 not reading PCAPs generated from STM data 

Joined: Tue Aug 31, 2010 1:31 pm
Posts: 21
Post not reading PCAPs generated from STM data
Dear all,
I am trying to read pcap data from an Endace DAG card installed on a RHEL server with libpcap 0.9.4 installed. The pcap data is being generated from an STM (SDH) line and then being fed into xplico.

However, xplico shows no packets, even though tcpdump shows that there are many UDP packets, TCP packets, etc. The file size is 85 MB (so it is much smaller than the max_file_size = 100M). xplico deployed on Ubuntu Lucid is able to read the sample pcap data provided by xplico but not this data (STM data) in pcap format.

What could be the problem? Please advise.

Vsharm


Tue Aug 31, 2010 1:37 pm

Joined: Wed Sep 16, 2009 10:45 pm
Posts: 128
Post Re: not reading PCAPs generated from STM data
Hello,

Try again after disabling the checksum verification ( http://wiki.xplico.org/doku.php?id=tips_tricks ) and give us more feedback.

Carlos.


Tue Aug 31, 2010 3:29 pm

Joined: Tue Aug 31, 2010 1:31 pm
Posts: 21
Post Re: not reading PCAPs generated from STM data
Dear Carlos,

Tried disabling checksum verification. It does not work.

The same pcap files are being decoded by Netwitness and other tools.

Please advise.

Vikas


Wed Sep 01, 2010 9:19 am

Joined: Tue Aug 31, 2010 1:31 pm
Posts: 21
Post Re: not reading PCAPs generated from STM data
Dear Carlos,

We disabled the checksum verification and then restarted the machine. However, xplico is still unable to pick up our pcap files.

It displays 0s on the terminal window when reading the file (in front of each protocol).

Please advise.

Vsharm


Wed Sep 01, 2010 9:21 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: not reading PCAPs generated from STM data
It may depend on the stratification of the protocols; perhaps Xplico does not handle one of the protocols below IP.
If you can send us a pcap with a few packets we can understand the problem ( bug[@]xplico.org ).

Gianluca


Wed Sep 01, 2010 10:23 am

Joined: Tue Aug 31, 2010 1:31 pm
Posts: 21
Post Re: not reading PCAPs generated from STM data
Dear Carlos,

The protocols are UDP based.

We will not be able to share pcap files with you.

Can you guide us in determining the error? Where should we look?

The pcap file is valid since some other software can read it and decode the data correctly.

Vsharm


Wed Sep 01, 2010 11:06 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: not reading PCAPs generated from STM data
If (using Wireshark) you list for me the whole protocol stack from the "Frame" layer to the UDP layer, we can make a check.
Obviously it would go much better with a PCAP. Only a few packets are necessary for the analysis, and to mask the IP and port you can use the tools of the tcpreplay project.
You can send me the pcap privately... you already have my email address.

Ciao.
Gianluca


Wed Sep 01, 2010 11:21 am

Joined: Tue Aug 31, 2010 1:31 pm
Posts: 21
Post Re: not reading PCAPs generated from STM data
Dear Gianluca,

As per your suggestions we ran the Wireshark tool and received a protocol stack as
1. FRAME
   a. CISCO HDLC
      i. Internet Protocol
         1. TCP
         2. UDP
         3. ICMP
         4. IPv6
      ii. CISCO SLARP

(I have also attached a word document on the detailed protocol stack)

vsharm




Fri Sep 03, 2010 1:36 pm
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: not reading PCAPs generated from STM data
Ok...
The problem is CISCO HDLC; Xplico does not handle this protocol.


Fri Sep 03, 2010 2:03 pm
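
A way to confirm this diagnosis without sharing the capture, as an added example that is not from the thread or the Xplico project: it reads the link-layer type from the pcap global header and counts frames per protocol stack, the same listing that was requested from Wireshark above. The function names are illustrative and the sample capture is constructed; it assumes a classic pcap file (not pcapng) and the standard 4-byte Cisco HDLC header (address, control, 16-bit protocol).

```python
# Added example: function names are illustrative; the sample capture is constructed.
import struct
from collections import Counter

LINKTYPES = {1: "ETHERNET", 101: "RAW", 104: "C_HDLC"}  # tcpdump.org LINKTYPE_ codes
CHDLC_PROTO = {0x0800: "IPv4", 0x86DD: "IPv6", 0x8035: "SLARP"}  # cHDLC protocol field
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # little-endian us/ns
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}  # big-endian us/ns

def read_pcap(data):
    """Return (linktype, [frame bytes]) for a classic (non-pcapng) pcap."""
    end = MAGICS.get(data[:4])
    if end is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0] & 0xFFFF
    off, frames = 24, []
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated last record
        frames.append(frame)
        off += 16 + incl_len
    return linktype, frames

def stack_summary(data):
    """Count frames per protocol stack, from the link layer to the IP payload."""
    linktype, frames = read_pcap(data)
    link = LINKTYPES.get(linktype, "LINKTYPE_%d" % linktype)
    stacks = Counter()
    for frame in frames:
        layers = [link]
        if linktype == 104 and len(frame) >= 4:
            proto = struct.unpack(">H", frame[2:4])[0]
            layers.append(CHDLC_PROTO.get(proto, "0x%04x" % proto))
            if proto == 0x0800 and len(frame) >= 24:
                ipp = frame[4 + 9]  # IPv4 protocol field, after the 4-byte cHDLC header
                layers.append(IP_PROTO.get(ipp, "ipproto-%d" % ipp))
        stacks["/".join(layers)] += 1
    return link, dict(stacks)

def sample_capture():
    """Constructed two-frame cHDLC capture (not data from the thread)."""
    ipv4_udp = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0]) + bytes(16)
    frames = [b"\x0f\x00\x08\x00" + ipv4_udp, b"\x8f\x00\x80\x35" + bytes(14)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 104)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Calling `stack_summary(open(path, "rb").read())` on a real capture returns the link type name and the per-stack frame counts; a link type of `C_HDLC` rather than `ETHERNET` matches the diagnosis in the post above.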

Joined: Tue Aug 31, 2010 1:31 pm
Posts: 21
Post Re: not reading PCAPs generated from STM data
Dear Gianluca,

What's the solution in that case? Do you have a patch for this?

vsharm


Fri Sep 03, 2010 3:20 pm