Re: "TCPv4 bad checksum" (was greased penguin)

Blu3Viper (david@kalifornia.com)
Thu, 26 Mar 1998 05:43:51 -0800 (PST)


> > > My modem link has compression and error checking, so in theory I have
> >                                                        ^^^^^^^^^
> > (but your serial cable between computer and modem hasn't), also note
> > that theory and practice often differ. Another possibility is that
> > the packets got corrupted further down the link.

i find the notion it is ppp to be incorrect.

allow me to describe my networks.

Mar 24 11:00:22 Midnight kernel: TCPv4 bad checksum from 207.213.0.47:0050
to 207.212.178.69:0656, len=515/515/535

Midnight(207.212.178.69) is my computer at home. i often bring it with me
to the office (yes, it's bulky...but it's got my developing stuff on it)
where it is assigned 207.213.15.250.

when at home (178.69), i acquire a rather large number of these messages
vs. when at work. 125 vs. 8 in a 16 day period. i have had pre1
onboard for the last 30 or so hours and haven't seen a message yet.

when Midnight is at home, it talks via ethernet to my 2.1.62 machine which
has not been changed in months. that machine has the modem on it and runs
pppd v2.3.1, no compression modules loaded, vj is not specifically
disabled.

when i am at the office, (207.213.15.250), the machine is on an ethernet
hub which connects directly to 207.213.0.47 (previous machine of
originating checksum errs). here, i have never received errs from 0.47.
instead, on one particular day, for 31 seconds, i received 8 checksum
errors apparently from 209.77.126.36.

Mar 20 19:23:50 more kernel: TCPv4 bad checksum from 209.77.126.36:0050 to
207.213.15.250:0416, len=32/32/52

this ip (.36) is not within my space at all. (the other two are, from
dialup to host.)

here are some of the particulars while this happened:

207.213.0.47 (2.0.33 w/ tulip v0.79)
207.213.15.250/207.212.178.69 (same machine) (2.1.89 w/ tulip v0.87O)
207.212.178.1 (dialup router at home) (2.1.62, pppd 2.3.1, ne2k)

now do note that ALL of these bad checksums happened while 2.1.89 was
onboard. and no tcp anomalies have appeared with pre1.

(please disregard the one hour difference between syslog and tcpdump, i
must have something set wrong that tcpdump looks at. it really is 5am, i
checked--honest.)

----------------------

ok........belay all that. it appears that i can reproduce the checksums
from doxx. let me grab a tcpdump (i know this makes david dance with
delight) and post it. this is while i'm on the ethernet at the office,
2.1.90pre1, tulip v0.87P.

more:/zip/code/x-programs/ram/netReq# tail -f /var/log/debug -n0
Mar 26 05:09:30 more kernel: TCPv4 bad checksum from 209.77.126.36:0050 to
207.213.15.250:04e2, len=20/20/40
Mar 26 05:09:30 more kernel: TCPv4 bad checksum from 209.77.126.36:0050 to
207.213.15.250:04df, len=20/20/40
Mar 26 05:09:30 more kernel: TCPv4 bad checksum from 209.77.126.36:0050 to
207.213.15.250:04de, len=20/20/40
Mar 26 05:09:33 more kernel: TCPv4 bad checksum from 209.77.126.36:0050 to
207.213.15.250:04e3, len=20/20/40
Mar 26 05:09:33 more kernel: TCPv4 bad checksum from 209.77.126.36:0050 to
207.213.15.250:04e4, len=20/20/40

more:/zip/code/snmpmon/sdf-1.3.0# tcpdump -fnSvp src or dst 209.77.126.36
06:09:30.185791 209.77.126.36.80 > 207.213.15.250.1250: F
1145403751:1145403751(0) ack 4106945249 win 31789 (DF) (ttl 51, id 24562)
06:09:30.195791 209.77.126.36.80 > 207.213.15.250.1247: F
1129475137:1129475137(0) ack 4104279709 win 31785 (DF) (ttl 51, id 24563)
06:09:30.225791 209.77.126.36.80 > 207.213.15.250.1246: F
1134560301:1134560301(0) ack 4110318168 win 31778 (DF) (ttl 51, id 24565)
06:09:30.905791 209.77.126.36.80 > 207.213.15.250.1250: F
1145403751:1145403751(0) ack 4106945249 win 31789 (DF) (ttl 51, id 24602)
06:09:30.905791 207.213.15.250.1250 > 209.77.126.36.80: . ack 1145403752
win 32120 (DF) (ttl 64, id 46469)
06:09:30.945791 209.77.126.36.80 > 207.213.15.250.1246: F
1134560301:1134560301(0) ack 4110318168 win 31778 (DF) (ttl 51, id 24603)
06:09:30.945791 207.213.15.250.1246 > 209.77.126.36.80: . ack 1134560302
win 32120 (DF) (ttl 64, id 46470)
06:09:30.975791 209.77.126.36.80 > 207.213.15.250.1247: F
1129475137:1129475137(0) ack 4104279709 win 31785 (DF) (ttl 51, id 24605)
06:09:30.975791 207.213.15.250.1247 > 209.77.126.36.80: . ack 1129475138
win 32120 (DF) (ttl 64, id 46471)
06:09:33.045791 209.77.126.36.80 > 207.213.15.250.1251: F
1130380127:1130380127(0) ack 4107986680 win 31790 (DF) (ttl 51, id 24753)

i believe i may have cut off the tail of this, i hit ctrl-c just as the
last checksum msg appeared on syslog and tcpdump was going still.

i was on the doxx main web page at the start of this test. in netscape, i
did a shift-alt-r for a reload. the page came up at 06:09:18. 12 seconds
later, they appeared.

here is another snippet. it's not 100% repeatable, i simply have to keep
talking to this machine until it happens.

more:/zip/code/x-programs/ram/netReq# tail -f /var/log/debug -n0
Mar 26 05:16:53 more kernel: TCPv4 bad checksum from 209.77.126.36:0050 to
207.213.15.250:04fa, len=20/20/40
Mar 26 05:16:53 more kernel: TCPv4 bad checksum from 209.77.126.36:0050 to
207.213.15.250:04f9, len=20/20/40

tcpdump: listening on eth0
06:16:53.625791 209.77.126.36.80 > 207.213.15.250.1274: F
1573742757:1573742757(0) ack 259412472 win 31806 (DF) (ttl 51, id 56172)
06:16:53.645791 209.77.126.36.80 > 207.213.15.250.1273: F
1574959096:1574959096(0) ack 253512124 win 31803 (DF) (ttl 51, id 56175)
06:16:54.085791 209.77.126.36.80 > 207.213.15.250.1274: F
1573742757:1573742757(0) ack 259412472 win 31806 (DF) (ttl 51, id 56205)
06:16:54.085791 207.213.15.250.1274 > 209.77.126.36.80: . ack 1573742758
win 31856 (DF) (ttl 64, id 47378)
06:16:54.325791 209.77.126.36.80 > 207.213.15.250.1273: F
1574959096:1574959096(0) ack 253512124 win 31803 (DF) (ttl 51, id 56224)
06:16:54.325791 207.213.15.250.1273 > 209.77.126.36.80: . ack 1574959097
win 32120 (DF) (ttl 64, id 47381)

let me try a bit more and i'll put a hex snapshot on the packets.

more:/zip/code/x-programs/ram/netReq# tail -f /var/log/debug -n0
Mar 26 05:22:20 more kernel: TCPv4 bad checksum from 209.77.126.36:0050 to
207.213.15.250:0510, len=20/20/40

tcpdump: listening on eth0
06:22:20.575791 209.77.126.36.80 > 207.213.15.250.1296: F
1909539681:1909539681(0) ack 589825404 win 31789 (DF) (ttl 51, id 13584)
4500 0028 3510 4000 3306 e37e d14d 7e24
cfd5 0ffa 0050 0510 71d1 4361 2328 057c
5011 7c2d 212d 0000 0000 0000 0000 0000
0000 0000 0000

and again:
more:/zip/code/x-programs/ram/netReq# tail -f /var/log/debug -n0
Mar 26 05:24:46 more kernel: TCPv4 bad checksum from 209.77.126.36:0050 to
207.213.15.250:051a, len=20/20/40

06:24:46.915791 209.77.126.36.80 > 207.213.15.250.1306: F
2048441289:2048441289(0) ack 721766323 win 31789 (DF) (ttl 51, id 23653)
4500 0028 5c65 4000 3306 bc29 d14d 7e24
cfd5 0ffa 0050 051a 7a18 bbc9 2b05 47b3
5011 7c2d 565f 0000 0000 0000 0000 f2cc
8e6e e3a9 8d9e

breaking down the tcp header (ok...how much hot water can i get into,
this is kinda for my clue gaining)

__u16: source 0050 (port 80)
__u16: dest 051a (port 1306)
__u32: seq 7a18bbc9 (2048441289)
__u32: ack_se 2b0547b3 (721766323)
__u16: flags: 5011 (01010000 00010000, doff(5) ack(1))
__u16: window 7c2d (31789)
__u16: check 565f (22111)
__u16: urg_pt 0000 (0)

ok, i'm done playing. have at it dave :)

-d
p.s. no, i wasn't going to post the whole packet and checksum it :)

Look, look, see Windows 95. Buy, lemmings, buy!
(c) 1998 David Ford. Redistribution via the Microsoft Network is prohibited.

[reply to: david@127-0-0-1.kalifornia.com without the 127-0-0-1.]
*** *** Flames will go to /dev/null
** WARNING ** SPAM mail will be returned to you at a
*** *** minimum rate of 50,000 copies per email
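
Added example (not part of the original post): the two hex dumps above contain the full IPv4 and TCP headers, so the checksum the kernel complained about can be recomputed from them. The function name `check_packet` and the result keys are choices made for this example; the packet bytes are copied from the post.

```python
import struct

# Hex dumps copied from the two tcpdump captures in the post above.
DUMP_1 = """
4500 0028 3510 4000 3306 e37e d14d 7e24
cfd5 0ffa 0050 0510 71d1 4361 2328 057c
5011 7c2d 212d 0000 0000 0000 0000 0000
0000 0000 0000
"""
DUMP_2 = """
4500 0028 5c65 4000 3306 bc29 d14d 7e24
cfd5 0ffa 0050 051a 7a18 bbc9 2b05 47b3
5011 7c2d 565f 0000 0000 0000 0000 f2cc
8e6e e3a9 8d9e
"""

def ones_sum(data):
    """16-bit one's-complement sum (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def check_packet(dump):
    pkt = bytes.fromhex("".join(dump.split()))
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    # Trust the IP total length, not the capture length: bytes past it are
    # link-layer padding or capture residue and are not covered by TCP.
    seg = pkt[ihl:total_len]
    # Pseudo-header: source address, destination address, zero, protocol, length.
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], len(seg))
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]
    names = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))
    return {
        "ip_header_ok": ones_sum(pkt[:ihl]) == 0xFFFF,
        "tcp_stored": struct.unpack("!H", seg[16:18])[0],
        "tcp_expected": 0xFFFF ^ ones_sum(pseudo + zeroed),
        "tcp_ok": ones_sum(pseudo + seg) == 0xFFFF,
        "flags": [n for bit, n in names if seg[13] & bit],
        "trailing": pkt[total_len:].hex(),
    }

if __name__ == "__main__":
    for stamp, dump in (("05:22:20", DUMP_1), ("05:24:46", DUMP_2)):
        print(stamp, check_packet(dump))
```

For both dumps the IPv4 header checksum verifies, while the TCP checksum field is one less than the recomputed value (0x212d stored vs. 0x212e, and 0x565f stored vs. 0x5660). The `trailing` field shows the bytes printed after the 40-byte IP total length, which the TCP checksum does not cover.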
