sipcapture / captagent

100% Open-Source Packet Capture Agent for HEP
https://sipcapture.org
GNU Affero General Public License v3.0

getting parser error in homer when capturing with captagent #165

Closed dunst0 closed 4 years ago

dunst0 commented 6 years ago

When I capture traffic with captagent, the homer kamailio complains about errors when parsing. Nothing happens when I send HEP with sngrep; nearly identical traffic can be parsed with no errors. I tried to dig into the traffic, but can't find the null-byte char the parser is complaining about. The captagent version is latest master.

Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Jan 10 16:53:49 monitor homer[10446]: ERROR: pv [pv_core.c:1827]: pv_get_hdr(): error parsing headers
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Jan 10 16:53:49 monitor homer[10446]: ERROR: sipcapture [sipcapture.c:1417]: sip_capture_prepare(): cannot parse headers
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/parse_ppi_pai.c:150]: parse_pai_header(): Error looking for subsequent PAI header
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Jan 10 16:53:49 monitor homer[10446]: ERROR: <core> [core/parser/parse_ppi_pai.c:171]: parse_ppi_header(): Error parsing PPI header

adubovikov commented 6 years ago

Please disable core logging in the kamailio.

dunst0 commented 6 years ago

This would make kamailio stop complaining about these things, but these are messages that are then missing in the call trace.

adubovikov commented 6 years ago

You should check these messages to see if they are OK. Do you use nonsip_hook? Is it TCP SIP?

dunst0 commented 6 years ago

I checked the original messages with wireshark and couldn't find any null byte char near Content-Length. I don't use any nosip_hook and it's only UDP.

adubovikov commented 6 years ago

Please check the messages you have sent in HEP: just run ngrep or wireshark on your HEP port, i.e. 9061, and read it using wireshark hep-lua https://github.com/sipcapture/hep-wireshark

dunst0 commented 6 years ago

From what I see, there is some problem with fragmentation, but I'm not sure.

dunst0 commented 6 years ago

The following setting seems to be the solution; looks like it works as designed.

<profile name="socketspcap_sip" description="HEP Socket" enable="true" serial="2014010402">
    <settings>
....
        <param name="promisc" value="true"/>
        <param name="reasm" value="true"/>
        <param name="tcpdefrag" value="false"/>
        <param name="capture-plan" value="sip_capture_plan.cfg"/>
....
    </settings>
</profile>

kYroL01 commented 6 years ago

@dunst0 actually the default tcpdefrag is set to false in captagent https://github.com/sipcapture/captagent/blob/master/conf/socket_pcap.xml#L9 . Can you please share with us the pcap with this traffic? I'd like to do some tests later.

Thanks

dunst0 commented 6 years ago

It's actual UDP traffic; still, it seems that traffic is missing, but no warning from capture node or homer node.

dunst0 commented 6 years ago

Do you want a PCAP from the capture node or the HEP capture or both?

kYroL01 commented 6 years ago

both could be nice ;)

dunst0 commented 6 years ago

I still get warnings in the log. Can I send the pcaps to an email address?

<profile name="socketspcap_sip" description="HEP Socket" enable="true" serial="2014010402">
    <settings>
....
        <param name="promisc" value="true"/>
        <param name="reasm" value="true"/>
        <param name="tcpdefrag" value="true"/>
        <param name="capture-plan" value="sip_capture_plan.cfg"/>
....
    </settings>
</profile>

Feb  5 10:56:11 monitor kernel: em0: promiscuous mode enabled
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb  5 10:57:16 monitor homer[763]: ERROR: pv [pv_core.c:1827]: pv_get_hdr(): error parsing headers
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb  5 10:57:16 monitor homer[763]: ERROR: sipcapture [sipcapture.c:1417]: sip_capture_prepare(): cannot parse headers
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_ppi_pai.c:150]: parse_pai_header(): Error looking for subsequent PAI header
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_content.c:251]: parse_content_length(): parse error near char [0][
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:178]: get_hdr_field(): bad content_length header
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/msg_parser.c:331]: parse_headers(): bad header field [Content-Length: 257]
Feb  5 10:57:16 monitor homer[763]: ERROR: <core> [core/parser/parse_ppi_pai.c:171]: parse_ppi_header(): Error parsing PPI header
Feb  5 10:57:43 monitor kernel: em0: promiscuous mode disabled

kYroL01 commented 6 years ago

@dunst0 send pcap to fci1908@gmail.com Thanks

dunst0 commented 6 years ago

I've sent you the traces yesterday.

dehebert commented 6 years ago

Hello, I am wondering if you ever found a solution to this? I am seeing the same thing in my logs?

Thanks, D

lmangani commented 6 years ago

This is just a parser error letting you know something about the message was invalid at protocol level, and entirely depends on the traffic being fed to the agent - the message should make its way into the database no less in most cases. Keep in mind, there are going to be invalid or non-RFC compliant formats flowing through causing errors like this particularly if sh&*$% UAs or scanners are around.

dunst0 commented 6 years ago

It is just a parser error, but it's happening, as far as I see, because the parser seems to get incomplete packages.
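
Added example (not from the thread or from the captagent/Homer code): a Python check for the two diagnostics discussed above, reading the SIP payload out of a captured HEP3 datagram as adubovikov suggests, and flagging a NUL byte or a body shorter than Content-Length, the incomplete-packet case dunst0 suspects. It assumes the published HEP3 chunk layout (vendor, type, length; payload in generic chunk type 15); the sample message is constructed.

```python
import struct

HEP3_MAGIC = b"HEP3"
CHUNK_PAYLOAD = 0x000F  # generic chunk type 15: captured packet payload


def hep3_chunks(packet: bytes) -> dict:
    """Split one HEP3 datagram into {(vendor_id, type_id): data}."""
    if len(packet) < 6 or packet[:4] != HEP3_MAGIC:
        raise ValueError("not a HEP3 packet")
    (total,) = struct.unpack("!H", packet[4:6])
    if total > len(packet):
        raise ValueError("HEP3 total length exceeds datagram size")
    chunks, off = {}, 6
    while off + 6 <= total:
        vendor, ctype, clen = struct.unpack("!HHH", packet[off:off + 6])
        if clen < 6 or off + clen > total:  # chunk length includes its header
            raise ValueError("bad chunk length at offset %d" % off)
        chunks[(vendor, ctype)] = packet[off + 6:off + clen]
        off += clen
    return chunks


def check_sip_payload(sip: bytes) -> list:
    """Return findings that would make a strict SIP parser reject the payload."""
    findings = []
    if b"\x00" in sip:
        findings.append("NUL byte at offset %d" % sip.index(b"\x00"))
    head, sep, body = sip.partition(b"\r\n\r\n")
    if not sep:
        return findings + ["no end of headers (message cut short)"]
    for line in head.split(b"\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(b":")
        if name.strip().lower() in (b"content-length", b"l"):
            if not value.strip().isdigit():
                findings.append("non-numeric Content-Length %r" % value)
            elif int(value) > len(body):
                findings.append("Content-Length %d but only %d body bytes"
                                % (int(value), len(body)))
    return findings


# Constructed sample: a message declaring 257 body bytes but carrying only 5,
# as it would look if only the first IP fragment reached the HEP sender.
SAMPLE_SIP = (b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
              b"Content-Length: 257\r\n\r\n" b"v=0\r\n")
_chunk = struct.pack("!HHH", 0, CHUNK_PAYLOAD, 6 + len(SAMPLE_SIP)) + SAMPLE_SIP
SAMPLE_HEP = HEP3_MAGIC + struct.pack("!H", 6 + len(_chunk)) + _chunk
```

Running `check_sip_payload(hep3_chunks(pkt)[(0, CHUNK_PAYLOAD)])` over datagrams captured on the HEP port shows whether the payload was already truncated before it reached Homer.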

kYroL01 commented 5 years ago

Any news about this issue? Is it still present?