Xplico.org
http://forum.xplico.org/

How are packets of a specified flow_id recognized?
http://forum.xplico.org/viewtopic.php?f=3&t=245

Author:  Raamin [ Mon Aug 16, 2010 8:37 am ]
Post subject:  How are packets of a specified flow_id recognized?

Hello,

When FlowGetPkt(flow_id) is called, it gives the next packet of that flow_id.

How are packets of a specified flow_id recognized? How are packets of a specified flow_id distinguished from other packets? For example, flow_id is the key of the tuple (src_ip, dest_ip, src_port, dest_port), and when a packet has these four features equal it is assigned to the related flow_id. Is that right? If yes, consequently there should exist one unique flow_id for each unique (src_ip, dest_ip, src_ip, dest_ip)?

Author:  gianluca.costa [ Mon Aug 16, 2010 8:57 am ]
Post subject:  Re: How are packets of a specified flow_id recognized?

Quote:
When FlowGetPkt(flow_id) is called, it gives the next packet of that flow_id.

You cannot use FlowGetPkt inside the hdep.ProtCheck (proto_heury_dep) and dep.ProtCheck (proto_dep) functions; there you must use FlowGetPktCp(flow_id) instead.

Quote:
How are packets of a specified flow_id recognized?

For TCP and UDP the flow (and so the flow_id) is defined by source IP, destination IP, source port and destination port.

Quote:
For example, flow_id is the key of the tuple (src_ip, dest_ip, src_port, dest_port), and when a packet has these four features equal it is assigned to the related flow_id. Is that right?

Yes

Quote:
If yes, consequently there should exist one unique flow_id for each unique (src_ip, dest_ip, src_ip, dest_ip)?

Yes, this is true.

Author:  Raamin [ Sun Aug 22, 2010 10:04 am ]
Post subject:  Re: How are packets of a specified flow_id recognized?

I wrote a dissector module that doesn't use ProtDep, only ProtHeuDep. Also, MSNCheck (the same as hdep.ProtCheck) always returns TRUE.

In the ProtoDissector(flow_id) function, pkt is got recursively using FlowGetPkt(flow_id) and printf(pkt->data) is called.

The problem is this:
Only packets that come from outside have their data printed; if I send a packet, its data isn't printed.
Is it related to the Xplico core? Can it be related to the checksum (because in the log file I saw the message "[tcp]{c}-WARNING: TCP packet chechsum error 0x229f")?

Author:  gianluca.costa [ Tue Aug 24, 2010 8:44 am ]
Post subject:  Re: How are packets of a specified flow_id recognized?

Quote:
Only packets that come from outside have their data printed; if I send a packet, its data isn't printed.
Is it related to the Xplico core?

No, it is related to the TCP, IP, ethernet, ... dissectors.
Quote:
Can it be related to the checksum (because in the log file I saw the message "[tcp]{c}-WARNING: TCP packet chechsum error 0x229f")?

Yes, the packet has a checksum error, so it is thrown away.
Try with checksum verification disabled.
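
Worked example, added here by the editor and not part of the thread or of Xplico's code: a minimal flow classifier that keys TCP packets by the 4-tuple Gianluca describes (source IP, destination IP, source port, destination port) and, mirroring the dis_tcp.so versus dis_tcp_nocheck.so behaviour, either drops or keeps packets whose TCP checksum does not verify. The packet builder, parser, flow table, addresses and payloads are all constructed for the example; folding both directions of a connection into one flow is a design choice of this example, since the thread only states which four values define the flow. One caveat worth knowing when the warning appears only for your own outgoing packets: with TCP checksum offload enabled, a local capture sees locally sent frames before the NIC has filled in the checksum, so those packets routinely fail verification while received ones pass.

```python
"""Flow keying by 4-tuple plus TCP checksum verification (illustration only,
not Xplico's code; everything below is constructed for the example)."""
import socket
import struct
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones'-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header and the TCP segment, with the
    segment's own checksum field (bytes 16..17) treated as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    return inet_checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def build_packet(src: Endpoint, dst: Endpoint, payload: bytes, good_checksum: bool = True) -> bytes:
    """Constructed IPv4/TCP packet (PSH|ACK, no options).  good_checksum=False
    deliberately corrupts the TCP checksum, like an offloaded outbound frame."""
    s, d = socket.inet_aton(src[0]), socket.inet_aton(dst[0])
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    csum = tcp_checksum(s, d, tcp)
    if not good_checksum:
        csum ^= 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, socket.IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(raw: bytes) -> dict:
    """Extract the 4-tuple, the payload and whether the TCP checksum verifies."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    src, dst = raw[12:16], raw[16:20]
    tcp = raw[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    stored = struct.unpack("!H", tcp[16:18])[0]
    return {
        "src": (socket.inet_ntoa(src), sport),
        "dst": (socket.inet_ntoa(dst), dport),
        "payload": tcp[data_off:],
        "checksum_ok": tcp_checksum(src, dst, tcp) == stored,
    }


def flow_key(pkt: dict) -> FlowKey:
    """Order the two endpoints so both directions map to one flow (assumption
    of this example; the thread only names the four values that define a flow)."""
    a, b = pkt["src"], pkt["dst"]
    return (a, b) if a <= b else (b, a)


def assign_flows(packets: List[bytes], verify_checksum: bool = True):
    """With verify_checksum=True (dis_tcp.so style) a packet whose TCP checksum
    fails is dropped before it reaches any flow; with False (dis_tcp_nocheck.so
    style) it is keyed like every other packet.  Returns (flows, dropped)."""
    ids: Dict[FlowKey, int] = {}
    flows: Dict[int, List[bytes]] = {}
    dropped = 0
    for raw in packets:
        pkt = parse_packet(raw)
        if verify_checksum and not pkt["checksum_ok"]:
            dropped += 1
            continue
        fid = ids.setdefault(flow_key(pkt), len(ids) + 1)
        flows.setdefault(fid, []).append(pkt["payload"])
    return flows, dropped


# Constructed sample traffic: one messenger-style conversation in which the
# locally sent CVR line carries a bad checksum, plus an unrelated HTTP flow.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SAMPLE_PACKETS = [
    build_packet((CLIENT, 40000), (SERVER, 1863), b"VER 1 MSNP15 CVR0\r\n"),
    build_packet((SERVER, 1863), (CLIENT, 40000), b"VER 1 MSNP15\r\n"),
    build_packet((CLIENT, 40000), (SERVER, 1863), b"CVR 2 0x0409 winnt\r\n", good_checksum=False),
    build_packet((CLIENT, 40001), (SERVER, 80), b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for verify in (True, False):
        flows, dropped = assign_flows(SAMPLE_PACKETS, verify_checksum=verify)
        print("verify_checksum=%s dropped=%d" % (verify, dropped))
        for fid, payloads in flows.items():
            print("  flow %d: %r" % (fid, payloads))
```

Run it and the first pass (checksum verification on) shows flow 1 with only the two good-checksum lines and one packet dropped, which is exactly the symptom in the thread: the dissector never sees the locally sent packet. The second pass keeps all three packets of the conversation in flow 1. Disabling verification is fine for a capture taken on the sending host, but on a capture from a span port or tap a failing checksum is more often real corruption or an injection attempt, so the check should stay on there.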

Author:  Raamin [ Tue Aug 24, 2010 9:46 am ]
Post subject:  Re: How are packets of a specified flow_id recognized?

OK, thank you.
The problem was related to the TCP checksum error; using dis_tcp_nocheck.so instead of dis_tcp.so solved it.
