How to get Protocol column value in Wireshark dissector? - lua

I have written a plugin to analyze (translate to a different Protocol name) packets in Wireshark with the Lua APIs. All I need to do is analyze only the packets that show UDP or TCP in Wireshark. I am using the following code to get the protocol value:
pinfo.cols.protocol
to only analyze the packets that will show as TCP or UDP in the Protocol column.
Sometimes it returns the value that is in the Protocol column (e.g. TCP, SSH, ...) but most of the time it returns "(protocol)".
How can I fix it? Is there any possible way I can figure it out?
Thanks
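An added example, not code from the question above: in the Wireshark Lua API, tostring() on a Column returns the column's name in parentheses ("(protocol)") whenever the column's text is not available to the script, so a decision that reads the Protocol column text is unreliable. The post-dissector below instead uses Field extractors to check whether the "tcp" or "udp" protocol item is present in the packet, and only then touches the column. The protocol name transportcheck and the MY-TCP/MY-UDP labels are assumptions made for this illustration.

```lua
-- Added example (not from the question). A post-dissector that identifies
-- the transport from the dissection tree rather than from the Protocol
-- column text, whose tostring() yields "(protocol)" when the text is not
-- available to Lua. Names below (transportcheck, MY-TCP/MY-UDP) are assumed.
local transport_check = Proto("transportcheck", "Transport check (example)")

-- Field extractors for the protocol items "tcp" and "udp". Calling one
-- returns a FieldInfo if the item exists in the current packet, else nil.
local f_tcp = Field.new("tcp")
local f_udp = Field.new("udp")

-- A filterable field recording what we detected (transportcheck.transport).
local pf_transport = ProtoField.string("transportcheck.transport", "Transport")
transport_check.fields = { pf_transport }

function transport_check.dissector(tvb, pinfo, tree)
    local transport
    if f_tcp() then
        transport = "TCP"
    elseif f_udp() then
        transport = "UDP"
    else
        return -- neither transport: leave the packet untouched
    end

    local subtree = tree:add(transport_check, tvb())
    subtree:add(pf_transport, transport)

    -- Reading the column is only a hint: "(protocol)" means "not available".
    -- Setting it is the supported direction. Rename only when the column is
    -- known to show the bare transport, i.e. no higher-layer dissector ran.
    local shown = tostring(pinfo.cols.protocol)
    if shown == transport then
        pinfo.cols.protocol = "MY-" .. transport
    end
end

register_postdissector(transport_check)
```

Note the distinction this makes visible: a packet carrying SSH still has a "tcp" item, so the Field extractors tell you the transport, while only the column text (when it is available) tells you that nothing above the transport was dissected. Filtering on transportcheck.transport == "UDP" works regardless of what the column displays.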

Related

Capturing Profisafe packets using Lua Wireshark dissector

I am writing a Lua script to capture PROFIsafe packets in Wireshark. It is above the PROFINET layer in the stack. Wireshark dissects the PROFINET packets but does not dissect PROFIsafe.
For other protocols built on TCP or UDP one can do something like
local tcp_port = DissectorTable.get("tcp.port")  -- the TCP port dissector table (not Dissector.get)
tcp_port:add(1234, foo_protocol)                 -- foo_protocol: the Proto object of the custom dissector
to capture the packets sent and received on port 1234.
But PROFIsafe is built on PROFINET and does not have TCP or UDP as the underlying layer. How do I capture the packets in this case? I tried giving the Ethernet frame address in place of the port name but it did not work.
Use the menu Edit, Preferences, Protocols and search for PNIO:
PNIO options
Then select the checkbox "Enable detailed PROFIsafe dissection" and define the directory where the GSDML file of the PROFIsafe device is located.

Wireshark LUA dissector - combine data from 2 UDP packets, display issue

I have a dissector which can read 2 UDP packets and combine data from them.
Every time I select a packet (N) that is based on combining data from the previous packet (N-1) and the current packet (N), I'm getting an error in the packet details in the custom protocol section.
Only when I select the previous packet (N-1) and then the current packet (N) can I see the dissection as I expect and without any error.
Any idea how to solve the issue?
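The symptom described above (packet N dissects correctly only after packet N-1 has just been dissected) is what you get when the data from packet N-1 is kept only in a script-level variable that is overwritten as other packets are dissected. Wireshark dissects every packet once in order on the first pass and then re-dissects individual packets on demand when you click them, so the pairing has to be recorded per frame number during the first pass (pinfo.visited is false) and looked up afterwards. The following is an added example, not the asker's dissector; the wire format (a one-byte part number followed by the payload), the protocol name pairudp and the UDP port 5000 are assumptions made for this illustration.

```lua
-- Added example (not from the question): a UDP dissector whose packet N
-- needs the payload carried by packet N-1. The pairing is cached per frame
-- number on the first pass so that selecting packet N directly later
-- re-dissects it with the same result.
local pair_proto = Proto("pairudp", "Paired UDP payload (example)")
local pf_first  = ProtoField.bytes("pairudp.first",  "First half (from previous packet)")
local pf_second = ProtoField.bytes("pairudp.second", "Second half (this packet)")
local pf_total  = ProtoField.uint32("pairudp.total", "Combined length")
pair_proto.fields = { pf_first, pf_second, pf_total }

-- Assumed wire format: 1-byte part number (0 = first half, 1 = second half),
-- then the payload. Hypothetical; chosen only for this illustration.
local PART_FIRST = 0

local pending = nil   -- first half seen most recently during the first pass
local cache = {}      -- frame number -> ByteArray of the first half it pairs with

function pair_proto.dissector(tvb, pinfo, tree)
    if tvb:len() < 1 then return 0 end
    local part = tvb(0, 1):uint()
    local payload = tvb(1)
    pinfo.cols.protocol = "PAIRUDP"
    local subtree = tree:add(pair_proto, tvb())

    if part == PART_FIRST then
        if not pinfo.visited then
            pending = payload:bytes()   -- remember it for the packet that follows
        end
        subtree:add(pf_first, payload)
        return tvb:len()
    end

    -- Second half: bind it to its first half exactly once, on the first pass.
    -- On later visits (user clicks packet N) the cache supplies the same data.
    if not pinfo.visited then
        cache[pinfo.number] = pending
        pending = nil
    end
    local first = cache[pinfo.number]
    if first == nil then
        subtree:append_text(" [second half without a preceding first half]")
        subtree:add(pf_second, payload)
        return tvb:len()
    end

    -- Build the combined buffer as a new data source so it shows in the bytes pane.
    local combined = ByteArray.new()
    combined:append(first)
    combined:append(payload:bytes())
    local ctvb = combined:tvb("Combined payload")
    subtree:add(pf_first, ctvb(0, first:len()))
    subtree:add(pf_second, ctvb(first:len()))
    subtree:add(pf_total, combined:len())
    return tvb:len()
end

DissectorTable.get("udp.port"):add(5000, pair_proto) -- hypothetical port
```

The two rules that matter are: mutate the cross-packet state (pending, cache) only when pinfo.visited is false, and key everything that a later re-dissection needs by pinfo.number. Anything derived from a bare script variable will be stale or nil when packets are visited out of order.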

Can we have two simultaneous udp streams between 2 specific pairs of IPs and Ports?

I'm trying to inspect and analyze my network traffic. Suddenly I found something confusing. I thought that packets are split into streams based on their (SRC_IP, DST_IP, SRC_PORT, DST_PORT, PROTOCOL_NUM). But now I found two groups of packets with equal values of the above features that are interpreted as two different streams in Wireshark:
As you see below, the RTP packets with even packet numbers are a single stream and the RTP packets with odd packet numbers are another stream, while both have equal (SRC_IP, DST_IP, SRC_PORT, DST_PORT, PROTOCOL_NUM). Why?
To compare the statistics:
They are interpreted as two different streams:
You are just looking at the UDP traffic from either direction. UDP stream 2 is from 192.168.1.162 to 192.168.1.159 and UDP stream 3 is from 192.168.1.159 to 192.168.1.162.
While there are two UDP streams, there is only one RTP session. This is because the RFC protocol states that you cannot multiplex on the same port. From RTP RFC Section 5.2.
In RTP, multiplexing is provided by the destination transport address
(network address and port number) which is different for each RTP session.
So, yes, there are two simultaneous UDP streams, but it is just both hosts talking to each other during an RTP session.

Is it possible to filter TCP retransmission packets in tcpdump?

I am trying to see TCP retransmission packets in tcpdump.
I found commands to filter SYN packets and ACK packets but could not find a filter for retransmitted packets.
Is there any command to filter such packets?
Thanks in advance.
I've just been using this for tracing retransmissions in Wireshark:
tcp.analysis.retransmission
This also is useful:
tcp.flags.reset==1
In tcpdump, you can do resets with this expression (I haven't tried retransmissions yet, but if I figure that out I'll reply to my answer):
'tcp[tcpflags] & (tcp-rst) != 0'
When you use Wireshark or TShark you can use a display filter:
field name: tcp.analysis.retransmission
AFAIK there is no capture filter to do the trick on tcpdump, dumpcap, Wireshark or TShark.

How to change the don't fragment (DF) flag for UDP packet in Erlang?

In Erlang, it is very simple to send a UDP packet: use gen_udp:open() to create a socket, then use gen_udp:send() to send out the data.
However, by default, the Linux TCP/IP stack will set the don't fragment (DF) flag in the IP header if the size of the IP packet doesn't exceed the MTU size. If the size exceeds the MTU size, the UDP packet will be fragmented.
Is there some way to not set the DF flag for UDP packets only?
I know that in C the following code can be used to clear the DF flag, but I couldn't find a way in Erlang.
/* needs <sys/socket.h>, <netinet/in.h>, <errno.h>, <stdio.h>, <stdlib.h>; sockfd is the open UDP socket */
int optval = 0;  /* 0 == IP_PMTUDISC_DONT: do path MTU discovery never, so DF is not set */
if (-1 == setsockopt(sockfd, IPPROTO_IP, IP_MTU_DISCOVER, &optval, sizeof(optval))) {
    printf("Error: setsockopt %d\n", errno);
    exit(1);
}
Thanks
I found the solution after I posted this question :-(...:-)...
The solution is to set the raw socket option using inet:setopts(), like what is done in C, but the difference is that you need to know the definitions of IPPROTO_IP and IP_MTU_DISCOVER.
The value of IPPROTO_IP is 0, defined in netinet/in.h
The value of IP_MTU_DISCOVER is 10, defined in linux/in.h
Below is an example.
inet:setopts(Socket, [{raw, 0, 10, <<0:32/native>>}]).  %% level IPPROTO_IP (0), option IP_MTU_DISCOVER (10), value 0 as a native-endian int
I have tested it using a small program; it is working.
You can find detail help for inet:setopts on erlang man page: http://www.erlang.org/doc/man/inet.html
Thanks.
