Closed dunst0 closed 4 years ago
Please disable core logging in the kamailio.
This would let kamailio stop complain about these things but this are messages that are then missing in the call trace.
you should check this messages if they are ok. Do you use nonsip_hook ? Is it tcp SIP ?
I checked the original messages with wireshark and couldn't find any null byte char near Content-Length. I don't use any nosip_hook and its only udp.
please check that messages you have sent in HEP, just run ngrep or wireshark on your HEP port i.e. 9061 ... and read it using wireshark hep-lua https://github.com/sipcapture/hep-wireshark
From what I see is there some problem with fragmentation, but I'm not sure.
The following setting seems to be the solution, looks like works as designed.
<profile name="socketspcap_sip" description="HEP Socket" enable="true" serial="2014010402">
<settings>
....
<param name="promisc" value="true"/>
<param name="reasm" value="true"/>
<param name="tcpdefrag" value="false"/>
<param name="capture-plan" value="sip_capture_plan.cfg"/>
....
</settings>
</profile>
@dunst0 actually the default tcpdefrag
is set to false in captagent https://github.com/sipcapture/captagent/blob/master/conf/socket_pcap.xml#L9 .
Can u please share us the pcap with this traffic ? I'd like to do some test later.
Thanks
Its actual udp traffic, still it seems that traffic is missing but no warning from capture node or homer node
Do you want a PCAP from caputure node or the HEP capture or both?
both could be nice ;)
I still get warnings in the log, can I send the pcap's to a email address?
<profile name="socketspcap_sip" description="HEP Socket" enable="true" serial="2014010402">
<settings>
....
<param name="promisc" value="true"/>
<param name="reasm" value="true"/>
<param name="tcpdefrag" value="true"/>
<param name="capture-plan" value="sip_capture_plan.cfg"/>
....
</settings>
</profile>
Feb 5 10:56:11 monitor kernel: em0: promiscuous mode enabled
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb 5 10:57:16 monitor homer[763]: ERROR: pv [pv_core.c:1827]: pv_get_hdr(): error parsing headers
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb 5 10:57:16 monitor homer[763]: ERROR: sipcapture [sipcapture.c:1417]: sip_capture_prepare(): cannot parse headers
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_ppi_pai.c:150]: parse_pai_header(): Error looking for subsequent PAI header
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb 5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_ppi_pai.c:171]: parse_ppi_header(): Error parsing PPI header
Feb 5 10:57:43 monitor kernel: em0: promiscuous mode disabled
@dunst0 send pcap to fci1908@gmail.com Thanks
I've send you the traces yesterday.
Hello, I am wondering if you ever found a solution to this? I am seeing the same thing in my logs?
Thanks, D
This is just a parser error letting you know something about the message was invalid at protocol level, and entirely depends on the traffic being fed to the agent - the message should make its way into the database no less in most cases. Keep in mind, there are going to be invalid or non-RFC compliant formats flowing through causing errors like this particularly if sh&*$% UAs or scanners are around.
It is just a parser error but its happening as far as a see because the parser seems to get incomplete packages.
Any news about this issue ? Is still present ?
When I capture traffic with captagent the homer kamailio complains about errors when parsing, nothing happens when I send hep with sngrep, nearly identical traffic can be parsed with no errors. I tried to dig into the traffic, but can't find the null-Byte char the parser is complaining about. The captagent version is latest master.