I have a pcap with tcp stream that is sent in one packet.
I am looking for a way to split the stream to several tcp frames,
for instance: say I have this pcap,
c2s : syn
s2c : synack
c2s : ack
c2s : datainfo
s2c : ack
....
The requested result is
c2s : syn
s2c : synack
c2s : ack
c2s : data
s2c : ack
c2s : info
s2c : ack
....
is there any tool that can help?
I found a way not to edit a pcap, but to create a new transport easily.
Use the tool NetCat. It create a tcp connection to another host and you can write in the terminal the payload of the tcp. Each new line ends the packet. In that way it possible to create a new transport that has the data you want and divided to tcp frames in the way you want.
Also, I didnt do it yet, but you can create a pcap file of this new transport that you send by capture it with Wireshark.
Related
i want to know the difference between sr() and sniff()
i will clear myself:
when i send packets with sr() and then print the answer, it's giving me just one packet:
Received 1 packets, got 1 answers, remaining 0 packets
[(<IP frag=0 ttl=64 proto=tcp dst=216.58.210.4 |<TCP sport=37945 dport=http seq=1 ack=1477254816 flags=A |<Raw load='GET /index.html HTTP/1.0 \n\n' |>>>, <IP version=4L ihl=5L tos=0x0 len=40 id=1338 flags= frag=0L ttl=128 proto=tcp chksum=0xe12d src=216.58.210.4 dst=192.168.233.128 options=[] |<TCP sport=http dport=37945 seq=1477254816 ack=28 dataofs=5L reserved=0L flags=A window=64240 chksum=0x5528 urgptr=0 |<Padding load='\x00\x00\x00\x00\x00\x00' |>>>)]
but when i do the same with sniff i got alot more packets, and one of them its the packet with the answer i asked:
<Ether dst=00:0c:29:bb:8e:79 src=00:50:56:e9:b8:b1 type=0x800 |<IP version=4L ihl=5L tos=0x0 len=537 id=1339 flags= frag=0L ttl=128 proto=tcp chksum=0xdf3b src=216.58.210.4 dst=192.168.233.128 options=[] |<TCP sport=http dport=37945 seq=1477254816 ack=28 dataofs=5L reserved=0L flags=PA window=64240 chksum=0x98df urgptr=0 options=[] |<Raw load='HTTP/1.0 302 Found\r\nCache-Control: private\r\nContent-Type: text/html; charset=UTF-8\r\nLocation: http://www.google.co.il/index.html?gfe_rd=cr&ei=_geSV8u1C6Xb8AeaxJCoDQ\r\nContent-Length: 271\r\nDate: Fri, 22 Jul 2016 11:48:14 GMT\r\n\r\n<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">\n<TITLE>302 Moved</TITLE></HEAD><BODY>\n<H1>302 Moved</H1>\nThe document has moved\nhere.\r\n</BODY></HTML>\r\n' |>>>>
if you will see - the second packet have the html code i asked for (that was with sniffing it.) but wht first not have this.
You can use the lsc() in scapy bash to check out all the required commands and their usage.
sr : Send and receive packets at layer 3
sr1 : Send packets at layer 3 and return only the first answer
srp : Send and receive packets at layer 2
srp1 : Send and receive packets at layer 2 and return only the first answer
srloop : Send a packet at layer 3 in loop and print the answer each time
srploop : Send a packet at layer 2 in loop and print the answer each time
sniff : Sniff packets
send : Send packets at layer 3
sendp : Send packets at layer 2
You can use the sniff(iface ="your interface", filter = "dst aa:bb:cc:dd:ee") to get the packets that you want.
The sniff function has lots of parameters to shortlist the packets.
sr() is Send and receive packets. The function sends specific packets and then looks for the response to only those packets
sniff() acts as a sniffer and reads all of the traffic on the ethernet line, even if it is not directed towards your IP address or your specific socket that you used to send the original packet. This allows you to see other traffic on the network
I have problem with identifying communication established by TCP.
I have to identify first completed communication, for example first complete http communication.
I have dump .pcap file with capture. I know that communication should start by three way handshake ( SYN, SYN - ACK, ACK ) and then closing of communication by double FIN flag from both side.
But I have a lot of communication in that dump file.
So here is the question. Which things i need to remember to match exact one communication ?
I thought about source IP, destination IP, protocol, maybe port but i am not sure.
Thank you for every advice.
And sorry for my english.
You stated that you need:
To identify a particular conversation
To identify the first completed conversation
You can identify a particular TCP or UDP conversation by filtering for
the 5-tuple of the connection:
Source IP
Source Port
Destination IP
Destination Port
Transport (TCP or UDP)
As Shane mentioned, this is protocol dependent e.g. ICMP does not have the concept of
ports like TCP and UDP do.
A libpcap filter like the following would work for TCP and UDP:
tcp and host 1.1.1.1 and port 53523 and dst ip 1.1.1.2 and port 80
Apply it with tcpdump:
$ tcpdump -nnr myfile.pcap 'tcp and host 1.1.1.1 and port 53523 and dst ip 1.1.1.2 and port 80'
To identify the first completed connection you will have to follow the timestamps.
Using a tool like Bro to read a PCAP would yield the answer as it will list each connection
attempt seen (complete or incomplete):
$ bro -r myfile.pcap
$ bro-cut -d < conn.log | head -1
2014-03-14T10:00:09-0500 CPnl844qkZabYchIL7 1.1.1.1 57596 1.1.1.2 80 tcp http 0.271392 248 7775 SF F ShADadfF 14 1240 20 16606 (empty) US US
Use the flag data for TCP to judge whether there was a successful handshake and tear down.
For other protocols you can make judgements based on byte counts, sent and received.
Identifying the first completed communication is highly protocol specific. You are on the right track with your filters. If your protocol is a commonly used one there are plug ins called protocol analyzers and filters that can locate "conversations" for you from a pcap data stream. If you know approximate start time and end time that would help narrow it down too.
I am using tcpdump/wireshark to capture tcp packets while tcp client sending data to tcp server. The client simply sends 4096 bytes to server in one "send()" call. And I get different tcp packets on two sides, two packets on the sender side seem to be "compacted" on the receiver side, this conflicts with how i understand the tcp protocol and I stuck on this issue for a few days and really need some help.
Please notice the packet length in following packets:
client (sender) sends 2 packets 0Xbcac (4) and 0xbcae (5), sends 2896 + 1200 = 4096 bytes in all.
(0xbcac) 4 14:31:33.838305 192.168.91.194 192.168.91.193 TCP 2962 59750 > 9877 [ACK] Seq=1 Ack=1 Win=14720 **Len=2896** TSval=260728 TSecr=3464603 0
(0xbcae) 5 14:31:33.838427 192.168.91.194 192.168.91.193 TCP 1266 59750 > 9877 [PSH, ACK] Seq=2897 Ack=1 Win=14720 **Len=1200** TSval=260728 TSecr=3464603 0
However on the server (receiver) side, only one packet is presented, with ip.id=0xbcac and length = 4096 (receiver.packet.0xbcac = sender.packet.0xbcac + 0xbcae):
(0xbcac) 4 14:31:33.286296 192.168.91.194 192.168.91.193 TCP 4162 59750 > 9877 [PSH, ACK] Seq=1 Ack=1 Win=14720 **Len=4096** TSval=260728 TSecr=3464603 0
I'm aware that tcp is a stream protocol and data sent can be divided into packets according to MSS (or MTU), but i guess the division happens before packets are sent to NIC, thus before captured. I'm also aware that the PSH flag in packet 0xbcae lead to writing data from buffer to NIC, but that cannot explain the "compacted" packet. Also I tried in client to send 999999 bytes in one "send" call and the data are divided into small packets and sent, but still mismatch the packets captured on server side. At last I disable tcp nagle, get the same result, and ruled out that reason.
So my question is the mismatching i encountered normal? If it is, what caused this? If not, i'm using ubuntu 12.04 and ubuntu 13.10 in LAN, and what is the possible reason to this "compacted" packet?
Thanks in advance for any help!
two packets on the sender side seem to be "compacted" on the receiver
side
It looks like a case of generic receive offload or large receive offload. Long story short, the receiving network card does some smart stuff and coalesces segments before they hit the kernel, which improves performance.
To check if this is the case you can try to disable it using:
$ ethtool -K eth0 gro off
$ ethtool -K eth0 lro off
Something complementary happens on the sending side: tcp segmentation offload or generic segmentation offload.
After disabling these don't forget to reenable them: they seriously improve performance.
I have a lot of pcap files
in each pcap file there are some tcp packets
I want to the following steps:
1 filter the pcap file to get expected tcp packets(if with tshark, the filter is like tcp.srcport==80 and tcp.dstport==20000). The tcp data in each tcp packet are of tens of bytes,
1) the first 2 bytes are sequence number
2) the second 2 bytes indicate a length: **n**
3) the following **n** bytes are random (if **n** is 2, then there are 2 random bytes)
4) immediately after the **n** bytes is an IP address
2 from each tcp packet, I want to get the source IP and the IP address string as mentioned in 4)
Above all, I just want to get an IP pair from each tcp packet, the source IP is easy to be obtained from tshark, but the IP address in the tcp data needs some effort
are there any good source code snippets or good ways that can be used for my target?
thanks!
I am wondering how, in detail, a program like wireshark detects duplicates from retransmission in a TCP stream. I've looked at the RFCs regarding TCP but haven't quite been able to figure out how it works. I'd very much appreciate a clear explanation.
An example situation that confused me was the following:
*C: 1227 + len = 1687
C: 1847+ len = 2299
S: ACK 2299
*C: 2299+len = 2751
*C: 2751+len = 3203
S: ACK 2751
Where the * indicates packets with duplicate payloads. How does wireshark and or TCP function to detect and discard the duplicates?