Project

General

Profile

Actions
Copy link

Support #1882

closed

I don't know why the 2nd file TRUNCATED

Added by seungho yang over 7 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
seungho yang
Affected Versions:
Label:

Description

There are 2 files in the pcap file.
I get the pcap file from test network env. using TAP.

suricata 3.1.1 result
  • first file is closed
  • second file is truncated
wireshark 1.12.6 result
  • 2 files(systemd)
NetworkMiner 2.0 result
  • 2 files(systemd)

I don't know why the 2nd file TRUNCATED.
I tried to check the source, stream-tcp-reassemble.c

execution
[root@suricata suricata3]# /opt/suricata3/bin/suricata -c /opt/suricata3/config/suricata.yaml -r log.pcap.1472709340.tcp8080.dport49736.pcap

line 2920,add 3 printf
(stream->seg_list != NULL && /*2*/
SEQ_GT(stream->seg_list->seq, stream->ra_app_base_seq+1) &&
SEQ_LT(stream->seg_list->seq, stream->last_ack)))
printf("ysh-stream->seg_list->seq: %u\n", stream->seg_list->seq);
printf("ysh-stream->ra: %u\n", stream->ra_app_base_seq+1);
printf("ysh-stream->last_ack: %u\n", stream->last_ack);
then printed,
ysh-stream->seg_list->seq: 4098035050
ysh-stream->ra: 4098030962
ysh-stream->last_ack: 4098036510

suricata.yaml -config for file extraction, noting special
  • depth: 0
  • request-body-limit: 0
  • response-body-limit: 0

Files

Download all files
log.pcap.1472709340.tcp8080.dport49736.pcap (5.31 MB) log.pcap.1472709340.tcp8080.dport49736.pcap pcap file captured by suricata3(pcap-log) seungho yang, 09/02/2016 05:17 AM
wireshark1.12.6-http-object.png (53.4 KB) wireshark1.12.6-http-object.png wireshark 1.12.6 export objects result(2 files) seungho yang, 09/02/2016 05:18 AM
networkminer2.0.png (13.3 KB) networkminer2.0.png networkminer 2.0 result(2 files) seungho yang, 09/02/2016 05:21 AM
suricata3.1.1.png (29.2 KB) suricata3.1.1.png suricata 3.1.1 result(closed, truncated) seungho yang, 09/02/2016 05:25 AM
Actions
Copy link

Also available in: Atom PDF