Snort mailing list archives
Solaris checksum problem
From: Hector Urdaneta <hector () flowstorm com>
Date: Tue, 04 Jun 2002 12:15:18 -0700
Hi,

I've been running snort-1.8.6 under Linux and Solaris, and getting different results for the TCP checksums. For the same packets, under Linux the (TCP) checksum function call returns a value of 0, while for Solaris it returns a non-0 value. In particular I am referring to the checksum call made inside the DecodeTCP function (decode.c:1616). I do not know yet what is causing the problem, maybe an endianness problem with the way the checksum is computed?

Thanks for any leads,

Hector Urdaneta

PS. Here's what I've tracked down. In the file decode.c, I added a breakpoint right after the call to the checksum function (decode.c:1618).

    if(pv.checksums_mode & DO_TCP_CHECKSUMS)
    {
        /* setup the pseudo header for checksum calculation */
        ph.sip = (u_int32_t)(p->iph->ip_src.s_addr);
        ph.dip = (u_int32_t)(p->iph->ip_dst.s_addr);
        ph.zero = 0;
        ph.protocol = p->iph->ip_proto;
        ph.tcplen = htons((u_short)len);

        /* if we're being "stateless" we probably don't care about the TCP
         * checksum, but it's not bad to keep around for shits and giggles */

        /* calculate the checksum */
        csum = checksum((u_int16_t *)&ph, 12, (u_int16_t *)(p->tcph), len);

    break>> if(csum)
        {
            p->csum_flags |= CSE_TCP;
            DebugMessage(DEBUG_DECODE, "Bad TCP checksum\n");
        }
        ...
    }

Running snort under Linux:

    GNU DDD 3.3.1 (i686-pc-linux-gnu), by Dorothea Lütkehaus and Andreas Zeller.
    Copyright © 1995-1999 Technische Universität Braunschweig, Germany.
    Copyright © 1999-2001 Universität Passau, Germany.
    (gdb) break decode.c:1618
    Breakpoint 1 at 0x8055502: file ../snort-1.8.6/decode.c, line 1618.
    (gdb) run -A fast -l ./log -r ~/data/packet1.pcap -c ./snort-1.8.6/snort.conf
    Log directory = ./log
    TCPDUMP file reading mode.
    Reading network traffic from "/home/hector/data/packet1.pcap" file.
    snaplen = 1514

            --== Initializing Snort ==--
    ..
            --== Initialization Complete ==--

    -*> Snort! <*-
    Version 1.8.6 (Build 105)
    By Martin Roesch (roesch () sourcefire com, www.snort.org)

    Breakpoint 1, DecodeTCP (pkt=0x80dfcf4 "", len=47, p=0xbffff160) at ./snort-1.8.6/decode.c:1618
    (gdb) print /x ph
    $1 = {sip = 0xe25083d0, dip = 0xce21c63f, zero = 0x0, protocol = 0x6, tcplen = 0x2f00}
    (gdb) print /x *p->tcph
    $2 = {th_sport = 0x1700, th_dport = 0x7706, th_seq = 0x4fe2a52f, th_ack = 0x9c8ff5e8, th_x2 = 0x0, th_off = 0x5, th_flags = 0x18, th_win = 0x7044, th_sum = 0xaa84, th_urp = 0x0}
    (gdb) print /x len
    $3 = 0x2f
    (gdb) print csum
    $4 = 0
    (gdb)

Same experiment under Solaris:

    GNU DDD 3.3 (sparc-sun-solaris2.8), by Dorothea Lütkehaus and Andreas Zeller.
    Copyright © 1995-1999 Technische Universität Braunschweig, Germany.
    Copyright © 1999-2001 Universität Passau, Germany.
    (gdb) break decode.c:1618
    Breakpoint 1 at 0x8055502: file Breakpoint 1 at 0x2b74c
    (gdb) run -A fast -l ./log -r ~/data/packet1.pcap -c ./snort-1.8.6/snort.conf
    Log directory = ./log
    TCPDUMP file reading mode.
    Reading network traffic from "/home/hector/data/packet1.pcap" file.
    snaplen = 1514

            --== Initializing Snort ==--
    ..
            --== Initialization Complete ==--

    -*> Snort! <*-
    Version 1.8.6 (Build 105)
    By Martin Roesch (roesch () sourcefire com, www.snort.org)

    Breakpoint 1, DecodeTCP (pkt=0xec0dc "", len=47, p=0xffbef450) at ./snort-1.8.6/decode.c:1618
    (gdb) print /x ph
    $1 = {sip = 0xd08350e2, dip = 0x3fc621ce, zero = 0x0, protocol = 0x6, tcplen = 0x2f}
    (gdb) print /x *p->tcph
    $2 = {th_sport = 0x17, th_dport = 0x677, th_seq = 0x2fa5e24f, th_ack = 0xe8f58f9c, th_off = 0x5, th_x2 = 0x0, th_flags = 0x18, th_win = 0x4470, th_sum = 0x84aa, th_urp = 0x0}
    (gdb) print /x len
    $3 = 0x2f
    (gdb) print csum
    $4 = 2550
    (gdb)

Notice Linux and Solaris get the same input (ph, p->tcph and len), except for the different endian order. The Linux checksum call returns a 0 value, while the Solaris one does not. I therefore get a "Bad TCP checksum" under Solaris. (Note: same problem/same value under MIPS.)
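Added example, not Snort's checksum code: an RFC 1071 TCP checksum accumulated byte-wise in network order, so host byte order cannot change the result and the trailing byte of an odd-length segment (the report's len=47) is padded on the right as the standard requires. The header bytes are the ones printed above; the IP addresses and the 27-byte payload are constructed, so the resulting checksum is not the packet's 0xaa84.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One's-complement accumulation over raw bytes. Each pair is combined as a
 * big-endian word regardless of host order, and a trailing odd byte becomes
 * the high-order half of a final zero-padded word (RFC 1071). Adding that
 * byte as a plain value instead is the classic host-order pitfall. */
static uint32_t ones_sum(const uint8_t *data, size_t len, uint32_t acc) {
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        acc += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1)
        acc += (uint32_t)data[len - 1] << 8;
    return acc;
}

/* TCP checksum over the 12-byte pseudo header plus the segment, as a host
 * integer. Computed over a received segment it yields 0 when the embedded
 * checksum is valid. */
uint16_t tcp_checksum(const uint8_t src_ip[4], const uint8_t dst_ip[4],
                      const uint8_t *segment, size_t len) {
    uint8_t ph[12];
    uint32_t acc;
    memcpy(ph, src_ip, 4);
    memcpy(ph + 4, dst_ip, 4);
    ph[8] = 0; ph[9] = 6;                 /* zero, protocol = TCP */
    ph[10] = (uint8_t)(len >> 8); ph[11] = (uint8_t)len;
    acc = ones_sum(ph, sizeof ph, 0);
    acc = ones_sum(segment, len, acc);
    while (acc >> 16)                     /* fold carries */
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Constructed 47-byte segment (20-byte header + 27-byte payload), the same
 * odd length as the packet in the report. Returns 1 when the checksum we
 * write into bytes 16..17 verifies to zero on re-computation. */
int demo_roundtrip(void) {
    static const uint8_t src[4] = {10, 0, 0, 1}, dst[4] = {10, 0, 0, 2};
    uint8_t seg[47] = {0x00, 0x17, 0x06, 0x77, 0x4f, 0xe2, 0xa5, 0x2f,
                       0x9c, 0x8f, 0xf5, 0xe8, 0x50, 0x18, 0x70, 0x44,
                       0x00, 0x00, 0x00, 0x00};   /* th_sum zeroed */
    uint16_t sum;
    memcpy(seg + 20, "hello from the odd segment!", 27); /* constructed */
    sum = tcp_checksum(src, dst, seg, sizeof seg);
    seg[16] = (uint8_t)(sum >> 8);
    seg[17] = (uint8_t)sum;
    return tcp_checksum(src, dst, seg, sizeof seg) == 0;
}
```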