Re: [syslog-ng] Lost packets; UDP Checksum (chksum) errors; forwarding - source spoofing; libnet bug
OK... I'll spare you the more gory details. My environment is all Solaris: a Sparc-based Solaris 8 system (that I'm trying to replace), and an Intel-based Solaris 10 system (running under VMware) that is intended to be the replacement. Although we were doing forwarding in other places, this was the first time that I was able to get some reasonable statistical reporting between two servers that were initially supposed to be getting the same data (via the forwarding).

The short story is that the receiving system "seemed" to be getting a fraction of the packets, and because the environment is slightly more complex (e.g. the VMware piece) I kept ass-u-me-ing that my original problem was not related to syslog-ng, but simply to something else going wrong. When I finally did start capturing packets with snoop, and more importantly, finally moved onto using Wireshark to look at those captures, that's when I realized that all of the forwarded packets WERE, in fact, making it to the second system, but that Solaris was tossing most of them out because their (UDP header) checksum was wrong.

When I finally figured that out, I had suspected libnet might be the culprit, and after doing a bit more googling, I finally found someone else complaining about the checksum issue (albeit not in regard to using libnet with syslog-ng), and posting a suggested fix that they claimed solved the problem. Now that I know what I'm looking for, I think that Mike may have addressed the problem in his 1.1.3 Beta, but every time that I've tried to compile that version (on several different systems), I get a bazillion compile errors, so I've never used anything other than 1.1.2.1.

The short description of the problem is that it's an "odd byte issue". The checksum process is done against 2-byte chunks of data, and if the amount of data being checksum'd is an odd number, then the code was not handling that last byte properly. So...
The packets with even-numbered data volumes (in my case, about 1/3 of my forwarded packets) came through just fine, but everything else looks like a corrupted packet (to the receiving OS) and gets tossed in the bin.

For your reference, here's where I lucked into the discussion: http://www.securityfocus.com/archive/89/384197/30/90/threaded

I had to modify his suggested fix slightly, but this is what is now documented in my own "how to build syslog-ng" documentation:

---------------------------------------
From the libnet package directory, one needs to edit the checksum module, i.e.:

    vi src/libnet_checksum.c

Then, you will need to locate this section of code:

    int
    libnet_in_cksum(u_int16_t *addr, int len)
    {
        int sum;

        sum = 0;
        while (len > 1)
        {
            sum += *addr++;
            len -= 2;
        }
        if (len == 1)
        {
            /* odd length: this loads a full 16-bit word, i.e. the byte
             * past the end of the data as well as the real last byte */
            sum += *(u_int16_t *)addr;
        }
        return (sum);
    }

Now, replace that section with the following (and save/quit from the editor):

    int
    libnet_in_cksum(u_int16_t *addr, int len)
    {
        int sum;
        u_int16_t last_byte;

        sum = 0;
        last_byte = 0;
        while (len > 1)
        {
            sum += *addr++;
            len -= 2;
        }
        if (len == 1)
        {
            /* odd length: copy only the real last byte into the first
             * byte of a zeroed 16-bit word, then add that word */
            *(u_int8_t *)&last_byte = *(u_int8_t *)addr;
            sum += last_byte;
        }
        return (sum);
    }
--------------------------------------

Obviously, there are only a couple of lines of code modified in there, but for my purposes, it was simpler to just replace the section. I am NOT a C programmer (although I used to program in a lot of other older languages!). I can't speak to whether this is the "best" solution, or not (in terms of efficiency or coding techniques). BUT, bottom line... Once I made this change, it appears that I'm no longer receiving any packet loss at all. The sample captures that I've done, and then loaded into Wireshark, are showing no checksum errors.

Whether you use this coding solution, or work up one of your own, the bottom line is that 1.1.2.1 absolutely needs to be modified, in order to make source-spoofed forwarding work as intended. Let me know if you have any questions about the above information. I'll do my best to provide answers.

I'd be remiss if I didn't also take this opportunity to say THANKS for all of your syslog-ng efforts. It's a fine product.

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of bazsi@balabit.hu
Sent: Wednesday, August 29, 2007 7:06 AM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] Lost packets; UDP Checksum (chksum) errors; forwarding - source spoofing; libnet bug

On Wed, 2007-08-29 at 06:58 -0600, Marvin.Nipper@Stream.com wrote:
OK. I've only posted here a couple of times, but I've googled this list (for help) extensively in the past. Before I waste everyone's time, I just wanted to find out if I'm the only one who "didn't already know" that there's a nasty bug in libnet-1.1.2.1, such that anybody doing source-spoofed forwarding of UDP-based syslog packets will likely end up losing large volumes of packets in the process (in my case a 2/3 loss of packets).
Again. I thought that I had searched the mailing list archives properly, and that I didn't see a mention of this issue (as I've been fighting my way through figuring this out, over a multi-week period), BUT, as this would seem to impact a lot of syslog-ng users, I keep thinking that I've just missed something, and everyone else already knows about this. Before I waste time writing a detailed message on the topic, I figured that I'd ask first.
I would appreciate if you could write about this. I don't know about anything related.

--
Bazsi

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
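The odd-byte failure described in the thread, as an added example that is not part of the original posts or of libnet: a stand-alone C version of both the 1.1.2.1-style summing routine and the fixed one, run over a constructed 13-byte payload with a deliberately non-zero byte placed after it to stand in for whatever happened to sit past the packet buffer in memory. The function names, the sample bytes and the 0xA5 guard byte are my own choices; the one's-complement fold and the receiver-side check (data plus its checksum must sum to 0xFFFF) follow RFC 1071. It also shows the even-length case, where both routines agree, which is why a third of the forwarded packets were getting through.

```c
/* Added example: the libnet 1.1.2.1 odd-byte checksum bug next to the fix.
 * Not libnet code; names and sample data are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fold a 32-bit running sum into a 16-bit one's-complement sum (RFC 1071). */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)sum;
}

/* Buggy version, mirroring 1.1.2.1: on an odd length it loads a whole 16-bit
 * word at the end, so the byte AFTER the data is summed too. memcpy is used
 * instead of *addr++ only to avoid alignment problems on strict hosts. */
uint32_t cksum_partial_buggy(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    uint16_t w;
    while (len > 1) {
        memcpy(&w, p, 2);
        sum += w;
        p += 2;
        len -= 2;
    }
    if (len == 1) {
        memcpy(&w, p, 2);   /* the bug: reads one byte past the payload */
        sum += w;
    }
    return sum;
}

/* Fixed version: the odd trailing byte goes into the first byte of a zeroed
 * 16-bit word, matching the memory order the loop already uses, so the
 * result is identical on big-endian (SPARC) and little-endian (x86) hosts. */
uint32_t cksum_partial_fixed(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    uint16_t w;
    while (len > 1) {
        memcpy(&w, p, 2);
        sum += w;
        p += 2;
        len -= 2;
    }
    if (len == 1) {
        uint16_t last = 0;
        memcpy(&last, p, 1);   /* only the real last byte, other half zero */
        sum += last;
    }
    return sum;
}

/* Final checksum value as it would be written into the header. */
uint16_t cksum_finish(uint32_t sum) { return (uint16_t)~fold(sum); }

/* Receiver-side check: summing the data plus its checksum must give 0xFFFF. */
int cksum_verify(const uint8_t *p, size_t len, uint16_t cksum)
{
    return fold(cksum_partial_fixed(p, len) + cksum) == 0xFFFF;
}

/* Constructed sample: 13 payload bytes (odd) followed by a non-zero guard
 * byte that simulates whatever sits after the packet buffer in memory. */
static const uint8_t sample_buf[] = {
    'h', 'e', 'l', 'l', 'o', ' ', 's', 'y', 's', 'l', 'o', 'g', /* 12 bytes */
    '!',                                                       /* odd 13th */
    0xA5                                                       /* guard */
};
#define SAMPLE_LEN 13

/* 1 if the buggy sum picks up the guard byte on the odd-length payload. */
int buggy_differs_on_odd_len(void)
{
    return cksum_partial_buggy(sample_buf, SAMPLE_LEN)
        != cksum_partial_fixed(sample_buf, SAMPLE_LEN);
}

/* 1 if both routines agree on an even-length payload (the packets that
 * were getting through unharmed). */
int buggy_matches_fixed_on_even_len(void)
{
    return cksum_partial_buggy(sample_buf, SAMPLE_LEN - 1)
        == cksum_partial_fixed(sample_buf, SAMPLE_LEN - 1);
}

/* 1 if a checksum produced by the fixed routine verifies at the receiver. */
int fixed_checksum_verifies(void)
{
    uint16_t c = cksum_finish(cksum_partial_fixed(sample_buf, SAMPLE_LEN));
    return cksum_verify(sample_buf, SAMPLE_LEN, c);
}

/* 1 if a checksum produced by the buggy routine is rejected at the receiver,
 * which is what Solaris was doing with the odd-length forwarded packets. */
int buggy_checksum_fails(void)
{
    uint16_t c = cksum_finish(cksum_partial_buggy(sample_buf, SAMPLE_LEN));
    return !cksum_verify(sample_buf, SAMPLE_LEN, c);
}

int main(void)
{
    printf("odd length, buggy != fixed:      %d\n", buggy_differs_on_odd_len());
    printf("even length, buggy == fixed:     %d\n", buggy_matches_fixed_on_even_len());
    printf("fixed checksum verifies:         %d\n", fixed_checksum_verifies());
    printf("buggy checksum rejected:         %d\n", buggy_checksum_fails());
    return 0;
}
```

The guard byte is what makes the bug visible: whether a given odd-length packet "looked fine" on the wire depended entirely on the value that happened to follow the buffer, so a capture can show a mix of good and bad checksums from the same sender.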
participants (1)
-
Marvin.Nipper@Stream.com