 Xplico in command line - Unable to read configuration file 

Joined: Tue Nov 03, 2009 1:18 am
Posts: 4
Hi,

I have a 400MB+ .pcap file that I tried to analyze using xplico.
I used the command line method and followed the installation and usage procedures given in the Wiki (http://wiki.xplico.org/doku.php/tutorial)

I am using Ubuntu 9.04

Can you please help me out with this error.
------------------------------------------------------------------------------------------------------------------------------------------------------------

diago@mm:/opt/xplico/bin$ sudo ./xplico -m pcap -f /home/diago/Desktop/forensics/221710072007.pcap
[sudo] password for diago:
xplico v0.5.2
Internet Traffic Decoder (NFAT).
See http://www.xplico.org for more information.

Copyright 2007-2009 Gianluca Costa & Andrea de Franceschi and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Unable to read configuration file.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Any help will be appreciated.

-Diago


Tue Nov 03, 2009 1:29 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Re: Xplico in command line - Unable to read configuration file
Hi Diago,
maybe I have understood the problem.
I think you first tried the script /opt/xplico/script/sqlite_demo.sh. This script overwrites the file /opt/xplico/cfg/xplico.cfg used by Xplico in CLI mode. So I suggest you use the configuration file from the source code.
There are two possibilities:
  • if your source code has path /xplico_path then: sudo /opt/xplico/bin/xplico -c /xplico_path/config/xplico_fix.cfg -m pcap -f /home/diago/Desktop/forensics/221710072007.pcap
  • copy xplico_fix.cfg from the source code to /opt/xplico/cfg/xplico.cfg; in this way the command sudo /opt/xplico/bin/xplico -m pcap -f /home/diago/Desktop/forensics/221710072007.pcap can operate.

The Xplico 0.5.3 version no longer has this problem.


Tue Nov 03, 2009 7:31 am

Joined: Tue Nov 03, 2009 1:18 am
Posts: 4
Re: Xplico in command line - Unable to read configuration file
Hi Gianluca,

Thanks a lot, your solution worked.
But now I am getting this error.

Is it because the .pcap file is too big?

How do I handle a pcap file of 408 MB in command line mode?

-------------------------------------------------------------------------------------------------------
tcp-grb: running: 20/11386, subflow:0/0, tot pkt:187124
udp-grb: running: 0/0, subflow:0/0, tot pkt:0
Pei inserted: 0
Pei to be insert: 0
Fthread: 45/100
Groups: 0/100
Dns DB: ip number: 166, total size: 206640
Segmentation Fault: see log file and report
diago@mm:/opt/xplico$
----------------------------------------------------------------------------------------------------------

Many Thanks.

-diago


Tue Nov 03, 2009 9:24 am

Joined: Wed Sep 16, 2009 10:45 pm
Posts: 128
Re: Xplico in command line - Unable to read configuration file
Hi Diago,
could you attach the logs? (tmp/)

Thanks.


Tue Nov 03, 2009 9:44 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Re: Xplico in command line - Unable to read configuration file
Hi Diago,
Not a problem of size. I think it is a bug.
Can you try with the 0.5.3 beta release: viewtopic.php?f=3&t=30
If even with this release you have a crash, then can you follow these steps:
1) ./xplico -m pcap -f <your pcap file>
2) wait for the fault
3) at the fault you can see in the tmp directory (where the log files are) the file oops_xxxx.xml
4) launch /opt/script/xml2pcap.php <tmp/oops_xxxx.xml> bug.pcap or system/script/xml2pcap.php <tmp/oops_xxxx.xml> bug.pcap
5) and then run ./xplico -m pcap -f bug.pcap
6) wait for the fault
7) if the fault does not appear then... I will describe the procedure in the next post ;) .
8) if you see the fault then the bug.pcap "contains" the bug
9) check the bug.pcap file with Wireshark, and if you can send it to me (bug@xplico.org) or post it in this forum, I'll be happy :) .

This procedure can be used even with 0.5.2.


Tue Nov 03, 2009 11:08 am

Joined: Tue Nov 03, 2009 1:18 am
Posts: 4
Re: Xplico in command line - Unable to read configuration file
Thanks Gianluca,

I will try out your solution.

In the meantime, here are the contents of the log files.


1. xplico_2009_10_03.log (it's a 300 MB file; I have just put a few lines from it that show a segfault)
---------------------------------------------------------
04:08:55 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
04:08:55 [CORE]{c}-INFO: frame 0 - prot: 2, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: eth.type: 2048
04:08:55 [CORE]{c}-INFO: frame 1 - prot: 0, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: pcapf.layer1: 1
04:08:55 [CORE]{c}-INFO: pcapf.count: 1020901
04:08:55 [CORE]{c}-INFO: pcapf.file: /home/diago/Desktop/forensics/221710072007.pcap
04:08:55 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
04:08:55 [CORE]{c}-INFO: frame 0 - prot: 2, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: eth.type: 2048
04:08:55 [CORE]{c}-INFO: frame 1 - prot: 0, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: pcapf.layer1: 1
04:08:55 [CORE]{c}-INFO: pcapf.count: 1020902
04:08:55 [CORE]{c}-INFO: pcapf.file: /home/diago/Desktop/forensics/221710072007.pcap
04:08:55 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
04:08:55 [CORE]{c}-INFO: frame 0 - prot: 2, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: eth.type: 2048
04:08:55 [CORE]{c}-INFO: frame 1 - prot: 0, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: pcapf.layer1: 1
04:08:55 [CORE]{c}-INFO: pcapf.count: 1020903
04:08:55 [CORE]{c}-INFO: pcapf.file: /home/diago/Desktop/forensics/221710072007.pcap
04:08:55 [dns]{59}-DEBUG: DNS id: 59
04:08:55 [ip]{c}-WARNING: IP packet dimension overflow the real dimension of packet
04:08:55 [CORE]{c}-INFO: frame 0 - prot: 2, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: eth.type: 2048
04:08:55 [CORE]{c}-INFO: frame 1 - prot: 0, flow: no, id: -1 -
04:08:55 [CORE]{c}-INFO: pcapf.layer1: 1
04:08:55 [CORE]{c}-INFO: pcapf.count: 1020913
04:08:55 [CORE]{c}-INFO: pcapf.file: /home/diago/Desktop/forensics/221710072007.pcap
04:08:55 [CORE]{59}-OOPS: (2) SegFault
04:08:55 [CORE]{59}-INFO: [0Cframe 0 - prot: 6, flow: yes, id: 59 -
04:08:55 [CORE]{59}-INFO: [3Ctcp.srcport: 1542
04:08:55 [CORE]{59}-INFO: [3Ctcp.dstport: 53
04:08:55 [CORE]{59}-INFO: [3Ctcp.clnt: 1
04:08:55 [CORE]{59}-INFO: [3Ctcp.lost: 0
04:08:55 [CORE]{59}-INFO: [3Cframe 1 - prot: 4, flow: no, id: -1 -
04:08:55 [CORE]{59}-INFO: [6Cip.proto: 6
04:08:55 [CORE]{59}-INFO: [6Cip.src: 10.1.2.10
04:08:55 [CORE]{59}-INFO: [6Cip.dst: 10.100.1.50
04:08:55 [CORE]{59}-INFO: [6Cframe 2 - prot: 2, flow: no, id: -1 -
04:08:55 [CORE]{59}-INFO: [9Ceth.type: 2048
04:08:55 [CORE]{59}-INFO: [9Cframe 3 - prot: 0, flow: no, id: -1 -
04:08:55 [CORE]{59}-INFO: [12Cpcapf.layer1: 1
04:08:55 [CORE]{59}-INFO: [12Cpcapf.count: 1020908
04:08:55 [CORE]{59}-INFO: [12Cpcapf.file: /home/diago/Desktop/forensics/221710072007.pcap
------------------------------------------------------------------------------------------------------

2. fault_1257239335
-------------------------------------------------------------------------------------------------
Event: Segmentation Fault
Reduce pcap size with this tshark filter (tshark -r <original_pcap> -R "<all line below>" -w fault.pcap):

( tcp.port==22984 and tcp.port==3268 and ip.addr==10.1.2.11 and ip.addr==10.1.1.1 ) or ( udp.port==137 and udp.port==137 and ip.addr==10.1.2.10 and ip.addr==10.1.2.255 ) or ...................
--------------------------------------------------------------------------------------------------

3. oops_2_1257239335
------------------------------------------------------------------------------------------------

--- Decoding info: stream 0 --- tcp tcp.srcport 1542 tcp.dstport 53 tcp.clnt 1 tcp.lost 0 ip ip.proto 6 ip.src 10.1.2.10 ip.dst 10.100.1.50 eth eth.type 2048 pcapf pcapf.layer1 1 pcapf.count 1020908 pcapf.file /home/diago/Desktop/forensics/221710072007.pcap

-------------------------------------------------------------------------------------------------

4. warn_1_1257239330
------------------------------------------------------------------------------------------------
--- Decoding info: stream 0 --- tcp tcp.srcport 4824 tcp.dstport 80 tcp.clnt 1 tcp.lost 0 ip ip.proto 6 ip.src 10.100.1.50 ip.dst 10.1.2.10 eth eth.type 2048 pcapf pcapf.layer1 1 pcapf.count 997222 pcapf.file /home/diago/Desktop/forensics/221710072007.pcap
------------------------------------------------------------------------------------------------

I will try out the solution that you have given above and will let you know.

Many Thanks.

-Diago


Tue Nov 03, 2009 5:38 pm
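As an added example (not code from this thread or from the Xplico project), the Python script below parses log lines in the shape quoted above, collects the decoding info dumped after the OOPS record, and turns it into a tshark filter in the same form the fault_* file uses, so the crashing stream can be cut out of a large capture for a bug report. It assumes the leading `[3C`-style fragments are terminal cursor-movement escapes with the ESC byte lost, and runs on a constructed sample log.

```python
import re

# Constructed sample in the shape of the xplico_*.log excerpt quoted in the thread
SAMPLE_LOG = """\
04:08:55 [CORE]{c}-INFO: pcapf.count: 1020913
04:08:55 [CORE]{59}-OOPS: (2) SegFault
04:08:55 [CORE]{59}-INFO: [0Cframe 0 - prot: 6, flow: yes, id: 59 -
04:08:55 [CORE]{59}-INFO: [3Ctcp.srcport: 1542
04:08:55 [CORE]{59}-INFO: [3Ctcp.dstport: 53
04:08:55 [CORE]{59}-INFO: [3Cframe 1 - prot: 4, flow: no, id: -1 -
04:08:55 [CORE]{59}-INFO: [6Cip.proto: 6
04:08:55 [CORE]{59}-INFO: [6Cip.src: 10.1.2.10
04:08:55 [CORE]{59}-INFO: [6Cip.dst: 10.100.1.50
04:08:55 [CORE]{59}-INFO: [12Cpcapf.count: 1020908
04:08:55 [CORE]{59}-INFO: [12Cpcapf.file: /home/diago/Desktop/forensics/221710072007.pcap
"""

# time [module]{flow id}-LEVEL: message
LINE_RE = re.compile(r"^\S+ \[[^\]]+\]\{(?P<flow>[^}]+)\}-(?P<lvl>[A-Z]+): (?P<msg>.*)$")
# "[3C" etc. are assumed to be ESC[nC cursor-forward sequences whose ESC byte was lost
CURSOR_RE = re.compile(r"^\[\d+C")

def parse_oops(log_text):
    """Return the key/value decoding info dumped after the first OOPS line, or None."""
    fields, flow_id = {}, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["lvl"] == "OOPS":
            flow_id = m["flow"]
            fields["event"] = m["msg"]
        elif flow_id is not None and m["flow"] == flow_id and m["lvl"] == "INFO":
            msg = CURSOR_RE.sub("", m["msg"]).strip()
            if not msg.startswith("frame "):      # "frame N - ..." lines only mark nesting
                key, _, val = msg.partition(": ")
                fields[key] = val
    return fields if flow_id is not None else None

def tshark_filter(fields):
    """Filter for the crashing stream, in the form Xplico's fault_* files use."""
    proto = "tcp" if fields.get("ip.proto") == "6" else "udp"
    return (f"{proto}.port=={fields[proto + '.srcport']} and "
            f"{proto}.port=={fields[proto + '.dstport']} and "
            f"ip.addr=={fields['ip.src']} and ip.addr=={fields['ip.dst']}")

if __name__ == "__main__":
    info = parse_oops(SAMPLE_LOG)
    print(f'tshark -r {info["pcapf.file"]} -R "{tshark_filter(info)}" -w bug.pcap')
```

The pcapf.count value is the frame at which the dissector died, so `frame.number==1020908` narrows the capture further once the stream filter has been applied; on current tshark versions the display-filter flag is -Y rather than the -R shown in the fault file.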

Joined: Tue Nov 03, 2009 1:18 am
Posts: 4
Re: Xplico in command line - Unable to read configuration file
Hi Gianluca,

I tried using version 0.5.3. I got the segmentation fault again.

I got a bug.pcap file from the process that you had mentioned in your previous post.

I analyzed the bug.pcap file in wireshark and got a few packets with unknown operations and unknown error.

I have attached the bug.pcap file below.

How can I overcome this problem?

Thanks a lot
-Diago




Tue Nov 03, 2009 8:59 pm

Joined: Wed Sep 16, 2009 10:45 pm
Posts: 128
Re: Xplico in command line - Unable to read configuration file
Hello Diago,
please try this, on beta version 0.5.3:

Code:
diago@mm:/opt/xplico/bin$ sudo ./xplico -c /opt/xplico/cfg/xplico_nc.cfg -m pcap -f /home/diago/Desktop/forensics/221710072007.pcap


This will use a config file which doesn't do checksum validation; perhaps it could help you if the pcap has many errors. Anyway, a segmentation fault seems to be a bug :(


Tue Nov 03, 2009 9:50 pm
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Re: Xplico in command line - Unable to read configuration file
Ok, it is a bug in the DNS dissector and it is also present in version 0.5.3.
For now you can disable the DNS dissector. In the configuration file change the line:
Code:
MODULE=dis_dns.so        LOG=FEWS

to
Code:
#MODULE=dis_dns.so        LOG=FEWS

Once we have solved the problem we will put the new code here for testing.

Thanks for the helpful information.


Wed Nov 04, 2009 6:48 am

Joined: Wed Sep 16, 2009 10:45 pm
Posts: 128
Re: Xplico in command line - Unable to read configuration file
Hello Diago,
Gianluca has released a new beta version this morning to fix your bug, could you try it?
http://forum.xplico.org/viewtopic.php?f=3&t=30


Wed Nov 04, 2009 10:17 am