Bogus packets generated by packet capture #4087

Open
oshaked1 opened this issue May 29, 2024 · 0 comments
Description

When capturing network packets on an active system, bogus packets are generated. This only seems to happen when snaplen is set to max.

To reproduce the issue, first create some network activity. I found that running the following client-server Python script generates enough traffic:

# Server
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('127.0.0.1', 12345))
s.listen()
c, _ = s.accept()
# Drain whatever the client sends; recv() returns b'' once the client disconnects,
# so stop there instead of spinning on an empty socket.
while True:
    if not c.recv(1024):
        break
c.close()
s.close()

# Client
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 12345))
# Send 500-byte chunks over loopback until interrupted (Ctrl-C once enough traffic is captured).
while True:
    s.send(b'hello' * 100)

After that, run tracee as follows:

$ sudo dist/tracee -c network -c pcap:single -c pcap-snaplen:max

After a few seconds, stop tracee and open /tmp/tracee/out/pcap/single.pcap in Wireshark. Bogus packets should appear, for example:

[screenshot: Wireshark packet list showing the bogus packets]

As can be seen, the size is massive (64KB), the protocol field does not make sense and the addresses are bogus.

Output of tracee version:

Tracee version: v0.21.0-rc-46-g940917f54

Output of uname -a:

Linux ********** 6.1.21.2-microsoft-standard-WSL2 #1 SMP Sun Mar 17 10:40:08 IST 2024 x86_64 x86_64 x86_64 GNU/Linux
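The report above judges the capture by eye in Wireshark. As an added example (not tracee's code and not from the reporter), the script below reads a classic pcap file and flags records that look like the ones described: frames whose length is far beyond the link MTU, records whose capture length is inconsistent with the file's snaplen, Ethernet frames with an unknown ethertype, and IPv4 headers with a nonsense version, header length, protocol number or reserved source address. The sample pcap it builds is constructed in-memory (the snaplen value 262144, the MAC addresses and port numbers are invented); the 64 KiB garbage record mirrors the size mentioned in the report. It handles only Ethernet-framed classic pcap, not pcapng.

```python
"""Sanity-check records in a classic pcap file (added example, not tracee's own code)."""
import struct
import sys
import ipaddress

LINKTYPE_ETHERNET = 1
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x8100: "VLAN"}
# IANA protocol numbers ordinary host traffic is expected to contain.
KNOWN_IP_PROTOS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}


def parse_pcap(data):
    """Return (snaplen, linktype, [(caplen, origlen, frame_bytes), ...]); both byte orders handled."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        records.append((caplen, origlen, data[off:off + caplen]))
        off += caplen
    return snaplen, linktype, records


def check_ipv4(pkt):
    """Return reasons an IPv4 header looks corrupt (empty list when it looks sane)."""
    if len(pkt) < 20:
        return ["IPv4 payload shorter than the 20-byte minimum header"]
    reasons = []
    version, ihl, proto = pkt[0] >> 4, (pkt[0] & 0x0F) * 4, pkt[9]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if version != 4:
        reasons.append(f"IP version field {version} inside an IPv4 frame")
    if ihl < 20:
        reasons.append(f"IHL {ihl} below the 20-byte minimum")
    if total_len < ihl or total_len > len(pkt):
        reasons.append(f"total length {total_len} inconsistent with {len(pkt)} captured bytes")
    if proto not in KNOWN_IP_PROTOS:
        reasons.append(f"unexpected IP protocol {proto}")
    src = ipaddress.IPv4Address(pkt[12:16])
    if src.is_reserved:  # 240.0.0.0/4 is never a legitimate source
        reasons.append(f"reserved source address {src}")
    return reasons


def check_record(caplen, origlen, frame, snaplen, mtu):
    """Structural checks on one record; the MTU check is a hint, see usage note."""
    reasons = []
    if caplen != len(frame):
        reasons.append("caplen exceeds the data remaining in the file")
    if caplen > origlen:
        reasons.append("caplen > origlen")
    if caplen > snaplen:
        reasons.append("caplen > file snaplen")
    if origlen > mtu + 14:
        reasons.append(f"frame length {origlen} exceeds MTU {mtu} + Ethernet header")
    if len(frame) < 14:
        return reasons + ["shorter than an Ethernet header"]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in KNOWN_ETHERTYPES:
        reasons.append(f"unknown ethertype 0x{ethertype:04x}")
    elif ethertype == 0x0800:
        reasons.extend(check_ipv4(frame[14:]))
    return reasons


def suspicious_records(data, mtu=1500):
    """Return [(record_index, [reasons...])] for every record failing a check."""
    snaplen, linktype, records = parse_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"only Ethernet link type handled, got {linktype}")
    out = []
    for i, (caplen, origlen, frame) in enumerate(records):
        reasons = check_record(caplen, origlen, frame, snaplen, mtu)
        if reasons:
            out.append((i, reasons))
    return out


def build_sample_pcap():
    """Constructed sample: one plausible loopback TCP frame, then one 64 KiB garbage record."""
    snaplen = 262144  # constructed value standing in for a 'max' snaplen
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    payload = b"hello" * 100
    tcp = struct.pack("!HHIIBBHHH", 40000, 12345, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, 6, 0, bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
    eth = b"\x00" * 12 + b"\x08\x00"  # all-zero MACs as on Linux loopback
    good = eth + ip + tcp + payload
    # Garbage: IPv4 ethertype, but version nibble 0, total length 0xFFFF, protocol 0xEE, reserved src.
    bogus_ip = (b"\x00\x00" + struct.pack("!H", 0xFFFF) + b"\x00" * 5 + b"\xee" + b"\x00\x00"
                + bytes([250, 1, 2, 3]) + bytes([10, 0, 0, 1]))
    bogus = eth + bogus_ip + b"\xff" * (65535 - 14 - 20)
    out = hdr
    for frame in (good, bogus):
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for idx, why in suspicious_records(raw):
        print(f"record {idx}: " + "; ".join(why))
```

Run it with a path to a pcap (for instance the /tmp/tracee/out/pcap/single.pcap from the report) or with no argument to check the constructed sample. The MTU check assumes a 1500-byte link; Linux loopback has a 65536-byte MTU and GSO can legitimately hand large frames to a capture hook, so for loopback-only captures pass `mtu=65536` and rely on the header checks, which still catch the garbage record in the sample.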