I'm filtering packets with libpcap with a filter like "tcp src localhost". It filters all the packets whose source is localhost (my host).
When localhost doesn't receive a TCP confirmation of an already sendt packet, localhost will forward the packet.
Not all the packets filtered by libpcap will arrive to its destination, and I need to identify when a packet is a "forwarded packet". Is there any way with libpcap to identify a forwarded packet?
By my understanding, you're looking for TCP retransmissions. These can be found by display fitters in wireshark after capturing. These two should help you:
Retransmitted packets can be found through the display filter tcp.analysis.retransmission (more such filters).
When the receiver gets an out-of-order packet (usually indicates lost packet), it sends a ACK for the missing seq number. This is a duplicate ACK and these can be found by using tcp.analysis.duplicate_ack (details).
Related
I am confused to identify the retransmitted TCP segment in the captured segments at Wireshark. Is there any notes showing that a segment is a retransmitted one in Wireshark?
For wireshark to identify a segment as a retransmitte one, it has to identify both packets (original and retransmitted) in the pcap file.
If for example, you sniff on the receiving endpoint for a certain packet, you might only see the retransmitted instance (as sometimes, though not always, the retransmission would happen due to the packet not arriving to destination). In that case wireshark will only see one instance of the packet and won't know it was retransmitted.
If you do have both packets in the pcap file (e.g. for the example above, but sniffing on the source of the packet), wireshark will identify it.
The way wireshark marks TCP retransmissions varies between WS versions but in the later ones it will usually default to black color (and anyway you can always see in the "expert info" field under TCP).
My objective is to obtain in a unique capture the sendt tcp packets from a source host, NOT including the retransmitted packets. Is it possible to not include in the packet the retransmitted packets?
I'm using libpcap but any help with wireshark/tshark/snort could be useful (because they use libpcap library)
From Wiresharks Documentation try the following:
not tcp.analysis.duplicate_ack and not tcp.analysis.retransmission
I use raw socket to create TCP packets, with focus on the sequence number and TCP flags(SYN, ACK)
I used one machine S to send a tcp ACK packet (flag ACK is set to 1) and another machine R to receive it these two machines are in different subnets, all in my school
meanwhile, I used tcpdump to capture the packets.
Strange things happens! On machine S, the captured packet is as expected, it is an ACK packet however, on the receiving machine R, the packet becomes a SYN packet, and the sequence number is changed, the seq no is 1 smaller the expected and the ack_seq become 0!
what are potential problems?
my guess is that the router/firewall modified the ACK packet to a SYN packet because it never sees a SYN SYN/ACK exchange ahead of the ACK?
is it possible or not?
the two captured packets are:
https://docs.google.com/file/d/0B09y_TWqTtwlVnpuUlNwUmM1YUE/edit?usp=sharing
https://docs.google.com/file/d/0B09y_TWqTtwlTXhjUms4ZnlkMVE/edit?usp=sharing
The biggest problem you will encounter will be that the receiving TCP stack in each case will receive the packet and possibly reply to it. What you are attempting is really not possible.
I have a question on how TCP_ACK works when the original packet are fragmented.
For example, original packet size is 1,500*N bytes and MTU is 1,500. Then, the packet will be frgmented into (approximately) N packets.
In this case, how does the receiver sends TCP_ACK to the sender?
I checked with wireshark, it seems that the receiver sends TCP_ACK for every two fragmented packet. Is it right?
Could you give me some refereces for this or explanation?
Thanks.
IP layer on the receiver stack reassembles all the IP fragments into a single TCP segment before handing the packet over to TCP. Under normal conditions, TCP should send only one ACK for the entire TCP segment. The ACK # would be the next expected SEQ # as usual.
So I have trouble finding a source that describes whether the TCP Packet is the payload of the IP Datagram or vice versa. I imagine the TCP Packet must be the payload because presumably the router can divide the IP Datagram therefore splitting up the TCP Packet and then the final router would have to reassamble them. Am I right?
If by "payload" you're referring to the data that comes after an IP header, then TCP is the "payload" of an IP packet when receiving data, since it's an upper level protocol.
The proper term for networking is actually encapsulation though.
It basically works by adding on progressive layers of protocols as information travels down from the application to the wire. After transmission, the packets are re-assembled and then the packets are error checked, the headers are stripped off, and what you are referring to as the "payload" becomes the next chunk of information that is checked. Once all of the outer protocol layers are stripped off the server/client has the information that directly corresponds to what the application sent.
Tcp\IP are two important proctocols. Tcp is connection oriented, while IP is a connection-less protocol. IP stands for a logical address, which works as packet address. The source packet has destination address for its destination. Tcp works with this logical address and helps the packets to reach their destinations, and provides acknowledgement when packet reached to its destination.