On Sat, May 31, 2003 at 05:12:52PM +0200, Dieter Kasielke wrote:

> 45:00:00:3a:b6:28
> 45:00:00:41:b6:52 ...
>
> This looks like the first bytes of the IP header.
>
> Any ideas? Forgotten to reset the pointer to the start of L2 again?
> But why only rarely and then, why for so many packets? Or is it not
> pf at all? Of course, without the pf bridge in between the 2 routers,
> there was never such an overflow condition in months of operation.

Yes, sounds like a reasonable explanation, though it's not clear
where/why it occurs. Can you get a full hexdump of such packets with
tcpdump -X? Maybe there's a pattern of what packets get truncated like
this.

> There was also a kernel crash:
>
> kernel: page fault trap code=0
> Stopped at _pf_normalize_ip+0x43c:testb $0x4,0x21(%ecx)

Can you try to find out which source code line this is (by following
http://www.benzedrine.cx/crashreport.html, rebuild pf_norm.c with debug
information), especially since it's a non-GENERIC kernel?

Daniel
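
Added example, not part of the original thread and not pf code: a Python check that reads a 6-byte Ethernet address as the first six bytes of an IPv4 header, the interpretation suggested above, so that affected frames in a capture can be sorted by the decoded length and IP ID. The function names and the third sample address are assumptions made for this illustration.

```python
import struct

def decode_as_ipv4_prefix(mac):
    """Read a 6-byte link-layer address as the start of an IPv4 header.

    Returns the decoded fields, or None when the bytes cannot be the
    beginning of a valid IPv4 header.
    """
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("expected a 6-byte address")
    # Byte 0: version/IHL, byte 1: TOS, bytes 2-3: total length, bytes 4-5: ID
    ver_ihl, tos, total_len, ip_id = struct.unpack("!BBHH", raw)
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4
    if version != 4 or ihl < 5 or total_len < header_len:
        return None
    return {"header_len": header_len, "tos": tos,
            "total_len": total_len, "ip_id": ip_id}

def suspect_addresses(macs):
    """Return (address, fields) for every address that parses as an IPv4 prefix."""
    hits = []
    for mac in macs:
        fields = decode_as_ipv4_prefix(mac)
        if fields is not None:
            hits.append((mac, fields))
    return hits

# The first two addresses are the ones quoted in the thread; the third is a
# constructed, ordinary-looking address added for contrast.
SAMPLE = ["45:00:00:3a:b6:28", "45:00:00:41:b6:52", "00:a0:c9:12:34:56"]

if __name__ == "__main__":
    for mac, f in suspect_addresses(SAMPLE):
        print(f"{mac}  hdr={f['header_len']}B tos={f['tos']} "
              f"len={f['total_len']} id=0x{f['ip_id']:04x}")
```

Both quoted addresses decode as version 4 with a 20-byte header and TOS 0, total lengths of 58 and 65 bytes, and IDs 0xb628 and 0xb652.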
