pandora-users

Re: [Pandora] strange behaviour of tcpscan component


From: Simon Patarin
Subject: Re: [Pandora] strange behaviour of tcpscan component
Date: Tue, 3 Dec 2002 09:06:42 +0100 (CET)

> while doing some tests on pandora I found that the following stacks don't
> print the same number of packets
>
> %prova12ip {
> #       @pcap [ $device = "eth0" ];
>       @pcap [ $file = "/home/ulisses/prova11.dump" ];
> #      @ipfragswitch (
> #                        @demux [ $algo = "ipquad" ]
> #                        < @ipreass [ $timeout = 30 ] >
> #                    )
>       @print;
>       @discard;
> }
>
> %prova12tcp {
>       @pcap [ $file = "/home/ulisses/prova11.dump" ];
> #      @ipfragswitch (
> #                        @demux [ $algo = "ipquad" ]
> #                        < @ipreass [ $timeout = 30 ] >
> #                    )
>       @tcpscan;
>       @print;
>       @discard;
> }

A simple explanation would be that there are non-TCP packets in your dump:
the @tcpscan component discards any IP packet that is not TCP. What does
`tcpdump -n -q -S -r prova11.dump not tcp | wc -l' return? If this is not
the exact difference between the two counts, then this is strange!
However, when building TCP packets from IP ones, pandora might discard
some (supposedly) malformed TCP packets, but it should print a warning
message when doing so.

As a side note, you do not need a @discard component after the @print:
@print never forwards packets to the rest of the stack. Conversely,
if you do want packets to be printed _and_ forwarded, you should use a
@trace component. Finally, there is also a @count component that counts
the number of packets seen at one point of the stack; for example you can
use:

%prova12 {
      @pcap [ $file = "/home/ulisses/prova11.dump" ];
      @count;
      @tcpscan;
      @count;
      @discard;
}

to see immediately the difference mentioned above.

Simon
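The check Simon proposes can be tried without a real dump. The script below is an added illustration written for this archive page, not code from Pandora or from anyone in the thread: it reads a pcap file with a hand-written parser, counts every frame (what %prova12ip prints) and every well-formed TCP packet (what survives @tcpscan), and reports the two quantities that should explain the gap: frames `tcpdump ... not tcp` would match, and IP packets whose protocol field says TCP but whose captured bytes do not hold a complete TCP header. That last class is an assumption standing in for the "malformed TCP packets" the reply mentions; the post does not say what Pandora's actual criterion is. The capture is constructed inline (Ethernet link type, IPv4 only, checksums left zero), so the example runs offline.

```python
"""Replay the two pandora stacks from the thread over a pcap in pure Python.

Added example, not Pandora's code. Models: @print counts every frame the
@pcap source delivers; @tcpscan forwards only well-formed TCP packets.
"""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_MIN_HDR_LEN = 20


def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Ethernet + IPv4 frame with a 20-byte IP header (IP checksum left zero)."""
    total_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0, src, dst)
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + payload


def tcp_segment(sport=12345, dport=80, flags=0x02):
    """Minimal 20-byte TCP header (SYN by default), no options, no data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


def build_pcap(frames):
    """Little-endian libpcap file: 24-byte global header, then one record per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield captured frames from pcap bytes; the magic number fixes header endianness."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify(frame):
    """Return 'not-tcp', 'tcp-malformed' or 'tcp' for one captured frame.

    'not-tcp' is what `tcpdump ... not tcp` matches (non-IPv4 frames included).
    'tcp-malformed' is an assumed stand-in for the case the reply mentions: the
    IP protocol field says TCP, but the captured bytes lack a full TCP header.
    """
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return "not-tcp"
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    if frame[ETH_HDR_LEN + 9] != IPPROTO_TCP:
        return "not-tcp"
    tcp = frame[ETH_HDR_LEN + ihl:]
    if len(tcp) < TCP_MIN_HDR_LEN or (tcp[12] >> 4) * 4 > len(tcp):
        return "tcp-malformed"
    return "tcp"


def count_stacks(pcap_bytes):
    """Counts for the two stacks in the thread plus the breakdown that explains the gap."""
    tally = {"not-tcp": 0, "tcp-malformed": 0, "tcp": 0}
    for frame in iter_pcap(pcap_bytes):
        tally[classify(frame)] += 1
    return {
        "print_stack": sum(tally.values()),        # %prova12ip: @pcap -> @print
        "tcpscan_stack": tally["tcp"],             # %prova12tcp: @pcap -> @tcpscan -> @print
        "not_tcp": tally["not-tcp"],               # tcpdump ... not tcp | wc -l
        "tcp_malformed": tally["tcp-malformed"],   # the warning case, if the gap is larger
    }


# Constructed sample capture: 3 TCP, 2 UDP, 1 ICMP, 1 TCP with only 8 header bytes captured.
SAMPLE_PCAP = build_pcap([
    build_ipv4(IPPROTO_TCP, tcp_segment()),
    build_ipv4(17, struct.pack("!HHHH", 53, 1024, 8, 0)),      # UDP
    build_ipv4(IPPROTO_TCP, tcp_segment(dport=443)),
    build_ipv4(1, b"\x08\x00\x00\x00\x00\x01\x00\x01"),       # ICMP echo request
    build_ipv4(17, struct.pack("!HHHH", 123, 123, 8, 0)),      # UDP
    build_ipv4(IPPROTO_TCP, tcp_segment(flags=0x10)),
    build_ipv4(IPPROTO_TCP, tcp_segment()[:8]),                 # truncated TCP header
])

if __name__ == "__main__":
    for key, value in count_stacks(SAMPLE_PCAP).items():
        print(f"{key:14} {value}")
```

On the constructed capture the print stack sees 7 frames and the tcpscan stack 3; the `not tcp` count of 3 does not explain the whole gap, and the remaining 1 is the truncated TCP packet, i.e. the situation where Simon says a warning should appear. To run it against a real dump, replace SAMPLE_PCAP with the bytes of the file (`open("prova11.dump", "rb").read()`); captures with a non-Ethernet link type would need the 14-byte offset adjusted.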

