[Winpcap-users] Unable to send or receive some IP packets on WinXP

Heyligen Tom Tom.Heyligen at thomson.net
Tue Aug 2 13:46:49 GMT 2005


Dear WinPcap-users,

WinPcap on my WinXP is unable to send (and receive, see later) some mangled or non-standard IGMP/ICMP/TCP/UDP packets. Please find below some specific sample packets, captured with libpcap/ethereal on Linux 2.6.9. Apparently, they all struggle with some length at some point?

They never appear in Ethereal, nor on the wire. These packets can however be send when changing the Ethernet type from 0x08 0x00 (IP) to e.g. 0x09 0x00 (unknown) or changing the IP protocol to e.g. 0xFF. This happens on any Ethernet interface on that machine...making me believe it must be a "security feature/setting" hidden somewhere in Windows? Strangely, I am unable to reproduce this problem on similar WinXP machines with/without SP2 installed.

I use the Win32 specific function pcap_sendpacket(pcap_t*,u_char*,int) to send the raw data. This function returns 0, so the packet should be succesfully sent...


Additionally, when trying to receive such packets, below sample packets 1 and 3 were transferred to my pcap_handler callback (and seen in Ethereal), while packet 2 wasn't...


Any ideas which part in WinPcap or WinXP is responsible for this unexpected and unwanted behavior?
P.S. No problems seen on Linux when calling write() to send and using libpcap to receive.

Thanks a lot,
 Tom.



Environment:
------------
(Although I played around with versions and OS hotfixes, in vain):
 MS WinXP SP2 (firewall and other security tools disabled)
 WinPcap v3.0
 Ethereal v0.10.10 


sample packet 1 
(IGMP part should be at least 8 bytes long?)
--------------------------------------------
Frame 1 (40 bytes on wire, 40 bytes captured)
Ethernet II, Src: 00:01:02:03:04:05, Dst: 00:0d:56:c5:01:a5
Internet Protocol, Src Addr: 192.168.1.123 (192.168.1.123), Dst Addr: 192.168.1.254 (192.168.1.254)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 26
    Identification: 0x5456 (21590)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 1
    Protocol: IGMP (0x02)
    Header checksum: 0xe0c2 (correct)
    Source: 192.168.1.123 (192.168.1.123)
    Destination: 192.168.1.254 (192.168.1.254)
Internet Group Management Protocol
    Type: Unknown (0xaa)
    Data

0000  00 0d 56 c5 01 a5 00 01 02 03 04 05 08 00 45 00   ..V...........E.
0010  00 1a 54 56 00 00 01 02 e0 c2 c0 a8 01 7b c0 a8   ..TV.........{..
0020  01 fe aa bb cc dd ee ff                           ........


sample packet 2 
(ip.hdr_len 0x06 should be 0x05?)
---------------------------------
Frame 2 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: 00:01:02:03:04:05, Dst: 00:0d:56:c5:01:a5
Internet Protocol, Src Addr: 192.168.1.123 (192.168.1.123), Dst Addr: 192.168.1.254 (192.168.1.254)
    Version: 4
    Header length: 24 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 60
    Identification: 0x0188 (392)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: ICMP (0x01)
    Header checksum: 0x736f (incorrect, should be 0x2613)
    Source: 192.168.1.123 (192.168.1.123)
    Destination: 192.168.1.254 (192.168.1.254)
    Options: (4 bytes)
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 0 (Network unreachable)
    Checksum: 0x0500 (incorrect, should be 0x525c)
    Internet Protocol, Src Addr: 113.114.115.116 (113.114.115.116), Dst Addr: 117.118.119.97 (117.118.119.97)
        Version: 6
        Header length: 20 bytes
        Differentiated Services Field: 0x66 (DSCP 0x19: Unknown DSCP; ECN: 0x02)
        Total Length: 26472
        Identification: 0x696a (26986)
        Flags: 0x06 (Don't Fragment) (More Fragments)
        Fragment offset: 23392
        Time to live: 109
        Protocol: Compaq Peer (0x6e)
        Header checksum: 0x6f70 (incorrect, should be 0x1f2d)
        Source: 113.114.115.116 (113.114.115.116)
        Destination: 117.118.119.97 (117.118.119.97)
    Data (8 bytes)

0000  00 0d 56 c5 01 a5 00 01 02 03 04 05 08 00 46 00   ..V...........F.
0010  00 3c 01 88 40 00 80 01 73 6f c0 a8 01 7b c0 a8   .<.. at ...so...{..
0020  01 fe 08 00 45 5c 03 00 05 00 61 62 63 64 65 66   ....E\....abcdef
0030  67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76   ghijklmnopqrstuv
0040  77 61 62 63 64 65 66 67 68 69                     wabcdefghi


sample packet 3
(ip.len 0x00 0x3C is too long?)
-------------------------------
Frame 3 (41 bytes on wire, 41 bytes captured)
Ethernet II, Src: 00:01:02:03:04:05, Dst: 00:0d:56:c5:01:a5
Internet Protocol, Src Addr: 192.168.1.123 (192.168.1.123), Dst Addr: 192.168.1.254 (192.168.1.254)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 60
    Identification: 0x0188 (392)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: ICMP (0x01)
    Header checksum: 0x746f (correct)
    Source: 192.168.1.123 (192.168.1.123)
    Destination: 192.168.1.254 (192.168.1.254)
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0 
    Checksum: 0x455c (incorrect, should be 0xefff)
    Identifier: 0x0300
[Malformed Packet: ICMP]

0000  00 0d 56 c5 01 a5 00 01 02 03 04 05 08 00 45 00   ..V...........E.
0010  00 3c 01 88 40 00 80 01 74 6f c0 a8 01 7b c0 a8   .<.. at ...to...{..
0020  01 fe 08 00 45 5c 03 00 05                        ....E\...



More information about the Winpcap-users mailing list