[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
tcpdump weirdness on amd64
- To: bugs_(_at_)_openbsd_(_dot_)_org
- Subject: tcpdump weirdness on amd64
- From: Alf Schlichting <a_(_dot_)_schlichting_(_at_)_lemarit_(_dot_)_com>
- Date: Tue, 14 Feb 2006 12:41:53 +0100
- Mail-followup-to: bugs_(_at_)_openbsd_(_dot_)_org
Hello!
tcpdump shows incorrect packet contents when reading from a tcpdump file
on a amd64 -current.
Alf
alf_(_at_)_thor:39$ uname -a
OpenBSD thor.rechners.lemarit.com 3.9 GENERIC#0 amd64
alf_(_at_)_thor:40$
Example:
listen on lo(4):
root_(_at_)_thor:12# tcpdump -s 33192 -w /tmp/lo.dump -i lo0 port 8000
tcpdump: listening on lo0, link-type LOOP
send data:
alf_(_at_)_thor:35$ nc -kl 8000 >/dev/null 2>&1 &
[1] 2925
alf_(_at_)_thor:36$ ls -l /var/log/messages
-rw-r--r-- 1 root wheel 6856 Feb 14 10:00 /var/log/messages
alf_(_at_)_thor:38$ nc localhost 8000 < /var/log/messages
alf_(_at_)_thor:39$
look at the lo.dump file with tcpdump:
^C
10 packets received by filter
0 packets dropped by kernel
root_(_at_)_thor:13# tcpdump -Xnr /tmp/lo.dump | head -n 60
tcpdump: WARNING: compensating for unaligned libpcap packets
tcpdump: WARNING: compensating for unaligned libpcap packets
12:23:03.048967 ::1.21774 > ::1.8000: S 1897798716:1968798792(71000076) win 16384 <mss 33132,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 77917845 0> [flowlabel 0xe9e91]
0000: 002c 0640 0000 0000 0000 0000 0000 0000 .,_(_dot_)__(_at_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)_
0010: 0000 0001 0000 0000 0000 0000 0000 0000 ................
0020: 0000 0001 550e 1f40 711e 1c3c 0000 0000 _(_dot_)__(_dot_)__(_dot_)__(_dot_)_U_(_dot_)__(_dot_)__(_at_)_q_(_dot_)__(_dot_)_<....
0030: b002 4000 8564 0000 0204 816c 0101 0402 0_(_dot_)__(_at_)__(_dot_)__(_dot_)_d_(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)_l_(_dot_)__(_dot_)__(_dot_)__(_dot_)_
0040: 0103 0300 0101 080a 04a4 ee95 0000 0000 .........$n.....
0050: 0400 0000 ....
12:23:03.048987 ::1.8000 > ::1.21774: R 0:71000076(71000076) ack 1897798717 win 0
0000: 0014 0640 0000 0000 0000 0000 0000 0000 _(_dot_)__(_dot_)__(_dot_)__(_at_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)_
0010: 0000 0001 0000 0000 0000 0000 0000 0000 ................
0020: 0000 0001 1f40 550e 0000 0000 711e 1c3d _(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_at_)_U_(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)_q_(_dot_)__(_dot_)_=
0030: 5014 0000 ae25 0000 0204 816c P....%.....l
12:23:03.049028 127.0.0.1.20401 > 127.0.0.1.8000: S 1408376533:1408376533(0) win 16384 <mss 33152,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2001582573 0> (DF)
0000: 248f 4000 4006 1827 7f00 0001 7f00 0001 $_(_dot_)__(_at_)__(_dot_)_@..'........
0010: 4fb1 1f40 53f2 1ed5 0000 0000 b002 4000 O1_(_dot_)__(_at_)_Sr_(_dot_)_U_(_dot_)__(_dot_)__(_dot_)__(_dot_)_0_(_dot_)_@.
0020: 693e 0000 0204 8180 0101 0402 0103 0300 i>..............
0030: 0101 080a 774d b9ed 0000 0000 0000 0000 ....wM9m........
12:23:03.049048 127.0.0.1.8000 > 127.0.0.1.20401: S 1275937888:1275937888(0) ack 1408376534 win 16384 <mss 33152,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2527480456 2001582573> (DF)
0000: 6336 4000 4006 d97f 7f00 0001 7f00 0001 c6_(_at_)__(_dot_)_@.Y.........
0010: 1f40 4fb1 4c0d 4460 53f2 1ed6 b012 4000 _(_dot_)__(_at_)_O1L_(_dot_)_D`Sr_(_dot_)_V0_(_dot_)_@.
0020: f790 0000 0204 8180 0101 0402 0103 0300 w...............
0030: 0101 080a 96a6 4a88 774d b9ed 0000 0000 .....&J.wM9m....
12:23:03.049065 127.0.0.1.20401 > 127.0.0.1.8000: . ack 1 win 16384 <nop,nop,timestamp 2001582573 2527480456> (DF)
0000: 3778 4000 4006 054a 7f00 0001 7f00 0001 7x_(_at_)__(_dot_)_@..J........
0010: 4fb1 1f40 53f2 1ed6 4c0d 4461 8010 4000 O1_(_dot_)__(_at_)_Sr_(_dot_)_VL_(_dot_)_Da_(_dot_)__(_dot_)_@.
0020: b428 0000 0101 080a 774d b9ed 96a6 4a88 4(......wM9m.&J.
0030: 0101 080a ....
12:23:03.049303 127.0.0.1.20401 > 127.0.0.1.8000: P 1:1025(1024) ack 1 win 16384 <nop,nop,timestamp 2001582573 2527480456> (DF)
0000: 4df1 4000 4006 ead0 7f00 0001 7f00 0001 Mq_(_at_)__(_dot_)_@.jP........
0010: 4fb1 1f40 53f2 1ed6 4c0d 4461 8018 4000 O1_(_dot_)__(_at_)_Sr_(_dot_)_VL_(_dot_)_Da_(_dot_)__(_dot_)_@.
0020: 642b 0000 0101 080a 774d b9ed 96a6 4a88 d+......wM9m.&J.
0030: 4665 6220 3133 2032 333a 3030 3a30 3120 Feb 13 23:00:01
0040: 7468 6f72 206e 6577 7379 736c 6f67 5b32 thor newsyslog[2
0050: 3331 3836 5d3a 206c 6f67 6669 0000 0000 3186]: logfi....
0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0080: 0100 0000 ffff ffff 0000 0000 c092 8547 _(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_at_)__(_dot_)__(_dot_)_G
0090: 0000 0000 0000 0000 0500 0000 0000 0000 ................
00a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00b0: 0000 0000 ffff ffff 0000 0000 0000 0000 ............
00c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0100: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0130: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0140: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0150: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0180: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0190: 0000 0000 0000 0000 0000 0000 0000 0000 ................
01a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
Segmentation fault
root_(_at_)_thor:14#
There is no corefile generated (privsep?)
Look at it with hexdump shows the send data is written to the lo.dump file:
alf_(_at_)_thor:31$ hexdump -C /tmp/lo.dump | head -n 60
00000000 d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 |TC2!............|
00000010 a8 81 00 00 0c 00 00 00 97 bd f1 43 47 bf 00 00 |(........=qCG?..|
00000020 58 00 00 00 58 00 00 00 00 00 00 18 60 0e 9e 91 |X...X.......`...|
00000030 00 2c 06 40 00 00 00 00 00 00 00 00 00 00 00 00 |.,_(_dot_)__(_at_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)_|
00000040 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 01 55 0e 1f 40 71 1e 1c 3c 00 00 00 00 |_(_dot_)__(_dot_)__(_dot_)__(_dot_)_U_(_dot_)__(_dot_)__(_at_)_q_(_dot_)__(_dot_)_<....|
00000060 b0 02 40 00 85 64 00 00 02 04 81 6c 01 01 04 02 |0_(_dot_)__(_at_)__(_dot_)__(_dot_)_d_(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)_l_(_dot_)__(_dot_)__(_dot_)__(_dot_)_|
00000070 01 03 03 00 01 01 08 0a 04 a4 ee 95 00 00 00 00 |.........$n.....|
00000080 97 bd f1 43 5b bf 00 00 40 00 00 00 40 00 00 00 |_(_dot_)_=qC[?_(_dot_)__(_dot_)__(_at_)__(_dot_)__(_dot_)__(_dot_)_@...|
00000090 00 00 00 18 60 00 00 00 00 14 06 40 00 00 00 00 |_(_dot_)__(_dot_)__(_dot_)__(_dot_)_`_(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_at_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)_|
000000a0 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 |................|
000000b0 00 00 00 00 00 00 00 00 00 00 00 01 1f 40 55 0e |_(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_at_)_U_(_dot_)_|
000000c0 00 00 00 00 71 1e 1c 3d 50 14 00 00 ae 25 00 00 |....q..=P....%..|
000000d0 97 bd f1 43 84 bf 00 00 44 00 00 00 44 00 00 00 |.=qC.?..D...D...|
000000e0 00 00 00 02 45 00 00 40 24 8f 40 00 40 06 18 27 |_(_dot_)__(_dot_)__(_dot_)__(_dot_)_E_(_dot_)__(_dot_)__(_at_)_$_(_dot_)_@_(_dot_)__(_at_)__(_dot_)__(_dot_)_'|
000000f0 7f 00 00 01 7f 00 00 01 4f b1 1f 40 53 f2 1e d5 |_(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)_O1_(_dot_)__(_at_)_Sr_(_dot_)_U|
00000100 00 00 00 00 b0 02 40 00 69 3e 00 00 02 04 81 80 |_(_dot_)__(_dot_)__(_dot_)__(_dot_)_0_(_dot_)__(_at_)__(_dot_)_i>......|
00000110 01 01 04 02 01 03 03 00 01 01 08 0a 77 4d b9 ed |............wM9m|
00000120 00 00 00 00 97 bd f1 43 98 bf 00 00 44 00 00 00 |.....=qC.?..D...|
00000130 44 00 00 00 00 00 00 02 45 00 00 40 63 36 40 00 |D_(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)_E_(_dot_)__(_dot_)__(_at_)_c6@.|
00000140 40 06 d9 7f 7f 00 00 01 7f 00 00 01 1f 40 4f b1 |@_(_dot_)_Y_(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_at_)_O1|
00000150 4c 0d 44 60 53 f2 1e d6 b0 12 40 00 f7 90 00 00 |L_(_dot_)_D`Sr_(_dot_)_V0_(_dot_)__(_at_)__(_dot_)_w_(_dot_)__(_dot_)__(_dot_)_|
00000160 02 04 81 80 01 01 04 02 01 03 03 00 01 01 08 0a |................|
00000170 96 a6 4a 88 77 4d b9 ed 97 bd f1 43 a9 bf 00 00 |.&J.wM9m.=qC)?..|
00000180 38 00 00 00 38 00 00 00 00 00 00 02 45 00 00 34 |8...8.......E..4|
00000190 37 78 40 00 40 06 05 4a 7f 00 00 01 7f 00 00 01 |7x_(_at_)__(_dot_)_@..J........|
000001a0 4f b1 1f 40 53 f2 1e d6 4c 0d 44 61 80 10 40 00 |O1_(_dot_)__(_at_)_Sr_(_dot_)_VL_(_dot_)_Da_(_dot_)__(_dot_)_@.|
000001b0 b4 28 00 00 01 01 08 0a 77 4d b9 ed 96 a6 4a 88 |4(......wM9m.&J.|
000001c0 97 bd f1 43 97 c0 00 00 38 04 00 00 38 04 00 00 |_(_dot_)_=qC_(_dot_)__(_at_)__(_dot_)__(_dot_)_8_(_dot_)__(_dot_)__(_dot_)_8_(_dot_)__(_dot_)__(_dot_)_|
000001d0 00 00 00 02 45 00 04 34 4d f1 40 00 40 06 ea d0 |_(_dot_)__(_dot_)__(_dot_)__(_dot_)_E_(_dot_)__(_dot_)_4Mq_(_at_)__(_dot_)_@.jP|
000001e0 7f 00 00 01 7f 00 00 01 4f b1 1f 40 53 f2 1e d6 |_(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)_O1_(_dot_)__(_at_)_Sr_(_dot_)_V|
000001f0 4c 0d 44 61 80 18 40 00 64 2b 00 00 01 01 08 0a |L_(_dot_)_Da_(_dot_)__(_dot_)__(_at_)__(_dot_)_d+_(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)__(_dot_)_|
00000200 77 4d b9 ed 96 a6 4a 88 46 65 62 20 31 33 20 32 |wM9m.&J.Feb 13 2|
00000210 33 3a 30 30 3a 30 31 20 74 68 6f 72 20 6e 65 77 |3:00:01 thor new|
00000220 73 79 73 6c 6f 67 5b 32 33 31 38 36 5d 3a 20 6c |syslog[23186]: l|
00000230 6f 67 66 69 6c 65 20 74 75 72 6e 65 64 20 6f 76 |ogfile turned ov|
00000240 65 72 0a 46 65 62 20 31 33 20 32 33 3a 30 30 3a |er.Feb 13 23:00:|
00000250 30 31 20 74 68 6f 72 20 73 79 73 6c 6f 67 64 3a |01 thor syslogd:|
00000260 20 72 65 73 74 61 72 74 0a 46 65 62 20 31 33 20 | restart.Feb 13 |
00000270 32 33 3a 33 36 3a 30 38 20 74 68 6f 72 20 73 79 |23:36:08 thor sy|
00000280 73 6c 6f 67 64 3a 20 65 78 69 74 69 6e 67 20 6f |slogd: exiting o|
00000290 6e 20 73 69 67 6e 61 6c 20 31 35 0a 46 65 62 20 |n signal 15.Feb |
000002a0 31 34 20 30 38 3a 35 34 3a 31 36 20 74 68 6f 72 |14 08:54:16 thor|
000002b0 20 73 79 73 6c 6f 67 64 3a 20 72 65 73 74 61 72 | syslogd: restar|
000002c0 74 0a 46 65 62 20 31 34 20 30 38 3a 35 34 3a 31 |t.Feb 14 08:54:1|
000002d0 36 20 74 68 6f 72 20 2f 62 73 64 3a 20 4f 70 65 |6 thor /bsd: Ope|
000002e0 6e 42 53 44 20 33 2e 39 2d 62 65 74 61 20 28 47 |nBSD 3.9-beta (G|
000002f0 45 4e 45 52 49 43 29 20 23 30 3a 20 53 61 74 20 |ENERIC) #0: Sat |
00000300 46 65 62 20 31 31 20 31 35 3a 33 36 3a 32 31 20 |Feb 11 15:36:21 |
00000310 43 45 54 20 32 30 30 36 0a 46 65 62 20 31 34 20 |CET 2006.Feb 14 |
00000320 30 38 3a 35 34 3a 31 36 20 74 68 6f 72 20 2f 62 |08:54:16 thor /b|
00000330 73 64 3a 20 20 20 20 20 72 6f 6f 74 40 74 68 6f |sd: root_(_at_)_tho|
00000340 72 2e 72 65 63 68 6e 65 72 73 2e 6c 65 6d 61 72 |r.rechners.lemar|
00000350 69 74 2e 63 6f 6d 3a 2f 75 73 72 2f 73 72 63 2f |it.com:/usr/src/|
00000360 73 79 73 2f 61 72 63 68 2f 61 6d 64 36 34 2f 63 |sys/arch/amd64/c|
00000370 6f 6d 70 69 6c 65 2f 47 45 4e 45 52 49 43 0a 46 |ompile/GENERIC.F|
00000380 65 62 20 31 34 20 30 38 3a 35 34 3a 31 36 20 74 |eb 14 08:54:16 t|
00000390 68 6f 72 20 2f 62 73 64 3a 20 72 65 61 6c 20 6d |hor /bsd: real m|
000003a0 65 6d 20 3d 20 31 30 37 33 32 37 38 39 37 36 20 |em = 1073278976 |
000003b0 28 31 30 34 38 31 32 34 4b 29 0a 46 65 62 20 31 |(1048124K).Feb 1|
alf_(_at_)_thor:32$
Visit your host, monkey.org