Support #1400
closedReordering packet in Suricata
Description
When extracting file from HTTP (upload or download file) and SMTP (attachment in mail), i find many files have been truncated.
After testing clearly, I know this issue due to the packets were out of order.
Once Suricata has packet out of order (or have GAP), it not supports and stop dumping file anyway.
So, extract file processing not done!
If we reorder whole packets in network, it costs expensively.
Should we reorder packets only in extracting file case?
Updated by Victor Julien about 9 years ago
- Tracker changed from Bug to Support
Suricata expects packets to come in in the same order as they are on the network. Have you disabled NIC offloading settings? See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Self_Help_Diagrams#File-Extraction-and-Logging-Issues
Updated by Peter Manev about 9 years ago
In addition to Victor's comments.
Can you share a pcap that can be used to reproduce the case?
With regards to stream gaps - if you have stream gaps there is no way to extract the whole file if Suricata can not see the full transmission.
Updated by john kely about 9 years ago
I disabled NIC offloading setting follow https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction
and done https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Self_Help_Diagrams#File-Extraction-and-Logging-Issues
However, in my stat.log file:
...
decoder.invalid = 165
tcp.invalid_checksum = 0
tcp.memcap_drop = 0
...
I certainly set http_request_body, http_response_body to unlimited (0) and stream.reassembly_depth to unlimited (0).
@Victor Julien: With those settings, are you sure that suricata receive correct order packets and not need any action for reordering in any case?
Thank you very much!
Updated by john kely about 9 years ago
In my stats.log:
tcp.reaseambly_gap = 841557
tcp.sessions = 18089165
...
-> I consider this is normal?
Thanks.
Updated by Andreas Herz about 8 years ago
As peter already mentioned, it would be very helpful if you have a pcap to reproduce the issue.