fragmented cflow packets


I have a packet capture which has fragmented cflow packets; I am not able to reassemble them using tshark. I am trying to use -o tcp.desegment_tcp_streams:TRUE, but still I can't reassemble it.

below is the example:

16        773  173.150.1.1 -> 172.148.1.50 TCP 570 50687 > personal-agent [ACK] Seq=257 Ack=1 Win=8192 Len=500 TSval=22838 TSecr=398428810
18        773  173.150.1.1 -> 172.148.1.50 TCP 570 50687 > personal-agent [ACK] Seq=757 Ack=1 Win=8192 Len=500 TSval=22838 TSecr=399197440
20        773  173.150.1.1 -> 172.148.1.50 TCP 520 50687 > personal-agent [PSH, ACK] Seq=1257 Ack=1 Win=8192 Len=450 TSval=22838 TSecr=399197440

I want to reassemble this and then analyse it as cflow packets and get the field values.

Could you please help me.

meetsuraj (1) asked 2020-10-19 17:09:19 +0000
grahamb (23.8k) updated 2020-10-20 08:01:27 +0000

Comments

Do you have access to the Wireshark Gui to test?
Edit -> Preferences... -> Protocols -> CFLOW

Looks like personal-agent in your question is TCP port 5555.
Have you added this to the list of Cflow TCP ports?

Chuckc (2020-10-19 17:38:50 +0000)

Hi, thanks for your comment. I don't have GUI access in my code, but yeah, I am able to decode when the port number is 5555; I use the below command:

tshark -d tcp.port==5555,cflow ---> this decodes the packet as cflow.

My only issue here is I am not able to reassemble the above three packets into one, so that I could get one cflow packet and analyze it for the field values.

meetsuraj (2020-10-20 02:49:50 +0000)

Have you checked the other settings for cflow? (change findstr to grep on *nix)

C:\Program Files\Wireshark>tshark -G defaultprefs | findstr /I cflow
#cflow.netflow.ports: 2055,9996
#cflow.ipfix.ports: 4739
#cflow.max_template_fields: 60
#cflow.desegment: TRUE

C:\Program Files\Wireshark>tshark -G currentprefs | findstr /I cflow
#cflow.netflow.ports: 2055,9996
#cflow.ipfix.ports: 4739
#cflow.max_template_fields: 60
#cflow.desegment: TRUE
Chuckc (2020-10-20 12:06:29 +0000)
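To show what cflow.desegment is doing for the dissector, here is an added example (not part of this thread or of Wireshark): it rebuilds a TCP stream from segments laid out like the three in the question (Seq=257/757/1257, Len=500/500/450, 1450 bytes total) and parses the header of one constructed IPFIX message. IPFIX is assumed for the sample because its header carries an explicit length, which is exactly what the dissector needs the reassembled stream to satisfy before it can decode fields.

```python
import struct

# Constructed sample, not a real capture: one IPFIX (NetFlow v10) message of 1450
# bytes split across three TCP segments with the same Seq/Len layout as the question.
IPFIX_VERSION = 10
MSG_LEN = 1450

def build_ipfix_message(length=MSG_LEN, seq=1, domain=7):
    """IPFIX message header (RFC 7011): version, length, export time, sequence, domain."""
    header = struct.pack("!HHIII", IPFIX_VERSION, length, 1603100000, seq, domain)
    # Pad with a dummy body so the message is exactly `length` bytes long.
    return header + bytes([0xAB]) * (length - len(header))

def split_into_segments(payload, first_seq=257, sizes=(500, 500, 450)):
    """Return (tcp_seq, data) tuples mimicking the three segments in the capture."""
    segments, off, seq = [], 0, first_seq
    for n in sizes:
        segments.append((seq, payload[off:off + n]))
        off += n
        seq += n
    return segments

def reassemble(segments):
    """Order segments by TCP sequence number and concatenate contiguous payload."""
    segments = sorted(segments, key=lambda s: s[0])
    stream, expected = b"", segments[0][0]
    for seq, data in segments:
        if seq != expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {seq}")
        stream += data
        expected += len(data)
    return stream

def parse_ipfix_header(stream):
    """Parse the 16-byte IPFIX header; refuse to decode until the whole message is present."""
    if len(stream) < 16:
        raise ValueError("need more data for the header")
    version, length, export_time, seq, domain = struct.unpack("!HHIII", stream[:16])
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX: version {version}")
    if len(stream) < length:
        # This is the situation without desegmentation: the first segment alone is short.
        raise ValueError(f"message is {length} bytes, only {len(stream)} available")
    return {"version": version, "length": length, "export_time": export_time,
            "sequence": seq, "domain_id": domain}
```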

Exactly, this is what I was looking for. Thanks for the suggestion.

tshark -o cflow.desegment: TRUE

This is working. But it looks like CentOS 7 comes with Wireshark version 1.10, which is the latest stable version, and in that version it's not supported.

[suraj@host149-suraj robot]$ tshark -G defaultprefs | grep cflow
#cflow.netflow.ports: 2055,9996
#cflow.ipfix.ports: 4739
#cflow.max_template_fields: 60

Let's see if I can install a later version on CentOS 7. Thanks again.

meetsuraj (2020-10-21 02:53:50 +0000)