Jordi Espasa Clofent wrote:
> Hi all,
>
> Because of my previous problem I've seen the following output in
> /var/log/messages:
>
> -- Sep 22 19:00:01 ares newsyslog[21422]: logfile turned over
> Sep 22 19:00:01 ares syslogd: restart
> Sep 22 19:00:38 ares ftpsesame[15600]: drop: short capture
> Sep 22 19:01:04 ares last message repeated 3 times
> Sep 22 19:04:36 ares ftpsesame[15600]: drop: short capture
> Sep 22 19:04:47 ares last message repeated 11 times
> Sep 22 19:17:07 ares last message repeated 4 times
> Sep 22 20:00:01 ares syslogd: restart
> Sep 22 20:31:27 ares ftpsesame[15600]: drop: short capture
> Sep 22 21:31:43 ares ftpsesame[15600]: drop: short capture
> Sep 22 21:31:47 ares last message repeated 3 times
> Sep 22 21:34:32 ares last message repeated 6 times
> Sep 22 21:53:06 ares last message repeated 8 times
> Sep 22 22:00:01 ares syslogd: restart
> Sep 22 22:01:34 ares ftpsesame[15600]: drop: short capture
> Sep 22 22:02:28 ares ftpsesame[15600]: drop: short capture
> Sep 22 22:09:45 ares ftpsesame[15600]: drop: short capture
> Sep 22 22:10:00 ares last message repeated 62 times
> Sep 23 00:00:01 ares syslogd: restart
> Sep 23 00:08:46 ares ftpsesame[15600]: drop: short capture
> Sep 23 00:09:02 ares last message repeated 3 times
> Sep 23 00:09:28 ares last message repeated 2 times
> Sep 23 00:33:06 ares ftpsesame[15600]: drop: short capture
> Sep 23 00:34:02 ares last message repeated 4 times
> Sep 23 00:47:01 ares ftpsesame[15600]: drop: short capture
> Sep 23 01:30:54 ares ftpsesame[15600]: drop: short capture
> Sep 23 01:38:49 ares last message repeated 20 times
> Sep 23 01:47:12 ares last message repeated 2 times
> Sep 23 01:56:28 ares last message repeated 6 times
> Sep 23 02:00:01 ares syslogd: restart
> Sep 23 02:06:11 ares ftpsesame[15600]: drop: short capture
> Sep 23 02:06:20 ares ftpsesame[15600]: drop: short capture
> Sep 23 02:08:15 ares last message repeated 4 times
> Sep 23 04:00:01 ares syslogd: restart
> Sep 23 04:10:20 ares ftpsesame[15600]: drop: short capture
> Sep 23 04:10:35 ares last message repeated 2 times
> Sep 23 04:12:33 ares last message repeated 3 times
> Sep 23 04:13:43 ares ftpsesame[15600]: drop: short capture
> Sep 23 04:32:26 ares last message repeated 5 times
> Sep 23 04:35:09 ares last message repeated 2 times
> Sep 23 06:00:01 ares syslogd: restart
> Sep 23 08:00:01 ares syslogd: restart
> Sep 23 08:18:10 ares ftpsesame[15600]: drop: short capture
> Sep 23 08:39:54 ares ftpsesame[15600]: drop: short capture
> Sep 23 08:40:10 ares ftpsesame[15600]: drop: short capture
> Sep 23 08:54:00 ares ftpsesame[15600]: drop: short capture
> Sep 23 09:07:24 ares ftpsesame[15600]: drop: short capture
> Sep 23 09:15:40 ares last message repeated 10 times
> Sep 23 09:29:56 ares ftpsesame[15600]: drop: short capture
>
> So, I've downloaded the ftpsesame sources and searched for the concrete string:
>
> $ grep -ir "short capture" *
> ftpsesame.c: logmsg(LOG_WARNING, "drop: short capture");
>
> $ vim ftpsesame.c
> [...]
> if (h->caplen != h->len) {
>         logmsg(LOG_WARNING, "drop: short capture");
>         return;
> [...]
>
> I understand that it's a basic check about the length of the processed
> packet. Anyway, I'm not a coder... only a learner.
>
> Is it really a problem or simply a warning about malformed packets?

It's not a problem, just a warning that bpf did not capture the full packet. But maybe the '!=' should be a '<' though because of ethernet padding.

Can you change the logmsg line into:

    logmsg(LOG_WARNING, "drop: short capture, len: %d, caplen: %d", h->len, h->caplen);
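
An added example, not part of the thread or of the ftpsesame source: a capture-length check that tolerates trailing Ethernet padding by comparing `caplen` with the bytes the IPv4 total-length field says are needed, and that never reads past what was captured. It assumes untagged Ethernet/IPv4 frames; `struct cap_hdr`, `classify` and `check_sample` are hypothetical names, with `cap_hdr` standing in for the `caplen` and `len` fields of libpcap's packet header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the caplen/len fields of libpcap's struct pcap_pkthdr,
 * declared here so the example builds without libpcap. */
struct cap_hdr {
    uint32_t caplen; /* bytes actually captured */
    uint32_t len;    /* bytes on the wire */
};

enum verdict { PKT_OK, PKT_SHORT_CAPTURE, PKT_MALFORMED };
#define ETH_HDR_LEN 14u
#define IP_MIN_HDR  20u

/* Hypothetical helper: can this Ethernet/IPv4 frame (assumed untagged)
 * be parsed without reading past the captured bytes? */
enum verdict classify(const struct cap_hdr *h, const uint8_t *p)
{
    uint32_t ihl, ip_total, needed;

    /* Never touch the IP header unless it was captured in full. */
    if (h->caplen < ETH_HDR_LEN + IP_MIN_HDR)
        goto short_capture;
    ihl = (p[ETH_HDR_LEN] & 0x0fu) * 4u;
    ip_total = ((uint32_t)p[ETH_HDR_LEN + 2] << 8) | p[ETH_HDR_LEN + 3];
    needed = ETH_HDR_LEN + ip_total;
    if ((p[ETH_HDR_LEN] >> 4) != 4 || ihl < IP_MIN_HDR ||
        ip_total < ihl || needed > h->len)
        return PKT_MALFORMED;
    /* Bytes between needed and len are Ethernet padding; losing them is harmless. */
    if (h->caplen >= needed)
        return PKT_OK;
short_capture:
    fprintf(stderr, "drop: short capture, len: %u, caplen: %u\n",
            (unsigned)h->len, (unsigned)h->caplen);
    return PKT_SHORT_CAPTURE;
}

/* Constructed sample: a zeroed frame carrying only the IPv4
 * version/IHL byte (0x45) and the given total length. */
enum verdict check_sample(uint32_t caplen, uint32_t len, uint16_t ip_total)
{
    uint8_t frame[64];
    struct cap_hdr h = { caplen, len };

    memset(frame, 0, sizeof frame);
    frame[ETH_HDR_LEN] = 0x45;
    frame[ETH_HDR_LEN + 2] = (uint8_t)(ip_total >> 8);
    frame[ETH_HDR_LEN + 3] = (uint8_t)(ip_total & 0xff);
    return classify(&h, frame);
}
```

With a 40-byte IP packet padded to a 60-byte frame, `check_sample(54, 60, 40)` is accepted even though `caplen != len`, while `check_sample(40, 60, 40)` is reported as a short capture.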