
Skips some HTTP requests for some reason

Open v0s opened this issue 4 years ago • 0 comments

Noticed that justniffer drops some requests, supposedly those that weren't correctly closed.

Example:
https://vos.uz/f/t/1.pcap — drops this request
https://vos.uz/f/t/2.pcap — parses this one fine

NIDS state transition on a normal stream: 7 → 1 → 2 → 2 → 3 (NIDS_CLOSE)
On a buggy stream: 7 → 1 → 2 → 2 → 6 (NIDS_EXITING)

I also noticed that -t (bool handle_truncated) isn't used anywhere. Perhaps NIDS_EXITING should be handled like this:

diff --git a/src/formatter.cpp b/src/formatter.cpp
old mode 100644
new mode 100755
index 7f45024..aff0342
--- a/src/formatter.cpp
+++ b/src/formatter.cpp
@@ -60,6 +60,9 @@ void parser::nids_handler(struct tcp_stream *ts, void **yoda, struct timeval* t,
                        }
                        break;
                case NIDS_EXITING:
+                       if (theOnlyParser->handle_truncated) {
+                               theOnlyParser->process_timedout_connection(ts, t, packet);
+                       }
                    break;
                case NIDS_OPENING:
                        theOnlyParser->process_opening_connection(ts, t, packet);
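Review bot: the mode change at the head of the diff (old mode 100644, new mode 100755) makes src/formatter.cpp executable and has nothing to do with the fix; drop it before submitting. In the new NIDS_EXITING branch, check what the timeval `t` holds when libnids delivers that state: if it is the exit time rather than the stream's last-packet time, `process_timedout_connection(ts, t, packet)` will stamp every flushed request with the end of the capture, which would explain the out-of-order output described under the patch; recording the stream's own last-packet time when flushing would keep the line in capture order. Since -t currently gates nothing, the option's help text should also be updated to say that it now flushes streams still open at exit.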

I didn't look into the architecture, though; this one outputs the postponed line after all the other ones of the dump file, out of order.

v0s, May 21 '20 19:05
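The two transition sequences in the report (7 → 1 → 2 → 2 → 3 for a stream that closes, 7 → 1 → 2 → 2 → 6 for one that is only reported when the capture ends) and the out-of-order flush can be modelled without libnids. The program below is an added example, not justniffer's or libnids' code: it buffers each stream's request bytes, writes a record on NIDS_CLOSE, and, when a -t-style flag is set, also writes out still-open streams on NIDS_EXITING, stamped with the stream's last-packet time and sorted so the late flush lands in capture order instead of at the end. The state numbers follow the issue; NIDS_OPENING = 7 is inferred from the quoted sequence, and the streams, timestamps and request bytes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* libnids stream states as quoted in the issue (7 -> 1 -> 2 -> 2 -> 3 / 6).
 * NIDS_OPENING = 7 is an assumption read off that sequence. */
enum { NIDS_JUST_EST = 1, NIDS_DATA = 2, NIDS_CLOSE = 3,
       NIDS_EXITING = 6, NIDS_OPENING = 7 };

struct stream {
    int id;
    double last_seen;   /* timestamp of the last packet seen on this stream */
    int emitted;        /* set once the request has been written out */
    size_t len;
    char buf[256];      /* reassembled request bytes */
};

struct record {
    int stream_id;
    double ts;          /* time the record sorts at in the output */
    int truncated;      /* 1 when flushed at exit without a proper close */
    char text[256];
};

#define MAX_RECORDS 16
static struct record records[MAX_RECORDS];
static int nrecords;
static int handle_truncated;   /* models the -t option */

static void emit(struct stream *s, double ts, int truncated)
{
    if (nrecords >= MAX_RECORDS || s->emitted) return;
    struct record *r = &records[nrecords++];
    r->stream_id = s->id;
    r->ts = ts;
    r->truncated = truncated;
    memcpy(r->text, s->buf, s->len);
    r->text[s->len] = '\0';
    s->emitted = 1;
}

/* Stand-in for the nids_handler switch: one call per state change. */
static void nids_handler(struct stream *s, int state, double ts, const char *data)
{
    switch (state) {
    case NIDS_OPENING:
        s->len = 0; s->emitted = 0; s->last_seen = ts;
        break;
    case NIDS_JUST_EST:
        s->last_seen = ts;
        break;
    case NIDS_DATA: {
        size_t n = strlen(data);
        if (s->len + n < sizeof s->buf) { memcpy(s->buf + s->len, data, n); s->len += n; }
        s->last_seen = ts;
        break;
    }
    case NIDS_CLOSE:
        emit(s, ts, 0);
        break;
    case NIDS_EXITING:
        /* Last chance: the stream never closed. Flush what was buffered, but
         * stamp it with the stream's own last packet time, not the exit time. */
        if (handle_truncated && s->len > 0)
            emit(s, s->last_seen, 1);
        break;
    }
}

static int cmp_ts(const void *a, const void *b)
{
    const struct record *x = a, *y = b;
    return (x->ts > y->ts) - (x->ts < y->ts);
}

/* Replays the constructed capture and returns the number of records written. */
int run_demo(int flush_truncated)
{
    struct stream a = { .id = 1 }, b = { .id = 2 }, c = { .id = 3 };
    nrecords = 0;
    handle_truncated = flush_truncated;

    /* Stream 1: normal 7 -> 1 -> 2 -> 2 -> 3 */
    nids_handler(&a, NIDS_OPENING, 1.0, NULL);
    nids_handler(&a, NIDS_JUST_EST, 1.1, NULL);
    nids_handler(&a, NIDS_DATA, 1.2, "GET /a HTTP/1.1\r\n");
    nids_handler(&a, NIDS_DATA, 1.3, "Host: example.test\r\n\r\n");
    nids_handler(&a, NIDS_CLOSE, 1.4, NULL);

    /* Stream 2: the buggy case, never closed, only reported at exit */
    nids_handler(&b, NIDS_OPENING, 2.0, NULL);
    nids_handler(&b, NIDS_JUST_EST, 2.1, NULL);
    nids_handler(&b, NIDS_DATA, 2.2, "GET /b HTTP/1.1\r\n");
    nids_handler(&b, NIDS_DATA, 2.3, "Host: example.test\r\n\r\n");

    /* Stream 3: another normal stream, later in the capture */
    nids_handler(&c, NIDS_OPENING, 3.0, NULL);
    nids_handler(&c, NIDS_JUST_EST, 3.1, NULL);
    nids_handler(&c, NIDS_DATA, 3.2, "GET /c HTTP/1.1\r\n");
    nids_handler(&c, NIDS_DATA, 3.3, "Host: example.test\r\n\r\n");
    nids_handler(&c, NIDS_CLOSE, 3.4, NULL);

    /* End of the pcap: streams still open are reported as NIDS_EXITING */
    nids_handler(&b, NIDS_EXITING, 9.0, NULL);

    /* Order by the recorded time, so the late flush lands where its traffic was */
    qsort(records, nrecords, sizeof records[0], cmp_ts);
    return nrecords;
}

int main(void)
{
    int n = run_demo(1);
    for (int i = 0; i < n; i++)
        printf("%.1f stream=%d%s %.16s\n", records[i].ts, records[i].stream_id,
               records[i].truncated ? " (truncated)" : "", records[i].text);
    return 0;
}
```

With the flag set the unclosed stream is printed between the two closed ones rather than after them; with it cleared the stream is dropped, which is the behaviour the report describes.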