[ERROR] Parsing field: ipv6.addr #20

Open
dragonxtek opened this issue Oct 9, 2020 · 12 comments

@dragonxtek

Hi again,
I installed the latest version, 2.0.5, but the error still appears; it is not solved as you said in #17.

[image: Selection_999(927)]

@shramos
Owner

shramos commented Oct 9, 2020

Hi @dragonxtek,

This error seems to be related to the permissions with which you execute the capture.

Run Polymorph with the administration user, without using sudo, as there are several processes that run the tool that require high privileges, including the capture through pyshark and tshark.

@dragonxtek
Author

dragonxtek commented Oct 9, 2020

It is very rare, because I started to see that error with version 2, and before that it didn't appear.
I tried it from the root user but got the same result.

[image: Selection_999(926)]

In Docker with the --privileged flag I don't have this issue, but on my machine I couldn't run it successfully.

@shramos
Owner

shramos commented Oct 10, 2020

Hi @dragonxtek,

I cannot reproduce the error in my test environment. Can you tell me more details about the environment in which you are running Polymorph?

Additionally, could you attach to the comment the .tmp.pcap file at path /usr/local/lib/python3.6/dist-packages/polymorph-2.0.5-py3.6.egg/polymorph/.tmp.pcap, generated immediately after the exception occurs?

Thanks!

@shramos self-assigned this Oct 11, 2020

@dragonxtek
Author

Hi @shramos,
I'm using Ubuntu 18.10. In the Docker file I'm running the same operating system and inside it works fine. I don't know what could be happening.
The message said that .tmp.pcap has 0 packets, but it's a lie. It contains packets without issues.

@dragonxtek
Author

UPDATE:
I think that it's a capture command issue, because I imported a pcap file without issues and I got the same problem:

[image: Selection_999(942)]

I attached the pcap file just in case:
icmp2.zip

@dragonxtek
Author

UPDATE2:
Additionally, if I import a template, I can execute intercept without issues.

[image: Selection_999(943)]

@shramos
Owner

shramos commented Oct 12, 2020

Hi @dragonxtek,

Thank you for your response. I tried to reproduce the error in the same environment you have and I can't.

Importing a template and performing network packet interception works well because it does not involve the external pyshark library. The error seems not to be related to Polymorph but to this library (Pyshark) used during the initial capture process.

We will continue to perform some additional testing to see if we can find the error. On the same operating system where the error occurs, run the following commands to see if we can isolate the error:

```
santi@ubuntu:~$ sudo python3
Python 3.8.5 (default, Jul 28 2020, 12:59:40) 
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 
>>> import pyshark
>>> capture = pyshark.FileCapture(input_file="Desktop/icmp2.pcap", keep_packets=False, use_json=True, include_raw=True, display_filter=None)
>>> capture
<FileCapture Desktop/icmp2.pcap (0 packets)>
>>> capture.next()
<ICMP_RAW Packet>
>>> capture.next()
<ICMP_RAW Packet>
>>> capture.next()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.8/dist-packages/pyshark/capture/file_capture.py", line 59, in next
    return self._packet_generator.send(None)
StopIteration
>>>
```

@dragonxtek
Author

Here is the output:

```
sudo python3 
Python 3.6.8 (default, Apr  9 2019, 04:59:38) 
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyshark
>>> capture = pyshark.FileCapture(input_file="/home/dragonxtek/icmp2.pcap", keep_packets=False, use_json=True, include_raw=True, display_filter=None)
>>> capture
<FileCapture /home/dragonxtek/icmp2.pcap (0 packets)>
>>> capture.next()
<ICMP_RAW Packet>
>>> capture.next()
<ICMP_RAW Packet>
>>> capture.next()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/dist-packages/pyshark-0.4.2.9-py3.6.egg/pyshark/capture/file_capture.py", line 62, in next
    return self._packet_generator.send(None)
StopIteration
>>> 
```

@jzablot

jzablot commented Oct 18, 2020

Note that on CentOS 7 with tshark 2.6 I hit the 'int' object is not subscriptable issue parsing field ip.addr during capture. Per my comment in #25 I can get by this by downgrading to tshark 2.2, but I face other issues as outlined in #25.

@dragonxtek
Author

Now I have tshark 3.3 and I can't capture any packets:

```
^C[ERROR] Parsing field: ip.addr
[!] Exception: Error processing the previous command. More info:

'int' object is not subscriptable
```

Can you fix it to make it compatible with recent tshark versions?

@krater

krater commented Apr 28, 2022

I have tshark 2.64 and the same problem. Can you give me any hint where to search in the code to fix it?

@krater

krater commented Apr 28, 2022

I added some prints to _traverse_fields and I would bet the problem lies in a format change of pyshark in the ip.addr field.
My ip.addr_raw field looks like this: ['7f000001', 26, 4, 0, 32, ['7f000001', 30, 4, 0, 32]]
My ip.addr looks like this: ['127.0.0.1', '127.0.0.1']

Maybe this helps. Does anyone have a working version and can help me?
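
An added illustration, not part of the thread and not Polymorph's or pyshark's code: tshark's raw JSON entries use the layout [hex, position, length, bitmask, type], and the sketch below shows how a consumer that expects a list of such entries raises the reported TypeError on the nested shape quoted above, next to a normalizer that accepts both shapes. `naive_offsets`, `normalize_raw` and `pair_fields` are hypothetical names, and whether `_traverse_fields` indexes the value this way is an assumption.

```python
# Constructed samples: the ip.addr_raw value quoted above, and the same two entries as a plain list.
SAMPLE_NESTED = ['7f000001', 26, 4, 0, 32, ['7f000001', 30, 4, 0, 32]]
SAMPLE_LIST = [['7f000001', 26, 4, 0, 32], ['7f000001', 30, 4, 0, 32]]


def naive_offsets(raw):
    """Hypothetical consumer that assumes every element of raw is an entry."""
    return [(entry[0], entry[1], entry[2]) for entry in raw]


def normalize_raw(raw):
    """Flatten flat, list-of-entries and nested *_raw shapes into tuples."""
    entries = []  # (hex value, byte offset, byte length)

    def walk(node):
        if not isinstance(node, (list, tuple)) or not node:
            return
        rest = node
        if isinstance(node[0], str):
            # Leading scalars are one entry: [hex, position, length, bitmask, type]
            if len(node) < 3 or not all(isinstance(x, int) for x in node[1:3]):
                raise ValueError(f"malformed raw entry: {node!r}")
            entries.append((node[0], node[1], node[2]))
            rest = node[3:]
        for child in rest:
            walk(child)  # scalars (bitmask, type) are skipped by the guard above

    walk(raw)
    return entries


def pair_fields(values, raw):
    """Attach an offset and length to each displayed value, refusing mismatches."""
    values = [values] if isinstance(values, str) else list(values)
    entries = normalize_raw(raw)
    if len(values) != len(entries):
        raise ValueError(f"{len(values)} values but {len(entries)} raw entries")
    return [(v, off, length) for v, (_, off, length) in zip(values, entries)]


if __name__ == "__main__":
    try:
        naive_offsets(SAMPLE_NESTED)
    except TypeError as exc:
        print("naive consumer:", exc)
    print(pair_fields(['127.0.0.1', '127.0.0.1'], SAMPLE_NESTED))
```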
