Possible Session Crash.

Help
TCB13
2012-01-14
2013-04-29
  • TCB13
    2012-01-14

    Hi,

    I was trying to parse some pcap files and I found out that since version 0.88 NetworkMiner crashes. I think the problem is related to the sessions feature since in version 0.88 it can successfully parse the file.

    Is this a known bug? Is there a fix? :S

    Thanks.

     
  • Erik Hjelmvik
    2012-01-14

    Hi,

    This is not a known bug if you are able to crash the latest version (1.2) of NetworkMiner.
    Is the crash reliable, i.e. does it crash the same way every time you open a specific pcap file?

    Also, is there some way you would be able to share some pcap data, which we can use to recreate the crash you are experiencing?

    Regards,
    Erik Hjelmvik

     
  • TCB13
    2012-01-14

    Hi,

    Yes, I can crash version 1.2. The crash is reliable; in one pcap I have, it always crashes at about 2% after 31 sessions. I've split the file into smaller ones and the crash also happens. Other captures also make it crash.

    After some time messing around with my pcap files, I noticed that all the files that make it crash have fragmented IP protocol. If I filter them in Wireshark using "!ip.fragments" and make a new pcap of the results, it works fine.

    Hope this gets fixed.

     
  • Erik Hjelmvik
    2012-01-14

    I've now loaded multiple pcap files containing fragmented IP packets (I've looked for "ip.fragments" as well as "ip.flags.mf eq 1"). But I have not yet been able to crash NetworkMiner.

    May I ask what application layer protocol the fragmented IP packet(s) contains?

     
  • TCB13
    2012-01-15

    Hi,

    Most of the traffic is HTTP, but is there a way I can debug NetworkMiner to tell you exactly what made it crash and what it was processing?

    Thanks.

     
  • TCB13
    2012-01-15

    Hi,

    Starting with SplitCap, everything seems to be ok:

    C:\Users\TCB13>C:\Users\TCB13\Desktop\SplitCap_1-9\SplitCap.exe -r C:\Users\TCB13\Desktop\splt_00158_20120112133149-crash.pcap  -s noplit
    Splitting pcap file into seperate pcap files...
    100%
    Please wait while closing all file handles...
    C:\Users\TCB13>
    

    Now VS debug on NetworkMiner:

    I get "NullReferenceException was unhandled" at (NetworkTcpSession.cs line: 46) :

    "public bool FinPacketReceived { get { return this.finPacketReceived && (clientToServerTcpDataStream == null || (this.clientToServerFinPacketSequenceNumber <= clientToServerTcpDataStream.ExpectedTcpSequenceNumber && this.serverToClientFinPacketSequenceNumber < serverToClientTcpDataStream.ExpectedTcpSequenceNumber) || serverToClientTcpDataStream == null); } }"

    Also a screenshot of this:

    So this after all seems to be something related to sessions management…

    Have a nice day!

     
  • Erik Hjelmvik
    2012-01-15

    The details you've supplied were (hopefully) enough to solve the bug. I have now modified the code for the FinPacketReceived getter to avoid null references.

    Please send an email to me at: erik.hjelmvik  gmail.com in order to get the fixed version to try on your pcap file.

    Thanks!

    /erik
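
The getter quoted in the thread dereferences serverToClientTcpDataStream before its own null test is reached, so a session that has only a client-to-server stream throws. The C# sketch below is an added example, not code from the thread or from NetworkMiner and not the fix that was shipped; the TcpDataStream and TcpSessionSketch classes, the uint field types, the FinPacketReceivedOriginal/FinPacketReceivedSafe names and the sample values are assumptions made for illustration.

```csharp
using System;

// Hypothetical stand-in for the per-direction stream type; only the property
// that the getter reads is modelled.
class TcpDataStream {
    public uint ExpectedTcpSequenceNumber;
}

class TcpSessionSketch {
    public bool finPacketReceived;
    public TcpDataStream clientToServerTcpDataStream, serverToClientTcpDataStream;
    public uint clientToServerFinPacketSequenceNumber, serverToClientFinPacketSequenceNumber;

    // Expression as quoted in the thread. The test for a null server-to-client
    // stream is the last operand, so the middle operand dereferences it first.
    public bool FinPacketReceivedOriginal { get { return this.finPacketReceived && (clientToServerTcpDataStream == null || (this.clientToServerFinPacketSequenceNumber <= clientToServerTcpDataStream.ExpectedTcpSequenceNumber && this.serverToClientFinPacketSequenceNumber < serverToClientTcpDataStream.ExpectedTcpSequenceNumber) || serverToClientTcpDataStream == null); } }

    // Null-safe variant: both null tests run before any dereference. It returns
    // the same value as the original in every case where the original returns.
    public bool FinPacketReceivedSafe {
        get {
            if (!finPacketReceived) return false;
            if (clientToServerTcpDataStream == null || serverToClientTcpDataStream == null) return true;
            return clientToServerFinPacketSequenceNumber <= clientToServerTcpDataStream.ExpectedTcpSequenceNumber
                && serverToClientFinPacketSequenceNumber < serverToClientTcpDataStream.ExpectedTcpSequenceNumber;
        }
    }
}

static class Program {
    static void Main() {
        // Constructed session state: FIN seen, data observed in one direction only.
        var session = new TcpSessionSketch {
            finPacketReceived = true,
            clientToServerTcpDataStream = new TcpDataStream { ExpectedTcpSequenceNumber = 1000 },
            clientToServerFinPacketSequenceNumber = 900
        };
        try {
            Console.WriteLine("original getter: " + session.FinPacketReceivedOriginal);
        } catch (NullReferenceException) {
            Console.WriteLine("original getter: NullReferenceException");
        }
        Console.WriteLine("null-safe getter: " + session.FinPacketReceivedSafe);
    }
}
```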