drill-user mailing list archives

From Charles Givre <cgi...@gmail.com>
Subject Re: Drill fails to query pcap files
Date Thu, 07 Feb 2019 16:59:55 GMT
Hey Ted
What do you think the desired behavior should be for corrupt packets? Should Drill just ignore,
or should we maybe create a Boolean field like isCorrupt or something and mark corrupt packets
as such?

Sent from my iPhone

> On Feb 7, 2019, at 11:45, Ted Dunning <ted.dunning@gmail.com> wrote:
> 
> Giovanni,
> 
> A critical thing to help progress here is sample corrupted data. Even just
> information about what kind of corruption you are seeing is important.
> 
> Packet corruption is a key technique of malware so handling bad records
> well is of great importance.
> 
> 
> 
>> On Thu, Feb 7, 2019 at 3:54 PM GiovanniC <gio.cnt@gmail.com> wrote:
>> 
>> Unfortunately I don’t have more of them at the moment.
>> 
>>> On 7 Feb 2019, at 14:33, Charles Givre <cgivre@gmail.com> wrote:
>>> 
>>> Hi Giovanni,
>>> Can you post additional PCAP files that don’t work? Basically, I’m
>>> going to add some code that will let you set a tolerance level of how many
>>> errors Drill will tolerate before throwing an exception.
>>> — C
>>> 
>>>> On Feb 7, 2019, at 07:33, GiovanniC <gio.cnt@gmail.com> wrote:
>>>> 
>>>> I can help you by doing some tests.
>>>> 
>>>>> On 6 Feb 2019, at 18:46, Charles Givre <cgivre@gmail.com> wrote:
>>>>> 
>>>>> Just create a ticket and I will work on it.
>>>>> 
>>>>> Sent from my iPhone
>>>>> 
>>>>>> On Feb 6, 2019, at 12:35, Giovanni Conte <gio.cnt@gmail.com> wrote:
>>>>>> 
>>>>>> I would like to, but I am not a java dev :(
>>>>>> 
>>>>>> On Wed, 6 Feb 2019 at 18:31, Arina Yelchiyeva <arina.yelchiyeva@gmail.com> wrote:
>>>>>> 
>>>>>>> Contributions are always welcome :)
>>>>>>> 
>>>>>>> Kind regards,
>>>>>>> Arina
>>>>>>> 
>>>>>>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cgivre@gmail.com> wrote:
>>>>>>>> 
>>>>>>>> Hi Giovanni
>>>>>>>> I think it would be useful for Drill to have some ability to ignore
>>>>>>>> corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
>>>>>>>> 
>>>>>>>> Sent from my iPhone
>>>>>>>> 
>>>>>>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <arina.yelchiyeva@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> Hi Giovanni,
>>>>>>>>> 
>>>>>>>>> I don't think Drill pcap format reader has such functionality.
>>>>>>>>> 
>>>>>>>>> Kind regards,
>>>>>>>>> Arina
>>>>>>>>> 
>>>>>>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <gio.cnt@gmail.com> wrote:
>>>>>>>>>> 
>>>>>>>>>> Hi,
>>>>>>>>>> I'm trying to query a pcap file and I know that there are corrupted rows
>>>>>>>>>> (precisely line 6407),
>>>>>>>>>> I need a command to skip these rows to avoid the following error:
>>>>>>>>>> 
>>>>>>>>>> Error: INTERNAL_ERROR ERROR: null
>>>>>>>>>> Fragment 0:0
>>>>>>>>>> Please, refer to logs for more information.
>>>>>>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
>>>>>>>>>> (state=,code=0)
>>>>>>>>>> 
>>>>>>>>>> [...]
>>>>>>>>>> 
>>>>>>>>>> the complete error is attached in the txt file () for java exceptions,
>>>>>>>>>> along with the pcap file used for testing this issue. I would like to avoid
>>>>>>>>>> a pre-parsing of the pcap when a corrupted row is found.
>>>>>>>>>> Is there a way to avoid this problem?
>>>>>>>>>> Thanks,
>>>>>>>>>> 
>>>>>>>>>> Giovanni
>>>>>>>>>> 
>>>>>>>>>> OS: Ubuntu 18.4
>>>>>>>>>> Drill version: 1.15.0
>>>>>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
>>>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>> 
>> 
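
Added example, not part of the thread and not Drill's code: a minimal Python reader for classic little-endian pcap that combines the two ideas discussed above, a per-record is_corrupt flag and an error tolerance before raising. The names read_pcap, max_errors, _record and SAMPLE, and the sample capture itself, are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap, microsecond timestamps

def read_pcap(data, max_errors=10):
    """Parse pcap bytes into rows; damaged records are flagged, not fatal."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic, _, _, _, _, snaplen, _ = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    rows, errors, off = [], 0, 24
    while off < len(data):
        reason, fatal, payload, ts = None, False, b"", None
        if len(data) - off < 16:
            reason, fatal = "truncated record header", True
        else:
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
            ts, body = ts_sec + ts_usec / 1e6, off + 16
            if incl_len > len(data) - body:
                # The length field cannot be trusted, so the next record
                # cannot be located: keep what is left and stop reading.
                reason, fatal = "incl_len runs past end of file", True
            elif incl_len > snaplen:
                reason = "incl_len exceeds snaplen"
            elif incl_len > orig_len:
                reason = "incl_len greater than orig_len"
            payload = data[body:body + incl_len]
            off = body + incl_len
        rows.append({"ts": ts, "is_corrupt": reason is not None,
                     "reason": reason, "payload": payload})
        if reason is not None:
            errors += 1
            if errors > max_errors:
                raise ValueError(f"{errors} corrupt records exceed tolerance {max_errors}")
        if fatal:
            break
    return rows

def _record(payload, incl_len=None, orig_len=None):
    """Build one constructed pcap record, optionally with wrong length fields."""
    n = len(payload)
    return struct.pack("<IIII", 1549558795, 0, n if incl_len is None else incl_len,
                       n if orig_len is None else orig_len) + payload

# Constructed sample capture: two good records and two damaged ones.
SAMPLE = (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
          + _record(b"\x00" * 60) + _record(b"\x01" * 60, orig_len=40)
          + _record(b"\x02" * 60) + _record(b"\x03" * 8, incl_len=0x7FFFFFFF))
```

A record with inconsistent but bounded lengths is flagged and reading continues; a length that overruns the file ends the read, because nothing after it can be framed reliably.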
