miso.capybara.org.www: P 1:249(248) ack 1 win 17088 <nop,nop,timestamp 13
183038> (ttl 64, id 44252, len 300)

21:16:21.539650 PPPoE  [ses 0x618] miso.capybara.org.www >
H31.C18.B96.tor.eicat.ca.54649: . [bad hdr length] (frag 7312:24@0+) (ttl
55, len 44)

>   I would start calling your ISP.

I sent them an email this afternoon, we'll see if I get a reply.

>   Does "ping -s 8000" cause the same kind of problem?

Yes, very much so.

pocky% ping -q -c 10 -s 8000 miso.capybara.org
PING miso.capybara.org (216.123.188.164): 8000 data bytes
----miso.capybara.org PING Statistics----
10 packets transmitted, 1 packets received, 90.0% packet loss
round-trip min/avg/max/stddev = 157.340/157.340/157.340/0.000 ms

pocky% ping -q -c 10 -s 1000 miso.capybara.org
PING miso.capybara.org (216.123.188.164): 1000 data bytes
----miso.capybara.org PING Statistics----
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 37.564/55.754/82.593/15.380 ms

>   {Do you have UDP/TCP hardware checksum offload enabled at either end?}

Nope.  Not that I'm aware of. :)

-- 
Dan J. Fraser <dfraser@capybara.org>
PGP: 0xF3972A01 (17 B7 24 90 27 05 B8 92  4F 7F 61 18 B9 D1 17 CE)
"Verbing weirds language." -- Calvin