View Issue Details

ID: 0014679
Project: CentOS-7
Category: tcpdump
View Status: public
Last Update: 2018-04-11 14:56
Reporter: bsterne
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: CentOS
OS: CentOS 7
OS Version: 7.4.1708
Product Version: 7.4.1708
Target Version:
Fixed in Version:
Summary: 0014679: Syn-Ack frames captured from loopback have mangled timestamps
Description: When capturing traffic off the loopback interface, timestamps for all SYN-ACK packets are badly mangled. This prevents tools like network analyzers and IDS from correctly identifying traffic flows. I have reproduced this on 3 flavors of CentOS 7 VMs (OpenStack, VirtualBox, Hyper-V) as well as bare metal. On the virtual machines, the timestamps tend to be mangled such that they fall in the early 1970s, while on bare metal they tend to fall into the 2060s.

It happens with all SYN-ACK packets. See frame 4:

$ tshark -t ud -r lo-port80.pcap | head -n6
    1 2018-04-09 23:16:28.351659 ::1 → ::1 TCP 94 58156 → 80 [SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=8358348 TSecr=0 WS=64
    2 2018-04-09 23:16:28.351667 ::1 → ::1 TCP 74 80 → 58156 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    3 2018-04-09 23:16:28.351937 127.0.0.1 → 127.0.0.1 TCP 74 43060 → 80 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349 TSecr=0 WS=64
    4 1971-02-20 11:53:55.672126 127.0.0.1 → 127.0.0.1 TCP 74 80 → 43060 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349 TSecr=8358349 WS=64
    5 2018-04-09 23:16:28.351959 127.0.0.1 → 127.0.0.1 TCP 66 43060 → 80 [ACK] Seq=1 Ack=1 Win=43712 Len=0 TSval=8358349 TSecr=8358349
    6 2018-04-09 23:16:28.352031 127.0.0.1 → 127.0.0.1 HTTP 139 GET / HTTP/1.1

Steps To Reproduce:
[shell-1]$ sudo tcpdump -s 0 -i lo -w lo-port-80.pcap "port 80"
[shell-2]$ sudo python -m SimpleHTTPServer 80
[shell-3]$ curl localhost
[shell-1]$ ^C
[shell-1]$ tshark -t ud -r lo-port-80.pcap | grep "SYN, ACK"
  4 2071-12-25 07:07:56 127.0.0.1 -> 127.0.0.1 TCP 74 http > 43230 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=4044275184 TSecr=4044275184 WS=128
Tags: No tags attached.
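
An added example, not part of the original report: captures affected by this issue can be screened before they reach an analyzer or IDS by flagging records whose timestamp sits far from the capture's median. It assumes the classic pcap file format (not pcapng) and a capture shorter than `max_skew`; the function names and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timezone
from statistics import median

# Classic pcap magic (microsecond resolution) mapped to struct byte order.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def find_timestamp_outliers(pcap_bytes, max_skew=86400):
    """Return [(frame_no, epoch_sec)] for records more than max_skew seconds
    from the capture's median timestamp. Assumes the capture itself spans
    less than max_skew; raise the threshold for long-running captures."""
    endian = PCAP_MAGICS.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic microsecond-resolution pcap file")
    secs, off = [], 24                      # 24-byte global header
    while off + 16 <= len(pcap_bytes):      # 16-byte per-record header
        sec, _usec, incl_len, _orig_len = struct.unpack_from(
            endian + "IIII", pcap_bytes, off)
        secs.append(sec)
        off += 16 + incl_len                # skip the captured bytes
    if not secs:
        return []
    mid = median(secs)
    return [(n, s) for n, s in enumerate(secs, 1) if abs(s - mid) > max_skew]

def build_sample_pcap():
    """Constructed sample: six records stamped like the tshark listing in
    the report, with frame 4 falling in 1971."""
    good = int(datetime(2018, 4, 9, 23, 16, 28, tzinfo=timezone.utc).timestamp())
    bad = int(datetime(1971, 2, 20, 11, 53, 55, tzinfo=timezone.utc).timestamp())
    stamps = [(good, 351659), (good, 351667), (good, 351937),
              (bad, 672126), (good, 351959), (good, 352031)]
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in stamps:
        # Record header followed by a dummy 4-byte payload
        pcap += struct.pack("<IIII", sec, usec, 4, 4) + b"\x00" * 4
    return pcap

if __name__ == "__main__":
    for frame_no, sec in find_timestamp_outliers(build_sample_pcap()):
        when = datetime.fromtimestamp(sec, tz=timezone.utc)
        print(f"frame {frame_no}: implausible capture timestamp "
              f"{when:%Y-%m-%d %H:%M:%S} UTC")
```
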

Activities

TrevorH

2018-04-11 14:56

manager   ~0031602

Tested here on 3.10.0-693.21.1 and I get packets with dates of 2094-05-31.

Tested on a Debian machine running a 4.14 kernel and the dates are correct.

This is almost certainly a kernel bug and will need to be reported to Red Hat via bugzilla.redhat.com (unless you have a support contract with them). Once they fix the problem, CentOS will inherit the fix when it's released.

Issue History

Date Modified | Username | Field | Change
2018-04-11 14:32 | bsterne | New Issue |
2018-04-11 14:56 | TrevorH | Note Added: 0031602 |