[Ntop-misc] Re: IP defragmentation doesn't seem to work

Tue Dec 18 02:27:09 CET 2007

Michael,
anything seems to work fine at least under 2.6.23.1 with the latest
version of PF_RING.
Can you help me to reproduce the bug?
Could you send me a capture of your traffic?

Thanks,
Francesco

Michael Stiller wrote:
> Hi List, 
> 
> i'm using PF_RING 3.7.1 (current svn) with 2.6.22.7 or 2.6.23.1 and have
> problems with ip defragmentation. The module reports it as enabled:
> 
> Version             : 3.7.1
> Bucket length       : 9000 bytes
> Ring slots          : 11650
> Slot version        : 8
> Capture TX          : No [RX only]
> IP Defragment       : Yes
> Total rings         : 0
> 
> My application uses the following code snippet:
> 
> if (unlikely((ntohs(ip->frag_off) & (IP_OFFMASK | IP_MF)) != 0)) {
>         int offset = ntohs(ip->frag_off);
>         offset &= IP_OFFMASK;
>         offset <<= 3;
>         nf++;
>         warn "Fragmentation: 0x%04x, id: 0x%04x, %d, len: %d\n",
>                 ntohs(ip->frag_off), ntohs(ip->id), offset,
> ntohs(ip->tot_len));
>         return; // ignore fragmented
> }
> 
> During capture this shows:
> 
> Fragmentation: 0x2000, id: 0xa592, 0, len: 60
> Fragmentation: 0x0005, id: 0xa592, 40, len: 1500
> Fragmentation: 0x2000, id: 0xfc99, 0, len: 1500
> Fragmentation: 0x00b9, id: 0xfc99, 1480, len: 60
> Fragmentation: 0x0005, id: 0xbe28, 40, len: 1500
> Fragmentation: 0x2000, id: 0xbe28, 0, len: 60
> Fragmentation: 0x2000, id: 0xbe2a, 0, len: 60
> Fragmentation: 0x0005, id: 0xbe2a, 40, len: 1500
> Fragmentation: 0x2000, id: 0xbe2b, 0, len: 52
> Fragmentation: 0x0004, id: 0xbe2b, 32, len: 1500
> Fragmentation: 0x2000, id: 0xf37a, 0, len: 1500
> Fragmentation: 0x00b9, id: 0xf37a, 1480, len: 60
> Fragmentation: 0x2000, id: 0xe300, 0, len: 44
> Fragmentation: 0x2000, id: 0xe301, 0, len: 44
> Fragmentation: 0x0003, id: 0xe300, 24, len: 1488
> Fragmentation: 0x0003, id: 0xe301, 24, len: 1488
> 
> I would say, this doesn't look bogus actually. 
> 
> 0x2000 is the "More Fragments" bit of the ip_off field, 
> the id of the corresponding packets match, the length and offset values
> look reasonable. 
> 
> BUT: Why does this happen? It should not, if ip defrag is enabled in 
> the pf_ring module? 
> 
> I tried to debug this, but without luck so far. 
> I defined RING_DEBUG but never got the 
> "There is a fragment to handle [proto=%d][frag_off=%u] [ip_id=%u]\n"
> printout, even if the application reported fragments. 
> 
> I printed the iphdr->frag_off value and got only 0x4000 and 0x0000
> values in the ring module. 
> 
> What should i do, how can i debug this?
> 
> Cheers,
> 
> -Michael
> 
> 
> 
> 

-- 
Fusco Francesco - <fusco at ntop.org>