 Xplico 1.1.1 pauses/hangs while DECODING 
Dear Xplico Team:

Configuration:
1. One Case with One or Multiple Sessions
2. PCAP is approximately 4 days of capture with multiple protocols
3. PCAP has been sliced and diced multiple ways and either copied directly to the sol_#/new/ folder or streamed through PCAP to IP:
3.a. One large 60GB PCAP
3.b. Split pcap into 6-hour blocks ranging in size from 100MB to 22GB
3.c. Split pcap of 1000000 frames ranging in size from 400 to 750MB
4. Checksum on and off
5. The following dissectors off: VLAN, NNTP, ARP, PPPoE, IPv6, L2TP, IEEE80211
6. /opt/xplico/ is mounted to a dedicated RAID0 array of 4x 2TB disks.

Problem:
Xplico moves through the phases of EMPTY, BEGIN DECODING, and DECODING, but on occasion does not reach DECODING COMPLETE. I am unable to consistently reproduce the problem. I am able to pass the pause/hang using two methods:

A. Using the command line "service xplico restart" (not ideal, because it re-processes and creates duplicate entries for information already processed in that session).
B. Creating a new session, moving the pcap from /sol_#/raw/ to /sol_#+1/new/ and deleting the old session.

This problem occurred in the previous version, and was sometimes (but not always) accompanied by mime_dump.pyc crashes. In this version I am not getting any alerts that mime_dump.pyc has crashed.

I am unable to send you any segment of the PCAPs because they contain sensitive information.

Sincerely,

Eric


Mon Nov 30, 2015 5:53 pm

Re: Xplico 1.1.1 pauses/hangs while DECODING
Follow Up. The log file is filled with these messages when it hangs.

.
.
.
15:04:24 ERROR: Xplico or a Manipulator is dead!

15:04:24 ERROR: Xplico or a Manipulator is dead!

15:04:24 ERROR: Xplico or a Manipulator is dead!

15:04:24 ERROR: Xplico or a Manipulator is dead!

15:04:25 ERROR: Xplico or a Manipulator is dead!


Attachments:
dema_2015_11_30.log [15.84 KiB]
Mon Nov 30, 2015 8:12 pm

Re: Xplico 1.1.1 pauses/hangs while DECODING
Hi Eric,
  • the version of the Linux distribution that you use?
  • the other logs (each manipulator generates a log file in the same directory as the xplico log)
  • can you send us (privately) the pcap set? We will use it only to debug and fix the issue.
  • otherwise, can you give us access to the data (pcap) on your machine via an ssh connection?

Ciao.
Gianluca


Sun Dec 13, 2015 10:15 am

Re: Xplico 1.1.1 pauses/hangs while DECODING
Hi!

I have exactly the same symptoms:

My status with Xplico: Noob
Xplico version 1.1.2
Linux version: Kali Linux 2016.01 - Live USB Persistence mode
Installed Xplico using apt-get install Xplico
Everything is default, no changes to configs whatsoever.

Pcap is a 9 MB Pcap made with Wireshark (saved as tcp dump pcap).
After uploading pcap via web gui the status stays on "decoding" forever.
Dema log gets filled up with "Xplico or a Manipulator is dead!" message.
htop shows 6 /opt/xplico/ processes re-spawning every 5 or 6 seconds (see image).

Running Xplico from cli also gives errors.
bin/xplico -c cfg/xplico_cli.cfg -m pcap -f Downloads/test.pcap
It shows only it has found the config file but nothing else. Looking at the Xplico log in /opt/xplico/tmp shows the following errors:
19:44:35 [CORE]{c}-ERROR: Can't load module /opt/xplico/bin/modules/dis_tcp_grb.so: undefined symbol: ndpi_protocol2name
19:44:35 [CORE]{c}-FATAL: Load modules failed

Any suggestions on how to fix?

Tnx!


Sun Feb 07, 2016 6:51 pm

Re: Xplico 1.1.1 pauses/hangs while DECODING
Hi "Rodger Moore",
the issue related to the CLI execution is the nDPI library (linking).

Which version of nDPI are you using?

Ciao.
Gianluca


Mon Feb 08, 2016 6:08 pm

Re: Xplico 1.1.1 pauses/hangs while DECODING
gianluca.costa wrote:
Hi "Rodger Moore",
the issue related to the CLI execution is the nDPI library (linking).

Which version of nDPI are you using?

Ciao.
Gianluca


Ok, good question! It seems that on the new Kali Rolling Release nDPI is not installed at all. So what I tried is:

apt-get install dh-autoreconf tcpdump tshark apache2 php5 php5-sqlite build-essential perl libzip-dev libpcap-dev libsqlite3-dev php5-cli libapache2-mod-php5 libx11-dev libxt-dev libxaw7-dev python3 python3-httplib2 python3-psycopg2 sqlite3 recode sox lame libnet1 libnet1-dev binfmt-support libssl-dev
mkdir xbuild
cd xbuild/
svn co https://svn.ntop.org/svn/ntop/trunk/nDPI
cd nDPI/
./configure
NOT WORKING BECAUSE IT WAS AN EMPTY DIR -> nDPI moved to Git

git clone https://github.com/ntop/nDPI.git
cd nDPI/
./autogen.sh
./configure --prefix=/usr
make
make install
cd /opt/xplico/bin
./xplico -m pcap ~/Documents/test.pcap

Still the same error... :(

Any suggestions?


Thu Feb 11, 2016 9:48 am

Re: Xplico 1.1.1 pauses/hangs while DECODING
rodgermoore wrote:
gianluca.costa wrote:
Hi "Rodger Moore",
the issue related to the CLI execution is the nDPI library (linking).

Which version of nDPI are you using?

Ciao.
Gianluca


Ok, good question! It seems that on the new Kali Rolling Release nDPI is not installed at all. So what I tried is:

apt-get install dh-autoreconf tcpdump tshark apache2 php5 php5-sqlite build-essential perl libzip-dev libpcap-dev libsqlite3-dev php5-cli libapache2-mod-php5 libx11-dev libxt-dev libxaw7-dev python3 python3-httplib2 python3-psycopg2 sqlite3 recode sox lame libnet1 libnet1-dev binfmt-support libssl-dev
mkdir xbuild
cd xbuild/
svn co https://svn.ntop.org/svn/ntop/trunk/nDPI
cd nDPI/
./configure
NOT WORKING BECAUSE IT WAS AN EMPTY DIR -> nDPI moved to Git

git clone https://github.com/ntop/nDPI.git
cd nDPI/
./autogen.sh
./configure --prefix=/usr
make
make install
cd /opt/xplico/bin
./xplico -m pcap ~/Documents/test.pcap

Still the same error... :(

Any suggestions?


When I ldd bin/xplico I don't see any link to libndpi... Is this correct?
Code:
root@kali:/opt/xplico# ldd bin/xplico
   linux-vdso.so.1 (0x00007fff6d9e1000)
   libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f17bfdee000)
   libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f17bfbd1000)
   libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f17bf9b5000)
   libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f17bf74c000)
   libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007f17bf2ea000)
   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f17bef45000)
   /lib64/ld-linux-x86-64.so.2 (0x000056184a2f4000)


I installed the nDPI 1.7 branch from Github. Just double checking if ndpi_protocol2name is present in /usr/lib/libndpi.so.1.0.0, and this seems to be the case:

Code:
root@kali:/opt/xplico# nm /usr/lib/libndpi.so.1.0.0 | grep "protocol2name"
000000000000f510 t ndpi_protocol2name


Suggestions?


Fri Feb 12, 2016 1:16 pm
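The ldd and nm output quoted above already contain the answer if read carefully: nm prints a lowercase type letter (here `t`) for a symbol that is local to the object file, so the dynamic loader cannot use it to satisfy a relocation, and no libndpi appears among the linked libraries at all. The following checker is an added example (not code from the thread or from the Xplico project) that parses such nm/ldd output, using sample lines constructed to match those quoted above, and reports both conditions.

```python
import re

# Constructed sample output, modelled on the nm/ldd lines quoted in the thread above.
NM_OUTPUT = """\
000000000000f510 t ndpi_protocol2name
0000000000010a20 T ndpi_init_detection_module
"""
LDD_OUTPUT = """\
   linux-vdso.so.1 (0x00007fff6d9e1000)
   libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f17bfdee000)
   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f17bef45000)
   /lib64/ld-linux-x86-64.so.2 (0x000056184a2f4000)
"""

# nm line: optional address, one type letter, symbol name
NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)$")
# ldd line: soname, optionally "=> path" (or "=> not found")
LDD_LINE = re.compile(r"^\s*(\S+)(?:\s+=>\s+(\S+))?")


def symbol_visibility(nm_output, name):
    """Return 'global', 'local' or 'absent' for `name` in nm output.
    nm uses an uppercase type letter (T, D, B, ...) for global symbols and a
    lowercase one for local symbols; only global symbols can resolve a dynamic
    relocation, so a lowercase 't' explains an 'undefined symbol' error even
    though the name is present in the file."""
    for line in nm_output.splitlines():
        m = NM_LINE.match(line.strip())
        if m and m.group(2) == name:
            return "global" if m.group(1).isupper() else "local"
    return "absent"


def linked_libraries(ldd_output):
    """Map each DT_NEEDED soname in ldd output to its resolved path (None if
    unresolved or 'not found'); the interpreter line (starts with '/') is skipped."""
    libs = {}
    for line in ldd_output.splitlines():
        m = LDD_LINE.match(line)
        if m and not m.group(1).startswith("/"):
            path = m.group(2)
            libs[m.group(1)] = None if path in (None, "not") else path
    return libs


def diagnose(nm_output, ldd_output, symbol, library_prefix="libndpi"):
    """Explain why dlopen of a module could fail with 'undefined symbol'."""
    findings = []
    vis = symbol_visibility(nm_output, symbol)
    if vis != "global":
        findings.append(f"{symbol} is {vis} in the library: the dynamic loader cannot resolve it")
    needed = {n: p for n, p in linked_libraries(ldd_output).items() if n.startswith(library_prefix)}
    if not needed:
        findings.append(f"no {library_prefix}* in DT_NEEDED: the object was not linked against it")
    for name, path in needed.items():
        if path is None:
            findings.append(f"{name} is required but not found on the loader path")
    return findings
```

Run it against `nm /usr/lib/libndpi.so.1.0.0` and `ldd /opt/xplico/bin/modules/dis_tcp_grb.so` output to see which of the two conditions applies on a given box.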

Re: Xplico 1.1.1 pauses/hangs while DECODING
Hi Rodger,
the original source code of Xplico uses nDPI statically. This is why nDPI must be compiled before Xplico and its source code must be at the same level (same parent dir) as Xplico:
Code:
<dir_prj>/nDPI
<dir_prj>/xplico

the modules (dissectors) which use nDPI are:
  • tcp_grb
  • udp_grb
  • tcp_ca (added on xplico 1.1.2)
  • udp_ca (added on xplico 1.1.2)
If you are using a modified version of Xplico where nDPI is linked dynamically to Xplico, try to see where nDPI has been installed in your distro, for example by seeing where xplico links the nDPI library.
Code:
ldd  /opt/xplico/bin/modules/dis_tcp_grb.so


I hope it can help you.

Ciao.
Gianluca


Sat Feb 13, 2016 9:02 am

Re: Xplico 1.1.1 pauses/hangs while DECODING
gianluca.costa wrote:
Hi Rodger,
the original source code of Xplico uses nDPi statically. This is why nDPi must be compiled before Xplico and its source code must be in the same level (parent dir) of Xplico:
Code:
<dir_prj>/nDPI
<dir_prj>/xplico

the modules (dissectors) which use nDPI are:
  • tcp_grb
  • udp_grb
  • tcp_ca (added on xplico 1.1.2)
  • udp_ca (added on xplico 1.1.2)
If you are using a modified version of Xplico where the nDPI is linked dynamically to Xplico try to see where the nDPi has been installed in your distro, for example seeing where xplico links the nDPi library.
Code:
ldd  /opt/xplico/bin/modules/dis_tcp_grb.so


I hope it can help you.

Ciao.
Gianluca


Hi Gianluca,

Thanks for your answer. So it seems to be an error in the Kali repository; an Ubuntu installation using your repo works fine. I posted a bug tracker entry here: https://bugs.kali.org/view.php?id=3065. Hope it gets solved soon.

Cheers.


Sat Feb 13, 2016 11:52 am