I am testing zeek 7.1
when i compare the output of zeek 6.2 and zeek 7.1 i see parsing errors in dpd.log
The error in dpd.log is:
./dpd.log:{"ts":"2025-03-17T00:00:00.000000Z",…,"id.resp_p":389,"proto":"tcp","analyzer":"LDAP_TCP","failure_reason":"data is missing (/src/zeek/src/analyzer/protocol/ldap/asn1.spicy:115:10-115:14)"}
Also, i see the same message in analyzer.log
./analyzer.log:{"ts":"2025-03-17T00:00:00.000000Z","cause":"violation","analyzer_kind":"protocol","analyzer_name":"LDAP_TCP",…,"id.resp_p":389,"failure_reason":"data is missing (/src/zeek/src/analyzer/protocol/ldap/asn1.spicy:115:10-115:14)"}
In that case, we can only be of limited help to you.
To figure out what is going on, you will have to isolate the specific connection that is being sent. Then you will have to look at the bytes that the error is being raised for, to see if this is a connection error or an error in the parser.
In this case, it looks like Zeek is expecting to parse some more ASN1 data, where the data is missing from the connection.
:"data is missing (/src/zeek/src/analyzer/protocol/ldap/asn1.spicy:115:10-115:14)"}
Hey @w2k8 - long shot, but could you check whether the TCP stream has gaps first? You can do so by looking at conn.log's history field for g or G; checking the missed_bytes column in conn.log might also give an indication.
There’s also the following recent ticket - could you check if it’s the same for you?
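As an added example (not code from the original thread or from the Zeek project): a small Python script that performs the check suggested above, joining dpd.log violations to conn.log by uid and flagging those whose connection shows a capture gap (g or G in history, or missed_bytes > 0). The JSON log lines and uids are constructed for illustration.

```python
import json
from typing import Dict, List

# Constructed sample lines in Zeek's JSON log format (not from a real capture).
CONN_LOG = """
{"ts":"2025-03-10T08:54:48.5Z","uid":"Cgap01","id.orig_h":"10.0.0.5","id.orig_p":54544,"id.resp_h":"10.0.0.9","id.resp_p":389,"proto":"tcp","history":"ShADadgG","missed_bytes":1448}
{"ts":"2025-03-10T08:54:49.1Z","uid":"Cfull02","id.orig_h":"10.0.0.5","id.orig_p":54545,"id.resp_h":"10.0.0.9","id.resp_p":389,"proto":"tcp","history":"ShADadFf","missed_bytes":0}
"""
DPD_LOG = """
{"ts":"2025-03-10T08:54:48.6Z","uid":"Cgap01","analyzer":"LDAP_TCP","failure_reason":"data is missing (asn1.spicy:115:10-115:14)"}
{"ts":"2025-03-10T08:54:49.2Z","uid":"Cfull02","analyzer":"LDAP_TCP","failure_reason":"&size amount not consumed: expected 813813248 bytes, but got 203 bytes (ldap.spicy:288:5-288:26)"}
"""


def parse_json_log(text: str) -> List[dict]:
    """One JSON object per non-empty line, as Zeek writes with the JSON log writer."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def has_gap(conn: dict) -> bool:
    # In conn.log history, 'g' (originator) / 'G' (responder) marks a content gap;
    # missed_bytes counts payload bytes Zeek never saw. Either means the analyzer
    # was fed an incomplete stream, so a "data is missing" violation is expected.
    history = conn.get("history", "")
    return any(ch in history for ch in "gG") or conn.get("missed_bytes", 0) > 0


def classify_violations(conn_log: str, dpd_log: str) -> Dict[str, str]:
    """Map each dpd.log uid to a triage verdict based on its conn.log record."""
    conns = {c["uid"]: c for c in parse_json_log(conn_log)}
    verdict: Dict[str, str] = {}
    for v in parse_json_log(dpd_log):
        conn = conns.get(v["uid"])
        if conn is None:
            verdict[v["uid"]] = "no conn.log entry"
        elif has_gap(conn):
            verdict[v["uid"]] = "capture gap (likely not a parser bug)"
        else:
            verdict[v["uid"]] = "complete stream (worth reporting with the pcap)"
    return verdict


if __name__ == "__main__":
    for uid, why in classify_violations(CONN_LOG, DPD_LOG).items():
        print(uid, why)
```

Run it against your own logs by reading conn.log and dpd.log (or analyzer.log, which carries the same uid field) from disk instead of the embedded samples.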
That specific pcap gives me another parsing error: {"ts":"2025-03-10T08:54:48.525312Z","uid":"CJ7c1bGkGLYveYMJh","id.orig_h":"192.168.226.131","id.orig_p":54544,"id.resp_h":"192.168.226.136","id.resp_p":389,"proto":"tcp","analyzer":"LDAP_TCP","failure_reason":"&size amount not consumed: expected 813813248 bytes, but got 203 bytes (/src/zeek/src/analyzer/protocol/ldap/ldap.spicy:288:5-288:26)"}
the code in asn1.spicy, line 115:10
/usr/local/zeek/share/spicy/ldap/asn1.spicy