I am using libtrace to modify the payload of captured packets for research reasons. In this case, I have to calculate the new checksum for the modified packet. My question is whether there is an easy way to do this; for example, is there a function in libtrace that can do this? Any comment is appreciated.
There's no API function in libtrace specifically for this at present, but there is code that generates correct IPv4, TCP and UDP checksums for packets inside of the tracereplay tool which you could use as the basis for writing your own functions to do it.
The code itself can be found in tools/tracereplay/tracereplay.c in the libtrace source. The libtrace source itself can be downloaded from here (in case you got libtrace via a packaging system).
There's also a mailing list for libtrace questions that is more likely to get prompt responses.
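What the tracereplay code does, as an added C example that is neither libtrace's API nor the tracereplay source: RFC 1071 one's-complement checksums for an IPv4 header and for a TCP/UDP segment, the latter over the IPv4 pseudo-header plus the whole segment, which is why a payload or address edit invalidates the transport checksum as well. The sample packet is constructed here and the helper names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One's-complement sum of 16-bit big-endian words (RFC 1071) over raw
 * bytes, so host byte order does not matter. An odd trailing byte is
 * zero-padded; "sum" lets the caller chain several buffers. */
static uint32_t csum_partial(const uint8_t *data, size_t len, uint32_t sum)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1)
        sum += (uint32_t)data[len - 1] << 8;
    return sum;
}

/* Fold the carries back into 16 bits and complement. */
static uint16_t csum_finish(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Recompute the IPv4 header checksum in place (ihl_bytes = IHL * 4). The
 * field at bytes 10-11 is zeroed first, as RFC 791 requires. */
uint16_t ipv4_fill_checksum(uint8_t *ip, size_t ihl_bytes)
{
    uint16_t c;
    ip[10] = 0;
    ip[11] = 0;
    c = csum_finish(csum_partial(ip, ihl_bytes, 0));
    ip[10] = (uint8_t)(c >> 8);
    ip[11] = (uint8_t)(c & 0xFF);
    return c;
}

/* Recompute a TCP (6) or UDP (17) checksum in place. The sum covers the
 * IPv4 pseudo-header (src, dst, zero, protocol, L4 length) and then the
 * whole L4 header plus payload. l4_len = L4 header + payload bytes. */
uint16_t l4_fill_checksum(const uint8_t *ip, uint8_t *l4, size_t l4_len,
                          uint8_t proto)
{
    uint8_t pseudo[12];
    size_t off = (proto == 6) ? 16 : 6;     /* checksum field offset */
    uint32_t sum;
    uint16_t c;

    memcpy(pseudo, ip + 12, 8);             /* source and destination */
    pseudo[8] = 0;
    pseudo[9] = proto;
    pseudo[10] = (uint8_t)(l4_len >> 8);
    pseudo[11] = (uint8_t)(l4_len & 0xFF);
    l4[off] = 0;
    l4[off + 1] = 0;
    sum = csum_partial(pseudo, sizeof pseudo, 0);
    sum = csum_partial(l4, l4_len, sum);
    c = csum_finish(sum);
    if (proto == 17 && c == 0)              /* UDP: 0 on the wire = "none" */
        c = 0xFFFF;
    l4[off] = (uint8_t)(c >> 8);
    l4[off + 1] = (uint8_t)(c & 0xFF);
    return c;
}

/* A header carrying a correct checksum sums to 0xFFFF, so this returns 1. */
int ipv4_checksum_ok(const uint8_t *ip, size_t ihl_bytes)
{
    return csum_finish(csum_partial(ip, ihl_bytes, 0)) == 0;
}

/* Constructed sample (not a real capture): IPv4 192.168.0.1 -> 192.168.0.199,
 * protocol 17, total length 32, carrying UDP 1234 -> 53 with payload "abcd".
 * Both checksum fields are left zero for the fill routines. */
static const uint8_t SAMPLE_IP[20] = {
    0x45, 0x00, 0x00, 0x20, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7
};
static const uint8_t SAMPLE_UDP[12] = {
    0x04, 0xd2, 0x00, 0x35, 0x00, 0x0c, 0x00, 0x00, 'a', 'b', 'c', 'd'
};

uint16_t demo_ipv4_checksum(void)
{
    uint8_t ip[20];
    memcpy(ip, SAMPLE_IP, sizeof ip);
    return ipv4_fill_checksum(ip, sizeof ip);
}

uint16_t demo_udp_checksum(void)
{
    uint8_t ip[20], udp[12];
    memcpy(ip, SAMPLE_IP, sizeof ip);
    memcpy(udp, SAMPLE_UDP, sizeof udp);
    return l4_fill_checksum(ip, udp, sizeof udp, 17);
}

int demo_ipv4_verifies(void)
{
    uint8_t ip[20];
    memcpy(ip, SAMPLE_IP, sizeof ip);
    ipv4_fill_checksum(ip, sizeof ip);
    return ipv4_checksum_ok(ip, sizeof ip);
}

int main(void)
{
    printf("IPv4 0x%04x (verifies: %d), UDP 0x%04x\n",
           demo_ipv4_checksum(), demo_ipv4_verifies(), demo_udp_checksum());
    return 0;
}
```

When you rewrite a payload with libtrace, run the transport checksum last: it depends on the final L4 length and on the addresses, so any IP-level edit made afterwards silently breaks it. Recomputing over the filled header and checking for zero, as ipv4_checksum_ok does, is a cheap self-test to keep in a tool like this.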
I'm new to Lua and I'm trying to write a dissector that would decrypt an encrypted MQTT payload. Wireshark already has an MQTT dissector that extracts the payload, which at the moment looks like gibberish because it's encrypted. I'd like to access that payload object in a chained dissector in order to run the decryption function on it. I'm unsure whether I should be using a field extractor to pull it from the packet or if, because the existing MQTT dissector has already done that, there's some other better way to access it.
I'm not really sure whether this is possible so I haven't tried anything yet. Thanks in advance!
Yes, to get the data, you'd use the Field Extractor, something like:
my_msg = Field.new("mqtt.msg")
To decrypt the message, you will need to supply the encryption key, perhaps through a preference for your chained/post dissector, and then you'll also need to add decryption support. Luckily, there does exist luagcrypt, written by Peter Wu (aka Lekensteyn), which may suit your needs. Peter has even written a Wireshark Lua dissector for the WireGuard tunnel protocol where he makes use of luagcrypt and which may serve as a helpful place to start.
I would like to know if it's possible to completely remove a packet's payload from a packet inside a .p4 program, or at least modify it to random data. The reason behind this is that I'm cloning a packet and sending it to a different host (monitor) and this host does not need the packet's payload.
It depends on what you are trying to do. If you would like to remove some kind of header, then it's enough to call
hdr.random_header.setInvalid()
If you call that in Egress it should remove the header's fields from the packet.
If you have length fields in headers you might also use
truncate(new_size)
when you know the size of the packet without the payload. If you already know an easier option, please share it here.
I am receiving data through a TCP socket and although this code has been working for years, I came across a very odd behaviour trying to integrate a new device (that acts as a server) into my system:
Before receiving the HTTP Body response, the recv() kernel function gives me strange characters like '283' or '7b'.
I am actually debugging with gdb and I can see that the variables hold these values right after recv() was called (so it is not just what printf shows me).
I always read byte-after-byte (one at a time) with the recv() function and the returned value is always positive.
This first line of the received HTTP Body cannot be seen in Wireshark (!) and is also not expected to be there. In Wireshark I see what I would expect to receive.
I changed the device that sends me the data and I still receive the exact same values
I performed a clean debug build and also tried a release version of my program and still get the exact same values, so I assume these are not random values that happened to be in memory.
I am running Linux kernel 3.2.58 without the option to upgrade/update.
I am not sure what other information I should provide and I have no idea what else to try.
Found it. The problem is that I did not take the Transfer-Encoding into consideration, which is chunked. I was lucky because older versions of Wireshark also showed these bytes in the payload, so other people had posted similar problems in the Wireshark forum.
Those "strange" bytes tell you the payload length that you are supposed to receive. When you are done reading that many bytes, you will again receive a number that tells you whether you should continue reading (and, again, how many bytes you will receive). As far as I understood, this is useful when you have data that changes dynamically and you might want to continuously get its current value.
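A decoder for the chunked framing the answer describes, as an added C example that is not the poster's code. The chunk-size line is hexadecimal, so "283" announces 0x283 = 643 bytes and "7b" announces 123; each size line ends in CRLF, the data is followed by another CRLF, and a "0" chunk ends the body, optionally followed by trailer fields and a final empty line. The sample body and the helper names below are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decode an HTTP/1.1 chunked body held in memory. Per chunk:
 *   <hex size>[;extension] CRLF <size bytes> CRLF
 * A size of 0 ends the body; trailer fields may follow, then a final CRLF.
 * Returns the decoded length (written to out, at most out_cap bytes) or -1
 * when the input is malformed or not yet complete. */
long chunked_decode(const unsigned char *in, size_t in_len,
                    unsigned char *out, size_t out_cap)
{
    size_t pos = 0, out_len = 0;

    for (;;) {
        size_t size = 0, digits = 0;

        /* chunk-size is hexadecimal: "283" is 0x283 = 643 bytes */
        while (pos < in_len && isxdigit(in[pos])) {
            int c = tolower(in[pos]);
            if (size > 0x00FFFFFFu)
                return -1;                  /* refuse absurd sizes */
            size = size * 16 + (size_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
            pos++;
            digits++;
        }
        if (digits == 0)
            return -1;
        while (pos < in_len && in[pos] != '\r')
            pos++;                          /* skip any ;name=value extension */
        if (in_len - pos < 2 || in[pos] != '\r' || in[pos + 1] != '\n')
            return -1;
        pos += 2;
        if (size == 0)
            break;                          /* last-chunk */
        if (in_len - pos < size + 2 || out_cap - out_len < size)
            return -1;                      /* data not fully received yet */
        memcpy(out + out_len, in + pos, size);
        out_len += size;
        pos += size;
        if (in[pos] != '\r' || in[pos + 1] != '\n')
            return -1;                      /* CRLF that ends the chunk data */
        pos += 2;
    }

    /* trailer section: header lines until an empty line */
    for (;;) {
        if (in_len - pos < 2)
            return -1;
        if (in[pos] == '\r' && in[pos + 1] == '\n')
            return (long)out_len;           /* end of body */
        while (in_len - pos >= 2 && !(in[pos] == '\r' && in[pos + 1] == '\n'))
            pos++;
        if (in_len - pos < 2)
            return -1;
        pos += 2;
    }
}

/* Constructed sample body: two chunks (one with a chunk extension) and a
 * trailer field. Decodes to "Hello, world". */
static const char SAMPLE_BODY[] =
    "5\r\nHello\r\n7;ext=1\r\n, world\r\n0\r\nX-Trailer: yes\r\n\r\n";

/* 1 if the sample decodes exactly to `expected`. */
int demo_decode_equals(const char *expected)
{
    unsigned char out[64];
    long n = chunked_decode((const unsigned char *)SAMPLE_BODY,
                            sizeof SAMPLE_BODY - 1, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expected) &&
           memcmp(out, expected, (size_t)n) == 0;
}

/* Feeding only the first `prefix` bytes models a recv() loop that has not
 * read the whole body yet: the decoder must say "incomplete" (-1) rather
 * than hand back partial data as if it were final. */
long demo_decode_prefix(size_t prefix)
{
    unsigned char out[64];
    if (prefix > sizeof SAMPLE_BODY - 1)
        prefix = sizeof SAMPLE_BODY - 1;
    return chunked_decode((const unsigned char *)SAMPLE_BODY, prefix,
                          out, sizeof out);
}

/* A chunk announced as "7b" carries 0x7b = 123 bytes. */
long demo_hex_size(void)
{
    unsigned char in[4 + 123 + 7], out[128];
    memcpy(in, "7b\r\n", 4);
    memset(in + 4, 'x', 123);
    memcpy(in + 127, "\r\n0\r\n\r\n", 7);
    return chunked_decode(in, sizeof in, out, sizeof out);
}

int main(void)
{
    unsigned char out[64];
    long n = chunked_decode((const unsigned char *)SAMPLE_BODY,
                            sizeof SAMPLE_BODY - 1, out, sizeof out);
    printf("decoded %ld bytes: %.*s\n", n, (int)n, out);
    return 0;
}
```

Reading the body byte by byte is fine, but the bytes have to be accumulated and framed: a client that treats the raw stream as the body will see the size lines, and a client that stops at the first "0" can be fooled by a chunk whose payload happens to start with one. Capping the accepted chunk size, as the decoder does, also stops a malicious server from talking you into a huge allocation.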
We have a group of users who need to see the payloads of packets in Wireshark captures. I'm looking for a way to remind those users that the data contained within may not represent the exact frames on the wire (because the capture will have been pre-processed by the time they get it to remove, e.g., security-sensitive IP addresses). A hook in the capture file that triggered a popup with a short message would be perfect. Is there any way to do this, short of wrapping Wireshark with another binary (which would be trivially bypassable anyway)?
I've searched in the wireshark lists but come up empty.
The only thing you could do would be to have the pre-processing program write out the file in pcapng format and add a comment to the initial Section Header Block giving that warning. That won't produce a popup - but, then, not all the capture file reading programs in the Wireshark suite are GUI programs that could produce a popup.
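The Section Header Block comment the answer suggests, as an added C example that is not part of the answer or of the Wireshark code base: build a minimal little-endian pcapng SHB whose only option is opt_comment, then parse it back. Wireshark shows such a comment under Statistics > Capture File Properties; as the answer notes, other readers may simply ignore it. The block type, byte-order magic and option codes are from the pcapng specification; the function names and the warning text are this example's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHB_TYPE    0x0A0D0D0Au  /* Section Header Block */
#define SHB_MAGIC   0x1A2B3C4Du  /* byte-order magic: tells readers our endianness */
#define OPT_END     0            /* opt_endofopt */
#define OPT_COMMENT 1            /* opt_comment */

/* This writer always emits little-endian and says so via the magic. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* SHB layout: type(4) total_len(4) magic(4) major(2) minor(2) section_len(8)
 * options... total_len(4). Each option is code(2) length(2) value padded to
 * a 4-byte boundary; the list ends with opt_endofopt. Returns bytes written,
 * 0 if the comment is too long or the buffer too small. */
size_t build_shb_with_comment(const char *comment, uint8_t *buf, size_t cap)
{
    size_t clen = strlen(comment);
    size_t cpad = (clen + 3) & ~(size_t)3;
    size_t total = 36 + cpad;       /* 24 fixed + 4 opt hdr + cpad + 4 end + 4 len */
    if (clen > 0xFFFF || cap < total)
        return 0;
    memset(buf, 0, total);          /* padding and opt_endofopt are zero */
    put32(buf, SHB_TYPE);
    put32(buf + 4, (uint32_t)total);
    put32(buf + 8, SHB_MAGIC);
    put16(buf + 12, 1);             /* major version */
    put16(buf + 14, 0);             /* minor version */
    put32(buf + 16, 0xFFFFFFFFu);   /* section length -1: not known up front */
    put32(buf + 20, 0xFFFFFFFFu);
    put16(buf + 24, OPT_COMMENT);
    put16(buf + 26, (uint16_t)clen);
    memcpy(buf + 28, comment, clen);
    put32(buf + 32 + cpad, (uint32_t)total);
    return total;
}

/* Parse a little-endian SHB and copy its first opt_comment into out.
 * Returns the comment length, 0 if there is none, -1 if the block is bad. */
long shb_read_comment(const uint8_t *buf, size_t len, char *out, size_t cap)
{
    uint32_t total, pos;
    if (len < 28 || get32(buf) != SHB_TYPE || get32(buf + 8) != SHB_MAGIC)
        return -1;
    total = get32(buf + 4);
    if (total < 28 || total > len || (total & 3) || get32(buf + total - 4) != total)
        return -1;                  /* leading and trailing lengths must agree */
    pos = 24;
    while (total - 4 - pos >= 4) {
        uint16_t code = get16(buf + pos), olen = get16(buf + pos + 2);
        uint32_t opad = (olen + 3u) & ~3u;
        pos += 4;
        if (code == OPT_END)
            break;
        if (opad > total - 4 - pos)
            return -1;              /* option claims bytes past the block */
        if (code == OPT_COMMENT) {
            if (olen >= cap)
                return -1;
            memcpy(out, buf + pos, olen);
            out[olen] = '\0';
            return olen;
        }
        pos += opad;
    }
    return 0;
}

/* Round trip: build an SHB for `comment`, parse it back, and return the
 * block size if the comment survives intact, else -1. */
long demo_roundtrip(const char *comment)
{
    uint8_t buf[512];
    char back[256];
    size_t n = build_shb_with_comment(comment, buf, sizeof buf);
    if (n == 0 || shb_read_comment(buf, n, back, sizeof back) < 0)
        return -1;
    return strcmp(back, comment) == 0 ? (long)n : -1;
}

/* A corrupted byte-order magic must make the parser refuse the block. */
long demo_bad_magic(void)
{
    uint8_t buf[64];
    char back[16];
    size_t n = build_shb_with_comment("x", buf, sizeof buf);
    buf[8] ^= 0xFF;
    return shb_read_comment(buf, n, back, sizeof back);
}

int main(void)
{
    printf("SHB with comment: %ld bytes\n",
           demo_roundtrip("Capture sanitized: IP addresses rewritten"));
    return 0;
}
```

The sanitizing tool would emit this block first and then append its Interface Description and packet blocks in the same byte order. Because the comment lives in the file rather than in a wrapper around Wireshark, it travels with every copy the users make, which is the only property a reminder of this kind can realistically have.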
I want to write a program in Delphi to watch the internet connection and, if a certain response is received (in response to a request from a program), send the request again, encoded, to another server, get a new encoded response, decode it, and pass it as the response to the program that sent the main request. But I don't know how to hook the internet connection. I want to use this program to pass through the filter my country's government made, using a private program to avoid it being blocked. Is there any idea?
Thanks for your answer.
Magenta Systems released a free set of Delphi components that let you see the network traffic on your computer and examine the content. If you see the response you are looking for, your monitoring program can send a request to another server.
Off the top of my head, I'm not sure if it will let you alter the content of the original packet. If not, then Marcus' suggestion of using a proxy might suit you better.
You could try to hook things at the Winsock level (there are plenty of examples of that around), but I suggest you go one level deeper and use a Layered Service Provider (LSP).
I have used Komodia's redirector from http://www.komodia.com. Commercial, but well worth it.
See also this post: Is it possible to intercept DNS queries using LSP/SPI?