I think that returning any usable information from the corrupt packet (notably including the package content itself) is important because a primary use case of the pcap query is in network forensics where you are often looking for malware that is purposely corrupting packets.

On Thu, Feb 7, 2019 at 9:00 AM Charles Givre <[email protected]> wrote:

> Hey Ted
> What do you think the desired behavior should be for corrupt packets?
> Should Drill just ignore, or should we maybe create a Boolean field like
> isCorrupt or something and mark corrupt packets as such?
>
> Sent from my iPhone
>
> > On Feb 7, 2019, at 11:45, Ted Dunning <[email protected]> wrote:
> >
> > Giovanni,
> >
> > A critical thing to help progress here is sample corrupted data. Even just
> > information about what kind of corruption you are seeing is important.
> >
> > Packet corruption is a key technique of malware so handling bad records
> > well is of great importance.
> >
> >> On Thu, Feb 7, 2019 at 3:54 PM GiovanniC <[email protected]> wrote:
> >>
> >> Unfortunately I don’t have more of them at the moment.
> >>
> >>> On 7 Feb 2019, at 14:33, Charles Givre <[email protected]> wrote:
> >>>
> >>> Hi Giovanni,
> >>> Can you post additional PCAP files that don’t work? Basically, I’m
> >>> going to add some code that will let you set a tolerance level of how many
> >>> errors Drill will tolerate before throwing an exception.
> >>> — C
> >>>
> >>>> On Feb 7, 2019, at 07:33, GiovanniC <[email protected]> wrote:
> >>>>
> >>>> I can help you by doing some tests.
> >>>>
> >>>>> On 6 Feb 2019, at 18:46, Charles Givre <[email protected]> wrote:
> >>>>>
> >>>>> Just create a ticket and I will work on it.
> >>>>>
> >>>>> Sent from my iPhone
> >>>>>
> >>>>>> On Feb 6, 2019, at 12:35, Giovanni Conte <[email protected]> wrote:
> >>>>>>
> >>>>>> I would like to, but I am not a java dev :(
> >>>>>>
> >>>>>> On Wed, 6 Feb 2019 at 18:31, Arina Yelchiyeva <[email protected]> wrote:
> >>>>>>
> >>>>>>> Contributions are always welcome :)
> >>>>>>>
> >>>>>>> Kind regards,
> >>>>>>> Arina
> >>>>>>>
> >>>>>>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <[email protected]> wrote:
> >>>>>>>>
> >>>>>>>> Hi Giovanni
> >>>>>>>> I think it would be useful for Drill to have some ability to ignore
> >>>>>>>> corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
> >>>>>>>>
> >>>>>>>> Sent from my iPhone
> >>>>>>>>
> >>>>>>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <[email protected]> wrote:
> >>>>>>>>>
> >>>>>>>>> Hi Giovanni,
> >>>>>>>>>
> >>>>>>>>> I don't think Drill pcap format reader has such functionality.
> >>>>>>>>>
> >>>>>>>>> Kind regards,
> >>>>>>>>> Arina
> >>>>>>>>>
> >>>>>>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <[email protected]> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Hi,
> >>>>>>>>>> I'm trying to query a pcap file and I know that there are corrupted rows
> >>>>>>>>>> (precisely line 6407),
> >>>>>>>>>> I need a command to skip these rows to avoid the following error:
> >>>>>>>>>>
> >>>>>>>>>> Error: INTERNAL_ERROR ERROR: null
> >>>>>>>>>> Fragment 0:0
> >>>>>>>>>> Please, refer to logs for more information.
> >>>>>>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
> >>>>>>>>>> (state=,code=0)
> >>>>>>>>>>
> >>>>>>>>>> [...]
> >>>>>>>>>>
> >>>>>>>>>> the complete error is attached in the txt file for java exceptions,
> >>>>>>>>>> along with the pcap file used for testing this issue. I would like to avoid
> >>>>>>>>>> a pre-parsing of the pcap when a corrupted row is found.
> >>>>>>>>>> Is there a way to avoid this problem?
> >>>>>>>>>> Thanks,
> >>>>>>>>>>
> >>>>>>>>>> Giovanni
> >>>>>>>>>>
> >>>>>>>>>> OS: Ubuntu 18.4
> >>>>>>>>>> Drill version: 1.15.0
> >>>>>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
