Wireshark-dev: Re: [Wireshark-dev] TCP: Retrieving connection initiator as well as looping thro
>Is that option present in all TCP packets or just in the initial 3-way handshake? If the former, then you have the problem I described above, with the indicated workaround.
This is one of the problems (and advantages) of these multipath protocols, it's easier to evade data capture.
Especially for MPTCP, you have to get all SYN/ACKs to be able to map a subflow to an MPTCP connection, otherwise you can't tell anything (MPTCP exchanges keys/nonces to authenticate a subflow during the 3WHS).
I wished to propose expert info in case of packet retransmission (such as detecting wrong keys) but it's not mandatory.
In fact, an MPTCP communication starts with a TCP 3WHS that exchanges some cryptographic keys with the TCP option MPTCP_CAPABLE. Then data is sent on this TCP connection.
At any time a new TCP connection can be made to join the preceding MPTCP connection. It is achieved by establishing a new TCP connection with the TCP option MP_JOIN. This TCP option carries tokens derived from the keys exchanged during the MPTCP connection. So I need to check the token against all previous keys to see if it matches a previously registered MPTCP connection.
That's why I need to loop through TCP connections.
find_conversation() returns one conversation based on IP addresses/ports, but I want to run a check against tokens/keys and I dunno how to do it.
Thanks for your help
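The token/key matching described in the message above, as an added example that is not part of the original thread and not code from the Wireshark TCP dissector. It assumes the MPTCP v0 derivations from RFC 6824 (token = most significant 32 bits of SHA-1 of the key; MP_JOIN authentication with HMAC-SHA1 over the concatenated keys and nonces) and uses constructed keys, nonces and address tuples. Instead of looping over every TCP conversation, the MP_CAPABLE handshake registers the connection under both hosts' tokens, so an MP_JOIN SYN is resolved with one dictionary lookup; a join whose MP_CAPABLE handshake was never captured resolves to None, which is exactly the "you have to get all SYN/ACKs" limitation, and a SYN/ACK whose truncated HMAC does not verify is the "wrong keys" condition the message considers flagging as expert info:

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A subflow identified the way find_conversation() sees it:
# (src address, src port, dst address, dst port). Constructed tuples only.
Subflow = Tuple[str, int, str, int]


@dataclass
class MptcpConnection:
    """One MPTCP connection, holding the two 64-bit keys from MP_CAPABLE."""
    key_a: bytes          # key sent by the initiator (Host A)
    key_b: bytes          # key sent by the responder (Host B)
    subflows: List[Subflow] = field(default_factory=list)


def derive_token(key: bytes) -> int:
    """RFC 6824 (MPTCP v0): token = most significant 32 bits of SHA-1(key)."""
    if len(key) != 8:
        raise ValueError("MPTCP keys are 64 bits")
    return int.from_bytes(hashlib.sha1(key).digest()[:4], "big")


def join_hmac(key_local: bytes, key_remote: bytes,
              nonce_local: bytes, nonce_remote: bytes) -> bytes:
    """RFC 6824 s3.2: HMAC-X = HMAC-SHA1(Key = Key-X + Key-Y, Msg = R-X + R-Y)."""
    return hmac.new(key_local + key_remote, nonce_local + nonce_remote,
                    hashlib.sha1).digest()


class MptcpRegistry:
    """Index of known MPTCP connections by token, replacing a loop over
    every TCP conversation with a single lookup (hypothetical helper)."""

    def __init__(self) -> None:
        self._by_token: Dict[int, MptcpConnection] = {}

    def register_capable(self, key_a: bytes, key_b: bytes,
                         subflow: Subflow) -> MptcpConnection:
        """Called once both keys of an MP_CAPABLE 3WHS have been seen."""
        conn = MptcpConnection(key_a, key_b, [subflow])
        # Either host may later initiate an MP_JOIN, and the SYN carries the
        # token of the receiver's key, so index the connection under both.
        self._by_token[derive_token(key_a)] = conn
        self._by_token[derive_token(key_b)] = conn
        return conn

    def join_syn(self, receiver_token: int,
                 subflow: Subflow) -> Optional[MptcpConnection]:
        """MP_JOIN SYN: map the new subflow to its MPTCP connection, or None
        when the MP_CAPABLE handshake was never captured."""
        conn = self._by_token.get(receiver_token)
        if conn is not None:
            conn.subflows.append(subflow)
        return conn

    @staticmethod
    def join_synack_ok(conn: MptcpConnection, nonce_a: bytes, nonce_b: bytes,
                       truncated_hmac_b: bytes) -> bool:
        """MP_JOIN SYN/ACK carries the leftmost 64 bits of HMAC-B; a mismatch
        means the peer used keys other than the registered ones."""
        expected = join_hmac(conn.key_b, conn.key_a, nonce_b, nonce_a)[:8]
        return hmac.compare_digest(expected, truncated_hmac_b)


# Constructed sample handshake values (not captured traffic).
KEY_A = bytes.fromhex("0102030405060708")
KEY_B = bytes.fromhex("f1f2f3f4f5f6f7f8")
NONCE_A = bytes.fromhex("aabbccdd")
NONCE_B = bytes.fromhex("11223344")
FIRST_SUBFLOW: Subflow = ("10.0.0.1", 40000, "10.0.0.2", 80)
SECOND_SUBFLOW: Subflow = ("192.168.1.5", 40001, "10.0.0.2", 80)


def demo() -> Tuple[bool, bool, int]:
    """Returns (join mapped?, HMAC check distinguishes good from bad keys?,
    number of subflows now attached to the connection)."""
    registry = MptcpRegistry()
    registry.register_capable(KEY_A, KEY_B, FIRST_SUBFLOW)

    # Host A opens a second subflow: MP_JOIN SYN carrying Host B's token.
    conn = registry.join_syn(derive_token(KEY_B), SECOND_SUBFLOW)
    mapped = conn is not None

    # Host B answers with truncated HMAC-B; verify it against the stored keys.
    good = MptcpRegistry.join_synack_ok(
        conn, NONCE_A, NONCE_B,
        join_hmac(KEY_B, KEY_A, NONCE_B, NONCE_A)[:8])
    # Same exchange computed with a wrong Key-B must be rejected.
    bad = MptcpRegistry.join_synack_ok(
        conn, NONCE_A, NONCE_B,
        join_hmac(bytes(8), KEY_A, NONCE_B, NONCE_A)[:8])
    return mapped, good and not bad, len(conn.subflows)


if __name__ == "__main__":
    print(demo())
```

In a C dissector the same idea is a hash map keyed by the 32-bit token, populated when the MP_CAPABLE SYN/ACK is dissected and consulted when an MP_JOIN SYN is seen; the per-conversation data that find_conversation() returns then only needs to hold a pointer to the shared MPTCP record.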