Wireshark-dev: Re: [Wireshark-dev] TCP: Retrieving connection initiator as well as looping thro

From: Matt <mattator@xxxxxxxxx>
Date: Tue, 28 Oct 2014 14:23:23 +0100
From what I understand, I need either to redissect with a tcp filter (ie dfilter("tcp")), but it looks slow. I would rather search through created TCP conversations. My problem is that conversations look saved into different hashtables such as "GHashTable* conversation_hashtable_exact". To compare my token with a key against all TCP connections, I believe I should compare it over the conversations in the 4 hashtables. Is that correct?

2014-10-28 9:58 GMT+01:00 Matt <mattator@xxxxxxxxx>:
>Is that option present in all TCP packets or just in the initial 3-way handshake?  If the former, then you have the problem I described above, with the indicated workaround.
This is one of the problems (and advantages) of these multipath protocols, it's easier to evade data capture.
Especially for MPTCP, you have to get all SYN/ACKs to be able to map a subflow to an MPTCP connection, otherwise you can't tell anything (MPTCP exchanges keys/nonces to authenticate a subflow during the 3WHS).
I wished to propose expert info in case of packet retransmission (such as detecting wrong keys) but it's not mandatory.

In fact, an MPTCP communication starts with a TCP 3WHS that exchanges some cryptographic keys with the TCP option MPTCP_CAPABLE. Then data is sent on this TCP connection.
At any time a new TCP connection can be made to join the preceding MPTCP connection. It is achieved with the establishment of a new TCP connection with the TCP option MP_JOIN. This TCP option carries tokens derived from the keys exchanged during the MPTCP connection. So I need to check the token against all previous keys to see if it matches a previously registered MPTCP connection.
That's why I need to loop through TCP connections.
find_conversation() returns one conversation based on IP addresses/ports but I want to run a check against token/keys and I dunno how to do it.

Thanks for your help


2014-10-27 14:47 GMT+01:00 Matt <mattator@xxxxxxxxx>:
Hi,

I am trying to improve the MPTCP support in the TCP dissector. To
provide expert infos, I need to identify which host initiated the
connection (ie sent the SYN). I wonder how to do that; I could use
tcp_analysis::server_port if ports were guaranteed to be different on
both sides.

Secondly, I am trying to set up an MPTCP *stream* identifier, similar
to tcp stream. Indeed a single MPTCP connection can be composed of
several TCP connections. The thing is, to know which MPTCP stream a TCP
stream is bound to, I have to check a token (in a TCP option) against
all MPTCP connections until I find a match. So I need to loop through
TCP connections. How can I do that?

Regards
Matt
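The token matching described in the thread, as an added example that is not part of the original mail or of Wireshark's TCP dissector. It derives the 32-bit token from a 64-bit MP_CAPABLE key and the truncated HMAC carried in the MP_JOIN SYN/ACK as specified in RFC 6824, and keeps a token-indexed registry so an MP_JOIN SYN is resolved with one lookup instead of a loop over every TCP conversation; the keys, nonces and the `MptcpRegistry` class are constructed for the example.

```python
import hashlib
import hmac
import struct

# Keys are the 64-bit values exchanged in MP_CAPABLE during the first TCP
# 3WHS; tokens and the MP_JOIN HMAC are derived from them (RFC 6824, 3.2).

def mptcp_token(key: bytes) -> int:
    """Token = most significant 32 bits of SHA-1(key)."""
    if len(key) != 8:
        raise ValueError("MP_CAPABLE key is 64 bits")
    return struct.unpack(">I", hashlib.sha1(key).digest()[:4])[0]

def join_synack_hmac(key_b: bytes, key_a: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """HMAC-B in the MP_JOIN SYN/ACK: HMAC-SHA1 keyed with Key-B||Key-A over
    R-A||R-B, truncated to the leftmost 64 bits. Comparing it with a locally
    recomputed value is how a wrong key on a subflow can be flagged."""
    return hmac.new(key_b + key_a, nonce_a + nonce_b, hashlib.sha1).digest()[:8]

class MptcpRegistry:
    """Constructed token -> MPTCP stream map, filled from each MP_CAPABLE
    handshake that was captured."""

    def __init__(self):
        self._streams = {}  # token -> (stream id, key the token was derived from)
        self._next_id = 0

    def register_capable(self, key_a: bytes, key_b: bytes) -> int:
        sid = self._next_id
        self._next_id += 1
        for key in (key_a, key_b):  # either host's token may appear in MP_JOIN
            self._streams[mptcp_token(key)] = (sid, key)
        return sid

    def lookup_join(self, token: int):
        """Stream id an MP_JOIN SYN belongs to, or None when the token was
        never seen (e.g. the MP_CAPABLE 3WHS was not in the capture)."""
        entry = self._streams.get(token)
        return None if entry is None else entry[0]

# Constructed sample handshake; fixed values so the run is reproducible.
KEY_A = bytes.fromhex("0102030405060708")
KEY_B = bytes.fromhex("a1a2a3a4a5a6a7a8")
NONCE_A = bytes.fromhex("11111111")
NONCE_B = bytes.fromhex("22222222")

if __name__ == "__main__":
    reg = MptcpRegistry()
    sid = reg.register_capable(KEY_A, KEY_B)
    # Host A opens a second subflow: its MP_JOIN SYN carries B's token.
    print("MP_JOIN token 0x%08x -> mptcp stream %s" % (mptcp_token(KEY_B), reg.lookup_join(mptcp_token(KEY_B))))
    print("SYN/ACK HMAC-B:", join_synack_hmac(KEY_B, KEY_A, NONCE_A, NONCE_B).hex())
```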