Cannot use -S enable_report=NO in write protected directory #242

Open

erik4711 opened this issue Apr 22, 2021 · 6 comments

@erik4711
I sometimes read capture files from write-protected media and pipe the output to grep in order to look for specific content. I'd like to use -S enable_report=NO since I'm not interested in getting a report.xml file and because the XML file cannot be written to the write-protected media anyway. However, unfortunately tcpflow crashes when issuing -S enable_report=NO from a write-protected directory. See output below:

/media/readonly$ tcpflow -v -S enable_report=NO -r evidence.pcap -c > /dev/null
tcpflow[12940]: printing packets to console only
tcpflow: TCPFLOW version 1.4.5 
terminate called after throwing an instance of 'std::invalid_argument*'
Aborted (core dumped)
@simsong (Owner)

simsong commented Apr 22, 2021 via email

@erik4711 (Author)

erik4711 commented Apr 22, 2021

Here's the tail from strace's output:

set_tid_address(0x7f1399d0eb90)         = 11527
set_robust_list(0x7f1399d0eba0, 24)     = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7f1398163cb0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f1398170980}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7f1398163d50, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f1398170980}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
brk(NULL)                               = 0x5569f2474000
brk(0x5569f2495000)                     = 0x5569f2495000
futex(0x7f1398cb909c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f1398cb90a8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
brk(0x5569f24b6000)                     = 0x5569f24b6000
prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=1024*1024}) = 0
getpid()                                = 11527
brk(0x5569f24d7000)                     = 0x5569f24d7000
brk(0x5569f24f8000)                     = 0x5569f24f8000
brk(0x5569f2519000)                     = 0x5569f2519000
brk(0x5569f253a000)                     = 0x5569f253a000
brk(0x5569f255b000)                     = 0x5569f255b000
brk(0x5569f257c000)                     = 0x5569f257c000
brk(0x5569f259d000)                     = 0x5569f259d000
brk(0x5569f25be000)                     = 0x5569f25be000
brk(0x5569f25df000)                     = 0x5569f25df000
brk(0x5569f2600000)                     = 0x5569f2600000
brk(0x5569f2621000)                     = 0x5569f2621000
brk(0x5569f2642000)                     = 0x5569f2642000
brk(0x5569f2663000)                     = 0x5569f2663000
brk(0x5569f2684000)                     = 0x5569f2684000
brk(0x5569f26a5000)                     = 0x5569f26a5000
brk(0x5569f26c6000)                     = 0x5569f26c6000
brk(0x5569f26e7000)                     = 0x5569f26e7000
brk(0x5569f2708000)                     = 0x5569f2708000
brk(0x5569f2729000)                     = 0x5569f2729000
brk(0x5569f274a000)                     = 0x5569f274a000
brk(0x5569f276b000)                     = 0x5569f276b000
brk(0x5569f278c000)                     = 0x5569f278c000
brk(0x5569f27ad000)                     = 0x5569f27ad000
stat(".", {st_mode=S_IFDIR|0755, st_size=16384, ...}) = 0
access(".", W_OK)                       = -1 EROFS (Read-only file system)
futex(0x7f13985941a0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
write(2, "terminate called after throwing "..., 48terminate called after throwing an instance of ') = 48
write(2, "std::invalid_argument*", 22std::invalid_argument*)  = 22
write(2, "'\n", 2'
)                      = 2
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
getpid()                                = 11527
gettid()                                = 11527
tgkill(11527, 11527, SIGABRT)           = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=11527, si_uid=1000} ---
+++ killed by SIGABRT (core dumped) +++

@simsong (Owner)

simsong commented Apr 22, 2021

That's great. If you can compile it with debug symbols, we will get a full stack trace. Without it, it looks like the problem is coming from here:

if ((outdir != NO_OUTDIR) && (access(outdir.c_str(),W_OK)!=0)) {
    // thrown as a pointer, hence the 'std::invalid_argument*' in the abort message
    throw new std::invalid_argument("output directory not writable");
}

Can you try running with -o /tmp/tempdir$$ to see if that resolves your problem?

@erik4711 (Author)

erik4711 commented Apr 22, 2021

Yes, changing the output dir to a writable one with -o resolves the problem.
Would it be possible to avoid throwing that exception when -c or -C is used together with -S enable_report=NO, since nothing will be written to disk in these cases? Personally I would probably have removed that if statement altogether, since it doesn't add any significant improvement over what would have happened if tcpflow attempted to actually write data to a write-protected directory.

It would also make sense to set -S enable_report to NO by default when -c or -C is used (feature request).

@simsong (Owner)

simsong commented Apr 22, 2021 via email

@erik4711 (Author)

Okay, thanks. I understand.
You're right, I want to disable all file output and only push reassembled TCP to stdout. However, to my knowledge nothing is written to disk if I run this command from a directory with write permissions or if I use -o /somewhereicanwrite. Would it be possible to just replace the
throw new std::invalid_argument("output directory not writable");
with something that just writes a warning message to stderr and then proceeds? That would most likely be sufficient for what I need and not require a huge rewrite.
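
The change the thread is asking for, as an added example that is not tcpflow's own code: the startup check only warns when -c/-C with enable_report=NO means no files will be created, throws by value (so a catch by reference in main() can report it instead of std::terminate() aborting), and takes an injectable writability probe so the read-only case can be reproduced without read-only media. The struct and function names are assumptions.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>
#include <unistd.h>

// Added example, not tcpflow's code: a replacement for the startup check quoted
// above. Option names follow the thread; struct/function names are assumptions.
struct OutputOptions {
    std::string outdir;   // empty: no -o given, the current directory is used
    bool console_only;    // -c or -C
    bool enable_report;   // -S enable_report=YES (true) / NO (false)
};
// Files are only created when flows go to disk or report.xml is wanted.
bool needs_writable_outdir(const OutputOptions &o) {
    return !o.console_only || o.enable_report;
}
// Default probe is the same access(2) call the original check makes; the two
// stubs let the EROFS case be reproduced without read-only media.
bool access_writable(const std::string &d) { return access(d.c_str(), W_OK) == 0; }
bool never_writable(const std::string &) { return false; }
bool always_writable(const std::string &) { return true; }

enum class OutdirStatus { kOk, kWarnedNotWritable };
// Warns and proceeds when nothing will be written; throws only otherwise.
OutdirStatus check_outdir(const OutputOptions &o,
                          bool (*writable)(const std::string &) = access_writable) {
    const std::string dir = o.outdir.empty() ? "." : o.outdir;
    if (writable(dir)) return OutdirStatus::kOk;
    if (!needs_writable_outdir(o)) {
        std::cerr << "tcpflow: warning: output directory '" << dir
                  << "' is not writable; continuing, no files will be created\n";
        return OutdirStatus::kWarnedNotWritable;
    }
    // Throw by value: `throw new std::invalid_argument(...)` throws a pointer,
    // which `catch (const std::exception &)` never matches, so it reaches
    // std::terminate() and aborts, as the strace above shows.
    throw std::invalid_argument("output directory not writable: " + dir);
}

// What main() would do with the result: 0 = proceed, 1 = clean usage error.
int startup_exit_code(const OutputOptions &o,
                      bool (*writable)(const std::string &) = access_writable) {
    try {
        check_outdir(o, writable);
        return 0;
    } catch (const std::exception &e) {
        std::cerr << "tcpflow: " << e.what() << "\n";
        return 1;
    }
}
```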
