Re: [Pandora] extrange behaviour of tcpscan component
From: uaca
Subject: Re: [Pandora] extrange behaviour of tcpscan component
Date: Tue, 3 Dec 2002 09:28:15 +0100
User-agent: Mutt/1.3.28i
Hi Simon
On Tue, Dec 03, 2002 at 09:06:42AM +0100, Simon Patarin wrote:
[...]
> > # < @ipreass [ $timeout = 30 ] >
> > # )
> > @tcpscan;
> > @print;
> > @discard;
> > }
>
> A simple explanation would be that there are non-TCP packets in your dump:
> the @tcpscan component discards any IP packet that is not TCP. What does
> `tcpdump -n -q -S -r prova11.dump not tcp|wc -l' return?
address@hidden ulisses]$ tcpdump -n -q -S -r prova11.dump not tcp|wc -l
0
> if this is not
> the exact difference between the two counts, then, this is strange!
> However, when building TCP packets from IP ones, pandora might discard
> some (supposedly) malformed TCP packets, but it should print a warning
> message when doing so.
Well, I think I found where some packets are removed:
tcppacket.h:reject()
It rejects, for instance, the usual final segment of the three-way handshake.
I will send you a patch that adds an option to optionally reject no packet.
> As a side note, you do not need a @discard component after the @print:
> @print never forwards packets to the rest of the stack. At the opposite,
> if you do want packets to be printed _and_ forwarded, you should use a
> @trace component. Finally, there is also a @count component that counts
> the number of packets seen in one point of the stack, for example you can
> use:
>
> %prova12 {
> @pcap [ $file = "/home/ulisses/prova11.dump" ];
> @count;
> @tcpscan;
> @count;
> @discard;
> }
Thanks so much for your notes.
I'm going to work on this right now; I'll try to extend this thread.
Ulisses
-----------------------------------------------------------------------------
"Computers are useless. They can only give answers." Pablo Picasso
---> Visit http://www.valux.org/ to learn about the <---
---> Asociación Valenciana de Usuarios de Linux <---