msantos / epcap

Erlang packet capture interface using pcap
http://listincomprehension.com/2009/12/erlang-packet-sniffer-using-ei-and.html
BSD 3-Clause "New" or "Revised" License

Invalid decoding of Fin-Ack to contain payload #11

Closed josemic closed 10 years ago

josemic commented 10 years ago

This packet is decoded by epcap as to have 6 bytes payload, while Wireshark does not show any payload.

<<0,37,34,169,124,93,156,199,166,109,119,220,8, 0,69,0,0,40,79,99,64,0,56,6,192,67,91,215,100, 139,192,168,178,30,0,80,225,205,214,149,255, 217,25,137,180,211,80,17,0,46,245,145,0,0,0,0, 0,0,0,0>>

Here are overlapping screenshots from Wireshark's output: [screenshot from 2013-10-13 11 21 20] [screenshot from 2013-10-13 11 21 29]

ates commented 10 years ago

Could you please send me(ates@ipv6.dp.ua) this pcap file? I will check it and fix. Thank you.

josemic commented 10 years ago

By the way, for the image I have configured Wireshark to show real sequence numbers: Edit->Preferences->Protocols->TCP->Relative Sequence Numbers (unselect) and Edit->Preferences->Protocols->TCP->Allow subdissectors to reassemble TCP streams (unselect).

josemic commented 10 years ago

This bug was unintentionally closed by me.

ates commented 10 years ago

I believe this issue should be closed and created in msantos/pkt project instead. epcap is not responsible for decoding of the binary data. epcap_net module is present for the legacy compatibility.

josemic commented 10 years ago

I agree. I suggest that when you can confirm the bug, either you or me open a new bug in msantos/pkt project instead. We will then refer to that one and close this one.

ates commented 10 years ago

Michael, what do you think about removing the epcap_net from epcap project at all?

josemic commented 10 years ago

If you are referring to "epcap_net.erl" - I am not using it. It just causes confusion.

I use pkt directly. I have created a wrapper around the functions from the Sniffer example and put it into a file: https://github.com/josemic/eNose/blob/master/epcap_port_app/src/epcap_port_lib.erl

ates commented 10 years ago

Looks like it's not related to TCP decoding but related to Ethernet decoding. Ethernet packets which have a length size less than 64 bytes are padded to 64 bytes.
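As an added illustration (Python, not the Erlang code of epcap or pkt), decoding the frame from this issue two ways: taking everything after the TCP header as payload, which yields the 6 bytes reported above, versus bounding the TCP segment by the IPv4 total length, which yields an empty payload and 6 bytes of Ethernet padding. The captured frame is 60 bytes because libpcap delivers it without the 4-byte FCS; the function and constant names below are my own.

```python
import struct

# The 60-byte frame from this issue (the Erlang binary above), constructed here as bytes:
# 14-byte Ethernet header + 20-byte IPv4 header + 20-byte TCP header + 6 bytes of padding.
FRAME = bytes([
    0, 37, 34, 169, 124, 93, 156, 199, 166, 109, 119, 220, 8, 0,
    69, 0, 0, 40, 79, 99, 64, 0, 56, 6, 192, 67, 91, 215, 100, 139, 192, 168, 178, 30,
    0, 80, 225, 205, 214, 149, 255, 217, 25, 137, 180, 211, 80, 17, 0, 46, 245, 145, 0, 0,
    0, 0, 0, 0, 0, 0,
])

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FIN, TCP_ACK = 0x01, 0x10


def decode_tcp(frame):
    """Decode Ethernet/IPv4/TCP and report the payload two ways.

    'naive_payload' is everything after the TCP header up to the end of the frame
    (what a decoder gets when it ignores the IPv4 total length); 'payload' is bounded
    by the IPv4 total length, so trailing Ethernet padding ends up in 'padding'.
    """
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # IPv4 total length (header + data)
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not TCP")
    if total_len < ihl or total_len > len(ip):
        raise ValueError("IPv4 total length inconsistent with frame")
    tcp = ip[ihl:total_len]                       # TCP segment bounded by IPv4 total length
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    if data_off > len(tcp):
        raise ValueError("TCP data offset runs past the segment")
    flags = tcp[13]
    return {
        "fin": bool(flags & TCP_FIN),
        "ack": bool(flags & TCP_ACK),
        "naive_payload": ip[ihl + data_off:],     # runs to the end of the frame
        "payload": tcp[data_off:],                # stops at the IPv4 total length
        "padding": ip[total_len:],                # Ethernet padding after the datagram
    }


if __name__ == "__main__":
    d = decode_tcp(FRAME)
    print(f"FIN={d['fin']} ACK={d['ack']} naive={len(d['naive_payload'])}B "
          f"payload={len(d['payload'])}B padding={len(d['padding'])}B")
```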

josemic commented 10 years ago

Ok. Is the bug in msantos/pkt? Is there a chance to fix it?

ates commented 10 years ago

Yes, this bug is related to pkt project not to epcap. I will try to fix that soon.

msantos commented 10 years ago

Thanks for the bug report, josemic! I remember seeing this but I forgot to follow up on it. I will have to check my notes. In fact, I seem to have just truncated the frame??!:

https://github.com/msantos/perv/blob/master/src/perv.erl#L191

I've created an issue here:

msantos/pkt#5

ates: if you feel like fixing this, I added you as a collaborator to pkt/epcap, if you want to commit directly (feel free to use merge requests if you prefer them).

Otherwise, I will have a look at this in a few days!

BTW, I also remove epcap_net as suggested.