Feature #751
closedAdd invalid packet counter
Description
To be able to detect bad interface setting, it could be interesting to add a per-interface invalid counter.
Updated by Victor Julien almost 12 years ago
- Status changed from New to Assigned
- Assignee set to Eric Leblond
- Target version set to 1.4.1
Updated by Eric Leblond almost 12 years ago
There is no inheritance of failure between Decode functions and these functions are chained: DecodePcap->DecodeEthernet->DecodeVlan->DecodeIpv4 to mention a simple example chain.
So, to detect a decoding failure, it seems we need to update all the functions. An alternative could be to check the value of header pointers (like ip4h or tcph). If they are null there is an issue with the packet. But this suppose we are able to easily get a picture of what should be non-NULL...
A last alternative I see would be to only update the higher protocol level (TCP, UDP, SCTP) so the impact of the patch is minimal.
Updated by Victor Julien almost 12 years ago
I think we should just add the increment of this counter to each decoder (maybe we can macro it?). Higher level only won't help as the higher level won't be invoked if ipv4 iplen > caplen.
Updated by Eric Leblond almost 12 years ago
The following branch contains a series proposal for this bug and #752: https://github.com/regit/suricata/commits/bug751
I'm not really happy with it so any idea welcome.
Updated by Victor Julien almost 12 years ago
- Target version changed from 1.4.1 to 2.0beta1
Updated by Victor Julien over 11 years ago
- Priority changed from Normal to High
Not sure about https://github.com/regit/suricata/commit/3fe5b1d405b0cebb6794057df810e5f48fc9a653, but the other two patches look good. In the "Update auto checksum API" patch you also flag bad csums as invalid, not sure if we should do that. The other "invalids" are (almost?) all for malformed packets, invalid csum is a lot more common. Thoughts?
Updated by Eric Leblond over 11 years ago
After reading this "Update auto checksum API" patch again, I'm not happy with it. If having a counter for invalid_pkts is a good idea, it is not interesting for to use it for packet checksum. So I think we need an other approach. Here's the PR with rebased patches: https://github.com/inliniac/suricata/pull/393
Updated by Victor Julien over 11 years ago
- Target version changed from 2.0beta1 to 2.0beta2
Updated by Eric Leblond about 11 years ago
- Status changed from Assigned to Closed
Implemented in https://github.com/inliniac/suricata/pull/671
Updated by Victor Julien about 11 years ago
- Tracker changed from Bug to Feature