cisco / joy

A package for capturing and analyzing network flow data and intraflow data, for network research, forensics, and security monitoring.

Invalid TCP header length #257

Closed. Str-Gen closed this 5 years ago.

Str-Gen commented 5 years ago

When processing some files, I repeatedly came across this error. A 20-byte header for TCP packets is valid and should be interpreted.

ERR: process_tcp: 473: Invalid TCP header length: 20 bytes

bhudson33 commented 5 years ago

Do you have a cap file that generates this error?

Str-Gen commented 5 years ago

The files with errors in processing were removed. I will regenerate files that produce the error and get back to you.

Str-Gen commented 5 years ago

I have encountered a new file that reports the error during processing. The pcap is available here. https://www.dropbox.com/s/t6i0k8vweag5qz8/1fb1b6c1-7b04-41f7-b3ba-8d84dd2bc079.pcap?dl=0

bhudson33 commented 5 years ago

So looking over the packet capture, the invalid TCP header lengths are coming from the partial packets. For instance, packets #5, #6 and #7 make up a full TCP packet. Packets #5 and #6 are just fragments. So the code throws the error clause on packets #5 and #6 because there are only 8 bytes in each. On packet #7, the full packet gets processed. Maybe we should make these "info" logs when the packet is marked as fragmented?

Str-Gen commented 5 years ago

Yes that would be a suitable solution, certainly if the full packet does get processed it shouldn't be marked as an error.

bhudson33 commented 5 years ago

Fix has been merged into master. Actually modified the fragment check to include fragment flags and fragment offset.
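The check described in this thread, as an added example that is not joy's own code: it reads the IPv4 flags/fragment-offset field, treats a non-first fragment (offset != 0) or a first fragment with MF set and fewer than 20 transport bytes as a fragment rather than an error, and only validates the TCP data offset on packets that can actually carry a full TCP header. The function and type names (`check_tcp_header`, `build_ipv4_tcp`, `tcp_hdr_status`), the constructed packets and the sample TCP header are all assumptions made for this illustration; the 8-byte fragments mirror the packets #5 and #6 described above but are built inline, not taken from the reported pcap.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Classification of the transport header of one captured IPv4 packet
 * (hypothetical type, not joy's). */
enum tcp_hdr_status {
    TCP_HDR_OK = 0,     /* complete, sane TCP header is present */
    TCP_HDR_FRAGMENT,   /* IP fragment that cannot carry a checkable TCP header: info, not error */
    TCP_HDR_NOT_TCP,    /* not IPv4 or not protocol 6 */
    TCP_HDR_INVALID     /* unfragmented packet whose TCP header length is bogus: error */
};

#define IPV4_MIN_HLEN 20
#define TCP_MIN_HLEN  20
#define IP_FLAG_MF    0x2000u   /* "more fragments" bit of the IPv4 flags/offset field */
#define IP_OFF_MASK   0x1fffu   /* fragment offset, in units of 8 bytes */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Inspect one IPv4 packet; len is the number of bytes actually captured.
 * On TCP_HDR_OK, *tcp_hlen receives the TCP header length in bytes. */
enum tcp_hdr_status check_tcp_header(const uint8_t *pkt, size_t len, unsigned *tcp_hlen)
{
    if (len < IPV4_MIN_HLEN || (pkt[0] >> 4) != 4) return TCP_HDR_NOT_TCP;
    unsigned ihl = (pkt[0] & 0x0f) * 4u;
    if (ihl < IPV4_MIN_HLEN || len < ihl) return TCP_HDR_INVALID;   /* corrupt IP header */
    if (pkt[9] != 6) return TCP_HDR_NOT_TCP;

    uint16_t frag = be16(pkt + 6);
    int more_fragments = (frag & IP_FLAG_MF) != 0;
    unsigned frag_offset = (frag & IP_OFF_MASK) * 8u;
    size_t l4_len = len - ihl;

    /* A non-first fragment carries TCP payload, not a TCP header: nothing to check. */
    if (frag_offset != 0) return TCP_HDR_FRAGMENT;
    /* A first fragment may hold only part of the TCP header (e.g. 8 bytes); not an error. */
    if (more_fragments && l4_len < TCP_MIN_HLEN) return TCP_HDR_FRAGMENT;

    if (l4_len < TCP_MIN_HLEN) return TCP_HDR_INVALID;   /* unfragmented yet truncated */
    unsigned doff = (pkt[ihl + 12] >> 4) * 4u;            /* TCP data offset, in bytes */
    if (doff < TCP_MIN_HLEN) return TCP_HDR_INVALID;
    if (doff > l4_len) return more_fragments ? TCP_HDR_FRAGMENT : TCP_HDR_INVALID;

    *tcp_hlen = doff;
    return TCP_HDR_OK;
}

/* Constructed 20-byte TCP header: sport 443, dport 52000, data offset 5 (20 bytes), ACK. */
const uint8_t SAMPLE_TCP[TCP_MIN_HLEN] = {
    0x01, 0xbb, 0xcb, 0x20,   /* ports */
    0x00, 0x00, 0x00, 0x01,   /* sequence number */
    0x00, 0x00, 0x00, 0x02,   /* acknowledgement number */
    0x50, 0x10,               /* data offset 5 words, flags ACK */
    0xff, 0xff, 0x00, 0x00, 0x00, 0x00   /* window, checksum, urgent pointer */
};

/* Build a constructed IPv4/TCP packet: 20-byte IP header with the given
 * flags/offset field, followed by the first plen bytes of payload. Returns total length. */
size_t build_ipv4_tcp(uint8_t *buf, size_t bufsz, uint16_t frag_field,
                      const uint8_t *payload, size_t plen)
{
    size_t total = IPV4_MIN_HLEN + plen;
    if (total > bufsz) return 0;
    memset(buf, 0, IPV4_MIN_HLEN);
    buf[0] = 0x45;                                        /* IPv4, IHL = 5 words */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[6] = (uint8_t)(frag_field >> 8); buf[7] = (uint8_t)frag_field;
    buf[8] = 64;                                          /* TTL */
    buf[9] = 6;                                           /* protocol = TCP */
    memcpy(buf + IPV4_MIN_HLEN, payload, plen);
    return total;
}

int main(void)
{
    struct { const char *desc; uint16_t frag; size_t plen; } cases[] = {
        { "first fragment, MF set, 8 bytes of TCP",  IP_FLAG_MF,     8 },
        { "middle fragment, offset 8, MF set",       IP_FLAG_MF | 1, 8 },
        { "last fragment, offset 16",                2,              4 },
        { "unfragmented, DF set, full header",       0x4000,         TCP_MIN_HLEN },
        { "unfragmented but truncated to 8 bytes",   0,              8 },
    };
    static const char *names[] = { "ok", "fragment (info)", "not tcp", "invalid (error)" };
    uint8_t pkt[64];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned hlen = 0;
        size_t len = build_ipv4_tcp(pkt, sizeof pkt, cases[i].frag, SAMPLE_TCP, cases[i].plen);
        enum tcp_hdr_status s = check_tcp_header(pkt, len, &hlen);
        printf("%-42s -> %s", cases[i].desc, names[s]);
        if (s == TCP_HDR_OK) printf(", header %u bytes", hlen);
        printf("\n");
    }
    return 0;
}
```

One caveat worth keeping in mind when adapting this: a capture taken with a small snaplen also yields fewer than 20 transport bytes without any fragmentation, which this check reports as invalid; if that matters, compare the captured length against the on-wire length from the pcap record header before deciding it is an error.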