Ethereal-dev: [ethereal-dev] Duh! [WAS: TCP reconstruction]
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Mike Hall <mlh@xxxxxx>
Date: Wed, 16 Sep 1998 01:40:58 -0500 (CDT)
Sorry guys. I realized tonight that I sent a patch without the follow.c and follow.h files in it. follow.c has the bulk of the reconstruction code in it. Guess I shouldn't try to make patches at 2:30am :) This patch should work a lot better.

I compiled it on pow.zing.org. Looks like the autoconfig process is different with what is in cvs compared to the tar.gz. Maybe it's just sparc linux features. I did get it to compile. Let me know if you want to merge it into the cvs tree. I also patched a fresh -15 tree on intel-linux without a problem. I ran the code on both sparc and intel and it's working great.

One note for doing session reconstruction: use a snaplen = MTU. For most this will be tcpdump -s 1500.

Also, any chance we can get a CVS server set up on pow? This would allow us to do cvs using the client/server method. I have been doing cvs admin duties at work for the past week. I would be happy to help set this up. You can put passwords on the cvs accounts and it's not too difficult to set up. Let me know if you want some help with this :)

--Mike

+===================================================================+
| Mike Hall            Real programmers dream in Java.              |
| mlh@xxxxxx           Linux rules! Everything else just works.     |
+===================================================================+
| finger mlh@xxxxxx for public PGP key                              |
+===================================================================+

---------- Forwarded message ----------
Date: Mon, 14 Sep 1998 01:55:47 -0500 (CDT)
From: Mike Hall <mlh@xxxxxx>
To: Ethereal Development List <ethereal-dev@xxxxxxxx>
Subject: TCP reconstruction

Well, here it is. First let me say I am sorry. I planned on delivering a better product to you guys, but I don't have time for the next couple of weeks.

BAD THINGS:

o There is no filtering of the telnet control codes and this generally makes the beginning and end of the stream look bad.
o Because I was looking at getting a telnet/rsh/other filter set up, I am currently writing the TCP data from the stream to a file in /tmp. This is very bad for several reasons, including a big security problem. I do read it in right away and then delete it, but it's still not the "Right way (TM)".
o I have only tried this on reading files saved with tcpdump -w. I don't think it will work on live capture, but mostly because of the way you tell it to follow the stream.
o I did very little testing because I am crunched for time. It seems to work for all the capture files I have here. But, I did not test this well at all.
o I use a global to store current packet information. I was lazy and trying to get this working. I have not fixed this yet.

GOOD THINGS:

o It will reconstruct the TCP streams.
o It handles out of order TCP packets.
o It handles fragmented TCP (resent TCP with longer payload).
o The reconstruct code is very well commented.

HOW TO USE:

Load up your pcap file using File->Load. Click on a packet in a TCP stream you wish to view. Click Tools->Follow TCP Stream. A (libpcap) filter will be constructed and used to re-read the capture file. Only the packets in the stream will be visible on the packet list. A popup text box will display the data payload from the stream. The filter is erased right after it finishes the re-read, so all you need to do to see the full capture file is do a File->Open again.

THINGS TO DO:

o We need a telnet, 3270, rsh, and any other filter you guys think we might need. If we process the TCP payload through these filters, we should get nice human readable text from the streams.
o Clean the code up. Sorry about this one.

Anyway, let me know what you guys think. Drop me a line if you have any questions.

--Mike
Attachment:
ethereal-0.3.15.tcp.diff.gz
Description: Binary data
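To illustrate the reassembly behaviour the GOOD THINGS list describes (out-of-order packets, and a segment resent with a longer payload), here is an added example in C written for this archive page; it is not the follow.c code from the patch, and the segment layout, sequence numbers and payloads are constructed.

```c
#include <stdint.h>
#include <string.h>
/* One captured TCP segment from one direction of a stream. */
typedef struct {
    uint32_t seq;        /* sequence number of the first payload byte */
    const char *payload; /* payload as captured (needs snaplen >= MTU) */
    size_t len;          /* payload length */
} tcp_segment;
/* Copy the contiguous payload starting at next_seq into out, in order, and stop
 * at the first gap. A segment is consumed whenever it covers next_seq, so
 * out-of-order arrivals, duplicates and overlapping retransmissions (including
 * a resend with a longer payload) all work: only the unseen bytes are copied. */
size_t tcp_reassemble(const tcp_segment *segs, size_t nsegs,
                      uint32_t next_seq, char *out, size_t outcap)
{
    size_t written = 0;
    int progress = 1;
    while (progress && written < outcap) {
        progress = 0;
        for (size_t i = 0; i < nsegs; i++) {
            /* signed distance so 32-bit sequence wraparound compares correctly */
            int32_t off = (int32_t)(next_seq - segs[i].seq);
            if (off < 0 || (size_t)off >= segs[i].len)
                continue;            /* still in the future, or fully consumed */
            size_t n = segs[i].len - (size_t)off;
            if (n > outcap - written) n = outcap - written;
            memcpy(out + written, segs[i].payload + off, n);
            written += n; next_seq += (uint32_t)n;
            progress = 1;
            break;                   /* rescan: an earlier segment may now fit */
        }
    }
    return written;
}
/* Constructed capture: one direction of a session with an early out-of-order
 * segment, a short send resent with a longer payload, and an exact duplicate. */
const char *demo_reassembled(void)
{
    static const tcp_segment segs[] = {
        { 1015, " HTTP/1.0\r\n", 11 }, /* seen before the bytes that precede it */
        { 1000, "GET /",          5 },
        { 1005, "ind",            3 }, /* first, short transmission */
        { 1005, "index.html",    10 }, /* resent with a longer payload */
        { 1000, "GET /",          5 }, /* exact duplicate */
    };
    static char out[64];
    size_t n = tcp_reassemble(segs, 5, 1000, out, sizeof out - 1);
    out[n] = '\0';                   /* "GET /index.html HTTP/1.0\r\n" */
    return out;
}
```

If a segment is missing from the capture, reassembly stops at the gap rather than splicing later bytes in, which is why the note above about capturing with a snaplen of at least the MTU matters.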