Filter tcp retransmission wireshark

I've written a simple source file that can read pcap files using the libpcap library in C. I can parse the packets one by one and analyze them up to a point. I want to be able to deduce whether a TCP packet I parsed is a TCP retransmission or not.

After searching the web extensively, I've concluded that in order to do so, I need to track the traffic behaviour, and this means also analyzing previously received packets. What I actually want to achieve is to do, on a basic level, what the filter does in Wireshark. This is an MRE that reads a pcap file and analyzes the TCP packets sent over IPv4. The function find_retransmissions is where the packet is analyzed.

    void process_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
    void find_retransmissions(const u_char *, int);

    /* in main() */
    handle = pcap_open_offline("smallFlows.pcap", errbuff);
    pcap_loop(handle, -1, process_packet, NULL);

    /* in process_packet() */
    struct ethhdr *eth = (struct ethhdr *)buffer;
    struct iphdr *iph = (struct iphdr *)(buffer + sizeof(struct ethhdr));

    void find_retransmissions(const u_char *Buffer, int Size)
    {
        struct iphdr *iph = (struct iphdr *)(Buffer + sizeof(struct ethhdr));
        struct tcphdr *tcph = (struct tcphdr *)(Buffer + sizeof(struct ethhdr) + iphdrlen);
        int header_size = sizeof(struct ethhdr) + iphdrlen + tcph->doff * 4;

        /* First check if a same TCP packet has been received */
        for (int i = 0; /* loop bound missing from this copy */; i++) {
            if ((previous_packets.saddr == iph->saddr)            // Same source IP address
                && (previous_packets.daddr == iph->daddr)         // Same destination IP address
                && (previous_packets.protocol == iph->protocol)   // Same protocol
                && (temphdrlen == iphdrlen))                      // Same header length
            {
                if ((previous_tcp.source == tcph->source)         // Same source port
                    && (previous_tcp.dest == tcph->dest)          // Same destination port
                    && (previous_tcp.th_seq == tcph->th_seq)      // Same sequence number
                    && (previous_tcp.th_ack == tcph->th_ack)      // Same acknowledge number
                    && (previous_tcp.th_win == tcph->th_win)      // Same window
                    && (previous_tcp.th_flags == tcph->th_flags)  // Same flags
                    && (tcph->syn == 1 || tcph->fin == 1 || segmentlength > 0)) // Check if SYN or FIN are set, or segmentlength > 0
                {
                    /* At this point the packets are almost identical.
                       Now check previous communication to check for retransmission.
                       Find packets going to the reverse direction. */
                    if ((previous_packets.daddr == iph->saddr)            // Swapped IP source addresses
                        && (previous_packets.saddr == iph->daddr)         // Same for IP dest addresses
                        && (previous_packets.protocol == iph->protocol))  // Same protocol
                    {
                        if ((previous_tcp.dest == tcph->source)           // Swapped ports
                            && (previous_tcp.th_seq - 1 != tcph->th_ack)  // Not keepalive
                            /* one line missing from this copy */
                            || (segmentlength > 0))                       // Either segmentlength > 0
                            && (previous_tcp.th_seq > tcph->th_seq)       // Next sequence number is
                            && (previous_tcp.ack != 1))                   // Last seen ACK is set
                        {
                            printf(" |-IP Version : %d\n", (unsigned int)iph->version);
                            printf(" |-Source IP : %s\n", inet_ntoa(source.sin_addr));
                            printf(" |-Destination IP : %s\n", inet_ntoa(dest.sin_addr));
                            printf(" |-Source Port : %u\n", ntohs(tcph->source));
                            printf(" |-Destination Port : %u\n", ntohs(tcph->dest));
                            printf(" |-Protocol : %d\n", (unsigned int)iph->protocol);
                            printf(" |-IP Header Length : %d DWORDS or %d Bytes\n",
                                   (unsigned int)iph->ihl, ((unsigned int)(iph->ihl)) * 4);
                            printf(" |-Payload Length : %d Bytes\n", Size - header_size);
                        }
                    }
                }
            }
        }
    }

    /* after pcap_loop() returns */
    printf("Total Retransmissions: %d\n", retransmissions);

This approach is based on the Wireshark wiki paragraph about retransmission. I have literally clicked every page Google has to offer on how to approach this analysis, but this was the only thing I was able to find. The results I get are somewhat correct: some retransmissions go unnoticed, I get a lot of DUP-ACK packets, and some normal traffic gets through as well (checked with Wireshark). I use the smallFlows.pcap file found here, and I believe that the results I should have should be the same as the & not _retransmission filter in Wireshark, which amounts to 88 retransmissions for this pcap. Running this code yields 45 and I can't understand why.
