Re: arcane changling
Re: arcane changling
- Subject: Re: arcane changling
- From: David A Rowland <email@hidden>
- Date: Mon, 24 Jul 2006 17:53:22 -0700
The bytes changed are exactly where the TCP checksum would be if it
were still a TCP packet. However, it is now ESP. Why does the system
insist it is TCP, and how can I tell it that it is not?
The only thing that changes packets after tcpdump is the driver or
the hardware. The most common change is hardware checksums or vlan
tagging that happens in hardware.
-josh
On Jul 24, 2006, at 3:22 PM, email@hidden wrote:
I have an IP filter that alters packets. On output it reinjects them. I find
that two
bytes are changed when the packet arrives at the destination.
The packets are IP with ESP content. The changed bytes are 16 bytes offset
into the
ESP portion which is the beginning of the encrypted portion.
Using tcpdump I see that they are not changed at the interface (if that is
where
tcpdump makes its snapshot). We are fairly certain the destination is not
making the
change, and we can see no relationship between the before and after values.
What is there after tcpdump that could change an IP packet?
Thanks,
David
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Attachment converted: Savitri:smime 16.p7s ( / ) (00405BA1)
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden