[syslog-ng] Lost packets; UDP Checksum (chksum) errors; forwarding - source spoofing; libnet bug

Marvin.Nipper at Stream.com Marvin.Nipper at Stream.com
Wed Aug 29 15:38:13 CEST 2007


OK... I'll spare you the more gory details.  My environment is all
Solaris: a Sparc-based Solaris 8 system (that I'm trying to replace), and
an Intel-based Solaris 10 system (running under VMware) that is intended
to be the replacement.  Although we were doing forwarding in other
places, this was the first time that I was able to get some reasonable
statistical reporting, between two servers that were initially supposed to
be getting the same data (via the forwarding).  The short story is that
the receiving system "seemed" to be getting a fraction of the packets, and
because the environment is slightly more complex (e.g. the VMware piece) I
kept ass-u-me-ing that my original problem was not related to syslog-ng,
but simply to something else going wrong.

When I finally did start capturing packets with snoop, and more
importantly, finally moved onto using Wireshark to look at those captures,
that's when I realized that all of the forwarded packets WERE, in fact,
making it to the second system, but that Solaris was tossing most of them
out because their (UDP header) checksum was wrong.

When I finally figured that out, I had suspected libnet might be the
culprit, and after doing a bit more googling, I finally found someone else
complaining about the checksum issue (albeit not in regard to using libnet
with syslog-ng), and posting a suggested fix that they claimed solved the
problem.  Now that I know what I'm looking for, I think that Mike may have
addressed the problem in his 1.1.3 Beta, but every time that I've ever
tried to compile that version (on several different systems), I get a
bazillion compile errors, so I've never used anything other than 1.1.2.1.

The short description of the problem is that it's an "odd byte issue".
The checksum process is done against 2-byte chunks of data, and if the
amount of data being checksum'd is an odd number, then the code was not
handling that last byte properly.  So... The packets with even-numbered
data volumes (in my case, about 1/3 of my forwarded packets) came through
just fine, but everything else looks like a corrupted packet (to the
receiving OS) and gets tossed in the bin.

For your reference, here's where I lucked into the discussion:
http://www.securityfocus.com/archive/89/384197/30/90/threaded

I had to modify his suggested fix slightly, but this is what is now
documented in my own "how to build syslog-ng" documentation:
---------------------------------------
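The odd-byte checksum failure the post describes, as an added C example written for this page (it is neither the author's documented fix nor libnet's code): an RFC 1071 one's-complement checksum that pads a trailing odd byte with zero, next to a constructed variant that simply drops that byte, with both run through the IPv4/UDP pseudo-header verification a receiving kernel performs before accepting a datagram. The addresses, ports, checksum-function names and syslog payloads are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One's-complement sum (RFC 1071) over a byte buffer. The wire definition
 * treats a trailing odd byte as the high-order half of a final 16-bit word
 * whose low half is zero; that is the case the post says libnet got wrong. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum) {
    while (len > 1) {
        sum += ((uint32_t)p[0] << 8) | p[1];
        p += 2;
        len -= 2;
    }
    if (len == 1)
        sum += (uint32_t)p[0] << 8;        /* odd byte, padded with zero */
    return sum;
}

static uint16_t fold(uint32_t sum) {
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Correct checksum: every byte contributes. */
uint16_t cksum_rfc1071(const uint8_t *p, size_t len) {
    return fold(ones_sum(p, len, 0));
}

/* Constructed illustration of the failure mode (not libnet's actual code):
 * only whole 16-bit words are summed and a trailing odd byte is ignored.
 * Even-length payloads check out; odd-length ones get a wrong checksum. */
uint16_t cksum_drop_odd_byte(const uint8_t *p, size_t len) {
    return fold(ones_sum(p, len & ~(size_t)1, 0));
}

typedef uint16_t (*cksum_fn)(const uint8_t *, size_t);

/* Lay out the bytes the UDP checksum covers: IPv4 pseudo-header (src, dst,
 * zero, protocol 17, UDP length), the 8-byte UDP header with the given
 * checksum field, then the payload. Returns 0 if it does not fit. */
static size_t udp_cksum_bytes(uint8_t *out, size_t cap, const uint8_t src[4],
                              const uint8_t dst[4], uint16_t sport, uint16_t dport,
                              uint16_t chk, const uint8_t *payload, size_t plen) {
    uint16_t ulen = (uint16_t)(8 + plen);
    size_t n = 0;
    if (plen > 65527 || 20 + plen > cap) return 0;
    memcpy(out + n, src, 4); n += 4;
    memcpy(out + n, dst, 4); n += 4;
    out[n++] = 0;                     out[n++] = 17;
    out[n++] = (uint8_t)(ulen >> 8);  out[n++] = (uint8_t)ulen;
    out[n++] = (uint8_t)(sport >> 8); out[n++] = (uint8_t)sport;
    out[n++] = (uint8_t)(dport >> 8); out[n++] = (uint8_t)dport;
    out[n++] = (uint8_t)(ulen >> 8);  out[n++] = (uint8_t)ulen;
    out[n++] = (uint8_t)(chk >> 8);   out[n++] = (uint8_t)chk;
    memcpy(out + n, payload, plen); n += plen;
    return n;
}

/* Sender side: checksum placed in the UDP header, computed with fn over a
 * zeroed checksum field. A computed 0 is transmitted as 0xffff per RFC 768. */
uint16_t udp_sender_checksum(const uint8_t src[4], const uint8_t dst[4],
                             uint16_t sport, uint16_t dport,
                             const uint8_t *payload, size_t plen, cksum_fn fn) {
    uint8_t buf[1500];
    size_t n = udp_cksum_bytes(buf, sizeof buf, src, dst, sport, dport, 0, payload, plen);
    uint16_t c = n ? fn(buf, n) : 0;
    return c == 0 ? 0xffff : c;
}

/* Receiver side, always using the correct rule: the sum over the covered
 * bytes including the transmitted checksum must fold to zero. */
int udp_receiver_accepts(const uint8_t src[4], const uint8_t dst[4],
                         uint16_t sport, uint16_t dport, uint16_t chk,
                         const uint8_t *payload, size_t plen) {
    uint8_t buf[1500];
    size_t n = udp_cksum_bytes(buf, sizeof buf, src, dst, sport, dport, chk, payload, plen);
    return n != 0 && cksum_rfc1071(buf, n) == 0;
}

/* Does a syslog datagram checksummed with fn survive the receiving kernel?
 * Addresses are constructed (RFC 5737 documentation range). */
int forwarded_ok(const char *msg, cksum_fn fn) {
    static const uint8_t src[4] = {192, 0, 2, 10}, dst[4] = {192, 0, 2, 20};
    size_t plen = strlen(msg);
    uint16_t chk = udp_sender_checksum(src, dst, 514, 514, (const uint8_t *)msg, plen, fn);
    return udp_receiver_accepts(src, dst, 514, 514, chk, (const uint8_t *)msg, plen);
}

/* RFC 1071 worked example: bytes 00 01 f2 03 f4 f5 f6 f7 checksum to 0x220d. */
int rfc1071_selftest(void) {
    static const uint8_t v[8] = {0x00, 0x01, 0xf2, 0x03, 0xf4, 0xf5, 0xf6, 0xf7};
    return cksum_rfc1071(v, sizeof v) == 0x220d;
}

int main(void) {
    const char *even = "<13>test: ok";   /* 12 bytes, constructed */
    const char *odd  = "<13>test: odd";  /* 13 bytes, constructed */
    printf("rfc1071 vector ok: %d\n", rfc1071_selftest());
    printf("correct  even=%d odd=%d\n", forwarded_ok(even, cksum_rfc1071),
           forwarded_ok(odd, cksum_rfc1071));
    printf("drop-odd even=%d odd=%d\n", forwarded_ok(even, cksum_drop_odd_byte),
           forwarded_ok(odd, cksum_drop_odd_byte));
    return 0;
}
```

Running it shows the pattern the post observed with snoop and Wireshark: every even-length message verifies under both routines, while odd-length messages only verify when the trailing byte is summed, so a sender with the dropped-byte defect loses every odd-length datagram at the receiver's checksum check, not on the network.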

