TCP Hijack/TCP Segment Overwrite false positives?

Similar Messages

• TCP segment Overwrite

  Recently, I've been seeing a ton of messages on the IPS Event Viewer stating that TCP Segment Overwrites have been detected. The events are from either the IPS-A to our DMZ or vice versa. It just started whenever we added some servers to the network. Does anybody have any suggestions? We traced the packets, it's not hacker related. It seems like maybe a server or app. may be causing the issue. The problem is isolating it. I would appreciate any feedback you could provide. Thanks!

  TCP normalization
  Through intentional or natural TCP session segmentation, some classes of attacks can be hidden. To make sure policy enforcement can occur with no false positives and false negatives, the state of the two TCP endpoints must be tracked and only the data that is actually processed by the real host endpoints should be passed on. Overlaps in a TCP stream can occur, but are extremely rare except for TCP segment retransmits. Overwrites in the TCP session should not occur. If overwrites do occur, someone is intentionally trying to elude the security policy or the TCP stack implementation is broken. Maintaining full information about the state of both endpoints is not possible unless the sensor acts as a TCP proxy. Instead of the sensor acting as a TCP proxy, the segments will be ordered properly and the normalizer will look for any abnormal packets associated with evasion and attacks.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804cf52e.html

• TCP Segment Overwrite - IDSM2 with IPS5.1(1d)

  Hi,
  I have an IDSM2 running IPS5.1(1d)S220 upgraded recently from 4.x. My network has windows desktops (spanned on multiple subnets) whose default gateway is a Cisco 6500 FWSM module.
  Since I upgraded to IPS 5.x, I am seeing lots and lots of TCP Hijack and TCP Segment Overwrite alarms. The source addresses of these alarms are my windows PCs, destination addresses are Windows 2003 servers..Sometimes, the destination address is 0.0.0.0 and ports are empty.
  It is difficult to ignore so many alarms unless there is a technical explanation to see if the placement of FWSM is causing IPS to treat this as a threat.
  Can someone help me to get out of this issue?

  I found this on a previously written thread. I cannot find the thread anymore. All credit is given to the message owner. i hope the reply helps.
  mlhall of - CISCO SYSTEMS wrote:
  Oct 6, 2003, 11:06am PST
  I have several packet traces from several customers that see this alert. There appears to be a bug in the microsoft TCP stack when connections go stale. What happens is that the last successful segment's last byte is resent with a value of 0xff. This is after the other endhost has ACK'ed the sequence from the last segments.
  So for example.
  a->b seq=100 data="ABCDEFG"
  b->a ack=107 no data
  a->b seq=106 data="(0xff)"
  The last packet in the example is overwriting the G in the first packet with an 0xff. This causes the IDS to fire. We are working on detecting this stack bug in a new version.

• ID 1300 TCP Segment Overwrite

  I keep seeing the Sig ID 1300 TCP Segment Overwrite between two hosts. This is normal traffic and I have no reason to suspect the machines as having to been compromised or misused. I was wondering if anyone has had the experience of seeing this signature fire for normal traffic. Can this be a programming error caused by our in house programmers writing custom applications?

  Personally, I error on the side of suspicion. I would recommend investigating this further. This signature is somewhat suspicious in that segmentation overwriting is something hackers use to try to bypass IPS. Is the destination address always the same, if you are always getting the error from the same source to the same destination that could be a bad sign….?
  I would suspect that it's not a program error because, most programmers will just send their data to a socket and the underlying network code will set up windowing and segmentation. In this case most socket code is pretty tried and true.
  Is this data coming from a VPN segment? It could be an MTU issue. Could be a network device behaving badly between your source and destination, if this is happening it should be true for more then just one host.
  Don’t forget you can use your reporting tool and turn on verbose reporting when ever the alert is generated or to assist in forensics you can turn on reporting of all packets between a specific host or destination….

• Java NIO - TCP segment size abnormally low

  Hi !
  After noticing a weird behaviour on our Linux production server for code that works perfectly on my Windows dev box, I used tcpdump to sniff the packets that are actually sent to our clients.
  The code I use to write the data is as simple as :
  // using NIO - buffer is at most 135 bytes long
  channel.write(buffer);
  if (buffer.hasRemaining()) {
      // this never happens
  }When the buffer is 135 bytes long, this systematically results in two TCP segments being sent : one containing 127 bytes of data, the other one containing 8 bytes of data.
  Our client is an embedded system which is poorly implemented and handles TCP packets as whole application messages, which means that the remaining 8 bytes end up being ignored and the operation fails.
  I googled it a bit, but couldn't find any info about the possible culprit (buffer sizes and default max tcp segment sizes are of course way larger that 127 bytes !)
  Any ideas ?
  Thanks !

  NB the fragmentation could also be happening in any intermediate router.
  All I can suggest is that you set the TCP send buffer size to some multiple of the desired segment size, or maybe just set it very large, like 64k-1, so that you can reduce its effect on segmentation.

• Signature 1330-X: TCP segment out of order - what does it mean?

  Hi,
  on a customer's site, on one of their IPS, I get a lot of sig 1330 alerts, mainly those two:
  1330-12: TCP segment is out of order. If the signature status is set to disabled, the packet will be passed to all engines that are not stream based.
  This signature will not produce an alert in promiscuous mode regardless of the signature status.
  1330-17: TCP segment out of state order. If a packet in a stream causes this signature to produce an alert, processing will cease for that stream. This signature will not produce an alert in promiscuous mode regardless of the signature status
  I'm not sure how to interpret these alerts correctly and/or how to troubleshoot further. Does anyone have an idea?
  Thanks a lot,
  Florian

  Is your sensor monitoring more than one network segment?
  If so then these alarms are common when a TCP connection crosses both networks and gets seen twice by the sensor.
  This can confuse the sensor's tracking of the connection.
  A common scenario is to have the sensor monitor both the Inside network or a firewall as well as the DMZ. When an internal user connects to the company's web server the traffic gets seen by the sensor both on the Inside network and in the DMZ. The sensor tries to put the packets from both networks together in order to try and monitor it as a single connection. Because the packets get modified by the firewall it often results in inconsitency between traffic on the 2 sides and causes the sensor to be confused about the connection.
  The good news is that if this is your problem, then there are 2 easy workarounds.
  1) If your sensor supports virtual sensors, then create a second virtual sensor. Assign one network to default vs0, and assign the other network to the new virtual sensor. This way each virtual sensor sees traffic on just one of the networks and won't become confused.
  2) If your sensor does not support additional virtual sensors, or you've used up all 4 virtual sensors, then there is a configuration option within the virtual sensor configuration itself:
  Inline TCP Session Tracking Mode
  By default it is set to Virtual Sensor which is why it tries to put together packets from both networks to try and look at is a single connection and gets confused.
  BUT it can also be set to Interface and Vlan. This configuration allows the virtual sensor to treat the traffic on each network independantly. The connection on the first network will be monitored independant of the connection on the second network. This will prevent the virtual sensor from getting confused.
  The above is just my guess at what is going on in your network based on what we've seen on other networks. If this doesn't address the reason for the signature triggerings, then please respond back with more information about your network.
  It is possible that these could be a hacker trying to avoid detection by the sensor, but more likely something in your deployment is confusing the sensor.

• TCP segment of a reassembled PDU - nsludt2.cap (0/1)

  Hi,
  I've been having some issues lately with long DNS lookups. I ran
  PacketScan on the DNS server (10.10.10.20), and saw many occurences of
  "TCP segment of a reassembled PDU". This mainly occurred during
  communication between the DNS server and other servers on our network.
  Could this segmentation issue be the cause of processing delays on DNS
  querys? Is this something I should be concerned about? Does it
  indicate MTU mismatches between servers? All servers are NW6 SP4.
  Please see the attached CAP file.
  Thanks,
  Jeff Palmer

  1) The messages "TCP segment of a reassembled PDU" are not problems. They
  are just indicators that the main traffic of that connection occured
  earlier. In fact, looking at the actual packets shows that these are
  simply TCP keepalive packets. E.g. there are some open connections to your
  server and the other end that has the connection open sends keepalive
  packets from time to time.
  2) Your DNS traffic is perfectly "normal". All requests are properly
  replied to. The delays you get are entirely due to the external server
  216.68.4.10 (ns1.zoomtown.com) which is slow in responding to you. It
  takes 0.8 seconds for the first query your DNS does to it, and 1.7 seconds
  for the followup Akamai DNS query. Overall, this leads to a delay of about
  2.5 seconds for answering your workstation's query.
  If you want to speed up your DNS you should investigate why the queries to
  216.68.4.10 take so long and maybe you should consider forwarding your DNS
  requests to a different faster server.
  Marcel Cox (using XanaNews 1.18.1.6)

• MiFi4510L sporatically hangs on Web sites w/ IE Win6&7 (THIS URL!); TCP Segment Lost

    I had to use Dial-Up just to get this far!!!
    Sometimes it works fine; other times it hangs FOREVER (TCP Segment Lost)! Must manually STOP..
  I've let it hang for over 10 minutes; nothing ever happens after the last trace entry. No re-xmits.
    The last time it hung, I collected dumps&traces, then Stop & Refresh in IE and it worked fine.
  During the hang, I successfully TELNET'ed to the DNS (same IPAddr), so it's NOT apparently a connection issue.
  Certainly YOUR OWN URL should NOT be having constant problems!
    I powered off&on your device. Still occasionally hangs.
    WHAT IS GOING ON? The only solution seems to be to use Dial-Up!!! I have NEVER had this problem in all the many years
  using Dial-Up.
    Here are NETMON traces from a recent hang
  669 {DNS:131, UDP:130, IPv4:4} 4:01:19 PM 8/4/2011 127    DNS 0x1    192.168.1.2 8.8.8.8 DNS:QueryId = 0xCAB, QUERY (Standard query), Query  for www.goes.noaa.gov of type Host Addr on class Internet
  670 {DNS:131, UDP:130, IPv4:4} 4:01:19 PM 8/4/2011 247    DNS 0x2    8.8.8.8 192.168.1.2 DNS:QueryId = 0xCAB, QUERY (Standard query), Response - Success, 129.15.96.23, 140.90.33.23 ...
  671 {TCP:132, IPv4:26} 4:01:19 PM 8/4/2011 116 iexplore.exe 0x12d4  TCP 0x1 Half Connected Disregarded  192.168.1.2 129.15.96.23 TCP:Flags=......S., SrcPort=49248, DstPort=HTTP(80), PayloadLen=0, Seq=3442312612, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192
  672 {TCP:132, IPv4:26} 4:01:19 PM 8/4/2011 116 iexplore.exe 0x12d4  TCP 0x2 Connected Good  129.15.96.23 192.168.1.2 TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=49248, PayloadLen=0, Seq=3625396553, Ack=3442312613, Win=5840 ( Negotiated scale factor 0x9 ) = 2990080
  673 {TCP:132, IPv4:26} 4:01:19 PM 8/4/2011 104 iexplore.exe 0x12d4  TCP 0x1 Connected Disregarded  192.168.1.2 129.15.96.23 TCP:Flags=...A...., SrcPort=49248, DstPort=HTTP(80), PayloadLen=0, Seq=3442312613, Ack=3625396554, Win=4380 (scale factor 0x2) = 17520
  674 {HTTP:133, TCP:132, IPv4:26} 4:01:19 PM 8/4/2011 497 iexplore.exe 0x12d4 Request, GET /GIFS/ECIR.JPG  HTTP 0x1 Connected Disregarded  192.168.1.2 129.15.96.23 HTTP:Request, GET /GIFS/ECIR.JPG
  675 {TCP:132, IPv4:26} 4:01:19 PM 8/4/2011 104 iexplore.exe 0x12d4  TCP 0x2 Connected Good  129.15.96.23 192.168.1.2 TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=49248, PayloadLen=0, Seq=3625396554, Ack=3442313006, Win=14 (scale factor 0x9) = 7168
  676 {HTTP:133, TCP:132, IPv4:26} 4:01:19 PM 8/4/2011 1286 iexplore.exe 0x12d4 HTTP Payload, URL: /GIFS/ECIR.JPG  IPHTTPS 0x2 Connected Good 0x1 129.15.96.23 192.168.1.2 IPHTTPS
    Frame: Number = 676, Captured Frame Length = 1286, MediaType = WiFi
  - WiFi: [Unencrypted Data] F.....P, (I) RSSI = -49 dBm, Rate = 67.5 Mbps
    - MetaData: RSSI = -49 dBm, Rate = 67.5 Mbps
       Version: 2 (0x2)
       Length: 32 (0x20)
     - OpMode: Extensible Station Mode
        StationMode:           (...............................0) Not Station Mode
        APMode:                (..............................0.) Not AP Mode
        ExtensibleStationMode: (.............................1..) Extensible Station Mode
        Unused:                (.0000000000000000000000000000...)
        MonitorMode:           (0...............................) Not Monitor Mode
       Flags: 0 (0x0)
       PhyType: 802.11g
       Channel: 1, Center Frequency: 2412 MHz
       lRSSI: -49 dBm
       Rate: 67.5 Mbps
       TimeStamp: 08/04/2011, 22:01:19.606165 UTC
    - FrameControl: Version 0,Data, Data, F.....P(0x4208)
       Version:        (..............00) 0
       Type:           (............10..) Data
       SubType:        (........0000....) Data
       DS:             (......10........) DS to STA via AP
       MoreFrag:       (.....0..........) No
       Retry:          (....0...........) No
       PowerMgt:       (...0............) Active Mode
       MoreData:       (..0.............) No
       ProtectedFrame: (.1..............) Yes
       Order:          (0...............) Unordered
      Duration: 48 (0x30)
      DA: 1C659D CA2550
      BSSID: Novatel Wireless, Inc. 04C0AF
      SA: Novatel Wireless, Inc. 04C0AF
    - SequenceControl: Sequence Number = 889
       FragmentNumber: (............0000) 0
       SequenceNumber: (001101111001....) 889
  - LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
    - DSAP: SNAP(Sub-Network Access Protocol), Individual DSAP
       Address: (1010101.) SNAP(Sub-Network Access Protocol)
       IG:      (.......0) Individual Address
    - SSAP: SNAP(Sub-Network Access Protocol), Command
       Address: (1010101.) SNAP(Sub-Network Access Protocol)
       CR:      (.......0) Command Frame
    - Unnumbered: UI - Unnumbered Information
       MMM:  (000.....) 0
       PF:   (...0....) Poll Bit - No Response Solicited
       MM:   (....00..)
       Type: (......11) Unnumbered(U) Frame
  - Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX CORPORATION
      OrganizationCode: XEROX CORPORATION, 0(0x0000)
      EtherType: Internet IP (IPv4), 2048(0x0800)
  - Ipv4: src=129.15.96.23, Dest = 192.168.1.2, Next Protocol = TCP, Packet ID = 44701, Total IP Length = 1222
    - Versions: IPv4, Internet Protocol; Header Length = 20
       Version:      (0100....) IPv4, Internet Protocol
       HeaderLength: (....0101) 20 bytes (0x5)
    - DifferentiatedServicesField: DSCP: 0, ECN: 0
       DSCP: (000000..) Differentiated services codepoint 0
       ECT:  (......0.) ECN-Capable Transport not set
       CE:   (.......0) ECN-CE not set
      TotalLength: 1222 (0x4C6)
      Identification: 44701 (0xAE9D)
    - FragmentFlags: 16384 (0x4000)
       Reserved: (0...............)
       DF:       (.1..............) Do not fragment
       MF:       (..0.............) This is the last fragment
       Offset:   (...0000000000000) 0
      TimeToLive: 46 (0x2E)
      NextProtocol: TCP, 6(0x6)
      Checksum: 63171 (0xF6C3)
      SourceAddress: 129.15.96.23
      DestinationAddress: 192.168.1.2
  - Tcp: [Segment Lost]Flags=...AP..., SrcPort=HTTP(80), DstPort=49248, PayloadLen=1182, Seq=3625399474 - 3625400656, Ack=3442313006, Win=14 (scale factor 0x9) = 7168
  ALL HANGS GET "SEGMENT LOST"
      SrcPort: HTTP(80)
      DstPort: 49248
      SequenceNumber: 3625399474 (0xD81734B2)
      AcknowledgementNumber: 3442313006 (0xCD2D872E)
    - DataOffset: 80 (0x50)
       DataOffset: (0101....) 20 bytes
       Reserved:   (....000.)
       NS:         (.......0) Nonce Sum not significant
    - Flags: ...AP...
       CWR:    (0.......) CWR not significant
       ECE:    (.0......) ECN-Echo not significant
       Urgent: (..0.....) Not Urgent Data
       Ack:    (...1....) Acknowledgement field significant
       Push:   (....1...) Push Function
       Reset:  (.....0..) No Reset
       Syn:    (......0.) Not Synchronize sequence numbers
       Fin:    (.......0) Not End of data
      Window: 14 (scale factor 0x9) = 7168
      Checksum: 0xF6BE, Good
      UrgentPointer: 0 (0x0)
      TCPPayload: SourcePort = 80, DestinationPort = 49248
  - Http: HTTP Payload, URL: /GIFS/ECIR.JPG
      payload: HttpContentType = NetmonNull
    IPHTTPS:
  677 {TCP:132, IPv4:26} 4:01:19 PM 8/4/2011 116 iexplore.exe 0x12d4  TCP 0x1 Connected Disregarded  192.168.1.2 129.15.96.23 TCP:Flags=...A...., SrcPort=49248, DstPort=HTTP(80), PayloadLen=0, Seq=3442313006, Ack=3625396554, Win=4380 (scale factor 0x2) = 17520
    Comments?

  11103 {TCP:736, IPv4:735} 7:02:15 AM 8/24/2011 104 iexplore.exe  0x598 TCP 0x2 Connected Good  129.15.96.23 192.168.1.2 Flags=...A...., SrcPort=HTTP(80), DstPort=49472, PayloadLen=0, Seq=3370795655, Ack=3806480488, Win=14 (scale factor 0x9) = 7168 TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=49472, PayloadLen=0, Seq=3370795655, Ack=3806480488, Win=14 (scale factor 0x9) = 7168
    Frame: Number = 11103, Captured Frame Length = 104, MediaType = WiFi
  - WiFi: [Unencrypted Data] F.....P, (I) RSSI = -51 dBm, Rate = 67.5 Mbps
    - MetaData: RSSI = -51 dBm, Rate = 67.5 Mbps
       Version: 2 (0x2)
       Length: 32 (0x20)
     - OpMode: Extensible Station Mode
        StationMode:           (...............................0) Not Station Mode
        APMode:                (..............................0.) Not AP Mode
        ExtensibleStationMode: (.............................1..) Extensible Station Mode
        Unused:                (.0000000000000000000000000000...)
        MonitorMode:           (0...............................) Not Monitor Mode
       Flags: 0 (0x0)
       PhyType: 802.11g
       Channel: 2, Center Frequency: 2417 MHz
       lRSSI: -51 dBm
       Rate: 67.5 Mbps
       TimeStamp: 08/24/2011, 13:02:15.623759 UTC
    - FrameControl: Version 0,Data, Data, F.....P(0x4208)
       Version:        (..............00) 0
       Type:           (............10..) Data
       SubType:        (........0000....) Data
       DS:             (......10........) DS to STA via AP
       MoreFrag:       (.....0..........) No
       Retry:          (....0...........) No
       PowerMgt:       (...0............) Active Mode
       MoreData:       (..0.............) No
       ProtectedFrame: (.1..............) Yes
       Order:          (0...............) Unordered
      Duration: 48 (0x30)
      DA: 1C659D CA2550
      BSSID: Novatel Wireless, Inc. 04C0AF
      SA: Novatel Wireless, Inc. 04C0AF
    - SequenceControl: Sequence Number = 2338
       FragmentNumber: (............0000) 0
       SequenceNumber: (100100100010....) 2338
  - LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
    - DSAP: SNAP(Sub-Network Access Protocol), Individual DSAP
       Address: (1010101.) SNAP(Sub-Network Access Protocol)
       IG:      (.......0) Individual Address
    - SSAP: SNAP(Sub-Network Access Protocol), Command
       Address: (1010101.) SNAP(Sub-Network Access Protocol)
       CR:      (.......0) Command Frame
    - Unnumbered: UI - Unnumbered Information
       MMM:  (000.....) 0
       PF:   (...0....) Poll Bit - No Response Solicited
       MM:   (....00..)
       Type: (......11) Unnumbered(U) Frame
  - Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX CORPORATION
      OrganizationCode: XEROX CORPORATION, 0(0x0000)
      EtherType: Internet IP (IPv4), 2048(0x0800)
  - Ipv4: src=129.15.96.23, Dest = 192.168.1.2, Next Protocol = TCP, Packet ID = 62246, Total IP Length = 40
    - Versions: IPv4, Internet Protocol; Header Length = 20
       Version:      (0100....) IPv4, Internet Protocol
       HeaderLength: (....0101) 20 bytes (0x5)
    - DifferentiatedServicesField: DSCP: 0, ECN: 0
       DSCP: (000000..) Differentiated services codepoint 0
       ECT:  (......0.) ECN-Capable Transport not set
       CE:   (.......0) ECN-CE not set
      TotalLength: 40 (0x28)
      Identification: 62246 (0xF326)
    - FragmentFlags: 16384 (0x4000)
       Reserved: (0...............)
       DF:       (.1..............) Do not fragment
       MF:       (..0.............) This is the last fragment
       Offset:   (...0000000000000) 0
      TimeToLive: 46 (0x2E)
      NextProtocol: TCP, 6(0x6)
      Checksum: 46808 (0xB6D8)
      SourceAddress: 129.15.96.23
      DestinationAddress: 192.168.1.2
  - Tcp: Flags=...A...., SrcPort=HTTP(80), DstPort=49472, PayloadLen=0, Seq=3370795655, Ack=3806480488, Win=14 (scale factor 0x9) = 7168
      SrcPort: HTTP(80)
      DstPort: 49472
      SequenceNumber: 3370795655 (0xC8EA4287)
      AcknowledgementNumber: 3806480488 (0xE2E24868)
    - DataOffset: 80 (0x50)
       DataOffset: (0101....) 20 bytes
       Reserved:   (....000.)
       NS:         (.......0) Nonce Sum not significant
    - Flags: ...A....
       CWR:    (0.......) CWR not significant
       ECE:    (.0......) ECN-Echo not significant
       Urgent: (..0.....) Not Urgent Data
       Ack:    (...1....) Acknowledgement field significant
       Push:   (....0...) No Push Function
       Reset:  (.....0..) No Reset
       Syn:    (......0.) Not Synchronize sequence numbers
       Fin:    (.......0) Not End of data
      Window: 14 (scale factor 0x9) = 7168
      Checksum: 0x14A8, Good
      UrgentPointer: 0 (0x0)
  11104 {HTTP:737, TCP:736, IPv4:735} 7:02:15 AM 8/24/2011 1286 iexplore.exe HTTP Payload, URL: /GIFS/ECIR.JPG  0x598 HTTP 0x2 Connected Good 0x1 129.15.96.23 192.168.1.2 [Segment Lost]Flags=...AP..., SrcPort=HTTP(80), DstPort=49472, PayloadLen=1182, Seq=3370798575 - 3370799757, Ack=3806480488, Win=14 (scale factor 0x9) = 7168 HTTP:HTTP Payload, URL: /GIFS/ECIR.JPG
    Frame: Number = 11104, Captured Frame Length = 1286, MediaType = WiFi
  - WiFi: [Unencrypted Data] F.....P, (I) RSSI = -51 dBm, Rate = 67.5 Mbps
    - MetaData: RSSI = -51 dBm, Rate = 67.5 Mbps
       Version: 2 (0x2)
       Length: 32 (0x20)
     - OpMode: Extensible Station Mode
        StationMode:           (...............................0) Not Station Mode
        APMode:                (..............................0.) Not AP Mode
        ExtensibleStationMode: (.............................1..) Extensible Station Mode
        Unused:                (.0000000000000000000000000000...)
        MonitorMode:           (0...............................) Not Monitor Mode
       Flags: 0 (0x0)
       PhyType: 802.11g
       Channel: 2, Center Frequency: 2417 MHz
       lRSSI: -51 dBm
       Rate: 67.5 Mbps
       TimeStamp: 08/24/2011, 13:02:15.626528 UTC
    - FrameControl: Version 0,Data, Data, F.....P(0x4208)
       Version:        (..............00) 0
       Type:           (............10..) Data
       SubType:        (........0000....) Data
       DS:             (......10........) DS to STA via AP
       MoreFrag:       (.....0..........) No
       Retry:          (....0...........) No
       PowerMgt:       (...0............) Active Mode
       MoreData:       (..0.............) No
       ProtectedFrame: (.1..............) Yes
       Order:          (0...............) Unordered
      Duration: 48 (0x30)
      DA: 1C659D CA2550
      BSSID: Novatel Wireless, Inc. 04C0AF
      SA: Novatel Wireless, Inc. 04C0AF
    - SequenceControl: Sequence Number = 2339
       FragmentNumber: (............0000) 0
       SequenceNumber: (100100100011....) 2339
  - LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
    - DSAP: SNAP(Sub-Network Access Protocol), Individual DSAP
       Address: (1010101.) SNAP(Sub-Network Access Protocol)
       IG:      (.......0) Individual Address
    - SSAP: SNAP(Sub-Network Access Protocol), Command
       Address: (1010101.) SNAP(Sub-Network Access Protocol)
       CR:      (.......0) Command Frame
    - Unnumbered: UI - Unnumbered Information
       MMM:  (000.....) 0
       PF:   (...0....) Poll Bit - No Response Solicited
       MM:   (....00..)
       Type: (......11) Unnumbered(U) Frame
  - Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX CORPORATION
      OrganizationCode: XEROX CORPORATION, 0(0x0000)
      EtherType: Internet IP (IPv4), 2048(0x0800)
  - Ipv4: src=129.15.96.23, Dest = 192.168.1.2, Next Protocol = TCP, Packet ID = 62249, Total IP Length = 1222
    - Versions: IPv4, Internet Protocol; Header Length = 20
       Version:      (0100....) IPv4, Internet Protocol
       HeaderLength: (....0101) 20 bytes (0x5)
    - DifferentiatedServicesField: DSCP: 0, ECN: 0
       DSCP: (000000..) Differentiated services codepoint 0
       ECT:  (......0.) ECN-Capable Transport not set
       CE:   (.......0) ECN-CE not set
      TotalLength: 1222 (0x4C6)
      Identification: 62249 (0xF329)
    - FragmentFlags: 16384 (0x4000)
       Reserved: (0...............)
       DF:       (.1..............) Do not fragment
       MF:       (..0.............) This is the last fragment
       Offset:   (...0000000000000) 0
      TimeToLive: 46 (0x2E)
      NextProtocol: TCP, 6(0x6)
      Checksum: 45623 (0xB237)
      SourceAddress: 129.15.96.23
      DestinationAddress: 192.168.1.2
  - Tcp: [Segment Lost]Flags=...AP..., SrcPort=HTTP(80), DstPort=49472, PayloadLen=1182, Seq=3370798575 - 3370799757, Ack=3806480488, Win=14 (scale factor 0x9) = 7168
      SrcPort: HTTP(80)
      DstPort: 49472
      SequenceNumber: 3370798575 (0xC8EA4DEF)
      AcknowledgementNumber: 3806480488 (0xE2E24868)
    - DataOffset: 80 (0x50)
       DataOffset: (0101....) 20 bytes
       Reserved:   (....000.)
       NS:         (.......0) Nonce Sum not significant
    - Flags: ...AP...
       CWR:    (0.......) CWR not significant
       ECE:    (.0......) ECN-Echo not significant
       Urgent: (..0.....) Not Urgent Data
       Ack:    (...1....) Acknowledgement field significant
       Push:   (....1...) Push Function
       Reset:  (.....0..) No Reset
       Syn:    (......0.) Not Synchronize sequence numbers
       Fin:    (.......0) Not End of data
      Window: 14 (scale factor 0x9) = 7168
      Checksum: 0xD681, Good
      UrgentPointer: 0 (0x0)
      TCPPayload: SourcePort = 80, DestinationPort = 49472
  - Http: HTTP Payload, URL: /GIFS/ECIR.JPG
    - payload: HttpContentType = NetmonNull
       HTTPPayloadLine: 4ïücvÖ#8íÒª×wªx!fÕ.î Ô-`µ’whð˜URÇT1Ç ªsxXLdß«Ç(Ü’¤YVú‘ÈèGZ

• TCP segmentation offload (TSO) and vmxnet3/1000v - bug?

  NOTE: My knowledge of ESX and the 1000v does not run deep so I do not have a thorough understanding of the relationship / integration between those two components.  If anything I'm saying here is out-of-line I apologize in advance.
  Yesterday a report came in that an IIS application on a staging server in our test environment was not working (in Internet Explorer it returned "Page cannot be displayed").  The IIS server sits behind an F5 load balancer.  Both the F5 and the IIS server are VM guests on a VMware ESX host.  Both the IIS server and the F5 had recently been moved to a new environment in which the version of 1000v changed and the vnic driver changed (from E1000 to vmxnet3) and this appeared to be the first time that anybody noticed an issue.
  After some digging we noticed something peculiar.  The problem only manifested when the IIS server and the F5 were on the same physical host.  If they were not co-resident everything worked just fine.  After reviewing packet captures we figured out that the "Page cannot be displayed" was not because the content wasn't making it from IIS server to client but rather because the content was gzip compressed and something happened in-transit between the IIS server and the client to corrupt the payload thereby making the gzip decompressible.  As a matter of fact, at no time was IP connectivity ever an issue.  We could RDP to the IIS server and SSH/HTTP into the F5 without any issues.
  I started digging in a little deeper with Wireshark (details of which are included as an attached PDF).  It turns out that a bug??? involving TCP segmentation offload (TSO) was causing the payload of the communication to become corrupted.  What I'm still trying to figure out is who is responsible for the bug?  Is it VMware or Cisco?  I'm leaning towards Cisco and the 1000v and this is why.
  Referring to the attached PDF, TEST #2 (hosts co-resident) and TEST #3 (hosts not co-resident) show packet captures taken from the IIS box, the 1000v and the F5.  Figure 6 shows that the contents of the gzip'd payload can be deciphered by Wireshark as it leaves the IIS box.  Figure 8 shows capture data from the 1000v's perspective (spanning rx/tx on the F5 veth port).  It's still good at this point.  However, figure 10 shows capture data taken on the F5.  At some point in time between leaving the egress port on the 1000v and entering the F5 it cannot be decompressed (corrupt data).  There is no mention that the TCP checksum failed.  In my mind the only way that the data could be corrupt without a TCP checksum failure is if the corruption occurred during the segmentation of the packet.  However, if it was due to the guest OS-level vnic driver then why did it still look good to the 1000v egress towards the F5? 
  The most curious aspect of this whole thing is the behavior I described earlier related to onbox vs. offbox.  This problem only occurs when the traffic is switched in memory.  Refer to figure's 11 - 16 for capture data that shows the very same test when the F5 and IIS are not co-resident.  Is the 1000v (or vnic) savy enough to skip TSO in software and allow the physical NIC to do TSO if it knows that the traffic is going to have to leave the host and go onto the physical wire?  That's the only way I can make sense of this difference in behavior.
  In any case, here are all of the guest OS-level settings related to offload of any type (along with the defaults) and the one we had to change (in bold) to get this to work with the vmxnet3 NIC:
  IPv4 Checksum Offload: Rx & Tx Enabled
  IPv4 TSO Offload: From Enabled to Disabled
  Large Send Offload V2 (IPv4): Enabled
  Offload IP Options: Enabled
  Offload TCP Options: Enabled
  TCP Checksum Offload (IPv4): Rx & Tx Enabled
  UPD Checksum Offload (IPv4): Rx & Tx Enabled

  Hi sdavids5670
  Did you ever find a proper fix to your issue? was updating the N1Kv a solution?
  I have exactly the same symptoms with a N1Kv [4.2(1)SV2(1.1a)], F5 (ASM), vmxnet3 guests, however I'm failing all RDP (win2k8r2) and SSH large packets (redhat); the rest of my traffic appears fine. This only occurs when the F5 resides on the same VEM or VMware host as you have seen. My packet captures are similar.
  My work around is two fold. Firstly create rules to isolate the F5 onto hosts where guests are not utilising it and secondly, disable TCP offloading (I use IPv4 only). Neither of these are solutions.
  I have not tried a non-F5 trunk (ie, perhaps a CSR1000v) to replicate this without the F5.
  I suspected that the onbox / offbox issue was something specific about the logic of the VEM installed on the host (that's how I justified it to myself) rather than VEM->VEM traffic. It appears that only vEth -> vEth traffic on the same VEM is the issue. Also, I can only replicate this when one of the vEth ports is a trunk. I have yet to be able to replicate this if both are access port-groups (vEths).
  I have yet to log a TAC as I wanted to perform testing to exclude the F5.
  Thought that I would just ask....
  Cheers
  David

• %FW-4-TCP_OoO_SEG: Dropping TCP Segment

  Any idea what this means? Why are these packets being dropped?
  Mar  2 13:46:11.315: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1826858942 1492 bytes is out-of-order; expected seq:1826829902. Reason: TCP reassembly queue overflow - session 10.2.31.31:50052 to 31.13.69.42:80
  Mar  2 13:52:13.439: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1264022358 1492 bytes is out-of-order; expected seq:1263984606. Reason: TCP reassembly queue overflow - session 10.2.31.31:50228 to 184.84.239.17:80
  Mar  2 14:08:46.261: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3591782745 1492 bytes is out-of-order; expected seq:3591717405. Reason: TCP reassembly queue overflow - session 10.2.31.13:58412 to 207.46.206.46:80
  Mar  2 14:08:47.825: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3591726117 1492 bytes is out-of-order; expected seq:3591720309. Reason: TCP reassembly queue overflow - session 10.2.31.13:58412 to 207.46.206.46:80

  Ronni,
  It looks like you are running some firewall inspection features on your router. What's happening is your out-of-order queue is getting full and dropping packets.
  One thing you can try is increasing the queue size:
  ip inspect tcp reassembly queue length
  I would suggest starting with a size of about 80 to see if it has any effect on the logs. If you are still seeing an issue, could you provide a 'show ip inspect statistics' and any relevant configuration?
  Thanks!
  Joey

• How can you distinguish a 'false positive'?

  The IPS generated an alert, SMB Remote Registry Access Attempt. How to investigate the alert? I ran a couple of spyware programs on the host and found some cookies-generaly clean. At what point is the alert resigned as a false positive?
  “Triggers when a client attempts to access the registry on the Windows server. Microsoft tools like REGEDIT provide the ability to access a servers registry over the network. There are several hacking tools that also provide similar capabilities. Every attempted access will cause an alarm to be sent. An attacker can cause serious damage to a computer system by changing the registry.”
  appInstanceId: 403
  signature: description=SMB Remote Registry Access Attempt id=5579 version=S264
  subsigId: 1
  marsCategory: Probe/Host/WinRegistry

  You should start by looking for documented benign triggers:
  https://intellishield.cisco.com/security/alertmanager/ipsSignature?signatureId=5579&signatureSubId=0
  In this case, the benign triggers should tell you what you need to know.

• Cellular signal becomes false positive

  Everything works fine, except after a while the cellular signal becomes a false positive. By this I mean the upper left corner continue to read "Verizon 4G LTE" with a few bars, but there's actually no signal. All apps that require the Internet doesn't work. It's an easy fix though — in Settings, the Cellular Data has to be turned off, then turned back on. And by "after a while" I mean when it falls into sleep mode after a FaceTime session, then awoken. Not sure exactly how long afterwards. Not sure if it's consistently after one nap or longer. Not sure if running other apps would do the same thing.
  Question is:
  Is this normal?
  I can imagine the upside is that you don't waste data in a prepaid data plan like when background apps continue to run.
  The dreadful downside, however, is that any incoming FaceTime call cannot get through.
  If this is NOT normal, is it a common glitch/bug/quirk? And how to fix it?
  iPad3, OS 6.0.1

  You can't begin measuring velocity until it is positive unless you have already been measuring velocity.
  The solution is to always do the measurement.  Evaluate it with a >0.  In the true condition, then do whatever it is you want to do.

• False Positives with GRC AC 5.2

  Hi,
  I actually have been working with GRC AC 5.2 (Compliance Calibrator) and we encountered several problems with false positives, working in the risk analysis.
  ¿do anyone knows how to solve this problem? ¿do you have documents or links to help?
  Thanks,
  Ricardo.

  Thank you Alpesh for response.
  In fact, i have several problem with false positives, but with transactional level. For example, i have a user with pfcg and su01 transaction. The configutation of profiles in SAP r/3 system do not allow to user involved in this, to execute both transactions in end-to-end process, i mean, the user have a transaction vía s_tcode object, have some other objects related with pfcg and su01 transactions, but he doesn´t have the values that allow to a transactions work properly. Then the Compliance Calibrator informs risks that it doesn´t exists.
  It seems that is a ruleset configuration problem in the CC, then my question is, ¿the standard ruleset detects properly these problems?
  Let my explain the reason that causes the problem.
  We have been working with personalized ruleset, for customer-request. For that reason we look the usobt_c table and we form the ruleset-->functions in CC so that this functions were equal to usobt_c table. We did that because the standard ruleset shows false positives, such as first example of this post.
  Thank you very much,
  RCL.
  Edited by: Ricardo  Carrasco on Jun 18, 2009 11:58 PM

• LMS 4.2.2 DFM still not possible to disable Duplicate IP false positives?

  I found one discussion about Cisco Works 2.6 where it is pointed out that duplicate IP alerts cannot be disabled in LMS.
  Now I have a installation with 2 core switches, one has all VLAN Interfaces up, the second one the same interfaces with SAME IP addresses in shutdown state.
  DFM still recognizes these similar IP configuration on two boxes as duplicate ip situation, but it shouldn't because they are all shutdown.
  Is it possible to disable these false positives in DFM?
  Thanks for any hints!

  I found one discussion about Cisco Works 2.6 where it is pointed out that duplicate IP alerts cannot be disabled in LMS.
  Now I have a installation with 2 core switches, one has all VLAN Interfaces up, the second one the same interfaces with SAME IP addresses in shutdown state.
  DFM still recognizes these similar IP configuration on two boxes as duplicate ip situation, but it shouldn't because they are all shutdown.
  Is it possible to disable these false positives in DFM?
  Thanks for any hints!

• Comparing documents and false positives

  Hello,
  I often have to send a proof of a book to a printer. The proof is a PDF. When they return a soft proof--another PDF that they will use to print--I need to quickly compare the two to make sure that there have been no changes in the text.
  The Compare Documents feature certainly beats a side-by-side eyeball scan. But I often get a lot of false positives, words are flagged that actually have not changed.
  It appears that my PDF, exported from InDesign has some hidden discretionary hyphens. In ID these are used to make sure a word breaks at the end of the line at the correct syllable. They are invisible when printed. In a PDF these are not necessary because the text ain't gonna reflow, right?
  But when I compare the soft proof to the original PDF, words with discretionary hyphens are flagged. Somehow the printer has stripped the discretionary hyphens. That's fine but what must I do to get rid of them in my PDF?
  Below is an example. The PDF shown is the one from the printer. The comment box shows the difference from the original PDF, though there is in fact no difference on the page.
  Any advice would be appreciated.
  Tom

  I like Acrobat's text comparisons, which have saved me from bad goofs several times -- mostly stray key-strokes, but once I caught an InDesign footnote numbering snafu.  However, the false positives have always been annoying even without flagging every single discretionary hyphen.
  I imagine you have tried the image method for comparisons, a modern version of the old trick of putting printouts of the old and new versions of a page on a light table to find differences.
  I don't recall seeing comments of the type "undefined", but does re-sorting comments by type at least isolate these so you can step through the rest?  I'm no scripter, but can a javascript mark or eliminate comments containing hyphens?
  More drastic, would it be worth trying to eliminate the discretionary hyphens?  For instance, you could apply Harb's "Freeze Composition" in InDesign, and then search-and-replace all discretionary hyphens.  (Read the comments on the In-Tools site, as well as those in the InDesignSecrets blog it links to because you might want to modify the way it handles hyphens.)
  Good luck!
  David