3

I am running Scapy 2.4 in Ubuntu 16.04. I have found that on basic packets (Eth/IP/UDP or Eth/IP/TCP) Wireshark often flags a failed frame check sequence.

Upon investigation I found that the "broken packets" all have trailing data behind the UDP or TCP payload. The trailing data is interpreted by Wireshark as FCS and the check fails.

How can I stop the random trailing data from being attached to the packet? It looks like some memory leak, since the trailer contains readable strings, "desktop/IBus/" for example.

Wireshark screenshot

I have not come across the problem on CentOS or Windows, but might it be OS or interface card related? Any ideas?

The code used to reproduce the problem:

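from scapy.all import Ether, IP, UDP, Raw, sendp

# Build an Eth/IP/UDP packet with a short payload and send it at layer 2
data = Raw(load="A string of data to fill min packet size")
sendp(Ether()/IP(dst="172.16.63.96")/UDP(sport=4123, dport=5432)/data)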

Wireshark capture of sent packet on origination PC

From Scapy I wrote a pcap file containing the generated packets; when inspecting the pcap file with Wireshark, the packets are good. If I then play the 'pcap' file out and capture those packets, trailing data appears. I played the pcap file using Scapy as well as tcpreplay. In both cases random trailing data appears. It looks more like an Ubuntu or driver issue.

phenning
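
A way to check captured frames for the trailer described in the question, as an added example that is not part of the original post: it compares the frame length with the IPv4 total length and separates zero padding or a valid FCS from non-zero trailer bytes. The helper names, the source address and the sample frames are constructed for illustration; only the payload, ports, destination and the "desktop/IBus/" string come from the question.

```python
import struct
import zlib

ETH_HDR_LEN = 14          # untagged Ethernet II header
ETHERTYPE_IPV4 = 0x0800

def build_frame(payload: bytes, trailer: bytes = b"") -> bytes:
    """Constructed Eth/IPv4/UDP frame (checksums left at 0) plus optional trailer."""
    udp = struct.pack("!HHHH", 4123, 5432, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([172, 16, 63, 96])) + udp
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + trailer

def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 of the frame, least significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def ip_trailer(frame: bytes) -> bytes:
    """Bytes in the frame that lie beyond the IPv4 total length."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("too short for Ethernet + IPv4")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("only untagged IPv4 frames are handled")
    end = ETH_HDR_LEN + struct.unpack("!H", frame[16:18])[0]
    if end > len(frame):
        raise ValueError("IP total length exceeds the captured frame")
    return frame[end:]

def classify(frame: bytes) -> str:
    trailer = ip_trailer(frame)
    has_fcs = len(trailer) >= 4 and trailer[-4:] == fcs(frame[:-4])
    if has_fcs:
        trailer = trailer[:-4]        # a real checksum is not leaked data
    if any(trailer):
        return "nonzero-trailer"      # neither padding nor a checksum
    if has_fcs:
        return "valid-fcs"
    return "zero-padding" if trailer else "clean"

if __name__ == "__main__":
    payload = b"A string of data to fill min packet size"
    for f in (build_frame(payload), build_frame(b"hi", b"\x00" * 16),
              build_frame(payload) + fcs(build_frame(payload)),
              build_frame(payload, b"desktop/IBus/")):
        print(len(f), classify(f), ip_trailer(f))
```

Frames reported as "nonzero-trailer" are the ones Wireshark would show with a failed FCS check in the situation described above.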

2 Answers

2

I had a similar issue, but with Tcpreplay. I downgraded the kernel on my Ubuntu server to 4.15.0-23-generic and this resolved the problem. Just adding this in case anyone with the Tcpreplay issue comes across this post.

Simplified
1

The answer was found on Scapy’s Gitter:

Screenshot

(Edit: it might not cover all versions, but it’s a Linux bug)

It’s a Linux bug

Cukic0d