[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Partition imaging mystery



just some quick thoughts

what fs is on the array? (i cant think of any limit close to 9.5 gigs
of any linux related filesystem but maybe i am forgetting)

try using dd to create an empty file in the array of a larger file size?

i would try rsyncing or nfs/smb mounting and then writing to the mount
next as others have suggested.

Casey

On Thu, 11 Nov 2004 13:14:42 -0600, Robert G. (Doc) Savage
<dsavage@peaknet.net> wrote:
> Hi folks,
> 
> I have a real head scratcher for you. I wouldn't believe it myself if I
> hadn't witnessed it with my own eyes. As some of you know, I plan to get
> out of the federal rent-a-brain business and start a third career as a
> computer forensics consultant. I've run into a bit of a technical
> problem along the way....
> 
> For practice -- and as a safety precaution before upgrading to FC3 --
> I'm booting my laptop with the Helix 1.5 forensics CD and exporting
> images of its partitions to a very large drive array on my big server
> system. I'm using dd and nc just as in the SANS Track 8 course:
> 
> listener (large array):
>         # nc -l -p 30000 > hda5.img
> source (laptop):
>         # dd if=/dev/hda5 bs=2048 | nc 192.168.1.2 30000 -w 3
> 
> The size of the hda5 partition is 35,486,608 1k blocks, or exactly
> 36,338,286,592 bytes.
> 
> The netcat transfer of the hda5 image consistently aborts when the
> destination file reaches 9,883,033,600 bytes. This is smaller than the
> hda2 image file, for which this process works perfectly (see directory
> entries below).
> 
> The path is composed of the following sequence of links:
> 
>         1. Helix 1.5 boot CD running Knoppix 2.6.7 kernel, _OR_
>            FC1 2.4.22-1.2199.nptl kernel (same results for both)
>         2. Intel Pro/100 (e100.o) driver v2.3.18 dated 8/25/03
>            configured as 192.168.1.4, 100Mbps, and full duplex
>         3. Cat5e cable
>         4. Linksys WRT54G router (and default gateway 192.168.1.1)
>         5. Cat5e cable
>         6. 3Com 3c920/980 (3c59x.o) driver v1.1.18ac dated 7/2/01
>            configured as 192.168.1.2, 100Mbps, and full duplex
>         7. RHEL3 Update3 2.4.21-10.ELsmp kernel
> 
> After two tries and two identical abbreviated files, df shows the large
> array's status as:
> 
>         Filesystem  1K-blocks      Used Available Use% Mounted
>         /dev/sdb1  1056888680 210811160 792390704  22% /pub
> 
>         # ls -gG hda2* hda5*
>         -rw-r--r--    1 10489651200 Nov 10 17:35 hda2.img
>         -rw-r--r--    1 9883033600 Nov 10 21:17 hda5.img
>         -rw-r--r--    1 9883033600 Nov 11 03:02 hda5a.img
> 
> While netcat is copying the hda5 image to the large array, I see
> multiple errors like this in the listener's /var/log/messages:
> 
>         Nov 11 02:58:23 lion kernel: eth0: memory shortage
>         Nov 11 03:00:03 lion last message repeated 3 times
> 
> Before anyone dashes off to Google searching for this error message,
> I've already done that. It's generated by the 3c59x.o driver when its
> receive buffer is depleted. I've Bugzilla'd it (#137270), and the guys
> at Red Hat have confirmed that this is an obscure bug that's been around
> for quite some time.
> 
> OK...here's the mystery. Given all these facts, can anyone explain why
> multiple transfer attempts all fail after exactly 9,883,033,600 bytes?
> What's special about that number??
> 
> --Doc
> 
> P.S. About the only thing I haven't tried is slowing the Ethernet port
> speeds at each end to 10Mbps, but I've forgotten how to do that. Who
> remembers?
> 
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.
>

-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.