I started seeing corrupted packets that I've never seen before and wanted to know what the root cause is. I suspect an overloaded network, but a bug or a defective sender might also be the possible (or something completely different). This is a sample of a corrupted packet:
They don't occur too often, but often enough to be visible. Is my assumption correct that these are caused by collisions or network overload? I'm using Wireshark 2.2.3 and the development network these packets are from has a lot of broadcasts. asked 28 Jun '17, 05:53 Blutkoete edited 28 Jun '17, 05:54 showing 5 of 6 show 1 more comments |
One Answer:
0x55 is the bit pattern "01010101", which is used as the preamble and can sometimes be seen when a collision on a half duplex network occurs. In your case it crashed into the beginning of a new frame from the MAC starting with 68:58:c5 before "disaster" strikes (meaning, another node starting to send it's preamble to the wire). So yes, these are caused by collisions. answered 28 Jun '17, 08:22 Jasper ♦♦ |
The answer largely depends on what hardware you use to capture the packets and what type of network you use. A normal Ethernet card would silently drop any incoming packet with a wrong CRC, so either it doesn't because it is a hardware specially designed to capture everything including corrupt packets, or the source sends them with correct CRC. And yes, there is also a theoretical possibility that the CRC of the packet above is
55 55 55 55
, but somehow I don't believe it :-)I'm afraid you'll need to identify the source by splitting the network into halves and capturing just one direction between them, and then splitting the guilty half into halves again, etc., until you get to the last switch where you'll need to check port by port.
Thank you very much!
I feared there's no simple answer to my problem.
Having TDM / VoIP equipment in the 'development network'?
I would maybe start by using a network card based on a different chipset (and, preferably, even chipset vendor) for capturing, in order to exclude the receiving side from the search. This should be relatively simple as world is full of USB network cards.
I'll try to record a trace with a USB network card and check every part of the network step by step. It was just I hoped that there was a simple answer like 'Ah! 0x55! That's a clear indicator of X!', but that is obviously not the case :).
The development network is connecting reference systems for position and distance measurements, if there is a sender in there issuing VoIP packets than something has gone really wrong in the lab.
What @Jaap was thinking of was that 0x55 is PCMA (type of voice codec) zero, so a chain of 0x55 is PCMA silence. But there should be much more other bytes in front of it even if you would capture at raw IP level (no Ethernet layer in the captured frame).