From d4ea6632faa22cb3b8f95bb1d59b6af4613e9c9f Mon Sep 17 00:00:00 2001 From: Mattias Wadman Date: Mon, 20 Feb 2023 11:44:39 +0100 Subject: [PATCH] pcap: Add ipv4 fragments tcp test --- format/inet/flowsdecoder/flowsdecoder.go | 3 + format/pcap/testdata/tcp-ipv4frag.pcap | Bin 0 -> 1807 bytes format/pcap/testdata/tcp-ipv4frag.pcap.fqtest | 119 ++++++++++++++++++ 3 files changed, 122 insertions(+) create mode 100644 format/pcap/testdata/tcp-ipv4frag.pcap create mode 100644 format/pcap/testdata/tcp-ipv4frag.pcap.fqtest diff --git a/format/inet/flowsdecoder/flowsdecoder.go b/format/inet/flowsdecoder/flowsdecoder.go index 7882d69a..585ae6c5 100644 --- a/format/inet/flowsdecoder/flowsdecoder.go +++ b/format/inet/flowsdecoder/flowsdecoder.go @@ -223,6 +223,9 @@ func (fd *Decoder) packet(p gopacket.Packet) error { Datagram: sb.Bytes(), }) + // i think this replaces p with the newly defragmented ip packet and is + // used below when reassembling tcp streams + // see gopacket reassemblydump example pb, ok := p.(gopacket.PacketBuilder) if !ok { panic("not a PacketBuilder") diff --git a/format/pcap/testdata/tcp-ipv4frag.pcap b/format/pcap/testdata/tcp-ipv4frag.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ca8cdae11cfd26d40ce75a31842808665345b922 GIT binary patch literal 1807 zcmaKsOKcle6o#*z5W*CrmPJT5^r{5fw4Rq^=P_xdguLv;A%Qw1EGOe@dz8t{WM-1s z6^pQlpsLhL^s%f$Q;C*`P(!I6;@0F7nh(^}JWI(Znk&dI z)8l(&geaNMQ7WaQ@#O=T8!x;D^wyOZ8&L0gVAqFC|m0%&T>14UU9HH8F6lw249MRP(;XM#MFIx0^ULkixt} zY=zHi0LzQ zohbA)Bs@cLGR4unF{1)@aOjP`WFpbuEyNTdD(6kHAkP(aE$t|2by2kiISZ#8VrY2@ z3{_^X+R=1Z9HsN3|w2kPc3<_YhPkx z6XyOZ6Ccy7<694dTkzOOi0Ow@hrej4VI1kiV~RuHM6nQ)BBBIqhDK8%<`l6Oh$Z1( zQ&w_>k8lDP15*x?v|-6DAtou?4m%3{%%~*&A2b1g9&I2cL)(vtkv1Y`*tRs=+AdB< zGEw13x&3c}eTXgL=>lAz5c9Td6`;E7W7c<$+c*cVN;%_sX(yi~de+HFxHGc5$%$rpuxovi96d=%N06-z*>~b2eY$v+8jjE&bw-z6-#t7}u-Ymm4qM zfzj7yp7jUSQ~5b`&cUOV literal 0 HcmV?d00001 
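Review bot: The three added comment lines above `pb, ok := p.(gopacket.PacketBuilder)` record a guess ("i think this replaces p with the newly defragmented ip packet") rather than a verified contract, so a later maintainer cannot tell whether the TCP reassembly that follows really consumes the defragmented datagram or the original fragment. Either confirm the behaviour against the gopacket reassemblydump example the comment cites and state it plainly, or mark it as an open question so it is not mistaken for fact: `// TODO(review): confirm that the defragmented IPv4 datagram built above is what the TCP assembler below consumes (cf. gopacket's reassemblydump example).` The enclosing packet() method starts and ends outside the hunk; only the tail of the IPV4Reassembled append and the PacketBuilder assertion are visible here.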
diff --git a/format/pcap/testdata/tcp-ipv4frag.pcap.fqtest b/format/pcap/testdata/tcp-ipv4frag.pcap.fqtest
new file mode 100644
index 00000000..070518cc
--- /dev/null
+++ b/format/pcap/testdata/tcp-ipv4frag.pcap.fqtest
@@ -0,0 +1,119 @@ +# tcprewrite --fragroute=<(echo ip_frag 1000) --infile=http_gzip.cap --outfile=tcp-ipv4frag.pcap +$ fq '.ipv4_reassembled, .tcp_connections | dv' tcp-ipv4frag.pcap + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.ipv4_reassembled[0:2]: 0x70f-NA (0) + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| [0]{}: ipv4_packet (ipv4_packet) 0x0-0x1f0.7 (497) + 0x000|45 |E | version: 4 0x0-0x0.3 (0.4) + 0x000|45 |E | ihl: 5 0x0.4-0x0.7 (0.4) + 0x000| 00 | . | dscp: 0 0x1-0x1.5 (0.6) + 0x000| 00 | . | ecn: 0 0x1.6-0x1.7 (0.2) + 0x000| 01 f1 | .. | total_length: 497 0x2-0x3.7 (2) + 0x000| f5 db | .. | identification: 62939 0x4-0x5.7 (2) + 0x000| 00 | . | reserved: 0 0x6-0x6 (0.1) + 0x000| 00 | . | dont_fragment: false 0x6.1-0x6.1 (0.1) + 0x000| 00 | . | more_fragments: false 0x6.2-0x6.2 (0.1) + 0x000| 00 00 | .. | fragment_offset: 0 0x6.3-0x7.7 (1.5) + 0x000| 40 | @ | ttl: 64 0x8-0x8.7 (1) + 0x000| 06 | . | protocol: "tcp" (6) (Transmission control protocol) 0x9-0x9.7 (1) + 0x000| 77 d7 | w. | header_checksum: 0x77d7 (valid) 0xa-0xb.7 (2) + 0x000| c0 a8 45 02| ..E.| source_ip: "192.168.69.2" (0xc0a84502) 0xc-0xf.7 (4) + 0x001|c0 a8 45 01 |..E. | destination_ip: "192.168.69.1" (0xc0a84501) 0x10-0x13.7 (4) + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| payload{}: (tcp_segment) 0x14-0x1f0.7 (477) + 0x001| 85 0b | .. | source_port: 34059 0x14-0x15.7 (2) + 0x001| 00 50 | .P | destination_port: "http" (80) (World Wide Web HTTP) 0x16-0x17.7 (2) + 0x001| 8f f5 a2 33 | ...3 | sequence_number: 2415239731 0x18-0x1b.7 (4) + 0x001| 96 18 93 27| ...'| acknowledgment_number: 2518192935 0x1c-0x1f.7 (4) + 0x002|80 |. | data_offset: 8 0x20-0x20.3 (0.4) + 0x002|80 |. | reserved: 0 0x20.4-0x20.6 (0.3) + 0x002|80 |. | ns: false 0x20.7-0x20.7 (0.1) + 0x002| 18 | . | cwr: false 0x21-0x21 (0.1) + 0x002| 18 | . | ece: false 0x21.1-0x21.1 (0.1) + 0x002| 18 | . | urg: false 0x21.2-0x21.2 (0.1) + 0x002| 18 | . 
| ack: true 0x21.3-0x21.3 (0.1) + 0x002| 18 | . | psh: true 0x21.4-0x21.4 (0.1) + 0x002| 18 | . | rst: false 0x21.5-0x21.5 (0.1) + 0x002| 18 | . | syn: false 0x21.6-0x21.6 (0.1) + 0x002| 18 | . | fin: false 0x21.7-0x21.7 (0.1) + 0x002| 00 2e | .. | window_size: 46 0x22-0x23.7 (2) + 0x002| 16 ca | .. | checksum: 0x16ca 0x24-0x25.7 (2) + 0x002| 00 00 | .. | urgent_pointer: 0 0x26-0x27.7 (2) + | | | options[0:3]: 0x28-0x33.7 (12) + | | | [0]{}: option 0x28-0x28.7 (1) + 0x002| 01 | . | kind: "nop" (1) (No operation) 0x28-0x28.7 (1) + | | | [1]{}: option 0x29-0x29.7 (1) + 0x002| 01 | . | kind: "nop" (1) (No operation) 0x29-0x29.7 (1) + | | | [2]{}: option 0x2a-0x33.7 (10) + 0x002| 08 | . | kind: "timestamp" (8) (Timestamp and echo of previous timestamp) 0x2a-0x2a.7 (1) + 0x002| 0a | . | length: 10 0x2b-0x2b.7 (1) + 0x002| 77 e3 57 eb| w.W.| value: 2011387883 0x2c-0x2f.7 (4) + 0x003|19 c9 2c e4 |..,. | echo_reply: 432614628 0x30-0x33.7 (4) + 0x003| 47 45 54 20 2f 74 65 73 74 2f 65 74| GET /test/et| payload: raw bits 0x34-0x1f0.7 (445) + 0x004|68 65 72 65 61 6c 2e 68 74 6d 6c 20 48 54 54 50|hereal.html HTTP| + * |until 0x1f0.7 (end) (445) | | + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| [1]{}: ipv4_packet (ipv4_packet) 0x0-0x1c5.7 (454) + 0x000|45 |E | version: 4 0x0-0x0.3 (0.4) + 0x000|45 |E | ihl: 5 0x0.4-0x0.7 (0.4) + 0x000| 00 | . | dscp: 0 0x1-0x1.5 (0.6) + 0x000| 00 | . | ecn: 0 0x1.6-0x1.7 (0.2) + 0x000| 01 c6 | .. | total_length: 454 0x2-0x3.7 (2) + 0x000| bf c4 | .. | identification: 49092 0x4-0x5.7 (2) + 0x000| 00 | . | reserved: 0 0x6-0x6 (0.1) + 0x000| 00 | . | dont_fragment: false 0x6.1-0x6.1 (0.1) + 0x000| 00 | . | more_fragments: false 0x6.2-0x6.2 (0.1) + 0x000| 00 00 | .. | fragment_offset: 0 0x6.3-0x7.7 (1.5) + 0x000| 40 | @ | ttl: 64 0x8-0x8.7 (1) + 0x000| 06 | . | protocol: "tcp" (6) (Transmission control protocol) 0x9-0x9.7 (1) + 0x000| ae 19 | .. 
| header_checksum: 0xae19 (valid) 0xa-0xb.7 (2) + 0x000| c0 a8 45 01| ..E.| source_ip: "192.168.69.1" (0xc0a84501) 0xc-0xf.7 (4) + 0x001|c0 a8 45 02 |..E. | destination_ip: "192.168.69.2" (0xc0a84502) 0x10-0x13.7 (4) + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| payload{}: (tcp_segment) 0x14-0x1c5.7 (434) + 0x001| 00 50 | .P | source_port: "http" (80) (World Wide Web HTTP) 0x14-0x15.7 (2) + 0x001| 85 0b | .. | destination_port: 34059 0x16-0x17.7 (2) + 0x001| 96 18 93 27 | ...' | sequence_number: 2518192935 0x18-0x1b.7 (4) + 0x001| 8f f5 a3 f0| ....| acknowledgment_number: 2415240176 0x1c-0x1f.7 (4) + 0x002|80 |. | data_offset: 8 0x20-0x20.3 (0.4) + 0x002|80 |. | reserved: 0 0x20.4-0x20.6 (0.3) + 0x002|80 |. | ns: false 0x20.7-0x20.7 (0.1) + 0x002| 18 | . | cwr: false 0x21-0x21 (0.1) + 0x002| 18 | . | ece: false 0x21.1-0x21.1 (0.1) + 0x002| 18 | . | urg: false 0x21.2-0x21.2 (0.1) + 0x002| 18 | . | ack: true 0x21.3-0x21.3 (0.1) + 0x002| 18 | . | psh: true 0x21.4-0x21.4 (0.1) + 0x002| 18 | . | rst: false 0x21.5-0x21.5 (0.1) + 0x002| 18 | . | syn: false 0x21.6-0x21.6 (0.1) + 0x002| 18 | . | fin: false 0x21.7-0x21.7 (0.1) + 0x002| 19 20 | . | window_size: 6432 0x22-0x23.7 (2) + 0x002| 2e ef | .. | checksum: 0x2eef 0x24-0x25.7 (2) + 0x002| 00 00 | .. | urgent_pointer: 0 0x26-0x27.7 (2) + | | | options[0:3]: 0x28-0x33.7 (12) + | | | [0]{}: option 0x28-0x28.7 (1) + 0x002| 01 | . | kind: "nop" (1) (No operation) 0x28-0x28.7 (1) + | | | [1]{}: option 0x29-0x29.7 (1) + 0x002| 01 | . | kind: "nop" (1) (No operation) 0x29-0x29.7 (1) + | | | [2]{}: option 0x2a-0x33.7 (10) + 0x002| 08 | . | kind: "timestamp" (8) (Timestamp and echo of previous timestamp) 0x2a-0x2a.7 (1) + 0x002| 0a | . | length: 10 0x2b-0x2b.7 (1) + 0x002| 19 c9 2c e6| ..,.| value: 432614630 0x2c-0x2f.7 (4) + 0x003|77 e3 57 eb |w.W. 
| echo_reply: 2011387883 0x30-0x33.7 (4) + 0x003| 48 54 54 50 2f 31 2e 31 20 32 30 30| HTTP/1.1 200| payload: raw bits 0x34-0x1c5.7 (402) + 0x004|20 4f 4b 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20| OK..Date: Fri, | + * |until 0x1c5.7 (end) (402) | | + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.tcp_connections[0:1]: 0x70f-NA (0) + | | | [0]{}: tcp_connection 0x70f-NA (0) + | | | client{}: 0x70f-NA (0) + | | | ip: "192.168.69.2" 0x70f-NA (0) + | | | port: 34059 0x70f-NA (0) + | | | has_start: true 0x70f-NA (0) + | | | has_end: true 0x70f-NA (0) + | | | skipped_bytes: 0 0x70f-NA (0) + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| + 0x000|47 45 54 20 2f 74 65 73 74 2f 65 74 68 65 72 65|GET /test/ethere| stream: raw bits 0x0-0x1bc.7 (445) + * |until 0x1bc.7 (end) (445) | | + | | | server{}: 0x70f-NA (0) + | | | ip: "192.168.69.1" 0x70f-NA (0) + | | | port: "http" (80) (World Wide Web HTTP) 0x70f-NA (0) + | | | has_start: true 0x70f-NA (0) + | | | has_end: true 0x70f-NA (0) + | | | skipped_bytes: 0 0x70f-NA (0) + |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| + 0x000|48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d|HTTP/1.1 200 OK.| stream: raw bits 0x0-0x191.7 (402) + * |until 0x191.7 (end) (402) | |