Packetbeat cannot capture redis command CONFIG GET

mazhechao · November 29, 2019, 2:16am

Packetbeat cannot capture redis command CONFIG GET *

This command is incorrectly handled as response.

Packetbeat version 7.4.2 (amd64), libbeat 7.4.2 [15075156388b44390301f070960fd8aeac1c9712 built 2019-10-28 19:33:55 +0000 UTC]

Logs here:

2019-11-28T09:30:20.302-0500    DEBUG   [tcp]   tcp/tcp.go:265  Connection src[***.***.147.44:51165] dst[***.***.226.128:6399] doesn't exist, creating new
2019-11-28T09:30:20.302-0500    DEBUG   [tcp]   tcp/tcp.go:177  tcp flow id: 0x0
2019-11-28T09:30:20.302-0500    DEBUG   [tcp]   tcp/tcp.go:190  pkt.start_seq=2334452451 pkt.last_seq=2334452483 stream.last_seq=0 (len=32)
2019-11-28T09:30:20.302-0500    DEBUG   [redis] redis/redis.go:176      new stream: 0xc0015de3f0 (dir=1, len=32)
2019-11-28T09:30:20.302-0500    DEBUG   [redis] redis/redis.go:187      stream add data: 0xc0015de3f0 (dir=1, len=32)
2019-11-28T09:30:20.302-0500    DEBUG   [redis] redis/redis_parse.go:370        line *3: 4
2019-11-28T09:30:20.302-0500    DEBUG   [redis] redis/redis.go:216      REDIS (0xc00176cd20) response message: [config, get, *]
2019-11-28T09:30:20.302-0500    DEBUG   [redis] redis/redis.go:268      Response from unknown transaction. Ignoring

mazhechao · December 1, 2019, 10:55am

Actually it is a bug of the function parseArray() in redis_parse.go.
When handling top-level request command, only content[0] (It is CONFIG for command CONFIG GET *) is passed into function isRedisCommand(), and as a result command CONFIG GET * is incorrectly handled as response.
But for command CONFIG GET *, content[0:2] should be passed into function isRedisCommand().

// handle top-level request command
	if depth == 0 && isRedisCommand(content[0]) {
		p.message.isRequest = true
		p.message.method = content[0]
		if len(content) > 1 {
			p.message.path = content[1]
		}

		var value common.NetString
		if contentLen > 1 {
			tmp := make([]byte, contentLen+(len(content)-1)*1)
			join(tmp, content, []byte(" "))
			value = common.NetString(tmp)
		} else {
			value = common.NetString(content[0])
		}
		return value, iserror, true, true
	}

mazhechao · December 1, 2019, 10:57am

I will fill a bug issue and make a pull request.

system · December 29, 2019, 12:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.