[SOLVED] Invalid packet messages in dmesg on Slackware64 14

raphaeldavidf · 10-30-2012, 08:05 PM

Hey guys,

for a while now I've noticed this messages in my dmesg output:

Code:

[ 2780.795888] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=74.125.234.177 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=65392 PROTO=TCP SPT=443 DPT=44817 WINDOW=0 RES=0x00 RST URGP=0 
[ 3142.305954] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=69.63.190.74 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=28080 DF PROTO=TCP SPT=80 DPT=38955 WINDOW=0 RES=0x00 ACK RST URGP=0 
[ 3255.536373] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=69.63.190.74 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=13768 DF PROTO=TCP SPT=80 DPT=38953 WINDOW=0 RES=0x00 ACK RST URGP=0 
[ 3363.902825] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=69.63.190.74 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=9579 DF PROTO=TCP SPT=80 DPT=38952 WINDOW=0 RES=0x00 ACK RST URGP=0 
[ 3511.905695] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=199.47.217.177 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=443 DPT=41920 WINDOW=0 RES=0x00 RST URGP=0 
[ 4660.165956] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=74.125.234.185 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=9516 PROTO=TCP SPT=443 DPT=57088 WINDOW=0 RES=0x00 RST URGP=0 
[ 4660.170552] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=74.125.234.185 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=9517 PROTO=TCP SPT=443 DPT=57088 WINDOW=0 RES=0x00 RST URGP=0 
[ 4976.340183] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=173.194.34.79 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=3662 PROTO=TCP SPT=443 DPT=44741 WINDOW=0 RES=0x00 RST URGP=0 
[ 5343.291404] Invalid packet: IN=wlan0 OUT= MAC=ec:55:f9:af:27:be:00:0c:42:71:9d:bc:08:00 SRC=74.125.234.161 DST=192.168.88.199 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=18881 PROTO=TCP SPT=443 DPT=41007 WINDOW=0 RES=0x00 RST URGP=0

what does it mean? Is some wrong configuration?

Thanks

Habitual · 10-30-2012, 08:38 PM

Code:

173.194.34.79 is GOOGLE
199.47.217.177 is DROPBOX
69.63.190.74 is TFBNET2
74.125.234.161 is GOOGLE
74.125.234.177 is GOOGLE
74.125.234.185 is GOOGLE

Try

Code:

grep -iw wlan0 /var/log/*

and look for another clue.

raphaeldavidf · 10-30-2012, 09:59 PM

with

Code:

grep -iw wlan0 /var/log/*

the only strange thing that I found was this

Code:

/var/log/syslog.1:Oct 27 21:17:26 DeathStar kernel: [ 2255.613646] INPUT packet died: IN=wlan0 OUT= MAC= SRC=192.168.88.199 DST=239.192.152.143 LEN=147 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=36708 DPT=6771 LEN=127 
/var/log/syslog.1:Oct 27 21:17:26 DeathStar kernel: [ 2255.613737] INPUT packet died: IN=wlan0 OUT= MAC= SRC=192.168.88.199 DST=239.192.152.143 LEN=147 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=6771 DPT=6771 LEN=127 
/var/log/syslog.1:Oct 27 21:17:26 DeathStar kernel: [ 2255.613781] INPUT packet died: IN=wlan0 OUT= MAC= SRC=192.168.88.199 DST=239.192.152.143 LEN=147 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=6771 DPT=6771 LEN=127

But I still don't have a clue...
the output is attached (the complete output was 6 MB so i edited to leave only newer messages).

bormant · 10-31-2012, 07:02 AM

You can see your firewall settings, somewhere will be "-j LOG --log-prefix="INPUT packet died: ". These messages generated with that firewall rule.

dive · 10-31-2012, 09:57 AM

Yeah logging firewall rules is something for the masochists among us

tobyl · 10-31-2012, 02:41 PM

You can use an online whois to lookup destination ip addresses as Habitual probably did for you

you can google port numbers (or look at /etc/services) to get an idea what service is using that port

6771 is often used by a p2p service called transmission, perhaps someone on your lan is using this?
If you have run a p2p app recently, and you have quit the application, peers will still try to connect for a while and your firewall will reject them. One of those 3 lines has a TTL of one, and all have a local ip of 192.168.88.199 - this sounds like local broadcast traffic

one of my favourites is (as root)

Quote:

netstat -pantu

this will tell you what services you have running and which ports they are using

Quote:

lsof -i

gives similar info

you should be able to match this info with your log output to help you see what is going on on your network.

tobyl

raphaeldavidf · 10-31-2012, 02:45 PM

Thanks guys for all the replies. As soon as I get home I'll try them out. =D

raphaeldavidf · 11-01-2012, 05:24 PM

Thanks bormant and all the others for the help, it was this

Code:

-j LOG --log-prefix="INPUT packet died: "

in my firewall rules. The problem was solved when I removed this.

unSpawn · 11-01-2012, 09:12 PM

Quote:

Originally Posted by raphaeldavidf

The problem was solved when I removed this.

The first batch was tagged "Invalid packet:", marking packets containing a RST flag, which differs from the second batch as they carry no clue at all wrt reasons for filtering. So IMHO the only thing removing that log target or firewall rule accomplished was stop logging instead of making you aware why that rule was there in the first place...