Bug #1555

closed

Suricata core dumps on OpenBSD 5.7 in decode.c:229

Added by Anonymous over 8 years ago. Updated almost 8 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

uname -a
OpenBSD fw 5.7 GENERIC.MP#767 i386

suricata -V
This is Suricata version 2.1dev (rev 4a73802)

gdb suricata suricata.core
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd5.7"...
Core was generated by `suricata'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libpthread.so.18.1...done.
Loaded symbols for /usr/lib/libpthread.so.18.1
Loaded symbols for /usr/local/bin/suricata
Reading symbols from /usr/local/lib/libhtp.so.1.0...done.
Loaded symbols for /usr/local/lib/libhtp.so.1.0
Reading symbols from /usr/local/lib/libGeoIP.so.9.0...done.
Loaded symbols for /usr/local/lib/libGeoIP.so.9.0
Reading symbols from /usr/local/lib/libmagic.so.4.2...done.
Loaded symbols for /usr/local/lib/libmagic.so.4.2
Reading symbols from /usr/lib/libz.so.5.0...done.
Loaded symbols for /usr/lib/libz.so.5.0
Reading symbols from /usr/local/lib/libiconv.so.6.0...done.
Loaded symbols for /usr/local/lib/libiconv.so.6.0
Reading symbols from /usr/lib/libpcap.so.8.0...done.
Loaded symbols for /usr/lib/libpcap.so.8.0
Reading symbols from /usr/local/lib/libnet.so.11.0...done.
Loaded symbols for /usr/local/lib/libnet.so.11.0
Reading symbols from /usr/local/lib/libjansson.so.1.0...done.
Loaded symbols for /usr/local/lib/libjansson.so.1.0
Symbols already loaded for /usr/lib/libpthread.so.18.1
Reading symbols from /usr/local/lib/libyaml.so.0.0...done.
Loaded symbols for /usr/local/lib/libyaml.so.0.0
Reading symbols from /usr/local/lib/libpcre.so.3.0...done.
Loaded symbols for /usr/local/lib/libpcre.so.3.0
Reading symbols from /usr/local/lib/libplds4.so.23.1...done.
Loaded symbols for /usr/local/lib/libplds4.so.23.1
Reading symbols from /usr/local/lib/libplc4.so.23.1...done.
Loaded symbols for /usr/local/lib/libplc4.so.23.1
Reading symbols from /usr/local/lib/libnspr4.so.23.1...done.
Loaded symbols for /usr/local/lib/libnspr4.so.23.1
Reading symbols from /usr/lib/libc.so.78.1...done.
Loaded symbols for /usr/lib/libc.so.78.1
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
#0  memcpy (dst0=0x7b376a08, src0=0x7b97336f, length=0)
    at /usr/src/lib/libc/string/memcpy.c:88
88                      TLOOP1(*dst++ = *src++);
(gdb) print dst
$1 = 0x7b43d699 "" 
(gdb) print src
$2 = 0x7ba3a000 <Address 0x7ba3a000 out of bounds>
(gdb) where
#0  memcpy (dst0=0x7b376a08, src0=0x7b97336f, length=0)
    at /usr/src/lib/libc/string/memcpy.c:88
#1  0x1ac0ea3a in PacketCopyData (p=0x7b376550, pktdata=0x7b97336f "", pktlen=-83919010)
    at decode.c:229
#2  0x1ad292de in PcapCallbackLoop (user=0x833c7500 "", h=0x7b96c7f0, pkt=0x7b97336f "")
    at source-pcap.c:253
#3  0x0190928d in pcap_read (p=0x8b64ae00, cnt=64, callback=0x1ad29220 <PcapCallbackLoop>, 
    user=0x833c7500 "") at /usr/src/lib/libpcap/pcap-bpf.c:188
#4  0x01907b9d in pcap_dispatch (p=0x8b64ae00, cnt=64, 
    callback=0x1ad29220 <PcapCallbackLoop>, user=0x833c7500 "")
    at /usr/src/lib/libpcap/pcap.c:59
#5  0x1ad29702 in ReceivePcapLoop (tv=0x7ad63f80, data=0x833c7500, slot=0x7fde6a00)
    at source-pcap.c:316
#6  0x1ad51f73 in TmThreadsSlotPktAcqLoop (td=0x7ad63f80) at tm-threads.c:336
#7  0x0f00580e in _rthread_start (v=0x7ad19e00) at /usr/src/lib/librthread/rthread.c:145
#8  0x0d2c2b06 in __tfork_thread () at /usr/src/lib/libc/arch/i386/sys/tfork_thread.S:95
(gdb) up
#1  0x1ac0ea3a in PacketCopyData (p=0x7b376550, pktdata=0x7b97336f "", pktlen=-83919010)
    at decode.c:229
229             memcpy(p->ext_pkt + offset, data, datalen);
(gdb) print *p
$3 = {src = {family = 0 '\0', address = {address_un_data32 = {0, 0, 0, 0}, 
      address_un_data16 = {0, 0, 0, 0, 0, 0, 0, 0}, 
      address_un_data8 = '\0' <repeats 15 times>}}, dst = {family = 0 '\0', address = {
      address_un_data32 = {0, 0, 0, 0}, address_un_data16 = {0, 0, 0, 0, 0, 0, 0, 0}, 
      address_un_data8 = '\0' <repeats 15 times>}}, {sp = 0, type = 0 '\0'}, {dp = 0, 
    code = 0 '\0'}, proto = 0 '\0', recursion_level = 0 '\0', vlan_id = {0, 0}, 
  vlan_idx = 0 '\0', flowflags = 0 '\0', flags = 0, flow = 0x0, ts = {tv_sec = 528, 
    tv_usec = 65554}, {pcap_v = {tenant_id = 0}}, 
  ReleasePacket = 0x1ad4b070 <PacketPoolReturnPacket>, pktvar = 0x0, ethh = 0x0, 
  level3_comp_csum = -1, level4_comp_csum = -1, ip4h = 0x0, ip6h = 0x0, {ip4vars = {
      comp_csum = 0, ip_src_u32 = 0, ip_dst_u32 = 0, ip_opts = {{type = 0 '\0', 
          len = 0 '\0', data = 0x7b376a2c ""}, {type = 0 '\0', len = 0 '\0', 
          data = 0x0} <repeats 39 times>}, ip_opt_cnt = 0 '\0', o_rr = 0x0, o_qs = 0x0, 
      o_ts = 0x0, o_sec = 0x0, o_lsrr = 0x0, o_cipso = 0x0, o_sid = 0x0, o_ssrr = 0x0, 
      o_rtralt = 0x0}, {ip6vars = {ip_opts_len = 0 '\0', l4proto = 0 '\0'}, ip6eh = {
        ip6fh = 0x0, fh_offset = 0, ip6rh = 0x0, ip6ah = 0x7b376a2c, ip6eh = 0x0, 
        ip6dh1 = 0x0, ip6dh2 = 0x0, ip6hh = 0x0, ip6hh_opt_hao = {ip6hao_type = 0 '\0', 
          ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = {
              __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 
                0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6hh_opt_ra = {ip6ra_type = 0 '\0', 
          ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6hh_opt_jumbo = {ip6j_type = 0 '\0', 
          ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6dh1_opt_hao = {
          ip6hao_type = 0 '\0', ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = {
              __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 
                0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6dh1_opt_ra = {ip6ra_type = 0 '\0', 
          ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6dh1_opt_jumbo = {ip6j_type = 0 '\0', 
          ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6dh2_opt_hao = {
          ip6hao_type = 0 '\0', ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = {
              __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 
                0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6dh2_opt_ra = {ip6ra_type = 0 '\0', 
          ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6dh2_opt_jumbo = {ip6j_type = 0 '\0', 
          ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6_exthdrs = {{type = 0 '\0', 
            next = 0 '\0', len = 0 '\0', data = 0x0} <repeats 40 times>}, 
        ip6_exthdrs_cnt = 0 '\0'}}}, {tcpvars = {tcp_opt_cnt = 0 '\0', tcp_opts = {{
          type = 8 '\b', len = 10 '\n', data = 0x7b376a42 ""}, {type = 4 '\004', 
          len = 2 '\002', data = 0x7b376a44 ""}, {type = 8 '\b', len = 10 '\n', 
          data = 0x7b376a46 ""}, {type = 3 '\003', len = 3 '\003', data = 0x7b376a51 ""}, {
          type = 0 '\0', len = 0 '\0', data = 0x0} <repeats 16 times>}, ts = 0x0, 
      sack = 0x0, sackok = 0x0, ws = 0x0, mss = 0x0}, udpvars = {<No data fields>}, 
    icmpv4vars = {id = 0, seq = 0, mtu = 2568, error_ptr = 2067229250, emb_ipv4h = 0x204, 
      emb_tcph = 0x7b376a44, emb_udph = 0xa08, emb_icmpv4h = 0x7b376a46, emb_ip4_src = {
        s_addr = 771}, emb_ip4_dst = {s_addr = 2067229265}, emb_ip4_hlen = 0 '\0', 
      emb_ip4_proto = 0 '\0', emb_sport = 0, emb_dport = 0}, icmpv6vars = {id = 0, 
      seq = 0, mtu = 2568, error_ptr = 2067229250, emb_ipv6h = 0x204, 
      emb_tcph = 0x7b376a44, emb_udph = 0xa08, emb_icmpv6h = 0x7b376a46, emb_ip6_src = {
        771, 2067229265, 0, 0}, emb_ip6_dst = {0, 0, 0, 0}, emb_ip6_proto_next = 0 '\0', 
      emb_sport = 0, emb_dport = 0}}, tcph = 0x0, udph = 0x0, sctph = 0x0, icmpv4h = 0x0, 
  icmpv6h = 0x0, ppph = 0x0, pppoesh = 0x0, pppoedh = 0x0, greh = 0x0, vlanh = {0x0, 0x0}, 
  payload = 0x0, payload_len = 0, action = 0 '\0', pkt_src = 1 '\001', 
  pktlen = 4211048286, ext_pkt = 0x0, livedev = 0x8398bd80, alerts = {cnt = 0, alerts = {{
        num = 17151, action = 1 '\001', flags = 0 '\0', s = 0x8307d000, tx_id = 0}, {
        num = 17151, action = 1 '\001', flags = 0 '\0', s = 0x8307d000, tx_id = 0}, {
        num = 0, action = 0 '\0', flags = 0 '\0', s = 0x0, tx_id = 0} <repeats 13 times>}, 
    drop = {num = 0, action = 0 '\0', flags = 0 '\0', s = 0x0, tx_id = 0}}, 
  host_src = 0x0, host_dst = 0x0, pcap_cnt = 0, events = {cnt = 0 '\0', 
    events = "\210w", '\0' <repeats 12 times>}, app_layer_events = 0x0, next = 0x0, 
  prev = 0x0, datalink = 1, debuglog_flowbits_names_len = 0, 
  debuglog_flowbits_names = 0x0, root = 0x0, tunnel_mutex = 0x877d14c0, 
  tunnel_rtv_cnt = 0, tunnel_tpr_cnt = 0, tenant_id = 0, pool = 0x7acd8600}
(gdb) print pktlen
$4 = -83919010
(gdb) print pktdata
$5 = (uint8_t *) 0x7b97336f "" 
(gdb) print *pktdata
$6 = 0 '\0'
(gdb) up
#2  0x1ad292de in PcapCallbackLoop (user=0x833c7500 "", h=0x7b96c7f0, pkt=0x7b97336f "")
    at source-pcap.c:253
253         if (unlikely(PacketCopyData(p, pkt, h->caplen))) {
(gdb) print *p
$7 = {src = {family = 0 '\0', address = {address_un_data32 = {0, 0, 0, 0}, 
      address_un_data16 = {0, 0, 0, 0, 0, 0, 0, 0}, 
      address_un_data8 = '\0' <repeats 15 times>}}, dst = {family = 0 '\0', address = {
      address_un_data32 = {0, 0, 0, 0}, address_un_data16 = {0, 0, 0, 0, 0, 0, 0, 0}, 
      address_un_data8 = '\0' <repeats 15 times>}}, {sp = 0, type = 0 '\0'}, {dp = 0, 
    code = 0 '\0'}, proto = 0 '\0', recursion_level = 0 '\0', vlan_id = {0, 0}, 
  vlan_idx = 0 '\0', flowflags = 0 '\0', flags = 0, flow = 0x0, ts = {tv_sec = 528, 
    tv_usec = 65554}, {pcap_v = {tenant_id = 0}}, 
  ReleasePacket = 0x1ad4b070 <PacketPoolReturnPacket>, pktvar = 0x0, ethh = 0x0, 
  level3_comp_csum = -1, level4_comp_csum = -1, ip4h = 0x0, ip6h = 0x0, {ip4vars = {
      comp_csum = 0, ip_src_u32 = 0, ip_dst_u32 = 0, ip_opts = {{type = 0 '\0', 
          len = 0 '\0', data = 0x7b376a2c ""}, {type = 0 '\0', len = 0 '\0', 
          data = 0x0} <repeats 39 times>}, ip_opt_cnt = 0 '\0', o_rr = 0x0, o_qs = 0x0, 
      o_ts = 0x0, o_sec = 0x0, o_lsrr = 0x0, o_cipso = 0x0, o_sid = 0x0, o_ssrr = 0x0, 
      o_rtralt = 0x0}, {ip6vars = {ip_opts_len = 0 '\0', l4proto = 0 '\0'}, ip6eh = {
        ip6fh = 0x0, fh_offset = 0, ip6rh = 0x0, ip6ah = 0x7b376a2c, ip6eh = 0x0, 
        ip6dh1 = 0x0, ip6dh2 = 0x0, ip6hh = 0x0, ip6hh_opt_hao = {ip6hao_type = 0 '\0', 
          ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = {
              __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 
                0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6hh_opt_ra = {ip6ra_type = 0 '\0', 
          ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6hh_opt_jumbo = {ip6j_type = 0 '\0', 
          ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6dh1_opt_hao = {
          ip6hao_type = 0 '\0', ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = {
              __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 
                0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6dh1_opt_ra = {ip6ra_type = 0 '\0', 
          ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6dh1_opt_jumbo = {ip6j_type = 0 '\0', 
          ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6dh2_opt_hao = {
          ip6hao_type = 0 '\0', ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = {
              __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 
                0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6dh2_opt_ra = {ip6ra_type = 0 '\0', 
          ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6dh2_opt_jumbo = {ip6j_type = 0 '\0', 
          ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6_exthdrs = {{type = 0 '\0', 
            next = 0 '\0', len = 0 '\0', data = 0x0} <repeats 40 times>}, 
        ip6_exthdrs_cnt = 0 '\0'}}}, {tcpvars = {tcp_opt_cnt = 0 '\0', tcp_opts = {{
          type = 8 '\b', len = 10 '\n', data = 0x7b376a42 ""}, {type = 4 '\004', 
          len = 2 '\002', data = 0x7b376a44 ""}, {type = 8 '\b', len = 10 '\n', 
          data = 0x7b376a46 ""}, {type = 3 '\003', len = 3 '\003', data = 0x7b376a51 ""}, {
          type = 0 '\0', len = 0 '\0', data = 0x0} <repeats 16 times>}, ts = 0x0, 
      sack = 0x0, sackok = 0x0, ws = 0x0, mss = 0x0}, udpvars = {<No data fields>}, 
    icmpv4vars = {id = 0, seq = 0, mtu = 2568, error_ptr = 2067229250, emb_ipv4h = 0x204, 
      emb_tcph = 0x7b376a44, emb_udph = 0xa08, emb_icmpv4h = 0x7b376a46, emb_ip4_src = {
        s_addr = 771}, emb_ip4_dst = {s_addr = 2067229265}, emb_ip4_hlen = 0 '\0', 
      emb_ip4_proto = 0 '\0', emb_sport = 0, emb_dport = 0}, icmpv6vars = {id = 0, 
      seq = 0, mtu = 2568, error_ptr = 2067229250, emb_ipv6h = 0x204, 
      emb_tcph = 0x7b376a44, emb_udph = 0xa08, emb_icmpv6h = 0x7b376a46, emb_ip6_src = {
        771, 2067229265, 0, 0}, emb_ip6_dst = {0, 0, 0, 0}, emb_ip6_proto_next = 0 '\0', 
      emb_sport = 0, emb_dport = 0}}, tcph = 0x0, udph = 0x0, sctph = 0x0, icmpv4h = 0x0, 
  icmpv6h = 0x0, ppph = 0x0, pppoesh = 0x0, pppoedh = 0x0, greh = 0x0, vlanh = {0x0, 0x0}, 
  payload = 0x0, payload_len = 0, action = 0 '\0', pkt_src = 1 '\001', 
  pktlen = 4211048286, ext_pkt = 0x0, livedev = 0x8398bd80, alerts = {cnt = 0, alerts = {{
        num = 17151, action = 1 '\001', flags = 0 '\0', s = 0x8307d000, tx_id = 0}, {
        num = 17151, action = 1 '\001', flags = 0 '\0', s = 0x8307d000, tx_id = 0}, {
        num = 0, action = 0 '\0', flags = 0 '\0', s = 0x0, tx_id = 0} <repeats 13 times>}, 
    drop = {num = 0, action = 0 '\0', flags = 0 '\0', s = 0x0, tx_id = 0}}, 
  host_src = 0x0, host_dst = 0x0, pcap_cnt = 0, events = {cnt = 0 '\0', 
    events = "\210w", '\0' <repeats 12 times>}, app_layer_events = 0x0, next = 0x0, 
  prev = 0x0, datalink = 1, debuglog_flowbits_names_len = 0, 
  debuglog_flowbits_names = 0x0, root = 0x0, tunnel_mutex = 0x877d14c0, 
  tunnel_rtv_cnt = 0, tunnel_tpr_cnt = 0, tenant_id = 0, pool = 0x7acd8600}
(gdb) up
#3  0x0190928d in pcap_read (p=0x8b64ae00, cnt=64, callback=0x1ad29220 <PcapCallbackLoop>, 
    user=0x833c7500 "") at /usr/src/lib/libpcap/pcap-bpf.c:188
188                     (*callback)(user, (struct pcap_pkthdr*)bp, bp + hdrlen);
(gdb) print *bp
$8 = 16 '\020'
(gdb) 
(gdb) print hdrlen
$9 = 27519
(gdb) print user
$10 = (u_char *) 0x833c7500 "" 
(gdb) print *user
$11 = 0 '\0'
(gdb) up
#4  0x01907b9d in pcap_dispatch (p=0x8b64ae00, cnt=64, 
    callback=0x1ad29220 <PcapCallbackLoop>, user=0x833c7500 "")
    at /usr/src/lib/libpcap/pcap.c:59
59              return (pcap_read(p, cnt, callback, user));
(gdb) print *p
$12 = {fd = 9, snapshot = 1516, linktype = 1, tzoff = 0, offset = 0, activated = 1, 
  oldstyle = 0, break_loop = 0, sf = {rfile = 0x0, swapped = 0, version_major = 0, 
    version_minor = 0, base = 0x0}, md = {stat = {ps_recv = 0, ps_drop = 0, 
      ps_ifdrop = 0}, use_bpf = 0, TotPkts = 0, TotAccepted = 0, TotDrops = 0, 
    TotMissed = 0, OrigMissed = 0, timeout = 500, must_do_on_close = 0, next = 0x0}, 
  opt = {buffer_size = 0, source = 0x7be25610 "em0", promisc = 1, rfmon = 0}, 
  bufsize = 32768, buffer = 0x7b966000 "+{?Usk\b", bp = 0x7b96b384 "\004\016", cc = 0, 
  pkt = 0x0, fcode = {bf_len = 0, bf_insns = 0x0}, dlt_count = 1, dlt_list = 0x80f150e0, 
  errbuf = '\0' <repeats 255 times>, pcap_header = {ts = {tv_sec = 0, tv_usec = 0}, 
    caplen = 0, len = 0}}
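
In the session above, PacketCopyData is called with h->caplen and receives pktlen=-83919010 (p->pktlen = 4211048286) while the pcap handle reports snapshot = 1516 and bufsize = 32768. The following is an added example, not Suricata's code and not the change made for this bug: a sanity check on the capture header before the copy. The names cap_hdr, cap_hdr_check, guarded_copy and as_int32 are hypothetical, and the sample frame and the len values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values taken from the gdb session in the report. */
#define REPORT_SNAPLEN 1516u                 /* pcap handle: snapshot = 1516 */
#define REPORT_BUFSIZE 32768u                /* pcap handle: bufsize = 32768 */
#define REPORT_CAPLEN  UINT32_C(4211048286)  /* p->pktlen in the dump */

/* Hypothetical stand-in for the length fields of struct pcap_pkthdr. */
struct cap_hdr {
    uint32_t caplen; /* bytes captured */
    uint32_t len;    /* bytes on the wire */
};

enum cap_check { CAP_OK, CAP_EMPTY, CAP_OVER_SNAPLEN, CAP_OVER_WIRELEN, CAP_OVER_BUFFER };

/* Reinterpret the 32 bits as signed, matching how gdb prints pktlen. */
int32_t as_int32(uint32_t v)
{
    int32_t s;
    memcpy(&s, &v, sizeof s);
    return s;
}

/* Check a capture header against the handle's limits before trusting caplen.
 * avail is the number of bytes left in the capture buffer at the packet start. */
enum cap_check cap_hdr_check(const struct cap_hdr *h, uint32_t snaplen, size_t avail)
{
    if (h->caplen == 0)      return CAP_EMPTY;
    if (h->caplen > snaplen) return CAP_OVER_SNAPLEN;
    if (h->caplen > h->len)  return CAP_OVER_WIRELEN;
    if (h->caplen > avail)   return CAP_OVER_BUFFER;
    return CAP_OK;
}

/* Copy the packet only when the header is plausible; returns bytes copied or -1. */
long guarded_copy(uint8_t *dst, size_t dst_size, const uint8_t *pkt,
                  const struct cap_hdr *h, uint32_t snaplen, size_t avail)
{
    enum cap_check rc = cap_hdr_check(h, snaplen, avail);
    if (rc != CAP_OK || h->caplen > dst_size) {
        fprintf(stderr, "drop: caplen=%lu (signed %ld) len=%lu snaplen=%lu check=%d\n",
                (unsigned long)h->caplen, (long)as_int32(h->caplen),
                (unsigned long)h->len, (unsigned long)snaplen, (int)rc);
        return -1;
    }
    memcpy(dst, pkt, h->caplen);
    return (long)h->caplen;
}

int main(void)
{
    uint8_t frame[60] = {0};                    /* constructed minimal frame */
    uint8_t dst[REPORT_SNAPLEN];
    struct cap_hdr ok  = { 60, 60 };            /* constructed, plausible header */
    struct cap_hdr bad = { REPORT_CAPLEN, 60 }; /* caplen from the report, len constructed */

    printf("ok  -> %ld\n", guarded_copy(dst, sizeof dst, frame, &ok, REPORT_SNAPLEN, sizeof frame));
    printf("bad -> %ld\n", guarded_copy(dst, sizeof dst, frame, &bad, REPORT_SNAPLEN, REPORT_BUFSIZE));
    return 0;
}
```

A check of this kind turns the out-of-bounds read into a logged drop, and the logged header values help when a separately recorded pcap does not reproduce the crash.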

Actions #1

Updated by Victor Julien over 8 years ago

  • Description updated (diff)

Can you privately share the pcap?

Actions #2

Updated by Anonymous over 8 years ago

This was during live traffic inspection, no recording taking place at the time. I've started independent pcap recording now (so even if Suricata crashes, the packet will be captured). I should have a packet dump with the crash within a few hours.

FWIW, this has happened several times, typically within 3-6 hours after I start Suricata.

Actions #3

Updated by Victor Julien over 8 years ago

Ah yes, I misread the bt. Looking forward to the pcap once you have it.

Actions #4

Updated by Anonymous over 8 years ago

Got a crash again, same details. Unfortunately, the pcap doesn't trigger the problem. Either it's a state-dependent bug (I doubt it, given where it manifests) or the offending packet is so weird that it doesn't pass sanity checking before being saved to disk.

I'm open to ideas (including testing diagnostic patches).

Actions #5

Updated by Anonymous over 8 years ago

Correction: the crash details are similar, although the packet that triggered it *seems* to be different:

(gdb) print *p
$1 = {src = {family = 0 '\0', address = {address_un_data32 = {0, 0, 0, 0}, 
      address_un_data16 = {0, 0, 0, 0, 0, 0, 0, 0}, 
      address_un_data8 = '\0' <repeats 15 times>}}, dst = {family = 0 '\0', 
    address = {address_un_data32 = {0, 0, 0, 0}, address_un_data16 = {0, 0, 0, 
        0, 0, 0, 0, 0}, address_un_data8 = '\0' <repeats 15 times>}}, {sp = 0, 
    type = 0 '\0'}, {dp = 0, code = 0 '\0'}, proto = 0 '\0', 
  recursion_level = 0 '\0', vlan_id = {0, 0}, vlan_idx = 0 '\0', 
  flowflags = 0 '\0', flags = 0, flow = 0x0, ts = {tv_sec = 3780035699, 
    tv_usec = -2011678025}, {pcap_v = {tenant_id = 0}}, 
  ReleasePacket = 0x161bb070 <PacketPoolReturnPacket>, pktvar = 0x0, 
  ethh = 0x0, level3_comp_csum = -1, level4_comp_csum = -1, ip4h = 0x0, 
  ip6h = 0x0, {ip4vars = {comp_csum = 0, ip_src_u32 = 0, ip_dst_u32 = 0, 
      ip_opts = {{type = 0 '\0', len = 0 '\0', 
          data = 0x0} <repeats 40 times>}, ip_opt_cnt = 0 '\0', o_rr = 0x0, 
      o_qs = 0x0, o_ts = 0x0, o_sec = 0x0, o_lsrr = 0x0, o_cipso = 0x0, 
      o_sid = 0x0, o_ssrr = 0x0, o_rtralt = 0x0}, {ip6vars = {
        ip_opts_len = 0 '\0', l4proto = 0 '\0'}, ip6eh = {ip6fh = 0x0, 
        fh_offset = 0, ip6rh = 0x0, ip6ah = 0x0, ip6eh = 0x0, ip6dh1 = 0x0, 
        ip6dh2 = 0x0, ip6hh = 0x0, ip6hh_opt_hao = {ip6hao_type = 0 '\0', 
          ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = {
              __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 
                0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6hh_opt_ra = {
          ip6ra_type = 0 '\0', ip6ra_len = 0 '\0', ip6ra_value = 0}, 
        ip6hh_opt_jumbo = {ip6j_type = 0 '\0', ip6j_len = 0 '\0', 
          ip6j_payload_len = 0}, ip6dh1_opt_hao = {ip6hao_type = 0 '\0', 
          ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = {
              __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 
                0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6dh1_opt_ra = {
          ip6ra_type = 0 '\0', ip6ra_len = 0 '\0', ip6ra_value = 0}, 
        ip6dh1_opt_jumbo = {ip6j_type = 0 '\0', ip6j_len = 0 '\0', 
          ip6j_payload_len = 0}, ip6dh2_opt_hao = {ip6hao_type = 0 '\0', 
          ip6hao_len = 0 '\0', ip6hao_hoa = {__u6_addr = {
              __u6_addr8 = '\0' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 
                0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}}, ip6dh2_opt_ra = {
          ip6ra_type = 0 '\0', ip6ra_len = 0 '\0', ip6ra_value = 0}, 
        ip6dh2_opt_jumbo = {ip6j_type = 0 '\0', ip6j_len = 0 '\0', 
          ip6j_payload_len = 0}, ip6_exthdrs = {{type = 0 '\0', next = 0 '\0', 
            len = 0 '\0', data = 0x0} <repeats 40 times>}, 
        ip6_exthdrs_cnt = 0 '\0'}}}, {tcpvars = {tcp_opt_cnt = 0 '\0', 
      tcp_opts = {{type = 8 '\b', len = 10 '\n', data = 0x76272a42 ""}, {
          type = 5 '\005', len = 10 '\n', data = 0x76272a4e ""}, {
          type = 3 '\003', len = 3 '\003', data = 0x76272a49 "\004"}, {
          type = 8 '\b', len = 10 '\n', data = 0x76272a4e ""}, {
          type = 20 '\024', len = 0 '\0', data = 0x0}, {type = 0 '\0', 
          len = 0 '\0', data = 0x0} <repeats 15 times>}, ts = 0x0, sack = 0x0, 
      sackok = 0x0, ws = 0x0, mss = 0x0}, udpvars = {<No data fields>}, 
    icmpv4vars = {id = 0, seq = 0, mtu = 2568, error_ptr = 1982278210, 
      emb_ipv4h = 0xa05, emb_tcph = 0x76272a4e, emb_udph = 0x303, 
      emb_icmpv4h = 0x76272a49, emb_ip4_src = {s_addr = 2568}, emb_ip4_dst = {
        s_addr = 1982278222}, emb_ip4_hlen = 20 '\024', 
      emb_ip4_proto = 0 '\0', emb_sport = 0, emb_dport = 0}, icmpv6vars = {
      id = 0, seq = 0, mtu = 2568, error_ptr = 1982278210, emb_ipv6h = 0xa05, 
      emb_tcph = 0x76272a4e, emb_udph = 0x303, emb_icmpv6h = 0x76272a49, 
      emb_ip6_src = {2568, 1982278222, 20, 0}, emb_ip6_dst = {0, 0, 0, 0}, 
      emb_ip6_proto_next = 0 '\0', emb_sport = 0, emb_dport = 0}}, tcph = 0x0, 
  udph = 0x0, sctph = 0x0, icmpv4h = 0x0, icmpv6h = 0x0, ppph = 0x0, 
  pppoesh = 0x0, pppoedh = 0x0, greh = 0x0, vlanh = {0x0, 0x0}, payload = 0x0, 
  payload_len = 0, action = 0 '\0', pkt_src = 1 '\001', pktlen = 3229159843, 
  ext_pkt = 0x0, livedev = 0x847afe40, alerts = {cnt = 0, alerts = {{
        num = 17129, action = 1 '\001', flags = 0 '\0', s = 0x7d6e6000, 
        tx_id = 0}, {num = 17151, action = 1 '\001', flags = 0 '\0', 
        s = 0x84d91800, tx_id = 0}, {num = 0, action = 0 '\0', flags = 0 '\0', 
        s = 0x0, tx_id = 0} <repeats 13 times>}, drop = {num = 0, 
      action = 0 '\0', flags = 0 '\0', s = 0x0, tx_id = 0}}, host_src = 0x0, 
  host_dst = 0x0, pcap_cnt = 0, events = {cnt = 0 '\0', 
    events = "nw", '\0' <repeats 12 times>}, app_layer_events = 0x80f43f10, 
  next = 0x0, prev = 0x0, datalink = 1, debuglog_flowbits_names_len = 0, 
  debuglog_flowbits_names = 0x0, root = 0x0, tunnel_mutex = 0x834116c0, 
  tunnel_rtv_cnt = 0, tunnel_tpr_cnt = 0, tenant_id = 0, pool = 0x76198880}

Note the difference in TCP options. Not sure the dump can be trusted, of course.

Actions #6

Updated by Victor Julien over 8 years ago

The bt is different, but the packet looks somewhat similar to #1572. Esp the parsed icmp4vars. It's interesting though, that we see this even before any of the decoders is called.

Actions #7

Updated by Victor Julien almost 8 years ago

Is this still an issue with 3.0.1?

Actions #8

Updated by Victor Julien almost 8 years ago

  • Status changed from New to Closed