CQL protocol parsing issues with `Result` frames from open source Cassandra
Summary
The CQL dissector identifies certain `Result` frames from open source Cassandra packet captures as 'malformed' and parses them incorrectly. The pictures below show packet captures of the same CQL protocol traffic against two different data stores -- Scylladb and open source Cassandra (in that order).
Steps to reproduce
- Install Pixie
- Install the Cassandra demo application via the `px` CLI. This will generate the problematic Cassandra traffic constantly:
  `px demo deploy px-k8ssandra`
- Enter the network namespace of the Cassandra server and collect a packet capture:
  `tcpdump -i any -w cassandra.pcap port 9042`
- Load packet capture in Wireshark UI
Alternatively, I've provided the packet captures mentioned above.
What is the current bug behavior?
CQL protocol packets captured from open source Cassandra are frequently identified as malformed and many of the fields of a CQL packet are corrupt.
What is the expected correct behavior?
Both packet captures should render properly in Wireshark.
I've tracked this parsing error down to how the CQL dissector handles the No Metadata flag when the Global Tables Spec flag is present. Open source Cassandra sets the No Metadata and Global Table Spec flags. No Metadata implies that there is never a Global Table Spec, so while it's odd that Cassandra sets Global Table Spec when No Metadata is enabled, it is still within the protocol spec.
Scylladb's Global Table Spec flag is always 0 when No Metadata is present and therefore the CQL dissector parses the frames correctly. I would argue that Scylladb's implementation is slightly more correct, however, the spec states that the No Metadata flag dictates that the Global Table Spec will be absent. So while it's strange that Cassandra encodes its `Result` frames this way, both payloads can be understood by Wireshark.
The likely fix for this issue is to have the CQL dissector only parse the Global Tables Spec content if its flag is true and the No Metadata flag is not present.
Sample capture file
- scylladb_petclinic_cql.pcap -- successful parsing
- opensource_cassandra_petclinic_cql.pcap -- unsuccessful parsing
Relevant logs and/or screenshots
N/A
Build information
Version 4.0.5 (v4.0.5-0-ge556162d8da3).
Compiled (64-bit) using Clang 13.0.0 (clang-1300.0.29.30), with GLib 2.68.4,
with PCRE2, with zlib 1.2.11, with Qt 6.2.4, with libpcap, without POSIX
capabilities, with Lua 5.2.4, with GnuTLS 3.6.15 and PKCS #11 support, with
Gcrypt 1.8.7, with Kerberos (MIT), with MaxMind, with nghttp2 1.46.0, with
brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.9, with libsmi
0.4.8, with QtMultimedia, with automatic updates using Sparkle, with SpeexDSP
(using system library), with Minizip, with binary plugins.
Running on macOS 13.3.1, build 22E261 (Darwin 22.4.0), with Apple M1 Max, with
65536 MB of physical memory, with GLib 2.68.4, with PCRE2 10.39 2021-10-29, with
zlib 1.2.11, with Qt 6.2.4, with libpcap 1.10.1, with c-ares 1.15.0, with GnuTLS
3.6.15, with Gcrypt 1.8.7, with nghttp2 1.46.0, with brotli 1.0.9, with LZ4
1.9.2, with Zstandard 1.4.2, with libsmi 0.4.8, with light display mode, with
HiDPI, with LC_TYPE=C, binary plugins supported.
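
The flag handling proposed in the report above, as an added example that is not part of the original report and is not Wireshark's dissector code: a minimal parser for the `<metadata>` of a CQL `Rows` result that can either honor or ignore No Metadata when Global Tables Spec is also set. The function name `cql_rows_count`, the `honor_no_metadata` switch and the sample bytes are constructed for illustration; the flag values are those of the CQL native protocol spec.

```c
#include <stddef.h>
#include <stdint.h>

/* Flag bits of <metadata> in a CQL Rows result. */
#define GLOBAL_TABLES_SPEC 0x0001
#define HAS_MORE_PAGES     0x0002
#define NO_METADATA        0x0004

/* Constructed sample, not taken from the captures: flags = Global_tables_spec |
 * No_metadata, columns_count = 2, rows_count = 3, first cell = [bytes] "abcd". */
const uint8_t cql_sample[] = { 0,0,0,5,  0,0,0,2,  0,0,0,3,  0,0,0,4, 'a','b','c','d' };

/* Read a big-endian unsigned integer of `width` bytes; -1 if the buffer is short. */
static int rd(const uint8_t *b, size_t len, size_t *off, size_t width, int32_t *out) {
    uint32_t v = 0;
    if (len - *off < width) return -1;
    for (size_t i = 0; i < width; i++) v = (v << 8) | b[(*off)++];
    *out = (int32_t)v;
    return 0;
}

/* Advance past n bytes; -1 if n is negative or runs off the buffer. */
static int skip(size_t len, size_t *off, int32_t n) {
    if (n < 0 || len - *off < (size_t)n) return -1;
    *off += (size_t)n;
    return 0;
}

/* Return rows_count of a Rows result body that starts at <metadata>, or -1 if
 * malformed. honor_no_metadata = 0 models the behaviour the report describes. */
int32_t cql_rows_count(const uint8_t *b, size_t len, int honor_no_metadata) {
    size_t off = 0;
    int32_t flags, cols, n, rows;
    if (rd(b, len, &off, 4, &flags) || rd(b, len, &off, 4, &cols)) return -1;
    if (flags & HAS_MORE_PAGES) {               /* <paging_state> is [bytes] */
        if (rd(b, len, &off, 4, &n)) return -1;
        if (n > 0 && skip(len, &off, n)) return -1;
    }
    int no_md = honor_no_metadata && (flags & NO_METADATA);
    if ((flags & GLOBAL_TABLES_SPEC) && !no_md) /* keyspace + table, two [string] */
        for (int i = 0; i < 2; i++)
            if (rd(b, len, &off, 2, &n) || skip(len, &off, n)) return -1;
    /* Column specs are out of scope here: only No_metadata frames are handled. */
    if (!(flags & NO_METADATA) && cols > 0) return -1;
    if (rd(b, len, &off, 4, &rows) || rows < 0) return -1;
    return rows;
}
```

With `honor_no_metadata = 0` the parser consumes the `rows_count` bytes as two `[string]` lengths and then reads a garbage row count from the middle of the first cell, which is the kind of field corruption the report describes.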