-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
802.11 protocol analysis #107
Comments
@jfedotov: Thanks for reporting. As you may be aware, Brim typically relies on some other tools (specifically Zeek and Suricata) to generate summary logs from pcaps. This particular error is coming from Zeek. To study a bit more closely, I reproduced the problem outside of Brim. The Zeek version bundled with Brim happens to be several revs back (based on As it turns out, Suricata would choke on this as well, but you didn't see that error because Zeek failed first. I tried with the latest stable release
I looked on the Wireshark web site where the capture was from and I see it's labeled as an "802.11n capture with PPI encapsulation containing HTTP data." Out of curiosity, is this PPI encapsulation something you're close studying, or were you just seeking out sample captures to try in Brim and this happened to be a random one you tried? I ask because I've seen this class of failures before, as these tools need to have special code to remove encapsulation layers before reconstructing flows for analysis. Since these projects all have their own feature backlogs, some of the more "niche" encapsulation protocols might not get as much attention as the best-known ones like GRE. I looked for open issues in each project regarding PPI encapsulation and I don't see any, so I'd be ready to open them. But I'm guessing the first question they might ask help to establish priority is what the use case is, so I figured I'd establish that with you first. Even if these tools are not quick to support the format, this seems like it'll be an interesting issue to keep mulling on in the Brimcap context. With its approach, one of the things that Brimcap could make easier is preprocessing captures. So for instance if there were some separate tool that existed (or could easily be written) that Brimcap could invoke to strip off the encapsulation layer before passing along the packet data to packet analyzers (Zeek/Suricata), that might make for an interesting cookbook. Right now Brimcap is still in its infancy so we're not quite yet ready for that kind of experimentation, but I'll plan to give that more thought as time allows. |
Hi @philrz! Thank you very much for your answer and the tests you made already! Here is the real pcap we want to parse: I tried to open such a pcap with Brim and filtered for anything 802.11 but it seems it doesn’t see the frames. it only looks above layer 3. Then the 802.11 header replaces the ethernet header when the frame is wireless, then “data” is the IP or whatever upper layer but often not decoded as such when the traffic is WPA-encrypted |
@jfedotov: Thanks for the additional detail. If your goal is to actually have the logs reflect meaningful analysis of the 802.11 layer, it does seem that Zeek (and therefore, by association, Brimcap/Brim) doesn't have an off-the-shelf solution for this analysis. I did some poking around and ultimately opened up a new Zeek issue zeek/zeek#1641 to ask their team if they have any pointers as to where one might get started with doing this analysis. As I get into in the comments there (and you can read more detail following the links I put in there, then on to the linked PRs), they do seem to have added some kind of "low-level analyzer framework" that's capable of doing the parsing, but I'm not sure how well-documented it is, if there's reference implementations that use it which you could follow, etc. Since you seem to have a solid working knowledge of the protocols involved, it does seem like you'd be in a decent position to put together the appropriate parsing. Hopefully they can provide some tips. Feel free to keep an eye on that issue, and I'll do the same and update here if I see anything. If you were so inclined as to come up with the parsing, the easier follow-on work would then be to create a custom Brimcap config that points at a Zeek install that can do the parsing. Per that article, Brim could be pointed at that Brimcap config and allow pcaps to be dragged into the app and logs generated from it. We can certainly assist with that if you hit any troubles there. Even if you're not game to take on the protocol analysis, I'm happy to hold this issue open indefinitely in the event other community users have the same inquiry and maybe one of them would be game to take up the analysis work. |
@jfedotov: The Zeek Dev folks responded quickly, and you can see their response here. I'll paste it here for ease of reference and search-ability within the Brimcap repo:
If you do decide to dig into this, the Zeek team does have their own public Slack (described here) and are quite responsive if people come with good questions, so that's another resource if you get stuck. (I don't know if this user is still active, but I'm cc'ing @lealog as well, as I actually discovered an older 802.11-related issue brimdata/zui#570 that had been opened one time and it was closed back then, but I'm happy to keep this one open and see who all is available to pitch in.) |
Hi. Thanks for the CC :) |
Before opening a new issue, please make sure you've reviewed the troubleshooting guide:
https://github.com/brimdata/brimcap/wiki/Troubleshooting
Describe the bug
Failed to upload pcap with wireless data 802.11n https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=Http.cap
To Reproduce
Try to upload https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=Http.cap file to Brim.
Expected behavior
The summary data generated should be produced
Screenshots
Desktop Info
The text was updated successfully, but these errors were encountered: