 windows and linux pcap 

Joined: Sun Mar 21, 2010 10:15 am
Posts: 6
Re: windows and linux pcap
hey thanks...that solved my problem


Tue Mar 23, 2010 12:11 pm

Joined: Tue Mar 23, 2010 1:13 am
Posts: 2
Re: windows and linux pcap
gianluca.costa wrote:
Your pcap has two "problems":
  • TCP checksum errors
solved as follows: http://wiki.xplico.org/doku.php?id=tips ... rification

Ciao.
Gianluca


Thanks Gianluca, that did the trick. The firewall does TCP offloading so the checksums are never correct... obviously Xplico ignores ones that are incorrect. For what it's worth, I'd expect a forensic tool to show me absolutely everything whether it can decode it successfully or not... I'm quite happy for it to not decode everything but forensics should show the whole picture.


Tue Mar 23, 2010 11:04 pm
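The checksum situation wraith describes is easy to reproduce and audit offline. The script below is an added example (not Xplico code and not from this thread): it parses a classic pcap file, recomputes the TCP checksum of every IPv4/TCP packet from the pseudo-header, and classifies each one as ok, bad, or zero instead of silently discarding failures. The three packets in the sample capture, the addresses, ports and the request line are all constructed here for the demonstration.

```python
"""Audit the TCP checksums inside a classic pcap file.

Added example (not Xplico code): a capture taken on a host or firewall with
TCP checksum offloading looks "corrupt" to a decoder that verifies checksums.
This audit reports every packet's state instead of dropping it.
"""
import socket
import struct

PCAP_MAGIC_BE = 0xA1B2C3D4   # classic pcap magic as read from a big-endian file
PCAP_MAGIC_LE = 0xD4C3B2A1   # the same magic read from a little-endian file
LINKTYPE_ETHERNET = 1
IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IP and TCP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad the last word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum_status(ip_packet: bytes) -> str:
    """Classify one IPv4 packet's TCP checksum: ok / bad / zero / not-tcp.

    'zero' is what a capture taken before the NIC filled the field in
    (offloading) often shows; 'bad' is a segment whose bytes do not match.
    """
    if ip_packet[0] >> 4 != 4 or ip_packet[9] != IPPROTO_TCP:
        return "not-tcp"
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    tcp = ip_packet[ihl:total_len]
    stored = struct.unpack("!H", tcp[16:18])[0]
    # pseudo-header: src, dst, zero, protocol, TCP length (header + payload)
    pseudo = ip_packet[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    expected = checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])
    if stored == expected:
        return "ok"
    if stored == 0:
        return "zero"
    return "bad"


def build_tcp_packet(src: str, dst: str, sport: int, dport: int,
                     payload: bytes, fill_checksum: bool = True) -> bytes:
    """Build a minimal IPv4/TCP (PSH|ACK) packet; constructed sample data."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    if fill_checksum:
        pseudo = s + d + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def build_pcap(ip_packets) -> bytes:
    """Wrap IPv4 packets in Ethernet frames inside a classic pcap (constructed)."""
    out = struct.pack("!IHHiIII", PCAP_MAGIC_BE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(ip_packets):
        frame = b"\x00" * 12 + b"\x08\x00" + pkt     # zero MACs, EtherType IPv4
        out += struct.pack("!IIII", 1269300000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_ipv4(data: bytes):
    """Yield the IPv4 packet carried by each Ethernet frame of a classic pcap."""
    magic = struct.unpack("!I", data[:4])[0]
    if magic == PCAP_MAGIC_BE:
        end = "!"
    elif magic == PCAP_MAGIC_LE:
        end = "<"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled in this example")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] == b"\x08\x00":
            yield frame[14:]


def audit_pcap(data: bytes) -> dict:
    """Count checksum states; a forensic view reports all of them rather than dropping 'bad'."""
    report = {"ok": 0, "bad": 0, "zero": 0, "not-tcp": 0}
    for pkt in iter_pcap_ipv4(data):
        report[tcp_checksum_status(pkt)] += 1
    return report


def sample_capture() -> bytes:
    """Three constructed packets: correct, offloaded (field left 0), damaged in transit."""
    req = b"GET / HTTP/1.0\r\n"
    good = build_tcp_packet("10.0.0.1", "10.0.0.2", 40000, 80, req)
    offloaded = build_tcp_packet("10.0.0.1", "10.0.0.2", 40000, 80, req, fill_checksum=False)
    damaged = good[:-1] + bytes([good[-1] ^ 0xFF])   # last payload byte flipped after checksumming
    return build_pcap([good, offloaded, damaged])


if __name__ == "__main__":
    print(audit_pcap(sample_capture()))   # {'ok': 1, 'bad': 1, 'zero': 1, 'not-tcp': 0}
```

Run it against a real capture by passing the file's bytes to `audit_pcap`. One caveat when reading the result: not every offloading stack leaves the field at zero, some write a partial (pseudo-header) sum into it, so offloaded segments can land in the "bad" bucket too; the tell-tale sign of offloading is that every outbound segment from the capturing host fails while inbound ones verify fine, which is worth confirming before disabling verification in the decoder.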
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Re: windows and linux pcap
Hi wraith,
I understand what you say, and it is for this reason that Xplico was designed to be versatile.
Your observation is correct. But a good system for decoding the traffic normally consists of two logical entities:
  • acquisition of data (probe)
  • decoding of data
and each of these two entities must perform its task properly.
In Xplico it is possible to circumvent some problems arising from the acquisition.
If we disable the verification of TCP and there is really a failure of the TCP, which results in a retransmission of the packet, what are the guarantees that the decoder uses the second packet (retransmission) and not the first packet (corrupted)?
Xplico provides many degrees of freedom but it is the system (probe & decoder) which should provide some basic guarantees.
In Xplico, besides being able to disable the checksum verification (IP, IPv6, TCP, UDP), there are two different TCP dissectors. The first (default) provides the TCP-based dissectors with data only if it is confirmed by ACK; the second TCP dissector does not have this constraint. These are two different policies, each of which has advantages and disadvantages ... in Xplico each user can choose the one most suited to their needs :) .

Ciao.
Gianluca


Thu Mar 25, 2010 6:25 am
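Gianluca's question about which copy a decoder ends up using when checksum verification is off and a retransmission follows can be made concrete with a small model. The code below is an added example, not Xplico's implementation: `StreamReassembler`, `Segment`, the two policy names and the scenario (a damaged first transmission, its retransmission, then the server's ACK) are all constructed here to illustrate the two policies described in the post, with the "ack_confirmed" policy handing bytes to the application-layer decoder only once the peer has acknowledged them and the "eager" policy delivering them on first sight.

```python
"""Toy model of the two TCP delivery policies described above.

Added example, not Xplico's implementation: 'ack_confirmed' hands data to
the application-layer decoder only once the peer has acknowledged it, while
'eager' delivers bytes as soon as they are seen. The scenario is a damaged
segment followed by its retransmission (constructed sample data).
"""
from dataclasses import dataclass


@dataclass
class Segment:
    src: str                   # "client" or "server"
    seq: int                   # sequence number of the first payload byte
    ack: int                   # acknowledgement number carried by this segment
    payload: bytes
    checksum_ok: bool = True   # result of the capture-time checksum check


class StreamReassembler:
    """One direction (client -> server) of a TCP stream."""

    def __init__(self, policy: str, verify_checksums: bool):
        if policy not in ("ack_confirmed", "eager"):
            raise ValueError(policy)
        self.policy = policy
        self.verify_checksums = verify_checksums
        self.pending = {}          # seq -> payload waiting for an ACK (ack_confirmed only)
        self.next_seq = None       # next byte the decoder expects
        self.output = bytearray()  # bytes handed to the application-layer decoder
        self.dropped = 0           # segments discarded by checksum verification

    def feed(self, seg: Segment) -> None:
        if self.verify_checksums and not seg.checksum_ok:
            self.dropped += 1
            return
        if seg.src == "client" and seg.payload:
            if self.policy == "eager":
                self._deliver(seg.seq, seg.payload)
            else:
                # a retransmission of the same range replaces the earlier copy
                self.pending[seg.seq] = seg.payload
        elif seg.src == "server" and self.policy == "ack_confirmed":
            for seq in sorted(self.pending):
                data = self.pending[seq]
                if seq + len(data) <= seg.ack:     # fully acknowledged by the peer
                    self._deliver(seq, data)
                    del self.pending[seq]

    def _deliver(self, seq: int, data: bytes) -> None:
        if self.next_seq is None:
            self.next_seq = seq
        if seq < self.next_seq:                    # duplicate/overlap: keep only new bytes
            data = data[self.next_seq - seq:]
            seq = self.next_seq
        if seq != self.next_seq:                   # gap: out-of-order handling is out of scope
            return
        self.output += data
        self.next_seq = seq + len(data)


def run_scenario(policy: str, verify_checksums: bool):
    """Damaged first transmission, retransmission, then the server's ACK."""
    good = b"GET /index.html HTTP/1.0\r\n\r\n"
    damaged = good[:4] + b"X" + good[5:]           # one byte corrupted on the wire
    segments = [
        Segment("client", 1, 1, damaged, checksum_ok=False),  # first copy, checksum fails
        Segment("client", 1, 1, good),                        # retransmission after timeout
        Segment("server", 1, 1 + len(good), b""),             # ACK covering the whole request
    ]
    r = StreamReassembler(policy, verify_checksums)
    for seg in segments:
        r.feed(seg)
    return bytes(r.output), r.dropped


if __name__ == "__main__":
    for policy in ("eager", "ack_confirmed"):
        for verify in (True, False):
            out, dropped = run_scenario(policy, verify)
            print(f"{policy:14} verify={verify!s:5} dropped={dropped} -> {out!r}")
```

The four combinations show the trade-off Gianluca describes: with verification on, the damaged copy is dropped under either policy and the decoder sees the clean request; with verification off, the eager policy commits the damaged bytes the moment they appear and then treats the retransmission as a duplicate, while the ACK-gated policy lets the retransmission replace the damaged copy before anything is delivered. That is exactly why turning verification off to cope with an offloading probe is safer when the decoder also waits for the peer's acknowledgement.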