drill-user mailing list archives

From Ted Dunning <ted.dunn...@gmail.com>
Subject Re: Drill fails to query pcap files
Date Sat, 09 Feb 2019 20:55:00 GMT
I think that returning any usable information from the corrupt packet
(notably including the package content itself) is important because a
primary use case of the pcap query is in network forensics where you are
often looking for malware that is purposely corrupting packets.



On Thu, Feb 7, 2019 at 9:00 AM Charles Givre <cgivre@gmail.com> wrote:

> Hey Ted
> What do you think the desired behavior should be for corrupt packets?
> Should Drill just ignore, or should we maybe create a Boolean field like
> isCorrupt or something and mark corrupt packets as such?
>
> Sent from my iPhone
>
> > On Feb 7, 2019, at 11:45, Ted Dunning <ted.dunning@gmail.com> wrote:
> >
> > Giovanni,
> >
> > A critical thing to help progress here is sample corrupted data. Even just
> > information about what kind of corruption you are seeing is important.
> >
> > Packet corruption is a key technique of malware so handling bad records
> > well is of great importance.
> >
> >
> >
> >> On Thu, Feb 7, 2019 at 3:54 PM GiovanniC <gio.cnt@gmail.com> wrote:
> >>
> >> Unfortunately I don’t have more of them at the moment.
> >>
> >>> On 7 Feb 2019, at 14:33, Charles Givre <cgivre@gmail.com> wrote:
> >>>
> >>> Hi Giovanni,
> >>> Can you post additional PCAP files that don’t work?  Basically, I’m
> >>> going to add some code that will let you set a tolerance level of how many
> >>> errors Drill will tolerate before throwing an exception.
> >>> — C
> >>>
> >>>> On Feb 7, 2019, at 07:33, GiovanniC <gio.cnt@gmail.com> wrote:
> >>>>
> >>>> I can help you by doing some test.
> >>>>
> >>>>> On 6 Feb 2019, at 18:46, Charles Givre <cgivre@gmail.com> wrote:
> >>>>>
> >>>>> Just create a ticket and I will work on it.
> >>>>>
> >>>>> Sent from my iPhone
> >>>>>
> >>>>>> On Feb 6, 2019, at 12:35, Giovanni Conte <gio.cnt@gmail.com> wrote:
> >>>>>>
> >>>>>> I would like to, but I am not a java dev :(
> >>>>>>
> >>>>>> On Wed 6 Feb 2019 at 18:31 Arina Yelchiyeva <arina.yelchiyeva@gmail.com> wrote:
> >>>>>>
> >>>>>>> Contributions are always welcome :)
> >>>>>>>
> >>>>>>> Kind regards,
> >>>>>>> Arina
> >>>>>>>
> >>>>>>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cgivre@gmail.com> wrote:
> >>>>>>>>
> >>>>>>>> Hi Giovanni
> >>>>>>>> I think it would be useful for Drill to have some ability to ignore
> >>>>>>>> corrupt rows in a PCAP file.  Can you open a JIRA ticket for this?
> >>>>>>>>
> >>>>>>>> Sent from my iPhone
> >>>>>>>>
> >>>>>>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <arina.yelchiyeva@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>> Hi Giovanni,
> >>>>>>>>>
> >>>>>>>>> I don't think Drill pcap format reader has such functionality.
> >>>>>>>>>
> >>>>>>>>> Kind regards,
> >>>>>>>>> Arina
> >>>>>>>>>
> >>>>>>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <gio.cnt@gmail.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Hi,
> >>>>>>>>>> I'm trying to query a pcap file and I know that there are corrupted rows
> >>>>>>>>>> (precisely line 6407),
> >>>>>>>>>> I need a command to skip these rows to avoid the following error:
> >>>>>>>>>>
> >>>>>>>>>> Error: INTERNAL_ERROR ERROR: null
> >>>>>>>>>> Fragment 0:0
> >>>>>>>>>> Please, refer to logs for more information.
> >>>>>>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
> >>>>>>>>>> (state=,code=0)
> >>>>>>>>>>
> >>>>>>>>>> [...]
> >>>>>>>>>>
> >>>>>>>>>> the complete error is attached in the txt file () for java exceptions,
> >>>>>>>>>> along with the pcap file used for testing this issue. I would like to avoid
> >>>>>>>>>> a pre-parsing of the pcap when a corrupted row is found.
> >>>>>>>>>> Is there a way to avoid this problem?
> >>>>>>>>>> Thanks,
> >>>>>>>>>>
> >>>>>>>>>> Giovanni
> >>>>>>>>>>
> >>>>>>>>>> OS: Ubuntu 18.4
> >>>>>>>>>> Drill version: 1.15.0
> >>>>>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
> >>>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>
> >>
>
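As an added example (not part of this thread and not Drill's own pcap reader), a small classic-pcap record reader in Python that does what the thread proposes: every record comes back with an is_corrupt flag and a reason instead of being dropped, recoverable bytes of a corrupt record are still returned, and a max_errors tolerance bounds how many flagged records are accepted before an exception is raised. The function names and the sample capture are constructed for this illustration.

```python
import struct
from collections import namedtuple

PCAP_MAGIC_LE = 0xA1B2C3D4                 # classic libpcap, little-endian, usec timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")     # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
Packet = namedtuple("Packet", "index data is_corrupt reason")   # data: whatever bytes were recovered

class TooManyCorruptRecords(Exception):
    pass

def read_pcap(buf: bytes, max_errors: int = 0):
    """Yield every record; corrupt ones are flagged, not dropped. Raise once more than max_errors are flagged."""
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(buf, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled here")
    pos, index, errors = GLOBAL_HDR.size, 0, 0
    while pos < len(buf):
        reason = ""
        if len(buf) - pos < RECORD_HDR.size:
            reason, incl_len = "record header truncated", len(buf) - pos
        else:
            _, _, incl_len, orig_len = RECORD_HDR.unpack_from(buf, pos)
            pos += RECORD_HDR.size
            if incl_len > snaplen:
                # Length field cannot be trusted, so the stream cannot be resynchronised: return the rest and stop.
                reason, incl_len = "incl_len exceeds snaplen", len(buf) - pos
            elif pos + incl_len > len(buf):
                reason, incl_len = "packet data truncated", len(buf) - pos
            elif incl_len > orig_len:
                reason = "incl_len exceeds orig_len"   # layout still consistent, so parsing continues
        data = buf[pos:pos + incl_len]
        pos += incl_len
        if reason:
            errors += 1
            if errors > max_errors:
                raise TooManyCorruptRecords(f"record {index}: {reason}")
        yield Packet(index, data, bool(reason), reason)
        index += 1

def record(payload: bytes, incl_len=None, orig_len=None) -> bytes:
    """Build one record; lengths can be forced to fabricate the corruption cases above."""
    incl_len = len(payload) if incl_len is None else incl_len
    return RECORD_HDR.pack(0, 0, incl_len, incl_len if orig_len is None else orig_len) + payload

# Constructed sample capture: good, incl_len > orig_len, good, then data cut off at end of file.
SAMPLE = (GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
          + record(b"\x01" * 20) + record(b"\x02" * 10, orig_len=5)
          + record(b"\x03" * 14) + record(b"\x04" * 8, incl_len=40))
```

With max_errors=2 all four records of SAMPLE are returned and two carry is_corrupt=True; with max_errors=1 the reader raises on the last one.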
