Wireshark mailing list archives

Re: TCP: Retrieving connection initiator as well as looping through connections


From: Alexis La Goutte <alexis.lagoutte () gmail com>
Date: Thu, 30 Oct 2014 09:16:25 +0100

On Wed, Oct 29, 2014 at 12:23 PM, Matt <mattator () gmail com> wrote:
For posterity, here is how I've done it:
conv = (conversation_t*)g_hash_table_find(
    get_conversation_hashtable_exact(), check_mptcp_token, (gpointer)&token);

I am now looking for a way to debug. printf seems the way (and not
g_log/Q_INFO?) to go, but I need to display the console to see the
messages and I've been unable to find a way to do so with the Qt version.
I've set gui.console.open to ALWAYS in .wireshark/preferences (since the prefs
dialog didn't save my changes) but I still have no console. What do I do
wrong, please?
There is some "bug" with the console window and Qt...
You can use proto_tree_add_debug_text to display in the output and also
add info to the tree.

Regards,

2014-10-28 14:23 GMT+01:00 Matt <mattator () gmail com>:

From what I understand, I need either to redissect with a tcp filter (i.e.
dfilter("tcp")), but it looks slow. I would rather search through created
TCP conversations. My problem is that conversations look to be saved into
different hashtables such as "GHashTable* conversation_hashtable_exact". To
compare my token with a key against all TCP connections, I believe I should
compare it over the conversations in the 4 hashtables. Is that correct?

2014-10-28 9:58 GMT+01:00 Matt <mattator () gmail com>:

Is that option present in all TCP packets or just in the initial 3-way
handshake?  If the former, then you have the problem I described above, with
the indicated workaround.
This is one of the problems (and advantages) of these multipath
protocols, it's easier to evade data capture.
Especially for MPTCP, you have to get all SYN/ACKs to be able to map a
subflow to an MPTCP connection, otherwise you can't tell anything (MPTCP
exchanges keys/nonces to authenticate a subflow during the 3WHS).
I wished to propose expert info in case of packet retransmission (such as
detecting wrong keys) but it's not mandatory.

In fact, an MPTCP communication starts with a TCP 3WHS that exchanges
some cryptographic keys with the TCP option MP_CAPABLE. Then data is sent
on this TCP connection.

At any time a new TCP connection can be made to join the preceding MPTCP
connection. It is achieved with the establishment of a new TCP connection
with the TCP option MP_JOIN. This TCP option carries tokens derived from the
keys exchanged during the MPTCP connection. So I need to check the token
against all previous keys to see if it matches a previously registered MPTCP
connection.
That's why I need to loop through TCP connections.
find_conversation() returns one conversation based on IP addresses/ports,
but I want to run a check against token/keys and I dunno how to do it.

Thanks for your help




2014-10-27 14:47 GMT+01:00 Matt <mattator () gmail com>:

Hi,

I am trying to improve the MPTCP support in the TCP dissector. To
provide expert info, I need to identify which host initiated the
connection (i.e. sent the SYN). I wonder how to do that; I could use
tcp_analysis::server_port if ports were guaranteed to be different on
both sides.

Secondly, I am trying to set up an MPTCP *stream* identifier, similar
to the tcp stream. Indeed a single MPTCP connection can be composed of
several TCP connections. The thing is, to know which MPTCP stream a TCP
stream is bound to, I have to check a token (in a TCP option) against
all MPTCP connections until I find a match. So I need to loop through
TCP connections. How can I do that?

Regards
Matt
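The thread above describes the bookkeeping the dissector needs: keys exchanged in the MP_CAPABLE handshake, tokens derived from those keys, an MP_JOIN SYN carrying a token that must be matched against every known MPTCP connection, and the wish for expert info when keys turn out to be wrong. The following Python model, added here as an example and not Wireshark's C code nor anything from the thread's participants, shows that instead of scanning all TCP conversations the dissector can keep a token-indexed map, and how the two MP_JOIN HMACs are recomputed from stored keys to detect a mismatch. Derivations follow RFC 6824 section 3.2; the class and function names, the keys, nonces and addresses are constructed for the example.

```python
"""Added example (not Wireshark code): a model of the MPTCP bookkeeping a
dissector needs in order to bind an MP_JOIN subflow to the MPTCP connection
it joins.  Derivations follow RFC 6824 section 3.2; keys, nonces and
addresses used below are constructed."""
import hashlib
import hmac
import struct


def mptcp_token(key: bytes) -> int:
    """Token = most significant 32 bits of SHA-1(key) (RFC 6824, 3.2)."""
    return struct.unpack("!I", hashlib.sha1(key).digest()[:4])[0]


def mptcp_idsn(key: bytes) -> int:
    """Initial data sequence number = least significant 64 bits of SHA-1(key)."""
    return struct.unpack("!Q", hashlib.sha1(key).digest()[-8:])[0]


def join_synack_hmac(init_key, resp_key, r_init, r_resp) -> bytes:
    """Truncated HMAC the join responder sends in the MP_JOIN SYN/ACK:
    leftmost 64 bits of HMAC-SHA1(key=Key-B||Key-A, msg=R-A||R-B), where
    A is the host initiating the join and B the host being joined."""
    return hmac.new(resp_key + init_key, r_init + r_resp, hashlib.sha1).digest()[:8]


def join_ack_hmac(init_key, resp_key, r_init, r_resp) -> bytes:
    """Full 160-bit HMAC the join initiator sends in the third MP_JOIN ACK:
    HMAC-SHA1(key=Key-A||Key-B, msg=R-A||R-B)."""
    return hmac.new(init_key + resp_key, r_init + r_resp, hashlib.sha1).digest()


class MptcpTracker:
    """Token -> MPTCP stream index, so a join is resolved by one dictionary
    lookup instead of a scan over every TCP conversation."""

    def __init__(self):
        self.streams = {}     # stream id -> {"keys": {host: key}, "subflows": [...]}
        self._by_token = {}   # token -> (stream id, host whose key produced it)
        self._next_id = 0

    def on_mp_capable(self, key_a, key_b, subflow):
        """Record a new MPTCP connection once the MP_CAPABLE 3WHS exposed both
        keys.  Host "a" is the one that sent the SYN."""
        sid = self._next_id
        self._next_id += 1
        self.streams[sid] = {"keys": {"a": key_a, "b": key_b}, "subflows": [subflow]}
        # Either host may later be the target of an MP_JOIN, so index both tokens.
        self._by_token[mptcp_token(key_a)] = (sid, "a")
        self._by_token[mptcp_token(key_b)] = (sid, "b")
        return sid

    def on_mp_join_syn(self, token, subflow):
        """Bind a TCP subflow by the receiver's token carried in its MP_JOIN SYN.
        Returns (stream id, responding host), or None if nothing matches,
        which is the case a dissector would flag rather than silently drop."""
        hit = self._by_token.get(token)
        if hit is None:
            return None
        sid, responder = hit
        self.streams[sid]["subflows"].append(subflow)
        return sid, responder

    def verify_join(self, sid, responder, r_init, r_resp, synack_mac, ack_mac):
        """Recompute both MP_JOIN HMACs from the stored keys.  A mismatch is
        the 'wrong keys' condition that merits an expert-info item."""
        keys = self.streams[sid]["keys"]
        resp_key = keys[responder]
        init_key = keys["b" if responder == "a" else "a"]
        return (hmac.compare_digest(synack_mac,
                                    join_synack_hmac(init_key, resp_key, r_init, r_resp))
                and hmac.compare_digest(ack_mac,
                                        join_ack_hmac(init_key, resp_key, r_init, r_resp)))


if __name__ == "__main__":
    # Constructed keys/nonces; real ones are random 64-bit keys and 32-bit nonces.
    key_a, key_b = bytes(range(8)), bytes(range(8, 16))
    r_a, r_b = b"\x01\x02\x03\x04", b"\x0a\x0b\x0c\x0d"
    t = MptcpTracker()
    sid = t.on_mp_capable(key_a, key_b, ("10.0.0.1", 40000, "10.0.0.2", 80))
    # Host A opens a second subflow from another interface: its SYN carries Token-B.
    sid2, responder = t.on_mp_join_syn(mptcp_token(key_b),
                                       ("10.0.1.1", 40001, "10.0.0.2", 80))
    ok = t.verify_join(sid, responder, r_a, r_b,
                       join_synack_hmac(key_a, key_b, r_a, r_b),
                       join_ack_hmac(key_a, key_b, r_a, r_b))
    print(f"stream {sid}: token_b={mptcp_token(key_b):#010x} join verified={ok}")
```

The token in an MP_JOIN SYN is always the receiver's, so which host responds is known as soon as the lookup succeeds; that in turn fixes the key order for the HMACs, which is why the tracker stores the host alongside the stream id. A `None` from `on_mp_join_syn` corresponds to a subflow whose initial connection was never captured, the situation the thread warns about when SYN/ACKs are missing.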





___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe