NetworkMiner Abruptly crashes shortly after

Help
2010-12-10
2013-04-29
  • Chris Faulkner
    Chris Faulkner
    2010-12-10

    Right after I select the network card and hit start, it sniffs a few packets and then it crashes.   PCAP and Direct Socket.

    Windows 7 64-bit

    Description:
      Stopped working
    Problem signature:
      Problem Event Name:   CLR20r3
      Problem Signature 01: networkminer.exe
      Problem Signature 02: 0.92.0.0
      Problem Signature 03: 4bfed6e2
      Problem Signature 04: PacketParser
      Problem Signature 05: 1.0.0.0
      Problem Signature 06: 4bfed6dc
      Problem Signature 07: 31d
      Problem Signature 08: 0
      Problem Signature 09: System.NullReferenceException
      OS Version:   6.1.7600.2.0.0.256.1
      Locale ID:    1033
    
     
  • Erik Hjelmvik
    Erik Hjelmvik
    2010-12-11

    Hi Chris,

    Could you please answer these questions so that I can narrow the problem down:
    1. Is it a normal Ethernet interface you are sniffing from? If not please provide some details on the interface you are sniffing from.
    2. Does NetworkMiner crash even when the traffic volume is low?
    3. Do you get the same problem if you first sniff with Wireshark and then load that PCAP into NetworkMiner?

     
  • psteier
    psteier
    2011-02-21

    I have gotten the same sort of bull pointer reference crash.  Platform is 32 bit XP with up-to-date patches;  internet is Lenovo T61 WiFi chip.  I downloaded the source; built with MSVC 2010 Express C# and ran under the debugger.

    Information about the crash is:

    System.NullReferenceException was unhandled
      Message=Object reference not set to an instance of an object.
      Source=PacketParser
      StackTrace:
           at PacketParser.PacketHandler.GetFrame(PacketReceivedEventArgs packet) in
    C:\p\nmsource\PacketParser\PacketHandler.cs:line 410
           at PacketParser.PacketHandler.CreateFramesFromPacketsInPacketQueue() in C
    :\p\nmsource\PacketParser\PacketHandler.cs:line 339
           at PacketParser.PacketHandler.<.ctor>b__0() in C:\p\nmsource\PacketParser
    \PacketHandler.cs:line 139
           at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
           at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
           at System.Threading.ThreadHelper.ThreadStart()
      InnerException:

    PacketHandler.cs:line 410 is

                   if(packet.PacketType==NetworkWrapper.PacketReceivedEventArgs.PacketTypes.Ethernet2Packet) {

    packet has value null.

    PacketHandler.cs:line 339 is

                            Frame frame=this.GetFrame(packet);

    The value of packet came from line 337

                                  packet=receivedPacketsQueue.Dequeue();

    At the time of the crash, this.receivedPacketsQueue.Count is 319 .
    this.receivedPacketsQueue to  seem OK.
    this.receivedPacketsQueue is also null.

    I've gotten 4 crashes so far.  There is no obvious pattern.

    PCAP has been installed and I was running using it.  Crash has also occurred without use of PCAP.

     
  • psteier
    psteier
    2011-02-21

    In PacketHandler.cs, I updated method TryEnqueueReceivedPacket to add error reporting:

            public bool TryEnqueueReceivedPacket(object sender, NetworkWrapper.PacketReceivedEventArgs packet) {
                if(packet==null) {
                    this.OnAnomalyDetected("Null packet");
                    //this.parentForm.ShowError("Null packet");
                    return false;
                }
                else if(this.receivedPacketsQueue.Count<RECEIVED_PACKETS_QUEUE_MAX_SIZE) {
                    lock(this.receivedFramesQueue)
                        this.receivedPacketsQueue.Enqueue(packet);

                    if(this.receivedPacketsQueue.Count>0 && this.receivedPacketsQueue.Peek()==null) {
                        this.OnAnomalyDetected("Null put on queue");
                    }

                    this.OnBufferUsageChanged(new Events.BufferUsageEventArgs((this.receivedPacketsQueue.Count*100)/RECEIVED_PACKETS_QUEUE_MAX_SIZE));
                    //this.parentForm.SetBufferUsagePercent((this.receivedPacketsQueue.Count*100)/RECEIVED_PACKETS_QUEUE_MAX_SIZE);
                    return true;
                }
                else {
                    this.OnAnomalyDetected("Packet dropped");
                    //this.parentForm.ShowError("Packet dropped");
                    return false;
                }
            }

    and put breakpoints on the calls to OnAnomalyDetected.  Using PCAP,  I found that the call to this.receivedPacketsQueue.Enqueue was failing.  this.receivedPacketsQueue.Message has value "Destination array was not long enough. Check destIndex and length, and the array's lower bounds.".  The problem may be that packet.data is 1314 bytes.  packet.PacketType is Ethernet2Packet.

    call stack is

    > PacketParser.dll!PacketParser.PacketHandler.TryEnqueueReceivedPacket(object sender, NetworkWrapper.PacketReceivedEventArgs packet) Line 317

                        this.OnAnomalyDetected("Null put on queue");

    NetworkMiner.exe!NetworkMiner.PacketHandlerWrapper.SnifferPacketReceived(object sender, NetworkWrapper.PacketReceivedEventArgs packet) Line 162 + 0x1a bytes

                if(packetHandler.TryEnqueueReceivedPacket(sender, packet)) {

    NetworkWrapper.dll!NetworkWrapper.WinPCapSniffer.ReceivePacketListener(object sender, NetworkWrapper.PcapHeader ph, byte data) Line 177

                PacketReceived(this, eventArgs);

    NetworkWrapper.dll!NetworkWrapper.WinPCapWrapper.ReadNextLoop() Line 315

                            PacketArrival.Invoke(this, packetHeader, arr);

    The code I showed above is not always at the line shown in the stack.

     
  • psteier
    psteier
    2011-02-21

    I think the bug is in method TryEnqueueReceivedPacket in PacketHandler.cs.  The lines:

                    lock(this.receivedFramesQueue)
                        this.receivedPacketsQueue.Enqueue(packet);

    should be

                    lock(this.receivedPacketsQueue)
                        this.receivedPacketsQueue.Enqueue(packet);

    i.e., one queue is being locked and another one is being updated, leading to threading problems.

    Also in method ResetCapturedData, I think that

                    lock(this.receivedPacketsQueue) {
                    }

    should surround the body of the method and that a call to lock() should be used for each call to Reset(), i.e.

            public void ResetCapturedData(){
                lock(this.receivedPacketsQueue) {
                    lock(this.networkHostList)
                        this.networkHostList.Clear();
                    nFramesReceived=0;
                    nBytesReceived=0;
                    lock(receivedFramesQueue)
                        receivedFramesQueue.Clear();
                    this.fileStreamAssemblerList.ClearAll();
                    lock(this.networkTcpSessionList)
                        this.networkTcpSessionList.Clear();
                    lock(this.reconstructedFileList)
                        this.reconstructedFileList.Clear();
                    lock(this.credentialList)
                        this.credentialList.Clear();
                    this.lastBufferUsagePercent=null;

                    foreach(PacketHandlers.IPacketHandler packetHandler in this.packetHandlerList)
                        packetHandler.Reset();
                    foreach(PacketHandlers.ITcpSessionPacketHandler packetHandler in this.tcpSessionPacketHandlerList)
                        packetHandler.Reset();

                    this.receivedPacketsQueue.Clear();
                }
            }

     
  • Erik Hjelmvik
    Erik Hjelmvik
    2011-02-22

    Thanks for your input psteier!

    I think this is the first time a NetworkMiner user solves a bug completely on his own! It's a bit hard for me to validate your solution since I haven't been able to trigger the bug myself, but you are very right about the fact that the wrong queue was locked in PacketHandler.cs.

    This bug will be corrected in the next release of NetworkMiner.

    BTW: I don't recommend using the "Reload Case Files" button or "Tools > Delete Captured Data" while sniffing or loading a pcap file. Make sure you abort the packet capturing / file loading before you press Reload/Delete.

    Anyway, great work with finding + solving the bug!