tcptrace-bugs [patch] 257th, 1025th flow

From: Akihiro Sagawa (@sohgoh.net)
Date: 03/24/06


Date: Sat, 25 Mar 2006 04:30:05 +0900
From: Akihiro Sagawa <"qbin atusers.sourceforge.net"@sohgoh.net>
Subject: tcptrace-bugs [patch] 257th, 1025th flow
Message-Id: <20060325042930.7E44.QBIN@sohgoh.net>

Hi,
I found a tcptrace bug in the -o option with specific numbers (e.g. 257, 1025, ...).

For example,
% tcptrace -n -o256 -O256th.pcap large_chunk.pcap
83689 packets seen, 83689 TCP packets traced
elapsed wallclock time: 0:00:00.260733, 320975 pkts/sec analyzed
trace file elapsed time: 2925:52:13.445255
TCP connection info:
256: XXX.XXX.XXX.XXX:XXXX - XXX.XXX.XXX.XXX:XX (sq2sr) 7> 7< (complete)
% ls 256th.pcap
256th.pcap (OK -- this is correct)
% tcptrace -n -o257 -O257th.pcap large_chunk.pcap
(snip)
TCP connection info:
% ls 257th.pcap
(Nothing -- where is 257th flow?)
% tcptrace -n -o258 -O258th.pcap large_chunk.pcap
(snip)
TCP connection info:
258: XX.XXX.XXX.XXX:XXXXX - XXX.XXX.XXX.XXX:XX (su2sv) 14> 12< (complete) (reset)
% ls 258th.pcap
258th.pcap (OK -- No problem)

[Background]
With the -o option, OnlyConn is called with the nth flow number, e.g. 257.
The OnlyConn function decrements the ix value and then calls the MoreTcpPairs function to
enlarge ignore_pairs[] and max_tcp_pairs. In MoreTcpPairs,
they only grow to 256 (because of the preceding ix--). After calling MoreTcpPairs,
ignore_pairs[] are initialized to TRUE, and more_conns_ignored is also set to
TRUE. Only ignore_pairs[256] is set to FALSE. (Ah! 256 seems to be
out of range.)

Now, ethernet frames are read from the file. When the 256th tcp pair is found
(meaning num_tcp_pairs == 256), num_tcp_pairs+1 > max_tcp_pairs (256) is
TRUE (trace.c line 512). Thus the MoreTcpPairs function is called with
257. In MoreTcpPairs, ignore_pairs[] and max_tcp_pairs are set to 1024
(=256*4), and (this is important) ignore_pairs[256] ~ ignore_pairs[1023]
are cleared with more_conns_ignored (currently TRUE!).
Therefore the 257th flow is not output, because ignore_pairs[256] is turned
to TRUE.

The same fix for the IgnoreConn function is included in the patch, too.

--- tcptrace-6.6.7.orig/trace.c 2004-11-05 07:43:51.000000000 +0900
+++ tcptrace-6.6.7/trace.c 2006-03-25 01:54:14.017718072 +0900
@@ -2758,11 +2758,11 @@
     if (debug) fprintf(stderr,"ignoring conn %d\n", ix);

 // trace_init();
-
- --ix;

     MoreTcpPairs(ix);

+ --ix;
+
     more_conns_ignored = FALSE;
     ignore_pairs[ix] = TRUE;
 }
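Review bot: the reordering is correct but undocumented: the bug was that MoreTcpPairs(ix) received the already-decremented index and so grew the arrays to one slot fewer than the later `ignore_pairs[ix] = TRUE;` needs, and nothing in the hunk says why the decrement now follows the call. A one-line comment above `MoreTcpPairs(ix);` such as `/* ix is 1-based here; grow first, then convert to the 0-based index */` would stop the next reader from moving `--ix;` back up. Dropping the dead `// trace_init();` line in the same hunk would be a small tidy-up.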
@@ -2778,11 +2778,11 @@
     if (debug) fprintf(stderr,"only printing conn %d\n", ix_only);

 // trace_init();
-
- --ix_only;

     MoreTcpPairs(ix_only);

+ --ix_only;
+
     if (!cleared) {
         for (ix = 0; ix < max_tcp_pairs; ++ix) {
             ignore_pairs[ix] = TRUE;
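Review bot: same point for OnlyConn, plus one thing to confirm against the report's analysis: once MoreTcpPairs(ix_only) has grown the arrays to hold the 1-based count, the `if (!cleared)` loop below marks every slot below the new max_tcp_pairs as ignored, so the slot at the 0-based ix_only is now in range when it is cleared to FALSE, and any later growth only fills slots at or above the old max. A regression test that runs `-o256`, `-o257`, `-o258` and `-o1025` against a trace with more than 1025 flows would pin exactly the boundary cases the report lists.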

Regards
Akihiro SAGAWA <qbin at users.sourceforge.net>
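A small C model of the ordering bug the report describes, added here as an illustration and not tcptrace's own code: the factor-4 growth and the fill-new-slots-with-more_conns_ignored behaviour come from the report, while the starting size (64) and the realloc-based array are assumptions. `flow_is_output()` replays `-o<n>` against a trace of `total_flows` flows with either the original or the patched ordering.

```c
/* Constructed model of tcptrace's ignore_pairs[] / max_tcp_pairs handling.
 * Growth factor and fill value follow the bug report; INITIAL_PAIRS is assumed. */
#include <stdlib.h>

#define INITIAL_PAIRS 64

static int *ignore_pairs;      /* TRUE (1) = drop this flow */
static int max_tcp_pairs;
static int more_conns_ignored; /* value given to newly created slots */

/* Grow ignore_pairs[] until it holds at least n entries, multiplying by 4
 * each step; new slots inherit more_conns_ignored, as the report describes. */
static void more_tcp_pairs(int n)
{
    while (max_tcp_pairs < n) {
        int old = max_tcp_pairs;
        max_tcp_pairs *= 4;
        ignore_pairs = realloc(ignore_pairs, (size_t)max_tcp_pairs * sizeof *ignore_pairs);
        if (!ignore_pairs) abort();
        for (int i = old; i < max_tcp_pairs; i++)
            ignore_pairs[i] = more_conns_ignored;
    }
}

/* -o<ix_only>: keep only flow ix_only (1-based). fixed != 0 uses the
 * patched ordering (grow first, then convert to a 0-based index). */
static void only_conn(int ix_only, int fixed)
{
    if (!fixed) --ix_only;               /* original: decrement, then grow */
    more_tcp_pairs(ix_only);
    if (fixed) --ix_only;                /* patched: grow, then decrement */
    for (int i = 0; i < max_tcp_pairs; i++)
        ignore_pairs[i] = 1;
    more_conns_ignored = 1;
    if (ix_only < max_tcp_pairs)         /* original code writes even when out of range */
        ignore_pairs[ix_only] = 0;       /* here the stray write is skipped; growth fills it */
}

/* Reset state, apply -o<wanted>, then read total_flows flows;
 * returns 1 if flow 'wanted' would be written out, 0 if it is dropped. */
int flow_is_output(int wanted, int total_flows, int fixed)
{
    free(ignore_pairs);
    max_tcp_pairs = INITIAL_PAIRS;
    more_conns_ignored = 0;
    ignore_pairs = calloc((size_t)max_tcp_pairs, sizeof *ignore_pairs);
    if (!ignore_pairs) abort();
    only_conn(wanted, fixed);
    for (int k = 1; k <= total_flows; k++)    /* k-th flow seen in the file */
        if (k > max_tcp_pairs)
            more_tcp_pairs(k);
    return !ignore_pairs[wanted - 1];
}
```

With the original ordering, flows 256 and 258 survive while 257 and 1025 are dropped, exactly the pattern in the report; with the patched ordering all four are output.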



This archive was generated by hypermail 2.1.7 : 03/25/06 EST