Re: iptable log analysis - LEN property appears twice



On 12 Mar 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1173693257.730859.143610@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, crowl@xxxxxx wrote:

> Wondering, browsing my iptable logs I see some logs which have the LEN
> property twice.

> kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=504
> TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=33800 DPT=1026
> LEN=484

504 - 484 = 20 Hmmm, I'll bet this was windoze messenger spam. The
source IP address is _probably_ faked.

> kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=78
> TOS=0x00 PREC=0x00 TTL=115 ID=12573 PROTO=UDP SPT=1028 DPT=137 LEN=58

78 - 58 = 20 Windoze name request "would you like to share viruses?"

> For what reason is there more than one LEN counter? And also important
> to know, what is the difference (what does each LEN mean, and in
> which case is more than one LEN counter used)?

LENgth of IP packet = LENgth of UDP/TCP packet plus header length. See

0768 User Datagram Protocol. J. Postel. August 1980. (Format: TXT=5896
bytes) (Also STD0006) (Status: STANDARD)

0791 Internet Protocol. J. Postel. September 1981. (Format: TXT=97779
bytes) (Obsoletes RFC0760) (Updated by RFC1349) (Also STD0005)
(Status: STANDARD)

0792 Internet Control Message Protocol. J. Postel. September 1981.
(Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950)
(Also STD0005) (Status: STANDARD)

0793 Transmission Control Protocol. J. Postel. September 1981.
(Format: TXT=172710 bytes) (Updated by RFC3168) (Also STD0007)
(Status: STANDARD)

These RFCs can be found in many places - use your favorite search engine.
Briefly, see figure 4 of RFC0791. These packets consist of a 20 byte
IPv4 header (Version, Header length, Type of Service, Total LENgth, an
Identification [serial number] word, flags and fragment offset, Time To
Live, Protocol number, header checksum, source and destination IP address,
which is a total of 20 bytes [there can be additional options in increments
of 4 from zero to 40 additional bytes for a maximum IP header of 60 bytes])
followed by a UDP/TCP/ICMP packet, which itself consists of 4 to 60 bytes of
protocol headers (ICMP = 4, UDP = 8, TCP = 20 to 60) followed by the actual
data.

Old guy
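As an added example (not code from either poster), here is a small Python parser for netfilter log lines in the format quoted in the thread. It reads both LEN values, treats the first as the IP total length and the second (present on the UDP lines in the post) as the transport-layer length, derives the IP header length as the difference and checks it against the 20 to 60 byte range from RFC 791, and reports the UDP payload size (UDP length minus the 8-byte UDP header, RFC 768). The sample log lines are constructed to match the post's format, with RFC 5737 documentation addresses standing in for x.x.x.x; the TCP line and the options line are constructed too and are not from the original logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Header sizes from the RFCs cited in the post: the IPv4 header is 20 bytes
# fixed, up to 60 with options (RFC 791); the UDP header is 8 bytes (RFC 768).
IPV4_HDR_MIN = 20
IPV4_HDR_MAX = 60
UDP_HDR_LEN = 8

# netfilter log fields are KEY=VALUE tokens; bare flags such as DF have no '='.
_TOKEN = re.compile(r'\b([A-Z]+)(?:=(\S*))?')


def tokenize(line: str) -> List[Tuple[str, str]]:
    """Return (KEY, VALUE) pairs from the text after 'kernel:', in order, keeping repeats."""
    body = line.split('kernel:', 1)[-1]
    return _TOKEN.findall(body)


@dataclass
class PacketLens:
    proto: str
    ip_total_len: int               # first LEN: IP total length
    transport_len: Optional[int]    # second LEN: UDP length field, when logged
    ip_header_len: Optional[int]    # derived: ip_total_len - transport_len
    udp_payload_len: Optional[int]  # derived: transport_len - UDP_HDR_LEN
    note: str


def analyse(line: str) -> PacketLens:
    """Reconcile the two LEN values found in one log line."""
    pairs = tokenize(line)
    lens = [int(v) for k, v in pairs if k == 'LEN' and v]
    proto = next((v for k, v in pairs if k == 'PROTO'), '?')
    if not lens:
        raise ValueError('no LEN field in log line')
    ip_total = lens[0]
    if len(lens) == 1:
        return PacketLens(proto, ip_total, None, None, None,
                          'only the IP total length is logged for this protocol')
    transport = lens[1]
    hdr = ip_total - transport
    # The implied IPv4 header must be 20..60 bytes and a multiple of 4 words.
    if hdr < IPV4_HDR_MIN or hdr > IPV4_HDR_MAX or hdr % 4:
        note = f'inconsistent: implied IPv4 header of {hdr} bytes'
    elif hdr > IPV4_HDR_MIN:
        note = f'IPv4 options present ({hdr - IPV4_HDR_MIN} bytes)'
    else:
        note = 'plain 20-byte IPv4 header'
    payload = transport - UDP_HDR_LEN if proto == 'UDP' else None
    return PacketLens(proto, ip_total, transport, hdr, payload, note)


# Constructed sample lines in the post's format (documentation addresses).
SAMPLE_LINES = [
    "Mar 12 10:00:00 gw kernel: INPUT IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 "
    "LEN=504 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=33800 DPT=1026 LEN=484",
    "Mar 12 10:00:01 gw kernel: INPUT IN=ppp0 OUT= MAC= SRC=192.0.2.11 DST=198.51.100.5 "
    "LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=12573 PROTO=UDP SPT=1028 DPT=137 LEN=58",
    # constructed single-LEN line (no transport length field) for comparison
    "Mar 12 10:00:02 gw kernel: INPUT IN=ppp0 OUT= MAC= SRC=192.0.2.12 DST=198.51.100.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    # constructed UDP line whose two LENs imply a 24-byte IP header (4 bytes of options)
    "Mar 12 10:00:03 gw kernel: INPUT IN=ppp0 OUT= MAC= SRC=192.0.2.13 DST=198.51.100.5 "
    "LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=UDP SPT=5000 DPT=5000 LEN=40",
]

if __name__ == '__main__':
    for line in SAMPLE_LINES:
        r = analyse(line)
        print(f"{r.proto:4} ip_len={r.ip_total_len:4} l4_len={r.transport_len} "
              f"ip_hdr={r.ip_header_len} udp_payload={r.udp_payload_len}  {r.note}")
```

Run over the two lines from the post, the difference comes out as exactly 20 in both cases, which is the plain IPv4 header without options; a difference outside 20 to 60 bytes or not a multiple of 4 is flagged as inconsistent, which is worth noticing in a log because the two lengths come from different headers of the same packet.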


