USArmyResearchLab / Dshell

Dshell is a network forensic analysis framework.

No results running live capture's plugins on interfaces #141

Closed paulofdantas closed 3 years ago

paulofdantas commented 3 years ago

Hey! I hope this message finds you well.

So, I'm trying to run some plugins to live capture on a well configured interface and I got no results.

The Dshell prompt is presented again after I execute the decode command.

```
Dshell> decode -i ens5f0 -d search --search_expression UPDATE
Dshell>
```

Any help?

Best regards.

dev195 commented 3 years ago

That's unusual. Does the command immediately exit on its own when you try to run it, or does it stop after a keyboard interrupt or similar?

Are you running the command as root? Superuser privileges are required to listen on an interface, though Dshell usually throws an error when that is not the case.

Could you try running the command again with the --debug flag and posting the results? There may be a warning or error message we do not see.

paulofdantas commented 3 years ago

> That's unusual. Does the command immediately exit on its own when you try to run it, or does it stop after a keyboard interrupt or similar?
>
> Are you running the command as root? Superuser privileges are required to listen on an interface, though Dshell usually throws an error when that is not the case.
>
> Could you try running the command again with the --debug flag and posting the results? There may be a warning or error message we do not see.

The command exits immediately no matter how much I try to execute it. Yes, I'm running as root. The output running with --debug:

```
Dshell> decode --interface ens5f0 -d search --search_expression UPDATE SELECT --debug
DEBUG (dshell.core) - {'name': 'search', 'description': 'Search for patterns in connections', 'longdescription': '\nReconstructs streams and searches the content for a user-provided regular\nexpression. Requires definition of the --search_expression argument. Additional\noptions can be provided to alter behavior.\n ', 'bpf': 'tcp or udp', 'compiled_bpf': None, 'vlan_bpf': True, 'author': 'dev195', 'logger': <Logger dshell.plugins.misc.search (DEBUG)>, 'seen_packet_count': <Synchronized wrapper for c_int(0)>, 'handled_packet_count': <Synchronized wrapper for c_int(0)>, 'optiondict': {'expression': {'help': 'Search expression', 'type': <class 'str'>, 'metavar': 'REGEX'}, 'ignorecase': {'help': 'Ignore case when searching', 'action': 'store_true'}, 'invert': {'help': 'Return connections that DO NOT match expression', 'action': 'store_true'}, 'quiet': {'help': 'Do not display matches from this plugin. Useful when chaining plugins.', 'action': 'store_true'}}, '_packet_queue': [], 'out': <dshell.output.alertout.AlertOutput object at 0x7f6982491be0>, 'link_layer_type': 1, 'defrag_ip': False, 'current_pcap_file': None, '_packet_fragments': defaultdict(<class 'dict'>, {}), '_connection_queue': [], '_production_ready': True, '_connection_tracker': {}, 'seen_conn_count': <Synchronized wrapper for c_int(0)>, 'handled_conn_count': <Synchronized wrapper for c_int(0)>, 'maxblobs': inf, 'timeout': datetime.timedelta(0, 3600), 'timeout_frequency': 300, 'max_open_connections': 1000, 'expression': 'UPDATE', 'ignorecase': False, 'invert': False, 'quiet': False, 'regex': re.compile(b'UPDATE')}
INFO (dshell.core) - working on file "ens5f0"
DEBUG (dshell.core) - Compiling BPF as '(tcp or udp) or (vlan and tcp or udp)'
INFO (__main__) - Datalink: 1 - Ethernet
INFO (dshell.core) - 0 seen packets, 0 handled packets
INFO (dshell.core) - 0 seen connections, 0 handled connections
```

paulofdantas commented 3 years ago

Finally I got dshell-decode running after running the command a lot of times. It seems to be a specific situation that enables the command to run.

dev195 commented 3 years ago

Oh, that's good. Did you change anything? I can close the issue, but additional information would be useful if anybody else sees this problem.

Also, remember that --search_expression accepts regular expressions. If you're searching for "UPDATE" or "SELECT", you should change the search expression to "(UPDATE|SELECT)".
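The debug output above shows the search plugin storing its pattern as a bytes regex (`'regex': re.compile(b'UPDATE')`) with `ignorecase` and `invert` options. The following is an added illustration, not Dshell's own code, of how such a pattern behaves over reconstructed stream content; the connection keys and payloads are constructed sample data, and the helper names are made up here.

```python
import re

# Constructed sample: reconstructed TCP payloads keyed by a made-up
# "client-server" label. Not Dshell's data model, just illustrative input.
SAMPLE_CONNECTIONS = {
    "10.0.0.5:51000-10.0.0.9:3306": b"UPDATE users SET role='admin' WHERE id=7;",
    "10.0.0.6:51001-10.0.0.9:3306": b"select name from accounts where id=1;",
    "10.0.0.7:51002-10.0.0.9:443": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
    "10.0.0.8:51003-10.0.0.9:80": b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n",
}


def compile_search(expression: str, ignorecase: bool = False) -> re.Pattern:
    """Build a bytes regex the way the debug dump shows (re.compile(b'...')).

    Stream content is bytes, so the expression must be encoded before
    compiling; a str pattern would raise TypeError when searched on bytes.
    """
    flags = re.IGNORECASE if ignorecase else 0
    return re.compile(expression.encode(), flags)


def search_connections(connections, expression, ignorecase=False, invert=False):
    """Return keys of connections whose content matches the expression.

    invert=True flips the test, returning connections that do NOT match,
    mirroring the semantics of the plugin's 'invert' option in the dump.
    """
    regex = compile_search(expression, ignorecase)
    hits = []
    for key, data in connections.items():
        matched = regex.search(data) is not None
        if matched != invert:
            hits.append(key)
    return hits


if __name__ == "__main__":
    # Plain "UPDATE" misses the SELECT query entirely; the alternation
    # catches both keywords, and ignorecase is needed for lowercase SQL.
    print(search_connections(SAMPLE_CONNECTIONS, "UPDATE"))
    print(search_connections(SAMPLE_CONNECTIONS, "(UPDATE|SELECT)", ignorecase=True))
```

Running the alternation with `invert=True` lists the TLS and HTTP connections, which is the "everything except SQL-looking streams" view useful when chaining plugins.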

paulofdantas commented 3 years ago

> Oh, that's good. Did you change anything? I can close the issue, but additional information would be useful if anybody else sees this problem.
>
> Also, remember that --search_expression accepts regular expressions. If you're searching for "UPDATE" or "SELECT", you should change the search expression to "(UPDATE|SELECT)".

I didn't change anything, I just ran the command again and again till I got it running. Thank you, I'll adjust the regex to deploy in production. I think you can close the issue.

dev195 commented 3 years ago

We did some more debugging and found what might be causing this issue. A fix was just committed to the master branch.

paulofdantas commented 3 years ago

> We did some more debugging and found what might be causing this issue. A fix was just committed to the master branch.

Thanks! I'll test!