7759 – r8169 driver sends TCP packets shorter than 20 bytes, according to snort

Bug 7759 - r8169 driver sends TCP packets shorter than 20 bytes, according to snort

Summary: r8169 driver sends TCP packets shorter than 20 bytes, according to snort

Status:	CLOSED CODE_FIX

Alias:	None

Product:	Drivers
Classification:	Unclassified
Component:	Network (show other bugs)
Hardware:	i386 Linux

Importance:	P2 normal
Assignee:	Francois Romieu

URL:
Keywords:

Depends on:
Blocks:

Reported:	2007-01-02 00:39 UTC by Leonard Norrgard
Modified:	2007-01-10 15:57 UTC (History)
CC List:	1 user (show)

See Also:
Kernel Version:	v2.6.20-rc3-ge22a9a8
Subsystem:
Regression:	---
Bisected commit-id:

Attachments
Output of lspci -nn -vvv (19.55 KB, text/plain) 2007-01-02 00:45 UTC, Leonard Norrgard	Details
/var/log/dmesg (19.61 KB, text/plain) 2007-01-02 00:48 UTC, Leonard Norrgard	Details
config (69.65 KB, text/plain) 2007-01-02 00:52 UTC, Leonard Norrgard	Details
Output of lspci -nn -vvx (24.73 KB, text/plain) 2007-01-02 00:55 UTC, Leonard Norrgard	Details
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Description Leonard Norrgard 2007-01-02 00:39:46 UTC

Most recent kernel where this bug did *NOT* occur: ?
Distribution: Debian testing (Etch), but with git master kernel
Hardware Environment:
MSI K9A Platinum, which has both of these networking chips:

    Realtek RTL8110SC
http://www.realtek.com.tw/search/default.aspx?keyword=RTL8110SC

    Realtek RTL8111B http://www.realtek.com.tw/search/default.aspx?keyword=RTL8111B

Software Environment: 64-bit
Problem Description: Sends TCP packets shorter than 20 bytes, according to snort

Steps to reproduce:

0) Install snort
1) # tail -f /var/log/snort/alert
2) Point web browser at http://tomshardware.com
3) Snort logs many short TCP packets.

Output in /var/log/snort/alert:

[**] [116:45:1] (snort_decoder) TCP packet len is smaller than 20 bytes! [**]
01/02-09:44:42.285601 192.168.21.7:0 -> 216.92.211.178:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:32 DF
TCP header truncated

[**] [116:45:1] (snort_decoder) TCP packet len is smaller than 20 bytes! [**]
01/02-09:44:42.286644 192.168.21.7:0 -> 216.92.211.178:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:32 DF
TCP header truncated

[**] [116:45:1] (snort_decoder) TCP packet len is smaller than 20 bytes! [**]
01/02-09:44:43.484722 192.168.21.7:0 -> 216.92.211.178:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:32 DF
TCP header truncated

[**] [116:45:1] (snort_decoder) TCP packet len is smaller than 20 bytes! [**]
01/02-09:44:43.485875 192.168.21.7:0 -> 216.92.211.178:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:32 DF
TCP header truncated

[**] [116:45:1] (snort_decoder) TCP packet len is smaller than 20 bytes! [**]
01/02-09:44:45.685176 192.168.21.7:0 -> 216.92.211.178:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:32 DF
TCP header truncated

[**] [116:45:1] (snort_decoder) TCP packet len is smaller than 20 bytes! [**]
01/02-09:44:45.685622 192.168.21.7:0 -> 216.92.211.178:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:32 DF
TCP header truncated

[**] [116:45:1] (snort_decoder) TCP packet len is smaller than 20 bytes! [**]
01/02-09:44:49.884532 192.168.21.7:0 -> 216.92.211.178:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:32 DF
TCP header truncated

[**] [116:45:1] (snort_decoder) TCP packet len is smaller than 20 bytes! [**]
01/02-09:44:49.884963 192.168.21.7:0 -> 216.92.211.178:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:32 DF
TCP header truncated

[**] [116:45:1] (snort_decoder) TCP packet len is smaller than 20 bytes! [**]
01/02-09:44:58.083339 192.168.21.7:0 -> 216.92.211.178:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:32 DF
TCP header truncated

[**] [116:45:1] (snort_decoder) TCP packet len is smaller than 20 bytes! [**]
01/02-09:44:58.083544 192.168.21.7:0 -> 216.92.211.178:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:32 DF
TCP header truncated

[**] [116:45:1] (snort_decoder) TCP packet len is smaller than 20 bytes! [**]
01/02-09:45:14.280559 192.168.21.7:0 -> 216.92.211.178:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:32 DF
TCP header truncated

[**] [116:45:1] (snort_decoder) TCP packet len is smaller than 20 bytes! [**]
01/02-09:45:14.280752 192.168.21.7:0 -> 216.92.211.178:0
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:32 DF
TCP header truncated

Comment 1 Leonard Norrgard 2007-01-02 00:45:43 UTC

Created attachment 9986 [details]
Output of lspci -nn -vvv

Comment 2 Leonard Norrgard 2007-01-02 00:48:35 UTC

Created attachment 9987 [details]
/var/log/dmesg

Comment 3 Leonard Norrgard 2007-01-02 00:52:53 UTC

Created attachment 9988 [details]
config

Comment 4 Leonard Norrgard 2007-01-02 00:55:21 UTC

Created attachment 9989 [details]
Output of lspci -nn -vvx

Comment 5 Francois Romieu 2007-01-02 12:04:35 UTC

Thanks for the information.

I have more questions:
- was the web session performed under X ? If so, may I assume that no binary
driver was loaded ?
- can you catch the traffic with a 'tcpdump -w file.pcap -i ethX' and attach it ?
  I'd prefer to see everything which goes through the interface but feel free to
add an 'arp or port 80' if your privacy matters.
- please send ifconfig and ethtool -i ethX for the interfaces so that I can
figure which interface is implied.

-- 
Ueimor

Comment 6 Leonard Norrgard 2007-01-10 15:57:09 UTC

Francois,

This doesn't seem to happen anymore on this box, after I upgraded it to Linux
2.6.20-rc4-gf3a2c3e today. Closing the issue now.

>- was the web session performed under X ? If so, may I assume that no binary
driver was loaded ?

The test for the bugzilla submission was done with X disabled + reboot (the
proprietary driver was thus never loaded in the kernel).  I then used ssh -X
from another box to run Firefox and Konqueror (to confirm the problem was
independent of the web browser used).

The test was running on the 02:00.0 device (IRQ 18):

02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd.
RTL8111/8168B PCI Express Gigabit Ethernet controller [10ec:8168] (rev 01)

Note You need to log in before you can comment on or make changes to this bug.