Xplico.org
http://forum.xplico.org/

Xplico in command line - Unable to read configuration file
http://forum.xplico.org/viewtopic.php?f=3&t=32

Author:  diago [ Tue Nov 03, 2009 1:29 am ]
Post subject:  Xplico in command line - Unable to read configuration file

Hi,

I have a 400MB+ .pcap file that I tried to analyze using xplico.
I used the command line method and followed the installation and usage procedures given in the Wiki (http://wiki.xplico.org/doku.php/tutorial)

I am using Ubuntu 9.04

Can you please help me out with this error.
------------------------------------------------------------------------------------------------------------------------------------------------------------

diago@mm:/opt/xplico/bin$ sudo ./xplico -m pcap -f /home/diago/Desktop/forensics/221710072007.pcap
[sudo] password for diago:
xplico v0.5.2
Internet Traffic Decoder (NFAT).
See http://www.xplico.org for more information.

Copyright 2007-2009 Gianluca Costa & Andrea de Franceschi and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Unable to read configuration file.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Any help will be appreciated.

-Diago

Author:  gianluca.costa [ Tue Nov 03, 2009 7:31 am ]
Post subject:  Re: Xplico in command line - Unable to read configuration file

Hi Diago,
Maybe I understood the problem.
I think you first tried the script /opt/xplico/script/sqlite_demo.sh. This script overwrites the file /opt/xplico/cfg/xplico.cfg used by Xplico in CLI mode. So I suggest you use the configuration file from the source code.
There are two possibilities:
  • if your source code has the path /xplico_path then: sudo /opt/xplico/bin/xplico -c /xplico_path/config/xplico_fix.cfg -m pcap -f /home/diago/Desktop/forensics/221710072007.pcap
  • copy xplico_fix.cfg from the source code to /opt/xplico/cfg/xplico.cfg; in this way the command sudo /opt/xplico/bin/xplico -m pcap -f /home/diago/Desktop/forensics/221710072007.pcap can operate.

The Xplico 0.5.3 version no longer has this problem.

Author:  diago [ Tue Nov 03, 2009 9:24 am ]
Post subject:  Re: Xplico in command line - Unable to read configuration file

Hi Gianluca,

Thanks a lot, your solution worked.
But now I am getting this error.

Is it because the .pcap file is too big ?

How do I handle a pcap file of 408 MB in command line mode?

-------------------------------------------------------------------------------------------------------
tcp-grb: running: 20/11386, subflow:0/0, tot pkt:187124
udp-grb: running: 0/0, subflow:0/0, tot pkt:0
Pei inserted: 0
Pei to be insert: 0
Fthread: 45/100
Groups: 0/100
Dns DB: ip number: 166, total size: 206640
Segmentation Fault: see log file and report
diago@mm:/opt/xplico$
----------------------------------------------------------------------------------------------------------

Many Thanks.

-diago

Author:  carlos.gacimartin [ Tue Nov 03, 2009 9:44 am ]
Post subject:  Re: Xplico in command line - Unable to read configuration file

Hi Diago,
could you attach the logs? (tmp/)

Thanks.

Author:  gianluca.costa [ Tue Nov 03, 2009 11:08 am ]
Post subject:  Re: Xplico in command line - Unable to read configuration file

Hi Diago,
Not a problem of size. I think it is a bug.
Can you try with the 0.5.3 beta release: viewtopic.php?f=3&t=30
If even with this release you have a crash, then can you follow these steps:
1) ./xplico -m pcap -f <your pcap file>
2) wait for the fault
3) at the fault you can see in the tmp directory (where the log files are) the file oops_xxxx.xml
4) launch /opt/script/xml2pcap.php <tmp/oops_xxxx.xml> bug.pcap or system/script/xml2pcap.php <tmp/oops_xxxx.xml> bug.pcap
5) and then run ./xplico -m pcap -f bug.pcap
6) wait for the fault
7) if the fault does not appear then... I will describe the procedure in the next post ;) .
8) if you see the fault then the bug.pcap "contains" the bug
9) check the bug.pcap file with Wireshark and if you can send it to me (bug@xplico.org) or post it in this forum, I'll be happy :) .

This procedure can be used even with 0.5.2.

Author:  diago [ Tue Nov 03, 2009 5:38 pm ]
Post subject:  Re: Xplico in command line - Unable to read configuration file

Thanks Gianluca,

I will try out your solution.

In the meantime, here are the contents of the log files.


1. xplico_2009_10_03.log (it's a 300 MB file; I have just put a few lines from it that show a segfault)
---------------------------------------------------------
04:08:55 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
04:08:55 [CORE]{c}-INFO: frame 0 - prot: 2, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: eth.type: 2048
04:08:55 [CORE]{c}-INFO: frame 1 - prot: 0, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: pcapf.layer1: 1
04:08:55 [CORE]{c}-INFO: pcapf.count: 1020901
04:08:55 [CORE]{c}-INFO: pcapf.file: /home/diago/Desktop/forensics/221710072007.pcap
04:08:55 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
04:08:55 [CORE]{c}-INFO: frame 0 - prot: 2, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: eth.type: 2048
04:08:55 [CORE]{c}-INFO: frame 1 - prot: 0, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: pcapf.layer1: 1
04:08:55 [CORE]{c}-INFO: pcapf.count: 1020902
04:08:55 [CORE]{c}-INFO: pcapf.file: /home/diago/Desktop/forensics/221710072007.pcap
04:08:55 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
04:08:55 [CORE]{c}-INFO: frame 0 - prot: 2, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: eth.type: 2048
04:08:55 [CORE]{c}-INFO: frame 1 - prot: 0, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: pcapf.layer1: 1
04:08:55 [CORE]{c}-INFO: pcapf.count: 1020903
04:08:55 [CORE]{c}-INFO: pcapf.file: /home/diago/Desktop/forensics/221710072007.pcap
04:08:55 [dns]{59}-DEBUG: DNS id: 59
04:08:55 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
04:08:55 [CORE]{c}-INFO: frame 0 - prot: 2, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: eth.type: 2048
04:08:55 [CORE]{c}-INFO: frame 1 - prot: 0, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: pcapf.layer1: 1
04:08:55 [CORE]{c}-INFO: pcapf.count: 1020913
04:08:55 [CORE]{c}-INFO: pcapf.file: /home/diago/Desktop/forensics/221710072007.pcap
04:08:55 [CORE]{59}-OOPS: (2) SegFault
04:08:55 [CORE]{59}-INFO: frame 0 - prot: 6, flow: yes, id: 59 -
04:08:55 [CORE]{59}-INFO:    tcp.srcport: 1542
04:08:55 [CORE]{59}-INFO:    tcp.dstport: 53
04:08:55 [CORE]{59}-INFO:    tcp.clnt: 1
04:08:55 [CORE]{59}-INFO:    tcp.lost: 0
04:08:55 [CORE]{59}-INFO:    frame 1 - prot: 4, flow: no, id: -1 -
04:08:55 [CORE]{59}-INFO:       ip.proto: 6
04:08:55 [CORE]{59}-INFO:       ip.src: 10.1.2.10
04:08:55 [CORE]{59}-INFO:       ip.dst: 10.100.1.50
04:08:55 [CORE]{59}-INFO:       frame 2 - prot: 2, flow: no, id: -1 -
04:08:55 [CORE]{59}-INFO:          eth.type: 2048
04:08:55 [CORE]{59}-INFO:          frame 3 - prot: 0, flow: no, id: -1 -
04:08:55 [CORE]{59}-INFO:             pcapf.layer1: 1
04:08:55 [CORE]{59}-INFO:             pcapf.count: 1020908
04:08:55 [CORE]{59}-INFO:             pcapf.file: /home/diago/Desktop/forensics/221710072007.pcap
------------------------------------------------------------------------------------------------------

2. fault_1257239335
-------------------------------------------------------------------------------------------------
Event: Segmentation Fault
Reduce pcap size with this tshark filter (tshark -r <original_pcap> -R "<all line below>" -w fault.pcap):

( tcp.port==22984 and tcp.port==3268 and ip.addr==10.1.2.11 and ip.addr==10.1.1.1 ) or ( udp.port==137 and udp.port==137 and ip.addr==10.1.2.10 and ip.addr==10.1.2.255 ) or ...................
--------------------------------------------------------------------------------------------------

3. oops_2_1257239335
------------------------------------------------------------------------------------------------

--- Decoding info: stream 0 --- tcp tcp.srcport 1542 tcp.dstport 53 tcp.clnt 1 tcp.lost 0 ip ip.proto 6 ip.src 10.1.2.10 ip.dst 10.100.1.50 eth eth.type 2048 pcapf pcapf.layer1 1 pcapf.count 1020908 pcapf.file /home/diago/Desktop/forensics/221710072007.pcap

-------------------------------------------------------------------------------------------------

4. warn_1_1257239330
------------------------------------------------------------------------------------------------
--- Decoding info: stream 0 --- tcp tcp.srcport 4824 tcp.dstport 80 tcp.clnt 1 tcp.lost 0 ip ip.proto 6 ip.src 10.100.1.50 ip.dst 10.1.2.10 eth eth.type 2048 pcapf pcapf.layer1 1 pcapf.count 997222 pcapf.file /home/diago/Desktop/forensics/221710072007.pcap
------------------------------------------------------------------------------------------------

I will try out the solution that you have given above and will let you know.

Many Thanks.

-Diago
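The procedure in Gianluca's post and the log excerpt above both come down to the same question: which frame and which flow was Xplico decoding when it hit the OOPS? The following is an added example (not Xplico project code) that parses log lines in the format shown in the excerpt, pulls out the decoding fields recorded under the same stream context as the OOPS line, and turns them into a tshark display filter like the one in the fault_* file, so the large capture can be cut down to the flow that triggers the crash. The sample log is constructed to mirror the posted lines, the line format is assumed from the excerpt only, and the stray "[3C"-style fragments (ANSI cursor-forward sequences with the escape byte lost) are stripped before parsing.

```python
"""Find the OOPS record in an Xplico-style log and build a tshark filter for the faulting flow."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the lines posted in the thread; not a real log file.
# It keeps the bare "[0C"/"[3C" fragments exactly as they appeared in the post.
SAMPLE_LOG = """\
04:08:55 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
04:08:55 [CORE]{c}-INFO: frame 0 - prot: 2, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: eth.type: 2048
04:08:55 [CORE]{c}-INFO: pcapf.count: 1020913
04:08:55 [dns]{59}-DEBUG: DNS id: 59
04:08:55 [CORE]{59}-OOPS: (2) SegFault
04:08:55 [CORE]{59}-INFO: [0Cframe 0 - prot: 6, flow: yes, id: 59 -
04:08:55 [CORE]{59}-INFO: [3Ctcp.srcport: 1542
04:08:55 [CORE]{59}-INFO: [3Ctcp.dstport: 53
04:08:55 [CORE]{59}-INFO: [3Ctcp.clnt: 1
04:08:55 [CORE]{59}-INFO: [3Ctcp.lost: 0
04:08:55 [CORE]{59}-INFO: [3Cframe 1 - prot: 4, flow: no, id: -1 -
04:08:55 [CORE]{59}-INFO: [6Cip.proto: 6
04:08:55 [CORE]{59}-INFO: [6Cip.src: 10.1.2.10
04:08:55 [CORE]{59}-INFO: [6Cip.dst: 10.100.1.50
04:08:55 [CORE]{59}-INFO: [6Cframe 2 - prot: 2, flow: no, id: -1 -
04:08:55 [CORE]{59}-INFO: [9Ceth.type: 2048
04:08:55 [CORE]{59}-INFO: [9Cframe 3 - prot: 0, flow: no, id: -1 -
04:08:55 [CORE]{59}-INFO: [12Cpcapf.layer1: 1
04:08:55 [CORE]{59}-INFO: [12Cpcapf.count: 1020908
04:08:55 [CORE]{59}-INFO: [12Cpcapf.file: /home/diago/Desktop/forensics/221710072007.pcap
"""

# Assumed line layout, taken from the excerpt: "<time> [<module>]{<ctx>}-<LEVEL>: <message>".
# <ctx> is "c" for lines with no flow context, or a stream id such as 59.
LINE_RE = re.compile(
    r"^(?P<time>\S+) \[(?P<module>[^\]]+)\]\{(?P<ctx>[^}]*)\}-(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Cursor-forward sequences (ESC [ n C) whose ESC byte was lost, leaving e.g. "[3C".
ANSI_RE = re.compile(r"\x1b?\[\d+C")
# Decoding fields look like "tcp.srcport: 1542" or "pcapf.count: 1020908".
FIELD_RE = re.compile(r"^(?P<key>[a-z0-9]+\.[a-z0-9]+): (?P<val>.*)$")


@dataclass
class Oops:
    context: str                      # stream id the OOPS was logged under
    message: str                      # e.g. "(2) SegFault"
    fields: dict = field(default_factory=dict)


def parse_oops(log_text):
    """Return every OOPS record with the decoding fields logged in its stream context."""
    records = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(ANSI_RE.sub("", raw))
        if not m:
            continue
        if m["level"] == "OOPS":
            current = Oops(m["ctx"], m["msg"])
            records.append(current)
            continue
        # Only lines sharing the OOPS context describe the faulting flow.
        if current is None or m["ctx"] != current.context:
            continue
        f = FIELD_RE.match(m["msg"].strip())
        if f:
            current.fields[f["key"]] = f["val"]
    return records


def faulting_frame(oops):
    """Frame number in the pcap (pcapf.count) that was being decoded at the fault."""
    count = oops.fields.get("pcapf.count")
    return int(count) if count is not None else None


def tshark_filter(oops):
    """Display filter selecting the faulting flow, in the style of the fault_* file in the thread.

    Handles both TCP and UDP fields, so it generalises beyond the TCP-only excerpt.
    """
    f = oops.fields
    parts = []
    if "ip.src" in f and "ip.dst" in f:
        parts.append(f"ip.addr=={f['ip.src']} and ip.addr=={f['ip.dst']}")
    for proto in ("tcp", "udp"):
        src, dst = f.get(f"{proto}.srcport"), f.get(f"{proto}.dstport")
        if src is not None and dst is not None:
            parts.append(f"{proto}.port=={src} and {proto}.port=={dst}")
    return " and ".join(parts)


if __name__ == "__main__":
    for rec in parse_oops(SAMPLE_LOG):
        print(f"stream {rec.context}: {rec.message} at frame {faulting_frame(rec)}")
        print(f"  tshark -r <original_pcap> -R \"{tshark_filter(rec)}\" -w fault.pcap")
```

The resulting filter is meant for the tshark invocation quoted in the fault file (`tshark -r <original_pcap> -R "<filter>" -w fault.pcap`); the reduced capture is what you would reproduce the crash against and attach to a bug report instead of the full 400 MB file.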

Author:  diago [ Tue Nov 03, 2009 8:59 pm ]
Post subject:  Re: Xplico in command line - Unable to read configuration file

Hi Gianluca,

I tried using version 0.5.3. I got the segmentation fault again.

I got a bug.pcap file from the process that you had mentioned in your previous post.

I analyzed the bug.pcap file in wireshark and got a few packets with unknown operations and unknown error.

I have attached the bug.pcap file below.

How can I overcome this problem?

Thanks a lot
-Diago

Author:  carlos.gacimartin [ Tue Nov 03, 2009 9:50 pm ]
Post subject:  Re: Xplico in command line - Unable to read configuration file

Hello Diago,
please try this, on beta version 0.5.3:

Code:
diago@mm:/opt/xplico/bin$ sudo ./xplico -c /opt/xplico/cfg/xplico_nc.cfg -m pcap -f /home/diago/Desktop/forensics/221710072007.pcap


This will use a config file which doesn't do checksum validation; perhaps it could help you if the pcap has many errors. Anyway, a segmentation fault seems to be a bug :(

Author:  gianluca.costa [ Wed Nov 04, 2009 6:48 am ]
Post subject:  Re: Xplico in command line - Unable to read configuration file

OK, it is a bug in the DNS dissector and it is also present in version 0.5.3.
For now you can disable the DNS dissector. In the configuration file, change the line:
Code:
MODULE=dis_dns.so        LOG=FEWS

to
Code:
#MODULE=dis_dns.so        LOG=FEWS

Once we have solved the problem we will put the new code here for testing.

Thanks for the helpful information.

Author:  carlos.gacimartin [ Wed Nov 04, 2009 10:17 am ]
Post subject:  Re: Xplico in command line - Unable to read configuration file

Hello Diago,
Gianluca has released a new beta version this morning to fix your bug, could you try it?
http://forum.xplico.org/viewtopic.php?f=3&t=30

All times are UTC