
Conversation

@mattnibs
Collaborator

This commit changes the behavior for analyzer processes so that processes that have successfully exited without reading all the data will continue to consume data from the byte stream instead of returning an error and putting a stop to the copy goroutine.

Closes #331
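The behaviour the description asks for, as an added Go example that is not Brimcap's own code: a copy loop that feeds a byte stream to an analyzer's stdin, and, when the pipe breaks, drains the rest of the stream only if the process exited cleanly. The names `feedAnalyzer`, `limitedSink`, `brokenPipe` and `errAnalyzerShortRead` are invented for this example, and the analyzer is simulated by a writer that accepts a fixed number of bytes and then fails like a closed pipe, so no subprocess is spawned.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"syscall"
)

// errAnalyzerShortRead is a hypothetical error for this example (not a
// Brimcap identifier): the analyzer died before consuming its input.
var errAnalyzerShortRead = errors.New("analyzer exited before reading all of its input")

// limitedSink stands in for an analyzer's stdin pipe. It accepts at most
// limit bytes and then fails like a pipe whose reader has gone away, which
// is what the copy goroutine sees once the child process exits early.
type limitedSink struct {
	limit int
	got   bytes.Buffer
}

func (s *limitedSink) Write(p []byte) (int, error) {
	room := s.limit - s.got.Len()
	if room <= 0 {
		return 0, io.ErrClosedPipe
	}
	if len(p) <= room {
		return s.got.Write(p)
	}
	s.got.Write(p[:room])
	return room, io.ErrClosedPipe
}

// brokenPipe reports whether a write failed because the reading end is gone.
// io.ErrClosedPipe covers io.Pipe; syscall.EPIPE covers a real os/exec pipe,
// where it arrives wrapped in an *fs.PathError that errors.Is unwraps.
func brokenPipe(err error) bool {
	return errors.Is(err, io.ErrClosedPipe) || errors.Is(err, syscall.EPIPE)
}

// feedAnalyzer copies src into the analyzer's stdin. When the pipe breaks it
// asks exitOK whether the process has already exited with status 0. If so,
// the remainder of src is drained into io.Discard so the shared byte stream
// keeps flowing; otherwise the error is returned and the copy stops, which
// is the old behaviour the PR replaces. It returns the bytes delivered to
// the analyzer and the bytes drained after it exited.
func feedAnalyzer(src io.Reader, stdin io.Writer, exitOK func() bool) (delivered, drained int64, err error) {
	delivered, err = io.Copy(stdin, src)
	switch {
	case err == nil:
		return delivered, 0, nil
	case !brokenPipe(err):
		return delivered, 0, err
	case !exitOK():
		return delivered, 0, fmt.Errorf("%w: %v", errAnalyzerShortRead, err)
	}
	drained, err = io.Copy(io.Discard, src)
	return delivered, drained, err
}

func main() {
	// Constructed stand-in for a pcap byte stream: 100 bytes.
	stream := bytes.Repeat([]byte("0123456789"), 10)

	// Analyzer that reads 16 bytes, decides it cannot handle the input,
	// and exits 0 (the case the PR description targets).
	sink := &limitedSink{limit: 16}
	d, dr, err := feedAnalyzer(bytes.NewReader(stream), sink, func() bool { return true })
	fmt.Printf("clean early exit: delivered=%d drained=%d err=%v\n", d, dr, err)

	// Same early stop, but the process exited non-zero: still an error.
	sink = &limitedSink{limit: 16}
	d, dr, err = feedAnalyzer(bytes.NewReader(stream), sink, func() bool { return false })
	fmt.Printf("failed early exit: delivered=%d drained=%d err=%v\n", d, dr, err)
}
```

The point of consulting the exit status only after the pipe breaks is that a process which reads everything never triggers the check, and a process that dies mid-stream with a non-zero status still surfaces an error rather than silently being drained past.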

@mattnibs mattnibs force-pushed the proc-readall branch 5 times, most recently from 39e916b to 8f4d167 on January 25, 2024 18:03
@mattnibs mattnibs requested a review from nwt January 25, 2024 18:03
@philrz
Contributor

philrz commented Jan 25, 2024

tl;dr

This is a functional 👍 for me!

Details

I pointed my Zui at the Brimcap commit from this branch and tested it out with the pcaps I mentioned in #331 comments and saw the improvements expected in both cases.

  1. For the one in "Analyzers that exit clean without reading input until EOF" #331 (comment), the error changes from this incorrect one:

[image]

to this accurate one:

[image]

and that latter error message will go away entirely when the Zeek v6.0.3-based artifact is in use since that has support for this link type.

  2. For the one in "Analyzers that exit clean without reading input until EOF" #331 (comment), it goes from showing this incorrect error message:

[image]

to a successful import:

[image]

i.e., Suricata quietly refused to do anything with this pcap since it doesn't support the link layer protocol, but since it returned an exit code of 0 the Zui user gets only Zeek events. This seems like a fine place to be while we wait to see if the Suricata people ever catch up and address the existing issues.

@mattnibs mattnibs merged commit 070d2a0 into main Jan 29, 2024
@mattnibs mattnibs deleted the proc-readall branch January 29, 2024 19:11

Development

Successfully merging this pull request may close these issues.

Analyzers that exit clean without reading input until EOF
