 OOPS: Delete. flow descriptor error (a) 

Joined: Mon Jun 13, 2011 4:17 pm
Posts: 6
Post OOPS: Delete. flow descriptor error (a)
Hi guys

I hope you can help me try to work out the cause of the error I'm getting.

I'm currently trying to process a 45G pcap file, but xplico exits with the error after 5 seconds or so.

[CORE]{c}-OOPS: Delete. flow descriptor error (a).

Before that there are lots and lots (1000's) of Sort errors.

Any help you can give into tracking down which packets might have caused this would be greatly appreciated, as there does not appear to be an error XML linked to the error.

Thanks in advance

Impy


Mon Jun 13, 2011 4:35 pm

Joined: Wed Sep 16, 2009 10:45 pm
Posts: 128
Post Re: OOPS: Delete. flow descriptor error (a)
For the moment, could you paste here the context of the error (the output)?
And have you tried to use the latest version (nowadays 0.6.3)?

Carlos.


Mon Jun 13, 2011 5:35 pm

Joined: Mon Jun 13, 2011 4:17 pm
Posts: 6
Post Re: OOPS: Delete. flow descriptor error (a)
Oh yes I forgot to add it's on the latest version 0.6.3

The pcap file appears valid, capinfos does not report any errors.

Here is the last bit of the log file, run with all logging options set for all modules enabled in the default config.
Code:
22:15:06 [CORE]{c}-OOPS: Sort error: 137->194 => 138->140733193388226
22:15:06 [CORE]{c}-OOPS: Sort error: 139->220 => 140->140733193388252
22:15:06 [CORE]{c}-OOPS: Sort error: 142->123 => 143->140733193388155
22:15:06 [CORE]{c}-OOPS: Sort error: 144->178 => 145->140733193388210
22:15:06 [CORE]{c}-OOPS: Sort error: 146->201 => 147->140733193388233
22:15:06 [CORE]{c}-OOPS: Sort error: 148->174 => 149->140733193388206
22:15:06 [CORE]{c}-OOPS: Sort error: 150->212 => 151->140733193388244
22:15:06 [CORE]{c}-OOPS: Sort error: 152->195 => 153->140733193388227
22:15:06 [CORE]{c}-OOPS: Sort error: 154->65 => 155->140733193388097
22:15:06 [CORE]{c}-OOPS: Sort error: 156->176 => 157->140733193388208
22:15:06 [CORE]{c}-OOPS: Sort error: 158->170 => 159->140733193388202
22:15:06 [CORE]{c}-OOPS: Sort error: 160->169 => 161->140733193388201
22:15:06 [CORE]{c}-OOPS: Sort error: 162->54 => 163->140733193388086
22:15:06 [CORE]{c}-OOPS: Sort error: 164->81 => 165->140733193388113
22:15:06 [CORE]{c}-OOPS: Sort error: 166->51 => 167->140733193388083
22:15:06 [CORE]{c}-OOPS: Sort error: 169->115 => 170->140733193388147
22:15:06 [CORE]{c}-OOPS: Sort error: 171->2 => 172->140733193388034
22:15:06 [CORE]{c}-OOPS: Sort error: 172->2 => 173->140733193388034
22:15:06 [CORE]{c}-OOPS: Sort error: 173->2 => 174->140733193388034
22:15:06 [CORE]{c}-OOPS: Sort error: 175->232 => 176->140733193388264
22:15:06 [CORE]{c}-OOPS: Sort error: 177->69 => 178->140733193388101
22:15:06 [CORE]{c}-OOPS: Sort error: 179->159 => 180->140733193388191
22:15:06 [CORE]{c}-OOPS: Sort error: 182->124 => 183->140733193388156
22:15:06 [CORE]{c}-OOPS: Sort error: 184->108 => 185->140733193388140
22:15:06 [CORE]{c}-OOPS: Sort error: 185->108 => 186->140733193388140
22:15:06 [CORE]{c}-OOPS: Sort error: 186->108 => 187->140733193388140
22:15:06 [CORE]{c}-OOPS: Sort error: 188->48 => 189->140733193388080
22:15:06 [CORE]{c}-OOPS: Sort error: 189->48 => 190->140733193388080
22:15:06 [CORE]{c}-OOPS: Sort error: 190->48 => 191->140733193388080
22:15:06 [CORE]{c}-OOPS: Sort error: 192->207 => 193->140733193388239
22:15:06 [CORE]{c}-OOPS: Sort error: 194->17 => 195->140733193388049
22:15:06 [CORE]{c}-OOPS: Sort error: 195->17 => 196->140733193388049
22:15:06 [CORE]{c}-OOPS: Sort error: 196->17 => 197->140733193388049
22:15:06 [CORE]{c}-OOPS: Sort error: 198->25 => 199->140733193388057
22:15:06 [tcp-grb]{143}-DEBUG: TCP garbage id: 143
22:15:06 [tcp-grb]{143}-DEBUG:  SRC: xxx.xxx.xxx.xxx:xxxxx
22:15:06 [tcp-grb]{143}-DEBUG:  DST: xxx.xxx.xxx.xxx:xxxxx
22:15:06 [tcp-grb]{143}-DEBUG: TCP->finger garbage... bye bye  fid:143 count:1
22:15:06 [CORE]{c}-OOPS: Delete flow descriptor error (a).


A single error has now been logged as well, I'm sure it was not before......
Code:
<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/css" href="/css/flows.css"?>

<grp>
<flow>
  <number>--- Decoding info: stream 0 ---</number>
  <frame>
    <frm_type>tcp</frm_type>
    <prop>
      <name>tcp.srcport</name>
      <value>49588</value>
    </prop>
    <prop>
      <name>tcp.dstport</name>
      <value>80</value>
    </prop>
    <prop>
      <name>tcp.clnt</name>
      <value>1</value>
    </prop>
    <prop>
      <name>tcp.lost</name>
      <value>0</value>
    </prop>
  </frame>
  <frame>
    <frm_type>ip</frm_type>
    <prop>
      <name>ip.proto</name>
      <value>6</value>
    </prop>
    <prop>
      <name>ip.src</name>
      <value>xxx.xxx.xxx.xxx</value>
    </prop>
    <prop>
      <name>ip.dst</name>
      <value>xxx.xxx.xxx.xxx</value>
    </prop>
    <prop>
      <name>ip.offset</name>
      <value>14</value>
    </prop>
  </frame>
  <frame>
    <frm_type>eth</frm_type>
    <prop>
      <name>eth.type</name>
      <value>2048</value>
    </prop>
  </frame>
  <frame>
    <frm_type>pcapf</frm_type>
    <prop>
      <name>pcapf.layer1</name>
      <value>1</value>
    </prop>
    <prop>
      <name>pcapf.count</name>
      <value>3016</value>
    </prop>
    <prop>
      <name>pcapf.file</name>
      <value>REMOVED.pcap</value>
    </prop>
  </frame>
</flow>
</grp>


I'll give your xml2pcap.php a go (might take a while, tshark on a 45G file is not the fastest of things!). I'll let you know if that isolates the problem.

I have managed to get the xplico to pass the error by commenting out

Code:
# table of flows sorted
ifndef FTBL_NOSORT
#CFLAGS += -DFTBL_SORT=1
endif


The program then runs for 10 minutes or so, then segfaults, I have yet to look into why that happens.

Again thanks for the help


Mon Jun 13, 2011 9:35 pm
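A way to read the Sort error lines in the log above, added here as an example and not part of the original thread or of xplico: it splits each right-hand value into 32-bit halves and compares the low half with the left-hand value. The field names (`left`, `right_index`, `high32`, `low32`) are hypothetical labels, since the thread does not say what the four numbers mean.

```python
import re

# Four lines copied from the log posted above (three Sort errors, one other line).
SAMPLE = """\
22:15:06 [CORE]{c}-OOPS: Sort error: 137->194 => 138->140733193388226
22:15:06 [CORE]{c}-OOPS: Sort error: 171->2 => 172->140733193388034
22:15:06 [CORE]{c}-OOPS: Sort error: 172->2 => 173->140733193388034
22:15:06 [tcp-grb]{143}-DEBUG: TCP garbage id: 143
"""

SORT_RE = re.compile(r"Sort error: (\d+)->(\d+) => (\d+)->(\d+)")


def decode_sort_errors(log_text):
    """Split each right-hand value into 32-bit halves and compare with the left."""
    rows = []
    for line in log_text.splitlines():
        m = SORT_RE.search(line)
        if m is None:
            continue  # not a Sort error line
        l_idx, l_val, r_idx, r_val = (int(g) for g in m.groups())
        low = r_val & 0xFFFFFFFF
        rows.append({"left": (l_idx, l_val), "right_index": r_idx,
                     "high32": r_val >> 32, "low32": low,
                     "low_equals_left": low == l_val})
    return rows


def summarize(rows):
    """Collapse the decoded rows into the facts worth putting in a bug report."""
    return {"sort_errors": len(rows),
            "high32_seen": sorted({hex(r["high32"]) for r in rows}),
            "low_always_equals_left": all(r["low_equals_left"] for r in rows)}


if __name__ == "__main__":
    print(summarize(decode_sort_errors(SAMPLE)))
```

On every Sort error line in the posted log the right-hand value has 0x7fff in its upper 32 bits and the left-hand value in its lower 32 bits. That is consistent with a 32-bit quantity being read or printed as 64 bits, though the thread does not confirm the cause.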

Joined: Mon Jun 13, 2011 4:17 pm
Posts: 6
Post Re: OOPS: Delete. flow descriptor error (a)
I have extracted the flows which generated the xml file. Rerunning xplico on this flow does not cause the "Delete. flow descriptor error (a)" error.


Tue Jun 14, 2011 6:22 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: OOPS: Delete. flow descriptor error (a)
Well,
This bug will be awkward to locate. More likely it is a bug due to a buffer overrun. It is essential to have the pcap (part of the pcap).
The first step is to reduce the pcap size.
From the original code, at line 684 (before the exit call) of the prot.c file, add these lines:
Code:
        extern unsigned long crash_pkt_cnt;
        LogPrintf(LV_FATAL, "Last packet num: %lu", crash_pkt_cnt);
        printf("\nLast packet num: %lu\n", crash_pkt_cnt);

i.e.:
Code:
                                if (flowd_id != prot_tbl[id].flwd_del) {
                                    LogPrintf(LV_OOPS, "Delete: flow descriptor error (a).");
                                    extern unsigned long crash_pkt_cnt;
                                    LogPrintf(LV_FATAL, "Last packet num: %lu", crash_pkt_cnt);
                                    printf("\nLast packet num: %lu\n", crash_pkt_cnt);
                                    exit(-1);
                                }
                             

After the compilation, rerun the decoding of the pcap file (45G).
At the end (exit error), in the terminal (and in the log file) you can see the line:
Quote:
Last packet num: xxxx

Now, you create, from your pcap file (45G), a pcap file with all packets from 1 to xxx, zip (bzip2) it and send it to us (bug[@t]xplico.org).

To "reduce" the pcap file you can use our program named trigcap (system/trigcap):
Code:
./trigcap -f your.pcap -t xxxx -b xxxx -a 1 -o bug.pcap


Ciao.
Gianluca


Tue Jun 14, 2011 6:50 am
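The "reduce the pcap" step described above, as a stand-alone example added here (it is not trigcap and not code from the xplico project): it streams packets 1 to N of a classic libpcap file into a new file, so a 45G capture never has to fit in memory. Assumptions: the printed "Last packet num" counts from 1, the capture is classic pcap and not pcapng, and `cut_pcap`, `sample_pcap` and `MAX_RECORD` are names made up for this example.

```python
import struct
import sys

# Magic bytes of classic libpcap files (microsecond / nanosecond timestamps),
# mapped to the struct byte-order prefix of the machine that wrote the file.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
MAX_RECORD = 1 << 24  # sanity bound on one record; an assumption of this example


def cut_pcap(src, dst, last_pkt):
    """Stream packets 1..last_pkt (1-based, inclusive) from src to dst."""
    ghdr = src.read(24)
    if len(ghdr) < 24 or ghdr[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    order = MAGICS[ghdr[:4]]
    dst.write(ghdr)
    copied = 0
    while copied < last_pkt:
        rhdr = src.read(16)
        if len(rhdr) < 16:
            break  # end of file
        incl_len = struct.unpack(order + "IIII", rhdr)[2]
        if incl_len > MAX_RECORD:
            raise ValueError(f"record {copied + 1}: implausible length {incl_len}")
        data = src.read(incl_len)
        if len(data) < incl_len:
            break  # truncated last record: leave it out
        dst.write(rhdr + data)
        copied += 1
    return copied


def sample_pcap(n):
    """Constructed input: n records of 4 payload bytes each, little-endian."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n):
        out += struct.pack("<IIII", i, 0, 4, 4) + bytes([i]) * 4
    return out


if __name__ == "__main__":
    # usage: cut.py your.pcap bug.pcap <last packet num>
    with open(sys.argv[1], "rb") as s, open(sys.argv[2], "wb") as d:
        print(cut_pcap(s, d, int(sys.argv[3])), "packets written")
```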