I have a router running this,
$ sysctl -n kern.version
OpenBSD 5.9 (GENERIC.MP) #1868: Mon Feb 1 20:02:36 MST 2016
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
$ ifconfig em1 hwfeatures | head -2
em1: flags=18b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,MPSAFE> mtu 1500
hwfeatures=36<CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING> hardmtu 16110
i.e. an mpsafe nic driver, and before the bpf lock fix. So it seems
this is reasonably good at mangling captured frames, which triggers
bugs in libpcap/tcpdump.
I don't have time to look into this further now but I thought I'd send
a few here in case anyone would like to investigate.
First one: I didn't have coredumps enabled for this run. As well as
anything else, the timestamp is also bad.
16:25:57.720179234 70:00:00:01:01:08 f5:80:18:08:0e:98 0a2c -38995653:
08f6 a195 404f e60f 57f3 9f5f af2b cc78
9693 ea2d e1e8 a321 4972 3016 9e82 e034
<snip 1190 lines>
0108 0ae5 0bc6 c3a4 2bb0 8fff ffff ffff
ffff ffff ffff ffff ffff ff00 1304 0000
0000 0000 0000 0000 0000 0000 0000 0000
Segmentation fault
Another crash (timestamp correct, I have masked IPs):
10:52:12.878548 truncated-ip - 480 bytes missing!XXX.XX.XXX.3.22 >
XX.XX.XXX.130.42113: . [bad tcp cksum 9a44! -> 387] 897328:897348(20) ack 577
win 2062 <nop,nop,timestamp 738786570 0> [tos 0x10] (ttl 64, id 16204, len 552)
Segmentation fault (core dumped)
#0 ether_if_print (user=Variable "user" is not available.
) at /usr/src/usr.sbin/tcpdump/print-ether.c:120
120 ether_type = ntohs(ep->ether_type);
(gdb) bt
#0 ether_if_print (user=Variable "user" is not available.
) at /usr/src/usr.sbin/tcpdump/print-ether.c:120
#1 0x00001616652a0816 in pcap_read (p=0x161711ed8200, cnt=-1,
callback=0x161463116230 <ether_if_print>, user=0x0) at
/usr/src/lib/libpcap/pcap-bpf.c:188
#2 0x000016166529f367 in pcap_loop (p=0x161711ed8200, cnt=-1,
callback=0x161463116230 <ether_if_print>, user=0x0) at
/usr/src/lib/libpcap/pcap.c:76
#3 0x00001614631116fd in main (argc=Variable "argc" is not available.
) at /usr/src/usr.sbin/tcpdump/tcpdump.c:496
Seems a bit odd, doesn't the size check on print-ether.c line 99 cover this?
.. another:
11:03:51.217338 82:03:00:42:00:00 > 7d:97:c8:d6:56:46 sap 00 I (s=0,r=11,P)
len=295625085
Segmentation fault (core dumped)
#0 pcap_read (p=0xaa67d539c00, cnt=-1, callback=0xaa441d1781f
<ether_if_print>, user=0x0) at /usr/src/lib/libpcap/pcap-bpf.c:184
184 hdrlen = bhp->bh_hdrlen;
(gdb) bt
#0 pcap_read (p=0xaa67d539c00, cnt=-1, callback=0xaa441d1781f
<ether_if_print>, user=0x0) at /usr/src/lib/libpcap/pcap-bpf.c:184
#1 0x00000aa664976367 in pcap_loop (p=0xaa67d539c00, cnt=-1,
callback=0xaa441d1781f <ether_if_print>, user=0x0) at
/usr/src/lib/libpcap/pcap.c:76
#2 0x00000aa441d11b75 in main (argc=3, argv=0x7f7ffffd6858) at
/usr/src/usr.sbin/tcpdump/tcpdump.c:496
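The two backtraces above fault in the same place a consumer of kernel-supplied capture records is most exposed: pcap_read() reads bh_hdrlen/bh_caplen straight out of the buffer, and the Ethernet printer then reads ether_type out of the payload. The following is an added example and not tcpdump or libpcap code; it uses a simplified, hypothetical record header (struct cap_hdr, with a different layout from the real struct bpf_hdr, which also carries a timestamp) and constructed sample buffers, and shows the checks a record walker should make before trusting either length field: a whole header must be present, hdrlen must cover that header, header plus caplen must fit in the remaining bytes (compared against the remainder so a huge caplen cannot wrap the arithmetic), and the link-layer printer must see at least ETHER_HDRLEN captured bytes before touching ether_type.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Hypothetical stand-in for the kernel's BPF record header (added example,
 * not the OpenBSD definition).  A consumer reads caplen and hdrlen from a
 * buffer it did not produce and must validate both before using them.
 */
struct cap_hdr {
    uint32_t caplen;   /* bytes captured for this record */
    uint32_t datalen;  /* original length on the wire */
    uint16_t hdrlen;   /* size of this header, including any padding */
};

#define ETHER_HDRLEN 14u
#define WORDALIGN(x) (((x) + 3u) & ~(size_t)3u)

struct walk_result {
    int records;    /* records that passed every check */
    int rejected;   /* records refused by a bounds check */
};

/* Walk a capture buffer the way a pcap_read()-style loop does, but refuse to
 * dereference anything the header cannot vouch for. */
struct walk_result walk_capture(const uint8_t *buf, size_t len)
{
    struct walk_result r = { 0, 0 };
    size_t off = 0;

    while (off < len) {
        struct cap_hdr h;
        size_t remain = len - off;

        /* 1. A complete header must be present before any field is read. */
        if (remain < sizeof h) { r.rejected++; break; }
        memcpy(&h, buf + off, sizeof h);        /* alignment-safe read */

        /* 2. hdrlen must cover at least the header we just consumed. */
        if (h.hdrlen < sizeof h) { r.rejected++; break; }

        /* 3. Header plus payload must lie inside the remaining bytes. */
        if (h.hdrlen > remain || h.caplen > remain - h.hdrlen) { r.rejected++; break; }

        /* 4. The Ethernet printer needs a full link-layer header. */
        if (h.caplen < ETHER_HDRLEN)
            r.rejected++;
        else
            r.records++;

        /* Next word-aligned record; the loop condition stops at the end. */
        off += WORDALIGN((size_t)h.hdrlen + h.caplen);
    }
    return r;
}

/* Read the ethertype only after confirming the captured bytes include it. */
int ether_type_of(const uint8_t *pkt, size_t caplen)
{
    if (caplen < ETHER_HDRLEN)
        return -1;
    return (pkt[12] << 8) | pkt[13];
}

/* Constructed test data: append one record at off, with a fake Ethernet
 * payload carrying ethertype 0x0800.  Returns the next aligned offset. */
static size_t put_record(uint8_t *buf, size_t off, uint32_t caplen)
{
    struct cap_hdr h = { caplen, caplen, (uint16_t)sizeof(struct cap_hdr) };
    uint8_t *p = buf + off + sizeof h;
    uint32_t i;

    memcpy(buf + off, &h, sizeof h);
    for (i = 0; i < caplen; i++)
        p[i] = (uint8_t)i;
    if (caplen >= ETHER_HDRLEN) { p[12] = 0x08; p[13] = 0x00; }
    return WORDALIGN(off + sizeof h + caplen);
}

/* Two well-formed records (60 and 14 captured bytes): both accepted. */
int demo_well_formed(void)
{
    uint8_t buf[128];
    size_t end = put_record(buf, 0, 60);
    end = put_record(buf, end, 14);
    return walk_capture(buf, end).records;
}

/* caplen claiming far more than the buffer holds (constructed bad value):
 * rejected before a single payload byte is read. */
int demo_oversized_caplen(void)
{
    uint8_t buf[128];
    size_t end = put_record(buf, 0, 60);
    uint32_t bogus = 295625085u;
    memcpy(buf, &bogus, sizeof bogus);               /* overwrite caplen */
    return walk_capture(buf, end).rejected;
}

/* hdrlen smaller than the header itself: refused and the walk stops. */
int demo_short_hdrlen(void)
{
    uint8_t buf[128];
    size_t end = put_record(buf, 0, 60);
    uint16_t bogus = 4;
    memcpy(buf + 8, &bogus, sizeof bogus);           /* hdrlen sits at offset 8 */
    return walk_capture(buf, end).rejected;
}

/* An 8-byte truncated capture: well-bounded, but too short for the printer. */
int demo_truncated_frame(void)
{
    uint8_t buf[128];
    size_t end = put_record(buf, 0, 8);
    struct walk_result r = walk_capture(buf, end);
    return r.rejected == 1 && ether_type_of(buf + sizeof(struct cap_hdr), 8) == -1;
}

/* With a full header captured the ethertype can be read safely. */
int demo_ethertype(void)
{
    uint8_t buf[128];
    put_record(buf, 0, 60);
    return ether_type_of(buf + sizeof(struct cap_hdr), 60);
}
```

The point of doing every comparison against the bytes remaining (remain, then remain - hdrlen) rather than against off + hdrlen + caplen is that a corrupted 32-bit caplen like the one in the third trace cannot push the sum past the end of a size_t and sneak under the check; and once a header fails a bounds check the walker stops rather than guessing where the next record starts, because nothing after a bad hdrlen can be located reliably.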