cisco/joy

Invalid TCP header length

Str-Gen opened this issue · 6 comments

When processing some files, I repeatedly came across this error.
A 20 byte header for TCP packets is valid and should be interpreted.

ERR: process_tcp: 473: Invalid TCP header length: 20 bytes

Do you have a cap file that generates this error?

The files with errors in processing were removed. I will regenerate files that produce the error and get back to you.

I have encountered a new file that reports the error during processing. The pcap is available here.
https://www.dropbox.com/s/t6i0k8vweag5qz8/1fb1b6c1-7b04-41f7-b3ba-8d84dd2bc079.pcap?dl=0

So looking over the packet capture, the invalid TCP header lengths are coming from the partial packets. For instance, packets #5, #6 and #7 make up a full TCP packet. Packets #5 and #6 are just fragments. So the code throws the error clause on packets #5 and #6 because there are only 8 bytes in each. On packet #7, the full packet gets processed. Maybe we should make these "info" logs when the packet is marked as fragmented?

Yes, that would be a suitable solution. Certainly, if the full packet does get processed, it shouldn't be marked as an error.

Fix has been merged into master. Actually modified the fragment check to include fragment flags and fragment offset.
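A fragment check that looks at both the fragment flags and the fragment offset, as discussed in this thread, sketched as an added example that is not code from the joy repository. The names `classify_ipv4_tcp` and `classify_sample`, the verdict enum, and the sample datagrams are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_MF      0x2000u  /* IPv4 "more fragments" flag */
#define IP_OFFMASK 0x1fffu  /* IPv4 fragment offset, in 8-byte units */

enum verdict { PKT_OK, PKT_FRAGMENT, PKT_TRUNCATED, PKT_BAD_TCP_HDR };

/* Hypothetical helper (not joy's process_tcp): classify an IPv4 datagram
 * that carries TCP. Fragments are reported separately from errors. */
enum verdict classify_ipv4_tcp(const uint8_t *ip, size_t len) {
    if (len < 20 || (ip[0] >> 4) != 4) return PKT_TRUNCATED;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return PKT_TRUNCATED;

    uint16_t frag = (uint16_t)((ip[6] << 8) | ip[7]);
    /* MF set: first or middle fragment. Offset != 0: middle or last fragment.
     * Testing only one of the two misses the first or the last fragment. */
    if ((frag & IP_MF) || (frag & IP_OFFMASK)) return PKT_FRAGMENT;

    size_t tcp_len = len - ihl;
    if (tcp_len < 20) return PKT_BAD_TCP_HDR;       /* no room for a TCP header */
    size_t doff = (size_t)(ip[ihl + 12] >> 4) * 4;  /* TCP data offset in bytes */
    if (doff < 20 || doff > tcp_len) return PKT_BAD_TCP_HDR;
    return PKT_OK;
}

/* Build a constructed sample datagram (20-byte IPv4 header plus payload_len
 * bytes, payload_len <= 64) and classify it. */
enum verdict classify_sample(uint16_t frag_field, size_t payload_len, uint8_t doff_words) {
    uint8_t pkt[20 + 64];
    if (payload_len > 64) return PKT_TRUNCATED;
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x45;                           /* version 4, IHL 5 */
    pkt[6] = (uint8_t)(frag_field >> 8);     /* flags + offset, high byte */
    pkt[7] = (uint8_t)(frag_field & 0xff);   /* offset, low byte */
    pkt[9] = 6;                              /* protocol: TCP */
    if (payload_len > 12) pkt[20 + 12] = (uint8_t)(doff_words << 4);
    return classify_ipv4_tcp(pkt, 20 + payload_len);
}

int main(void) {
    /* Unfragmented datagram with a 20-byte TCP header: valid. */
    return classify_sample(0x0000, 20, 5) == PKT_OK ? 0 : 1;
}
```

A caller can log `PKT_FRAGMENT` at info level and reserve the error log for `PKT_BAD_TCP_HDR` on unfragmented datagrams.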