Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] safe_pcap_next ERROR: Invalid packet length in send_packets.c:get_next_packet() line 1068: 92442 is greater than maximum 65549 #571

Closed
cgi1 opened this issue Dec 27, 2019 · 6 comments
Closed

[Bug] safe_pcap_next ERROR: Invalid packet length in send_packets.c:get_next_packet() line 1068: 92442 is greater than maximum 65549 #571

cgi1 opened this issue Dec 27, 2019 · 6 comments
Assignees
@fklassen
Labels
4.3.3 bug
Milestone
4.3.3

Comments

@cgi1
Copy link

cgi1 commented Dec 27, 2019
edited
Loading

Steps to reproduce the behavior:

  1. Loading a PCAP using
$ sudo tcpreplay -i lo mine.pcap
  1. results in
safe_pcap_next ERROR: Invalid packet length in send_packets.c:get_next_packet() line 1068: 92442 is greater than maximum 65549

Digging into source code, It looks like there are packages within the PCAP over the MAXPACKET variable, which is why the code fails here. I suggest upgrading MAXPACKET from 65549 to 131098 in here.

So:

#define MAXPACKET 65549         /* was 16436 linux loopback, but maybe something is bigger then
                                   linux loopback */
#define MAX_SNAPLEN 65535       /* tell libpcap to capture the entire packet */

Will become:

#define MAXPACKET 131098         /* was 16436 linux loopback, but maybe something is bigger then
                                   linux loopback */
#define MAX_SNAPLEN 131098       /* tell libpcap to capture the entire packet */

I just want to know, if you see any problems here. I am also a bit worried about the comment 16436 linux loopback, which looks like I should go with anouther type of interface to replay on.

System (please complete the following information):

  • Ubuntu 18.04
cgi@cgires:~$ sudo tcpreplay -V
tcpreplay version: 4.3.2 (build git:v4.3.2)
Copyright 2013-2018 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.9.1
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled
Packet editing: disabled
Fragroute engine: disabled
Injection method: PF_PACKET send()
Not compiled with netmap

Additional context
Could provide example PCAP private.
@fklassen
Copy link
Member

fklassen commented May 8, 2020

If PCAP is small enough, rename to mine.pcap.txt and drag into issue.

@fklassen fklassen self-assigned this May 20, 2020
@zynzynack zynzynack mentioned this issue May 29, 2020
Closed
@zynzynack
Copy link

Also see the-tcpdump-group/tcpdump#856

@guyharris
Copy link

Also see the-tcpdump-group/tcpdump#856

Including my comment, in which tcpdump, when run by a version of tcpprep compiled and run on macOS, printed "tcpdump: unknown file format" when I handed tcpprep a pcap file written by tcpdump. (That happened both with Apple's tcpdump, which was not writing pcapng files in this case, and a built-from-tip-of-master and linked-with-libpcap-built-from-tip-of-master tcpdump writing the file.)

Configure output from tcpreplay:

##########################################################################
             TCPREPLAY Suite Configuration Results (4.3.1)
##########################################################################
libpcap:                    /usr/local (>= 0.9.6)
PF_RING libpcap             no   
libdnet:                    /usr/local   1.12
autogen:                     (unknown - man pages will not be built)
Use libopts tearoff:        yes
64bit counter support:      yes
tcpdump binary path:        /usr/sbin/tcpdump
fragroute support:          yes
tcpbridge support:          yes
tcpliveplay support:        no

Supported Packet Injection Methods (*):
Linux TX_RING:              no
Linux PF_PACKET:            no
BSD BPF:                    yes
libdnet:                    yes
pcap_inject:                yes
pcap_sendpacket:            yes **
pcap_netmap                 no
Linux/BSD netmap:           no
Tuntap device support:      no

* In order of preference; see configure --help to override
** Required for tcpbridge

configure: WARNING: Apple OS X versions prior to 10.5 (Leopard) have a serious problem!
Please see: http://tcpreplay.synfin.net/trac/ticket/142 for more details

(Note, BTW, that the tcpreplay.synfin.net link doesn't work.)

@guyharris
Copy link

Digging into source code, It looks like there are packages within the PCAP over the MAXPACKET variable

Packets within the "my.pcap" file, or packets within whatever tcpprep is piping to tcpdump?

If tcpdump can read your my.pcap file, it's probably not a problem with packets within the "my.pcap" file. Perhaps the code that's writing to the pipe to tcpdump is writing mangled output.

@fklassen fklassen added this to the 4.3.3 milestone Jun 2, 2020
@fklassen
Copy link
Member

fklassen commented Jun 2, 2020
edited
Loading

I am starting work on this, but and finding it difficult to find a capture with a packet > 65535 bytes.

Also, the maximum packet size should be 262144 to match maximum snaplen in Wireshark. It reflects libpcap's MAXIMUM_SNAPLEN.

fklassen added a commit that referenced this issue Jun 2, 2020
@fklassen
Bug #571 Increase SNAPLEN to 262144
824bbd3
fklassen added a commit that referenced this issue Jun 2, 2020
@fklassen
Bug #571: remove extract_data function
c0e9780 
This function was not used anywhere, yet it consumed
a complete packet buffer on the stack.
fklassen added a commit that referenced this issue Jun 2, 2020
@fklassen
Bug #571 Increase SNAPLEN to 262144
9a1c94d
fklassen added a commit that referenced this issue Jun 2, 2020
@fklassen
Bug #571: remove extract_data function
7f933e2 
This function was not used anywhere, yet it consumed
a complete packet buffer on the stack.
fklassen added a commit that referenced this issue Jun 2, 2020
@fklassen
Bug #571 do not allocate MAXPACKET on stack
0e071da 
Now that MAXPACKET size has increased, it is no longer
reasonable to allocate this much on the stack.
fklassen added a commit that referenced this issue Jun 2, 2020
@fklassen
Bug #571 Increase SNAPLEN to 262144
f3f5324
fklassen added a commit that referenced this issue Jun 2, 2020
@fklassen
Bug #571: remove extract_data function
6c2e9dc 
This function was not used anywhere, yet it consumed
a complete packet buffer on the stack.
fklassen added a commit that referenced this issue Jun 2, 2020
@fklassen
Bug #571 do not allocate MAXPACKET on stack
a416f7c 
Now that MAXPACKET size has increased, it is no longer
reasonable to allocate this much on the stack.
fklassen added a commit that referenced this issue Jun 2, 2020
@fklassen
Bug #571 tcpcapinfo: fail on excessive snaplen
6b84b18
fklassen added a commit that referenced this issue Jun 2, 2020
@fklassen
Merge pull request #593 from appneta/Bug_#571_max_packet_from_65549_t…
00ef0e8 
…o_262144

Bug #571 max packet from 65549 to 262144
@fklassen
Copy link
Member

fklassen commented Jun 2, 2020

Fixed in PR #593

@fklassen fklassen closed this as completed Jun 2, 2020
@fklassen fklassen mentioned this issue Jun 3, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fklassen fklassen

Labels
4.3.3 bug
Projects
None yet
Milestone
4.3.3
Development

No branches or pull requests
4 participants
@fklassen @guyharris @cgi1 @zynzynack