traffic-taffy / traffic-taffy

Traffic Analysis of Fluctuating Flows from PCAP data
https://traffic-taffy.github.io/

Incorrect opcode output when running with -d3 (not -d10) #6

Open ltfiend opened 7 months ago

ltfiend commented 7 months ago

When running against PCAP files that have been converted from CDNS to PCAP I'm getting parse errors and strange opcode output with -d3 but not with -d10. I haven't reproduced this with straight PCAP data yet. The conversion process loses layer 2 data (replaced with 0s) but I don't think this should cause an issue.

Thoughts? Supporting data below.

tcpdump does not report any erroneous opcodes:

```
tshark -T fields -e 'dns.flags.opcode' -r server1-151249.cdns.pcap|sort|uniq -c |sort -n
   5712 5
 486978 (TCP Frames, no opcode)
1923648 0
```

File sizes are rather large:

- 427M - server1-151249_300.cdns.pcap
- 683M - server1-151749_300.cdns.pcap

Taffy is updated to 0.6.4

Taffy with -d3:

```
----- Ethernet_IP_TCP_DNS_unparsable_dns
PARSE_ERROR    568832   1633663   1064831  100.00  100.00   0.00

----- Ethernet_IP_UDP_DNS_unparsable_dns
PARSE_ERROR     97275     67358    -29917  100.00  100.00  -0.00

----- TOTAL
packet        2416338   5271397   2855059  100.00  100.00   0.00

----- Ethernet_IP_UDP_DNS_opcode
34736               0    176336    176336    0.00    2.51  100.00
384            134461    884226    749765    4.05   12.58    8.54
400            538425   1545910   1007485   16.20   22.00    5.80
33683           12225    106000     93775    0.37    1.51    1.14
34720             157     61440     61283    0.00    0.87    0.87
33667           10384     73828     63444    0.31    1.05    0.74
34323           27928     95894     67966    0.84    1.36    0.52
34179            7451      4281     -3170    0.22    0.06   -0.16
33152            8867      5397     -3470    0.27    0.08   -0.19
33795           18263     11597     -6666    0.55    0.17   -0.38
33154           22333     20197     -2136    0.67    0.29   -0.38
33808           21025     13554     -7471    0.63    0.19   -0.44
33168           21365     12601     -8764    0.64    0.18   -0.46
0             1688446   3534439   1845993   50.80   50.30   -0.50
34195           32064     16132    -15932    0.96    0.23   -0.74
33155           39743     16311    -23432    1.20    0.23   -0.96
33170           68594     53421    -15173    2.06    0.76   -1.30
32789           73804     53671    -20133    2.22    0.76   -1.46
33171          100600     28586    -72014    3.03    0.41   -2.62
33811          128470     34883    -93587    3.87    0.50   -3.37
16             330641    247699    -82942    9.95    3.53   -6.42
...
```

Taffy with -d10 -- No parse errors --

```
----- Ethernet_IP_UDP_DNS_opcode
0             1753488   3577710   1824222   99.68   99.92    0.24
__NEW_VALUES        0         0         0    0.00    0.00    0.00
WIDTH__             2         2         0    0.00    0.00   -0.00
5

----- TOTAL
packet        2416338   5271397   2855059  100.00  100.00    0.00
__NEW_VALUES        0         0         0    0.00    0.00    0.00
WIDTH__             1         1         0    0.00    0.00   -0.00
```

hardaker commented 7 months ago

So the story is that -d3 uses the dpkt parser internally, and -d10 uses scapy. The dpkt parser doesn't support all the DNS RR types, whereas scapy does (or at least many more). So the error counts you're seeing are related specifically to dpkt failing to parse some records. Even more specifically, they are almost certainly DNSSEC-based records, as these aren't handled at all by dpkt, unfortunately.

I've wanted to submit a patch to dpkt to get it to include some more, but haven't put one together yet. And it's unclear how active that developer is, as there are a number of unaccepted pull requests for the package. I will likely try to poke them at some point or else (hopefully not) fork it.
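Added example, not part of this thread or of traffic-taffy: a stdlib-only decoder for the DNS header flags word, since the opcode lives in the fixed 12-byte header and can be read without parsing any RR section. It is an assumption on my part (not something the thread confirms) that the -d3 column values such as 34736 and 384 are whole 16-bit flags words rather than 4-bit opcodes; decoded that way, every one of them carries opcode 0, which matches the tshark and -d10 counts.

```python
import struct
from collections import Counter

# Layout of the 16-bit DNS header flags word (RFC 1035; AD/CD bits from RFC 2535):
#   bit 15 QR | bits 14-11 OPCODE | 10 AA | 9 TC | 8 RD | 7 RA | 6 Z | 5 AD | 4 CD | 3-0 RCODE


def decode_flags(flags: int) -> dict:
    """Split a 16-bit flags word into its named fields."""
    if not 0 <= flags <= 0xFFFF:
        raise ValueError("flags word must fit in 16 bits")
    return {
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "ad": (flags >> 5) & 1,
        "cd": (flags >> 4) & 1,
        "rcode": flags & 0xF,
    }


def opcode_from_dns_message(msg: bytes) -> int:
    """Opcode from the 12-byte fixed header of a raw DNS message.
    Only the header is decoded, so RR types a full parser cannot handle
    (e.g. DNSSEC records) in the later sections cannot affect the result."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return decode_flags(flags)["opcode"]


def fold_by_opcode(rows):
    """Collapse (flags_word, packet_count) rows into per-opcode packet counts."""
    out = Counter()
    for flags, count in rows:
        out[decode_flags(flags)["opcode"]] += count
    return dict(out)


if __name__ == "__main__":
    # Constructed sample: standard-response header (id 0x1234, flags 0x8180,
    # one question, one answer) followed by body bytes that are never parsed.
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x03foo\x00\x00\x2e\x00\x01"
    print(decode_flags(34736))           # first value in the -d3 table above (assumed flags word)
    print(opcode_from_dns_message(msg))  # 0
    print(fold_by_opcode([(34736, 176336), (384, 884226), (0, 3534439)]))
```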