Malformed wol packets

NRgia

@johnpoz said in Malformed wol packets:

I just went over this not that long ago that pfsense sends out on 40k..

https://forum.netgate.com/post/912917

That you don't know how to use wireshark, doesn't mean the packet is malformed ;)

I can tell wireshark anything is what its not and its going to show up as messed up...

the correct magic packet on the port 9, pfSense sends it on port 40000.

Where did you come up with the idea that port 9 is the correct port? Port means NOTHING in a wol packet.. what port it gets sent out in doesn't mean anything.. Sure there are some common ports 0, 7, 9 etc.. 0 is just going to be a security nightmare and wouldn't normally be allowed out from a firewall at all.. 7 and 9 have their own issues because old clients could see those since its sent to broadcast address, etc.

Sure wireshark will see udp on 9 and think oh wol, and then decode it for that.. But again - what wireshark does for dissection of any given packet is ultimately up to the user using it.. If you say a packet is WOL and its NOT then it will show malformed, if you say its X when its Y, again malformed.. Wireshark tries and make a guess to what the data is - it quite often makes mistakes.. For example thinking your wol is knx..
Why on ports 7 and 9 it sees as a correct wol type packet, and it sees wol on packet 40000 ? How me as a user can affect Wireshark dissection? I just listen on my device for any wol packets, sent by pfSense or other applications. The only one that is perceived as malformed is one sent by wake on lan client on pfSense. If this is a wireshark issue, then sure, glad that I learned about it from this thread. As a user you interpret the Wireshark response, and as I refused to believe the application, I have searched the Internet, and found this thread.
Anyways the issue is still present at this time.

First thing that jumps out at me looking at that sniff - is wtf, they using a /15 mask?? WHY??? Your broadcast is 172.19.255.255 and your coming from a 172.18.0.12 - that is a /15.. Why would you be using that??? My guess why something isn't working is you prob have issues with your mask on your devices..

I don't understand what is your concern here...
From here:
https://www.ietf.org/rfc/rfc1918.txt

and here:

http://jodies.de/ipcalc?host=172.18.0.12&mask1=15&mask2=

I use Private Address Space as seen above. Also I can do subnetting or play with the range as it suits my needs.

@johnpoz said in Malformed wol packets:

A /15 makes zero sense to be assigned to any device... Do you have something close to 130K devices on this network? Really? Use something realistic.. How many devices do you have on this network? How many might it grow too?

Such a mask is something you might use on a route summary, or firewall rule with a bunch of downstream networks.. Not anything you would ever use on a single L2..

I read through some of your posts on this forum, and I know you always try to help, and I appreciate your input(really) but in my case I am respecting the standards. Asking someone to re-shape his network for no reason, it's not helpful, sorry to say this.

johnpoz

A /15 makes zero sense to be assigned to any device... Do you have something close to 130K devices on this network? Really? Use something realistic.. How many devices do you have on this network? How many might it grow too?

Such a mask is something you might use on a route summary, or firewall rule with a bunch of downstream networks.. Not anything you would ever use on a single L2..