IBM Support

Determine dropped packets that are not related to Security Events, Firewall, or Quarantine

Question & Answer


Question

How can you determine if packets are dropped that are not directly related to Security Events, Firewall, Quarantine, etc?

Answer

Here are the counters for dropped packets that do not directly correlate to a Security Event, Connection Event, OpenSignature Response, Quarantine block, or a Firewall drop rule. All packets that are dropped, except for malformed ethernet frames or those dropped due to resource errors, can be logged by using the engine.droplog.enabled parameter. This will write the actual packets being dropped to the /cache/packetlogger/dropped directory on the appliance. These files are designated dropXXXX.enc.
 
  • Packets dropped due to checksum errors:
      • pam.icmp.xsum_errs - The number of ICMP packets with checksum errors seen.
      • pam.icmpv6.xsum_errs - The number of ICMP version 6 packets with checksum errors seen.
      • pam.ipv4.xsum_errs - The number of IP version 4 packets with checksum errors seen.
      • pam.ospf.xsum_errs - The number of OSPF packets with checksum errors seen.
      • pam.tcp.xsum_errs - The number of TCP packets with checksum errors seen.
      • pam.udp.xsum_errs - The number of UDP packets with checksum errors seen.

Dropping of packets with invalid checksums is tunable via the np.drop.invalid.checksum parameter. The default value is true.
 
  • Packets dropped due to protocol violation, truncation, or DoS protection:
      • pam.ethernet.truncated.dropped - The number of Ethernet packets dropped because they were truncated.
      • pam.ipv4.bad_header.dropped - The number of IP version 4 packets dropped because of improper headers.
      • pam.ipv4.truncated.dropped - The number of IP version 4 packets dropped because of truncated data.
      • pam.pppoe.truncated.dropped - The number of PPPoE packets dropped because they were truncated.
      • pam.pppoe.unknown.dropped - The number of PPPoE packets dropped because they were of an unknown type.
      • pam.tcp.segments.dropped - This statistic tracks the error condition in which data on a TCP stream cannot be correctly reassembled because the available stream buffer table is empty. PAM reassembles source and destination traffic to ensure that each TCP stream is processed in order. If the sensor is receiving a sizeable number of out-of-order segments and the number of active connections is relatively high, this error condition might be reached. In the common case, the ratio of pam.tcp.segments/ and pam.tcp.connections.active should be approximately 1.0. A much larger value might indicate a problem in your network.
      • pam.tcp.synflood.dropped - The number of TCP SYN packets dropped during a SYN flood.
      • pam.tcp.timeouts - The number of TCP connections dropped after inactivity.

Dropping of these types of packets is tunable via the np.drop.invalid.protocol parameter. The default value is true.
 
  • Packets dropped due to resource errors (disabled by default):
      • pam.ipv6.fragments.dropped - The number of IPv6 fragments dropped for lack of resources.
      • pam.tcp.segments.dropped - This statistic tracks the error condition in which data on a TCP stream cannot be correctly reassembled because the available stream buffer table is empty.
      • Other packets might be dropped without being recorded because of resource errors.

Dropping of these packets is tunable via the np.drop.resource.error parameter.
 
  • Packets dropped because they are seen as rogue TCP packets (disabled by default):
      • There is no individual counter for this type of drop; it adds to the overall driver drop statistics.

Dropping of these packets is tunable via the np.drop.rogue.tcp.packets parameter.
 
  • Specific to the GX6116 in Inline Protection Mode: Below are the types of errors that result in packets being dropped by the NPU by default. Counters for each are located on the Network Statistics page of the LMI. There is no way to record the actual packets being dropped by the NPU.
      • pam.look.vlan.errors - The number of 802.1Q frames that were truncated or contained a protocol violation.
      • pam.look.pppoe.errors - The number of PPPoE frames that were truncated or contained a protocol violation.
      • pam.look.mpls.errors - The number of MPLS frames that were truncated or contained a protocol violation.
      • pam.look.isl.frames - The number of Cisco ISL frames that were truncated or contained a protocol violation.
      • pam.look.ip.errors - The number of IPv4 frames that were truncated or contained a protocol violation.
      • pam.look.ipv6.errors - The number of IPv6 frames that were truncated or contained a protocol violation.
      • pam.look.ip.checksum.errors - The number of IPv4 frames that encountered checksum errors.
      • pam.look.gre.errors - The number of Generic Routing Encapsulation (GRE) frames that were truncated or contained a protocol violation.
      • pam.look.tcp.errors - The number of TCP frames that were truncated or contained a protocol violation.
      • pam.look.tcp.checksum.errors - The number of TCP frames that encountered checksum errors.
      • pam.look.udp.errors - The number of UDP frames that were truncated or contained a protocol violation.
      • pam.look.udp.checksum.errors - The number of UDP frames that encountered checksum errors.
      • pam.look.icmp.errors - The number of ICMP frames that were truncated or contained a protocol violation.
      • pam.look.icmp.checksum.errors - The number of ICMP and ICMPv6 frames that encountered checksum errors.
      • pam.look.dns.malformed - The number of DNS frames that were truncated or contained a protocol violation.
      • pam.look.route.drop - The total number of packets dropped because of the above errors. This statistic does not include packets dropped as the result of the deep-inspection engine's action. It does include packets dropped because of malformed Ethernet frames.

Each of the above pam.look inspections can be disabled by using the parameter pam.look.<protocol>.parse=<boolean>.
Example: pam.look.dns.parse=false
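As an added example (this is not part of the IBM document and not Proventia code), the following Python script takes two readings of the PAM counters listed above, computes how much each drop counter grew, groups that growth under the np.drop.* parameter that governs it, and for pam.look.* counters derives the matching pam.look.<protocol>.parse switch. The counter values are constructed sample readings. Because the counter name in the reassembly-ratio sentence above is truncated on the page, reassembly_ratio takes the numerator counter name as an argument rather than assuming one.

```python
"""Group growth of PAM drop counters by the parameter that tunes them."""

# Counters named on this page, grouped under the np.drop.* parameter that
# governs each group. pam.tcp.segments.dropped is listed on the page under both
# the protocol and the resource headings; it is kept once, under resource, so
# the totals do not double count it.
DROP_CATEGORIES = {
    "checksum": {
        "parameter": "np.drop.invalid.checksum",
        "counters": ["pam.icmp.xsum_errs", "pam.icmpv6.xsum_errs",
                     "pam.ipv4.xsum_errs", "pam.ospf.xsum_errs",
                     "pam.tcp.xsum_errs", "pam.udp.xsum_errs"],
    },
    "protocol": {
        "parameter": "np.drop.invalid.protocol",
        "counters": ["pam.ethernet.truncated.dropped", "pam.ipv4.bad_header.dropped",
                     "pam.ipv4.truncated.dropped", "pam.pppoe.truncated.dropped",
                     "pam.pppoe.unknown.dropped", "pam.tcp.synflood.dropped",
                     "pam.tcp.timeouts"],
    },
    "resource": {
        "parameter": "np.drop.resource.error",
        "counters": ["pam.ipv6.fragments.dropped", "pam.tcp.segments.dropped"],
    },
}

LOOK_PREFIX = "pam.look."

# Constructed sample readings, not output from a real appliance.
BEFORE = {"pam.tcp.xsum_errs": 10, "pam.ipv4.truncated.dropped": 3,
          "pam.tcp.segments.dropped": 0, "pam.look.dns.malformed": 5,
          "pam.look.route.drop": 100}
AFTER = {"pam.tcp.xsum_errs": 25, "pam.udp.xsum_errs": 2,
         "pam.ipv4.truncated.dropped": 3, "pam.tcp.segments.dropped": 40,
         "pam.look.dns.malformed": 12, "pam.look.route.drop": 107,
         "pam.tcp.connections.active": 30}


def look_parse_parameter(counter):
    """pam.look.<protocol>.<kind> -> pam.look.<protocol>.parse, the per-protocol
    switch named on the page. pam.look.route.drop is a total, not an
    inspection, so it has no switch."""
    parts = counter.split(".")
    if len(parts) < 4 or parts[:2] != ["pam", "look"] or parts[2] == "route":
        return None
    return f"pam.look.{parts[2]}.parse"


def counter_delta(before, after):
    """Growth of each counter between two readings. The counters are
    cumulative; a value that went down is treated as a reset (for example an
    appliance restart), so the new value itself is the growth."""
    delta = {}
    for name, new in after.items():
        old = before.get(name, 0)
        delta[name] = new if new < old else new - old
    return delta


def classify_drops(before, after):
    """Per category: which counters grew, by how much, and which parameter
    controls that kind of drop. pam.look.* counters (GX6116 NPU) get one
    parameter per protocol instead of one per category."""
    delta = counter_delta(before, after)
    report = {}
    for category, spec in DROP_CATEGORIES.items():
        grown = {c: delta[c] for c in spec["counters"] if delta.get(c, 0) > 0}
        report[category] = {"parameter": spec["parameter"],
                            "total": sum(grown.values()), "counters": grown}
    npu = {c: d for c, d in delta.items() if c.startswith(LOOK_PREFIX) and d > 0}
    report["npu"] = {"total": sum(npu.values()), "counters": npu,
                     "parameters": {c: look_parse_parameter(c) for c in npu}}
    return report


def reassembly_ratio(counters, numerator):
    """Ratio of a TCP segment counter to pam.tcp.connections.active, the
    check the page says should sit near 1.0. The page's text for the
    numerator counter is truncated, so the caller names it. Returns None when
    there are no active connections to divide by."""
    active = counters.get("pam.tcp.connections.active", 0)
    if active == 0:
        return None
    return counters.get(numerator, 0) / active


if __name__ == "__main__":
    for category, info in classify_drops(BEFORE, AFTER).items():
        print(category, info)
    print("ratio:", reassembly_ratio(AFTER, "pam.tcp.segments.dropped"))
```

Taking two readings a few minutes apart and looking at the growth, rather than at the raw cumulative value, is what makes the category totals meaningful: a large lifetime count on a long-running sensor says nothing about whether drops are happening now.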

Additional information regarding physical layer errors:
All Ethernet-capable operating systems are susceptible to physical errors that cause malformed Ethernet frames. Packets of these types are typically never seen by the OS and are dropped at the NIC level. Counters for these types of packets are typically available. For Proventia G/GX appliances this statistic is included in the overall drop count in the Driver Statistics, except for the GX6116, where it is included in the pam.look.route.drop count. For firmware 1.6 appliances, malformed Ethernet frame errors can be seen in the output of the /etc/iss/drivers/adapterdump -s command, which prints the low-level driver statistics. This command can be run on Proventia G/GX appliances running firmware 1.2 or later; the RcvErr counter was added in firmware 1.6. Below is an example output:

$ /etc/iss/drivers/adapterdump -s
Adapter statistics:
Global RxdPkt=57681410 TxdPkt=57554048 FwdPkt=57554048 DrpPkt= 127362
UnpPkt= 28 InjPkt= 0 RBytes=9450213493 TBytes=9447833382
RcvErr= 127362
Dvc 0 RxdPkt=57647258 TxdPkt= 34152 FwdPkt=57519896 DrpPkt= 127362
UnpPkt= 28 InjPkt= 0 RBytes=9433505428 TBytes=16708065
RcvErr= 127362
Dvc 1 RxdPkt= 34152 TxdPkt=57519896 FwdPkt= 34152 DrpPkt= 0
UnpPkt= 0 InjPkt= 0 RBytes=16708065 TBytes=9431125317
RcvErr= 0

Note: This is not applicable to the GX6000 or GX7000 series IPS, because the adapterdump script is not available on those appliances owing to their NPU architecture. Instead, please use the information found in 1436849 Viewing driver statistics on GX6 and GX7 series appliances.
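As an added example (not part of the IBM document and not an IBM tool), the following Python script parses the adapterdump -s output shown above into per-device counters, checks that the Global line equals the sum of the Dvc lines, and reports what share of each device's DrpPkt is explained by RcvErr, which the text above ties to malformed Ethernet frames. The sample text is the output from this page embedded as a constant; the parser also tolerates output from firmware older than 1.6, where the RcvErr line is absent.

```python
"""Parse /etc/iss/drivers/adapterdump -s output and summarise driver drops."""
import re

# Sample copied from the adapterdump -s output shown on this page.
SAMPLE_OUTPUT = """\
Adapter statistics:
Global RxdPkt=57681410 TxdPkt=57554048 FwdPkt=57554048 DrpPkt= 127362
UnpPkt= 28 InjPkt= 0 RBytes=9450213493 TBytes=9447833382
RcvErr= 127362
Dvc 0 RxdPkt=57647258 TxdPkt= 34152 FwdPkt=57519896 DrpPkt= 127362
UnpPkt= 28 InjPkt= 0 RBytes=9433505428 TBytes=16708065
RcvErr= 127362
Dvc 1 RxdPkt= 34152 TxdPkt=57519896 FwdPkt= 34152 DrpPkt= 0
UnpPkt= 0 InjPkt= 0 RBytes=16708065 TBytes=9431125317
RcvErr= 0
"""

# The output pads values, so "Name= 123" and "Name=123" both occur.
_COUNTER_RE = re.compile(r"([A-Za-z]+)=\s*(\d+)")
_SECTION_RE = re.compile(r"^(Global|Dvc\s+\d+)\b")


def parse_adapterdump(text):
    """Return {"Global": {...}, "Dvc 0": {...}, ...} with integer counters.
    Counter lines wrap onto continuation lines, which belong to the most
    recent "Global" or "Dvc N" header. RcvErr is simply missing from the
    result on firmware older than 1.6."""
    stats = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            current = re.sub(r"\s+", " ", m.group(1))
            stats.setdefault(current, {})
            line = line[m.end():]
        if current is None:
            continue  # "Adapter statistics:" banner
        for name, value in _COUNTER_RE.findall(line):
            stats[current][name] = int(value)
    return stats


def global_matches_devices(stats, counters=("RxdPkt", "TxdPkt", "FwdPkt", "DrpPkt", "RcvErr")):
    """Sanity check: the Global line should be the sum of the Dvc lines."""
    devices = [c for s, c in stats.items() if s.startswith("Dvc")]
    g = stats.get("Global", {})
    return all(g.get(k, 0) == sum(d.get(k, 0) for d in devices) for k in counters)


def drop_summary(stats):
    """Per section: drop count, drop rate against received packets, and the
    share of drops accounted for by RcvErr. A share near 1.0 means the
    drops are NIC-level receive errors (malformed frames) rather than
    anything PAM decided to drop. The share is None when the firmware does
    not report RcvErr or when nothing was dropped."""
    summary = {}
    for section, c in stats.items():
        received = c.get("RxdPkt", 0)
        drops = c.get("DrpPkt", 0)
        rcv_err = c.get("RcvErr")  # None on firmware older than 1.6
        summary[section] = {
            "dropped": drops,
            "drop_rate": drops / received if received else 0.0,
            "rcv_err": rcv_err,
            "rcv_err_share": None if rcv_err is None or drops == 0 else rcv_err / drops,
        }
    return summary


if __name__ == "__main__":
    parsed = parse_adapterdump(SAMPLE_OUTPUT)
    print("global consistent with devices:", global_matches_devices(parsed))
    for section, info in drop_summary(parsed).items():
        print(section, info)
```

In the page's sample, every one of the 127362 drops on Dvc 0 is matched by RcvErr, so the loss is at the physical layer on that port and none of the PAM counters above would account for it; on a 1.2 to 1.5 firmware the same output would carry no RcvErr line and the share is reported as unknown rather than as zero.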


Product: Proventia Network Intrusion Prevention System. Component: Protocol Analysis Module (PAM). Platform: Firmware. Versions: 4.5, 4.6, 4.6.1, 4.6.2.

Historical Number

5153

Document Information

Modified date:
24 January 2021

UID

swg21436664