Wireshark : how to force to drop packets with LUA? - tcp

I'm am facing to an issue when sniffing on the loopback interface when using a JTAG debug probe, which uses a TCP socket. It completly flood the loopback, and freeze Wireshark after a few seconds.
As a workaround, I have made a dummy LUA dissector for this case (redlink-server protocol). Wireshark is no longer freezing, but it produces like 8Gb of packets in a few minutes...
(the plugin consists in an empty dissector function, add register this dissector for TCP port 3490)
Is there a simple way to delete those packets from dump file not to overflow my RAM ?
Tanks by advance
Thomas.

You can apply a capture filter, not a display filter, to avoid capturing the traffic. In your case, the capture filter to exclude the unwanted traffic would be not tcp port 3490.
Refer to pcap-filter for more information on capture filters, as well as the Wireshark User Guide, Section 4.10. Filtering while capturing.

Related

is the UDP or TCP protocol best for sending back un-noticed packets / datagrams

so I'm working on a project where the program can detect when its being scanned for malicious purposes by checking how many ports are being scanned at the same time and scanning them back using the SYN method and I would like to know if the TCP or UDP protocol is better for a so called "counter-scan" to the target without getting noticed I have some ideas like:
I can send them using UDP and the attacker wouldn't notice them .
using the TCP method use the existing 3 way handshake to mask the
SYN packets with his responses
sorry I have no source code since I'm still brain storming
Yes, UDP scan can be done by looking at ICMP (NOT IMCP) port unreachables, but these are often filtered.
I guess UDP would not be less "noticed"--TCP does more harm since it needs state saved (waiting for ACKs).
(nit: please work on your English)

does packet capturng bypass part of TCP/IP stack?

When I capture network packets with wireshark or tcpdump on Linux, very often it saves segmented TCP which wireashark can reassemble (as long as Edit->Preferences->Protocols ... has this options checked for a protocol, for example HTTP).
However, I thought that the TCP/IP stack would reassemble the packets before delivering it to the user application, e.g. a WEB browser.
So my question is: is capturing packets bypassing some portion of TCP/IP stack?
Short answer: yes
Longer answer: "packet capturing" doesn't interfere with the normal packet handling -- it just makes copies of the packets at a point where they pass through the kernel. The normal place for this to happen is between the device driver and the networking stack, but depending on how you have filtering set up, it can happen other places as well.

Wireshark: How to filter for a specific SYN packet?

I'm pretty new to Wireshark and stuck with a filter task.
I have network traffic and error messages from a certain system. I need to trace the SYN packet of one of my error messages.
For Wireshark, that means I need to filter for one specific IP-port combination x.x.x.x:xxxx among the SYN packets.
With tcp.flags.syn == 1 as a display filter I have been able to narrow down Wireshark's output to only SYN packets, but it's still far too many to find the one packet belonging to the port where we see the error and that we would like to follow.
Can you help me with that?
Looking only at SYN packets is not very helpful if you need to find a conversation that has problems - it's usually better to gather as much information about the IPs involved in the problem and filter on them. E.g. if you know that the computer with the IP 192.168.1.1 has a problem, and your capture has tons of conversations, you can filter on that IP by using the following filter:
ip.addr==192.168.1.1
If you also know the layer 4 protocol and port (e.g. TCP on port 1025) you can filter on both IP and port, like this:
ip.addr==192.168.1.1 and tcp.port==1025.
If you have a plain text protocol and know the text of the error message (if it is actually visible in a packet, and not just some coded thing), you could use the "find" option and search for the string (don't forget to set the search type to "string", because the default is "display filter").

Can we use ping to see packet dropped in traffic control?

I am studying in traffic control and want to know how we can check packet dropped in a traffic control that I config it. Can we use ping icmp not?
You can use ping to check if there is currently some packet loss, but if you need to see if any packets were dropped before something like "netstat -s" or regularly checking the data in /proc/net/netstat (on unix-like systems) might be more useful.

sending multiple tcp packets in an ip packet

is it possible to send multiple tcp or udp packets on a single ip packet? are there any specifications in the protocol that do not allow this.
if it is allowed by the protocol but is generally not done by tcp/udp implementations could you point me to the relevant portion in the linux source code that proves this.
are there any implementations of tcp/udp on some os that do send multiple packets on a single ip packet. (if it is allowed).
It is not possible.
The TCP seqment header does not describe its length. The length of the TCP payload is derived from the length of the IP packet(s) minus the length of the IP and TCP headers. So only one TCP segment per IP packet.
Conversely, however, a single TCP segment can be fragmented over several IP packets by IP fragmentation.
Tcp doesn't send packets: it is a continuous stream. You send messages.
Udp, being packet based, will only send one packet at a time.
The protocol itself does not allow it. It won't break, it just won't happen.
The suggestion to use tunneling is valid, but so is the warning.
You might want to try tunneling tcp over tcp, although it's generally considered a bad idea. Depending on your needs, your mileage may vary.
You may want to take a look at the Stream Control Transmission Protocol which allows multiple data streams across a single TCP connection.
EDIT - I wasn't aware that TCP doesn't have it's own header field so there would be no way of doing this without writing a custom TCP equivalent that contains this info. SCTP may still be of use though so I'll leave that link.
TCP is a public specification, why not just read it?
RFC4164 is the roadmap document, RFC793 is TCP itself, and RFC1122 contains some errata and shows how it fits together with the rest of the (IPv4) universe.
But in short, because the TCP header (RFC793 section 3.1) does not have a length field, TCP data extends from the end of the header padding to the end of the IP packet. There is nowhere to put another data segment in the packet.
You cannot pack several TCP packets into one IP packet - that is a restriction of specification as mentioned above. TCP is the closest API which is application-oriented. Or you want to program sending of raw IP messages? Just tell us, what problem do you want to solve. Think about how you organize the delivery of the messages from one application to another, or mention that you want to hook into TCP/IP stack. What I can suggest you:
Consider packing whatever you like into UDP packet. I am not sure, how easy is to initiate routing of "unpacked" TCP packages on remote side.
Consider using PPTP or similar tunnelling protocol.

Resources