Zeek quietly exits with successful return code when processing corrupt pcapng #977

Closed
philrz opened this issue May 18, 2020 · 1 comment · Fixed by #1004
Assignees: jsiwek
Labels: Area: Packet Capture; Type: Bug 🐛 Unexpected behavior or output.
Milestone: 3.2.0

Comments

philrz commented May 18, 2020

This symptom is originally described in brimdata/zui#790 (comment). Alas, it's only with large test data that I've been able to reproduce this, but at least it's all publicly available.

Download/uncompress these three files:

http://mawi.wide.ad.jp/mawi/samplepoint-F/2015/201508051400.dump.gz
https://download.netresec.com/pcap/maccdc-2011/maccdc2011_00010_20110312194033.pcap.gz
https://download.netresec.com/pcap/maccdc-2011/maccdc2011_00013_20110312202724.pcap.gz

Use mergecap to combine them into a single pcapng file:

$ mergecap -w brim-790.pcapng 201508051400.dump maccdc2011_00010_20110312194033.pcap maccdc2011_00013_20110312202724.pcap

With an out-of-the-box compile of Zeek v3.1.3 on my Mac, when I ask Zeek to process this 25 GB pcapng, it exits almost immediately with an error code of 0 (indicating success) but produces almost no data.

$ /usr/local/zeek-3.1.3/bin/zeek -C -r ../brim-790.pcapng local
WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.

$ echo $?
0

$ ls -l
total 80
-rw-r--r--  1 phil  staff  30422 May 18 11:12 loaded_scripts.log
-rw-r--r--  1 phil  staff    254 May 18 11:12 packet_filter.log
-rw-r--r--  1 phil  staff    694 May 18 11:12 stats.log

As described at brimdata/zui#790, it seems likely the pcapng is corrupt (probably the fault of mergecap), but it's unfortunate that Zeek didn't surface any kind of error about the presumed corruption. For instance, tcpdump does complain:

$ tcpdump -r ../brim-790.pcapng 
reading from PCAP-NG file ../brim-790.pcapng
tcpdump: pcap_loop: invalid packet capture length 260, bigger than snaplen of 96

$ tcpdump --version
tcpdump version tcpdump version 4.9.3 -- Apple version 90.100.1
libpcap version 1.9.1
LibreSSL 2.8.3
jsiwek self-assigned this Jun 8, 2020
jsiwek added Area: Packet Capture and Type: Bug 🐛 Unexpected behavior or output. labels Jun 8, 2020
jsiwek added this to Unassigned / Todo in Release 3.2.0 via automation Jun 8, 2020
jsiwek added this to the 3.2.0 milestone Jun 8, 2020
jsiwek added a commit that referenced this issue Jun 9, 2020
Switches from pcap_next() to pcap_next_ex() to better handle all error
conditions.  This allows, for example, to have a non-zero exit code for
a Zeek process that fails to fully process all packets in a pcap file.
jsiwek added a commit that referenced this issue Jun 12, 2020
…-error-handling'

* origin/topic/jsiwek/gh-977-improve-pcap-error-handling:
  Compare pcap_next_ex() result to PCAP_ERROR/PCAP_ERROR_BREAK
  GH-977: Improve pcap error handling
  Remove not-useful code in iosource::Manager::OpenPktSrc
Release 3.2.0 automation moved this from Unassigned / Todo to Done Jun 12, 2020
philrz commented Jun 12, 2020

Thanks @jsiwek! I've verified with Zeek master compiled as of commit 6cec268 and the original repro steps that this problem has been addressed.

$ /usr/local/zeek-master/bin/zeek -C -r brim-790.pcapng local
WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.
fatal error: failed to read a packet from brim-790.pcapng: an interface has a snapshot length 4096 different from the type of the first interface
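
The two failure modes on this issue (tcpdump's "capture length 260, bigger than snaplen of 96" on the original file, and the fixed Zeek's "snapshot length 4096 different from ... the first interface") are both things a pcapng reader can detect before handing a single packet to an analyzer, and the fix in the referenced commit is precisely about telling "end of file" apart from "could not read the file". The following is an added example, not Zeek, libpcap or mergecap code: a minimal pcapng walker that raises on either corruption instead of stopping quietly, wrapped in a function that returns a non-zero status whenever the file was not fully read. It assumes little-endian pcapng sections and only inspects Section Header, Interface Description and Enhanced Packet blocks (other block types are skipped); the three sample captures are constructed inline and contain no real traffic.

```python
"""Minimal pcapng walker that distinguishes "end of file" from "corrupt file".

Added example (not Zeek or libpcap code). Assumes little-endian sections and
only inspects SHB, IDB and EPB blocks; other block types are skipped.
"""
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D


class PcapngError(Exception):
    """Raised for any structural problem; the caller turns it into a non-zero exit."""


def iter_blocks(data):
    """Yield (block_type, body) for every block, raising on truncation or bad lengths."""
    off = 0
    while off < len(data):
        if len(data) - off < 12:
            raise PcapngError(f"truncated block header at offset {off}")
        btype, blen = struct.unpack_from("<II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise PcapngError(f"bad block length {blen} at offset {off}")
        trailer = struct.unpack_from("<I", data, off + blen - 4)[0]
        if trailer != blen:
            raise PcapngError(f"block length mismatch at offset {off}: {blen} vs {trailer}")
        yield btype, data[off + 8:off + blen - 4]
        off += blen


def validate(data):
    """Return the packet count, or raise PcapngError for the two corruptions on this issue:
    an EPB whose captured length exceeds its interface's snaplen (tcpdump's complaint),
    and an IDB whose snaplen differs from the first interface's (the fixed Zeek's error)."""
    interfaces = []  # snaplen per interface, in IDB order; reset for each section
    packets = 0
    in_section = False
    for btype, body in iter_blocks(data):
        if btype == SHB:
            if struct.unpack_from("<I", body, 0)[0] != BYTE_ORDER_MAGIC:
                raise PcapngError("unsupported byte order")
            interfaces, in_section = [], True
        elif not in_section:
            raise PcapngError(f"block type {btype:#x} before any section header")
        elif btype == IDB:
            if len(body) < 8:
                raise PcapngError("truncated interface description block")
            _linktype, _reserved, snaplen = struct.unpack_from("<HHI", body, 0)
            if interfaces and snaplen != interfaces[0]:
                raise PcapngError(f"an interface has a snapshot length {snaplen} "
                                  f"different from the first interface ({interfaces[0]})")
            interfaces.append(snaplen)
        elif btype == EPB:
            if len(body) < 20:
                raise PcapngError("truncated enhanced packet block")
            ifid, _ts_hi, _ts_lo, caplen, _origlen = struct.unpack_from("<IIIII", body, 0)
            if ifid >= len(interfaces):
                raise PcapngError(f"packet references unknown interface {ifid}")
            if caplen > interfaces[ifid]:
                raise PcapngError(f"invalid packet capture length {caplen}, "
                                  f"bigger than snaplen of {interfaces[ifid]}")
            if caplen > len(body) - 20:
                raise PcapngError("packet data shorter than its captured length")
            packets += 1
    return packets


def read_capture(data):
    """Exit-status wrapper in the spirit of the fix: (0, summary) only when the whole
    file was read, (1, 'fatal error: ...') otherwise. Stopping quietly is not an option."""
    try:
        return 0, f"read {validate(data)} packets"
    except PcapngError as exc:
        return 1, f"fatal error: failed to read a packet: {exc}"


# --- constructed sample captures (not real traffic) ---------------------------
def _block(btype, body):
    body += b"\0" * (-len(body) % 4)  # pad body to a 32-bit boundary
    blen = len(body) + 12
    return struct.pack("<II", btype, blen) + body + struct.pack("<I", blen)

def _shb():
    return _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))

def _idb(snaplen, linktype=1):
    return _block(IDB, struct.pack("<HHI", linktype, 0, snaplen))

def _epb(ifid, payload):
    hdr = struct.pack("<IIIII", ifid, 0, 0, len(payload), len(payload))
    return _block(EPB, hdr + payload)

GOOD = _shb() + _idb(96) + _epb(0, b"\xaa" * 60) + _epb(0, b"\xbb" * 80)
BAD_CAPLEN = _shb() + _idb(96) + _epb(0, b"\xaa" * 60) + _epb(0, b"\xcc" * 260)
BAD_SNAPLEN = _shb() + _idb(96) + _idb(4096) + _epb(1, b"\xdd" * 40)

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad caplen", BAD_CAPLEN), ("bad snaplen", BAD_SNAPLEN)):
        status, msg = read_capture(blob)
        print(f"{name}: exit {status}: {msg}")
```

The design point is the return contract of `read_capture`: a caller that only sees "no more packets" cannot tell a 25 GB file it read in full from one it abandoned after the first bad block, which is exactly the blind spot the original report describes, so every structural problem is surfaced as an error with a non-zero status rather than as a short, plausible-looking output directory.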

0xxon added a commit that referenced this issue Jun 15, 2020
…-changes

* origin/master: (33 commits)
  Fix location where CI places build.tgz
  Update submodule(s)
  Disable some deprecation diagnostics for GCC
  Compare pcap_next_ex() result to PCAP_ERROR/PCAP_ERROR_BREAK
  Optimize Connection::RemovalEvent() for bare-mode usage
  Rename BroType to Type
  Update NEWS
  Review cleanup
  Move Type types to zeek namespace
  Review cleanup
  Restrict Cirrus CI to only zeek repo's branches
  GH-977: Improve pcap error handling
  Remove not-useful code in iosource::Manager::OpenPktSrc
  GH-999: Stop formatting DHCP Client ID Hardware Type 0 as MAC
  Remove inline from some static KeyedHash members
  Improve Func.h inclusion
  Fix NVT analyzer memory leak from multiple telnet authn name options
  Rename aux/ to auxil/
  Move Flare/Pipe from the bro namespace to zeek::detail
  Move Attr to the zeek::detail namespace
  ...