Context Navigation

← Previous Ticket
Next Ticket →

Ticket #130 (closed defect: wontfix)

Last modified 7 months ago

Gracefully handle broken pcaps where snaplen < caplen

Reported by:	aturner	Owned by:	aturner
Priority:	high	Milestone:	3.0.RC1
Component:	tcpreplay	Version:	3.0.beta12
Keywords:	libpcap	Cc:
Operating System:	all	Add to FAQ?:	yes
Hardware:	All
Output of tcpreplay -V:

Description

Weird bug in libpcap or wireshark or??? Basically, when the caplen != len (tcpdump didn't capture the entire packet), when you read that saved capture file via libpcap, the caplen is 14 bytes less then the value reported by Wireshark. Wireshark also seems to find valid data for those 14 bytes, so it appears the larger value reported by Wireshark is correct.

Need to track this bug down and get a fix.

Attachments

pcap_snapshot_override.patch (4.7 kB) - added by aturner 19 months ago.: pcap_snapshot_override() patch

Change History

Changed 19 months ago by aturner

keywords libpcap added
os set to all

Guy from the tcpdump-workers list has tracked down the issue. Basically:

test/test.pcap was created using RH's hacked libpcap which had a bug. The issue is basically that the snaplen < caplen, so libpcap reduces the caplen to equal the snaplen. Unfortunately, there's no good way to detect this issue using libpcap. I'm trying to work with Guy to either introduce a workaround in libpcap behind the scenes or introduce an API enhancement to increase the snaplen at runtime.

Either way, this is a real issue and I need assistance from the libpcap guys to fix it.

Changed 19 months ago by ilanch

About the above issue,
I tried to examine packets in the test/test.pcap of original data and the captured data that generated by tcpreplay, and used the packetdump of tcpstat.
In two packet dumps, if PACKET SIZE is over 130 bytes then it is suspicious, otherwise that is same. Why the 130 bytes is? What means the 130 bytes?

When I use tcpwrite, the original and output by tcpwrite were same.
If the libpcap has any problem, the output of tcpwrite also might be different.
But the result of output was same to the original packets.
Why the result was different?

Changed 18 months ago by aturner

add_to_faq unset

Email from Guy:

...and, after looking at various versions of the hacked libpcap, it's
obvious where the bug was coming from - the snapshot length was used in
the recvfrom() call as the count, so up to that many bytes were
received, but, if the capture was done in cooked mode, a fake Ethernet
header is prepended, so the effective snapshot length is 14 greater than
the one supplied to the program.

I've checked into the main and x.9 branches a change that sets the
pcap_t's snaplen value to 14 more than the value from the file header if
the capture was an Ethernet capture with the modified libpcap (based on
the magic number).  This isn't ideal - I'd like to do it only if the
capture was done in cooked mode - but there's no easy way to determine
whether it was a cooked-mode capture or not, so, while that means that a
raw-mode Ethernet capture will appear to have a snapshot length 14 more
than the real snapshot, that's probably the best we can do.  That
modified libpcap hasn't, as far as I know, been in any Linux
distribution for a while, so there shouldn't be many *more* of those
files showing up.

So long story short, sounds like Guy came up with an alternate fix which solves for this issue silently. Since configure.in has to detect my API enhancement, I'm not going to pull it out of my code in case Guy's fix doesn't work for me.

Add/Change #130 (Gracefully handle broken pcaps where snaplen < caplen)

Author

Your email or username:

Comment (you may use WikiFormatting here):

Action

leave as closed

reopen Next status will be 'reopened'

Note: See TracTickets for help on using tickets.

Download in other formats: