Packetbeat - “ERR Failed to read integer reply: Expected digit”

when analyzing pcap file for redis protocol with packetbeat, I get outputs as follow:

➜  packetbeat git:(master) ✗ ./packetbeat -c ./packetbeat.yml -e -I redis_xg-bjdev-rediscluster-1_prot-7101_20161222110711_20161222110721.pcap -E packetbeat.protocols.redis.ports=7101 -t
2017/01/11 09:42:37.664290 protos.go:89: INFO registered protocol plugin: amqp
2017/01/11 09:42:37.664309 protos.go:89: INFO registered protocol plugin: http
2017/01/11 09:42:37.664315 protos.go:89: INFO registered protocol plugin: mysql
2017/01/11 09:42:37.664320 protos.go:89: INFO registered protocol plugin: redis
2017/01/11 09:42:37.665784 beat.go:207: INFO packetbeat start running.
2017/01/11 09:47:45.218365 redis_parse.go:306: ERR Failed to read integer reply: Expected digit
2017/01/11 09:42:38.430211 sniffer.go:384: INFO Input finish. Processed 40644 packets. Have a nice day!
2017/01/11 09:42:38.430657 util.go:48: INFO flows worker loop stopped
2017/01/11 09:42:38.430709 logp.go:245: INFO Total non-zero values:  libbeat.publisher.published_events=8080 tcp.dropped_because_of_gaps=15 redis.unmatched_responses=15
2017/01/11 09:42:38.430722 logp.go:246: INFO Uptime: 909.957024ms
2017/01/11 09:42:38.430728 beat.go:211: INFO packetbeat stopped.
➜  packetbeat git:(master) ✗

The error message is "ERR Failed to read integer reply: Expected digit".

After analyzing with Wireshark in contrast, I find the root case behind this: When REDIS response is big enough and network is not good enough, "packet loss" might happen, which result in the ERROR above.

Snapshot in my test:

According to the sequence of packets, I find:

  • No.37642 - HMGET with key hr-e0acd6e0-4c21-4917-a676-c4fd8094f2aa:user
  • No.37642 - [TCP Previous segment not captured], this response is relative to HMGET's last two fields.
  • No.37648 - [TCP Fast Retransmission], just retransmit the lost data segments.

In this case, redis_parse.go module dose not work correctly, and packetbeat will stop running as soon as the ERROR happens.

so, I think it is a bug, or how can i fix it ? thanks in advance.

BTW, once the Redis response is split from another position, the Error message might be different I think.

the protocol analyzers in packetbeat must synchronize to the network stream. If they're not in sync, the parser might fail. In this case the internal state is dropped and a new parser instance is generated, in the hope of us being in sync with the next packet. As packet-loss might occur at any time, we have to drop the parser state in most cases and try to resync.

packetbeat stops running, because all packets have been send to the protcol analyzers. Not all events might be published yet. try -waitstop 10s to wait for 10 more seconds wether any events are stuck.

Without the original pcap and without being able to debug it myself I can not comment on any events you observed.

I did some work on my original pcap file, and split it into several parts.

so, my conclusion now is: when network is bad and redis response is big enough, something wrong might happen depending on splitting position from raw data.

packetbeat stops running, because all packets have been send to the protcol analyzers.

It's right, I get it.

what means big enough? Currently packetbeat internally drops a stream if the active message exceeds 10MB I think.

"big enough" means that the raw data in redis response should be split into multiple segmented packets (i.e. [PSH, ACK] segment in 37642-37651_plrt_s0_pbErr.pcap). Sorry about my description.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.