Wireshark-users: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow

From: "Frank Bulk" <frnkblk@xxxxxxxxx>
Date: Mon, 3 Mar 2008 16:15:12 -0600
Good catch!  

I used that information to put together a batch file that repairs all the
entries in the packet flow that I have.  It came down to 4 different cases.
I basically end up stripping out the PPPoE section.

REM Mostly ipversion=0 and all of ipversion=5: the IP header starts 5 bytes late
"C:\Program Files\Wireshark\tshark.exe" -r "%1.pcap" -R "eth[19:2] == 4500 && !(eth[17:2] == 0800)" -w c:\temp\tmp-a.pcap
REM bittwiste -D offsets are 1-based and inclusive, so 15-19 removes the 5 bytes after the 14-byte Ethernet header
c:\temp\bittwist-1.0\bin\bittwiste -I c:\temp\tmp-a.pcap -O c:\temp\tmp-b-a.pcap -D 15-19

REM ipversion=1: the IP header starts 8 bytes late
"C:\Program Files\Wireshark\tshark.exe" -r "%1.pcap" -R "eth[22:2] == 4500" -w c:\temp\tmp-b.pcap
c:\temp\bittwist-1.0\bin\bittwiste -I c:\temp\tmp-b.pcap -O c:\temp\tmp-b-b.pcap -D 15-22

REM ipversion=4: these frames already dissect correctly, so keep them as they are
"C:\Program Files\Wireshark\tshark.exe" -r "%1.pcap" -R "ip.version==4" -w c:\temp\tmp-c.pcap

REM ipversion=11: the IP header starts 20 bytes late
"C:\Program Files\Wireshark\tshark.exe" -r "%1.pcap" -R "eth[34:2] == 4500" -w c:\temp\tmp-d.pcap
c:\temp\bittwist-1.0\bin\bittwiste -I c:\temp\tmp-d.pcap -O c:\temp\tmp-b-d.pcap -D 15-34

REM merge them together (mergecap orders the frames by timestamp)
"C:\Program Files\Wireshark\mergecap.exe" -w "%1-repaired.pcap" c:\temp\tmp-b-a.pcap c:\temp\tmp-b-b.pcap c:\temp\tmp-c.pcap c:\temp\tmp-b-d.pcap

Regards,

Frank

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jim Young
Sent: Sunday, March 02, 2008 9:55 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow

>>> Bill Meier <wmeier@xxxxxxxxxxx> 2008-03-02 09:28 >>>
> One additional note: Looking at the packets in the longer capture it
> appears to me that some are messed up in different ways from the first.
> In addition there are a few packets which seem to have had all the PPPoE
> stuff stripped so that they look like good packets in the original
> capture.

Here's perhaps a different way to look at these files....

Using Wireshark's new "custom" column feature, create a column
for the filter "ip.version".  If you then sort the trace by this new
"ip.version" column you will notice that there are five values.

Could Cisco's "fixup" mentioned in an earlier message simply be
looking at the offset of where the ip.version field would be located
in a "normal" frame to make a determination on how to parse/correct
the record?

In the sample trace ip_traffic-export(more).pcap (which contained 179
frames) I saw the following five IP version values:

  ip.version==0
  ip.version==1
  ip.version==4
  ip.version==5
  ip.version==11

Only the frames with "ip.version==4" dissected in the expected manner! ;-)

At a minimum, using these filters could make it easier to generate subset
trace files which can then be post-processed with different rules by
bittwiste and then combined back together with mergecap for further
analysis within Wireshark.
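The same four-case repair as Frank's batch file, written here as an added example (not Frank's script, nor a Wireshark or bittwist tool) in Python over the classic pcap format: it applies the byte-offset tests and the bittwiste -D deletions directly, leaves Jim's ip.version==4 frames untouched, and counts the frames none of the cases fits. The sample frames at the bottom are constructed for illustration.

```python
import struct
# Each case: (0-based offset where 0x4500 must sit, junk bytes to drop after the
# 14-byte Ethernet header, extra condition). bittwiste -D ranges are 1-based and
# inclusive, so "-D 15-19" removes 0-based bytes 14..18 and "-D 15-34" removes 20.
CASES = [
    (19, 5, lambda f: f[17:19] != b"\x08\x00"),  # ipversion 0 and 5: -D 15-19
    (22, 8, lambda f: True),                      # ipversion 1:       -D 15-22
    (34, 20, lambda f: True)]                     # ipversion 11:      -D 15-34
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap only

def repair_frame(frame):
    """Return the frame with the inserted bytes removed, or None if no case fits."""
    if len(frame) > 14 and frame[12:14] == b"\x08\x00" and frame[14] >> 4 == 4:
        return frame                           # already dissects as ip.version==4
    for off, drop, extra in CASES:             # first match wins; the batch file's four
        if frame[off:off + 2] == b"\x45\x00" and extra(frame):  # filters run independently
            return frame[:14] + frame[14 + drop:]
    return None

def pcap_frames(data):
    """Yield (ts_sec, ts_usec, orig_len, frame) for every record of a classic pcap."""
    fmt, pos = MAGIC[data[:4]] + "IIII", 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(fmt, data[pos:pos + 16])
        yield ts_sec, ts_usec, orig_len, data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def repair_pcap(data):
    """Rewrite every record of a pcap given as bytes; returns (new_pcap, stats)."""
    fmt, out, stats = MAGIC[data[:4]] + "IIII", [data[:24]], {"kept": 0, "dropped": 0}
    for ts_sec, ts_usec, orig_len, frame in pcap_frames(data):
        fixed = repair_frame(frame)
        if fixed is None:                      # the batch file silently drops these too
            stats["dropped"] += 1
            continue
        orig_len -= len(frame) - len(fixed)    # shrink the wire length like bittwiste does
        out.append(struct.pack(fmt, ts_sec, ts_usec, len(fixed), orig_len) + fixed)
        stats["kept"] += 1
    return b"".join(out), stats

def build_pcap(frames):
    """Constructed test input: wrap raw Ethernet frames in a little-endian pcap file."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))

# Constructed sample: a sane frame, then 5, 8 and 20 junk bytes between the
# Ethernet and IPv4 headers (ipversion 0, 1, 11 in Wireshark), then an unfixable one.
ETH = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
IP = b"\x45\x00\x00\x14" + bytes(16)
SAMPLE_FRAMES = [ETH + IP, ETH + bytes(5) + IP, ETH + b"\x10" * 8 + IP,
                 ETH + b"\xb0" * 20 + IP, ETH + b"\x77" * 10]
```

Because the four tshark filters in the batch file are evaluated independently, a frame that matched two of them would appear twice after mergecap; this version takes the first matching case only.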


_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users