The following shell script searches IP fragment pcap files in a folder:
#!/bin/sh
for file in ./*.pcap
do
frag_packets=$(tshark -r $file -Y "ip.flags.mf==1 || ip.frag_offset>0")
if [[ "${frag_packets}" != "" ]]
then
echo "$file"
fi
done
We should pay attention to -Y option which is for display filters; if what you want is capture filters, -f is the right choice.
P.S., the code can be downloaded here.
Wireshark has a handy feature which can follow TCP stream, but sometimes, it may not work as you expect. Check following diagram:
The IP packet carries a GTP payload, but since it is fragmented, and only first one is captured, so Wireshark won’t dissect it, and if you try follow TCP stream of this session, this packet will be ignored.
stripe is a cool tool which can peel away encapsulating headers. But from my testing, you should add -f option, otherwise the IP fragmented packet which I mentioned previously will be skipped, but even with this option, stripe will not remove the headers. So I write a simple program which just removes headers for specified packet (The code is here for reference).
In TCP protocol, because MSS limitation, sometimes one endpoint needs to split one TCP packet into multiple packets and send them. Today, I met a case which requires to reassemble them into one.
Firstly, I used Wireshark to “Hex Dump” first need-reassemble packet:
0000 18 cf 24 4c 71 4b 54 89 98 76 b8 30 08 00 45 00
......
Modify the length in IP header, append remaining TCP payload, then used colrm to remove offset:
# colrm 1 4 < data > data.txt
Used awk to prepend 0x and append , for every value:
awk '{ for(i = 1; i <= NF; i++) {$i="0x"$i","} print}' data.txt
Added the variable definition for array:
const u_char new_packet_4[] = {
0x18, 0xcf, ......
.......
}
Lastly, write a small program to insert new packet 4 and remove original packet 4 and 5, and code is here (Don’t forget to modify the header of packet 4).
Capture the packets on loopback network card on Linux:
# tcpdump -i lo -w lo.pcap port 33333
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
......
Download it onto Windows and use wireshark to analyze it:
We can see every packet conforms to standard ethernet format.
Capture lookback packets on OpenBSD:
# tcpdump -i lo0 -w lo.pcap port 33333
tcpdump: listening on lo0, link-type LOOP
......
Also download it onto Windows and open it with wireshark:
The wireshark just recognizes the packet as “Raw IP” format, but can’t show details.
After referring discussion in Wireshark mailing list, I know it is related to network link-layer header type. 0x0C stands for “Raw IP”:
I modified the 0x0C to 0x6C, which means “OpenBSD loopback”:
Now the packets can be decoded successfully:
P.S., I also started a discussion about this issue in mailing list.
Update: I write a script to do this conversion.
The establishment of SSH session consists of 2 parts: build up the encryption channel and authenticate user. To understand the whole flow better, I usetcpdump/Wireshark to capture and analyze the packets. Server is OpenBSD 6.1 and client is ArchLinux. The tcpdump command is like this:
sudo tcpdump -A -s 0 'net 192.168.38.176' -i enp7s0f0 -w capture.pcap
(1) Connect server first time:
The captured packets:
We can see the client/server negotiated SSH version first (In fact, client and server sent SSH version simultaneously, so please don’t misunderstand client sent first, then server responded. Use “nc 192.168.38.176 22” command to check.)
, then exchanged public key to generate secret key. The server issued “New Keys” message, and waited for client to answer.
(2) Accept server’s public key but not input password:
The captured packets:
The first packet should be client acknowledged server’s “New Keys” message, then there are some interactions. Now the encryption channel is set up.
(3) Enter password and authenticate user:
The captured packets:
These packets are all encrypted data. If user’s password is correct, the whole SSH session will be ready, and you can administrator server now.
Reference:
Understanding the SSH Encryption and Connection Process.