Wireshark-users: Re: [Wireshark-users] match packets at sender and receiver

From: Andrej van der Zee <andrejvanderzee@xxxxxxxxx>
Date: Wed, 7 Apr 2010 11:05:57 +0900
Hi Ian,

Thank you very much! That is more than I hoped for :)

Cheers,
Andrej

On Wed, Apr 7, 2010 at 8:54 AM, Ian Schorr <ian.schorr@xxxxxxxxx> wrote:
> On Tue, Apr 6, 2010 at 10:45 PM, Andrej van der Zee
> <andrejvanderzee@xxxxxxxxx> wrote:
>> What I would like to know is how to match packets on both ends of the
>> line, provided that I have the IP numbers. Are there any unique packet
>> identifiers that appear in the cap-files on both ends? What should I
>> use? For example, when I study the cap-file in Wireshark, I see under
>> "Internet Protocol" an "Identification" number that seems to be
>> incremented for packets over the same connection (or conversation?).
>> Is this Identification number generated by Wireshark or is it really
>> in the packet headers? Does it appear in both cap files? In that case,
>> I could use a tuple <IP, Identification> to match packets on both
>> ends.
>
> IP IDs are actually in the packet header.  Two ways to know:  1) Click
> on the field.  Notice how 4 bytes (containing the IP ID value) are
> highlighted in the bottom pane, the data portion of the packet.  2)
> Generally Wireshark-generated fields should be enclosed in square
> brackets (though those things aren't necessarily always going to be
> the case, they're generally true and are SUPPOSED to always be true)
>
> You could use an ID field like IP ID to identify your packets.
> However, IP ID is not only not guaranteed to be unique within your
> capture, but it's one of the most likely fields to not be unique.  For
> one thing, it's a relatively small field (16-bit) and even if a host
> increments the ID steadily (i.e. it doesn't re-use IDs more often than
> it has to), it will re-use an ID after sending only 65536 packets.  A
> reasonably busy system is going to wrap IDs pretty quickly.
>
>    Incidentally, different hosts increment the IDs differently.  Some
> increment it globally - once per
>    packet they send.  Some have an incrementing counter for each host
> they're talking to.  One host that
>    I was looking at yesterday does some weird things - it seems to be
> aware at IP-level what
>    packets are still in-flight on the network (based on being
> unacknowledged at TCP level).  It only
>    generated unique IDs for each in-flight packet, but once they'd
> been acknowledged, it'd reuse that
>    IP ID.  So it tended to use IDs 0, 1, and maybe 2 ALL the time.  Weird.
>
> And really, that's the tricky part.  There aren't really any fields in
> TCP/IP packets that are guaranteed to be unique.  There's always SOME
> chance of miscorrelating two packets that share the same properties
> that you're checking for.
>
> Anyway, if you were going to go that route, the TCP sequence number is
> probably much better for your you'd get better results by comparing
> TCP Sequence number (tcp.seq), plus the 4-tuple (source and
> destination IPs and ports).  Although it's still not 100% guaranteed
> to be unique, it's much, much more likely.  Although the numbers will
> wrap, it will only happen after 4billion bytes have been transferred.
> There's a chance that if connections are being opened and closed
> frequently, then port numbers will be reused and that the host will
> also start TCP sequence numbers at the same point, but that's also
> extremely unlikely (and a big no-no - to avoid attacks hosts typically
> should assign a random sequence ID).
>
> Now compare the IP IDs as well, and it's now very, very, VERY unlikely
> that two packets you compare match criteria but aren't actually the
> same.  Theoretically there is a chance of misidentification, but
> practically, for your purposes, that's probably plenty accurate.
>
>
> Keep in mind also that if the network is modifying your packets
> enroute, you'll have troubles.  If there is a TCP proxy of some kind,
> a NAT/PAT device, or even a router that "fragments" packets, it may
> seriously impact what you're comparing.
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>