Bizarre networking issue - Journal of Omnifarious

Nov. 29th, 2007

10:21 am - Bizarre networking issue

Packets appear to be being dropped between the time pcap gets them and the time they're seen by the raw:PREROUTING table. Does anybody have any ideas on why this would happen?

Here is the table:

# iptables -t raw -nL PREROUTING
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
LOG        icmp --  0.0.0.0/0            216.254.16.18       LOG flags 0 level 4 prefix `debug ' 
LOG        icmp --  0.0.0.0/0            216.254.16.17       LOG flags 0 level 4 prefix `debug2 '

And here is the result of tcpdump:

# tcpdump -eni eth0 ip host 209.40.196.143 and not tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:48:05.949100 00:90:1a:40:a2:a2 > 00:e0:81:2c:b6:e2, ethertype IPv4 (0x0800), length 98: 209.40.196.143 > 216.254.16.18: ICMP echo request, id 37964, seq 1, length 64
09:48:07.948419 00:90:1a:40:a2:a2 > 00:e0:81:2c:b6:e2, ethertype IPv4 (0x0800), length 98: 209.40.196.143 > 216.254.16.18: ICMP echo request, id 37964, seq 2, length 64
09:48:09.947579 00:90:1a:40:a2:a2 > 00:e0:81:2c:b6:e2, ethertype IPv4 (0x0800), length 98: 209.40.196.143 > 216.254.16.18: ICMP echo request, id 37964, seq 3, length 64
09:48:12.863715 00:90:1a:40:a2:a2 > 00:0d:61:91:5d:e6, ethertype IPv4 (0x0800), length 98: 209.40.196.143 > 216.254.16.17: ICMP echo request, id 49484, seq 1, length 64
09:48:12.863960 00:0d:61:91:5d:e6 > 00:90:1a:40:a2:a2, ethertype IPv4 (0x0800), length 98: 216.254.16.17 > 209.40.196.143: ICMP echo reply, id 49484, seq 1, length 64
09:48:14.864049 00:90:1a:40:a2:a2 > 00:0d:61:91:5d:e6, ethertype IPv4 (0x0800), length 98: 209.40.196.143 > 216.254.16.17: ICMP echo request, id 49484, seq 2, length 64
09:48:14.864258 00:0d:61:91:5d:e6 > 00:90:1a:40:a2:a2, ethertype IPv4 (0x0800), length 98: 216.254.16.17 > 209.40.196.143: ICMP echo reply, id 49484, seq 2, length 64
09:48:16.863956 00:90:1a:40:a2:a2 > 00:0d:61:91:5d:e6, ethertype IPv4 (0x0800), length 98: 209.40.196.143 > 216.254.16.17: ICMP echo request, id 49484, seq 3, length 64
09:48:16.864159 00:0d:61:91:5d:e6 > 00:90:1a:40:a2:a2, ethertype IPv4 (0x0800), length 98: 216.254.16.17 > 209.40.196.143: ICMP echo reply, id 49484, seq 3, length 64

And here is the kernel log (notice the complete absence of any 'debug' bits despite tcpdump clearly showing packets that would match the rule):

Nov 29 09:47:58 dark kernel: device eth0 entered promiscuous mode
Nov 29 09:47:58 dark kernel: audit(1196358478.738:10): dev=eth0 prom=256 old_prom=0 auid=4294967295
Nov 29 09:48:12 dark kernel: debug2 IN=eth0 OUT= MAC=00:0d:61:91:5d:e6:00:90:1a:40:a2:a2:08:00 SRC=209.40.196.143 DST=216.254.16.17 LEN=84 TOS=0x00 PREC=0x20 TTL=58 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=49484 SEQ=1 
Nov 29 09:48:14 dark kernel: debug2 IN=eth0 OUT= MAC=00:0d:61:91:5d:e6:00:90:1a:40:a2:a2:08:00 SRC=209.40.196.143 DST=216.254.16.17 LEN=84 TOS=0x00 PREC=0x20 TTL=58 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=49484 SEQ=2 
Nov 29 09:48:16 dark kernel: debug2 IN=eth0 OUT= MAC=00:0d:61:91:5d:e6:00:90:1a:40:a2:a2:08:00 SRC=209.40.196.143 DST=216.254.16.17 LEN=84 TOS=0x00 PREC=0x20 TTL=58 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=49484 SEQ=3 
Nov 29 09:50:31 dark kernel: debug2 IN=eth0 OUT= MAC=00:0d:61:91:5d:e6:00:90:1a:40:a2:a2:08:00 SRC=67.15.240.43 DST=216.254.16.17 LEN=78 TOS=0x00 PREC=0x20 TTL=53 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=9131 

My routing table:

# ip route ls
216.254.16.1 dev eth0  scope link
216.254.16.17 dev eth4  scope link
216.254.16.18 dev eth4  scope link
216.254.16.19 dev eth4  scope link
192.168.210.0/24 dev eth3  proto kernel  scope link  src 192.168.210.1
192.168.230.0/24 dev eth4  proto kernel  scope link  src 192.168.230.1
192.168.220.0/24 dev eth1  proto kernel  scope link  src 192.168.220.1
169.254.0.0/16 dev eth4  scope link
default via 216.254.16.1 dev eth0

The ifconfig for eth0:

eth0      Link encap:Ethernet  HWaddr 00:0D:61:91:5D:E6  
          inet addr:216.254.16.16  Bcast:216.254.16.16  Mask:255.255.255.255
          inet6 addr: fe80::20d:61ff:fe91:5de6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:321895 errors:0 dropped:0 overruns:0 frame:0
          TX packets:270299 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:173078587 (165.0 MiB)  TX bytes:150066298 (143.1 MiB)
          Interrupt:22 Base address:0xa000

Current Mood: aggravated
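
An added example, not part of the original post: it correlates the tcpdump capture with the netfilter LOG lines and compares each unlogged frame's destination MAC with eth0's HWaddr. It relies on two facts: pcap taps frames before the IP layer, and Linux's IP receive path discards frames addressed to another host's MAC before any PREROUTING hook runs. The sample lines are a subset copied from the output above; the function and variable names are this example's own.

```python
import re

# eth0 HWaddr, from the ifconfig output in the post
IFACE_MAC = "00:0d:61:91:5d:e6"

# Subset of the tcpdump -e lines from the post
TCPDUMP = """\
09:48:05.949100 00:90:1a:40:a2:a2 > 00:e0:81:2c:b6:e2, ethertype IPv4 (0x0800), length 98: 209.40.196.143 > 216.254.16.18: ICMP echo request, id 37964, seq 1, length 64
09:48:07.948419 00:90:1a:40:a2:a2 > 00:e0:81:2c:b6:e2, ethertype IPv4 (0x0800), length 98: 209.40.196.143 > 216.254.16.18: ICMP echo request, id 37964, seq 2, length 64
09:48:12.863715 00:90:1a:40:a2:a2 > 00:0d:61:91:5d:e6, ethertype IPv4 (0x0800), length 98: 209.40.196.143 > 216.254.16.17: ICMP echo request, id 49484, seq 1, length 64
09:48:12.863960 00:0d:61:91:5d:e6 > 00:90:1a:40:a2:a2, ethertype IPv4 (0x0800), length 98: 216.254.16.17 > 209.40.196.143: ICMP echo reply, id 49484, seq 1, length 64
09:48:14.864049 00:90:1a:40:a2:a2 > 00:0d:61:91:5d:e6, ethertype IPv4 (0x0800), length 98: 209.40.196.143 > 216.254.16.17: ICMP echo request, id 49484, seq 2, length 64
"""

# Matching kernel LOG lines from the post
KERNEL_LOG = """\
Nov 29 09:48:12 dark kernel: debug2 IN=eth0 OUT= MAC=00:0d:61:91:5d:e6:00:90:1a:40:a2:a2:08:00 SRC=209.40.196.143 DST=216.254.16.17 LEN=84 TOS=0x00 PREC=0x20 TTL=58 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=49484 SEQ=1
Nov 29 09:48:14 dark kernel: debug2 IN=eth0 OUT= MAC=00:0d:61:91:5d:e6:00:90:1a:40:a2:a2:08:00 SRC=209.40.196.143 DST=216.254.16.17 LEN=84 TOS=0x00 PREC=0x20 TTL=58 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=49484 SEQ=2
"""

PCAP_RE = re.compile(r"^\S+ (\S+) > (\S+), ethertype IPv4.*?: (\S+) > (\S+): "
                     r"ICMP echo request, id (\d+), seq (\d+)")
# The LOG target prints the IP ID first; the ICMP id is the ID= after CODE=.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=ICMP TYPE=8 CODE=0 ID=(\d+) SEQ=(\d+)")

def accepted_by_nic(dst_mac, iface_mac):
    """True if the frame is unicast to this NIC, or broadcast/multicast (group bit set)."""
    return dst_mac.lower() == iface_mac.lower() or bool(int(dst_mac[:2], 16) & 1)

def unlogged_requests(tcpdump_text, kernel_text, iface_mac=IFACE_MAC):
    """Echo requests pcap saw that have no matching netfilter LOG line."""
    logged = {m.groups() for m in LOG_RE.finditer(kernel_text)}
    missing = []
    for line in tcpdump_text.splitlines():
        m = PCAP_RE.match(line)
        if not m:
            continue  # echo replies and anything that is not an echo request
        _src_mac, dst_mac, src, dst, icmp_id, seq = m.groups()
        if (src, dst, icmp_id, seq) in logged:
            continue
        reason = ("unexplained" if accepted_by_nic(dst_mac, iface_mac)
                  else "other-host frame, visible only in promiscuous mode")
        missing.append((dst, int(seq), dst_mac, reason))
    return missing

if __name__ == "__main__":
    for row in unlogged_requests(TCPDUMP, KERNEL_LOG):
        print(row)
```

On the lines above, the only unlogged requests are the ones to 216.254.16.18, and both carry destination MAC 00:e0:81:2c:b6:e2 rather than eth0's 00:0d:61:91:5d:e6.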