daviddem
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 18, 2011 12:16 pm

Mystery packet?

Sun Jan 08, 2012 8:27 pm

Well, at least for me it is mysterious.

I send a single UDP packet from my laptop to the router, and the sniffer sees two. One rx: no problem with the existence of that one, since I sent it and I can see it traverse the firewall. But what is the score with the (smaller) tx one? Where is it coming from and where is it going???? Doc says rx=entering the router, tx=leaving the router. But I can't see the tx packet anywhere in the firewall chains.

I am sure there is a good explanation for it though, and that at least one of you knows it.

Also one more question: where in the packet flow is the sniffer sampling the packets?

My router is set up as an all-in-one SOHO router, transparent web proxy and hotspot.

Here are the sniffed packets:
[admin@MikroTik] /tool sniffer packet> print detail
 0 time=3.341 num=1 direction=rx interface=ether2-local-master src-address=172.16.7.254:3584 dst-address=172.16.0.1:40056 protocol=ip ip-protocol=udp size=46 ip-packet-size=28 
   ip-header-size=20 dscp=0 identification=32114 fragment-offset=0 ttl=128 

 1 time=3.341 num=2 direction=tx interface=ether2-local-master src-address=172.16.7.254:3584 dst-address=172.16.0.1:40056 protocol=ip ip-protocol=udp size=28 ip-packet-size=28 
   ip-header-size=20 dscp=0 identification=32114 fragment-offset=0 ttl=128 


[admin@MikroTik] /tool sniffer packet> print raw
 0 time=3.341 interface=ether2-local-master direction=rx data=
     0000  45 00 00 1c 7d 72 00 00  80 11 5d 3f ac 10 07 fe   E...}r.. ..]?....
     0010  ac 10 00 01 0e 00 9c 78  00 08 f5 45 1b f8 0d 2d   .......x ...E...-
     0020  08 02 a2 00 00 22 43 56  20 0f 94 0c 6d b6         ....."CV  ...m.

 1 time=3.341 interface=ether2-local-master direction=tx data=
     0000  45 00 00 1c 7d 72 00 00  80 11 5d 3f ac 10 07 fe   E...}r.. ..]?....
     0010  ac 10 00 01 0e 00 9c 78  00 08 f5 45               .......x ...E
 
neticted
Member Candidate
Posts: 137
Joined: Wed Jan 04, 2012 10:36 am

Re: Mystery packet?

Mon Jan 09, 2012 1:38 am

Maybe the packet is split in two due to fragmentation?
 
daviddem
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 18, 2011 12:16 pm

Re: Mystery packet?

Mon Jan 09, 2012 5:20 am

Nice try, but fragment-offset is zero for both packets, the first 28 bytes of the first packet are identical to the 28 bytes of the second packet, and one is in the rx direction and the other in the tx direction, so I doubt they are two fragments of a single packet. Also, the last 18 bytes of the first packet contain MAC addresses, so it looks like the second packet is the same as the first but stripped of its Ethernet header.

But I still don't get what justifies the existence of the second packet.
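
Added example, not part of any post in this thread: a Python decode of the two `print raw` dumps from the first post, reading each capture as starting at the IPv4 header. It separates the bytes covered by the IP total-length field from any bytes captured after them; the function and variable names are this example's own.

```python
import struct

# Bytes copied from the "print raw" output in the first post.
RX_HEX = """45 00 00 1c 7d 72 00 00 80 11 5d 3f ac 10 07 fe
            ac 10 00 01 0e 00 9c 78 00 08 f5 45 1b f8 0d 2d
            08 02 a2 00 00 22 43 56 20 0f 94 0c 6d b6"""
TX_HEX = """45 00 00 1c 7d 72 00 00 80 11 5d 3f ac 10 07 fe
            ac 10 00 01 0e 00 9c 78 00 08 f5 45"""


def header_checksum_ok(header):
    """RFC 1071: the ones'-complement sum of a valid IPv4 header is 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def dissect(hex_dump):
    """Decode a capture that starts at the IPv4 header and carries UDP."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    ihl = (raw[0] & 0x0F) * 4                      # header length in bytes
    total_len, ident, frag = struct.unpack("!HHH", raw[2:8])
    sport, dport, udp_len, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    return {
        "captured": len(raw),
        "ip_total_len": total_len,
        "ident": ident,
        "more_fragments": bool(frag & 0x2000),
        "fragment_offset": (frag & 0x1FFF) * 8,
        "checksum_ok": header_checksum_ok(raw[:ihl]),
        "src": ".".join(map(str, raw[12:16])) + ":%d" % sport,
        "dst": ".".join(map(str, raw[16:20])) + ":%d" % dport,
        "udp_payload_len": udp_len - 8,
        "datagram": raw[:total_len],               # what the IP header covers
        "trailing": raw[total_len:],               # bytes past the datagram end
    }


def compare(rx_hex, tx_hex):
    """Compare the IP datagrams of two captures and count bytes after each."""
    rx, tx = dissect(rx_hex), dissect(tx_hex)
    return {"same_datagram": rx["datagram"] == tx["datagram"],
            "rx_trailing": len(rx["trailing"]),
            "tx_trailing": len(tx["trailing"])}


if __name__ == "__main__":
    print(compare(RX_HEX, TX_HEX))
```

For these dumps the IP total length is 28 in both captures and the UDP length field is 8, so the datagram has no UDP payload. The 18 extra bytes in the rx capture sit after the end of the IP datagram, and 28 + 18 = 46 matches the minimum Ethernet payload size.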
