Bug #3040

pcap: with -r <single file> pcap_open_offline failure does not lead to non-zero exit code

Added by Victor Julien 3 months ago. Updated about 1 month ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

[19811] 11/6/2019 -- 18:21:03 - (suricata.c:1067) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (rev b5f3e0320) running in USER mode
[19812] 11/6/2019 -- 18:21:03 - (source-pcap-file-helper.c:174) <Error> (InitPcapFile) -- [ERRCODE: SC_ERR_FOPEN(44)] - invalid interface capture length 524288, bigger than maximum of 262144
[19812] 11/6/2019 -- 18:21:03 - (source-pcap-file.c:274) <Warning> (ReceivePcapFileThreadInit) -- [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - Failed to init pcap file <pcap file>, skipping
[19811] 11/6/2019 -- 18:21:03 - (tm-threads.c:2157) <Notice> (TmThreadWaitOnThreadInit) -- all 5 packet processing threads, 4 management threads initialized, engine started.
[19812] 11/6/2019 -- 18:21:03 - (source-pcap-file.c:161) <Error> (ReceivePcapFileLoop) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - pcap file reader thread failed to initialize
[19811] 11/6/2019 -- 18:21:03 - (suricata.c:2843) <Notice> (SuricataMainLoop) -- Signal Received.  Stopping engine.
# echo $?
0

Expected outcome is that this would return an error.

History

#1

Updated by Andreas Herz 3 months ago

  • Assignee set to OISF Dev
  • Target version set to TBD

How did you trigger this, so I can reproduce it?

#2

Updated by Victor Julien 3 months ago

This was with a pcap that had a capture size of 512k, which my libpcap rejects. Can't share the pcap itself. Maybe it's possible to craft one.

#3

Updated by Danny Browning about 1 month ago

This is an outcome of not having the process not return the thread error information when the initialize fails.

The thread initialize has to return ok, otherwise the thread error information is output instead.
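
Because the exit status cannot be relied on in the case reported above, a pipeline can check the capture's global header before handing the file to `suricata -r`. The following is an added example, not part of the original ticket or Suricata's code: the function names are hypothetical, the 262144 limit is the one quoted in the log above, and only the classic pcap format is handled.

```python
import struct
import sys

# Limit quoted in the log on this page ("bigger than maximum of 262144").
# Assumption: the libpcap in use applies this limit to the file's link type.
MAX_SNAPLEN = 262144

# First 4 bytes on disk -> struct byte-order prefix for the rest of the header.
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}


def make_header(snaplen, endian="<"):
    """Build a constructed 24-byte classic pcap global header (test input)."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    return struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)


def check_pcap_header(header):
    """Return (ok, reason) for the first 24 bytes of a capture file."""
    if len(header) < 24:
        return False, "truncated global header"
    endian = _MAGICS.get(header[:4])
    if endian is None:
        return False, "not a classic pcap file (pcapng is not handled here)"
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", header[4:24]
    )
    if snaplen > MAX_SNAPLEN:
        return False, f"snaplen {snaplen} exceeds maximum {MAX_SNAPLEN}"
    return True, f"pcap {major}.{minor}, snaplen {snaplen}, linktype {linktype}"


def preflight(path):
    """Read only the global header of the file at `path` and check it."""
    with open(path, "rb") as fh:
        return check_pcap_header(fh.read(24))


if __name__ == "__main__":
    ok, reason = preflight(sys.argv[1])
    print(reason)
    sys.exit(0 if ok else 1)  # non-zero exit the caller can act on
```

`make_header(524288)` produces a header with the 512k capture size described in comment #2, which `check_pcap_header` rejects.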
