You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@drill.apache.org by Giovanni Conte <gi...@gmail.com> on 2019/02/06 16:38:54 UTC
Drill fails to query pcap files
Hi,
I'm trying to query a pcap file and I know that there are corrupted rows
(precisely line 6407),
I need a command to skip this rows to avoid the following error:
Error: INTERNAL_ERROR ERROR: null
Fragment 0:0
Please, refer to logs for more information.
[Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
(state=,code=0)
[...]
the complete error is attached in the txt file ()for java exceptions, along
with the pcap file used for testing this issue. I would like to avoid a
pre-parsing of the pcap when a corrupted row is found.
Is there a way to avoid this problem?
Thanks,
Giovanni
OS: Ubuntu 18.4
Drill version: 1.15.0
Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
Re: Drill fails to query pcap files
Posted by Charles Givre <cg...@gmail.com>.
Angelo
Can you please share an example? That will help in fixing this issue.
Sent from my iPhone
> On Feb 22, 2019, at 09:40, Angelo Mantellini <am...@gmail.com> wrote:
>
> Hi,
> I tried the patch, but I see that the lines are always corrupted after the first exception.
> So, if my corrupted line is in the first row, the rest of the file is corrupted.
>
>
>
> On 10/02/2019, 18:01, "Charles Givre" <cg...@gmail.com> wrote:
>
> Actually, some good news here…
> I ran some test queries on the corrupted file and it seemed to work pretty well. I didn’t get any exceptions!
>
> jdbc:drill:zk=local> select src_ip, COUNT(*) as packet_count from dfs.test.`testv1.pcap`WHERE is_corrupt=1 GROUP BY src_ip ORDER BY packet_count DESC
> . . . . . . .semicolon> LIMIT 10;
> +-----------------------------------------+---------------+
> | src_ip | packet_count |
> +-----------------------------------------+---------------+
> | 150.249.255.161 | 176 |
> | 150.249.255.24 | 28 |
> | 131.38.3.15 | 26 |
> | 111.248.196.128 | 25 |
> | 202.13.230.242 | 20 |
> | 163.28.217.199 | 19 |
> | 27.18.36.151 | 18 |
> | 2001:320f:c2ed:8693:1dff:f8f8:500:f1ed | 17 |
> | 203.70.190.81 | 16 |
> | 203.70.182.104 | 13 |
> +-----------------------------------------+---------------+
> 10 rows selected (0.944 seconds)
>
>
> select src_ip, dst_ip from dfs.test.`testv1.pcap`WHERE is_corrupt=1 LIMIT 10;
> +------------------+------------------+
> | src_ip | dst_ip |
> +------------------+------------------+
> | 118.233.244.60 | 150.249.255.161 |
> | 150.249.255.161 | 165.63.110.188 |
> | 150.249.255.161 | 165.63.110.188 |
> | 172.40.96.180 | 131.39.133.22 |
> | 150.249.255.161 | 165.63.110.188 |
> | 150.249.255.161 | 165.63.110.188 |
> | 150.249.255.161 | 165.63.110.188 |
> | 150.249.255.161 | 165.63.110.188 |
> | 150.249.162.60 | 180.32.119.25 |
> | 150.249.255.161 | 165.63.110.188 |
> +------------------+------------------+
> 10 rows selected (1.031 seconds)
>
>
> 0: jdbc:drill:zk=local> SELECT src_port , dst_port , src_mac_address , dst_mac_address
> . . . . . . .semicolon> FROM dfs.test.`testv1.pcap`
> . . . . . . .semicolon> WHERE is_corrupt =1 LIMIT 10;
> +-----------+-----------+--------------------+--------------------+
> | src_port | dst_port | src_mac_address | dst_mac_address |
> +-----------+-----------+--------------------+--------------------+
> | 57058 | 443 | 00:0C:DB:1F:72:41 | 88:E0:F3:7A:66:F0 |
> | 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
> | 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
> | 443 | 55972 | 00:0C:DB:1F:72:41 | CC:4E:24:1F:4E:00 |
> | 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
> | 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
> | 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
> | 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
> | 4016 | 7699 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
> | 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
> +-----------+-----------+--------------------+--------------------+
> 10 rows selected (0.751 seconds)
>
> SELECT getCountryName(src_ip) AS country, COUNT(*) as packet_count FROM dfs.test.`testv1.pcap` WHERE is_corrupt=1 GROUP BY getCountryName(src_ip) ORDER BY packet_count DESC LIMIT 10;
> +----------------+---------------+
> | country | packet_count |
> +----------------+---------------+
> | Japan | 269 |
> | Taiwan | 124 |
> | United States | 105 |
> | Unknown | 49 |
> | China | 26 |
> | South Korea | 8 |
> | Australia | 4 |
> | Germany | 3 |
> | Hong Kong | 2 |
> | Italy | 1 |
> +----------------+---------------+
> 10 rows selected (1.519 seconds)
>
> SELECT is_corrupt, COUNT(*) as packet_count FROM dfs.test.`testv1.pcap` GROUP BY is_corrupt;
> +-------------+---------------+
> | is_corrupt | packet_count |
> +-------------+---------------+
> | 0 | 6408 |
> | 1 | 592 |
> +-------------+---------------+
> 2 rows selected (0.931 seconds)
>
>
> This PCAP file worked well with Superset also.
>
>
>> On Feb 10, 2019, at 10:59, Charles Givre <cg...@gmail.com> wrote:
>>
>> If I can get some more examples of corrupted files I’ll test more thoroughly. Also, we’ll need to apply the same methodology to PCAP-NG, so I’ll need some examples there as well. My strategy is going to be get as much data as possible out of the corrupt packet.
>> — C
>>
>>
>>
>>> On Feb 10, 2019, at 10:54, Ted Dunning <te...@gmail.com> wrote:
>>>
>>> I think that accessing fields in corrupted packets will also cause
>>> exceptions. But this is a great start. Conditionalizing field access on
>>> !is_corrupt() might be sufficient for the next step.
>>>
>>>
>>>
>>>> On Sun, Feb 10, 2019 at 4:58 AM Charles Givre <cg...@gmail.com> wrote:
>>>>
>>>> All,
>>>> I posted the following PR for this issue:
>>>> https://github.com/apache/drill/pull/1637 <
>>>> https://github.com/apache/drill/pull/1637>
>>>>
>>>> Basically this PR does two things.
>>>> 1. It creates a boolean column called is_corrupt and
>>>> 2. If the PCAP file has a corrupt row, it marks that row as corrupt by
>>>> setting is_corrupt to true and keeps going
>>>>
>>>> WIth the example from Giovanni, I was able to find 590 or so corrupt rows
>>>> out of 7000 in that PCAP file. It was late and I don’t know if that was
>>>> what ti was supposed to find, but it worked and was able to query that.
>>>> If you guys could send a few more examples, I’d like to test this on other
>>>> files to make sure it works with them. We’re also going to have to do the
>>>> same thing for the PCAP-NG format I would assume.
>>>>
>>>>> On Feb 10, 2019, at 03:07, Ted Dunning <te...@gmail.com> wrote:
>>>>>
>>>>> On Sat, Feb 9, 2019 at 2:25 PM Bob Rudis <bo...@rud.is> wrote:
>>>>>
>>>>>> ...
>>>>>> And, I did indeed find a few and am just waiting for a formal review so
>>>> I
>>>>>> can submit them for the Drill dev & tests.
>>>>>>
>>>>>
>>>>> Awesome!
>>>>
>>>>
>>
>
>
>
>
Re: Drill fails to query pcap files
Posted by Angelo Mantellini <am...@gmail.com>.
Hi,
I tried the patch, but I see that the lines are always corrupted after the first exception.
So, if my corrupted line is in the first row, the rest of the file is corrupted.
On 10/02/2019, 18:01, "Charles Givre" <cg...@gmail.com> wrote:
Actually, some good news here…
I ran some test queries on the corrupted file and it seemed to work pretty well. I didn’t get any exceptions!
jdbc:drill:zk=local> select src_ip, COUNT(*) as packet_count from dfs.test.`testv1.pcap`WHERE is_corrupt=1 GROUP BY src_ip ORDER BY packet_count DESC
. . . . . . .semicolon> LIMIT 10;
+-----------------------------------------+---------------+
| src_ip | packet_count |
+-----------------------------------------+---------------+
| 150.249.255.161 | 176 |
| 150.249.255.24 | 28 |
| 131.38.3.15 | 26 |
| 111.248.196.128 | 25 |
| 202.13.230.242 | 20 |
| 163.28.217.199 | 19 |
| 27.18.36.151 | 18 |
| 2001:320f:c2ed:8693:1dff:f8f8:500:f1ed | 17 |
| 203.70.190.81 | 16 |
| 203.70.182.104 | 13 |
+-----------------------------------------+---------------+
10 rows selected (0.944 seconds)
select src_ip, dst_ip from dfs.test.`testv1.pcap`WHERE is_corrupt=1 LIMIT 10;
+------------------+------------------+
| src_ip | dst_ip |
+------------------+------------------+
| 118.233.244.60 | 150.249.255.161 |
| 150.249.255.161 | 165.63.110.188 |
| 150.249.255.161 | 165.63.110.188 |
| 172.40.96.180 | 131.39.133.22 |
| 150.249.255.161 | 165.63.110.188 |
| 150.249.255.161 | 165.63.110.188 |
| 150.249.255.161 | 165.63.110.188 |
| 150.249.255.161 | 165.63.110.188 |
| 150.249.162.60 | 180.32.119.25 |
| 150.249.255.161 | 165.63.110.188 |
+------------------+------------------+
10 rows selected (1.031 seconds)
0: jdbc:drill:zk=local> SELECT src_port , dst_port , src_mac_address , dst_mac_address
. . . . . . .semicolon> FROM dfs.test.`testv1.pcap`
. . . . . . .semicolon> WHERE is_corrupt =1 LIMIT 10;
+-----------+-----------+--------------------+--------------------+
| src_port | dst_port | src_mac_address | dst_mac_address |
+-----------+-----------+--------------------+--------------------+
| 57058 | 443 | 00:0C:DB:1F:72:41 | 88:E0:F3:7A:66:F0 |
| 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
| 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
| 443 | 55972 | 00:0C:DB:1F:72:41 | CC:4E:24:1F:4E:00 |
| 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
| 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
| 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
| 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
| 4016 | 7699 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
| 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
+-----------+-----------+--------------------+--------------------+
10 rows selected (0.751 seconds)
SELECT getCountryName(src_ip) AS country, COUNT(*) as packet_count FROM dfs.test.`testv1.pcap` WHERE is_corrupt=1 GROUP BY getCountryName(src_ip) ORDER BY packet_count DESC LIMIT 10;
+----------------+---------------+
| country | packet_count |
+----------------+---------------+
| Japan | 269 |
| Taiwan | 124 |
| United States | 105 |
| Unknown | 49 |
| China | 26 |
| South Korea | 8 |
| Australia | 4 |
| Germany | 3 |
| Hong Kong | 2 |
| Italy | 1 |
+----------------+---------------+
10 rows selected (1.519 seconds)
SELECT is_corrupt, COUNT(*) as packet_count FROM dfs.test.`testv1.pcap` GROUP BY is_corrupt;
+-------------+---------------+
| is_corrupt | packet_count |
+-------------+---------------+
| 0 | 6408 |
| 1 | 592 |
+-------------+---------------+
2 rows selected (0.931 seconds)
This PCAP file worked well with Superset also.
> On Feb 10, 2019, at 10:59, Charles Givre <cg...@gmail.com> wrote:
>
> If I can get some more examples of corrupted files I’ll test more thoroughly. Also, we’ll need to apply the same methodology to PCAP-NG, so I’ll need some examples there as well. My strategy is going to be get as much data as possible out of the corrupt packet.
> — C
>
>
>
>> On Feb 10, 2019, at 10:54, Ted Dunning <te...@gmail.com> wrote:
>>
>> I think that accessing fields in corrupted packets will also cause
>> exceptions. But this is a great start. Conditionalizing field access on
>> !is_corrupt() might be sufficient for the next step.
>>
>>
>>
>> On Sun, Feb 10, 2019 at 4:58 AM Charles Givre <cg...@gmail.com> wrote:
>>
>>> All,
>>> I posted the following PR for this issue:
>>> https://github.com/apache/drill/pull/1637 <
>>> https://github.com/apache/drill/pull/1637>
>>>
>>> Basically this PR does two things.
>>> 1. It creates a boolean column called is_corrupt and
>>> 2. If the PCAP file has a corrupt row, it marks that row as corrupt by
>>> setting is_corrupt to true and keeps going
>>>
>>> WIth the example from Giovanni, I was able to find 590 or so corrupt rows
>>> out of 7000 in that PCAP file. It was late and I don’t know if that was
>>> what ti was supposed to find, but it worked and was able to query that.
>>> If you guys could send a few more examples, I’d like to test this on other
>>> files to make sure it works with them. We’re also going to have to do the
>>> same thing for the PCAP-NG format I would assume.
>>>
>>>> On Feb 10, 2019, at 03:07, Ted Dunning <te...@gmail.com> wrote:
>>>>
>>>> On Sat, Feb 9, 2019 at 2:25 PM Bob Rudis <bo...@rud.is> wrote:
>>>>
>>>>> ...
>>>>> And, I did indeed find a few and am just waiting for a formal review so
>>> I
>>>>> can submit them for the Drill dev & tests.
>>>>>
>>>>
>>>> Awesome!
>>>
>>>
>
Re: Drill fails to query pcap files
Posted by Charles Givre <cg...@gmail.com>.
Actually, some good news here…
I ran some test queries on the corrupted file and it seemed to work pretty well. I didn’t get any exceptions!
jdbc:drill:zk=local> select src_ip, COUNT(*) as packet_count from dfs.test.`testv1.pcap`WHERE is_corrupt=1 GROUP BY src_ip ORDER BY packet_count DESC
. . . . . . .semicolon> LIMIT 10;
+-----------------------------------------+---------------+
| src_ip | packet_count |
+-----------------------------------------+---------------+
| 150.249.255.161 | 176 |
| 150.249.255.24 | 28 |
| 131.38.3.15 | 26 |
| 111.248.196.128 | 25 |
| 202.13.230.242 | 20 |
| 163.28.217.199 | 19 |
| 27.18.36.151 | 18 |
| 2001:320f:c2ed:8693:1dff:f8f8:500:f1ed | 17 |
| 203.70.190.81 | 16 |
| 203.70.182.104 | 13 |
+-----------------------------------------+---------------+
10 rows selected (0.944 seconds)
select src_ip, dst_ip from dfs.test.`testv1.pcap`WHERE is_corrupt=1 LIMIT 10;
+------------------+------------------+
| src_ip | dst_ip |
+------------------+------------------+
| 118.233.244.60 | 150.249.255.161 |
| 150.249.255.161 | 165.63.110.188 |
| 150.249.255.161 | 165.63.110.188 |
| 172.40.96.180 | 131.39.133.22 |
| 150.249.255.161 | 165.63.110.188 |
| 150.249.255.161 | 165.63.110.188 |
| 150.249.255.161 | 165.63.110.188 |
| 150.249.255.161 | 165.63.110.188 |
| 150.249.162.60 | 180.32.119.25 |
| 150.249.255.161 | 165.63.110.188 |
+------------------+------------------+
10 rows selected (1.031 seconds)
0: jdbc:drill:zk=local> SELECT src_port , dst_port , src_mac_address , dst_mac_address
. . . . . . .semicolon> FROM dfs.test.`testv1.pcap`
. . . . . . .semicolon> WHERE is_corrupt =1 LIMIT 10;
+-----------+-----------+--------------------+--------------------+
| src_port | dst_port | src_mac_address | dst_mac_address |
+-----------+-----------+--------------------+--------------------+
| 57058 | 443 | 00:0C:DB:1F:72:41 | 88:E0:F3:7A:66:F0 |
| 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
| 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
| 443 | 55972 | 00:0C:DB:1F:72:41 | CC:4E:24:1F:4E:00 |
| 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
| 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
| 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
| 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
| 4016 | 7699 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
| 80 | 20706 | 00:0C:DB:1F:72:41 | 00:12:E2:C0:3F:09 |
+-----------+-----------+--------------------+--------------------+
10 rows selected (0.751 seconds)
SELECT getCountryName(src_ip) AS country, COUNT(*) as packet_count FROM dfs.test.`testv1.pcap` WHERE is_corrupt=1 GROUP BY getCountryName(src_ip) ORDER BY packet_count DESC LIMIT 10;
+----------------+---------------+
| country | packet_count |
+----------------+---------------+
| Japan | 269 |
| Taiwan | 124 |
| United States | 105 |
| Unknown | 49 |
| China | 26 |
| South Korea | 8 |
| Australia | 4 |
| Germany | 3 |
| Hong Kong | 2 |
| Italy | 1 |
+----------------+---------------+
10 rows selected (1.519 seconds)
SELECT is_corrupt, COUNT(*) as packet_count FROM dfs.test.`testv1.pcap` GROUP BY is_corrupt;
+-------------+---------------+
| is_corrupt | packet_count |
+-------------+---------------+
| 0 | 6408 |
| 1 | 592 |
+-------------+---------------+
2 rows selected (0.931 seconds)
This PCAP file worked well with Superset also.
> On Feb 10, 2019, at 10:59, Charles Givre <cg...@gmail.com> wrote:
>
> If I can get some more examples of corrupted files I’ll test more thoroughly. Also, we’ll need to apply the same methodology to PCAP-NG, so I’ll need some examples there as well. My strategy is going to be get as much data as possible out of the corrupt packet.
> — C
>
>
>
>> On Feb 10, 2019, at 10:54, Ted Dunning <te...@gmail.com> wrote:
>>
>> I think that accessing fields in corrupted packets will also cause
>> exceptions. But this is a great start. Conditionalizing field access on
>> !is_corrupt() might be sufficient for the next step.
>>
>>
>>
>> On Sun, Feb 10, 2019 at 4:58 AM Charles Givre <cg...@gmail.com> wrote:
>>
>>> All,
>>> I posted the following PR for this issue:
>>> https://github.com/apache/drill/pull/1637 <
>>> https://github.com/apache/drill/pull/1637>
>>>
>>> Basically this PR does two things.
>>> 1. It creates a boolean column called is_corrupt and
>>> 2. If the PCAP file has a corrupt row, it marks that row as corrupt by
>>> setting is_corrupt to true and keeps going
>>>
>>> WIth the example from Giovanni, I was able to find 590 or so corrupt rows
>>> out of 7000 in that PCAP file. It was late and I don’t know if that was
>>> what ti was supposed to find, but it worked and was able to query that.
>>> If you guys could send a few more examples, I’d like to test this on other
>>> files to make sure it works with them. We’re also going to have to do the
>>> same thing for the PCAP-NG format I would assume.
>>>
>>>> On Feb 10, 2019, at 03:07, Ted Dunning <te...@gmail.com> wrote:
>>>>
>>>> On Sat, Feb 9, 2019 at 2:25 PM Bob Rudis <bo...@rud.is> wrote:
>>>>
>>>>> ...
>>>>> And, I did indeed find a few and am just waiting for a formal review so
>>> I
>>>>> can submit them for the Drill dev & tests.
>>>>>
>>>>
>>>> Awesome!
>>>
>>>
>
Re: Drill fails to query pcap files
Posted by Charles Givre <cg...@gmail.com>.
If I can get some more examples of corrupted files I’ll test more thoroughly. Also, we’ll need to apply the same methodology to PCAP-NG, so I’ll need some examples there as well. My strategy is going to be get as much data as possible out of the corrupt packet.
— C
> On Feb 10, 2019, at 10:54, Ted Dunning <te...@gmail.com> wrote:
>
> I think that accessing fields in corrupted packets will also cause
> exceptions. But this is a great start. Conditionalizing field access on
> !is_corrupt() might be sufficient for the next step.
>
>
>
> On Sun, Feb 10, 2019 at 4:58 AM Charles Givre <cg...@gmail.com> wrote:
>
>> All,
>> I posted the following PR for this issue:
>> https://github.com/apache/drill/pull/1637 <
>> https://github.com/apache/drill/pull/1637>
>>
>> Basically this PR does two things.
>> 1. It creates a boolean column called is_corrupt and
>> 2. If the PCAP file has a corrupt row, it marks that row as corrupt by
>> setting is_corrupt to true and keeps going
>>
>> WIth the example from Giovanni, I was able to find 590 or so corrupt rows
>> out of 7000 in that PCAP file. It was late and I don’t know if that was
>> what ti was supposed to find, but it worked and was able to query that.
>> If you guys could send a few more examples, I’d like to test this on other
>> files to make sure it works with them. We’re also going to have to do the
>> same thing for the PCAP-NG format I would assume.
>>
>>> On Feb 10, 2019, at 03:07, Ted Dunning <te...@gmail.com> wrote:
>>>
>>> On Sat, Feb 9, 2019 at 2:25 PM Bob Rudis <bo...@rud.is> wrote:
>>>
>>>> ...
>>>> And, I did indeed find a few and am just waiting for a formal review so
>> I
>>>> can submit them for the Drill dev & tests.
>>>>
>>>
>>> Awesome!
>>
>>
Re: Drill fails to query pcap files
Posted by Ted Dunning <te...@gmail.com>.
I think that accessing fields in corrupted packets will also cause
exceptions. But this is a great start. Conditionalizing field access on
!is_corrupt() might be sufficient for the next step.
On Sun, Feb 10, 2019 at 4:58 AM Charles Givre <cg...@gmail.com> wrote:
> All,
> I posted the following PR for this issue:
> https://github.com/apache/drill/pull/1637 <
> https://github.com/apache/drill/pull/1637>
>
> Basically this PR does two things.
> 1. It creates a boolean column called is_corrupt and
> 2. If the PCAP file has a corrupt row, it marks that row as corrupt by
> setting is_corrupt to true and keeps going
>
> WIth the example from Giovanni, I was able to find 590 or so corrupt rows
> out of 7000 in that PCAP file. It was late and I don’t know if that was
> what ti was supposed to find, but it worked and was able to query that.
> If you guys could send a few more examples, I’d like to test this on other
> files to make sure it works with them. We’re also going to have to do the
> same thing for the PCAP-NG format I would assume.
>
> > On Feb 10, 2019, at 03:07, Ted Dunning <te...@gmail.com> wrote:
> >
> > On Sat, Feb 9, 2019 at 2:25 PM Bob Rudis <bo...@rud.is> wrote:
> >
> >> ...
> >> And, I did indeed find a few and am just waiting for a formal review so
> I
> >> can submit them for the Drill dev & tests.
> >>
> >
> > Awesome!
>
>
Re: Drill fails to query pcap files
Posted by Charles Givre <cg...@gmail.com>.
All,
I posted the following PR for this issue:
https://github.com/apache/drill/pull/1637 <https://github.com/apache/drill/pull/1637>
Basically this PR does two things.
1. It creates a boolean column called is_corrupt and
2. If the PCAP file has a corrupt row, it marks that row as corrupt by setting is_corrupt to true and keeps going
WIth the example from Giovanni, I was able to find 590 or so corrupt rows out of 7000 in that PCAP file. It was late and I don’t know if that was what ti was supposed to find, but it worked and was able to query that. If you guys could send a few more examples, I’d like to test this on other files to make sure it works with them. We’re also going to have to do the same thing for the PCAP-NG format I would assume.
> On Feb 10, 2019, at 03:07, Ted Dunning <te...@gmail.com> wrote:
>
> On Sat, Feb 9, 2019 at 2:25 PM Bob Rudis <bo...@rud.is> wrote:
>
>> ...
>> And, I did indeed find a few and am just waiting for a formal review so I
>> can submit them for the Drill dev & tests.
>>
>
> Awesome!
Re: Drill fails to query pcap files
Posted by Ted Dunning <te...@gmail.com>.
On Sat, Feb 9, 2019 at 2:25 PM Bob Rudis <bo...@rud.is> wrote:
> ...
> And, I did indeed find a few and am just waiting for a formal review so I
> can submit them for the Drill dev & tests.
>
Awesome!
Re: Drill fails to query pcap files
Posted by Bob Rudis <bo...@rud.is>.
Agreed. The reason we have some malformed PCAPs from the global honeypot network is those pesky attackers trying to be clever as they "scapy" their way into breaking their attacks due to shoddy code (more incompetence in this case than capable maliciousness).
And, I did indeed find a few and am just waiting for a formal review so I can submit them for the Drill dev & tests.
-Bob
> On Feb 9, 2019, at 15:55, Ted Dunning <te...@gmail.com> wrote:
>
> I think that returning any usable information from the corrupt packet
> (notably including the package content itself) is important because a
> primary use case of the pcap query is in network forensics where you are
> often looking for malware that is purposely corrupting packets.
>
>
>
> On Thu, Feb 7, 2019 at 9:00 AM Charles Givre <cg...@gmail.com> wrote:
>
>> Hey Ted
>> What do you think the desired behavior should be for corrupt packets?
>> Should Drill just ignore, or should we maybe create a Boolean field like
>> isCorrupt or something and mark corrupt packets as such?
>>
>> Sent from my iPhone
>>
>>> On Feb 7, 2019, at 11:45, Ted Dunning <te...@gmail.com> wrote:
>>>
>>> Giovanni,
>>>
>>> A critical thing to help progress here is sample corrupted data. Even
>> just
>>> information about what kind of corruption you are seeing is important.
>>>
>>> Packet corruption is a key technique of malware so handling bad records
>>> well is of great importance.
>>>
>>>
>>>
>>>> On Thu, Feb 7, 2019 at 3:54 PM GiovanniC <gi...@gmail.com> wrote:
>>>>
>>>> Unfortunately I don’t have more of them at the moment.
>>>>
>>>>> Il giorno 7 feb 2019, alle ore 14:33, Charles Givre <cg...@gmail.com>
>>>> ha scritto:
>>>>>
>>>>> Hi Giovanni,
>>>>> Can you post additional PCAP files that don’t work? Basically, I’m
>>>> going to add some code that will let you set a tolerance level of how
>> many
>>>> errors Drill will tolerate before throwing an exception.
>>>>> — C
>>>>>
>>>>>> On Feb 7, 2019, at 07:33, GiovanniC <gi...@gmail.com> wrote:
>>>>>>
>>>>>> I can help you by doing some test.
>>>>>>
>>>>>>> Il giorno 6 feb 2019, alle ore 18:46, Charles Givre <
>> cgivre@gmail.com>
>>>> ha scritto:
>>>>>>>
>>>>>>> Just create a ticket and I will work on it.
>>>>>>>
>>>>>>> Sent from my iPhone
>>>>>>>
>>>>>>>> On Feb 6, 2019, at 12:35, Giovanni Conte <gi...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> I would like to, but I am not a java dev :(
>>>>>>>>
>>>>>>>> Il giorno mer 6 feb 2019 alle ore 18:31 Arina Yelchiyeva <
>>>>>>>> arina.yelchiyeva@gmail.com> ha scritto:
>>>>>>>>
>>>>>>>>> Contributions are always welcome :)
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>> Arina
>>>>>>>>>
>>>>>>>>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cg...@gmail.com>
>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Giovanni
>>>>>>>>>> I think it would be useful for Drill to have some ability to
>> ignore
>>>>>>>>>> corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
>>>>>>>>>>
>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>
>>>>>>>>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <
>>>> arina.yelchiyeva@gmail.com
>>>>>>>>>>
>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Giovanni,
>>>>>>>>>>>
>>>>>>>>>>> I don't think Drill pcap format reader has such functionality.
>>>>>>>>>>>
>>>>>>>>>>> Kind regards,
>>>>>>>>>>> Arina
>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <
>> gio.cnt@gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>> I'm trying to query a pcap file and I know that there are
>>>> corrupted
>>>>>>>>> rows
>>>>>>>>>>>> (precisely line 6407),
>>>>>>>>>>>> I need a command to skip this rows to avoid the following error:
>>>>>>>>>>>>
>>>>>>>>>>>> Error: INTERNAL_ERROR ERROR: null
>>>>>>>>>>>> Fragment 0:0
>>>>>>>>>>>> Please, refer to logs for more information.
>>>>>>>>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
>>>>>>>>>>>> (state=,code=0)
>>>>>>>>>>>>
>>>>>>>>>>>> [...]
>>>>>>>>>>>>
>>>>>>>>>>>> the complete error is attached in the txt file ()for java
>>>> exceptions,
>>>>>>>>>>>> along with the pcap file used for testing this issue. I would
>>>> like to
>>>>>>>>>> avoid
>>>>>>>>>>>> a pre-parsing of the pcap when a corrupted row is found.
>>>>>>>>>>>> Is there a way to avoid this problem?
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>
>>>>>>>>>>>> Giovanni
>>>>>>>>>>>>
>>>>>>>>>>>> OS: Ubuntu 18.4
>>>>>>>>>>>> Drill version: 1.15.0
>>>>>>>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>
>>>>
>>
Re: Drill fails to query pcap files
Posted by Ted Dunning <te...@gmail.com>.
I think that returning any usable information from the corrupt packet
(notably including the package content itself) is important because a
primary use case of the pcap query is in network forensics where you are
often looking for malware that is purposely corrupting packets.
On Thu, Feb 7, 2019 at 9:00 AM Charles Givre <cg...@gmail.com> wrote:
> Hey Ted
> What do you think the desired behavior should be for corrupt packets?
> Should Drill just ignore, or should we maybe create a Boolean field like
> isCorrupt or something and mark corrupt packets as such?
>
> Sent from my iPhone
>
> > On Feb 7, 2019, at 11:45, Ted Dunning <te...@gmail.com> wrote:
> >
> > Giovanni,
> >
> > A critical thing to help progress here is sample corrupted data. Even
> just
> > information about what kind of corruption you are seeing is important.
> >
> > Packet corruption is a key technique of malware so handling bad records
> > well is of great importance.
> >
> >
> >
> >> On Thu, Feb 7, 2019 at 3:54 PM GiovanniC <gi...@gmail.com> wrote:
> >>
> >> Unfortunately I don’t have more of them at the moment.
> >>
> >>> Il giorno 7 feb 2019, alle ore 14:33, Charles Givre <cg...@gmail.com>
> >> ha scritto:
> >>>
> >>> Hi Giovanni,
> >>> Can you post additional PCAP files that don’t work? Basically, I’m
> >> going to add some code that will let you set a tolerance level of how
> many
> >> errors Drill will tolerate before throwing an exception.
> >>> — C
> >>>
> >>>> On Feb 7, 2019, at 07:33, GiovanniC <gi...@gmail.com> wrote:
> >>>>
> >>>> I can help you by doing some test.
> >>>>
> >>>>> Il giorno 6 feb 2019, alle ore 18:46, Charles Givre <
> cgivre@gmail.com>
> >> ha scritto:
> >>>>>
> >>>>> Just create a ticket and I will work on it.
> >>>>>
> >>>>> Sent from my iPhone
> >>>>>
> >>>>>> On Feb 6, 2019, at 12:35, Giovanni Conte <gi...@gmail.com> wrote:
> >>>>>>
> >>>>>> I would like to, but I am not a java dev :(
> >>>>>>
> >>>>>> Il giorno mer 6 feb 2019 alle ore 18:31 Arina Yelchiyeva <
> >>>>>> arina.yelchiyeva@gmail.com> ha scritto:
> >>>>>>
> >>>>>>> Contributions are always welcome :)
> >>>>>>>
> >>>>>>> Kind regards,
> >>>>>>> Arina
> >>>>>>>
> >>>>>>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cg...@gmail.com>
> >> wrote:
> >>>>>>>>
> >>>>>>>> Hi Giovanni
> >>>>>>>> I think it would be useful for Drill to have some ability to
> ignore
> >>>>>>>> corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
> >>>>>>>>
> >>>>>>>> Sent from my iPhone
> >>>>>>>>
> >>>>>>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <
> >> arina.yelchiyeva@gmail.com
> >>>>>>>>
> >>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>> Hi Giovanni,
> >>>>>>>>>
> >>>>>>>>> I don't think Drill pcap format reader has such functionality.
> >>>>>>>>>
> >>>>>>>>> Kind regards,
> >>>>>>>>> Arina
> >>>>>>>>>
> >>>>>>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <
> gio.cnt@gmail.com>
> >>>>>>>> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Hi,
> >>>>>>>>>> I'm trying to query a pcap file and I know that there are
> >> corrupted
> >>>>>>> rows
> >>>>>>>>>> (precisely line 6407),
> >>>>>>>>>> I need a command to skip this rows to avoid the following error:
> >>>>>>>>>>
> >>>>>>>>>> Error: INTERNAL_ERROR ERROR: null
> >>>>>>>>>> Fragment 0:0
> >>>>>>>>>> Please, refer to logs for more information.
> >>>>>>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
> >>>>>>>>>> (state=,code=0)
> >>>>>>>>>>
> >>>>>>>>>> [...]
> >>>>>>>>>>
> >>>>>>>>>> the complete error is attached in the txt file ()for java
> >> exceptions,
> >>>>>>>>>> along with the pcap file used for testing this issue. I would
> >> like to
> >>>>>>>> avoid
> >>>>>>>>>> a pre-parsing of the pcap when a corrupted row is found.
> >>>>>>>>>> Is there a way to avoid this problem?
> >>>>>>>>>> Thanks,
> >>>>>>>>>>
> >>>>>>>>>> Giovanni
> >>>>>>>>>>
> >>>>>>>>>> OS: Ubuntu 18.4
> >>>>>>>>>> Drill version: 1.15.0
> >>>>>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
> >>>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>
> >>
>
Re: Drill fails to query pcap files
Posted by Charles Givre <cg...@gmail.com>.
Hey Ted
What do you think the desired behavior should be for corrupt packets? Should Drill just ignore, or should we maybe create a Boolean field like isCorrupt or something and mark corrupt packets as such?
Sent from my iPhone
> On Feb 7, 2019, at 11:45, Ted Dunning <te...@gmail.com> wrote:
>
> Giovanni,
>
> A critical thing to help progress here is sample corrupted data. Even just
> information about what kind of corruption you are seeing is important.
>
> Packet corruption is a key technique of malware so handling bad records
> well is of great importance.
>
>
>
>> On Thu, Feb 7, 2019 at 3:54 PM GiovanniC <gi...@gmail.com> wrote:
>>
>> Unfortunately I don’t have more of them at the moment.
>>
>>> Il giorno 7 feb 2019, alle ore 14:33, Charles Givre <cg...@gmail.com>
>> ha scritto:
>>>
>>> Hi Giovanni,
>>> Can you post additional PCAP files that don’t work? Basically, I’m
>> going to add some code that will let you set a tolerance level of how many
>> errors Drill will tolerate before throwing an exception.
>>> — C
>>>
>>>> On Feb 7, 2019, at 07:33, GiovanniC <gi...@gmail.com> wrote:
>>>>
>>>> I can help you by doing some test.
>>>>
>>>>> Il giorno 6 feb 2019, alle ore 18:46, Charles Givre <cg...@gmail.com>
>> ha scritto:
>>>>>
>>>>> Just create a ticket and I will work on it.
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>>> On Feb 6, 2019, at 12:35, Giovanni Conte <gi...@gmail.com> wrote:
>>>>>>
>>>>>> I would like to, but I am not a java dev :(
>>>>>>
>>>>>> Il giorno mer 6 feb 2019 alle ore 18:31 Arina Yelchiyeva <
>>>>>> arina.yelchiyeva@gmail.com> ha scritto:
>>>>>>
>>>>>>> Contributions are always welcome :)
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Arina
>>>>>>>
>>>>>>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cg...@gmail.com>
>> wrote:
>>>>>>>>
>>>>>>>> Hi Giovanni
>>>>>>>> I think it would be useful for Drill to have some ability to ignore
>>>>>>>> corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
>>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <
>> arina.yelchiyeva@gmail.com
>>>>>>>>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Hi Giovanni,
>>>>>>>>>
>>>>>>>>> I don't think Drill pcap format reader has such functionality.
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>> Arina
>>>>>>>>>
>>>>>>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <gi...@gmail.com>
>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>> I'm trying to query a pcap file and I know that there are
>> corrupted
>>>>>>> rows
>>>>>>>>>> (precisely line 6407),
>>>>>>>>>> I need a command to skip this rows to avoid the following error:
>>>>>>>>>>
>>>>>>>>>> Error: INTERNAL_ERROR ERROR: null
>>>>>>>>>> Fragment 0:0
>>>>>>>>>> Please, refer to logs for more information.
>>>>>>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
>>>>>>>>>> (state=,code=0)
>>>>>>>>>>
>>>>>>>>>> [...]
>>>>>>>>>>
>>>>>>>>>> the complete error is attached in the txt file ()for java
>> exceptions,
>>>>>>>>>> along with the pcap file used for testing this issue. I would
>> like to
>>>>>>>> avoid
>>>>>>>>>> a pre-parsing of the pcap when a corrupted row is found.
>>>>>>>>>> Is there a way to avoid this problem?
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Giovanni
>>>>>>>>>>
>>>>>>>>>> OS: Ubuntu 18.4
>>>>>>>>>> Drill version: 1.15.0
>>>>>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
>>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>
>>
Re: Drill fails to query pcap files
Posted by Ted Dunning <te...@gmail.com>.
Giovanni,
A critical thing to help progress here is sample corrupted data. Even just
information about what kind of corruption you are seeing is important.
Packet corruption is a key technique of malware so handling bad records
well is of great importance.
On Thu, Feb 7, 2019 at 3:54 PM GiovanniC <gi...@gmail.com> wrote:
> Unfortunately I don’t have more of them at the moment.
>
> > Il giorno 7 feb 2019, alle ore 14:33, Charles Givre <cg...@gmail.com>
> ha scritto:
> >
> > Hi Giovanni,
> > Can you post additional PCAP files that don’t work? Basically, I’m
> going to add some code that will let you set a tolerance level of how many
> errors Drill will tolerate before throwing an exception.
> > — C
> >
> >> On Feb 7, 2019, at 07:33, GiovanniC <gi...@gmail.com> wrote:
> >>
> >> I can help you by doing some test.
> >>
> >>> Il giorno 6 feb 2019, alle ore 18:46, Charles Givre <cg...@gmail.com>
> ha scritto:
> >>>
> >>> Just create a ticket and I will work on it.
> >>>
> >>> Sent from my iPhone
> >>>
> >>>> On Feb 6, 2019, at 12:35, Giovanni Conte <gi...@gmail.com> wrote:
> >>>>
> >>>> I would like to, but I am not a java dev :(
> >>>>
> >>>> Il giorno mer 6 feb 2019 alle ore 18:31 Arina Yelchiyeva <
> >>>> arina.yelchiyeva@gmail.com> ha scritto:
> >>>>
> >>>>> Contributions are always welcome :)
> >>>>>
> >>>>> Kind regards,
> >>>>> Arina
> >>>>>
> >>>>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cg...@gmail.com>
> wrote:
> >>>>>>
> >>>>>> Hi Giovanni
> >>>>>> I think it would be useful for Drill to have some ability to ignore
> >>>>>> corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
> >>>>>>
> >>>>>> Sent from my iPhone
> >>>>>>
> >>>>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <
> arina.yelchiyeva@gmail.com
> >>>>>>
> >>>>>> wrote:
> >>>>>>>
> >>>>>>> Hi Giovanni,
> >>>>>>>
> >>>>>>> I don't think Drill pcap format reader has such functionality.
> >>>>>>>
> >>>>>>> Kind regards,
> >>>>>>> Arina
> >>>>>>>
> >>>>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <gi...@gmail.com>
> >>>>>> wrote:
> >>>>>>>>
> >>>>>>>> Hi,
> >>>>>>>> I'm trying to query a pcap file and I know that there are
> corrupted
> >>>>> rows
> >>>>>>>> (precisely line 6407),
> >>>>>>>> I need a command to skip this rows to avoid the following error:
> >>>>>>>>
> >>>>>>>> Error: INTERNAL_ERROR ERROR: null
> >>>>>>>> Fragment 0:0
> >>>>>>>> Please, refer to logs for more information.
> >>>>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
> >>>>>>>> (state=,code=0)
> >>>>>>>>
> >>>>>>>> [...]
> >>>>>>>>
> >>>>>>>> the complete error is attached in the txt file ()for java
> exceptions,
> >>>>>>>> along with the pcap file used for testing this issue. I would
> like to
> >>>>>> avoid
> >>>>>>>> a pre-parsing of the pcap when a corrupted row is found.
> >>>>>>>> Is there a way to avoid this problem?
> >>>>>>>> Thanks,
> >>>>>>>>
> >>>>>>>> Giovanni
> >>>>>>>>
> >>>>>>>> OS: Ubuntu 18.4
> >>>>>>>> Drill version: 1.15.0
> >>>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
> >>>>>>>>
> >>>>>>
> >>>>>
> >
>
Re: Drill fails to query pcap files
Posted by Ted Dunning <te...@gmail.com>.
Bob,
That would be an awesome contribution!
On Thu, Feb 7, 2019 at 5:45 PM Bob Rudis <bo...@rud.is> wrote:
> Sir Givre:
>
> I'll be able to (likely this weekend) go back ~18mos and re-test a
> bunch of our honeypot PCAP files (I remember various ones failing at
> the time). If I do find "bad" ones, they'll be old enough that we
> won't care abt a sample PCAP or two exposing honeypots IPs (since
> they're not there anymore) and shld provide a good base for dev and
> unit tests.
>
> -Bbo
>
> On Thu, Feb 7, 2019 at 9:54 AM GiovanniC <gi...@gmail.com> wrote:
> >
> > Unfortunately I don’t have more of them at the moment.
> >
> > > Il giorno 7 feb 2019, alle ore 14:33, Charles Givre <cg...@gmail.com>
> ha scritto:
> > >
> > > Hi Giovanni,
> > > Can you post additional PCAP files that don’t work? Basically, I’m
> going to add some code that will let you set a tolerance level of how many
> errors Drill will tolerate before throwing an exception.
> > > — C
> > >
> > >> On Feb 7, 2019, at 07:33, GiovanniC <gi...@gmail.com> wrote:
> > >>
> > >> I can help you by doing some test.
> > >>
> > >>> Il giorno 6 feb 2019, alle ore 18:46, Charles Givre <
> cgivre@gmail.com> ha scritto:
> > >>>
> > >>> Just create a ticket and I will work on it.
> > >>>
> > >>> Sent from my iPhone
> > >>>
> > >>>> On Feb 6, 2019, at 12:35, Giovanni Conte <gi...@gmail.com> wrote:
> > >>>>
> > >>>> I would like to, but I am not a java dev :(
> > >>>>
> > >>>> Il giorno mer 6 feb 2019 alle ore 18:31 Arina Yelchiyeva <
> > >>>> arina.yelchiyeva@gmail.com> ha scritto:
> > >>>>
> > >>>>> Contributions are always welcome :)
> > >>>>>
> > >>>>> Kind regards,
> > >>>>> Arina
> > >>>>>
> > >>>>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cg...@gmail.com>
> wrote:
> > >>>>>>
> > >>>>>> Hi Giovanni
> > >>>>>> I think it would be useful for Drill to have some ability to
> ignore
> > >>>>>> corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
> > >>>>>>
> > >>>>>> Sent from my iPhone
> > >>>>>>
> > >>>>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <
> arina.yelchiyeva@gmail.com
> > >>>>>>
> > >>>>>> wrote:
> > >>>>>>>
> > >>>>>>> Hi Giovanni,
> > >>>>>>>
> > >>>>>>> I don't think Drill pcap format reader has such functionality.
> > >>>>>>>
> > >>>>>>> Kind regards,
> > >>>>>>> Arina
> > >>>>>>>
> > >>>>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <
> gio.cnt@gmail.com>
> > >>>>>> wrote:
> > >>>>>>>>
> > >>>>>>>> Hi,
> > >>>>>>>> I'm trying to query a pcap file and I know that there are
> corrupted
> > >>>>> rows
> > >>>>>>>> (precisely line 6407),
> > >>>>>>>> I need a command to skip this rows to avoid the following error:
> > >>>>>>>>
> > >>>>>>>> Error: INTERNAL_ERROR ERROR: null
> > >>>>>>>> Fragment 0:0
> > >>>>>>>> Please, refer to logs for more information.
> > >>>>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
> > >>>>>>>> (state=,code=0)
> > >>>>>>>>
> > >>>>>>>> [...]
> > >>>>>>>>
> > >>>>>>>> the complete error is attached in the txt file ()for java
> exceptions,
> > >>>>>>>> along with the pcap file used for testing this issue. I would
> like to
> > >>>>>> avoid
> > >>>>>>>> a pre-parsing of the pcap when a corrupted row is found.
> > >>>>>>>> Is there a way to avoid this problem?
> > >>>>>>>> Thanks,
> > >>>>>>>>
> > >>>>>>>> Giovanni
> > >>>>>>>>
> > >>>>>>>> OS: Ubuntu 18.4
> > >>>>>>>> Drill version: 1.15.0
> > >>>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
> > >>>>>>>>
> > >>>>>>
> > >>>>>
> > >
>
Re: Drill fails to query pcap files
Posted by Bob Rudis <bo...@rud.is>.
Sir Givre:
I'll be able to (likely this weekend) go back ~18mos and re-test a
bunch of our honeypot PCAP files (I remember various ones failing at
the time). If I do find "bad" ones, they'll be old enough that we
won't care abt a sample PCAP or two exposing honeypots IPs (since
they're not there anymore) and shld provide a good base for dev and
unit tests.
-Bbo
On Thu, Feb 7, 2019 at 9:54 AM GiovanniC <gi...@gmail.com> wrote:
>
> Unfortunately I don’t have more of them at the moment.
>
> > Il giorno 7 feb 2019, alle ore 14:33, Charles Givre <cg...@gmail.com> ha scritto:
> >
> > Hi Giovanni,
> > Can you post additional PCAP files that don’t work? Basically, I’m going to add some code that will let you set a tolerance level of how many errors Drill will tolerate before throwing an exception.
> > — C
> >
> >> On Feb 7, 2019, at 07:33, GiovanniC <gi...@gmail.com> wrote:
> >>
> >> I can help you by doing some test.
> >>
> >>> Il giorno 6 feb 2019, alle ore 18:46, Charles Givre <cg...@gmail.com> ha scritto:
> >>>
> >>> Just create a ticket and I will work on it.
> >>>
> >>> Sent from my iPhone
> >>>
> >>>> On Feb 6, 2019, at 12:35, Giovanni Conte <gi...@gmail.com> wrote:
> >>>>
> >>>> I would like to, but I am not a java dev :(
> >>>>
> >>>> Il giorno mer 6 feb 2019 alle ore 18:31 Arina Yelchiyeva <
> >>>> arina.yelchiyeva@gmail.com> ha scritto:
> >>>>
> >>>>> Contributions are always welcome :)
> >>>>>
> >>>>> Kind regards,
> >>>>> Arina
> >>>>>
> >>>>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cg...@gmail.com> wrote:
> >>>>>>
> >>>>>> Hi Giovanni
> >>>>>> I think it would be useful for Drill to have some ability to ignore
> >>>>>> corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
> >>>>>>
> >>>>>> Sent from my iPhone
> >>>>>>
> >>>>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <arina.yelchiyeva@gmail.com
> >>>>>>
> >>>>>> wrote:
> >>>>>>>
> >>>>>>> Hi Giovanni,
> >>>>>>>
> >>>>>>> I don't think Drill pcap format reader has such functionality.
> >>>>>>>
> >>>>>>> Kind regards,
> >>>>>>> Arina
> >>>>>>>
> >>>>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <gi...@gmail.com>
> >>>>>> wrote:
> >>>>>>>>
> >>>>>>>> Hi,
> >>>>>>>> I'm trying to query a pcap file and I know that there are corrupted
> >>>>> rows
> >>>>>>>> (precisely line 6407),
> >>>>>>>> I need a command to skip this rows to avoid the following error:
> >>>>>>>>
> >>>>>>>> Error: INTERNAL_ERROR ERROR: null
> >>>>>>>> Fragment 0:0
> >>>>>>>> Please, refer to logs for more information.
> >>>>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
> >>>>>>>> (state=,code=0)
> >>>>>>>>
> >>>>>>>> [...]
> >>>>>>>>
> >>>>>>>> the complete error is attached in the txt file ()for java exceptions,
> >>>>>>>> along with the pcap file used for testing this issue. I would like to
> >>>>>> avoid
> >>>>>>>> a pre-parsing of the pcap when a corrupted row is found.
> >>>>>>>> Is there a way to avoid this problem?
> >>>>>>>> Thanks,
> >>>>>>>>
> >>>>>>>> Giovanni
> >>>>>>>>
> >>>>>>>> OS: Ubuntu 18.4
> >>>>>>>> Drill version: 1.15.0
> >>>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
> >>>>>>>>
> >>>>>>
> >>>>>
> >
Re: Drill fails to query pcap files
Posted by GiovanniC <gi...@gmail.com>.
Unfortunately I don’t have more of them at the moment.
> Il giorno 7 feb 2019, alle ore 14:33, Charles Givre <cg...@gmail.com> ha scritto:
>
> Hi Giovanni,
> Can you post additional PCAP files that don’t work? Basically, I’m going to add some code that will let you set a tolerance level of how many errors Drill will tolerate before throwing an exception.
> — C
>
>> On Feb 7, 2019, at 07:33, GiovanniC <gi...@gmail.com> wrote:
>>
>> I can help you by doing some test.
>>
>>> Il giorno 6 feb 2019, alle ore 18:46, Charles Givre <cg...@gmail.com> ha scritto:
>>>
>>> Just create a ticket and I will work on it.
>>>
>>> Sent from my iPhone
>>>
>>>> On Feb 6, 2019, at 12:35, Giovanni Conte <gi...@gmail.com> wrote:
>>>>
>>>> I would like to, but I am not a java dev :(
>>>>
>>>> Il giorno mer 6 feb 2019 alle ore 18:31 Arina Yelchiyeva <
>>>> arina.yelchiyeva@gmail.com> ha scritto:
>>>>
>>>>> Contributions are always welcome :)
>>>>>
>>>>> Kind regards,
>>>>> Arina
>>>>>
>>>>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cg...@gmail.com> wrote:
>>>>>>
>>>>>> Hi Giovanni
>>>>>> I think it would be useful for Drill to have some ability to ignore
>>>>>> corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
>>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <arina.yelchiyeva@gmail.com
>>>>>>
>>>>>> wrote:
>>>>>>>
>>>>>>> Hi Giovanni,
>>>>>>>
>>>>>>> I don't think Drill pcap format reader has such functionality.
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Arina
>>>>>>>
>>>>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <gi...@gmail.com>
>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I'm trying to query a pcap file and I know that there are corrupted
>>>>> rows
>>>>>>>> (precisely line 6407),
>>>>>>>> I need a command to skip this rows to avoid the following error:
>>>>>>>>
>>>>>>>> Error: INTERNAL_ERROR ERROR: null
>>>>>>>> Fragment 0:0
>>>>>>>> Please, refer to logs for more information.
>>>>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
>>>>>>>> (state=,code=0)
>>>>>>>>
>>>>>>>> [...]
>>>>>>>>
>>>>>>>> the complete error is attached in the txt file ()for java exceptions,
>>>>>>>> along with the pcap file used for testing this issue. I would like to
>>>>>> avoid
>>>>>>>> a pre-parsing of the pcap when a corrupted row is found.
>>>>>>>> Is there a way to avoid this problem?
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Giovanni
>>>>>>>>
>>>>>>>> OS: Ubuntu 18.4
>>>>>>>> Drill version: 1.15.0
>>>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
>>>>>>>>
>>>>>>
>>>>>
>
Re: Drill fails to query pcap files
Posted by Charles Givre <cg...@gmail.com>.
Hi Giovanni,
Can you post additional PCAP files that don’t work? Basically, I’m going to add some code that will let you set a tolerance level of how many errors Drill will tolerate before throwing an exception.
— C
> On Feb 7, 2019, at 07:33, GiovanniC <gi...@gmail.com> wrote:
>
> I can help you by doing some test.
>
>> Il giorno 6 feb 2019, alle ore 18:46, Charles Givre <cg...@gmail.com> ha scritto:
>>
>> Just create a ticket and I will work on it.
>>
>> Sent from my iPhone
>>
>>> On Feb 6, 2019, at 12:35, Giovanni Conte <gi...@gmail.com> wrote:
>>>
>>> I would like to, but I am not a java dev :(
>>>
>>> Il giorno mer 6 feb 2019 alle ore 18:31 Arina Yelchiyeva <
>>> arina.yelchiyeva@gmail.com> ha scritto:
>>>
>>>> Contributions are always welcome :)
>>>>
>>>> Kind regards,
>>>> Arina
>>>>
>>>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cg...@gmail.com> wrote:
>>>>>
>>>>> Hi Giovanni
>>>>> I think it would be useful for Drill to have some ability to ignore
>>>>> corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <arina.yelchiyeva@gmail.com
>>>>>
>>>>> wrote:
>>>>>>
>>>>>> Hi Giovanni,
>>>>>>
>>>>>> I don't think Drill pcap format reader has such functionality.
>>>>>>
>>>>>> Kind regards,
>>>>>> Arina
>>>>>>
>>>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <gi...@gmail.com>
>>>>> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>> I'm trying to query a pcap file and I know that there are corrupted
>>>> rows
>>>>>>> (precisely line 6407),
>>>>>>> I need a command to skip this rows to avoid the following error:
>>>>>>>
>>>>>>> Error: INTERNAL_ERROR ERROR: null
>>>>>>> Fragment 0:0
>>>>>>> Please, refer to logs for more information.
>>>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
>>>>>>> (state=,code=0)
>>>>>>>
>>>>>>> [...]
>>>>>>>
>>>>>>> the complete error is attached in the txt file ()for java exceptions,
>>>>>>> along with the pcap file used for testing this issue. I would like to
>>>>> avoid
>>>>>>> a pre-parsing of the pcap when a corrupted row is found.
>>>>>>> Is there a way to avoid this problem?
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Giovanni
>>>>>>>
>>>>>>> OS: Ubuntu 18.4
>>>>>>> Drill version: 1.15.0
>>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
>>>>>>>
>>>>>
>>>>
Re: Drill fails to query pcap files
Posted by GiovanniC <gi...@gmail.com>.
I can help you by doing some test.
> Il giorno 6 feb 2019, alle ore 18:46, Charles Givre <cg...@gmail.com> ha scritto:
>
> Just create a ticket and I will work on it.
>
> Sent from my iPhone
>
>> On Feb 6, 2019, at 12:35, Giovanni Conte <gi...@gmail.com> wrote:
>>
>> I would like to, but I am not a java dev :(
>>
>> Il giorno mer 6 feb 2019 alle ore 18:31 Arina Yelchiyeva <
>> arina.yelchiyeva@gmail.com> ha scritto:
>>
>>> Contributions are always welcome :)
>>>
>>> Kind regards,
>>> Arina
>>>
>>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cg...@gmail.com> wrote:
>>>>
>>>> Hi Giovanni
>>>> I think it would be useful for Drill to have some ability to ignore
>>>> corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <arina.yelchiyeva@gmail.com
>>>>
>>>> wrote:
>>>>>
>>>>> Hi Giovanni,
>>>>>
>>>>> I don't think Drill pcap format reader has such functionality.
>>>>>
>>>>> Kind regards,
>>>>> Arina
>>>>>
>>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <gi...@gmail.com>
>>>> wrote:
>>>>>>
>>>>>> Hi,
>>>>>> I'm trying to query a pcap file and I know that there are corrupted
>>> rows
>>>>>> (precisely line 6407),
>>>>>> I need a command to skip this rows to avoid the following error:
>>>>>>
>>>>>> Error: INTERNAL_ERROR ERROR: null
>>>>>> Fragment 0:0
>>>>>> Please, refer to logs for more information.
>>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
>>>>>> (state=,code=0)
>>>>>>
>>>>>> [...]
>>>>>>
>>>>>> the complete error is attached in the txt file ()for java exceptions,
>>>>>> along with the pcap file used for testing this issue. I would like to
>>>> avoid
>>>>>> a pre-parsing of the pcap when a corrupted row is found.
>>>>>> Is there a way to avoid this problem?
>>>>>> Thanks,
>>>>>>
>>>>>> Giovanni
>>>>>>
>>>>>> OS: Ubuntu 18.4
>>>>>> Drill version: 1.15.0
>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
>>>>>>
>>>>
>>>
Re: Drill fails to query pcap files
Posted by Charles Givre <cg...@gmail.com>.
Just create a ticket and I will work on it.
Sent from my iPhone
> On Feb 6, 2019, at 12:35, Giovanni Conte <gi...@gmail.com> wrote:
>
> I would like to, but I am not a java dev :(
>
> Il giorno mer 6 feb 2019 alle ore 18:31 Arina Yelchiyeva <
> arina.yelchiyeva@gmail.com> ha scritto:
>
>> Contributions are always welcome :)
>>
>> Kind regards,
>> Arina
>>
>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cg...@gmail.com> wrote:
>>>
>>> Hi Giovanni
>>> I think it would be useful for Drill to have some ability to ignore
>>> corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
>>>
>>> Sent from my iPhone
>>>
>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <arina.yelchiyeva@gmail.com
>>>
>>> wrote:
>>>>
>>>> Hi Giovanni,
>>>>
>>>> I don't think Drill pcap format reader has such functionality.
>>>>
>>>> Kind regards,
>>>> Arina
>>>>
>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <gi...@gmail.com>
>>> wrote:
>>>>>
>>>>> Hi,
>>>>> I'm trying to query a pcap file and I know that there are corrupted
>> rows
>>>>> (precisely line 6407),
>>>>> I need a command to skip this rows to avoid the following error:
>>>>>
>>>>> Error: INTERNAL_ERROR ERROR: null
>>>>> Fragment 0:0
>>>>> Please, refer to logs for more information.
>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
>>>>> (state=,code=0)
>>>>>
>>>>> [...]
>>>>>
>>>>> the complete error is attached in the txt file ()for java exceptions,
>>>>> along with the pcap file used for testing this issue. I would like to
>>> avoid
>>>>> a pre-parsing of the pcap when a corrupted row is found.
>>>>> Is there a way to avoid this problem?
>>>>> Thanks,
>>>>>
>>>>> Giovanni
>>>>>
>>>>> OS: Ubuntu 18.4
>>>>> Drill version: 1.15.0
>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
>>>>>
>>>
>>
Re: Drill fails to query pcap files
Posted by Giovanni Conte <gi...@gmail.com>.
I would like to, but I am not a java dev :(
Il giorno mer 6 feb 2019 alle ore 18:31 Arina Yelchiyeva <
arina.yelchiyeva@gmail.com> ha scritto:
> Contributions are always welcome :)
>
> Kind regards,
> Arina
>
> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cg...@gmail.com> wrote:
>
> > Hi Giovanni
> > I think it would be useful for Drill to have some ability to ignore
> > corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
> >
> > Sent from my iPhone
> >
> > > On Feb 6, 2019, at 12:15, Arina Yelchiyeva <arina.yelchiyeva@gmail.com
> >
> > wrote:
> > >
> > > Hi Giovanni,
> > >
> > > I don't think Drill pcap format reader has such functionality.
> > >
> > > Kind regards,
> > > Arina
> > >
> > >> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <gi...@gmail.com>
> > wrote:
> > >>
> > >> Hi,
> > >> I'm trying to query a pcap file and I know that there are corrupted
> rows
> > >> (precisely line 6407),
> > >> I need a command to skip this rows to avoid the following error:
> > >>
> > >> Error: INTERNAL_ERROR ERROR: null
> > >> Fragment 0:0
> > >> Please, refer to logs for more information.
> > >> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
> > >> (state=,code=0)
> > >>
> > >> [...]
> > >>
> > >> the complete error is attached in the txt file ()for java exceptions,
> > >> along with the pcap file used for testing this issue. I would like to
> > avoid
> > >> a pre-parsing of the pcap when a corrupted row is found.
> > >> Is there a way to avoid this problem?
> > >> Thanks,
> > >>
> > >> Giovanni
> > >>
> > >> OS: Ubuntu 18.4
> > >> Drill version: 1.15.0
> > >> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
> > >>
> >
>
Re: Drill fails to query pcap files
Posted by Arina Yelchiyeva <ar...@gmail.com>.
Contributions are always welcome :)
Kind regards,
Arina
On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cg...@gmail.com> wrote:
> Hi Giovanni
> I think it would be useful for Drill to have some ability to ignore
> corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
>
> Sent from my iPhone
>
> > On Feb 6, 2019, at 12:15, Arina Yelchiyeva <ar...@gmail.com>
> wrote:
> >
> > Hi Giovanni,
> >
> > I don't think Drill pcap format reader has such functionality.
> >
> > Kind regards,
> > Arina
> >
> >> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <gi...@gmail.com>
> wrote:
> >>
> >> Hi,
> >> I'm trying to query a pcap file and I know that there are corrupted rows
> >> (precisely line 6407),
> >> I need a command to skip this rows to avoid the following error:
> >>
> >> Error: INTERNAL_ERROR ERROR: null
> >> Fragment 0:0
> >> Please, refer to logs for more information.
> >> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
> >> (state=,code=0)
> >>
> >> [...]
> >>
> >> the complete error is attached in the txt file ()for java exceptions,
> >> along with the pcap file used for testing this issue. I would like to
> avoid
> >> a pre-parsing of the pcap when a corrupted row is found.
> >> Is there a way to avoid this problem?
> >> Thanks,
> >>
> >> Giovanni
> >>
> >> OS: Ubuntu 18.4
> >> Drill version: 1.15.0
> >> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
> >>
>
Re: Drill fails to query pcap files
Posted by Charles Givre <cg...@gmail.com>.
Hi Giovanni
I think it would be useful for Drill to have some ability to ignore corrupt rows in a PCAP file. Can you open a JIRA ticket for this?
Sent from my iPhone
> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <ar...@gmail.com> wrote:
>
> Hi Giovanni,
>
> I don't think Drill pcap format reader has such functionality.
>
> Kind regards,
> Arina
>
>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <gi...@gmail.com> wrote:
>>
>> Hi,
>> I'm trying to query a pcap file and I know that there are corrupted rows
>> (precisely line 6407),
>> I need a command to skip this rows to avoid the following error:
>>
>> Error: INTERNAL_ERROR ERROR: null
>> Fragment 0:0
>> Please, refer to logs for more information.
>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
>> (state=,code=0)
>>
>> [...]
>>
>> the complete error is attached in the txt file ()for java exceptions,
>> along with the pcap file used for testing this issue. I would like to avoid
>> a pre-parsing of the pcap when a corrupted row is found.
>> Is there a way to avoid this problem?
>> Thanks,
>>
>> Giovanni
>>
>> OS: Ubuntu 18.4
>> Drill version: 1.15.0
>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
>>
Re: Drill fails to query pcap files
Posted by Arina Yelchiyeva <ar...@gmail.com>.
Hi Giovanni,
I don't think Drill pcap format reader has such functionality.
Kind regards,
Arina
On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <gi...@gmail.com> wrote:
> Hi,
> I'm trying to query a pcap file and I know that there are corrupted rows
> (precisely line 6407),
> I need a command to skip this rows to avoid the following error:
>
> Error: INTERNAL_ERROR ERROR: null
> Fragment 0:0
> Please, refer to logs for more information.
> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
> (state=,code=0)
>
> [...]
>
> the complete error is attached in the txt file ()for java exceptions,
> along with the pcap file used for testing this issue. I would like to avoid
> a pre-parsing of the pcap when a corrupted row is found.
> Is there a way to avoid this problem?
> Thanks,
>
> Giovanni
>
> OS: Ubuntu 18.4
> Drill version: 1.15.0
> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
>