[Snort-users] Solaris checksum problem

Hector Urdaneta hector at ...6012...
Tue Jun 4 17:11:34 EDT 2002


Hi,

I've been running snort-1.8.6 under Linux and Solaris, and getting
different results for the TCP checksums. For the same packets, under
Linux the (TCP) checksum function call returns a value of 0, while for
Solaris it returns a non-0 value. In particular I am referring to the
checksum call made inside the DecodeTCP function (decode.c:1616).

I do not know yet what is causing the problem; maybe an endianness
problem with the way the checksum is computed?


Thanks for any leads,
Hector Urdaneta


PS. Here's what I've tracked down.

In the file decode.c, I added a breakpoint right after the call to the
checksum function (decode.c:1618).

    if(pv.checksums_mode & DO_TCP_CHECKSUMS)
    {
        /* setup the pseudo header for checksum calculation */
        ph.sip = (u_int32_t)(p->iph->ip_src.s_addr);
        ph.dip = (u_int32_t)(p->iph->ip_dst.s_addr);
        ph.zero = 0;
        ph.protocol = p->iph->ip_proto;
        ph.tcplen = htons((u_short)len);

        /* if we're being "stateless" we probably don't care about the TCP
         * checksum, but it's not bad to keep around for shits and giggles */
        /* calculate the checksum */
        csum = checksum((u_int16_t *)&ph, 12, (u_int16_t *)(p->tcph), len);

break>> if(csum)
        {
            p->csum_flags |= CSE_TCP;

            DebugMessage(DEBUG_DECODE, "Bad TCP checksum\n");
        }
        ...
    }

Running snort under linux:
GNU DDD 3.3.1 (i686-pc-linux-gnu), by Dorothea Lütkehaus and Andreas Zeller.
Copyright © 1995-1999 Technische Universität Braunschweig, Germany.
Copyright © 1999-2001 Universität Passau, Germany.
(gdb) break decode.c:1618
Breakpoint 1 at 0x8055502: file ../snort-1.8.6/decode.c, line 1618.
(gdb) run -A fast -l ./log -r ~/data/packet1.pcap -c
./snort-1.8.6/snort.conf
Log directory = ./log
TCPDUMP file reading mode.
Reading network traffic from "/home/hector/data/packet1.pcap" file.
snaplen = 1514

          --== Initializing Snort ==--
..
          --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch at ...1935..., www.snort.org)

Breakpoint 1, DecodeTCP (pkt=0x80dfcf4 "", len=47, p=0xbffff160) at ./snort-1.8.6/decode.c:1618
(gdb) print /x ph
$1 = {sip = 0xe25083d0, dip = 0xce21c63f, zero = 0x0, protocol = 0x6, tcplen = 0x2f00}
(gdb) print /x *p->tcph
$2 = {th_sport = 0x1700, th_dport = 0x7706, th_seq = 0x4fe2a52f, th_ack = 0x9c8ff5e8, th_x2 = 0x0, th_off = 0x5, th_flags = 0x18, th_win = 0x7044, th_sum = 0xaa84, th_urp = 0x0}
(gdb) print /x len
$3 = 0x2f
(gdb) print csum
$4 = 0
(gdb)


Same experiment under Solaris:
GNU DDD 3.3 (sparc-sun-solaris2.8), by Dorothea Lütkehaus and Andreas
Zeller.
Copyright © 1995-1999 Technische Universität Braunschweig, Germany.
Copyright © 1999-2001 Universität Passau, Germany.
(gdb) break decode.c:1618
Breakpoint 1 at 0x2b74c
(gdb) run -A fast -l ./log -r ~/data/packet1.pcap -c
./snort-1.8.6/snort.conf
Log directory = ./log
TCPDUMP file reading mode.
Reading network traffic from "/home/hector/data/packet1.pcap" file.
snaplen = 1514

          --== Initializing Snort ==--
..
          --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch at ...1935..., www.snort.org)

Breakpoint 1, DecodeTCP (pkt=0xec0dc "", len=47, p=0xffbef450) at ./snort-1.8.6/decode.c:1618
(gdb) print /x ph
$1 = {sip = 0xd08350e2, dip = 0x3fc621ce, zero = 0x0, protocol = 0x6, tcplen = 0x2f}
(gdb) print /x *p->tcph
$2 = {th_sport = 0x17, th_dport = 0x677, th_seq = 0x2fa5e24f, th_ack = 0xe8f58f9c, th_off = 0x5, th_x2 = 0x0, th_flags = 0x18, th_win = 0x4470, th_sum = 0x84aa, th_urp = 0x0}
(gdb) print /x len
$3 = 0x2f
(gdb) print csum
$4 = 2550
(gdb)

Notice that Linux and Solaris get the same input (ph, p->tcph and len),
except for the different endian order. The Linux checksum call returns a 0
value, while the Solaris one does not. I therefore get a "Bad TCP checksum"
under Solaris. (Note: same problem/same value under MIPS.)
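Added example (not Snort code, and not a diagnosis of what decode.c does): the RFC 1071 one's-complement TCP checksum over the 12-byte pseudo header plus the segment, with a switch that forms each 16-bit word either in network order or byte-swapped, which is what a little-endian host gets when it loads two wire bytes through a u_int16_t pointer. It shows why the dumps above are the same bytes in two word orders and why that by itself cannot change the verdict: the sum computed with swapped words is the byte-swap of the sum computed with network-order words, so a segment that verifies (folded sum 0xFFFF, complement 0) verifies in both orders. The only place word order can bite is a trailing odd byte: it must be summed as if a zero byte followed it in memory, and the example also includes the generic pitfall of adding that byte as a plain number, which is right for one word order and wrong for the other. The addresses, sequence numbers and payload are constructed for this example; ports, flags and window are copied from the dump in the post.

```c
/* Added example, not Snort code: RFC 1071 one's-complement TCP checksum whose
 * 16-bit words are formed either in network order or byte-swapped (what a
 * little-endian host sees loading two wire bytes through a uint16_t *). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ODD_BYTE_PADDED  0   /* trailing odd byte summed as if a zero byte followed it */
#define ODD_BYTE_NUMERIC 1   /* trailing odd byte added as a plain number: a common pitfall */

/* Same fields as the pseudo header in decode.c, kept as bytes so sizeof is 12
 * on every compiler and the words can be read back in either order. */
struct tcp_pseudo_hdr {
    uint8_t sip[4], dip[4];
    uint8_t zero, protocol;
    uint8_t tcplen[2];                     /* network byte order */
};

static uint32_t ones_sum(const uint8_t *buf, size_t len, uint32_t acc,
                         int be_words, int odd_mode)
{
    for (; len > 1; buf += 2, len -= 2)
        acc += be_words ? (uint32_t)((buf[0] << 8) | buf[1])
                        : (uint32_t)((buf[1] << 8) | buf[0]);
    if (len == 1) {
        if (odd_mode == ODD_BYTE_NUMERIC)
            acc += buf[0];                 /* right for LE words, wrong for BE words */
        else
            acc += be_words ? (uint32_t)(buf[0] << 8) : (uint32_t)buf[0];
    }
    return acc;
}

static uint16_t fold16(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xFFFFu) + (acc >> 16);   /* end-around carry */
    return (uint16_t)acc;
}

/* Checksum over pseudo header + segment. With th_sum already filled in, 0 means
 * the segment verifies; anything else is what Snort reports as a bad checksum. */
uint16_t tcp_checksum(const uint8_t sip[4], const uint8_t dip[4],
                      const uint8_t *seg, size_t seglen, int be_words, int odd_mode)
{
    struct tcp_pseudo_hdr ph;
    memcpy(ph.sip, sip, 4);
    memcpy(ph.dip, dip, 4);
    ph.zero = 0;
    ph.protocol = 6;                             /* IPPROTO_TCP */
    ph.tcplen[0] = (uint8_t)(seglen >> 8);
    ph.tcplen[1] = (uint8_t)(seglen & 0xFF);
    uint32_t acc = ones_sum((const uint8_t *)&ph, sizeof ph, 0, be_words, odd_mode);
    acc = ones_sum(seg, seglen, acc, be_words, odd_mode);
    return (uint16_t)~fold16(acc);
}

/* Constructed sample: 10.0.0.1 -> 10.0.0.2; ports, flags and window copied from
 * the dump in the post, sequence numbers made up, plus a 7-byte payload so the
 * segment length (27) is odd and the trailing-byte path is exercised. */
static const uint8_t SAMPLE_SIP[4] = { 10, 0, 0, 1 };
static const uint8_t SAMPLE_DIP[4] = { 10, 0, 0, 2 };
static const uint8_t SAMPLE_SEG[27] = {
    0x00, 0x17, 0x06, 0x77,   /* sport 23, dport 1655 */
    0x00, 0x00, 0x10, 0x00,   /* seq */
    0x00, 0x00, 0x20, 0x00,   /* ack */
    0x50, 0x18, 0x44, 0x70,   /* data offset 5, PSH|ACK, window 0x4470 */
    0x00, 0x00, 0x00, 0x00,   /* th_sum (filled by verify_sample), urgent pointer */
    'l', 'o', 'g', 'i', 'n', ':', ' '
};

/* Checksum of the sample with th_sum zeroed, as the sender computes it. */
uint16_t sample_checksum(int be_words)
{
    return tcp_checksum(SAMPLE_SIP, SAMPLE_DIP, SAMPLE_SEG, sizeof SAMPLE_SEG,
                        be_words, ODD_BYTE_PADDED);
}

/* Store the correct th_sum in network order, then re-check the segment the way
 * a receiver or IDS with the given word order and odd-byte rule would. */
uint16_t verify_sample(int be_words, int odd_mode)
{
    uint8_t seg[sizeof SAMPLE_SEG];
    uint16_t c = sample_checksum(1);
    memcpy(seg, SAMPLE_SEG, sizeof seg);
    seg[16] = (uint8_t)(c >> 8);
    seg[17] = (uint8_t)(c & 0xFF);
    return tcp_checksum(SAMPLE_SIP, SAMPLE_DIP, seg, sizeof seg, be_words, odd_mode);
}

int main(void)
{
    printf("sender value %04x, same sum with LE words %04x\n",
           (unsigned)sample_checksum(1), (unsigned)sample_checksum(0));
    printf("verify: BE/padded %u  LE/padded %u  LE/numeric %u  BE/numeric %04x\n",
           (unsigned)verify_sample(1, ODD_BYTE_PADDED), (unsigned)verify_sample(0, ODD_BYTE_PADDED),
           (unsigned)verify_sample(0, ODD_BYTE_NUMERIC), (unsigned)verify_sample(1, ODD_BYTE_NUMERIC));
    return 0;
}
```

With the padded rule, verify_sample returns 0 for both word orders; with the numeric rule it still returns 0 for swapped (little-endian) words but a nonzero "bad checksum" for network-order words on this odd-length segment, and it would pass on an even-length one. That is the shape of check to run when a checksum routine agrees on one platform and not another: feed it the same bytes with an odd length and with an even length and compare. Whether this particular pitfall is what Snort's checksum() hits on SPARC and MIPS is not something this post shows; the 0x2f00 versus 0x2f tcplen values in the two dumps are the same two bytes read in different word order, so they are not by themselves the cause.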