|
Page 1 of 1
|
[ 5 posts ] |
|
IP packet dimension overflow the real dimension of packet
lexlth
Joined: Thu May 20, 2010 11:29 pm Posts: 16
|
 IP packet dimension overflow the real dimension of packet
Hello, I am generating a 590Mb file for xplico to decode, but in the process of decoding, I get a lot of these messages in its log:
Code:
10:36:34 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
10:36:34 [CORE]{c}-INFO: frame 0 - prot: 2, flow: no, id: -1 -
10:36:34 [CORE]{c}-INFO: eth.type: 2048
10:36:34 [CORE]{c}-INFO: frame 1 - prot: 1, flow: no, id: -1 -
10:36:34 [CORE]{c}-INFO: pol.layer1: 1
10:36:34 [CORE]{c}-INFO: pol.count: 11
10:36:34 [CORE]{c}-INFO: pol.file: /opt/xplico/pol_1/sol_6/decode/gra2-2.pcap
10:36:34 [CORE]{c}-INFO: pol.sesid: 6
10:36:34 [CORE]{c}-INFO: pol.polid: 1
10:36:34 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
10:36:34 [CORE]{c}-INFO: frame 0 - prot: 2, flow: no, id: -1 -
10:36:34 [CORE]{c}-INFO: eth.type: 2048
10:36:34 [CORE]{c}-INFO: frame 1 - prot: 1, flow: no, id: -1 -
10:36:34 [CORE]{c}-INFO: pol.layer1: 1
10:36:34 [CORE]{c}-INFO: pol.count: 15
10:36:34 [CORE]{c}-INFO: pol.file: /opt/xplico/pol_1/sol_6/decode/gra2-2.pcap
10:36:34 [CORE]{c}-INFO: pol.sesid: 6
10:36:34 [CORE]{c}-INFO: pol.polid: 1
10:36:34 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
10:36:34 [CORE]{c}-INFO: frame 0 - prot: 2, flow: no, id: -1 -
10:36:34 [CORE]{c}-INFO: eth.type: 2048
10:36:34 [CORE]{c}-INFO: frame 1 - prot: 1, flow: no, id: -1 -
10:36:34 [CORE]{c}-INFO: pol.layer1: 1
10:36:34 [CORE]{c}-INFO: pol.count: 16
10:36:34 [CORE]{c}-INFO: pol.file: /opt/xplico/pol_1/sol_6/decode/gra2-2.pcap
10:36:34 [CORE]{c}-INFO: pol.sesid: 6
10:36:34 [CORE]{c}-INFO: pol.polid: 1

I am also experiencing that it does not show all the videos we access. I tried to make an ftp session, but it did not appear either... Thanks for any help...
|
| Thu Jun 17, 2010 11:53 am |
|
 |
|
gianluca.costa
Site Admin
Joined: Wed Sep 16, 2009 10:09 pm Posts: 173
|
 Re: IP packet dimension overflow the real dimension of packe
I think it is not a bug, but only an acquisition problem. You can verify it if you open the file gra2-2.pcap with Wireshark and go to packet 11 or 15 or 16.
If you use tcpdump then remember to use the '-s 0' option.
Ciao. Gianluca
|
| Thu Jun 17, 2010 12:44 pm |
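
The condition the warning describes can be checked directly in the capture file. The following is an added example (not Xplico's code and not part of the original posts): it reads a classic pcap and lists the frames whose IP total-length field is larger than the bytes actually stored, which is what a limited snaplen produces. `find_truncated`, `build_sample` and the sample frames are constructed for illustration, and untagged Ethernet is assumed.

```python
import io
import struct

ETH_LEN = 14  # Ethernet II header without VLAN tag (assumption of this example)

def find_truncated(stream):
    """Yield (frame_no, caplen, wire_len, ip_total_len) for each IPv4 frame whose
    IP total-length field exceeds the bytes stored after the Ethernet header."""
    hdr = stream.read(24)
    if len(hdr) < 24:
        raise ValueError("truncated pcap global header")
    # Magic read little-endian tells us the byte order the file was written in.
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", hdr[:4])[0])
    if end is None or struct.unpack(end + "I", hdr[20:24])[0] != 1:
        raise ValueError("expected classic pcap with Ethernet link type")
    frame_no = 0
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            return
        _sec, _usec, caplen, wire_len = struct.unpack(end + "IIII", rec)
        data = stream.read(caplen)
        frame_no += 1  # 1-based, like Wireshark's packet list
        if len(data) < ETH_LEN + 4:
            continue  # too short to even reach the IP length field
        if struct.unpack("!H", data[12:14])[0] != 0x0800:  # eth.type 2048 = IPv4
            continue
        ip_total = struct.unpack("!H", data[ETH_LEN + 2:ETH_LEN + 4])[0]
        if ip_total > len(data) - ETH_LEN:
            yield frame_no, caplen, wire_len, ip_total

def build_sample(snaplen):
    """Constructed capture: three IPv4 frames of 54, 234 and 74 bytes on the
    wire, each stored cut to `snaplen` bytes as a capture tool would."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for payload_len in (20, 200, 40):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6,
                         0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        frame = b"\x02" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len
        stored = frame[:snaplen]
        out.write(struct.pack("<IIII", 0, 0, len(stored), len(frame)))
        out.write(stored)
    out.seek(0)
    return out

if __name__ == "__main__":
    for hit in find_truncated(build_sample(68)):
        print("frame %d: captured %d of %d bytes, IP header claims %d" % hit)
```

To run it against a real capture, pass `open("gra2-2.pcap", "rb")` to `find_truncated`; a capture taken with the full snaplen should report nothing.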
|
 |
|
lexlth
Joined: Thu May 20, 2010 11:29 pm Posts: 16
|
 Re: IP packet dimension overflow the real dimension of packe
Thank you, Gianluca. I had disabled the -s 0 option on tcpdump to test and forgot to enable it again. I will test now with this option.
|
| Thu Jun 17, 2010 1:00 pm |
|
 |
|
lexlth
Joined: Thu May 20, 2010 11:29 pm Posts: 16
|
 Re: IP packet dimension overflow the real dimension of packe
Gianluca, this solved the problem, thank you.... But I am still having some issues here. I put 2 files to decode, and after they had been decoded, something went wrong. I have a machine that is just for testing. First, a telnet session I had made to test did not appear. Second, I accessed a lot of videos from youtube and other sites, but they did not appear either. And finally, the processing of the 2x590Mb files was too fast, it took about 5 seconds or less to decode them, and I got this message in the log (ripped out some personal information, of course):
Code:
07:56:24 [CORE]{243}-INFO: frame 0 - prot: 7, flow: yes, id: 243 -
07:56:24 [CORE]{243}-INFO: tcp.srcport: 110
07:56:24 [CORE]{243}-INFO: tcp.dstport: 52644
07:56:24 [CORE]{243}-INFO: tcp.clnt: 0
07:56:24 [CORE]{243}-INFO: tcp.lost: 0
07:56:24 [CORE]{243}-INFO: frame 1 - prot: 5, flow: no, id: -1 -
07:56:24 [CORE]{243}-INFO: ip.proto: 6
07:56:24 [CORE]{243}-INFO: ip.src: xxx.xxx.xxx.xxx
07:56:24 [CORE]{243}-INFO: ip.dst: yyy.yyy.yyy.yy
07:56:24 [CORE]{243}-INFO: ip.offset: 14
07:56:24 [CORE]{243}-INFO: frame 2 - prot: 2, flow: no, id: -1 -
07:56:24 [CORE]{243}-INFO: eth.type: 2048
07:56:24 [CORE]{243}-INFO: frame 3 - prot: 1, flow: no, id: -1 -
07:56:24 [CORE]{243}-INFO: pol.layer1: 1
07:56:24 [CORE]{243}-INFO: pol.count: 367724
07:56:24 [CORE]{243}-INFO: pol.file: /opt/xplico/pol_1/sol_6/decode/test.pcap7
07:56:24 [CORE]{243}-INFO: pol.sesid: 6
07:56:24 [CORE]{243}-INFO: pol.polid: 1
07:56:25 [CORE]{296}-INFO: frame 0 - prot: 7, flow: yes, id: 296 -
07:56:25 [CORE]{296}-INFO: tcp.srcport: 110
07:56:25 [CORE]{296}-INFO: tcp.dstport: 52650
07:56:25 [CORE]{296}-INFO: tcp.clnt: 0
07:56:25 [CORE]{296}-INFO: tcp.lost: 0
07:56:25 [CORE]{296}-INFO: frame 1 - prot: 5, flow: no, id: -1 -
07:56:25 [CORE]{296}-INFO: ip.proto: 6
07:56:25 [CORE]{296}-INFO: ip.src: xxx.xxx.xxx.xxx
07:56:25 [CORE]{296}-INFO: ip.dst: yyy.yyy.yyy.yy
07:56:25 [CORE]{296}-INFO: ip.offset: 14
07:56:25 [CORE]{296}-INFO: frame 2 - prot: 2, flow: no, id: -1 -
07:56:25 [CORE]{296}-INFO: eth.type: 2048
07:56:25 [CORE]{296}-INFO: frame 3 - prot: 1, flow: no, id: -1 -
07:56:25 [CORE]{296}-INFO: pol.layer1: 1
07:56:25 [CORE]{296}-INFO: pol.count: 368564
07:56:25 [CORE]{296}-INFO: pol.file: /opt/xplico/pol_1/sol_6/decode/test.pcap7
07:56:25 [CORE]{296}-INFO: pol.sesid: 6
07:56:25 [CORE]{296}-INFO: pol.polid: 1
07:56:25 [CORE]{366}-INFO: frame 0 - prot: 7, flow: yes, id: 366 -
07:56:25 [CORE]{366}-INFO: tcp.srcport: 110
07:56:25 [CORE]{366}-INFO: tcp.dstport: 52656
07:56:25 [CORE]{366}-INFO: tcp.clnt: 0
07:56:25 [CORE]{366}-INFO: tcp.lost: 0
07:56:25 [CORE]{366}-INFO: frame 1 - prot: 5, flow: no, id: -1 -
07:56:25 [CORE]{366}-INFO: ip.proto: 6
07:56:25 [CORE]{366}-INFO: ip.src: xxx.xxx.xxx.xxx
07:56:25 [CORE]{366}-INFO: ip.dst: yyy.yyy.yyy.yy
07:56:25 [CORE]{366}-INFO: ip.offset: 14
07:56:25 [CORE]{366}-INFO: frame 2 - prot: 2, flow: no, id: -1 -
07:56:25 [CORE]{366}-INFO: eth.type: 2048
07:56:25 [CORE]{366}-INFO: frame 3 - prot: 1, flow: no, id: -1 -
07:56:25 [CORE]{366}-INFO: pol.layer1: 1
07:56:25 [CORE]{366}-INFO: pol.count: 369542
07:56:25 [CORE]{366}-INFO: pol.file: /opt/xplico/pol_1/sol_6/decode/test.pcap7
07:56:25 [CORE]{366}-INFO: pol.sesid: 6
07:56:25 [CORE]{366}-INFO: pol.polid: 1
07:56:25 [CORE]{360}-OOPS: (1) SegFault
07:56:25 [CORE]{360}-INFO: frame 0 - prot: 7, flow: yes, id: 360 -
07:56:25 [CORE]{360}-INFO: tcp.srcport: 1716
07:56:25 [CORE]{360}-INFO: tcp.dstport: 80
07:56:25 [CORE]{360}-INFO: tcp.clnt: 1
07:56:25 [CORE]{360}-INFO: tcp.lost: 0
07:56:25 [CORE]{360}-INFO: frame 1 - prot: 5, flow: no, id: -1 -
07:56:25 [CORE]{360}-INFO: ip.proto: 6
07:56:25 [CORE]{360}-INFO: ip.src: xxx.xxx.xxx.xxx
07:56:25 [CORE]{360}-INFO: ip.dst: 87.230.74.43
07:56:25 [CORE]{360}-INFO: ip.offset: 14
07:56:25 [CORE]{360}-INFO: frame 2 - prot: 2, flow: no, id: -1 -
07:56:25 [CORE]{360}-INFO: eth.type: 2048
07:56:25 [CORE]{360}-INFO: frame 3 - prot: 1, flow: no, id: -1 -
07:56:25 [CORE]{360}-INFO: pol.layer1: 1
07:56:25 [CORE]{360}-INFO: pol.count: 369199
07:56:25 [CORE]{360}-INFO: pol.file: /opt/xplico/pol_1/sol_6/decode/test.pcap7
07:56:25 [CORE]{360}-INFO: pol.sesid: 6
07:56:25 [CORE]{360}-INFO: pol.polid: 1
|
| Fri Jun 18, 2010 11:22 am |
|
 |
|
gianluca.costa
Site Admin
Joined: Wed Sep 16, 2009 10:09 pm Posts: 173
|
 Re: IP packet dimension overflow the real dimension of packe
Hi lexlth,
You found a bug:
Quote:
07:56:25 [CORE]{360}-OOPS: (1) SegFault

In your dir /opt/xplico/pol_x/log (where the log file is) there is a file named oops_xplico_xxxx.xml. If you use this xml file with the script /opt/xplico/script/xml2pcap.php
Code:
/opt/xplico/script/xml2pcap.php /opt/xplico/pol_x/log/oops_xplico_xxxx.xml bug.pcap

you can extract the flows that generate the crash/fault. Can you send me (or post here) these pcap files (bug[@]xplico.org)? I think that the bug is inside the file /opt/xplico/pol_1/sol_6/decode/test.pcap7 from packet 369199. Ciao. Gianluca
|
| Sat Jun 19, 2010 7:31 am |
|
 |
|