 why IP packet dimension overflow... ? 

Joined: Sat Oct 10, 2009 10:04 am
Posts: 38
Post why IP packet dimension overflow... ?
Hi,

In the xplico_*.log file, which is in the tmp directory, I see many lines that look like this:
Code:
15:17:00 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
15:17:00 [CORE]{c}-INFO: frame 0 - prot: 1,  flow: no, id: -1 -
15:17:00 [CORE]{c}-INFO:    eth.type: 2048
15:17:00 [CORE]{c}-INFO:    frame 1 - prot: 0,  flow: no, id: -1 -
15:17:00 [CORE]{c}-INFO:       pcapf.layer1: 1
15:17:00 [CORE]{c}-INFO:       pcapf.count: 836966
15:17:00 [CORE]{c}-INFO:       pcapf.file: lo


I read your code and saw:
Code:
if (ip_len > pkt->len) {
    LogPrintf(LV_WARNING, "IP packet dimension overflow the real dimension of packet");
    ProtStackFrmDisp(pkt->stk, TRUE);
    PktFree(pkt);
    return NULL;
}


Why or when may ip_len be bigger than pkt->data? Note that in the previous lines, you get ip from pkt->data in these lines:
Code:
ip = (struct iphdr *)pkt->data;
ip_len = ntohs(ip->tot_len);


Thu Oct 28, 2010 10:29 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: why IP packet dimension overflow... ?
Code:
Why or when may ip_len be bigger than pkt->data? Note that in the previous lines, you get ip from pkt->data in these lines:

We have not implemented all controls (e.g. pkt->len >= sizeof(struct iphdr)), but only this one:
Code:
if (ip_len > pkt->len) {
        LogPrintf(LV_WARNING, "IP packet dimension overflow the real dimension of packet");
        ProtStackFrmDisp(pkt->stk, TRUE);
        PktFree(pkt);
        return NULL;
}

because this error has a high probability. In fact, in your case, this control was useful.
You have some acquisition problems.
The IP packet (+TCP/UDP) dimension overflows the raw packet when, for example, you don't use the option -s 0 with tcpdump.

You can verify this situation with Wireshark: open your pcap file, and at packet number 836966 you can see the problem.
Xplico in live mode (this modality is only to test/try Xplico; Xplico live mode does not ensure proper data acquisition) may lose packets! Xplico live mode is not a real-time application and cannot be used as a probe; there is other software (or hardware) for this purpose (probe).

Ciao.
Gianluca


Thu Oct 28, 2010 11:55 am
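The length controls discussed in the reply above, written out in full as an added example (not Xplico's code and not part of the original posts). The function name, result codes and sample bytes are constructed for illustration; `data` and `caplen` stand in for `pkt->data` and `pkt->len`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes are names chosen for this example, not Xplico's. */
enum ip_check { IP_OK, IP_SHORT_HDR, IP_BAD_VERSION, IP_BAD_IHL,
                IP_BAD_TOTLEN, IP_TRUNCATED };

/* Validate an IPv4 header against the number of bytes actually captured. */
enum ip_check ip_len_check(const uint8_t *data, size_t caplen)
{
    size_t hdr_len, tot_len;

    if (caplen < 20)                      /* fixed header must exist before any field is read */
        return IP_SHORT_HDR;
    if ((data[0] >> 4) != 4)
        return IP_BAD_VERSION;
    hdr_len = (size_t)(data[0] & 0x0f) * 4;
    if (hdr_len < 20 || hdr_len > caplen) /* IP options must be captured too */
        return IP_BAD_IHL;
    tot_len = ((size_t)data[2] << 8) | data[3];  /* tot_len, network byte order */
    if (tot_len < hdr_len)
        return IP_BAD_TOTLEN;
    if (tot_len > caplen)                 /* the case that logs the warning in this thread */
        return IP_TRUNCATED;
    return IP_OK;                         /* caplen > tot_len is fine: link-layer padding */
}

/* Constructed sample: 20-byte header claiming tot_len = 40 (0x0028). */
static const uint8_t sample_pkt[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x01,
    0x7f, 0x00, 0x00, 0x01
};

int main(void)
{
    /* Full capture, then the same packet cut to 32 and to 12 captured bytes,
     * as a capture with a small snapshot length would store it. */
    printf("full=%d cut32=%d cut12=%d\n",
           ip_len_check(sample_pkt, 40),
           ip_len_check(sample_pkt, 32),
           ip_len_check(sample_pkt, 12));
    return 0;
}
```

A packet rejected with `IP_TRUNCATED` points at the capture (snapshot length or lost data), while the other failure codes point at a malformed or non-IPv4 header.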

Joined: Sat Oct 10, 2009 10:04 am
Posts: 38
Post Re: why IP packet dimension overflow... ?
Code:
You can verify this situation with Wireshark: open your pcap file, and at packet number 836966 you can see the problem.


Why is pcapf.count different in each run? For example, in one run I get this warning related to pcapf.count: 1766 and there isn't any warning related to pcapf.count: 18233.

But in another run, I get this warning related to pcapf.count: 18233 and there isn't any warning related to pcapf.count: 1766.

When I open the cap file in Wireshark, I see that these two packets (1766 & 18233), along with some other packets (about 1000 packets), have a problem (colored warning).
But in each run of Xplico, I see that some of them don't produce a warning and some of them do!
Why is this irregular?


Wed Dec 22, 2010 11:11 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: why IP packet dimension overflow... ?
Very strange.
Are you sure that both warnings are not in the log file?
Could you send us this pcap?

Ciao.
Gianluca


Fri Dec 24, 2010 7:01 am

Joined: Sat Oct 10, 2009 10:04 am
Posts: 38
Post Re: why IP packet dimension overflow... ?
Problem solved.

It was related to missing packets in real-time mode. With the pcap module, there is no problem.

Thank you Gianluca.


Mon Dec 27, 2010 8:31 am