Counting TCP/IP packets

Hello,
I want to implement an SNMP Agent using Java, and I would like to know how can I count the packets coming and outgoing (IP, UDP, TCP, etc). This is to instrument the RFC1213 MIB. I don't have access to the TCP/IP stack code, so I can't use socket or something to count the packets. Is there any classes/methods to allow me to do this?
Thanks a lot
Fabio Mansur

> I want to implement an SNMP Agent using Java, and I
> would like to know how can I count the packets coming
> and outgoing (IP, UDP, TCP, etc). This is to
> instrument the RFC1213 MIB. I don't have access to the
> TCP/IP stack code, so I can't use socket or something
> to count the packets. Is there any classes/methods to
> allow me to do this?

Not in standard Java. And you can't normally do that in a normal install of Windows either - if that matters.
http://netresearch.ics.uci.edu/kfujii/jpcap/doc/index.html

Similar Messages

  • Getting the data from a TCP/IP packet

    I am dealing with an industrial network that sends and receives data over TCP/IP between a sort of supervisory system running on Unix and some machines via a bridge that converts messages onto other non TCP/IP networks. This is all old legacy equipment and the bridge now needs upgrading. However the original source code is not available and no-one is very sure of the messages being sent. I thought it was going to be easy knocking something together in Java to intercept these messages and test various things but have come up against big problems.
    The main problem being that all the data is binary meaning I can't use any of the reader or writer classes I am used to. I am trying to use either DataInputStream or BufferedInputStream to read data in but am struggling. Ideally I need to be able to read (once) the complete data content of each packet that is sent and I need to tell each time a new packet of data arrives so that I can process it as a complete packet. As far as I know there are no eof or eol or any other details that tell me how many bytes of data there are, and they do vary in length, but each packet is a separate message or message reply.
    I was hoping that there might be some way of getting this information from the TCP/IP layers but can't see how to do it as that all seems to work invisibly. Nor can I see any methods to call on the stream classes that indicate how to tell the length of the latest packet or when a new packet has arrived. I am not sure how some of the methods like mark() and reset() are supposed to be used so am not sure if I could use these but am desperate for any help or pointers in the right direction.

    > The TCP/IP packets can represent complete messages

    There is no guarantee to this effect anywhere in TCP/IP. Consider the case where a single message requires multiple writes. Consider the case where a write contains the end of one message and the beginning of another. Consider the case where there are multiple messages in a single packet. Consider ... There are just too many of these cases.

    > The TCP/IP takes care of numbering the packets so that they can be reassembled in the correct order. Each TCP/IP packet contains information about the size of data the packet contains ...

    Thank you, I do know how TCP works.

    > so in theory if we could get at the TCP/IP layers we should be able to get this information.

    No. You can get all the packet information out of packets. What you can't get is message information, because it isn't in there. It's in the application protocol, which to TCP/IP is just a stream of bytes. You can get the stream of bytes that the application sent. What it means is up to you.

    > I really need to be able to read each packet of data separately to be able to do anything with it

    Why? Given the lack of correlation between writes() and packets and reads() due to TCP streaming, what is the point? And if you want packets you already have them via your sniffer.
    From your first post:

    > each packet is a separate message or message reply.

    You can't rely on that. There is no guarantee of this anywhere in TCP/IP.
    I also direct your attention to the Nagle algorithm, which coalesces outgoing packets under common conditions.
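
The point made in the reply above, that message boundaries live in the application protocol and not in TCP segments, shown as an added example (not code from the thread). It assumes a hypothetical framing of a 2-byte big-endian length followed by the payload; the legacy protocol's real framing is unknown, and the sample messages are constructed.

```python
import struct

# Assumed framing (hypothetical): 2-byte big-endian payload length, then payload.
HEADER = struct.Struct(">H")


def encode(payload: bytes) -> bytes:
    """Sender side: prefix the payload with its length."""
    return HEADER.pack(len(payload)) + payload


class Framer:
    """Rebuilds application messages from whatever chunks read() returns."""

    def __init__(self, max_len: int = 4096):
        self._buf = bytearray()
        self._max_len = max_len

    def feed(self, chunk: bytes) -> list:
        """Add one read()'s worth of bytes; return every message now complete."""
        self._buf += chunk
        out = []
        while len(self._buf) >= HEADER.size:
            (length,) = HEADER.unpack_from(self._buf)
            # The length field comes from the peer: bound it before buffering.
            if length > self._max_len:
                raise ValueError(
                    f"declared length {length} exceeds limit {self._max_len}")
            end = HEADER.size + length
            if len(self._buf) < end:
                break  # payload not fully received yet; wait for more bytes
            out.append(bytes(self._buf[HEADER.size:end]))
            del self._buf[:end]
        return out

    @property
    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete message."""
        return len(self._buf)


def reassemble(chunks, max_len: int = 4096):
    """Feed chunks in order; return (messages, leftover byte count)."""
    framer = Framer(max_len)
    messages = []
    for chunk in chunks:
        messages.extend(framer.feed(chunk))
    return messages, framer.pending


# Constructed sample messages and the byte stream the sender would produce.
MESSAGES = [b"\x01START", b"\x02STATUS?", b"\x03"]
STREAM = b"".join(encode(m) for m in MESSAGES)

# The same stream delivered four different ways, as TCP is free to do.
CHUNKINGS = {
    "one message per read": [STREAM[0:8], STREAM[8:18], STREAM[18:]],
    "everything coalesced": [STREAM],
    "split mid-header and mid-payload": [STREAM[0:1], STREAM[1:9],
                                         STREAM[9:13], STREAM[13:]],
    "one byte per read": [STREAM[i:i + 1] for i in range(len(STREAM))],
}

if __name__ == "__main__":
    for name, chunks in CHUNKINGS.items():
        print(name, reassemble(chunks))
```

Every chunking yields the same three messages, which is why the receiver has to parse the stream and cannot count reads or packets.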

  • ODBC - Excessive TCP/IP packets

    I'm trying to track down why reports from my WebApp are running so slow when connected to Oracle and I've discovered that there is an unusually high amount of TCP/IP traffic between the Web Server and the Oracle Server as the report is being generated. When I connect my WebApp to SQL Server version of the database the reports run very fast.
    Using a Process Monitor I discovered that, when Connected to Oracle, a report that returns zero (0) rows generates 2,671 TCP/IP packets between IIS and the Oracle server, and it takes 16 seconds to generate the report. If I run the same report, but connected to SQL Server, there are only 35 TCP/IP packets and the report runs in less than 2 seconds.
    Is there some ODBC or Oracle configuration that I'm missing which is causing the excessive TCP/IP packets?
    Oracle Driver: 11g ( SQORA32.DLL ) version 11.02.00.03 dated 10/30/2011.
    Database: Oracle 11g
    Web Server: Windows Server 2008 32bit with IIS7

    922502 wrote:

    > Fetch Buffer Size = 64000
    > Looking at the TCP/IP packets, in almost all cases the length of the packet is less than 3k and at least 75% of them are less than 500 bytes.
    > These reports are created with Crystal Reports 2008.
    > If I run the same report from Crystal Reports designer using the same ODBC driver against the same Oracle database there are only 8 TCP/IP packets.
    > It just seems like there is some config issue between IIS and the ODBC driver.

    Check for the client (or driver side) trying to play clever by parsing SQL and doing extra work (generating nested SQLs) in order to validate and optimise that SQL. This was disabled in the driver layer by enabling an option called pass-thru in the past. It was a major cause of increasing the amount of SQL client-server traffic.

  • Manipulating Raw IP and TCP headers / packets in 5.0

    I apologise in advance if this question has been asked previously. I've checked the archives.
    I currently have a Perl poller that will do two things...
    1. Sends an ICMP type 8 packet to a remote host
    2. Sends a TCP SYN packet to a remote host & port
    I need to replace this with a threaded version of the same thing and would like to implement it in Java.
    All I can see plastered around in the community (google) is that Java can't work at this level and that C/C++ native methods should be used instead.
    I don't have any issues with this, but I guessed it would be quicker (don't know why) if it was all done in Java.
    Is this still the case with Java 5.0?
    Thanks
    And no - this isn't homework ;0)

    Rocksaw will get you started, I have tried it but it looks a bit like the author has lost interest. Your best choice is to do this kind of work in C or as Java with JNI. Rocksaw and JPCap will give you a lot of hints if you decide on the Java route.

  • Tcp trace packets

    Hi all,
    Is there any way of blocking tcp trace packets that are being sent from outside interface to inside? I have an application that is listening on port 80. Now it's a requirement that hackers or unwanted users should not be able to send tcp trace packets to this port, it needs to be blocked. Is there any way of doing it?

    Hello John,
    The idea is that if your internal http server is available for everyone, different scanners will identify this port as opened. Only thing that you can do, is to allow access to this server only for trusted sources using access-lists.
    Thank you.

  • TCP reset packet issue on Cisco 6509 switch

    Hi,
    We are connecting a malware prevention appliance to a SPAN port on cisco switch 6509 which uses IOS firmware.
    When the Malware appliance sends TCP RST packet to the switch, it does not accept it.
    Please help with what additional config to be done on the switch or the SPAN port so that the packet is received by the switch.

    Hello, Wasim.
    Not sure if 6500 supports the feature, but 3750 does:
    monitor session destination int f0/1 ingress vlan 100
    This last part allows SPAN port to send traffic into VLAN 100 (more details here -
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_52_se/configuration/guide/3750scg/swspan.html#wp1260596)

  • Terminating established connections with TCP RST packet

    Hi,
    I'm making a small application for our campus. The idea is to block certain connections from outside of our network to hosts in our network. I'm analyzing the connections using jpcap, this API also has a send method that sends packets, I thought that I can terminate the connections by sending RST packet to the source but it doesn't work, connections don't terminate. Obviously I don't get any error message from the host where I'm sending it to. I think that problem might be in sequence number or something like that. For now I set the sequence number of RST packet to (acknowledgment number from the last packet that comes from the outside host+1) is this where I'm going wrong?
    Cheers.

    This isn't really a Java question, although I'm sure ejp will have some good advice.
    I suggest you look at the relevant TCP RFCs.

  • TCP / UDP packets not reaching destination

    Hi all,
    I have an ASR at the hub of 3 different routing domains.
    I have two OSPF processes and one BGP process all on the same ASR.
    BGP routes are redistributed in to both OSPF processes and vice versa. Plus, between the two OSPF processes, routes are also redistributed. Summary addresses are configured at the ASBR before the routes are injected in to Area 0 on each OSPF process.
    ICMP from a source host in one OSPF process to a destination in the BGP process works fine, but any TCP traffic hangs awaiting a SYN/ACK.
    I need to prove that the router is routing the packet toward the egress interface and that the packet is leaving the router. I was wondering if there were any debug commands that I can restrict to a particular host IP so that it does not bring the router down.
    I know about Embedded Packet Capture, but unfortunately the IOS-XE version that I am running is not new enough so we do not have EPC on our ASR.
    I appreciate that I have given only limited information.
    Any advice appreciated.
    Thanks
    Mario

    Mario
    If you don't want to risk debug then I always used a basic but pretty reliable method, i.e. ACLs.
    If you create an extended ACL with the first line allowing the source IP of the host to any and then a second line with a "permit ip any any" and then apply it outbound to the egress interface it should show if the packets are being routed correctly and sent on towards the destination.
    Obviously the "permit ip any any" line is very important.
    Edit - I haven't used the ASRs so it is possible they process all their ACLs in hardware in which case the hits may not show as they don't always on L3 switches that process ACLs in hardware.
    So bear that in mind.
    Jon

  • Questions about the TCP Null packet signature

    Does this event trigger even if there is one packet without any of the flags SYN, FIN, ACK, RST set? Or does it happen only if there are 10 packets out of 100 without the flags?
    Just trying to understand how this event triggers

    You can use creationPolicy="all" on the Accordion and it will
    create all the children, not just the first one. The downside to
    this is that your app will take a little longer to start up.
    Consider this:
    Child 2:
    <mx:TextInput id="input" />
    If you are trying to set child2.input = "something", a better way
    would be to use data binding:
    Child 2:
    [Bindable] public var inputValue:String;
    <mx:TextInput id="input" text="{inputValue}" />
    Now you can do: child2.inputValue = "something"; If the UI of
    child2 have not been created, setting inputValue has no ill effect;
    as soon as the controls on child 2 are created, data binding will
    assign the value. If child 2 has already been created, the data
    binding will also assign the value.
    You can deactivate the click event on the Accordion by
    intercepting it and stopping its propagation, but you have to do
    this in ActionScript, you cannot do this in MXML.
    myAccordion.addEventListener( "change", accHandler, true );
    // true means to use capture phase
    private function accHandler( event:flash.events.Event ) : void
    {
        // Stop the event before it reaches the AccordionHeader itself
        if( event.target is mx.containers.accordionClasses.AccordionHeader ) {
            event.stopImmediatePropagation();
        }
    }
    The idea is that you intercept the click event as it travels
    downward through the components (the capture phase). If the target
    of the event is an AccordionHeader, you stop the event from going
    further - that is, from reaching the AccordionHeader itself.
    You can put this event handler on the Accordion or its parent
    upwards to the Application.

  • Catch malformed tcp ip packets

    Hello,
    I made an application in LabVIEW 2012 32bit, that communicates with an xPC Target through the xPCAPI dll from Simulink Real Time. The communication is made with TCP/IP and I'm using the Call Library Function Node to access the dll.
    I request an array of signals to the xPC Target every 500ms and my LabVIEW application works fine for a period of time that can be 3 minutes to an hour and then LabVIEW just closes.
    We caught the error message from the xPC, which seems to be causing LabVIEW to crash and it is "Deformed message" error. (It also has the "TCP/IP Read Error").
    I'm not very experienced with Networks, does anybody know how this error is produced and if I can catch it so my main application won't crash?
    Thank you!

    Hi Marco,
    I found out what is causing the problem, but still can't figure out how to fix it.
    I'm not using the TCP/IP communication VIs from LabVIEW, but a call function library node for the xPC dll.
    That DLL has a connection function and a set of functions to communicate with the xPC Target using an ID generated with the connection function.
    After the connection is established, I start requesting information from the xPC every 500ms (so my code is basically that call of the function inside a while).
    The parameters of my function are a vector data pointer for the values, an array with the ID of the signals I'm requesting and the number of signals (array size).
    Everything is fine until an error appears (I've seen TCP/IP Error or Malformed Message). This can be after 30 minutes, 1 hour, 2 hours; it seems to appear faster if I reduce the delay between calls.
    In the call of the function with error, I receive an array of zeros for my values. In the next call I receive the previous values that I didn't get because of the error, so I get some kind of offset between the calls of the function and the answer of the function:
    Request 1 --> Answer 1
    Request 2 --> Answer 2
    Request 3 --> Error
    Request 1 --> Answer 3
    Request 2 --> Answer 1
    I try disconnecting and reconnecting to clean the data queue, and though it seems to work, the problem reappears until I can't reconnect anymore.
    I'm not sure what is causing the error, so any idea or suggestion is welcome!

  • Import / Export and TCP packets relay

    Hi All,
    Any idea what relationship Export / Import on a local box has on the TCP/IP packets? I see tremendous amount of packets (42000 / sec) on a Windows 64 bit box while doing Import / Export. It's from an 8i to 10g so the Import / Export.

    On a local server you don't need to use TCP/IP.
    Generally speaking export is just a series of SELECTs. The normal array interface applies, the size of the array is indicated by the buffer parameter.
    One array is fragmented by sqlnet in packages of SDU size, default 2048 bytes.
    These packages are being fragmented by the network card, as the default MTU is 1500 bytes.
    Sybrand Bakker
    Senior Oracle DBA

  • WRT54GX2: TCP packets blocked (except SYN/SYN-ACK) to internet

    I'm using WRT54GX2 with latest FW 1.01.22 and I've been running into internet connectivity with one of my laptop (Toshiba MX35-S149 using Atheros). From this laptop DNS/ping works to the internet (UDP/ICMP) but all of the TCP data packets from the internet are being blocked by the router (I think). All of the other PC's continue to work with no problem.
    Rebooting the router (power cycle) causes thing to work again for this laptop but after some time (15-20 minutes or so) once again the problem comes back. I've already spent about 3 hours with support on this but no luck.
     I did a packet capture on the laptop and any HTTP request show TCP SYN, SYN-ACK packets but no data packets. The laptop continues to do the retransmission. At this point I can still PING and DNS resolve any of the names.
    The HTTP to the router's page (192.168.1.1) continues to work without any problem (still using the wireless NIC). Hard-wiring the laptop to router works fine.
    I asked the support if I can do a packet capture on the router itself but I was told "That is not possible".
    I'll add the packet capture files later today.
    Any help is appreciated as I don't think I'll get any help from the tech-support.
    TIA,
    Navras

    Interesting - I have a similar problem however I am trying to block packets going out. So you say that it allows the TCP for a little while then later it is blocked.
    Why are you trying to pass TCP into the computer specifically?
    Do you have a firewall on your laptop that you can check the logs off?
    I have been with support for my issue which is basically the BLOCKED SERVICES options are all greyed out. I need to block udp/tcp packets from going out on exactly the same router, same firmware as yours. They just read scripts from their help desk manuals and do not really seem to understand problems that are NOT in the scripts. Too bad I was hoping after cisco took over linksys would get better at customer support, not the other way.
    I saw a post previously that states that the same router DOES NOT HAVE the blocked services as a function. The manual and screen seem to indicate otherwise.
    Interesting...let us know what happens.
    danee

  • Default class map is dropping all Packets

    Hello I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time.  I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part. Any help is greatly appreciated!!!!
    The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
    Guest VLAN has access to 2 IP's in Data for printing.
    Cisco871#sh run
    Building configuration...
    Current configuration : 8005 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service sequence-numbers
    hostname Cisco871
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    no logging console
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    clock summer-time PST recurring
    crypto pki trustpoint TP-self-signed-4004039535
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4004039535
    revocation-check none
    rsakeypair TP-self-signed-4004039535
    crypto pki certificate chain TP-self-signed-4004039535
    certificate self-signed 01
                quit
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.0.0.1 10.0.0.5
    ip dhcp excluded-address 172.16.15.1 172.16.15.5
    ip dhcp excluded-address 172.16.15.14
    ip dhcp excluded-address 172.16.17.1 172.16.17.5
    ip dhcp excluded-address 192.168.19.1 192.168.19.5
    ip dhcp pool MyNetNative
       import all
       network 10.0.0.0 255.255.255.248
       default-router 10.0.0.1
       domain-name MyNetNet.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       lease 0 2
    ip dhcp pool MyNetData
       import all
       network 172.16.15.0 255.255.255.240
       dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       default-router 172.16.15.1
       domain-name MyDomain.org
    ip dhcp pool MyNetVoice
       import all
       network 172.16.17.0 255.255.255.240
       dns-server 172.16.15.14
       default-router 172.16.17.1
       domain-name MyDomain.org
    ip dhcp pool MyNetGuest
       import all
       network 192.168.19.0 255.255.255.240
       default-router 192.168.19.1
       domain-name MyNetGuest.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
    ip domain name MyDomain.org
    ip name-server 172.16.15.14
    ip name-server 4.2.2.4
    ip inspect log drop-pkt
    multilink bundle-name authenticated
    parameter-map type inspect TCP_PARAM
    parameter-map type inspect global
    username MyAdmin privilege 15 secret 5 MyPassword
    archive
    log config
      hidekeys
    class-map type inspect match-all MyNetGuest-access-list
    match access-group 110
    class-map type inspect match-any Base-protocols
    match protocol http
    match protocol https
    match protocol ftp
    match protocol ssh
    match protocol dns
    match protocol ntp
    match protocol ica
    match protocol pptp
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all MyNetGuest-Class
    match class-map MyNetGuest-access-list
    match class-map Base-protocols
    class-map type inspect match-all MyNetNet-access-list
    match access-group 100
    class-map type inspect match-any Voice-protocols
    match protocol h323
    match protocol skinny
    match protocol sip
    class-map type inspect match-any Extended-protocols
    match protocol pop3
    match protocol pop3s
    match protocol imap
    match protocol imaps
    match protocol smtp
    class-map type inspect match-all MyNetNet-Class
    match class-map MyNetNet-access-list
    match class-map Voice-protocols
    match class-map Extended-protocols
    match class-map Base-protocols
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    class type inspect MyNetGuest-access-list
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetGuest-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone
    class class-default
      pass
    zone security MyNetNet-zone
    zone security MyNetGuest-zone
    zone security MyNetWAN-zone
    zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
    service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
    service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    interface FastEthernet0
    description Cisco-2849-Switch
    switchport mode trunk
    speed 100
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    description SBS-Server
    switchport access vlan 10
    spanning-tree portfast
    interface FastEthernet4
    description WAN
    no ip address
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    zone-member security MyNetWAN-zone
    ip tcp adjust-mss 1452
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    description MyNetNative
    ip address 10.0.0.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    ip tcp adjust-mss 1452
    interface Vlan10
    description MyNetData
    ip address 172.16.15.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan20
    description MyNetVoice
    ip address 172.16.17.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan69
    description MyNetGuest
    ip address 192.168.19.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetGuest-zone
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    access-list 100 remark MyNetnet
    access-list 100 permit ip 10.0.0.0 0.0.0.7 any
    access-list 100 permit ip 172.16.15.0 0.0.0.31 any
    access-list 100 permit ip 172.16.17.0 0.0.0.15 any
    access-list 110 remark MyNetGuest
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
    access-list 110 permit ip 192.168.19.0 0.0.0.15 any
    control-plane
    banner login ^CC
    You know if you should be here or not.
             if not please leave
    NOW
    ^C
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp server 172.16.15.14
    webvpn cef
    end
    Cisco871#sh zone security
    zone self
      Description: System defined zone
    zone MyNetNet-zone
      Member Interfaces:
        Vlan1
        Vlan10
        Vlan20
    zone MyNetGuest-zone
      Member Interfaces:
        Vlan69
    zone MyNetWAN-zone
      Member Interfaces:
        FastEthernet4
    Cisco871#sh zone-pair security
    Zone-pair name MyNetNet->MyNetGuest
        Source-Zone MyNetNet-zone  Destination-Zone MyNetGuest-zone
        service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
    Zone-pair name MyNetNet->MyNetWAN
        Source-Zone MyNetNet-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetWAN
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetNet
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetNet-zone
        service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
    Cisco871#sh int faste4
    FastEthernet4 is up, line protocol is up
      Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
      Description: WAN
      Internet address is 10.38.177.98/25
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:34:50, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 2000 bits/sec, 3 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         593096 packets input, 73090812 bytes
         Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog
         0 input packets with dribble condition detected
         9940 packets output, 1016025 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out
    Zone-pair: MyNetNet->MyNetWAN
      Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
        Class-map: MyNetNet-Class (match-all)
          Match: class-map match-all MyNetNet-access-list
            Match: access-group 100
          Match: class-map match-any Voice-protocols
            Match: protocol h323
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol skinny
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol sip
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Extended-protocols
            Match: protocol pop3
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pop3s
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imap
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imaps
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol smtp
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Base-protocols
            Match: protocol http
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol https
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ftp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ssh
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol dns
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ntp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ica
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pptp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol icmp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol tcp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol udp
              0 packets, 0 bytes
              30 second rate 0 bps
          Inspect
            Session creations since subsystem startup or last reset 0
            Current session counts (estab/half-open/terminating) [0:0:0]
            Maxever session counts (estab/half-open/terminating) [0:0:0]
            Last session created never
            Last statistic reset never
            Last session creation rate 0
            Maxever session creation rate 0
            Last half-open session total 0
        Class-map: class-default (match-any)
          Match: any
          Drop (default action)
            5196 packets, 256211 bytes
    Cisco871#sh log
    Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering disabled)
    No Active Message Discriminator.
    No Inactive Message Discriminator.
        Console logging: disabled
        Monitor logging: level debugging, 0 messages logged, xml disabled,
                         filtering disabled
        Buffer logging:  level debugging, 1745 messages logged, xml disabled,
                         filtering disabled
        Logging Exception size (4096 bytes)
        Count and timestamp logging messages: disabled
        Persistent logging: disabled
    No active filter modules.
    ESM: 0 messages dropped
        Trap logging: level informational, 1785 message lines logged
    Log Buffer (4096 bytes):
    001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to  policy match failure
    001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to  policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
    001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to  policy match failure
    001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to  policy match failure

    Hello Charlie,
    I would recommend you investigate a little bit more about how the ZBFW feature works.
    Now I am going to help you on this one at least, then I will give you a few links you could use to study.
    We are going to study traffic from MyNetNet-zone to the MyNetWAN-zone.
    First, the zone-pair:
        zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
          service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    So let's go to the policy-map:
        policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
          class type inspect MyNetNet-Class
            inspect
          class class-default
    Finally, to the class-map:
        class-map type inspect match-all MyNetNet-Class
          match class-map MyNetNet-access-list
          match class-map Voice-protocols
          match class-map Extended-protocols
          match class-map Base-protocols
    That keyword MATCH-ALL is the one causing the issues!!
    Why?
    Because you are telling the ZBFW to inspect traffic only if it matches all of those class-maps, so a packet will need to match the base protocols and the extended protocols, and as you know that is not possible (just one protocol).
    So here are the links
    http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
    https://supportforums.cisco.com/thread/2138873
    http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
    You have some work to do
    Please remember to rate all the helpful posts
    Julio
    CCSP
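The match-all behaviour described in the reply above can be replayed against the two dropped packets from the log buffer. This is an added example, not part of the original post or of Cisco's software; the port table, the function names and the assumption that access-list 100 already matches the source host are all illustrative simplifications.

```python
import re

# Protocol groups as listed in the class-maps in the output above.
GROUPS = {
    "Voice-protocols": {"h323", "skinny", "sip"},
    "Extended-protocols": {"pop3", "pop3s", "imap", "imaps", "smtp"},
    "Base-protocols": {"http", "https", "ftp", "ssh", "dns", "ntp", "ica",
                       "pptp", "icmp", "tcp", "udp"},
}
# Simplified well-known ports (assumption; IOS keeps its own port-to-application map).
PORTS = {("udp", 53): "dns", ("tcp", 443): "https", ("tcp", 25): "smtp",
         ("udp", 5060): "sip"}

DROP_RE = re.compile(r"%FW-6-DROP_(TCP|UDP)_PKT: .*? (\S+):(\d+) => (\S+):(\d+)")

def parse_drop(line):
    """Return (l4, src_ip, dst_ip, dst_port) from a %FW-6-DROP_*_PKT line, or None."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return m.group(1).lower(), m.group(2), m.group(4), int(m.group(5))

def protocols_of(l4, dport):
    """Every protocol keyword a packet can satisfy: its transport plus one application."""
    found = {l4}
    if (l4, dport) in PORTS:
        found.add(PORTS[(l4, dport)])
    return found

def action(l4, dport, mode):
    """'inspect' if the protocol groups match, else 'drop' (class-default). ACL assumed to match."""
    hits = [bool(GROUPS[g] & protocols_of(l4, dport)) for g in GROUPS]
    matched = all(hits) if mode == "match-all" else any(hits)
    return "inspect" if matched else "drop"

# Two lines copied from the log buffer above.
LOG = [
    "001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to  policy match failure",
    "001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to  policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0",
]

def replay(mode):
    """Replay the logged drops with the protocol groups combined by AND or by OR."""
    return [(p[0], p[3], action(p[0], p[3], mode)) for p in map(parse_drop, LOG)]

if __name__ == "__main__":
    for mode in ("match-all", "match-any"):
        print(mode, replay(mode))
```

The "match-any" mode here ORs the three protocol groups only and keeps the access-list as a separate AND condition; switching the top-level class-map itself to match-any would also OR in the access-list, so any traffic permitted by access-group 100 would be inspected regardless of protocol.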

  • NDIS 6.5 offload checksum test failure - HCK NDIS 6.5 not accepting packet checksum

    We are developing an NDIS 6.x miniport driver and are running NDIS Test 6.5, and are encountering failures in Offload Checksum when Rx checksum offload is enabled. The failures are as below, indicating that the notified packets are not accepted by the HCK test, even though it receives the packets. We have validated that the checksum is correct by recalculating it in the driver and also through Wireshark captures on the receiving and sending sides.
    We hereafter refer to the test adapter as Test10GCard and the support adapter as Support10GCard.
    To eliminate the issue, we have also swapped the roles of the Test10GCard and Support10GCard. In this case, the Test10GCard became the support adapter and the Support10GCard the "card under test". In this case, the test failed in send itself, as the packet notified by the Test10GCard to the stack, even when checksum offload is disabled, was not accepted.
    We have looked at NET_BUFFER, NET_BUFFER_LIST, packet and checksums as well.
    Any suggestions? We have been stuck on this for a long time now.
    Thanks
    Deva
    10001
    StartTime: 02:48:48.497
    Checksum offload - Test Tcp receive checksum offload with Ipv4 ( Tcp checksum recv offload: On/Tcp Option: Off/Ipv4 Option: Off). Packet count: 30; Packet header size: 54; Packet total size 784
    CommunicationHelper::StartReceive
    - Name: TestDeviceSimpleCommHelper
    - Type: SimpleCommunicationHelper
    - Traffic Manager Type: NDT_SIMPLE_TRAFFIC_MGR
    - Receive Process Mech: NDT_PROCESS_RECEIVE_AT_PASSIVE
    - Configured NetBufferModuleStack:
    - [1] NDT_STRESS_PAYLOAD_MODULE
    - [2] NDT_TCP_OFFLOAD_MODULE
    - [3] NDT_IPV4_HEADER_MODULE
    - [4] NDT_ETHERNET_MEDIA_HEADER_MODULE
    - STATUS: NDIS_STATUS_SUCCESS
    CommunicationHelper::StartSend
    - Name: SuppDeviceSimpleCommHelper
    - Type: SimpleCommunicationHelper
    - Traffic Manager Type: NDT_SIMPLE_TRAFFIC_MGR
    - Send Mechanism: NDT_SEND_AT_PASSIVE
    - Send Complete Mech: NDT_VERIFY_SEND_COMPLETE_AT_PASSIVE
    - NDIS Send Flags: 0
    - Send Latency (ms): 0
    - Preallocated NBL Count: 1
    - Configured NetBufferModuleStack:
    - [1] NDT_STRESS_PAYLOAD_MODULE
    - [2] NDT_TCP_OFFLOAD_MODULE
    - [3] NDT_IPV4_HEADER_MODULE
    - [4] NDT_ETHERNET_MEDIA_HEADER_MODULE
    - STATUS: NDIS_STATUS_SUCCESS
    EndPoint::WaitForSendsToComplete
    - Name: SuppDeviceSimpleCommHelper_EndPoint
    - Timeout (ms): 300000
    EndPoint::StopReceive
    - Name: TestDeviceSimpleCommHelper_EndPoint
    - Timeout (ms): 5000
    EndPoint::GetSendResults
    - Name: SuppDeviceSimpleCommHelper_EndPoint
    EndPoint::GetReceiveResults
    - Name: TestDeviceSimpleCommHelper_EndPoint
    EndPoint::GetSendResults
    - Name: SuppDeviceSimpleCommHelper_EndPoint
    Test Tcp receive checksum offload with Ipv4
    - Tcp Checksum Offload Enabled: Yes
    - Tcp Option: No
    - Ip Option: No
    - StressPayload Test Conclusion: Passed
    - StressPayload Test Explanation: N/A
    - Tcp Send Packet Number: 30
    - Tcp Recv Packet Number: 30
    - Accepted Checksum Recv Offload Packet Number: 0
    - Tcp Offload Test Conclusion: Failed
    - Tcp Offload Test Explanation: Tcp Module expected to get 30 packets, but only accepted 0;The miniport is expected to report 30 packets with correct checksum, but only gets 0;
    50019 Test case failed. For detailed information, please see the above log table
    Possible failure reason             

    Hi Mudit,
    Thanks for your reply. I checked the NDIS 6.5 Checkconnectivity and Checkconfig tests, and these passed. I applied the same logic as above for the L3 checksum, and then all variations passed. Only the TCP/UDP packets are not being accepted by NDIS. I ran Wireshark on both sides and the packets were the same, i.e. integrity is fine.
    Regards
    Mallesh

  • Data stream from OEM device, TCP/IP "not enough memory"

    Hi Everyone,
    I'm trying to catch a data stream from an OEM device over a TCP/IP link.  I can start the data stream, or pause/resume it, but the OEM device determines when the data stream has ended.  The data stream begins, and within 20 seconds, I get the famed "not enough memory" error.  Once this happens, data is lost from the stream, and quite often the final message indicating completion is missed.  I see two solutions to this.  1) Watch how many bytes are backed up on my TCP/IP port, and issue a pause command until I can process the backed up bytes at which point a resume will be issued.  ...or 2) Use my application's memory usage in the same manner.  Does anyone know how to do either of these things?
    Thanks much

    Hi Toader,
    Thanks for your response.
    1) I'm not sending any data.  I'm trying to consume an incoming data stream which is being driven by an OEM device.  This device basically has an FPGA hooked up to a 100Mbit/s hose.  You can start it, pause it and resume it.  Those are the available operations related to consuming the data stream.  I think the crux of the problem is deciding when to pause the OEM device to give the LabView app a chance to process and store the accumulated portion of the data stream.
    2) Sure, but it's not my program and is large and complicated.  I guess I could write my own program within a program, but I would rather use the existing architecture.  I might write my own micro app, but I doubt it will keep up with the FPGA driven hose.  If I could detect the condition leading up to the "not enough memory" error, which it seems many LV developers have encountered, but not really solved, then I could issue a pause to the OEM device.
    3) Well, using a LabView application under a 2 GHz Windows box may not be sufficient hardware.  But I really think it's the Windows operating system that I'm having trouble with, not the hardware platform.
    I've tried several counters in the LabView application, watched task manager before/during/after the "not enough memory" error, and downloaded an interesting app called taskmanager.vi in an attempt to get something to correlate with the error message.  I've not succeeded yet.  Here's what I think is happening.  The Windows OS is managing my wireless hardware; when it receives a TCP/IP packet, it puts it in the Windows message queue of my LabView application.  I think the "not enough memory" error relates to a Windows OS allocation for my message queue which is being exceeded.  Any Windows programmers out there who would know how to look at the application's message queue during runtime?
    Thanks for your classic suggestions Toader, I may try a micro app which is spawned by the main app when it's time to grab the data.  My intuition is that no software limited by the Windows OS is going to keep up with single-minded FPGA hardware.
    I thought this very interesting discussion was the answer and it may still be, but after trying 30+ various counters under Memory, System, Process, TCP, and Server, none correlated to the error.
    http://forums.ni.com/t5/LabVIEW/System-monitor-counter/m-p/1653448/message-uid/1653448/highlight/tru...
    I also tried a taskmanager.vi, but none of the various flavors of memory tracked by that little gem correlated with the error either.  At this point, I started to wonder "what memory was there not enough of?".
    Terry
