log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

Improve macwifi parser #3610

Open joachimmetz opened 3 years ago

joachimmetz commented 3 years ago

Warnings seen in the end-to-end tests on the dean-macbook Greendale test image.

********************************** Warning: 6 **********************************
           Message : unable to parse log line: "<airportd[123]>
                     _processIPv4Changes: ARP/NDP offloads disabled, not
                     programmi..." at offset: 47730
      Parser chain : macwifi
Path specification : type: OS, location:
                     dean-macbook.E01
                   : type: EWF
                   : type: TSK_PARTITION, location: /p2, part index: 5, start
                     offset: 0x12c06000
                   : type: APFS_CONTAINER, location: /apfs1, volume index: 0
                   : type: APFS, identifier: 889861, location:
                     /private/var/log/wifi.log
--------------------------------------------------------------------------------
joachimmetz commented 3 years ago

Looking at the logs, there appears to be an entry without a date and time value.

Mon Sep 30 17:13:22.751 <airportd[123]> ERROR: SecurityAgent (228) is not entitled for com.apple.wifi.events, but allowing anyways for event type 6
<airportd[123]> _processIPv4Changes: ARP/NDP offloads disabled, not programming the offload
Mon Sep 30 17:13:41.891 <airportd[123]> ERROR: rapportd (283) is not entitled for com.apple.wifi.join_history, will not allow request

Is this a software write error or should this be interpreted as the last date and time value Mon Sep 30 17:13:22.751?

joachimmetz commented 3 years ago

Need more digging if this is a data format edge case or a software error.
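The parsing question raised in this thread, shown as an added example; this is not plaso's macwifi parser and nothing here comes from the project. It tokenizes the three wifi.log lines quoted above and takes the second reading the issue proposes as an assumption: a line that lacks the leading "Mon Sep 30 17:13:22.751" date and time keeps the timestamp of the preceding line and is flagged as inherited instead of producing an "unable to parse log line" warning. The year is passed in by the caller, because wifi.log timestamps carry none (also an assumption about how a caller would supply it).

```python
"""Tokenize macOS wifi.log lines, tolerating entries with no timestamp.

Added example; not plaso's macwifi parser. Assumptions: a line without a
leading date/time inherits the previous line's timestamp (the issue asks
whether that is the right reading), and the year is supplied by the caller
because wifi.log timestamps carry none.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# "Mon Sep 30 17:13:22.751 ": weekday, month, day, time with milliseconds, no year.
_TIMESTAMP_RE = re.compile(
    r"^[A-Z][a-z]{2} (?P<month>[A-Z][a-z]{2}) (?P<day>\d{1,2}) "
    r"(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})\.(?P<ms>\d{3}) "
)
# "<airportd[123]> message"
_AGENT_RE = re.compile(r"^<(?P<process>[^\[>]+)\[(?P<pid>\d+)\]> (?P<message>.*)$")

_MONTHS = {name: number for number, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Sample input: the three lines quoted in the issue above.
SAMPLE_LOG = """\
Mon Sep 30 17:13:22.751 <airportd[123]> ERROR: SecurityAgent (228) is not entitled for com.apple.wifi.events, but allowing anyways for event type 6
<airportd[123]> _processIPv4Changes: ARP/NDP offloads disabled, not programming the offload
Mon Sep 30 17:13:41.891 <airportd[123]> ERROR: rapportd (283) is not entitled for com.apple.wifi.join_history, will not allow request
"""


@dataclass
class WifiLogEvent:
    timestamp: Optional[datetime]   # None if no timestamp has been seen yet
    process: str
    pid: int
    message: str
    timestamp_inherited: bool       # True when borrowed from the preceding line


def parse_wifi_log(text: str, year: int) -> List[WifiLogEvent]:
    """Parse every non-empty line; raise ValueError on a line that fits neither shape."""
    events: List[WifiLogEvent] = []
    last_timestamp: Optional[datetime] = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        match = _TIMESTAMP_RE.match(line)
        if match:
            month = _MONTHS.get(match["month"])
            if month is None:
                raise ValueError(f"line {lineno}: unknown month in {line!r}")
            timestamp = datetime(
                year, month, int(match["day"]), int(match["hour"]),
                int(match["minute"]), int(match["second"]),
                int(match["ms"]) * 1000)
            last_timestamp = timestamp
            inherited = False
            rest = line[match.end():]
        else:
            # Edge case from the issue: no date/time prefix. Keep the line rather
            # than dropping it, and record that the time is borrowed (assumption).
            timestamp = last_timestamp
            inherited = last_timestamp is not None
            rest = line
        agent = _AGENT_RE.match(rest)
        if agent is None:
            raise ValueError(f"line {lineno}: unable to parse log line: {line!r}")
        events.append(WifiLogEvent(
            timestamp=timestamp,
            process=agent["process"],
            pid=int(agent["pid"]),
            message=agent["message"],
            timestamp_inherited=inherited,
        ))
    return events


if __name__ == "__main__":
    # 2019 is an illustrative year; the log itself does not state one.
    for event in parse_wifi_log(SAMPLE_LOG, year=2019):
        flag = " (inherited)" if event.timestamp_inherited else ""
        print(f"{event.timestamp}{flag} {event.process}[{event.pid}] {event.message}")
```

The inherited flag is what matters for timeline work: an analyst can still see the event, but knows its time is borrowed from the line before rather than recorded by airportd, which is the distinction the thread is trying to settle.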