0/18 byte files in replay folder #169
Comments
|
We had a feature where empty files were deleted, has there been a regression? 🤔 |
|
Oh shit, maybe i just need to update, cool. |
|
Report back if it works, if it doesnt tell us if the files are actually empty, or very small! |
|
so i did a git pull and its is still making 0b and 18b files =/
|
|
I think that 18 bytes files are not simple SYN/SYNACK/ACK scans, but service scans, where the first RDP packet is sent to make sure the destination is an RDP server. Packet capture analysis could confirm that.... If it is the case, I'm not sure that we want to delete those files 🤔 @obilodeau thoughts? |
|
The 0 bytes ones should probably not be created but the 18 bytes ones might be interesting to dig deeper into what is going on.
Quickly grepping the codebase for So to me, this is two issues: a. interactive player should open tab only when something was recorded (session logs should still be session logs, any non-zero log is interesting) For either issue, I need to be able to reproduce the problem locally. @Norup123 can you provide a pcap or are you willing to wait until I get similar traffic in my honeypots? |
|
#158 trying to make a tcpdump for this. Havnt been able to capture the error in the other issue in the dump im currently making, but the error appeared right before i started, so hoping it will show again. My /replay folder is FILLED with 0 or 18 byte files. |
|
Hope this is what you meant |
|
tcpdump2.zip |
|
i may or may not have found my issue with the breaking. Could have been the windows machine, going on standby... kay i actually think this was my issue.. unbelievable... Still all the scans are showing up as 0 or 18b cluttering the replay folder, And also showing up on the player as "empty" closed tabs
|
|
As far as the player tabs are concerned, we could auto-close all tabs that last less than N seconds and all tabs that receive no data but are not disconnected after a long enough period of time. The former would take care of scanners, while the latter would take care of "hung" connections that we have been seeing in some cases. Alternatively, I'm pretty sure in either cases we never get far enough in the connection sequence to get video, so tabs that never made it to connection established after N seconds could be closed automatically. This approach would be cleaner. |
|
I suggest to track the tab creation issue in #142, and use this issue to track the small replay files. |
alxbl
changed the title
fix: Buffer replays until connection is established. Fixes #169
Is there a way to stop it from making replay files and the player tabs on every scan? It makes it rather difficult to sort through.
The text was updated successfully, but these errors were encountered: