Re: Problems capturing sebek win32 3.0.3 traffic on roo honeywall

[Edward Balas <ebalas () iu edu>]

Truong, Thanh V. wrote:

> Michael,
> I have the same problem.  After a little debugging, I found that
> pcapheader->caplen is always equal to [(datlen*2) + pkt_head_sz] but in
> your "if" statement (in sbk_extract.c) you check to see if
> pcapheader->caplen = datlen + pkt_head_sz.  That will fail.  So, it
> will complain about the malformed package.
>
> After putting that in, it seems to work fine.  But I haven't fully
> tested to see if all functions work.
>
> I'm running sebekd-3.0.3 on Fedora 4.  I hope that and pcap output from
> Rich Compton will help you looking into it.
>
>  
Hey all,

This a not the recomended way to work around this.  datalen+pkt_head_sz 
should
equal caplen, if it does not then the client is sending malformed records.

Looking at Rich's data, we see the following for the first packet.

rectype=0
caplen=176
len=39
discrepancy=39 
data*2=0x4d6963726f736f66742057696e646f7773205850205b56657273696f6e20352e312e323630305d000000000000000000000000000000000000000

Firing up this same packet into ethereal or other sniffer here is what 
we see.

caplength of 176
ip total length of 123

Ethernet header shows a trailer which should not be there of 35 bytes
and another 4 bytes which should be the frame check sequence are
also null.  So at the tail end of the frame we see 39 null bytes, same
as the length of the data.

This is a malformed packet.  Can you provide details on the client system?


Edward