


 IP packet dimension overflow the real dimension of packet 

Joined: Thu May 20, 2010 11:29 pm
Posts: 28
Post IP packet dimension overflow the real dimension of packet
Hello,

I am generating a 590Mb file for xplico to decode, but in the process of decoding, I get a lot of these messages in its log:


Code:
10:36:34 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
10:36:34 [CORE]{c}-INFO: frame 0 - prot: 2,  flow: no, id: -1 -
10:36:34 [CORE]{c}-INFO:    eth.type: 2048
10:36:34 [CORE]{c}-INFO:    frame 1 - prot: 1,  flow: no, id: -1 -
10:36:34 [CORE]{c}-INFO:       pol.layer1: 1
10:36:34 [CORE]{c}-INFO:       pol.count: 11
10:36:34 [CORE]{c}-INFO:       pol.file: /opt/xplico/pol_1/sol_6/decode/gra2-2.pcap
10:36:34 [CORE]{c}-INFO:       pol.sesid: 6
10:36:34 [CORE]{c}-INFO:       pol.polid: 1
10:36:34 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
10:36:34 [CORE]{c}-INFO: frame 0 - prot: 2,  flow: no, id: -1 -
10:36:34 [CORE]{c}-INFO:    eth.type: 2048
10:36:34 [CORE]{c}-INFO:    frame 1 - prot: 1,  flow: no, id: -1 -
10:36:34 [CORE]{c}-INFO:       pol.layer1: 1
10:36:34 [CORE]{c}-INFO:       pol.count: 15
10:36:34 [CORE]{c}-INFO:       pol.file: /opt/xplico/pol_1/sol_6/decode/gra2-2.pcap
10:36:34 [CORE]{c}-INFO:       pol.sesid: 6
10:36:34 [CORE]{c}-INFO:       pol.polid: 1
10:36:34 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
10:36:34 [CORE]{c}-INFO: frame 0 - prot: 2,  flow: no, id: -1 -
10:36:34 [CORE]{c}-INFO:    eth.type: 2048
10:36:34 [CORE]{c}-INFO:    frame 1 - prot: 1,  flow: no, id: -1 -
10:36:34 [CORE]{c}-INFO:       pol.layer1: 1
10:36:34 [CORE]{c}-INFO:       pol.count: 16
10:36:34 [CORE]{c}-INFO:       pol.file: /opt/xplico/pol_1/sol_6/decode/gra2-2.pcap
10:36:34 [CORE]{c}-INFO:       pol.sesid: 6
10:36:34 [CORE]{c}-INFO:       pol.polid: 1


I am also experiencing that it does not show all the videos we access. I tried to make an FTP session, but it did not appear either...

Thanks for any help...


Thu Jun 17, 2010 11:53 am
Profile
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: IP packet dimension overflow the real dimension of packe
I think it is not a bug, but only an acquisition problem. You can verify it if you open the file gra2-2.pcap with Wireshark and go to packet 11, 15 or 16.

If you use tcpdump then remember to use the '-s 0' option.

Ciao.
Gianluca


Thu Jun 17, 2010 12:44 pm
Profile WWW
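
The check suggested in the reply above, as an added example that is not part of the original thread or of Xplico's code: it walks a capture and lists every IPv4 packet whose header-declared length runs past the bytes actually stored, and says whether the capture snaplen explains the gap. It assumes a classic pcap file (not pcapng) with Ethernet framing; the function names and the sample frames are constructed for illustration.

```python
import io
import struct

ETH_HDR = 14             # Ethernet II header length
ETHERTYPE_IPV4 = 0x0800

def find_short_ip_packets(stream):
    """Return (packet_no, ip_total_len, caplen, wirelen, cut_by_snaplen) for each
    IPv4 packet whose header-declared length runs past the captured bytes."""
    ghdr = stream.read(24)
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(ghdr[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", ghdr[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    hits, number = [], 0
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            break
        _, _, caplen, wirelen = struct.unpack(order + "IIII", rec)
        data = stream.read(caplen)
        if len(data) < caplen:
            break                      # file itself ends mid-record
        number += 1                    # 1-based, as Wireshark numbers packets
        if caplen < ETH_HDR + 4 or struct.unpack("!H", data[12:14])[0] != ETHERTYPE_IPV4:
            continue                   # not IPv4, or too short to reach its length field
        ip_total = struct.unpack("!H", data[16:18])[0]
        if ETH_HDR + ip_total > caplen:
            hits.append((number, ip_total, caplen, wirelen, caplen < wirelen))
    return hits

def frame(payload_len):
    """Constructed Ethernet + IPv4 frame (documentation addresses, no checksum)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + b"A" * payload_len

def build_sample(snaplen):
    """Constructed capture: three frames, each cut to snaplen as a sniffer would."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for payload_len in (20, 500, 1000):
        f = frame(payload_len)
        out += struct.pack("<IIII", 0, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    return out

if __name__ == "__main__":
    for hit in find_short_ip_packets(io.BytesIO(build_sample(68))):
        print("packet %d: IP length %d, captured %d of %d bytes, snaplen cut: %s" % hit)
```

A hit with `cut_by_snaplen` false means the capture holds the whole frame and the IP header itself declares too much, which points to a malformed packet rather than an acquisition problem.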

Joined: Thu May 20, 2010 11:29 pm
Posts: 28
Post Re: IP packet dimension overflow the real dimension of packe
Thank you, Gianluca. I had disabled the -s 0 option on tcpdump to test and forgot to enable it again. I will test now with this option.


Thu Jun 17, 2010 1:00 pm
Profile

Joined: Thu May 20, 2010 11:29 pm
Posts: 28
Post Re: IP packet dimension overflow the real dimension of packe
Gianluca,

This solved the problem, thank you....

But I am still having some issues here. I put 2 files to decode, and after they had been decoded, something went wrong. I have a machine that is just for test.
First, a telnet session I had made to test did not appear.
Second, I accessed a lot of videos from youtube and other sites, but they did not appear either.
And finally, the processing of the 2x590Mb files was too fast: it took about 5 seconds or less to decode them, and I got this message in the log (ripped out some personal information, of course):
Code:
07:56:24 [CORE]{243}-INFO: frame 0 - prot: 7,  flow: yes, id: 243 -
07:56:24 [CORE]{243}-INFO:    tcp.srcport: 110
07:56:24 [CORE]{243}-INFO:    tcp.dstport: 52644
07:56:24 [CORE]{243}-INFO:    tcp.clnt: 0
07:56:24 [CORE]{243}-INFO:    tcp.lost: 0
07:56:24 [CORE]{243}-INFO:    frame 1 - prot: 5,  flow: no, id: -1 -
07:56:24 [CORE]{243}-INFO:       ip.proto: 6
07:56:24 [CORE]{243}-INFO:       ip.src: xxx.xxx.xxx.xxx
07:56:24 [CORE]{243}-INFO:       ip.dst: yyy.yyy.yyy.yy
07:56:24 [CORE]{243}-INFO:       ip.offset: 14
07:56:24 [CORE]{243}-INFO:       frame 2 - prot: 2,  flow: no, id: -1 -
07:56:24 [CORE]{243}-INFO:          eth.type: 2048
07:56:24 [CORE]{243}-INFO:          frame 3 - prot: 1,  flow: no, id: -1 -
07:56:24 [CORE]{243}-INFO:             pol.layer1: 1
07:56:24 [CORE]{243}-INFO:             pol.count: 367724
07:56:24 [CORE]{243}-INFO:             pol.file: /opt/xplico/pol_1/sol_6/decode/test.pcap7
07:56:24 [CORE]{243}-INFO:             pol.sesid: 6
07:56:24 [CORE]{243}-INFO:             pol.polid: 1
07:56:25 [CORE]{296}-INFO: frame 0 - prot: 7,  flow: yes, id: 296 -
07:56:25 [CORE]{296}-INFO:    tcp.srcport: 110
07:56:25 [CORE]{296}-INFO:    tcp.dstport: 52650
07:56:25 [CORE]{296}-INFO:    tcp.clnt: 0
07:56:25 [CORE]{296}-INFO:    tcp.lost: 0
07:56:25 [CORE]{296}-INFO:    frame 1 - prot: 5,  flow: no, id: -1 -
07:56:25 [CORE]{296}-INFO:       ip.proto: 6
07:56:25 [CORE]{296}-INFO:       ip.src: xxx.xxx.xxx.xxx
07:56:25 [CORE]{296}-INFO:       ip.dst: yyy.yyy.yyy.yy
07:56:25 [CORE]{296}-INFO:       ip.offset: 14
07:56:25 [CORE]{296}-INFO:       frame 2 - prot: 2,  flow: no, id: -1 -
07:56:25 [CORE]{296}-INFO:          eth.type: 2048
07:56:25 [CORE]{296}-INFO:          frame 3 - prot: 1,  flow: no, id: -1 -
07:56:25 [CORE]{296}-INFO:             pol.layer1: 1
07:56:25 [CORE]{296}-INFO:             pol.count: 368564
07:56:25 [CORE]{296}-INFO:             pol.file: /opt/xplico/pol_1/sol_6/decode/test.pcap7
07:56:25 [CORE]{296}-INFO:             pol.sesid: 6
07:56:25 [CORE]{296}-INFO:             pol.polid: 1
07:56:25 [CORE]{366}-INFO: frame 0 - prot: 7,  flow: yes, id: 366 -
07:56:25 [CORE]{366}-INFO:    tcp.srcport: 110
07:56:25 [CORE]{366}-INFO:    tcp.dstport: 52656
07:56:25 [CORE]{366}-INFO:    tcp.clnt: 0
07:56:25 [CORE]{366}-INFO:    tcp.lost: 0
07:56:25 [CORE]{366}-INFO:    frame 1 - prot: 5,  flow: no, id: -1 -
07:56:25 [CORE]{366}-INFO:       ip.proto: 6
07:56:25 [CORE]{366}-INFO:       ip.src: xxx.xxx.xxx.xxx
07:56:25 [CORE]{366}-INFO:       ip.dst: yyy.yyy.yyy.yy
07:56:25 [CORE]{366}-INFO:       ip.offset: 14
07:56:25 [CORE]{366}-INFO:       frame 2 - prot: 2,  flow: no, id: -1 -
07:56:25 [CORE]{366}-INFO:          eth.type: 2048
07:56:25 [CORE]{366}-INFO:          frame 3 - prot: 1,  flow: no, id: -1 -
07:56:25 [CORE]{366}-INFO:             pol.layer1: 1
07:56:25 [CORE]{366}-INFO:             pol.count: 369542
07:56:25 [CORE]{366}-INFO:             pol.file: /opt/xplico/pol_1/sol_6/decode/test.pcap7
07:56:25 [CORE]{366}-INFO:             pol.sesid: 6
07:56:25 [CORE]{366}-INFO:             pol.polid: 1
07:56:25 [CORE]{360}-OOPS: (1) SegFault
07:56:25 [CORE]{360}-INFO: frame 0 - prot: 7,  flow: yes, id: 360 -
07:56:25 [CORE]{360}-INFO:    tcp.srcport: 1716
07:56:25 [CORE]{360}-INFO:    tcp.dstport: 80
07:56:25 [CORE]{360}-INFO:    tcp.clnt: 1
07:56:25 [CORE]{360}-INFO:    tcp.lost: 0
07:56:25 [CORE]{360}-INFO:    frame 1 - prot: 5,  flow: no, id: -1 -
07:56:25 [CORE]{360}-INFO:       ip.proto: 6
07:56:25 [CORE]{360}-INFO:       ip.src: xxx.xxx.xxx.xxx
07:56:25 [CORE]{360}-INFO:       ip.dst: 87.230.74.43
07:56:25 [CORE]{360}-INFO:       ip.offset: 14
07:56:25 [CORE]{360}-INFO:       frame 2 - prot: 2,  flow: no, id: -1 -
07:56:25 [CORE]{360}-INFO:          eth.type: 2048
07:56:25 [CORE]{360}-INFO:          frame 3 - prot: 1,  flow: no, id: -1 -
07:56:25 [CORE]{360}-INFO:             pol.layer1: 1
07:56:25 [CORE]{360}-INFO:             pol.count: 369199
07:56:25 [CORE]{360}-INFO:             pol.file: /opt/xplico/pol_1/sol_6/decode/test.pcap7
07:56:25 [CORE]{360}-INFO:             pol.sesid: 6
07:56:25 [CORE]{360}-INFO:             pol.polid: 1


Fri Jun 18, 2010 11:22 am
Profile
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: IP packet dimension overflow the real dimension of packe
Hi lexlth
You found a bug:
Quote:
07:56:25 [CORE]{360}-OOPS: (1) SegFault

In your dir /opt/xplico/pol_x/log (where the log file is) there is a file named oops_xplico_xxxx.xml. If you use this XML file with the script /opt/xplico/script/xml2pcap.php
Code:
/opt/xplico/script/xml2pcap.php /opt/xplico/pol_x/log/oops_xplico_xxxx.xml  bug.pcap

you can extract the flows that generate the crash/fault.
Can you send me (or post here) these pcap files (bug[@]xplico.org)?
I think that the bug is inside the file /opt/xplico/pol_1/sol_6/decode/test.pcap7 from packet 369199.


Ciao.
Gianluca


Sat Jun 19, 2010 7:31 am
Profile WWW