Hi,
I'm having problems with IP-in-IP tunneled traffic which contains an
ethernet frame check sequence (FCS).
1) Bro seems to attribute the FCS to the length of the outer IP packet
and then complains that the inner IP packet is too small compared to the
capture length (in weird.log: "inner_IP_payload_length_mismatch")
Then I thought it would be ok to simply drop the corresponding check in
Sessions.c: ParseIPPacket() because too much content shouldn't "hurt".
- if ( (uint32)caplen != inner->TotalLen() )
- return (uint32)caplen < inner->TotalLen() ? -1 : 1;
+ if ( (uint32)caplen < inner->TotalLen() )
+ return -1;
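Review bot: dropping the caplen > inner->TotalLen() case means surplus captured bytes are now accepted with no signal, and nothing in this hunk reduces caplen to inner->TotalLen() afterwards, so any code that consumes caplen after this check would treat the trailing bytes as part of the inner packet. Consider keeping the tolerance but continuing with inner->TotalLen() as the effective length, and add a comment that the relaxation is for link-layer trailers such as an FCS. The return value 1 is no longer produced here, so callers that branch on it should be checked as well.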
Would that be ok in your opinion? If not, what would be a better way to
deal with this?
2) With the above patch applied, bro correctly sees the inner traffic,
but from time to time it segfaults (every other day roughly). Until now
I figured out the following information, but cannot really see what's
going wrong:
a) bro always crashes at a tunneled TCP packet with active reset flag
b) I see very few such packets (it might be that the crashing one
is the only one within quite some time before the crash: I don't have all
traffic available)
c) I cannot reproduce the problem by simply starting bro on a pcap
file with the offending packet (and ~100MB traffic before the crash)
(even valgrind doesn't report anything useful)
From the stacktrace of the core file (cf. below) it looks as if
PacketWithRst() somehow triggered the destructor of (my own) SIP plugin.
However, I have no idea how that could happen.
Could you help me with this problem?
Thanks,
Dirk
#0 std::_List_base<plugin::BifItem, std::allocator<plugin::BifItem>
>::_M_clear (this=this@entry=0x2f373b0) at
/usr/include/c++/4.7/bits/list.tcc:74
#1 0x00000000006a0ade in ~_List_base (this=0x2f373b0,
__in_chrg=<optimized out>) at /usr/include/c++/4.7/bits/stl_list.h:379
#2 ~list (this=0x2f373b0, __in_chrg=<optimized out>) at
/usr/include/c++/4.7/bits/stl_list.h:436
#3 plugin::Plugin::~Plugin (this=0x2f37360, __in_chrg=<optimized out>)
at bro/src/plugin/Plugin.cc:136
#4 0x00007f1fa7d2ef77 in ~Plugin (this=0x2f37360, __in_chrg=<optimized
out>) at sip/src/Plugin.cc:8
#5 plugin::Consistec_SIP::Plugin::~Plugin (this=0x2f37360,
__in_chrg=<optimized out>) at sip/src/Plugin.cc:8
#6 0x000000000079d4bd in PacketWithRST (this=0x3482680) at
bro/src/analyzer/protocol/tcp/TCP.cc:1810
#7 analyzer::tcp::TCP_Analyzer::DeliverPacket (this=0x3482680, len=0,
data=0x7f1fa16f9aca <Address 0x7f1fa16f9aca out of bounds>,
is_orig=false, seq=<optimized out>, ip=0x34e05c0, caplen=0)
at bro/src/analyzer/protocol/tcp/TCP.cc:1280
#8 0x0000000000807a6a in analyzer::Analyzer::NextPacket (this=0x3482680,
len=20, data=<optimized out>, is_orig=<optimized out>, seq=<optimized
out>, ip=<optimized out>, caplen=20)
at bro/src/analyzer/Analyzer.cc:222
#9 0x000000000055ecee in Connection::NextPacket (this=0x2f48c00,
t=<optimized out>, is_orig=<optimized out>, ip=<optimized out>,
len=<optimized out>, caplen=<optimized out>, data=<optimized out>,
record_packet=@0x7ffc33d50898: 1,
record_content=@0x7ffc33d5089c: 1, hdr=0x7ffc33d50b10,
pkt=0x7f1fa16f9aa2 <Address 0x7f1fa16f9aa2 out of bounds>, hdr_size=0)
at bro/src/Conn.cc:260
#10 0x00000000005f819a in NetSessions::DoNextPacket
(this=this@entry=0xf25000, t=1468916092.7505391, t@entry=<error reading
variable: Could not find type for DW_OP_GNU_const_type>,
hdr=hdr@entry=0x7ffc33d50b10,
ip_hdr=ip_hdr@entry=0x34e05c0, pkt=pkt@entry=0x7f1fa16f9aa2 <Address
0x7f1fa16f9aa2 out of bounds>, hdr_size=hdr_size@entry=0,
encapsulation=0x0, encapsulation@entry=0x34b3138)
at bro/src/Sessions.cc:757
#11 0x00000000005f91a4 in NetSessions::DoNextInnerPacket (this=0xf25000,
t=1468916092.7505391, hdr=<optimized out>, inner=0x34e05c0,
prev=<optimized out>, ec=...)
at bro/src/Sessions.cc:805
#12 0x00000000005f88ca in NetSessions::DoNextPacket
(this=this@entry=0xf25000, t=1468916092.7505391, t@entry=<error reading
variable: Could not find type for DW_OP_GNU_const_type>,
hdr=hdr@entry=0xf762a0, ip_hdr=<optimized out>,
ip_hdr@entry=0x7ffc33d50e60, pkt=pkt@entry=0x7f1fa16f9a80 <Address
0x7f1fa16f9a80 out of bounds>, hdr_size=hdr_size@entry=14,
encapsulation=encapsulation@entry=0x0)
at bro/src/Sessions.cc:665
#13 0x00000000005f96d6 in NetSessions::NextPacket (this=0xf25000,
t=1468916092.7505391, hdr=0xf762a0, pkt=0x7f1fa16f9a80 <Address
0x7f1fa16f9a80 out of bounds>, hdr_size=14)
at bro/src/Sessions.cc:231
#14 0x00000000005c8048 in net_packet_dispatch (t=1468916092.7505391,
hdr=0xf762a0, pkt=0x7f1fa16f9a80 <Address 0x7f1fa16f9a80 out of bounds>,
hdr_size=14, src_ps=0xf76160)
at bro/src/Net.cc:277
--
Dr.-Ing. Dirk Leinenbach - Leitung Softwareentwicklung
consistec Engineering & Consulting GmbH
------------------------------------------------------------------
Europaallee 5 Fon: +49 (0)681 / 959044-0
D-66113 Saarbrücken Fax: +49 (0)681 / 959044-11
http://www.consistec.de e-mail: [email protected]
Registergericht: Amtsgericht Saarbrücken
Registerblatt: HRB12003
Geschäftsführer: Dr. Thomas Sinnwell, Volker Leiendecker, Stefan Sinnwell
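
The length bookkeeping from point 1, as an added example that is not part of the original message and not Bro's code: a constructed IP-in-IP packet with a 4-byte FCS trailer is run through the strict comparison, the relaxed one from the patch, and an assumed alternative that bounds the inner length by the outer header's total length. Ip4View, check_strict, check_relaxed and inner_caplen_bounded are hypothetical names.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Minimal IPv4 header view (hypothetical helper, not a Bro class).
struct Ip4View {
    const uint8_t* p;
    uint32_t HdrLen() const { return (p[0] & 0x0fu) * 4u; }
    uint32_t TotalLen() const { return (uint32_t(p[2]) << 8) | p[3]; }
};

// Strict comparison as in the removed lines: -1 truncated, 1 surplus bytes, 0 ok.
int check_strict(uint32_t caplen, const Ip4View& inner) {
    if (caplen != inner.TotalLen())
        return caplen < inner.TotalLen() ? -1 : 1;
    return 0;
}

// Relaxed comparison as in the added lines: only truncation is rejected.
int check_relaxed(uint32_t caplen, const Ip4View& inner) {
    return caplen < inner.TotalLen() ? -1 : 0;
}

// Assumed alternative: never count bytes beyond the outer header's own
// total length, so a link-layer trailer cannot reach the inner check.
uint32_t inner_caplen_bounded(uint32_t caplen, const Ip4View& outer) {
    uint32_t ip_bytes = std::min(caplen, outer.TotalLen());
    return ip_bytes > outer.HdrLen() ? ip_bytes - outer.HdrLen() : 0;
}

// Constructed sample: outer IPv4 + inner IPv4 + 20-byte TCP (RST) + 4-byte FCS.
std::vector<uint8_t> sample_packet() {
    std::vector<uint8_t> b(64, 0);
    b[0] = 0x45;  b[3] = 60;  b[9] = 4;    // outer: IHL 5, total length 60, IP-in-IP
    b[20] = 0x45; b[23] = 40; b[29] = 6;   // inner: IHL 5, total length 40, TCP
    b[52] = 0x50; b[53] = 0x04;            // TCP: data offset 5, RST flag
    b[60] = 0xde; b[61] = 0xad; b[62] = 0xbe; b[63] = 0xef;  // placeholder FCS
    return b;
}

int main() {
    auto pkt = sample_packet();
    Ip4View outer{pkt.data()}, inner{pkt.data() + 20};
    uint32_t naive = uint32_t(pkt.size()) - outer.HdrLen();
    uint32_t bounded = inner_caplen_bounded(uint32_t(pkt.size()), outer);
    std::printf("naive=%u strict=%d relaxed=%d\n", naive,
                check_strict(naive, inner), check_relaxed(naive, inner));
    std::printf("bounded=%u strict=%d\n", bounded, check_strict(bounded, inner));
    return 0;
}
```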