
help with syslog files - explanation needed

Discussion in 'Networking' started by cyberpac9, Jan 17, 2007.

  1. cyberpac9 (Thread Starter)

    Here's my setup: PC wired to Linksys WRT54G wireless router, which connects to my cable modem. Upgraded firmware on Linksys (dd-wrt) in order to enable WDS. AirPort Express connected wirelessly to Linksys with WDS enabled. Laptop connects wirelessly to network.

    If I connect my AX (plug it in), my wireless network disconnects. If I unplug my AX, I am good to go with my wireless network. Put Kiwi Syslog on my PC to log what is happening. Here is a sample log file from my syslog when I connect my AX, thus causing my wireless network to drop:

    Code:
    2007-01-16 20:33:11   Kernel.Warning   192.168.1.1   kernel: DROP IN=vlan1 OUT= MAC=00:13:72:98:23:e2:00:01:5c:23:cd:42:08:00:45:00:01:f8 SRC=204.16.210.62 DST=74.131.xxx.xx LEN=504 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=33202 DPT=1026 LEN=484
    2007-01-16 20:33:11   Kernel.Warning   192.168.1.1   kernel: DROP IN=vlan1 OUT= MAC=00:13:72:98:23:e2:00:01:5c:23:cd:42:08:00:45:00:01:f8 SRC=204.16.210.62 DST=74.131.xxx.xx LEN=504 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=33202 DPT=1027 LEN=484
    2007-01-16 20:33:21   Kernel.Warning   192.168.1.1   kernel: DROP IN=vlan1 OUT= MAC=00:13:72:98:23:e2:00:01:5c:23:cd:42:08:00:45:00:00:30 SRC=64.236.47.54 DST=74.131.xxx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=4038 SEQ=3318004730 ACK=2694466358 WINDOW=5840 RES=0x00 ACK SYN URGP=0 OPT (020405B401010402)
    2007-01-16 20:34:09   Kernel.Warning   192.168.1.1   kernel: DROP IN=vlan1 OUT= MAC=00:13:72:98:23:e2:00:01:5c:23:cd:42:08:00:45:00:00:30 SRC=64.236.47.54 DST=74.131.xxx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=4038 SEQ=3318004730 ACK=2694466358 WINDOW=5840 RES=0x00 ACK SYN URGP=0 OPT (020405B401010402)
    
    Some of this I understand (I think) but some I don't:
    2007-01-16 20:33:11 - date
    Kernel.Warning - type of warning
    192.168.1.1 - router IP
    kernel: DROP IN=vlan1 OUT= - I don't know
    MAC=00:13:72:98:23:e2:00:01:5c:23:cd:42:08:00:45:00:01:f8 - the first part is the MAC address of my PC that is wired to my router
    SRC=204.16.210.62 - I don't know what IP address this represents
    DST=74.131.xxx.xx - router IP
    LEN=504 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=33202 DPT=1026 LEN=484 - don't know what any of this is

    If anyone can assist me and help me figure out what this is telling me so that I can properly use my AX for WDS, I'd really appreciate it...
     
  2. cyberpac9 (Thread Starter)

    Even if you don't know the answer, if anyone can tell me where I can go to get help with my router logs, I'd really appreciate it...
     
  3. O111111O

    Looks like you have a couple of different issues. Thanks for taking the time to actually look at syslog.

    I like problems like this. Let's start with the flow below, and we'll go from there. Please review notes.


    2007-01-16 20:33:11 - date
    Kernel.Warning - type of warning
    192.168.1.1 - router IP
    kernel: DROP IN=vlan1 OUT= - I don't know - * note 1
    MAC=00:13:72:98:23:e2:00:01:5c:23:cd:42:08:00:45:00:01:f8 - the first part is the MAC address of my PC that is wired to my router * note 2
    SRC=204.16.210.62 - I don't know what IP address this represents * note 3
    DST=74.131.xxx.xx - router IP
    LEN=504 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=33202 DPT=1026 LEN=484 - don't know what any of this is * note 4


    note 1: This is showing the direction of the flow. The input of the flow is vlan1 (outside, if your config is default), and the output isn't specified.

    note 2: You're seeing three MACs in one. Did you configure the router in AP mode, client, or bridge mode?

    note 3: Sorry to be obvious, but this is the source IP that this flow is referencing.

    note 4: This one will be long. It doesn't matter for your purpose, but I'd like to explain - what you're seeing is the IP header.
    LEN=504 - Length of the header + payload of the packet.
    TOS=0x00 - Type of service bits (0, or the default) This is Layer3 queuing mech.
    PREC=0x00 - IP precedence bits (0, default) This is layer2 queue.
    TTL=47 - Time to Live. Loosely the number of router hops for packet expiry.
    ID=0 - Type of packet
    DF - Don't Fragment. This is telling devices not to fragment packet if it exceeds MTU.
    PROTO=UDP - This is a UDP protocol payload.
    SPT=33202 - UDP port of the host that sent this packet
    DPT=1026 - UDP port of the destination that it's sending this to
    LEN=484 - Length of the payload of the packet (The data contained in the packet)

    So, now that we're through all of that. That isn't even your most interesting drop. The other one is kind of fun, because unless you were trying to open an AOL website (64.236.47.54) the TCP SYN was spoofed with your source address (pretty common).

    In any event. The drop messages you see are both from AOL and FastColocation services. FastColocation is a DSL/dialup/datacenter provider, and they constantly make it to the SANS top 10 list for abuse. This means that they have a myriad of customers that are zombied/virii'd/spywared that are targeting random destinations looking for another host to infect. UDP 1026 is a very common port for backdoors.

    The drop messages you have are valid messages; your firewall is doing its job. Unless YOU initiate the connection (or port forward), the firewall won't let the connection through from the Internet to your host.

    Having said ALL of that. It "smells" like an 802.11 issue, and your WRT doesn't log that. :(

    Can you telnet/ssh into your WRT? If you can, do you think you can get tcpdump to fit on it?

    To troubleshoot, it would be nice to have:

    List of all of the MAC addresses of your wired/wireless devices
    if no TCPDUMP, a pcap compatible 802.11 capture from wireshark or otherwise of "normal" 802.11 frames, and frames when you plug in your airport.

    I'm GUESSING that the WRT is sending an 802.11 deauth for one reason or another when you plug in your Airport.
     
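The four fields O111111O walks through are the standard netfilter LOG format that the dd-wrt kernel emits and Kiwi Syslog relays. The parser below is an added example written for this page; it is not code from the thread, from dd-wrt or from Kiwi. It splits each line into the Kiwi prefix and the key=value body, breaks the MAC= field into destination MAC, source MAC and EtherType, decodes the OPT (...) TCP options, and labels each drop by chain and packet type the way the post's explanation does. The two sample lines are copied from the post, with the DST octets masked exactly as in the original. One detail worth checking in code rather than by eye: on this firmware the MAC= field runs four bytes past the 14-byte Ethernet header, and those bytes (45:00:01:f8 and 45:00:00:30) are the first four bytes of the IPv4 header, whose last two bytes are the IP total length (0x01f8 = 504, 0x0030 = 48, matching LEN=). The classification labels (inbound-to-router, syn-ack-backscatter, unsolicited-udp) are this example's own names, not netfilter's.

```python
"""Parse the netfilter LOG lines from the post (kernel messages relayed by Kiwi Syslog)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the first and third log lines from the post, DST masked as in the original.
SAMPLE_LOG = """\
2007-01-16 20:33:11   Kernel.Warning   192.168.1.1   kernel: DROP IN=vlan1 OUT= MAC=00:13:72:98:23:e2:00:01:5c:23:cd:42:08:00:45:00:01:f8 SRC=204.16.210.62 DST=74.131.xxx.xx LEN=504 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=33202 DPT=1026 LEN=484
2007-01-16 20:33:21   Kernel.Warning   192.168.1.1   kernel: DROP IN=vlan1 OUT= MAC=00:13:72:98:23:e2:00:01:5c:23:cd:42:08:00:45:00:00:30 SRC=64.236.47.54 DST=74.131.xxx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=4038 SEQ=3318004730 ACK=2694466358 WINDOW=5840 RES=0x00 ACK SYN URGP=0 OPT (020405B401010402)
"""

# Kiwi prefix (timestamp, facility.severity, source host), then the kernel message, whose first
# word is the prefix the iptables LOG rule was given ("DROP" here).
HEADER_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<sev>\S+)\s+(?P<host>\S+)\s+kernel:\s+(?P<action>\S+)\s+(?P<body>.*)$")
# Body tokens: "OPT (hex)", KEY=VALUE (VALUE may be empty, e.g. "OUT="), or a bare flag (DF, SYN, ACK).
TOKEN_RE = re.compile(r"OPT \(([0-9A-Fa-f]*)\)|([A-Z]+)=(\S*)|([A-Z]+)")


@dataclass
class LogEntry:
    timestamp: str
    host: str
    action: str
    fields: Dict[str, str] = field(default_factory=dict)  # KEY=VALUE tokens
    flags: List[str] = field(default_factory=list)        # bare tokens: DF, SYN, ACK, ...
    l4_len: Optional[int] = None                          # second LEN= (UDP length field)
    tcp_options: Optional[str] = None                     # hex inside OPT (...)


def parse_line(line: str) -> LogEntry:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a netfilter LOG line: {line!r}")
    entry = LogEntry(m["ts"], m["host"], m["action"])
    for opt, key, val, flag in TOKEN_RE.findall(m["body"]):
        if flag:
            entry.flags.append(flag)
        elif key == "LEN" and "LEN" in entry.fields:
            entry.l4_len = int(val)  # first LEN= is the IP total length, second the UDP length
        elif key:
            entry.fields[key] = val
        else:
            entry.tcp_options = opt
    return entry


def parse_log(text: str) -> List[LogEntry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def split_mac(mac_field: str) -> Dict[str, object]:
    # MAC= is the raw link-layer header: dst MAC, src MAC, EtherType, plus whatever this firmware
    # logged past the 14-byte Ethernet header (here the first four bytes of the IP header).
    octets = mac_field.split(":")
    if len(octets) < 14:
        raise ValueError("MAC field shorter than an Ethernet header")
    return {"dst_mac": ":".join(octets[0:6]), "src_mac": ":".join(octets[6:12]),
            "ethertype": "".join(octets[12:14]), "extra": octets[14:]}


def ip_total_length_from_mac(mac_field: str) -> Optional[int]:
    # Bytes 3-4 of an IPv4 header are the total length, so the spill can be cross-checked with LEN=.
    extra = split_mac(mac_field)["extra"]
    return int(extra[2] + extra[3], 16) if len(extra) >= 4 else None


def len_consistent(entry: LogEntry) -> bool:
    return ip_total_length_from_mac(entry.fields["MAC"]) == int(entry.fields["LEN"])


def decode_tcp_options(hexstr: str) -> List[str]:
    # TCP options are kind, length, value; kinds 0 and 1 are single bytes (RFC 793).
    data, opts, i = bytes.fromhex(hexstr), [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:
            break
        if kind == 1:
            opts.append("NOP")
            i += 1
            continue
        length, body = data[i + 1], data[i + 2:i + data[i + 1]]
        if kind == 2:
            opts.append(f"MSS={int.from_bytes(body, 'big')}")
        elif kind == 4:
            opts.append("SACK-permitted")
        else:
            opts.append(f"kind{kind}")
        i += length
    return opts


def classify(entry: LogEntry) -> str:
    # Chain: IN set and OUT empty means the packet was addressed to the router itself (INPUT);
    # both set means FORWARD. The labels are this example's own names, not netfilter's.
    f = entry.fields
    if entry.action != "DROP":
        return "not-a-drop"
    where = "inbound-to-router" if f.get("IN") and not f.get("OUT") else "forwarded" if f.get("IN") else "outbound"
    if f.get("PROTO") == "TCP" and {"SYN", "ACK"} <= set(entry.flags):
        what = "syn-ack-backscatter"  # reply to a SYN this address never sent (spoofed elsewhere)
    elif f.get("PROTO") == "TCP" and "SYN" in entry.flags:
        what = "connection-attempt"
    elif f.get("PROTO") == "UDP":
        what = "unsolicited-udp"
    else:
        what = "other"
    return f"{where}/{what}"


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e.timestamp, e.fields["SRC"], "->", e.fields["DST"], e.fields["PROTO"], e.fields["DPT"],
              classify(e), "len_ok=%s" % len_consistent(e), decode_tcp_options(e.tcp_options or ""))
```

Run it against a real Kiwi export and anything that comes back as forwarded/connection-attempt or with len_ok=False deserves a second look: the first means a port forward or a weak FORWARD rule let traffic toward a LAN host reach the log, the second that the MAC= spill no longer lines up with the IP header and the field should not be read the way this example does.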
  4. O111111O

    A couple more thoughts.

    Are you using WPA, or WEP? (WPA2 doesn't work with WDS, and WPA is buggy)

    dd-wrt has a very nice wiki for WDS with Airport.... Before we go down the sniffer route, you may want to verify that you've completed all of the items in the wiki.

    http://www.dd-wrt.com/wiki/index.php/WDS_Linked_router_network
     
  5. cyberpac9 (Thread Starter)

    Wow, thanks for the info, this is great... let's go through this:
    note 2: it is configured as AP
    note 3: I knew this was an outside IP, but I didn't know that this was what was causing the problem
    notes 1&4: great info, that's good to know...

    "Can you telnet/ssh into your WRT? If you can, do you think you can get tcpdump to fit on it?" Not sure how to "get tcpdump on it"... I have PuTTY, if that is a good program to use...

    I'll get the MAC addresses (router, wired PC, laptop, AX)... I'm using WEP and I've looked at that wiki before - mine is set up according to the directions...

    Thanks so much for ALL the info you've given me, that's a lot... I'll get the MAC addresses for ya and if you could give me some guidance on how to get tcpdump on it I'd appreciate it...
     
  6. O111111O

    Well, if you haven't already done it let's not start now. Once you start trying to install stuff on your router, you could make it useless. Let's not do that.

    Do you have another PC with a wireless card? You can download Ethereal/Wireshark to run "sniffer" on your wireless side to watch when you try to power the Airport.
     
  7. cyberpac9 (Thread Starter)

    10-4

    I have the wireless laptop that I'm using right now... I'll download Wireshark... does this work even if my network drops? (I assume it will log something once it drops, but better to ask)
     
  8. O111111O

    Oops. I forgot. Windows.

    Well, we can see Layer2/3 frames with Wireshark + Windows. We won't see 802.11 frames in Windows. My fault.

    Well, you can still do it. We'll see what leads up to the disconnect.
     
  9. cyberpac9 (Thread Starter)

    OK, so for the little bit this has been running it hasn't crashed... go figure... it is getting late, so I'll do this when I get home from work tomorrow...

    You mentioned only layer 2/3 for Windows... I installed AirPcap with Wireshark... it sounds like that will capture what you want, is that correct?

    Thanks again for your help... I'll be posting tomorrow evening anything I can...
     
  10. cyberpac9 (Thread Starter)

    Well, I turned on Wireshark, set up my AX, waited for it to disconnect and stopped Wireshark... got a readout, but not sure what it is you want... I don't see anything regarding layers...
     
  11. cyberpac9 (Thread Starter)

    Something of note here:
    - I run Ethernet cable from AX to router and get good signal
    - signal is never dropped as long as the AX is wired to router
    - unplug Ethernet cable from AX and eventually lose the AX connection
    - router is set to renew the client lease every 10 minutes
    - AX loses connection 10 minutes after being unplugged, thus the IP isn't renewed
    - when I first logged onto the AX it had an issued IP of 192.168.1.103, but after it lost connection and I was able to connect again (only after plugging the Ethernet cable back in) it gave me an IP of 102... don't know if that matters
    - noticed in the syslog that the AX (with an IP of 103) was trying to connect (ack) and was rejected, router offered 102 and AX accepted... but this is only when it is plugged in...

    I'm wondering if this isn't something with the AX and not the router, or could it be a router setting that is preventing the AX from renewing the IP....
     
  12. O111111O

    Did you save the capture file?

    It does sound like it's sending DHCP via Ethernet.

    What happens if you configure the AX for client mode?
     
  13. cyberpac9 (Thread Starter)

    The file was too big to upload so I put it online http://www.filefactory.com/file/eb711a/

    Since upgrading my router's firmware I have only had it set up w/ WDS... I have thought about switching that off to see if that would help, although the reason I flashed to the newer firmware was for WDS. :)
     
  14. cyberpac9 (Thread Starter)

    Changed the AX and it is now just a client and not part of WDS... the connection still drops, HOWEVER after the connection comes back online it gives the AX an IP address, whereas before (when using WDS) it would not register a new IP....
     
  15. O111111O

    Yeah, so DHCP is working now. Still sounds like deauth.

    I had issues downloading that file, I'll turn my FTP on tomorrow and PM you the IP, you can send it directly there.

    You may check Preamble/RTS to self/burst frame size/etc. Make sure those match up between the AX and the access-point.
     
Short URL to this thread: https://techguy.org/535986