IP-in-IP tunnel: issue with capture length

Hi,

I’m having problems with IP-in-IP tunneled traffic which contains an ethernet frame check sequence (FCS).

  1. Bro seems to attribute the FCS to the length of the outer IP packet and then complains that the inner IP packet is too small compared to the capture length (in weird.log: “inner_IP_payload_length_mismatch”).

Then I thought it would be ok to simply drop the corresponding check in Sessions.c: ParseIPPacket() because too much content shouldn’t “hurt”.

  • if ( (uint32)caplen != inner->TotalLen() )
  • return (uint32)caplen < inner->TotalLen() ? -1 : 1;
  • if ( (uint32)caplen < inner->TotalLen() )
  • return -1;
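
Review bot: with the relaxed test, the case (uint32)caplen > inner->TotalLen() now falls through with caplen unchanged, so the bytes that follow the inner packet (here the FCS) stay counted in the length that is carried forward. Instead of only weakening the `!=` comparison, keep the `<` test returning -1 and clamp the length used for the inner packet to inner->TotalLen() before continuing. Also note that the caller no longer receives the return value 1 that the old code produced for the oversize case, so anything keyed on that value stops firing.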

Would that be ok in your opinion? If not, what would be a better way to deal with this?

  2. With the above patch applied, bro correctly sees the inner traffic, but from time to time it segfaults (roughly every other day). Until now I have figured out the following information, but cannot really see what’s going wrong:

a) bro always crashes at a tunneled TCP packet with active reset flag
b) I see very few such packets (it might be that the crashing one is the only one within quite some time before the crash: I don’t have all traffic available)
c) I cannot reproduce the problem by simply starting bro on a pcap file with the offending packet (and ~100MB traffic before the crash) (even valgrind doesn’t report anything useful)

From the stacktrace of the core file (cf. below) it looks as if PacketWithRst() somehow triggered the destructor of (my own) SIP plugin. However, I have no idea how that could happen.

Could you help me with this problem?

Thanks,

Dirk

#0 std::_List_base<plugin::BifItem, std::allocator<plugin::BifItem> >::_M_clear (this=this@entry=0x2f373b0) at /usr/include/c++/4.7/bits/list.tcc:74
#1 0x00000000006a0ade in ~_List_base (this=0x2f373b0, __in_chrg=) at /usr/include/c++/4.7/bits/stl_list.h:379
#2 ~list (this=0x2f373b0, __in_chrg=) at /usr/include/c++/4.7/bits/stl_list.h:436
#3 plugin::Plugin::~Plugin (this=0x2f37360, __in_chrg=) at bro/src/plugin/Plugin.cc:136
#4 0x00007f1fa7d2ef77 in ~Plugin (this=0x2f37360, __in_chrg=) at sip/src/Plugin.cc:8
#5 plugin::Consistec_SIP::Plugin::~Plugin (this=0x2f37360, __in_chrg=) at sip/src/Plugin.cc:8
#6 0x000000000079d4bd in PacketWithRST (this=0x3482680) at bro/src/analyzer/protocol/tcp/TCP.cc:1810
#7 analyzer::tcp::TCP_Analyzer::DeliverPacket (this=0x3482680, len=0, data=0x7f1fa16f9aca <Address 0x7f1fa16f9aca out of bounds>, is_orig=false, seq=, ip=0x34e05c0, caplen=0)
at bro/src/analyzer/protocol/tcp/TCP.cc:1280
#8 0x0000000000807a6a in analyzer::Analyzer::NextPacket (this=0x3482680, len=20, data=, is_orig=, seq=, ip=, caplen=20)
at bro/src/analyzer/Analyzer.cc:222
#9 0x000000000055ecee in Connection::NextPacket (this=0x2f48c00, t=, is_orig=, ip=, len=, caplen=, data=, record_packet=@0x7ffc33d50898: 1,
record_content=@0x7ffc33d5089c: 1, hdr=0x7ffc33d50b10, pkt=0x7f1fa16f9aa2 <Address 0x7f1fa16f9aa2 out of bounds>, hdr_size=0) at bro/src/Conn.cc:260
#10 0x00000000005f819a in NetSessions::DoNextPacket (this=this@entry=0xf25000, t=1468916092.7505391, t@entry=, hdr=hdr@entry=0x7ffc33d50b10,
ip_hdr=ip_hdr@entry=0x34e05c0, pkt=pkt@entry=0x7f1fa16f9aa2 <Address 0x7f1fa16f9aa2 out of bounds>, hdr_size=hdr_size@entry=0, encapsulation=0x0, encapsulation@entry=0x34b3138)
at bro/src/Sessions.cc:757
#11 0x00000000005f91a4 in NetSessions::DoNextInnerPacket (this=0xf25000, t=1468916092.7505391, hdr=, inner=0x34e05c0, prev=, ec=…)
at bro/src/Sessions.cc:805
#12 0x00000000005f88ca in NetSessions::DoNextPacket (this=this@entry=0xf25000, t=1468916092.7505391, t@entry=, hdr=hdr@entry=0xf762a0, ip_hdr=,
ip_hdr@entry=0x7ffc33d50e60, pkt=pkt@entry=0x7f1fa16f9a80 <Address 0x7f1fa16f9a80 out of bounds>, hdr_size=hdr_size@entry=14, encapsulation=encapsulation@entry=0x0)
at bro/src/Sessions.cc:665
#13 0x00000000005f96d6 in NetSessions::NextPacket (this=0xf25000, t=1468916092.7505391, hdr=0xf762a0, pkt=0x7f1fa16f9a80 <Address 0x7f1fa16f9a80 out of bounds>, hdr_size=14)
at bro/src/Sessions.cc:231
#14 0x00000000005c8048 in net_packet_dispatch (t=1468916092.7505391, hdr=0xf762a0, pkt=0x7f1fa16f9a80 <Address 0x7f1fa16f9a80 out of bounds>, hdr_size=14, src_ps=0xf76160)
at bro/src/Net.cc:277
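
The length mismatch described in the message above, as an added example that is not part of the original post and is not Bro's code: it compares the inner IPv4 Total Length with the bytes captured after the outer header and reports trailing bytes (such as an FCS) separately instead of treating them as inner payload. The names `InnerCheck`, `check_ipip` and `make_sample` are hypothetical, and the sample packet is constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Outcome of checking an inner IPv4 packet against the captured bytes.
struct InnerCheck {
    int status;          // -1 truncated/malformed, 0 exact fit, 1 trailing bytes present
    uint32_t inner_len;  // bytes that belong to the inner packet (its Total Length)
    uint32_t trailer;    // captured bytes after the inner packet, e.g. a 4-byte FCS
};

static uint32_t be16(const uint8_t* p) { return (uint32_t(p[0]) << 8) | p[1]; }

// data/caplen: captured bytes starting at the OUTER IPv4 header (link header removed).
InnerCheck check_ipip(const uint8_t* data, uint32_t caplen) {
    const InnerCheck bad{-1, 0, 0};
    if (caplen < 20 || (data[0] >> 4) != 4) return bad;
    uint32_t outer_hl = (data[0] & 0x0f) * 4u;
    if (outer_hl < 20 || caplen < outer_hl + 20 || data[9] != 4) return bad;  // 4 = IP-in-IP
    const uint8_t* inner = data + outer_hl;
    uint32_t avail = caplen - outer_hl;  // everything captured after the outer header
    uint32_t inner_hl = (inner[0] & 0x0f) * 4u;
    uint32_t total = be16(inner + 2);
    if ((inner[0] >> 4) != 4 || inner_hl < 20 || total < inner_hl) return bad;
    if (total > avail) return bad;  // fewer bytes captured than the inner header claims
    return InnerCheck{avail == total ? 0 : 1, total, avail - total};
}

// Constructed sample: outer IPv4 (proto 4) + inner IPv4 + 20-byte TCP header with RST set.
// Checksums are left at zero; with_fcs appends four placeholder trailer bytes.
std::vector<uint8_t> make_sample(bool with_fcs) {
    std::vector<uint8_t> p(60, 0);
    p[0] = 0x45; p[3] = 60; p[9] = 4;     // outer: v4, IHL 5, total 60, IP-in-IP
    p[20] = 0x45; p[23] = 40; p[29] = 6;  // inner: v4, IHL 5, total 40, TCP
    p[52] = 0x50; p[53] = 0x04;           // TCP: data offset 5, RST flag
    if (with_fcs) p.insert(p.end(), 4, 0xAA);
    return p;
}

int main() {
    for (bool fcs : {false, true}) {
        std::vector<uint8_t> p = make_sample(fcs);
        InnerCheck r = check_ipip(p.data(), uint32_t(p.size()));
        std::printf("caplen=%zu status=%d inner_len=%u trailer=%u\n",
                    p.size(), r.status, r.inner_len, r.trailer);
    }
}
```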