tcpflow doesn't handle MPLS data #35
Comments
Hi. Can you please provide me with some MPLS data so that I can test this? I need the data before I can incorporate it. What is the "most common solution"? On Jan 15, 2013, at 1:16 AM, Yuriy Ershov notifications@github.com wrote:
|
I'll try to get some but I'm not sure because it might contain some "sensitive data". How do I give it to you if I do?
Hmm.. Maybe.. A special layer to decode the whole set of all known protocols, possibly, one wrapped in another? I understand that tcpflow is rather a quick lightweight hack than a thorough heavy solution, which is an advantage and drawback at the same time. In general, the most proper way to do it is possibly to hack into tcpdump itself at the point where it extracts an IP frame and pass it to tcpflow module to do its work. If you do so, you would be able to process any network data known to tcpdump, including all future versions. |
Hi. I am interested in adding this fix, but I can't do so without some test data. Just a few packets is all I need. Perhaps a Google query? |
Oh.. Sorry, I forgot about it :( |
Hi! |
Thanks. I'll get to this within the next few days. On Mar 14, 2013, at 8:30 AM, Yuriy Ershov notifications@github.com wrote:
|
The patch you gave me is susceptible to buffer overruns when it encounters malformed mpls packets. |
You're right.
struct _sll_header {
    u_int16_t sll_pkttype;          /* packet type */
    u_int16_t sll_hatype;           /* link-layer address type */
    u_int16_t sll_halen;            /* link-layer address length */
    u_int8_t  sll_addr[SLL_ADDRLEN]; /* link-layer address */
    u_int16_t sll_protocol;         /* protocol */
};
_sll_header *sllp = (_sll_header*)p;
int mpls_sz = 0;
if (htons(sllp->sll_protocol) == ETHERTYPE_MPLS) {
    // unwind MPLS stack
    do {
        mpls_sz += 4;
        if (caplen < SLL_HDR_LEN + mpls_sz) {
            DEBUG(6) ("warning: MPLS stack overrun");
            return;
        }
    } while ( ((*(p+SLL_HDR_LEN + mpls_sz - 2)) & 1) == 0 );
}
demux.process_ip(&h->ts,p + SLL_HDR_LEN + mpls_sz, caplen - SLL_HDR_LEN - mpls_sz,flow::NO_VLAN); |
Thanks. I prefer this:
Any objection? On Mar 14, 2013, at 10:10 AM, Yuriy Ershov notifications@github.com wrote:
|
Maybe remove one more ()'s then? } while ( (p[SLL_HDR_LEN + mpls_sz - 2] & 1) == 0 ); |
Yep. That's what I had, if not what I emailed.
|
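The bounds-checked MPLS label-stack walk discussed in the comments above, written out as an added example; it is not code from this thread or from tcpflow. The function name `sll_payload_offset`, the `MPLS_MAX_DEPTH` cap and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SLL_HDR_LEN     16      /* Linux cooked capture header length */
#define ETHERTYPE_MPLS  0x8847  /* MPLS unicast */
#define MPLS_ENTRY_LEN  4       /* label(20) | TC(3) | S(1) | TTL(8) */
#define MPLS_MAX_DEPTH  16      /* assumed sanity cap, not from the thread */

/* Hypothetical helper: returns the offset of the payload following the SLL
 * header and any MPLS label stack, or -1 if the capture is truncated or the
 * stack never reaches a bottom-of-stack entry. Never reads past p + caplen. */
long sll_payload_offset(const uint8_t *p, size_t caplen)
{
    if (p == NULL || caplen < SLL_HDR_LEN)
        return -1;                          /* truncated SLL header */
    /* sll_protocol is the last two header bytes, in network byte order */
    uint16_t proto = (uint16_t)((p[14] << 8) | p[15]);
    size_t off = SLL_HDR_LEN;
    if (proto != ETHERTYPE_MPLS)
        return (long)off;
    for (int depth = 0; depth < MPLS_MAX_DEPTH; depth++) {
        if (caplen - off < MPLS_ENTRY_LEN)  /* off <= caplen always holds */
            return -1;                      /* stack runs past captured bytes */
        int bottom = p[off + 2] & 0x01;     /* S bit: low bit of third byte */
        off += MPLS_ENTRY_LEN;
        if (bottom)
            return (long)off;
    }
    return -1;                              /* no bottom-of-stack within cap */
}

/* Constructed sample captures (not real traffic) */
static const uint8_t pkt_two_labels[] = {
    0,0, 0,1, 0,6, 0,0x11,0x22,0x33,0x44,0x55,0,0, 0x88,0x47, /* SLL, MPLS */
    0x00,0x01,0x00,0x40,  0x00,0x01,0x11,0x40,  /* label 16 S=0, label 17 S=1 */
    0x45,0x00 };                                /* start of IPv4 header */
static const uint8_t pkt_no_bottom[] = {
    0,0, 0,1, 0,6, 0,0x11,0x22,0x33,0x44,0x55,0,0, 0x88,0x47,
    0x00,0x01,0x00,0x40 };                      /* single entry, S never set */

int main(void)
{
    printf("two labels: %ld\n", sll_payload_offset(pkt_two_labels, sizeof pkt_two_labels));
    printf("cut short:  %ld\n", sll_payload_offset(pkt_two_labels, 22));
    printf("no bottom:  %ld\n", sll_payload_offset(pkt_no_bottom, sizeof pkt_no_bottom));
    return 0;
}
```

Checking the remaining length before each entry is read, rather than after the offset has been advanced, keeps the S-bit read inside the captured bytes even when `caplen` ends mid-entry.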
Subj.
Here's a patch to fix this:
Sorry for not providing the most common solution ;) I just needed this only case.
Just sharing back my own patch.
// Yury Ershov