Open foresthus opened 4 months ago
Hello,
I've found that the issue is a known bug in tcpreplay. You can find more details about it in this GitHub issue: https://github.com/appneta/tcpreplay/issues/835.
You can try to upgrade tcpreplay to the latest version, as the version in my repo, 4.4.2, has this bug.
The latest version might have fixed this issue, although I haven't tested it.
I plan to test the new version in the coming days. If it works without any issues, I'll update the installation script in my repository.
Apologies for the delayed response.
Upgrading to the latest tcpreplay version (4.5.1) did not resolve the error. Here are the details:
● TZSPreplay37008@tzsp0.service - TZSP Replay capture on dev tzsp0
Loaded: loaded (/etc/systemd/system/TZSPreplay37008@.service; enabled; preset: enabled)
Active: active (running) since Fri 2024-10-18 21:03:41 UTC; 16s ago
Main PID: 49063 (sh)
Tasks: 3 (limit: 11881)
Memory: 1.8M
CPU: 3.237s
CGroup: /system.slice/system-TZSPreplay37008.slice/TZSPreplay37008@tzsp0.service
├─49063 /bin/sh -c "/usr/local/bin/tzsp2pcap -p 37008 -f | /usr/local/bin/tcpreplay-edit --topspeed --mtu=\$(cat /sys/class/net/tzsp0/mtu) --mtu-trunc -i tzsp0 -"
├─49065 /usr/local/bin/tzsp2pcap -p 37008 -f
└─49066 /usr/local/bin/tcpreplay-edit --topspeed --mtu=2000 --mtu-trunc -i tzsp0 -
Oct 18 21:03:57 localhost sh[49066]: Warning: skipping packet 73145 because caplen 70 minus L2 length 14 does not equal IPv4 header length 52. Consider option '--fixhdrlen'.
Oct 18 21:03:57 localhost sh[49066]: Warning: skipping packet 73167 because caplen 82 minus L2 length 14 does not equal IPv4 header length 64. Consider option '--fixhdrlen'.
Oct 18 21:03:57 localhost sh[49066]: Warning: skipping packet 73169 because caplen 70 minus L2 length 14 does not equal IPv4 header length 52. Consider option '--fixhdrlen'.
Even after adding the --fixhdrlen option, some packet header issues persist:
● TZSPreplay37008@tzsp0.service - TZSP Replay capture on dev tzsp0
Loaded: loaded (/etc/systemd/system/TZSPreplay37008@.service; enabled; preset: enabled)
Active: active (running) since Fri 2024-10-18 21:07:32 UTC; 16s ago
Main PID: 51763 (sh)
Tasks: 3 (limit: 11881)
Memory: 1.6M
CPU: 2.841s
CGroup: /system.slice/system-TZSPreplay37008.slice/TZSPreplay37008@tzsp0.service
├─51763 /bin/sh -c "/usr/local/bin/tzsp2pcap -p 37008 -f | /usr/local/bin/tcpreplay-edit --fixhdrlen --topspeed --mtu=\$(cat /sys/class/net/tzsp0/mtu) --mtu-trunc -i tzsp0 -"
├─51764 /usr/local/bin/tzsp2pcap -p 37008 -f
└─51765 /usr/local/bin/tcpreplay-edit --fixhdrlen --topspeed --mtu=2000 --mtu-trunc -i tzsp0 -
Oct 18 21:07:43 localhost sh[51765]: Warning: flow_decode failed to determine Ethernet header length for packet 42783
Oct 18 21:07:43 localhost sh[51765]: Warning: flow_decode failed to determine Ethernet header length for packet 42784
Oct 18 21:07:44 localhost sh[51765]: Warning: flow_decode failed to determine Ethernet header length for packet 46821
Oct 18 21:07:45 localhost sh[51765]: Warning: flow_decode failed to determine Ethernet header length for packet 51565
This is the current flow pipeline:
/bin/sh -c "/usr/local/bin/tzsp2pcap -p 37008 -f | /usr/local/bin/tcpreplay-edit --topspeed --mtu=\$(cat /sys/class/net/tzsp0/mtu) --mtu-trunc -i tzsp0 -"
This command captures TZSP packets on port 37008 and converts them to a PCAP file format using tzsp2pcap. The output is piped to tcpreplay-edit, which modifies and replays the packets at maximum speed on the tzsp0 interface, adjusting for the MTU size.
The error suggests that tcpreplay-edit is having difficulty interpreting the Ethernet header of the captured TZSP packets. Currently, I suspect the issue may be related to tzsp2pcap, and I prefer to retain the current version of tcpreplay. I will try to investigate further. If anyone can assist me in this, it would be greatly appreciated.
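The two warnings quoted in this comment describe two different conditions, and checking the tzsp2pcap output on its own, before it reaches tcpreplay-edit, tells you which side of the pipe produces them. In the `caplen ... does not equal IPv4 header length` lines above, caplen minus the 14-byte Ethernet header is larger than the IPv4 length by exactly 4 bytes in every quoted packet (70 - 14 = 56 against 52, 82 - 14 = 68 against 64), so those frames carry 4 bytes after the end of the IP packet rather than being cut short. The script below is an added example, not code from this issue or from the tzsp2pcap or tcpreplay projects: it parses a classic pcap stream with only the Python standard library, computes that per-packet difference, and separately lists packets behind whose Ethernet header there is no IPv4 or IPv6 header at all (the assumption here is that this is one way tcpreplay-edit ends up unable to determine an Ethernet header length; the tcpreplay source is not quoted on this page). The four sample records, the function names (`check_packets`, `l2_header_length`, `ip_total_length`, `run_sample`) and the file layout are constructed for the example.

```python
"""
Sanity-check a pcap stream from tzsp2pcap before it reaches tcpreplay-edit.

Added example for this issue thread; not code from the thread, from tzsp2pcap
or from tcpreplay. Standard library only. Assumes classic pcap (not pcapng)
with LINKTYPE_ETHERNET, which is what a libpcap-based writer produces.
"""
import struct
import sys

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_ARP = 0x0806


def parse_pcap(data):
    """Yield (index, caplen, origlen, frame) records from classic pcap bytes."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("expected LINKTYPE_ETHERNET (1), got %d" % linktype)
    offset, index = 24, 1
    while offset + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield index, caplen, origlen, data[offset:offset + caplen]
        offset += caplen
        index += 1


def l2_header_length(frame):
    """Return (l2len, ethertype); l2len is None when no IPv4/IPv6 header follows Ethernet."""
    if len(frame) < ETH_HDR_LEN:
        return None, None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l2len = ETH_HDR_LEN
    # Walk 802.1Q tags so a VLAN-tagged IP frame still gets its real L2 length.
    while ethertype == ETHERTYPE_VLAN and len(frame) >= l2len + 4:
        ethertype = struct.unpack("!H", frame[l2len + 2:l2len + 4])[0]
        l2len += 4
    if ethertype in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
        return l2len, ethertype
    return None, ethertype


def ip_total_length(ip, ethertype):
    """Length the IP header claims (header + payload), or None if the header is cut short."""
    if ethertype == ETHERTYPE_IPV4:
        return struct.unpack("!H", ip[2:4])[0] if len(ip) >= 20 else None
    return 40 + struct.unpack("!H", ip[4:6])[0] if len(ip) >= 40 else None


def check_packets(data):
    """Two checks per packet: is there an IP header to decode, and does caplen match its length."""
    report = {"total": 0, "ok": 0, "l2_undecodable": [], "len_mismatch": []}
    for index, caplen, _origlen, frame in parse_pcap(data):
        report["total"] += 1
        l2len, ethertype = l2_header_length(frame)
        if l2len is None:
            report["l2_undecodable"].append((index, ethertype))
            continue
        ip_len = ip_total_length(frame[l2len:], ethertype)
        # delta > 0: bytes trailing the IP packet; delta < 0: capture shorter than the IP packet.
        delta = None if ip_len is None else (caplen - l2len) - ip_len
        if delta == 0:
            report["ok"] += 1
        else:
            report["len_mismatch"].append((index, caplen, l2len, ip_len, delta))
    return report


def build_ipv4_udp(payload_len):
    """Constructed Ethernet/IPv4/UDP frame; checksums left zero since only lengths matter here."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    udp_len = 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 37008, 37008, udp_len, 0) + b"\x00" * payload_len
    return eth + ip + udp


def build_pcap(frames):
    """Classic little-endian pcap, LINKTYPE_ETHERNET; caplen is the stored frame length."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame, origlen in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), origlen) + frame
    return out


def sample_pcap():
    """Four constructed records: clean, 4-byte trailer (as in the log), truncated, ARP."""
    clean = build_ipv4_udp(24)            # 14 + 52 bytes, i.e. "IPv4 header length 52"
    arp = clean[:12] + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28
    return build_pcap([
        (clean, 66),
        (clean + b"\x00" * 4, 70),        # caplen 70: 70 - 14 = 56, not 52
        (build_ipv4_udp(100)[:60], 142),  # caplen 60 while the IP header says 128
        (arp, 42),
    ])


def run_sample():
    return check_packets(sample_pcap())


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    r = check_packets(data)
    print("packets: %d  ok: %d" % (r["total"], r["ok"]))
    for index, ethertype in r["l2_undecodable"]:
        print("packet %d: no IP header behind Ethernet (ethertype %s)" % (index, ethertype))
    for index, caplen, l2len, ip_len, delta in r["len_mismatch"]:
        print("packet %d: caplen %d - L2 %d != IP length %s (delta %s)" % (index, caplen, l2len, ip_len, delta))
```

To use it against the real pipeline, redirect the stdout that `tzsp2pcap -p 37008 -f` otherwise pipes into tcpreplay-edit into a file for a few seconds and pass that file as the first argument; run with no argument and it checks the constructed sample instead. A consistent positive delta across many packets points at extra bytes appended per frame on the capture side, a negative delta at truncation, and a long `l2_undecodable` list at non-IP traffic (ARP, LLDP and the like) arriving on the sniffer stream; each of those calls for a different fix than upgrading tcpreplay.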
Thanks a lot for your answer. I will look at it and will be back.
Hi, I was wondering why the service "TZSPreplay37008@tzsp0.service" gets an error after 10 or 20 seconds. This is what I can see on the CLI.
I installed Debian as a VM with Proxmox.
Everything else is working. Suricata connects to the MikroTik and uses the function to block traffic. Therefore the instructions on how to install this Docker environment work. This VM has 6 CPUs, 8 GB RAM and 60 GB of storage.
Where can I find help or a solution to the problem?
Thanks for your help.