-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCitrixNetScalerResetCodeReference.lua
334 lines (319 loc) · 15.7 KB
/
CitrixNetScalerResetCodeReference.lua
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
--------------------------------------------------------------------------------
-- Citrix ADC (NetScaler) Reset Code Post-Dissector
-- Original idea and code by Todd Maxey (github.com/toddmaxey)
-- Updated to incorporate recommended improvements for stable operation
-- References:
-- - https://support.citrix.com/article/CTX200852/citrix-adc-netscaler-reset-codes-reference
-- - Wireshark Lua API documentation
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
-- 1. Define a new protocol
--------------------------------------------------------------------------------
local citrix_reset_proto = Proto("citrix_reset", "Citrix ADC Reset Codes")
--------------------------------------------------------------------------------
-- 2. Define the fields for this protocol
--------------------------------------------------------------------------------
citrix_reset_proto.fields.reset_window = ProtoField.uint16(
"citrix_reset.window_size",
"Citrix Reset Window Size",
base.DEC
)
--------------------------------------------------------------------------------
-- 3. Define field extractors from the existing TCP dissector
--------------------------------------------------------------------------------
local f_tcp_srcport = Field.new("tcp.srcport")
local f_tcp_dstport = Field.new("tcp.dstport")
local f_tcp_window_size = Field.new("tcp.window_size") -- or "tcp.window_size_value"
local f_tcp_flags_reset = Field.new("tcp.flags.reset")
--------------------------------------------------------------------------------
-- 4. Define the lookup table for Citrix ADC reset codes
--------------------------------------------------------------------------------
local window_size_lookup = {
[8196] = "SSL bad record.",
[8201] = "NSDBG_RST_SSTRAY, 8201 – NSDBG_RST_SSTRAY",
[8202] = "NSDBG_RST_CSTRAY: Triggered when the NetScaler receives data on a connection with an expired SYN cookie.",
[8204] = "Client retransmitted SYN with the wrong sequence number.",
[8205] = "ACK number in the final ACK from peer during connection establishment is wrong.",
[8206] = "Received a bad packet in TCPS_SYN_SENT state (non-RST). Possibly reused 4-tuple from old connection.",
[8207] = "Received SYN on an established connection within the window. Protects from spoofing attacks.",
[8208] = "Reset after receiving more than the configured number of duplicate retransmissions.",
[8209] = "Memory allocation failure (system out of memory).",
[8210] = "HTTP DoS protection triggered by a bad client request.",
[8211] = "Cleanup of idle connections.",
[8212] = "Stray SYN packet with no listening service or invalid SYN cookie.",
[8213] = "Sure Connect feature, bad client sending post on a closing connection.",
[8214] = "MSS in SYN exceeded NIC/VLAN MTU.",
[9100] = "NSDBG_RST_ORP: Orphan HTTP connection timed out waiting for completion.",
[9212] = "HTTP invalid request.",
[9214] = "Cache resource store failed.",
[9216] = "Cache async no memory.",
[9217] = "HTTP state machine error from receiving content longer than specified Content-Length.",
[9218] = "Terminated due to extra orphan data.",
[9219] = "NSB allocation failure.",
[9220] = "Could not allocate new NSB (various reasons).",
[9221] = "vurl includes an invalid domain shard.",
[9222] = "Response was RFC-noncompliant (e.g., both Content-Length and Transfer-Encoding invalid).",
[9300] = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",
[9301] = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",
[9302] = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",
[9303] = "NSDBG_RST_ZSSSR: Zombie timer/idle timeout or service-down event.",
[9304] = "NSDBG_RST_LINK_GIVEUPS: Freed session after zero window probe limit exceeded.",
[9305] = "Server ACK to SYN had an invalid ACK number.",
[9306] = "TCP buffering undone due to duplicate TCPB enablement.",
[9307] = "Small window protection triggered reset.",
[9308] = "Small window protection triggered reset.",
[9309] = "Small window protection triggered reset.",
[9310] = "TCP keepalive probing failed.",
[9311] = "DHT retry failed.",
[9400] = "Reset server connections in reusepool that are not reusable.",
[9401] = "Reset older connections to free capacity for new ones or when removing an entity with active connections.",
[9450] = "SQL HS failed.",
[9451] = "SQL response failed.",
[9452] = "SQL request list failed.",
[9453] = "SQL UNK not linked.",
[9454] = "SQL NSB hold failed.",
[9455] = "SQL Server First Packet.",
[9456] = "SQL login response arrived before request.",
[9457] = "SQL server login failed.",
[9458] = "SQL no memory.",
[9459] = "SQL bad server.",
[9460] = "SQL link failed.",
[9600] = "Reset if # of pkts with Sequence/ACK mismatch > nscfg_max_orphan_pkts.",
[9601] = "Reset if # of data pkts with Sequence/ACK mismatch > nscfg_max_orphan_pkts.",
[9602] = "SSL VPN CS probe limit exceeded.",
[9700] = "NSDBG_RST_PASS: RST forwarded from client or server.",
[9701] = "NSDBG_RST_ACK_PASS: RST + ACK forwarded from client or server.",
[9702] = "Data received after FIN.",
[9704] = "NSB dropped (hold limit or transaction error).",
[9800] = "NSDBG_RST_PROBE: Monitoring service reset due to timeout.",
[9810] = "Responses match the configured NAI status code.",
[9811] = "NSDBG_RST_ERRHANDLER: Used with SSL after sending a Fatal Alert.",
[9812] = "Connection flushing: existing IP removed from configuration.",
[9813] = "Closing the SSF connection.",
[9814] = "NSDBG_RST_PETRIGGER: Reset triggered by policy engine match.",
[9816] = "Bad SSL record.",
[9817] = "SSL connection changed while updating bound certificate.",
[9818] = "Bad SSL header value.",
[9819] = "Failed to allocate memory for SPCB.",
[9820] = "SSL card operation failed.",
[9821] = "SSL feature disabled; resetting the connection.",
[9822] = "SSL cipher changed; old-cipher connection flush.",
[9823] = "Malformed NSC_AAAC cookie or memory failure in certificate processing.",
[9824] = "Reset on AAA orphan connections.",
[9825] = "DBG_WRONG_GSLBRECDLEN: MEP error reset code, typically from version mismatch.",
[9826] = "Insufficient memory for NET buffers.",
[9827] = "Reset on SSL config change.",
[9829] = "Reset on GSLB other site down/out of reach.",
[9830] = "Reset for sessions matching ACL DENY rule.",
[9831] = "Connection had no application data but needed it.",
[9832] = "Application error.",
[9833] = "Fatal SSL error.",
[9834] = "Reset while flushing all SPCB (fips or hsm init).",
[9835] = "DTLS record too large.",
[9836] = "DTLS record zero length.",
[9837] = "SSLv2 record too large.",
[9838] = "NSBE_DBG_RST_SSL_BAD_RECORD: SSL record lookup error.",
[9839] = "SSL max NSB hold limit reached.",
[9841] = "SSL/DTLS split packet failure.",
[9842] = "SSL NSB allocation failure.",
[9843] = "Monitor wide IP probe.",
[9844] = "SSL reneg max NSB limit or allocation failure.",
[9845] = "Reset on Appsec policy.",
[9846] = "Delta compression aborted or failed.",
[9847] = "Delta compression aborted or failed.",
[9848] = "Reset on new SSL connection accepted during config change.",
[9849] = "GSLB conflict from misconfiguration.",
[9850] = "DNS TCP connection untrackable (compact NSB failure, etc.).",
[9851] = "DNS TCP failure (invalid payload length, etc.).",
[9852] = "RTSP (ALG) session handling error.",
[9853] = "MSSQL Auth response error.",
[9854] = "Indirect GSLB sites tried to establish connection.",
[9855] = "For HTTP/SSL vservers, SO threshold reached.",
[9856] = "AppFW ASYNC failure.",
[9857] = "Reset while flushing HTTP waiting PCB.",
[9858] = "Reset on re-chunk abort.",
[9859] = "New client connection deferrable by server on the label.",
[9860] = "pcb->link cleaned, connection reset.",
[9861] = "Push vserver connection reset if push disabled on client vserver.",
[9862] = "Reset to client for duplicate server connection.",
[9863] = "Reset old connection if new connection established but old one not freed.",
[9864] = "CVPN HINFO restore failed.",
[9865] = "CVPN MCMX error.",
[9866] = "URL policy transform error.",
[9868] = "MSSQL login errors.",
[9870] = "SQL login parse error.",
[9871] = "MSSQL memory allocation failure.",
[9872] = "Websocket upgrade request dropped due to disabled Websocket in HTTP profile.",
[9873] = "Agsvc MCMX failure.",
[9874] = "NSB hold limit reached.",
[9875] = "RADIUS request parse error.",
[9876] = "RADIUS response parse error.",
[9877] = "RADIUS request dropped.",
[9878] = "RADIUS response dropped.",
[9879] = "Invalid RADIUS request.",
[9880] = "Invalid RADIUS response.",
[9881] = "RADIUS no memory.",
[9882] = "RADIUS link failed.",
[9883] = "RADIUS unlinked.",
[9884] = "RADIUS unexpected error.",
[9885] = "RADIUS unhandled response.",
[9886] = "RADIUS unhandled request.",
[9887] = "RADIUS missing UNK.",
[9888] = "RADIUS wrong UNK.",
[9889] = "RADIUS UNK refcnt.",
[9890] = "RADIUS UNK purge.",
[9891] = "RADIUS tunnel reject.",
[9892] = "RADIUS unknown error.",
[9893] = "Monitor probe reset.",
[9894] = "Monitor mark down.",
[9895] = "Monitor probe flush.",
[9896] = "Monitor payload too small.",
[9897] = "SNMP wrong packet.",
[9898] = "SNMP wrong version.",
[9899] = "SNMP wrong community.",
[9900] = "SNMP wrong community.",
[9901] = "SNMP wrong PDU.",
[9902] = "SNMP wrong type.",
[9903] = "SNMP wrong request ID.",
[9904] = "SNMP wrong error status.",
[9905] = "SNMP wrong error index.",
[9906] = "SNMP no such object.",
[9907] = "SNMP no such instance.",
[9908] = "SNMP too big.",
[9909] = "SNMP read only.",
[9910] = "SNMP gen error.",
[9911] = "SNMP wrong encoding.",
[9912] = "SNMP wrong length.",
[9913] = "SNMP wrong value.",
[9914] = "SNMP no memory.",
[9915] = "SNMP no response.",
[9916] = "SNMP not writable.",
[9917] = "SNMP auth error.",
[9918] = "SNMP wrong digest.",
[9919] = "SNMP bad value.",
[9920] = "SNMP not in MIB.",
[9921] = "SNMP too many indices.",
[9922] = "SNMP not enough indices.",
[9923] = "SNMP wrong index type.",
[9924] = "SNMP wrong index length.",
[9925] = "SNMP wrong index value.",
[9926] = "SNMP no such name.",
[9927] = "SNMP wrong varbind list.",
[9928] = "SNMP end of MIB.",
[9929] = "SNMP too big for packet.",
[9930] = "SNMP no such view.",
[9931] = "SNMP no such context.",
[9932] = "SNMP no such user.",
[9933] = "SNMP not in view.",
[9934] = "SNMP unsupported security level.",
[9935] = "SNMP unsupported auth protocol.",
[9936] = "SNMP unsupported priv protocol.",
[9937] = "SNMP unknown user name.",
[9938] = "SNMP unknown engine ID.",
[9939] = "SNMP wrong security model.",
[9940] = "SNMP bad security level.",
[9941] = "SNMP bad engine ID.",
[9942] = "SNMP bad user name.",
[9943] = "SNMP bad auth protocol.",
[9944] = "SNMP bad priv protocol.",
[9945] = "SNMP bad security name.",
[9946] = "SNMP bad security model.",
[9947] = "SNMP bad message.",
[9948] = "SNMP bad PDU.",
[9949] = "SNMP bad SPI.",
[9950] = "SNMP bad context.",
[9951] = "SNMP bad security state ref.",
[9952] = "SNMP bad security name.",
[9953] = "SNMP bad community.",
[9954] = "SNMP bad community uses.",
[9955] = "SNMP bad community name.",
[9956] = "SNMP bad community indexing.",
[9957] = "SNMP bad party.",
[9958] = "SNMP bad party uses.",
[9959] = "SNMP bad party name.",
[9960] = "SNMP bad party indexing.",
[9961] = "SNMP bad party TDomain.",
[9962] = "SNMP bad party TAddress.",
[9963] = "SNMP bad party identity.",
[9964] = "SNMP bad party TTimeout.",
[9965] = "SNMP bad party TMaxMessageSize.",
[9966] = "SNMP bad party priv proto.",
[9967] = "SNMP bad party auth clock.",
[9968] = "SNMP bad party auth lifetime.",
[9969] = "SNMP bad party auth private.",
[9970] = "SNMP bad party auth public.",
[9971] = "SNMP bad party auth clock skew.",
[9972] = "SNMP bad party auth truncated.",
[9973] = "SNMP bad party auth wrong digest.",
[9974] = "SNMP bad party auth wrong.",
[9975] = "SNMP bad context.",
[9976] = "SNMP bad context uses.",
[9977] = "SNMP bad context name.",
[9978] = "SNMP bad context indexing.",
[9979] = "SNMP bad ACL.",
[9980] = "SNMP bad ACL uses.",
[9981] = "SNMP bad ACL name.",
[9982] = "SNMP bad ACL indexing.",
[9983] = "SNMP bad ACL party.",
[9984] = "SNMP bad ACL context.",
[9985] = "SNMP bad ACL privs.",
[9986] = "SNMP bad view.",
[9987] = "SNMP bad view uses.",
[9988] = "SNMP bad view name.",
[9989] = "SNMP bad view indexing.",
[9990] = "SNMP bad view subtree.",
[9991] = "SNMP bad view mask.",
[9992] = "SNMP bad view type.",
[9993] = "SNMP bad view storage.",
[9994] = "SNMP bad view status.",
[9995] = "SNMP bad MIB.",
[9996] = "SNMP bad MIB name.",
[9997] = "SNMP bad MIB syntax.",
[9998] = "SNMP bad MIB write syntax.",
[9999] = "SNMP bad MIB access.",
[10000] = "SNMP bad MIB status.",
[10001] = "SNMP bad MIB indexes.",
[10002] = "SNMP bad MIB deps.",
[10003] = "SNMP bad MIB inits."
}
--------------------------------------------------------------------------------
-- 5. Dissection function
--------------------------------------------------------------------------------
function citrix_reset_proto.dissector(buffer, pinfo, tree)
-- Fetch extracted fields
local tcp_srcport = f_tcp_srcport()
local tcp_dstport = f_tcp_dstport()
local tcp_rstflag = f_tcp_flags_reset()
local tcp_win = f_tcp_window_size()
-- If any required fields are nil, no further processing
if not (tcp_srcport and tcp_dstport and tcp_rstflag and tcp_win) then
return
end
-- Convert to numeric
local rst_val = tonumber(tostring(tcp_rstflag))
local win_val = tonumber(tostring(tcp_win))
-- Check if the RST flag is set
if rst_val == 1 and win_val then
local description = window_size_lookup[win_val]
if description then
-- Create a subtree for Citrix ADC info
local subtree = tree:add(
citrix_reset_proto,
buffer(),
"Citrix ADC Reset Info"
)
-- Add window size field
local item = subtree:add(
citrix_reset_proto.fields.reset_window,
buffer(),
win_val
)
-- Append textual description
item:append_text(" (" .. description .. ")")
end
end
end
--------------------------------------------------------------------------------
-- 6. Register the post-dissector
--------------------------------------------------------------------------------
register_postdissector(citrix_reset_proto)