Interesting Traces - Routing Loop

I was originally asked to explain the reason for the fast retransmissions done by 10.1.3.5. What I was sent was the following summary. Since all the sequence numbers are the same (726811823) and all the lengths are the same (512), it was thought that these are retransmissions.
Packet Source   Destination   Delta Time                                Summary   
77   192.168.1.1   10.1.3.5   0.095424   "Src=60761,Dst= 4000,.A....,S=2329514902,L=    0,A= 726811823,W=32768"
86   10.1.3.5   192.168.1.1   0.062624   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
87   10.1.3.5   192.168.1.1   0.000704   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
90   10.1.3.5   192.168.1.1   0.002688   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
91   10.1.3.5   192.168.1.1   0.000672   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
92   10.1.3.5   192.168.1.1   0.002560   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
94   10.1.3.5   192.168.1.1   0.018656   "Src= 4000,Dst=60761,.A....,S= 726812335,L=  512,A=2329514902,W=11468"
103  10.1.3.5   192.168.1.1   0.115520   "Src= 4000,Dst=60761,.A....,S= 726812335,L=  512,A=2329514902,W=11468"
105  10.1.3.5   192.168.1.1   0.000832   "Src= 4000,Dst=60761,.A....,S= 726812335,L=  512,A=2329514902,W=11468"
106  10.1.3.5   192.168.1.1   0.003520   "Src= 4000,Dst=60761,.A....,S= 726812335,L=  512,A=2329514902,W=11468"
110  10.1.3.5   192.168.1.1   0.060064   "Src= 4000,Dst=60761,.A....,S= 726812847,L=  512,A=2329514902,W=11468"
112  10.1.3.5   192.168.1.1   0.002496   "Src= 4000,Dst=60761,.A....,S= 726812847,L=  512,A=2329514902,W=11468"
113  10.1.3.5   192.168.1.1   0.000672   "Src= 4000,Dst=60761,.A....,S= 726812847,L=  512,A=2329514902,W=11468"
115  10.1.3.5   192.168.1.1   0.002880   "Src= 4000,Dst=60761,.A....,S= 726812847,L=  512,A=2329514902,W=11468"
123  192.168.1.1   10.1.3.5   0.032192   "Src=60761,Dst= 4000,.A....,S=2329514902,L=    0,A= 726812335,W=32768"
However, the delta times are very small. It is possible that these transmissions were triggered by the fast retransmission algorithm, but if that were the case I would expect to see ACKs arriving from 192.168.1.1 to trigger the retransmissions; that is not the case.

The data in the complete trace tells the real story. The key is to look at the IP-ID value in each packet. Each unique IP packet should have a unique ID value (at least until the 16-bit value wraps back to 0). In this case all the packets with the same sequence number have the same ID value. This tells me that these are not retransmissions. Now looking at the Time To Live (TTL) value tells me what the problem is. Each time through a router the TTL is decremented, which is what we have here.

Packet Source   Destination   Delta Time IP-ID   TTL                                 Summary   
86   10.1.3.5   192.168.1.1   0.062624   11583   63   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
87   10.1.3.5   192.168.1.1   0.000704   11583   62   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
90   10.1.3.5   192.168.1.1   0.002688   11583   61   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
91   10.1.3.5   192.168.1.1   0.000672   11583   60   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
92   10.1.3.5   192.168.1.1   0.002560   11583   59   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
Finally, look at the physical addresses, which will tell you who is actually sending the packets and make the looping obvious. We have 00:10:7B:xx:yy:01 sending to 00:0D:65:xx:yy:02, which sends it back to 00:10:7B:xx:yy:01. This happens twice before 00:10:7B:xx:yy:01 sends the packet to 00:0C:85:xx:yy:03 instead of back to 00:0D:65:xx:yy:02.
Packet Source    Source Physical    Destination   Dest. Physical      Delta Time IP-ID   TTL                                 Summary   
86   10.1.3.5   00:10:7B:xx:yy:01   192.168.1.1   00:0D:65:xx:yy:02   0.062624   11583   63   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
87   10.1.3.5   00:0D:65:xx:yy:02   192.168.1.1   00:10:7B:xx:yy:01   0.000704   11583   62   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
90   10.1.3.5   00:10:7B:xx:yy:01   192.168.1.1   00:0D:65:xx:yy:02   0.002688   11583   61   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
91   10.1.3.5   00:0D:65:xx:yy:02   192.168.1.1   00:10:7B:xx:yy:01   0.000672   11583   60   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
92   10.1.3.5   00:10:7B:xx:yy:01   192.168.1.1   00:0C:85:xx:yy:03   0.002560   11583   59   "Src= 4000,Dst=60761,.A....,S= 726811823,L=  512,A=2329514902,W=11468"
So the issue has nothing to do with fast retransmissions but with a loop in the routing tables. The really interesting thing is that the trace is full of these sequences of packets. Each packet from 10.1.3.5 loops between 2 and 4 times and then gets sent to 00:0C:85:xx:yy:03. What I'd love to do is get a look at the routing table on 00:10:7B:xx:yy:01 to see why it switches between 00:0D:65:xx:yy:02 and 00:0C:85:xx:yy:03.
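
The three checks used above (IP-ID, TTL, physical addresses) can be run mechanically over a trace export. The Python below is an added example, not part of the original page: rows 86-92 are copied from the trace above, while rows 200-201, the column layout and the function names are constructed for illustration.

```python
from collections import defaultdict

# Rows 86-92: the page's trace (MACs masked as on the page).
# Rows 200-201: constructed, to show a genuine retransmission for contrast.
# Fields: packet, src IP, src MAC, dst IP, dst MAC, IP-ID, TTL, TCP seq
TRACE = """\
86 10.1.3.5 00:10:7B:xx:yy:01 192.168.1.1 00:0D:65:xx:yy:02 11583 63 726811823
87 10.1.3.5 00:0D:65:xx:yy:02 192.168.1.1 00:10:7B:xx:yy:01 11583 62 726811823
90 10.1.3.5 00:10:7B:xx:yy:01 192.168.1.1 00:0D:65:xx:yy:02 11583 61 726811823
91 10.1.3.5 00:0D:65:xx:yy:02 192.168.1.1 00:10:7B:xx:yy:01 11583 60 726811823
92 10.1.3.5 00:10:7B:xx:yy:01 192.168.1.1 00:0C:85:xx:yy:03 11583 59 726811823
200 10.1.3.5 00:10:7B:xx:yy:01 192.168.1.1 00:0C:85:xx:yy:03 20001 59 726900000
201 10.1.3.5 00:10:7B:xx:yy:01 192.168.1.1 00:0C:85:xx:yy:03 20002 59 726900000
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        pkt, src, smac, dst, dmac, ipid, ttl, seq = line.split()
        rows.append(dict(pkt=int(pkt), src=src, smac=smac, dst=dst, dmac=dmac,
                         ipid=int(ipid), ttl=int(ttl), seq=int(seq)))
    return rows

def classify(rows):
    """Label every TCP segment that was captured more than once."""
    by_segment = defaultdict(list)
    for r in rows:
        by_segment[(r["src"], r["dst"], r["seq"])].append(r)
    findings = {}
    for key, seen in by_segment.items():
        if len(seen) < 2:
            continue
        ttls = [r["ttl"] for r in seen]
        same_datagram = len({r["ipid"] for r in seen}) == 1
        ttl_falling = all(a > b for a, b in zip(ttls, ttls[1:]))
        if same_datagram and ttl_falling:
            # One datagram re-crossing the capture point: keep each L2 hop.
            hops = [(r["smac"], r["dmac"]) for r in seen]
            findings[key] = ("routing-loop", ttls[0] - ttls[-1], hops)
        elif not same_datagram:
            # New IP-ID for the same TCP data: the sender really resent it.
            findings[key] = ("retransmission", 0, [])
        else:
            # Same IP-ID, TTL not falling: the analyzer saw the frame twice.
            findings[key] = ("duplicate-capture", 0, [])
    return findings

if __name__ == "__main__":
    for key, result in classify(parse(TRACE)).items():
        print(key, result)
```

A TTL drop of 4 across the five captures of IP-ID 11583 means the datagram passed through a router four times between the first and last time the analyzer saw it.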

This page was last modified on 03-12-12