Interesting Traces - Sometimes it isn't the network

This is an example of the importance of looking at both sides of a connection, not to mention really understanding the tools that you are using and, of course, not jumping to conclusions.

I was working on an MTU problem and decided to bypass the application, which took a significant amount of setup. Instead, I figured I could use netcat on the client host to send a long UDP packet to an echo server on the server host. Sure enough, when I sent 1162 bytes of data (1162 + 20 + 8 = 1190 Total Length) I did NOT get 1162 bytes of data back. Instead I got only 1024 (1024 + 20 + 8 = 1052 Total Length).

So I figured something in the path was somehow fragmenting the packet incorrectly.

However, a trace taken with snoop on the actual echo server host tells the real tale. All 1190 bytes of data made it to the echo server, which echoed back only 1052 bytes.

What did I learn

This trace taken at the client end was done with WildPackets' EtherPeek.

Packet Info
  Flags:                0x00000000
  Status:               0x00000001
  Packet Length:        1208
  Timestamp:            11:45:03.881569800 08/11/2005
Ethernet Header
IP Header - Internet Protocol Datagram
  Version:              4
  Header Length:        5  (20 bytes)
  Differentiated Services:%00000000
  Total Length:         1190
  Identifier:           63418
  Fragmentation Flags:  %000
  Fragment Offset:      0  (0 bytes)
  Time To Live:         128
  Protocol:             17  UDP
  Header Checksum:      0xE9CF
  Source IP Address:    YYY.YYY.77.50
  Dest. IP Address:     XXX.XXX.220.130
UDP - User Datagram Protocol
  Source Port:          2281  lnvconsole
  Destination Port:     7  echo
  Length:               1170
  UDP Checksum:         0x2806
Echo Protocol
  Echo Data:
  1111111111111111  31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31
. . .
FCS - Frame Check Sequence
  FCS:                  0x9B669400  Calculated



Packet Info
  Flags:                0x00000000
  Status:               0x00000001
  Packet Length:        1070
  Timestamp:            11:45:04.003317800 08/11/2005
Ethernet Header
IP Header - Internet Protocol Datagram
  Version:              4
  Header Length:        5  (20 bytes)
  Differentiated Services:%00000000
  Total Length:         1052
  Identifier:           8501
  Fragmentation Flags:  %010
  Fragment Offset:      0  (0 bytes)
  Time To Live:         55
  Protocol:             17  UDP
  Header Checksum:      0xC9DF
  Source IP Address:    XXX.XXX.220.130
  Dest. IP Address:     YYY.YYY.77.50
UDP - User Datagram Protocol
  Source Port:          7  echo
  Destination Port:     2281  lnvconsole
  Length:               1032
  UDP Checksum:         0x37CF
Echo Protocol
  Echo Data:
  1111111111111111  31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31
. . .
FCS - Frame Check Sequence
  FCS:                  0x25CBE41C  Calculated

This trace taken at the server end was done with snoop.
ETHER:  ----- Ether Header -----
IP:   ----- IP Header -----
IP:   
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:   Total length = 1190 bytes
IP:   Identification = 63418
IP:   Flags = 0x0
IP:   Fragment offset = 0 bytes
IP:   Time to live = 123 seconds/hops
IP:   Protocol = 17 (UDP)
IP:   Header checksum = eecf
IP:   Source address = YYY.YYY.77.50
IP:   Destination address = XXX.XXX.220.130
IP:   No options
IP:   
UDP:  ----- UDP Header -----
UDP:  
UDP:  Source port = 2281
UDP:  Destination port = 7 (ECHO)
UDP:  Length = 1170 
UDP:  Checksum = 2806 
UDP:  
ECHO:  ----- ECHO:   -----
ECHO:  
ECHO:  "111111111111111111111111111111111111111111111111111111111111"
ECHO:  

ETHER:  ----- Ether Header -----
IP:   ----- IP Header -----
IP:   
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:   Total length = 1052 bytes
IP:   Identification = 8501
IP:   Flags = 0x4
IP:   Fragment offset = 0 bytes
IP:   Time to live = 60 seconds/hops
IP:   Protocol = 17 (UDP)
IP:   Header checksum = c4df
IP:   Source address = XXX.XXX.220.130
IP:   Destination address = YYY.YYY.77.50
IP:   No options
IP:   
UDP:  ----- UDP Header -----
UDP:  
UDP:  Source port = 7
UDP:  Destination port = 2281 
UDP:  Length = 1032 
UDP:  Checksum = 37CF 
UDP:  
ECHO:  ----- ECHO:   -----
ECHO:  
ECHO:  "111111111111111111111111111111111111111111111111111111111111"
ECHO:  
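
The both-ends comparison described above, as an added example (not code from the original page): it reads the IP Total Length, Identifier and source address from the EtherPeek and snoop layouts shown here and reports whether the bytes went missing in the path or on the server. The function names, the constructed excerpts and the restriction to unfragmented datagrams are assumptions of this example.

```python
import re

# Constructed excerpts: only the IP fields needed, values copied from this page's traces.
CLIENT_ETHERPEEK = """\
  Total Length:         1190
  Identifier:           63418
  Source IP Address:    YYY.YYY.77.50
  Total Length:         1052
  Identifier:           8501
  Source IP Address:    XXX.XXX.220.130
"""
SERVER_SNOOP = """\
IP:   Total length = 1190 bytes
IP:   Identification = 63418
IP:   Source address = YYY.YYY.77.50
IP:   Total length = 1052 bytes
IP:   Identification = 8501
IP:   Source address = XXX.XXX.220.130
"""

# Matches the three fields in either tool's layout ("Name: value" or "Name = value").
FIELD = re.compile(
    r"(Total length|Identifier|Identification|Source (?:IP )?address)\s*[:=]\s*(\S+)", re.I)

def parse(trace):
    """Return {(source_ip, ip_id): total_length} for each datagram in a trace."""
    packets, cur = {}, {}
    for name, value in FIELD.findall(trace):
        name = name.lower()
        if name == "total length":
            cur = {"len": int(value)}          # first field of a new IP header
        elif name.startswith("ident"):
            cur["id"] = int(value)
        else:                                  # source address completes the record
            packets[(value, cur["id"])] = cur["len"]
    return packets

def diagnose(client_trace, server_trace, client_ip):
    """Hypothetical helper: were bytes lost in the path or on the server host?"""
    client, server = parse(client_trace), parse(server_trace)
    # A datagram missing at one end, or with a different length, changed in transit.
    altered = sorted(k for k in client.keys() | server.keys()
                     if client.get(k) != server.get(k))
    if altered:
        return "path", altered
    # Path is clean: compare what the server received with what it sent back.
    received = sum(n for (src, _), n in server.items() if src == client_ip)
    echoed = sum(n for (src, _), n in server.items() if src != client_ip)
    return ("server", received - echoed) if echoed < received else ("ok", 0)
```

Calling `diagnose(CLIENT_ETHERPEEK, SERVER_SNOOP, "YYY.YYY.77.50")` on these excerpts returns `("server", 138)`: both datagrams have the same length at each capture point, and the 138-byte shortfall is already present in the reply as it leaves the server.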


This page was last modified on 05-08-12
Send comments and suggestions to ndav1@cox.net