
TCP analysis on packets captured with smaller snaplength


We are capturing packets and only the first 100 bytes are captured due to privacy reasons, but because of that TCP analysis becomes wrong: all TCP segments believe that the previous segment is lost (because of sequence numbers). Is there a way to modify the capture file, i.e. look at ip.length and based on that add '00' to the packet bytes, so that analysis becomes correct? I know the TCP checksum will be wrong, but at least TCP analysis will be good.

rr
asked 2024-01-09 17:59:47 +0000

Comments

Are there extra protocol layers before TCP?
100 bytes should be enough to capture the full TCP header and options.

Chuckc (2024-01-09 18:27:44 +0000)

But for TCP analysis we need the complete packet, else TCP analysis becomes wrong in Wireshark.

rr (2024-01-09 18:53:36 +0000)

1 Answer


The TCP dissector usually works just fine without the payload, as long as you have the complete TCP header, which you should have unless there is some tunneling involved (eth:14, ip:20, tcp:20-60 => 54-94 bytes for eth/ip/tcp info). How are the packets sliced: by a libpcap library, resulting in "Frame 366: 534 bytes on wire, 100 bytes captured on interface en0, id 0", or by a packet broker, resulting in "Frame 366: 100 bytes on wire, 100 bytes captured on interface en0, id 0", even though there were 534 bytes on the wire before slicing? AFAIK, Wireshark sometimes has problems handling the second case.

Of course a pcap file with an example of where TCP analysis fails in your case could be handy to determine what is going on and whether or not this is a bug.

SYN-bit
answered 2024-01-10 08:27:14 +0000

Comments

Thanks @SYN-bit, this was really useful. I modified the bytes on wire and that resolved this issue

rr (2024-01-10 18:00:19 +0000)

Glad my answer helped you in solving your issue.

I reopened the question and selected my answer as the one that answered the question. We keep questions open with a selected answer as a knowledge base for others :-)

SYN-bit (2024-01-10 23:26:05 +0000)
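As an added example (not code from the answer or from Wireshark's own tools), this rewrites the per-record "bytes on wire" field of a classic pcap from the IPv4 Total Length, which is the adjustment the asker reports making: a broker-sliced record that Wireshark shows as "100 bytes on wire, 100 bytes captured" becomes "534 bytes on wire, 100 bytes captured" without touching any packet bytes. It assumes a little-endian classic pcap (not pcapng) with Ethernet/IPv4 frames; the single sample frame is constructed inline.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800

def fix_orig_len(pcap_bytes: bytes) -> tuple[bytes, int]:
    """Return a copy of the pcap with 'bytes on wire' recomputed from the IPv4
    Total Length field, plus the number of records changed. Only Ethernet/IPv4
    records where bytes on wire == bytes captured (the packet-broker slicing
    case from the answer) are rewritten; the captured bytes are never altered."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    out, off, fixed = bytearray(pcap_bytes[:24]), 24, 0
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        data = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if orig_len == incl_len and len(data) >= ETH_HDR_LEN + 20:
            ethertype, = struct.unpack_from("!H", data, 12)
            ip_total_len, = struct.unpack_from("!H", data, ETH_HDR_LEN + 2)
            wire_len = ETH_HDR_LEN + ip_total_len
            if ethertype == ETHERTYPE_IPV4 and wire_len > incl_len:
                orig_len, fixed = wire_len, fixed + 1
        out += struct.pack("<IIII", ts_sec, ts_usec, incl_len, orig_len) + data
    return bytes(out), fixed

def record_lengths(pcap_bytes: bytes) -> list[tuple[int, int]]:
    """(bytes captured, bytes on wire) per record, as Wireshark's frame line shows them."""
    lengths, off = [], 24
    while off + 16 <= len(pcap_bytes):
        incl_len, orig_len = struct.unpack_from("<II", pcap_bytes, off + 8)
        lengths.append((incl_len, orig_len))
        off += 16 + incl_len
    return lengths

def build_sample_pcap() -> bytes:
    """Constructed input: one 534-byte Ethernet/IPv4/TCP frame sliced to a 100-byte
    snaplen, with bytes on wire recorded as 100 (broker-style, the problem case)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 520, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # Total Length 520 = 534 - 14
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 2000, 0x50, 0x18, 65535, 0, 0)
    frame = (eth + ip + tcp + b"\x00" * 480)[:100]                # 534 bytes, sliced at 100
    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 100, LINKTYPE_ETHERNET)
    return ghdr + struct.pack("<IIII", 1704823187, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    fixed, n = fix_orig_len(build_sample_pcap())
    print(n, record_lengths(fixed))   # 1 [(100, 534)]
```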
