Wireshark-dev: Re: [Wireshark-dev] TCP: Retrieving connection initiator as well as looping thro

From: Alexis La Goutte <alexis.lagoutte@xxxxxxxxx>
Date: Thu, 30 Oct 2014 09:16:25 +0100
On Wed, Oct 29, 2014 at 12:23 PM, Matt <mattator@xxxxxxxxx> wrote:
> For posterity, here is how I've done it:
> conv = (conversation_t*)g_hash_table_find(
> get_conversation_hashtable_exact(), check_mptcp_token, (gpointer)&token);
>
> I am now looking for a way to debug. printf seems the way (and not
> g_log/Q_INFO ?) to go but I need to display the console to see the
> messages and I've been unable to find a way to do so with the Qt version.
> I've set gui.console.open to ALWAYS in .wireshark/preferences (since prefs
> dialog didn't save my changes) but I still have no console. What do I do
> wrong please?
There is some "bug" with console window and Qt...
You can use proto_tree_add_debug_text to display in output and also
add info on tree.

Regards,
>
> 2014-10-28 14:23 GMT+01:00 Matt <mattator@xxxxxxxxx>:
>>
>> From what I understand, I need either to redissect with a tcp filter (ie
>> dfilter("tcp")) but it looks slow. I would rather search through created
>> TCP conversations. My problem is that conversations look to be saved into
>> different hashtables such as "GHashTable* conversation_hashtable_exact". To
>> compare my token with a key against all TCP connections, I believe I should
>> compare it over the conversations in the 4 hashtables. Is that correct?
>>
>> 2014-10-28 9:58 GMT+01:00 Matt <mattator@xxxxxxxxx>:
>>>
>>> > Is that option present in all TCP packets or just in the initial 3-way
>>> > handshake?  If the former, then you have the problem I described above, with
>>> > the indicated workaround.
>>> This is one of the problems (and advantages) of these multipath
>>> protocols, it's easier to evade data capture.
>>> Especially for MPTCP, you have to get all SYN/ACKs to be able to map a
>>> subflow to an MPTCP connection, otherwise you can't tell anything (MPTCP
>>> exchanges keys/nonces to authenticate a subflow during the 3WHS).
>>> I wished to propose expert info in case of packet retransmission (such as
>>> detecting wrong keys) but it's not mandatory.
>>>
>>> In fact, an MPTCP communication starts with a TCP 3WHS that exchanges
>>> some cryptographic keys with the TCP option MPTCP_CAPABLE. Then data is sent
>>> on this TCP connection.
>>>
>>> At any time a new TCP connection can be made to join the preceding MPTCP
>>> connection. It is achieved with the establishment of a new TCP connection
>>> with the TCP option MP_JOIN. This TCP option carries tokens derived from the
>>> keys exchanged during the MPTCP connection. So I need to check the token
>>> against all previous keys to see if it matches a previously registered MPTCP
>>> connection.
>>> That's why I need to loop through TCP connections.
>>> find_conversation() returns one conversation based on IP addresses/ports
>>> but I want to run a check against token/keys and I dunno how to do it.
>>>
>>> Thanks for your help
>>>
>>>
>>>
>>>
>>> 2014-10-27 14:47 GMT+01:00 Matt <mattator@xxxxxxxxx>:
>>>>
>>>> Hi,
>>>>
>>>> I am trying to improve the MPTCP support in the TCP dissector. To
>>>> provide expert infos, I need to identify which host initiated the
>>>> connection (ie sent the SYN). I wonder how to do that, I could use
>>>> tcp_analysis::server_port if ports were guaranteed to be different on
>>>> both sides.
>>>>
>>>> Secondly, I am trying to setup an MPTCP *stream* identifier, similar
>>>> to tcp stream. Indeed a single MPTCP connection can be composed of
>>>> several TCP connections. Thing is, to know which MPTCP stream a TCP
>>>> stream is bound to, I have to check a token (in a TCP option) against
>>>> all MPTCP connections until I find a match. So I need to loop through
>>>> TCP connections. How can I do that?
>>>>
>>>> Regards
>>>> Matt
>>>
>>>
>>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
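As an added example (not code from this thread or from Wireshark's TCP dissector), here is the token lookup Matt describes, modelled in Python: the keys seen in MP_CAPABLE are indexed by their RFC 6824 token (the most significant 32 bits of SHA-1 of the key), so an MP_JOIN SYN resolves to an MPTCP stream id directly instead of scanning every TCP conversation, and the stream also records which host sent the first SYN. The host addresses, keys, and the `MptcpStreams`/`mptcp_token` names are constructed for the example; an unresolved token models Matt's point that a subflow cannot be mapped when the MP_CAPABLE handshake was not captured.

```python
import hashlib
import struct

def mptcp_token(key: bytes) -> int:
    """Token of a 64-bit MPTCP key: the most significant 32 bits of
    SHA-1(key), as specified in RFC 6824 section 3.1."""
    if len(key) != 8:
        raise ValueError("MPTCP key must be 8 bytes")
    return struct.unpack(">I", hashlib.sha1(key).digest()[:4])[0]

class MptcpStreams:
    """Assigns an MPTCP stream id per MP_CAPABLE handshake and resolves
    MP_JOIN tokens to it. A token-keyed dict replaces a scan over all TCP
    conversations; both keys are indexed because either host may join."""
    def __init__(self):
        self._streams = []      # stream id -> (syn_sender, syn_receiver)
        self._by_token = {}     # 32-bit token -> stream id

    def add_capable(self, syn_sender, syn_receiver, sender_key, receiver_key):
        sid = len(self._streams)
        self._streams.append((syn_sender, syn_receiver))
        for key in (sender_key, receiver_key):
            tok = mptcp_token(key)
            # Tokens are only 32 bits, so two connections can collide.
            # Refuse rather than silently attach subflows to the wrong stream.
            if self._by_token.get(tok, sid) != sid:
                raise ValueError("token 0x%08x already belongs to stream %d"
                                 % (tok, self._by_token[tok]))
            self._by_token[tok] = sid
        return sid

    def resolve_join(self, token):
        """Stream id for an MP_JOIN SYN token, or None when the MP_CAPABLE
        3WHS that would have revealed the keys was never captured."""
        return self._by_token.get(token)

    def initiator(self, sid):
        """Host that sent the SYN of the stream's first subflow."""
        return self._streams[sid][0]

# Constructed sample (hypothetical hosts and keys): A opens an MPTCP
# connection to B, then B joins a second subflow from another address.
KEY_A = bytes.fromhex("0102030405060708")
KEY_B = bytes.fromhex("a1a2a3a4a5a6a7a8")
KEY_C = bytes.fromhex("5555555555555555")   # never seen in a handshake

def demo():
    streams = MptcpStreams()
    sid = streams.add_capable("10.0.0.1", "10.0.0.2", KEY_A, KEY_B)
    # B's MP_JOIN SYN carries the receiver's token, i.e. token(KEY_A).
    joined = streams.resolve_join(mptcp_token(KEY_A))
    unknown = streams.resolve_join(mptcp_token(KEY_C))
    return sid, joined, unknown, streams.initiator(sid)
```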