[
https://issues.apache.org/jira/browse/DRILL-5693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bob Rudis updated DRILL-5693:
-----------------------------
Description:
I was testing out the new ++amazingly helpful PCAP functionality and hit an
exception.
the query was basic, on the order of:
{{select * from dfs.captures.`capture.pcap`}}
And, it generated an error:
{{Error: SYSTEM ERROR: IllegalStateException: Packet too long (%d bytes)
[1506]}}
{{Fragment 0:0}}
{{[Error Id: bc4f1505-5689-4cb8-ad3b-8af934ebf318 on ##.##.##.##:31010]
(state=,code=0)}}
tcpdump reads the file fine but there are likely some "interesting" packets in
there since it's from one of our network honeypot sensors.
I can't post the file here but can share it privately with someone if it's
required for testing.
A similar issue occurs when it comes across IPv6 packets:
You can test that with
http://panda.gtisc.gatech.edu/malrec/pcap/07939e77-7c7d-4ddf-9a99-85b4edf349ba.pcap
It returns:
{{Error: SYSTEM ERROR: IllegalStateException: Unknown V6 extension or protocol:
[58]}}
I'm not suggesting that Drill should be able to turn "abnormal" packets into
data or necessarioy support v6 out of the box but it would be helpful if it
either didn't terminate the query. At the very least, it would be helpful if
the error included the filename so it can be moved/excluded from the directory
of files.
I'll try to poke around the 1.11.0 PCAP code to see if I might be able to work
on this but it'll likely be a while before I can get to it.
was:
I was testing out the new ++amazingly helpful PCAP functionality and hit an
exception.
the query was basic, on the order of:
{{select * from dfs.captures.`capture.pcap`}}
And, it generated an error:
{{Error: SYSTEM ERROR: IllegalStateException: Packet too long (%d bytes)
[1506]}}
{{Fragment 0:0}}
{{[Error Id: bc4f1505-5689-4cb8-ad3b-8af934ebf318 on ##.##.##.##:31010]
(state=,code=0)}}
tcpdump reads the file fine but there are likely some "interesting" packets in
there since it's from one of our network honeypot sensors.
I can't post the file here but can share it privately with someone if it's
required for testing.
I'm not suggesting that Drill should be able to turn "abnormal" packets into
data but it would be helpful if it either didn't terminate the query. At the
very least, it would be helpful if the error included the filename so it can be
moved/excluded from the directory of files.
I'll try to poke around the 1.11.0 PCAP code to see if I might be able to work
on this but it'll likely be a while before I can get to it.
> SYSTEM ERROR: IllegalStateException: Packet too long
> ----------------------------------------------------
>
> Key: DRILL-5693
> URL: https://issues.apache.org/jira/browse/DRILL-5693
> Project: Apache Drill
> Issue Type: Bug
> Components: Storage - Other
> Affects Versions: 1.11.0
> Environment: macOS 10.12 / 2017 13" MacBook Pro 16GB RAM
> Reporter: Bob Rudis
> Priority: Minor
>
> I was testing out the new ++amazingly helpful PCAP functionality and hit an
> exception.
> the query was basic, on the order of:
> {{select * from dfs.captures.`capture.pcap`}}
> And, it generated an error:
> {{Error: SYSTEM ERROR: IllegalStateException: Packet too long (%d bytes)
> [1506]}}
> {{Fragment 0:0}}
> {{[Error Id: bc4f1505-5689-4cb8-ad3b-8af934ebf318 on ##.##.##.##:31010]
> (state=,code=0)}}
> tcpdump reads the file fine but there are likely some "interesting" packets
> in there since it's from one of our network honeypot sensors.
> I can't post the file here but can share it privately with someone if it's
> required for testing.
> A similar issue occurs when it comes across IPv6 packets:
> You can test that with
> http://panda.gtisc.gatech.edu/malrec/pcap/07939e77-7c7d-4ddf-9a99-85b4edf349ba.pcap
> It returns:
> {{Error: SYSTEM ERROR: IllegalStateException: Unknown V6 extension or
> protocol: [58]}}
> I'm not suggesting that Drill should be able to turn "abnormal" packets into
> data or necessarioy support v6 out of the box but it would be helpful if it
> either didn't terminate the query. At the very least, it would be helpful if
> the error included the filename so it can be moved/excluded from the
> directory of files.
> I'll try to poke around the 1.11.0 PCAP code to see if I might be able to
> work on this but it'll likely be a while before I can get to it.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
