[Bro-Dev] IP-in-IP tunnel: issue with capture length

Dirk Leinenbach dirk.leinenbach at consistec.de
Thu Jul 21 06:41:13 PDT 2016


Hi,

I'm having problems with IP-in-IP tunneled traffic which contains an 
Ethernet frame check sequence (FCS).

1) Bro seems to attribute the FCS to the length of the outer IP packet 
and then complains that the inner IP packet is too small compared to the 
capture length (in weird.log: "inner_IP_payload_length_mismatch")

Then I thought it would be ok to simply drop the corresponding check in 
Sessions.c: ParseIPPacket() because too much content shouldn't "hurt".

     -     if ( (uint32)caplen != inner->TotalLen() )
     -        return (uint32)caplen < inner->TotalLen() ? -1 : 1;


     + if ( (uint32)caplen < inner->TotalLen() )
     +        return -1;
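
Review bot: dropping the `caplen > inner->TotalLen()` branch (the old `return ... : 1` case, which is what produced the inner_IP_payload_length_mismatch weird) means the surplus trailing bytes, here the FCS, are now handed on to the inner packet processing as if they were inner payload, with no record that anything was off. Rather than only keeping the `return -1` for the too-short case, clamp the length passed onward when the capture is longer than the inner packet, e.g. `if ( (uint32)caplen > inner->TotalLen() ) caplen = inner->TotalLen();` placed after the too-short check, and keep reporting the surplus as a weird, so the excess bytes are neither silently accepted nor fatal.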


Would that be ok in your opinion? If not, what would be a better way to 
deal with this?

2) With the above patch applied, bro correctly sees the inner traffic, 
but from time to time it segfaults (every other day roughly). Until now 
I figured out the following information, but cannot really see what's 
going wrong:

     a) bro always crashes at a tunneled TCP packet with active reset flag
     b) I see very few such packets (it might be that the crashing one 
is the only one within quite some time before the crash: I don't have all 
traffic available)
     c) I cannot reproduce the problem by simply starting bro on a pcap 
file with the offending packet (and ~100MB traffic before the crash) 
(even valgrind doesn't report anything useful)


From the stack trace of the core file (cf. below) it looks as if 
PacketWithRst() somehow triggered the destructor of (my own) SIP plugin. 
However, I have no idea how that could happen.

Could you help me with this problem?

Thanks,

Dirk

#0 std::_List_base<plugin::BifItem, std::allocator<plugin::BifItem> 
 >::_M_clear (this=this at entry=0x2f373b0) at 
/usr/include/c++/4.7/bits/list.tcc:74
#1 0x00000000006a0ade in ~_List_base (this=0x2f373b0, 
__in_chrg=<optimized out>) at /usr/include/c++/4.7/bits/stl_list.h:379
#2 ~list (this=0x2f373b0, __in_chrg=<optimized out>) at 
/usr/include/c++/4.7/bits/stl_list.h:436
#3 plugin::Plugin::~Plugin (this=0x2f37360, __in_chrg=<optimized out>) 
at bro/src/plugin/Plugin.cc:136
#4 0x00007f1fa7d2ef77 in ~Plugin (this=0x2f37360, __in_chrg=<optimized 
out>) at sip/src/Plugin.cc:8
#5 plugin::Consistec_SIP::Plugin::~Plugin (this=0x2f37360, 
__in_chrg=<optimized out>) at sip/src/Plugin.cc:8
#6 0x000000000079d4bd in PacketWithRST (this=0x3482680) at 
bro/src/analyzer/protocol/tcp/TCP.cc:1810
#7 analyzer::tcp::TCP_Analyzer::DeliverPacket (this=0x3482680, len=0, 
data=0x7f1fa16f9aca <Address 0x7f1fa16f9aca out of bounds>, 
is_orig=false, seq=<optimized out>, ip=0x34e05c0, caplen=0)
at bro/src/analyzer/protocol/tcp/TCP.cc:1280
#8 0x0000000000807a6a in analyzer::Analyzer::NextPacket (this=0x3482680, 
len=20, data=<optimized out>, is_orig=<optimized out>, seq=<optimized 
out>, ip=<optimized out>, caplen=20)
at bro/src/analyzer/Analyzer.cc:222
#9 0x000000000055ecee in Connection::NextPacket (this=0x2f48c00, 
t=<optimized out>, is_orig=<optimized out>, ip=<optimized out>, 
len=<optimized out>, caplen=<optimized out>, data=<optimized out>, 
record_packet=@0x7ffc33d50898: 1,
record_content=@0x7ffc33d5089c: 1, hdr=0x7ffc33d50b10, 
pkt=0x7f1fa16f9aa2 <Address 0x7f1fa16f9aa2 out of bounds>, hdr_size=0) 
at bro/src/Conn.cc:260
#10 0x00000000005f819a in NetSessions::DoNextPacket 
(this=this at entry=0xf25000, t=1468916092.7505391, t at entry=<error reading 
variable: Could not find type for DW_OP_GNU_const_type>, 
hdr=hdr at entry=0x7ffc33d50b10,
ip_hdr=ip_hdr at entry=0x34e05c0, pkt=pkt at entry=0x7f1fa16f9aa2 <Address 
0x7f1fa16f9aa2 out of bounds>, hdr_size=hdr_size at entry=0, 
encapsulation=0x0, encapsulation at entry=0x34b3138)
at bro/src/Sessions.cc:757
#11 0x00000000005f91a4 in NetSessions::DoNextInnerPacket (this=0xf25000, 
t=1468916092.7505391, hdr=<optimized out>, inner=0x34e05c0, 
prev=<optimized out>, ec=...)
at bro/src/Sessions.cc:805
#12 0x00000000005f88ca in NetSessions::DoNextPacket 
(this=this at entry=0xf25000, t=1468916092.7505391, t at entry=<error reading 
variable: Could not find type for DW_OP_GNU_const_type>, 
hdr=hdr at entry=0xf762a0, ip_hdr=<optimized out>,
ip_hdr at entry=0x7ffc33d50e60, pkt=pkt at entry=0x7f1fa16f9a80 <Address 
0x7f1fa16f9a80 out of bounds>, hdr_size=hdr_size at entry=14, 
encapsulation=encapsulation at entry=0x0)
at bro/src/Sessions.cc:665
#13 0x00000000005f96d6 in NetSessions::NextPacket (this=0xf25000, 
t=1468916092.7505391, hdr=0xf762a0, pkt=0x7f1fa16f9a80 <Address 
0x7f1fa16f9a80 out of bounds>, hdr_size=14)
at bro/src/Sessions.cc:231
#14 0x00000000005c8048 in net_packet_dispatch (t=1468916092.7505391, 
hdr=0xf762a0, pkt=0x7f1fa16f9a80 <Address 0x7f1fa16f9a80 out of bounds>, 
hdr_size=14, src_ps=0xf76160)
at bro/src/Net.cc:277

-- 

Dr.-Ing. Dirk Leinenbach - Leitung Softwareentwicklung
consistec Engineering & Consulting GmbH
------------------------------------------------------------------

Europaallee 5                      Fon:   +49 (0)681 / 959044-0
D-66113 Saarbrücken                Fax:   +49 (0)681 / 959044-11
http://www.consistec.de            e-mail: dirk.leinenbach at consistec.de

Registergericht: Amtsgericht Saarbrücken
Registerblatt:   HRB12003
Geschäftsführer: Dr. Thomas Sinnwell, Volker Leiendecker, Stefan Sinnwell
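
The length check discussed under point 1), as a stand-alone illustration added to this page (it is not Bro code and not the poster's patch): a constructed IP-in-IP packet whose capture carries four trailing bytes standing in for an Ethernet FCS is parsed down to the inner IPv4 header, the captured length is compared to the inner TotalLen the way the original check does, and instead of either rejecting the packet or passing the surplus through, the length handed to the inner processing is clamped to TotalLen while the number of surplus bytes is kept for logging. All function names, the byte layout and the 0xAA filler bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_IPIP 4  /* protocol number of the outer header in an IP-in-IP tunnel */
#define IPPROTO_TCP  6

/* Outcome of comparing the captured length of the inner packet to its TotalLen. */
enum inner_len_status {
    INNER_TRUNCATED = -1,  /* caplen <  TotalLen: not enough bytes captured          */
    INNER_EXACT     =  0,  /* caplen == TotalLen: the strict equality check passes    */
    INNER_TRAILING  =  1   /* caplen >  TotalLen: surplus bytes, e.g. a trailing FCS */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the fixed part of an IPv4 header: header length, TotalLen and protocol.
 * Returns 0 on success, -1 if the header is incomplete or not IPv4. */
static int ipv4_parse(const uint8_t *p, size_t caplen,
                      size_t *hdr_len, uint16_t *total_len, uint8_t *proto)
{
    if (caplen < 20 || (p[0] >> 4) != 4) return -1;
    *hdr_len = (size_t)(p[0] & 0x0f) * 4;
    if (*hdr_len < 20 || *hdr_len > caplen) return -1;
    *total_len = be16(p + 2);
    *proto = p[9];
    return 0;
}

/* The comparison the mail's patch relaxes: captured length vs inner TotalLen. */
static enum inner_len_status classify_inner(uint32_t caplen, uint16_t inner_total_len)
{
    if (caplen < inner_total_len) return INNER_TRUNCATED;
    if (caplen > inner_total_len) return INNER_TRAILING;
    return INNER_EXACT;
}

/* Clamp the length passed to the inner processing to TotalLen so trailing bytes
 * never reach the inner analyzers; *trailing records how many were cut so the
 * condition can still be logged instead of being silently accepted. */
static uint32_t clamp_inner_caplen(uint32_t caplen, uint16_t inner_total_len,
                                   uint32_t *trailing)
{
    *trailing = caplen > inner_total_len ? caplen - inner_total_len : 0;
    return caplen - *trailing;
}

/* Walk one captured outer IPv4 packet into its inner packet. Returns the
 * inner_len_status (INNER_TRUNCATED is fatal, the other two succeed), -2 for
 * unparseable headers and -3 if the outer packet is not IP-in-IP. On success
 * *inner_caplen is the clamped length and *trailing the surplus byte count. */
int process_tunnel(const uint8_t *pkt, size_t caplen,
                   uint32_t *inner_caplen, uint32_t *trailing)
{
    size_t ohl, ihl; uint16_t otl, itl; uint8_t oproto, iproto;
    if (ipv4_parse(pkt, caplen, &ohl, &otl, &oproto) != 0) return -2;
    if (oproto != IPPROTO_IPIP) return -3;
    /* Everything after the outer header, including any bytes the capture kept
     * beyond the outer TotalLen (here: the FCS stand-in), is the inner caplen. */
    const uint8_t *inner = pkt + ohl;
    uint32_t icap = (uint32_t)(caplen - ohl);
    if (ipv4_parse(inner, icap, &ihl, &itl, &iproto) != 0) return -2;
    enum inner_len_status st = classify_inner(icap, itl);
    if (st == INNER_TRUNCATED) return st;
    *inner_caplen = clamp_inner_caplen(icap, itl, trailing);
    return st;
}

/* Constructed sample: outer IPv4 (proto 4) + inner IPv4 (proto 6) + 20-byte TCP
 * header with RST set, followed by fcs_bytes of 0xAA standing in for an FCS that
 * the capture left in place. Returns the number of bytes written, 0 if too small. */
size_t build_sample(uint8_t *buf, size_t bufsz, size_t fcs_bytes)
{
    const size_t ip_hdr = 20, tcp_hdr = 20;
    size_t total = ip_hdr + ip_hdr + tcp_hdr + fcs_bytes;
    if (bufsz < total) return 0;
    memset(buf, 0, total);
    uint8_t *outer = buf, *inner = buf + ip_hdr, *tcp = inner + ip_hdr;
    outer[0] = 0x45; outer[3] = (uint8_t)(2 * ip_hdr + tcp_hdr); outer[9] = IPPROTO_IPIP;
    inner[0] = 0x45; inner[3] = (uint8_t)(ip_hdr + tcp_hdr);     inner[9] = IPPROTO_TCP;
    tcp[13] = 0x04;  /* TCP flags byte: RST */
    memset(buf + total - fcs_bytes, 0xAA, fcs_bytes);
    return total;
}

int main(void)
{
    uint8_t pkt[128]; uint32_t ic = 0, tr = 0;
    size_t n = build_sample(pkt, sizeof pkt, 4);
    int st = process_tunnel(pkt, n, &ic, &tr);
    printf("status=%d inner_caplen=%u trailing=%u\n", st, ic, tr);
    return 0;
}
```

With the FCS stand-in present the strict check reports INNER_TRAILING, the inner length handed onward is 40 (inner IPv4 plus TCP header) and 4 surplus bytes are reported; without it the same packet is INNER_EXACT, and a capture cut short of the inner TotalLen is still rejected as INNER_TRUNCATED.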
