Lately I've been seeing my kernel logs spammed by these events:
Feb 17 18:38:48 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000001
Feb 17 18:38:48 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000002
Feb 17 18:38:48 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000003
Feb 17 18:38:48 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000004
Feb 17 18:38:48 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000005
Feb 17 18:38:48 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000006
Feb 17 18:38:48 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000007
Feb 17 18:38:48 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000008
Feb 17 18:38:48 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000009
Feb 17 18:38:48 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 00000000000a
Feb 17 18:38:54 localhost kernel: printk: 1 messages suppressed.
Feb 17 18:38:54 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 00000000000c
Feb 17 18:38:58 localhost kernel: printk: 2 messages suppressed.
Feb 17 18:38:58 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 00000000000f
Feb 17 18:39:07 localhost kernel: printk: 2 messages suppressed.
Feb 17 18:39:07 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000012
Feb 17 18:39:08 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000013
Feb 17 18:39:25 localhost kernel: printk: 1 messages suppressed.
Feb 17 18:39:25 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000015
Feb 17 18:39:26 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000016
Feb 17 18:39:27 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000017
Feb 17 18:39:35 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000018
Feb 17 18:39:36 localhost kernel: TKIP: replay detected: STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000019
This is with the various 2.6.16-rc*-git* kernels, and possibly older 2.6.15 series as well.
They always seem to arrive in large bursts, like the bunch shown above. Using wifi
over ipw2200 to a WPA2 AP.
Either this is "normal" behaviour, in which case the code should NOT be spamming me,
or something is broken, in which case.. what?
Cheers
On Fri, Feb 17, 2006 at 06:40:51PM -0500, Mark Lord wrote:
> Lately I've been seeing my kernel logs spammed by these events:
>
> Feb 17 18:38:48 localhost kernel: TKIP: replay detected:
> STA=00:13:46:16:96:b8 previous TSC ffff80723500 received TSC 000000000001
netdev could be better mailing list for this kind of issue. Anyway, it
looks like something managed to set the last packet number to very high
number which will make all future frames dropped as replays.
> This is with the various 2.6.16-rc*-git* kernels, and possibly older 2.6.15
> series as well.
> They always seem to arrive in large bursts, like the bunch shown above.
> Using wifi
> over ipw2200 to a WPA2 AP.
Are you using wpa_supplicant to take care of the WPA2 handshake? If yes,
it would be interesting to see debug log from it for the key handshake
that happened just prior to this replay issue occurring.
> Either this is "normal" behaviour, in which case the code should NOT be
> spamming me,
> or something is broken, in which case.. what?
This is not normal behavior, i.e., something is indeed broken
(driver/supplicant/AP). Though, the those messages could be disabled by
default if there were a useful counter for detecting this kind of issues
easily. Anyway, these debug messages are quite useful in figuring out
what could have caused the "replays".
--
Jouni Malinen PGP id EFC895FA