kbandla / dpkt

fast, simple packet creation / parsing, with definitions for the basic TCP/IP protocols

dpkt.dpkt.NeedData error #556

Closed brightpinefield closed 3 years ago

brightpinefield commented 3 years ago

Sorry if this has been discussed somewhere else. I have a pcap that is throwing a "dpkt.dpkt.NeedData: got 7, 16 needed at least". I know this has something to do with the truncated data I've been having to deal with, but I can't seem to figure out how to provide an exception to get around this error and just continue processing packets. I'm attaching the pcap with the problem.
packet_test.pcap.zip

dpkt parses the DNS data appropriately. This is thanks to Oscar, Kiran and Brian's previous help with my truncated DNS packets. I'm assuming my script is failing on the start of the next packet, as it looks like the 7 bytes the script complains about are the timestamp bytes (and more?):

00000f0 ae a2 4b 5f da 92 08

The script I've been working with is here: bright.py.zip

I thought having the try / except exception right after the "for ts,buf in pap:" line would handle the NeedData error, but it doesn't, so I'm wondering if anyone knows how I can work around this? Thank you for all the help and this project support. It is greatly appreciated <3

brifordwylie commented 3 years ago

Hi @brightpinefield, so I poked at this a bit.

1) Wireshark gives a big error box when you load this pcap about the capture being truncated/corrupt.
2) I'm attaching an image that shows that example/print_dns_truncated.py gives the exact same info as Wireshark.
3) I've improved the print_dns_truncated.py script to also handle errors when trying to grab the NEXT packet.

https://github.com/kbandla/dpkt/pull/557

So I'll merge this PR and you can try it out. The new output on your PCAP looks like this:

> python print_dns_truncated.py
Timestamp:  2020-08-30 12:59:26.561863
<class 'bytes'>
Ethernet Frame:  10:f3:11:77:df:ac 74:26:ac:47:28:00 2048
IP: 192.168.1.100 -> 192.168.1.101   (len=268 ttl=62 DF=0 MF=0 offset=0)
UDP: sport=53 dport=1297 sum=53654 ulen=248

Error Parsing DNS, Might be a truncated packet...
Exception: error('unpack requires a buffer of 10 bytes')
Queries: 1
     mycelium-wallet.s3.amazonaws.com Type:1
Answers: 2
     mycelium-wallet.s3.amazonaws.com: type: CNAME Answer: s3-1-w.amazonaws.com
     s3-1-w.amazonaws.com: type: A Answer: 52.217.101.4

PCAP capture is truncated, stopping processing...
(Screenshot attached: Screen Shot 2021-02-09 at 8 46 11 AM)

brightpinefield commented 3 years ago

@brifordwylie Thanks a lot for your help. I see what you did and I think I can work with this. Thanks a bunch!

brifordwylie commented 3 years ago

cool 👍