Hi Mihai,
Mihai Tanasescu wrote:
21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+],
length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+],
length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+],
length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+],
length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+],
length: 1500) 86.104.102.16 > 70.84.247.164: udp
After receiving many packets like these on 3-4 interfaces, Cisco starts
loosing packets and acts abnormal.
What I find strange is that there is no port specified (src,dst) and
that the length of the packets is always 1500.
It seems to be fragmented traffic. Because the original IP packet
payload is splitted into pieces, layer-4 header (TCP, UDP) is only
included on the first packet. That's the reason you can't see the ports
on IP packets where offset is different than 0.
Does the destination IP belong to the router/multilayer switch?
Reassembling is done on destination host so fragments should only have
impact on router/switch if it is acting as end host. That could be a
reason of poor performance.
---------------------------------------------------------------------
Carlos Fragoso Mariscal - Network & Security Engineer/Incident Handler
Anella Cientifica RREN Incident Response Team (ERIAC) AS13041 CFM1-RIPE
Communications and Operations Dept.-Supercomputing Center of Catalonia
CCNA CCNP* GSEC GCFW GCIH GREM GHTQ SSP-MPA
cfragoso@cesca.es phone:+34932056464 pgp:0x0E4EDE07 inocdba:13041*CFM
---------------------------------------------------------------------
