Henry Markov
2010-06-09 15:57:18 UTC
One XP/SP2 machine in our private network of about 85 identical machines
occasionally is the source of a NetBIOS name query message that has a bad
TCP checksum as indicated by a Wireshark trace. In the case we most closely
investigated, the high-order octet of the source IP address got a bit flipped
so that 192 became 196. This produced a TCP checksum error but not a UDP
checksum error. Immediately upon broadcast of this erroneous packet, all
networking to all machines on the network except for the source machine was
permanently disabled; however, switches and a non-MS system on the network
remained intact. Networking could only be restored by rebooting all
machines.
I used Wireshark to capture a good name query message and then I corrupted
it in the same way that it had been corrupted in production. I used the
Colasoft Packet Player to play this message back into a switch and all MS XP
hosts had their networking disabled exactly as in the production scenario.
The machines use XP-Embedded and are headless, etc., so visibility into these
machines is limited and we need to enhance that. Note that XP-Embedded uses
the same OS code as desktop XP, so I assume we are dealing with a generic XP
issue. Pending more investigation on our part, I am very interested in
knowing whether any aspects of this problem are known or have been seen
before. Also, any insight or suggestions are welcome.
HM
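A checksum validator for the packet described above, added here as an example and not part of the original post or any Microsoft/Wireshark code. It constructs a sample IPv4/UDP NetBIOS name query (addresses and name are made up), flips the same bit in the high-order source octet (192 to 196), and shows that the IP header checksum fails and, because the UDP pseudo-header covers the source address, the UDP checksum also fails unless the sender emitted a zero (disabled) UDP checksum. Running such a check over a capture is one way to spot corrupted queries before they are broadcast.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 16 name bytes -> 32 letters 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode() + bytes([suffix])
    enc = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return bytes([32]) + enc + b"\x00"  # one 32-byte label, then root

def build_nbns_query(src_ip: str, dst_ip: str, name: str) -> bytes:
    """Constructed IPv4/UDP NetBIOS name query (ports 137) with valid checksums."""
    src, dst = (bytes(map(int, ip.split("."))) for ip in (src_ip, dst_ip))
    # NBNS header: txid, flags 0x0110 (broadcast query, recursion desired), 1 question
    payload = (struct.pack("!6H", 0x1234, 0x0110, 1, 0, 0, 0)
               + encode_nb_name(name) + struct.pack("!HH", 0x20, 1))  # NB, IN
    udp_len = 8 + len(payload)
    udp = struct.pack("!4H", 137, 137, udp_len, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
    udp = udp[:6] + struct.pack("!H", inet_checksum(pseudo + udp) or 0xFFFF) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 128, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + udp

def verify_checksums(pkt: bytes) -> tuple:
    """Return (ip_header_ok, udp_ok); udp_ok is None when the UDP checksum is zero."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_ok = inet_checksum(pkt[:ihl]) == 0          # valid header sums to zero
    total_len = struct.unpack("!H", pkt[2:4])[0]
    udp = pkt[ihl:total_len]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    if struct.unpack("!H", udp[6:8])[0] == 0:
        return ip_ok, None                          # sender disabled UDP checksum
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 17, udp_len)
    return ip_ok, inet_checksum(pseudo + udp) == 0

def flip_source_octet_bit(pkt: bytes, bit: int = 2) -> bytes:
    """Test case: flip one bit of the high-order source octet (192 -> 196), as in the post."""
    return pkt[:12] + bytes([pkt[12] ^ (1 << bit)]) + pkt[13:]
```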