LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 10-30-2012, 08:05 PM   #1
raphaeldavidf
Member
 
Registered: Sep 2012
Location: São Paulo, Brazil
Distribution: Slackware 14.0
Posts: 33

Rep: Reputation: 17
Invalid packet messages in dmesg on Slackware64 14


Hey guys,

for a while now I've noticed this messages in my dmesg output:


Code:
[ 2780.795888] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=74.125.234.177 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=65392 PROTO=TCP SPT=443 DPT=44817 WINDOW=0 RES=0x00 RST URGP=0 
[ 3142.305954] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=69.63.190.74 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=28080 DF PROTO=TCP SPT=80 DPT=38955 WINDOW=0 RES=0x00 ACK RST URGP=0 
[ 3255.536373] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=69.63.190.74 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=13768 DF PROTO=TCP SPT=80 DPT=38953 WINDOW=0 RES=0x00 ACK RST URGP=0 
[ 3363.902825] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=69.63.190.74 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=9579 DF PROTO=TCP SPT=80 DPT=38952 WINDOW=0 RES=0x00 ACK RST URGP=0 
[ 3511.905695] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=199.47.217.177 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=443 DPT=41920 WINDOW=0 RES=0x00 RST URGP=0 
[ 4660.165956] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=74.125.234.185 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=9516 PROTO=TCP SPT=443 DPT=57088 WINDOW=0 RES=0x00 RST URGP=0 
[ 4660.170552] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=74.125.234.185 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=9517 PROTO=TCP SPT=443 DPT=57088 WINDOW=0 RES=0x00 RST URGP=0 
[ 4976.340183] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=173.194.34.79 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=3662 PROTO=TCP SPT=443 DPT=44741 WINDOW=0 RES=0x00 RST URGP=0 
[ 5343.291404] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=74.125.234.161 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=18881 PROTO=TCP SPT=443 DPT=41007 WINDOW=0 RES=0x00 RST URGP=0
what does it mean? Is some wrong configuration?

Thanks
 
Old 10-30-2012, 08:38 PM   #2
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,481
Blog Entries: 6

Rep: Reputation: Disabled
Code:
173.194.34.79 is GOOGLE
199.47.217.177 is DROPBOX
69.63.190.74 is TFBNET2
74.125.234.161 is GOOGLE
74.125.234.177 is GOOGLE
74.125.234.185 is GOOGLE
Try
Code:
grep -iw wlan0 /var/log/*
and look for another clue.

Last edited by Habitual; 10-30-2012 at 08:40 PM.
 
1 members found this post helpful.
Old 10-30-2012, 09:59 PM   #3
raphaeldavidf
Member
 
Registered: Sep 2012
Location: São Paulo, Brazil
Distribution: Slackware 14.0
Posts: 33

Original Poster
Rep: Reputation: 17
with
Code:
grep -iw wlan0 /var/log/*
the only strange thing that I found was this

Code:
/var/log/syslog.1:Oct 27 21:17:26 DeathStar kernel: [ 2255.613646] INPUT packet died: IN=wlan0 OUT= MAC= SRC=192.168.88.199 DST=239.192.152.143 LEN=147 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=36708 DPT=6771 LEN=127 
/var/log/syslog.1:Oct 27 21:17:26 DeathStar kernel: [ 2255.613737] INPUT packet died: IN=wlan0 OUT= MAC= SRC=192.168.88.199 DST=239.192.152.143 LEN=147 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=6771 DPT=6771 LEN=127 
/var/log/syslog.1:Oct 27 21:17:26 DeathStar kernel: [ 2255.613781] INPUT packet died: IN=wlan0 OUT= MAC= SRC=192.168.88.199 DST=239.192.152.143 LEN=147 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=6771 DPT=6771 LEN=127
But I still don't have a clue...
the output is attached (the complete output was 6 MB so i edited to leave only newer messages).
Attached Files
File Type: txt log.txt (211.4 KB, 3 views)
 
Old 10-31-2012, 07:02 AM   #4
bormant
Member
 
Registered: Jan 2008
Posts: 100

Rep: Reputation: 47
You can see your firewall settings, somewhere will be "-j LOG --log-prefix="INPUT packet died: ". These messages generated with that firewall rule.
 
3 members found this post helpful.
Old 10-31-2012, 09:57 AM   #5
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,211

Rep: Reputation: 292Reputation: 292Reputation: 292
Yeah logging firewall rules is something for the masochists among us
 
Old 10-31-2012, 02:41 PM   #6
tobyl
Member
 
Registered: Apr 2003
Location: uk
Distribution: slackware current
Posts: 743

Rep: Reputation: 51
You can use an online whois to lookup destination ip addresses as Habitual probably did for you

you can google port numbers (or look at /etc/services) to get an idea what service is using that port

6771 is often used by a p2p service called transmission, perhaps someone on your lan is using this?
If you have run a p2p app recently, and you have quit the application, peers will still try to connect for a while and your firewall will reject them. One of those 3 lines has a TTL of one, and all have a local ip of 192.168.88.199 - this sounds like local broadcast traffic

one of my favourites is (as root)
Quote:
netstat -pantu
this will tell you what services you have running and which ports they are using
Quote:
lsof -i
gives similar info

you should be able to match this info with your log output to help you see what is going on on your network.

tobyl
 
Old 10-31-2012, 02:45 PM   #7
raphaeldavidf
Member
 
Registered: Sep 2012
Location: São Paulo, Brazil
Distribution: Slackware 14.0
Posts: 33

Original Poster
Rep: Reputation: 17
Thanks guys for all the replies. As soon as I get home I'll try them out. =D
 
Old 11-01-2012, 05:24 PM   #8
raphaeldavidf
Member
 
Registered: Sep 2012
Location: São Paulo, Brazil
Distribution: Slackware 14.0
Posts: 33

Original Poster
Rep: Reputation: 17
Thanks bormant and all the others for the help, it was this
Code:
-j LOG --log-prefix="INPUT packet died: "
in my firewall rules. The problem was solved when I removed this.
 
Old 11-01-2012, 09:12 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

Rep: Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901
Quote:
Originally Posted by raphaeldavidf View Post
The problem was solved when I removed this.
The first batch was tagged "Invalid packet:", marking packets containing a RST flag, which differs from the second batch as they carry no clue at all wrt reasons for filtering. So IMHO the only thing removing that log target or firewall rule accomplished was stop logging instead of making you aware why that rule was there in the first place...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
excess of Invalid packet in dmesg | firewall kernel 2.6.28.8 slackware 12.2 acummings Slackware 1 03-31-2009 01:56 AM
dmesg Invalid packet / INPUT packet died flood H_TeXMeX_H Slackware 5 11-12-2007 02:52 PM
dmesg Invalid packet H_TeXMeX_H Slackware 4 03-13-2007 12:07 PM
Getting Messages Before Dmesg LinuxGeek Linux - Software 2 01-18-2005 07:10 AM
Bogus packet displayed in dmesg zulfilee Linux - Networking 0 06-23-2004 08:52 AM


All times are GMT -5. The time now is 11:23 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration