SUM: bad addr len

From: Mike Grau <m.grau_at_kcc.state.ks.us>
Date: Tue, 15 Jul 1997 12:07:07 -0500

Sorry for the long delay with the summary. Thank you _all_ who
responded. The question:

> On a 3000/800s DU3.2c (DNS, mail, oracle) I'm getting the
> following in daemon.log:
 
> Jun 20 08:42:29 wildcat bootpd[7125]: bad addr len from from Ethernet
> address 52.41.53.20.20.D5
> Jun 20 08:42:52 wildcat last message repeated 2 times
> Jun 20 08:44:54 wildcat last message repeated 4 times
 
> What does this mean and how can I track it down? I notice the error
> always begins to show up at 8 am and stops at 5 pm. At least someone
> shows up for work consistently on time.

The offending address never showed up in the arp table, nor was I able
to track it down with "ifconfig". ( I'm probably not knowledgeable
enough to use "ifconfig" effectively; if anyone has any pointers, I'd be
grateful. ) It turns out the address in daemon.log seems to bear no
relation to the actual MAC address which is 00-80-5f-4a-45-c3. I finally
tracked down the culprit by having someone record the link lights that
were lit on the hubs for a few minutes before and after the error in the
log appeared. A 1 (one) was assigned to machines when there was no error
and a 2 (two) assigned when there was. I did this for three or four days
after which the numbers were added and averaged. Only one machine
averaged a 2, and when this machine was turned off, the error messages
did indeed disappear and re-appeared when it was turned on. It was a
Windows NT machine received from another office.

I received many good suggestions on the probable causes of the error all
of which I'll include since a good number of people contacted me saying
they were getting the same error. Perhaps they'll be helpful. In my
instance, Randy Hayman hit the nail with my head exactly; his response
is noted at the last. Other responses:
####
"Sounds like a garbage ethernet message. You need to find the system
(likely to be a PC) that is getting turned on and get it repaired. The
good news is you've got the culprit's Ethernet address:
52.41.53.20.20.D5 (which most of us would write with dashes, but it's
the 6 octets). Find the garbage system and repair it."
####
"One of your network users has a bad ethernet card. If the HEX ethernet
address is any good you may be able to track him down by looking at an
ARP table (arp -a) and seeing if you find that card address. This may
give you an IP address and possibly a system name.

Once you find the system with the bad card, use an ifconfig or some
other network debug tool to determine the errors reported by the
interface to ensure that you truly have found the bad interface."
####
"I saw a lot of these until my department was no longer
on the main campus FDDI ring. It usually was tied to
someone having a networked printer with no subnet mask
or someone firing up lpjetadmin (out of the box does a
class A search for hp printers)... though I would
suspect a printer somewhere with no subnet mask set.

Now that we are behind a router, life is significantly
better."
####
"Since the mac address seems to be of the right length, I would guess
that perhaps there is an error in your /etc/bootptab file. Edit the
file and look for the entry for the mac address in question.

That is just a guess. I have no particular experience with that error
message. Even if I am wrong, you can at least find out what machine the
error is associated with that way."
####
"We had a similar error - it was a bad ethernet bridge. When it was
powered off, the error went away. Being that it happens
from 8 to 5 looks like it might be a faulty PC ethernet card
or maybe a network printer."
####
"I am not 100% positive, but I *THINK* 'bad len' is a bad length record
coming from that NIC card. In your bootptabs file, is there a line for
52.41.53.20.20.D5? My first guess is that THAT NIC is bad... Good
luck... (Hope this was helpful???)"
####
"The packets are obviously coming from a PC or some other client. I've
seen a similar thing, but never bothered to find out where they were
coming from.

You can try with arp (arp -a) to find an IP address. If there isn't
any, the only way is to find a human who knows to whom this particular
ethernet (or whichever else medium there is) card belongs."
####
"I think you should contact DEC support on this. Checked
the archives and found a similar error reported but there
were no summaries posted."
####
From Randy Hayman:
"The problem you are seeing is from someone's Windows NT workstation
configured with the DHCP option. To turn it off so that your network
isn't flooded with these requests, Windows NT will have to be
re-installed from scratch.

I've been there, seen that, and fixed it. Windows NT can't turn this
feature off since it is built into the system at installation time - it
may be quieted until the next reboot, perhaps, but the only way to
eliminate it is to re-install."
####
Regretfully, I used MS Network Monitor (it actually worked pretty well
if you discount the times it shut down after performing an "illegal
operation") to discover something since the machine seemed to be
functioning OK on the network. It confirmed Randy Hayman's suspicions.
For your enrichment and enjoyment, I'm attaching the trace for those
interested.



Network Monitor trace Mon 07/07/97 16:09:20 c:\WINDOWS\Desktop\f63.txt

************************************************************************************************************************************************************
Frame Time Src MAC Addr Dst MAC Addr Protocol Description Src Other Addr Dst Other Addr Type Other Addr
1 21.138 KS1_SQL_MANAGER *BROADCAST DHCP Discover (xid=0B9B45C8) KS1_SQL_MANAGER 255.255.255.255 IP

  FRAME: Base frame properties
      FRAME: Time of capture = Jul 7, 1997 15:35:24.8
      FRAME: Time delta from previous physical frame: 0 milliseconds
      FRAME: Frame number: 1
      FRAME: Total frame length: 342 bytes
      FRAME: Capture frame length: 342 bytes
      FRAME: Frame data: Number of data bytes remaining = 342 (0x0156)
  ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
      ETHERNET: Destination address : FFFFFFFFFFFF
          ETHERNET: .......1 = Group address
          ETHERNET: ......1. = Locally administered address
      ETHERNET: Source address : 00805F4A45C3
          ETHERNET: .......0 = No routing information present
          ETHERNET: ......0. = Universally administered address
      ETHERNET: Frame Length : 342 (0x0156)
      ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
      ETHERNET: Ethernet Data: Number of data bytes remaining = 328 (0x0148)
  IP: ID = 0x715; Proto = UDP; Len: 328
      IP: Version = 4 (0x4)
      IP: Header Length = 20 (0x14)
    + IP: Service Type = 0 (0x0)
      IP: Total Length = 328 (0x148)
      IP: Identification = 1813 (0x715)
    + IP: Flags Summary = 0 (0x0)
      IP: Fragment Offset = 0 (0x0) bytes
      IP: Time to Live = 128 (0x80)
      IP: Protocol = UDP - User Datagram
      IP: Checksum = 0x87F1
      IP: Source Address = 165.201.4.214
      IP: Destination Address = 255.255.255.255
      IP: Data: Number of data bytes remaining = 308 (0x0134)
  UDP: IP Multicast: Src Port: BOOTP Client, (68); Dst Port: BOOTP Server (67); Length = 308 (0x134)
      UDP: Source Port = BOOTP Client
      UDP: Destination Port = BOOTP Server
      UDP: Total length = 308 (0x134) bytes
      UDP: UDP Checksum = 0xF829
      UDP: Data: Number of data bytes remaining = 300 (0x012C)
  DHCP: Discover (xid=0B9B45C8)
      DHCP: Op Code (op) = 1 (0x1)
      DHCP: Hardware Type (htype) = 1 (0x1) 10Mb Ethernet
      DHCP: Hardware Address Length (hlen) = 16 (0x10)
      DHCP: Hops (hops) = 0 (0x0)
      DHCP: Transaction ID (xid) = 194725320 (0xB9B45C8)
      DHCP: Seconds (secs) = 0 (0x0)
    + DHCP: Flags (flags) = 128 (0x80)
      DHCP: Client IP Address (ciaddr) = 0.0.0.0
      DHCP: Your IP Address (yiaddr) = 0.0.0.0
      DHCP: Server IP Address (siaddr) = 0.0.0.0
      DHCP: Relay IP Address (giaddr) = 0.0.0.0
      DHCP: Client Hardware Address (chaddr) = 52 41 53 20 20 D5 E1 BD A1 CA BB 1 1 0 0 0
      DHCP: Server Host Name (sname) = <Blank>
      DHCP: Boot File Name (file) = <Blank>
      DHCP: Magic Cookie = [OK]
    + DHCP: Option Field (options)
      DHCP: Malformed Packet , Field "Hardware Address Length (hlen)" is invalid

00000: FF FF FF FF FF FF 00 80 5F 4A 45 C3 08 00 45 00 ........_JE...E.
00010: 01 48 07 15 00 00 80 11 87 F1 A5 C9 04 D6 FF FF .H..............
00020: FF FF 00 44 00 43 01 34 F8 29 01 01 10 00 C8 45 ...D.C.4.).....E
00030: 9B 0B 00 00 80 00 00 00 00 00 00 00 00 00 00 00 ................
00040: 00 00 00 00 00 00 52 41 53 20 20 D5 E1 BD A1 CA ......RAS  .....



----------END TRACE--------------------------------------------------------------

NOTE:
   Mac Address --- 00-08-5f-4a-45-c3
   

UNIX ERROR:
   Jul 7 07:55:25 wildcat bootpd[16533]: bad addr len
   from from Ethernet address 52.41.53.20.20.D5

   Jul 7 07:55:49 wildcat last message repeated 2 times
   Jul 7 07:57:54 wildcat last message repeated 4 times
   Jul 7 08:07:57 wildcat last message repeated 19 times
   Jul 7 08:08:29 wildcat last message repeated 2 times
Received on Tue Jul 15 1997 - 19:30:03 NZST
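
Added example (not part of the original post or of bootpd): a short Python parser run over the frame bytes from the trace above, showing that hlen is 16 where Ethernet expects 6, that the "Ethernet address" in the bootpd log matches the first six chaddr bytes (ASCII "RAS  "), and that the address to look for on the wire is the Ethernet source field. FRAME is constructed from the hex dump plus the decoded chaddr line; the function names are illustrative.

```python
import struct

# Constructed from the trace on this page: the 80 bytes of the hex dump plus
# the last six chaddr bytes taken from the decoded "chaddr" line.
FRAME = bytes.fromhex(
    "ffffffffffff00805f4a45c308004500"
    "014807150000801187f1a5c904d6ffff"
    "ffff004400430134f82901011000c845"
    "9b0b0000800000000000000000000000"
    "0000000000005241532020d5e1bda1ca"
    "bb0101000000"
)

ETH_HDR = 14
EXPECTED_HLEN = {1: 6}  # htype 1 (Ethernet) carries a 6-byte address


def parse_bootp(frame):
    """Walk Ethernet -> IPv4 -> UDP and return the BOOTP fields of interest."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    if frame[ETH_HDR + 9] != 17:
        raise ValueError("not UDP")
    udp = ETH_HDR + ihl
    sport, dport = struct.unpack_from("!HH", frame, udp)
    if (sport, dport) != (68, 67):
        raise ValueError("not a BOOTP/DHCP client request")
    bootp = udp + 8
    if len(frame) < bootp + 44:
        raise ValueError("truncated BOOTP header")
    op, htype, hlen, _hops = struct.unpack_from("!BBBB", frame, bootp)
    # chaddr is a fixed 16-byte field after xid, secs, flags and four addresses
    chaddr = frame[bootp + 28 : bootp + 44]
    return {"op": op, "htype": htype, "hlen": hlen, "chaddr": chaddr}


def diagnose(frame):
    p = parse_bootp(frame)
    first6 = p["chaddr"][:6]
    return {
        # The address to hunt for on the wire: the Ethernet source field
        "src_mac": "-".join(f"{b:02x}" for b in frame[6:12]),
        "hlen": p["hlen"],
        "hlen_ok": p["hlen"] == EXPECTED_HLEN.get(p["htype"]),
        # Same rendering as the address in the bootpd log line
        "logged_as": ".".join(f"{b:02X}" for b in first6),
        "chaddr_ascii": "".join(chr(b) if 32 <= b < 127 else "." for b in first6),
    }


if __name__ == "__main__":
    print(diagnose(FRAME))
```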
