Wireshark mailing list archives
Re: TCP: Retrieving connection initiator as well as looping through connections
From: Matt <mattator () gmail com>
Date: Tue, 28 Oct 2014 14:23:23 +0100
From what I understand, I need either to redissect with a tcp filter (i.e. dfilter("tcp")) but it looks slow. I would rather search through created TCP conversations. My problem is that conversations look saved into different hashtables such as "GHashTable* conversation_hashtable_exact". To compare my token with a key against all TCP connections, I believe I should compare it over the conversations in the 4 hashtables. Is that correct?

2014-10-28 9:58 GMT+01:00 Matt <mattator () gmail com>:

Is that option present in all TCP packets or just in the initial 3-way handshake? If the former, then you have the problem I described above, with the indicated workaround.

This is one of the problems (and advantages) of these multipath protocols, it's easier to evade data capture. Especially for MPTCP, you have to get all SYN/ACKs to be able to map a subflow to an MPTCP connection, otherwise you can't tell anything (MPTCP exchanges keys/nonces to authenticate a subflow during the 3WHS).

I wished to propose expert info in case of packet retransmission (such as detecting wrong keys) but it's not mandatory.

In fact, an MPTCP communication starts with a TCP 3WHS that exchanges some cryptographic keys with the TCP option MPTCP_CAPABLE. Then data is sent on this TCP connection. At any time a new TCP connection can be made to join the precedent MPTCP connection. It is achieved with the establishment of a new TCP connection with the TCP option MP_JOIN. This TCP option carries tokens derived from the keys exchanged during the MPTCP connection. So I need to check the token against all previous keys to see if it matches a previously registered MPTCP connection. That's why I need to loop through TCP connections. find_conversation() returns one conversation based on IP addresses/ports but I want to run a check against token/keys and I dunno how to do it.

Thanks for your help

2014-10-27 14:47 GMT+01:00 Matt <mattator () gmail com>:

Hi,

I am trying to improve the MPTCP support in the TCP dissector. To provide expert infos, I need to identify which host initiated the connection (i.e. sent the SYN). I wonder how to do that, I could use tcp_analysis::server_port if ports were guaranteed to be different on both sides.

Secondly, I am trying to set up an MPTCP *stream* identifier, similar to tcp stream. Indeed a single MPTCP connection can be composed of several TCP connections. Thing is to know to which MPTCP stream a TCP stream is bound to, I have to check a token (in a TCP option) against all MPTCP connections until I find a match. So I need to loop through TCP connections. How can I do that?

Regards
Matt
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
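The token matching described in the message above, as an added example that is not part of the original post or of Wireshark's code: instead of looping over every TCP conversation, each key seen in the first handshake is turned into its token once and stored in a table keyed by token, so a joining subflow is resolved with one lookup. It assumes the RFC 6824 derivation (token = most significant 32 bits of SHA-1 over the 64-bit key); the class, function names and sample keys are hypothetical.

```python
import hashlib

def mptcp_token(key: bytes) -> int:
    """Token per RFC 6824: most significant 32 bits of SHA-1 over the 64-bit key."""
    if len(key) != 8:
        raise ValueError("MPTCP key must be exactly 8 bytes")
    return int.from_bytes(hashlib.sha1(key).digest()[:4], "big")

class MptcpStreamIndex:
    """Maps tokens to MPTCP stream ids so an MP_JOIN needs one lookup, not a scan."""

    def __init__(self):
        self.by_token = {}   # token -> MPTCP stream id
        self.by_tcp = {}     # TCP stream id -> MPTCP stream id
        self.next_id = 0

    def on_mp_capable(self, tcp_stream: int, keys) -> int:
        """Register a connection once its handshake has shown both hosts' keys."""
        mptcp_id = self.next_id
        self.next_id += 1
        for key in keys:
            # setdefault: on a 32-bit token collision the first connection wins
            self.by_token.setdefault(mptcp_token(key), mptcp_id)
        self.by_tcp[tcp_stream] = mptcp_id
        return mptcp_id

    def on_mp_join(self, tcp_stream: int, token: int):
        """Bind a joining subflow; None means the first handshake was not captured."""
        mptcp_id = self.by_token.get(token)
        if mptcp_id is not None:
            self.by_tcp[tcp_stream] = mptcp_id
        return mptcp_id

# Constructed sample keys (not taken from a real capture).
KEY_A = bytes.fromhex("0102030405060708")
KEY_B = bytes.fromhex("a1a2a3a4a5a6a7a8")

def demo():
    index = MptcpStreamIndex()
    first = index.on_mp_capable(tcp_stream=0, keys=(KEY_A, KEY_B))
    joined = index.on_mp_join(tcp_stream=1, token=mptcp_token(KEY_B))
    # A token whose key was never seen: the subflow cannot be mapped.
    unknown = index.on_mp_join(tcp_stream=2, token=mptcp_token(b"\x00" * 8))
    return first, joined, unknown, dict(index.by_tcp)

if __name__ == "__main__":
    print(demo())
```

The `None` result is the capture-gap case the message mentions: without the first handshake's keys, a subflow cannot be tied to its MPTCP connection.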
Current thread:
- TCP: Retrieving connection initiator as well as looping through connections Matt (Oct 27)
- Re: TCP: Retrieving connection initiator as well as looping through connections Guy Harris (Oct 27)
- Re: TCP: Retrieving connection initiator as well as looping through connections Matt (Oct 28)
- Re: TCP: Retrieving connection initiator as well as looping through connections Matt (Oct 28)