 Checksum Validation Disabled, but PCAP decoding is off 

Joined: Sun Mar 27, 2011 4:13 pm
Posts: 3
Checksum Validation Disabled, but PCAP decoding is off
Hi All..

Thank you for making Xplico...this tool is exactly the thing I was looking for. Being able to parse my packet captures and visualize everything is sweet.

Now on to the problem.

I've made several different pcaps from different sources...a couple of promiscuous wireless, a couple wired, and a couple from Dionaea. I've tried different filters and switches to get meaningful data in the captures. But every one of them does not display the data that I would expect to see.

Even when locking the sniffer down to a specific Port like http port 80...the decoded capture shows 0's for everything except for Text Flow.

Is there something I am missing? I have wireshark, tcpdump, libpcap, and all of the other dependencies listed on the Wiki. I even have the optional dependencies in the /opt folder so that Xplico will find them during compile time.

Actually...what does Xplico use for the actual decoding part of the process?

Any help is much appreciated!!

--
Jeff


Fri Apr 01, 2011 1:28 pm
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Re: Checksum Validation Disabled, but PCAP decoding is off
Quote:
Is there something I am missing? I have wireshark, tcpdump, libpcap, and all of the other dependencies listed on the Wiki.

The only important dependence among those listed by you is libpcap.
There are only four hypotheses to explain what you experience:
  • a bug (unlikely)
  • data loss in the capture
  • high fragmentation of IP packets
  • checksum verification (it was excluded by you)
To identify the problem we have to analyze a single capture not decoded by Xplico. If you select a TCP stream (with http) that is not decoded by Xplico, you can check with Wireshark which is the anomaly (You can also send us the pcap with this tcp flow).

Quote:
Actually...what does Xplico use for the actual decoding part of the process?

Xplico uses xplico to decode the protocols ;) . All parts of Xplico (it is a system not only an application) have been designed and developed (from scratch) by me and Andrea. Some xplico dissectors use some define (#define) and a few lines of code from other projects, of course you can find the references in the source code.

Ciao.
Gianluca


Sat Apr 02, 2011 7:00 am

Joined: Sun Mar 27, 2011 4:13 pm
Posts: 3
Re: Checksum Validation Disabled, but PCAP decoding is off
Well, I have varied different settings in my sniffs. I have used both wireshark and tcpdump, with basic filters, and some advanced, and some with no filters. I have tried verbose x3, with/without Data (-X), wireless specific using -I promiscuous and -y IEEE80211, and Xplico only shows text flows, some arp and dns. It doesn't seem to catch any of the SIP/RTP, basic HTTP, FTP, TFTP...I can see it in the capture when I look at it, but Xplico just isn't.

I think I have proof that something just isn't working ... attached is a screenshot of my 'DECODING COMPLETE' page using a wired-sniff, and a wireless sniff. Below is the stdout output from Xplico. Clearly, what is being detected during decode is not being displayed in the dashboard. Just ARP, and Text flow.

Code:
pcapf: running: 0/0, subflow:0/0, tot pkt:0
pol: running: 0/0, subflow:0/0, tot pkt:103555
eth: running: 0/0, subflow:0/0, tot pkt:0
pppoe: running: 0/0, subflow:0/0, tot pkt:0
ppp: running: 0/0, subflow:0/0, tot pkt:0
ip: running: 0/0, subflow:0/0, tot pkt:183
ipv6: running: 0/0, subflow:0/0, tot pkt:212
tcp: running: 0/0, subflow:0/50, tot pkt:2
udp: running: 0/0, subflow:0/50, tot pkt:256
http: running: 0/0, subflow:0/0, tot pkt:0
pop: running: 0/0, subflow:0/0, tot pkt:0
imap: running: 0/0, subflow:0/0, tot pkt:0
smtp: running: 0/0, subflow:0/0, tot pkt:0
httpfd: running: 0/0, subflow:0/0, tot pkt:0
sip: running: 0/0, subflow:0/0, tot pkt:0
rtp: running: 0/0, subflow:0/0, tot pkt:0
rtcp: running: 0/0, subflow:0/0, tot pkt:0
sdp: running: 0/0, subflow:0/0, tot pkt:0
l2tp: running: 0/0, subflow:0/0, tot pkt:0
vlan: running: 0/0, subflow:0/0, tot pkt:0
ftp: running: 0/0, subflow:0/0, tot pkt:0
dns: running: 0/16, subflow:0/0, tot pkt:32
icmp: running: 0/0, subflow:0/0, tot pkt:4
nntp: running: 0/0, subflow:0/0, tot pkt:0
irc: running: 0/0, subflow:0/0, tot pkt:0
ipp: running: 0/0, subflow:0/0, tot pkt:0
pjl: running: 0/0, subflow:0/0, tot pkt:0
mms: running: 0/0, subflow:0/0, tot pkt:0
sll: running: 0/0, subflow:0/0, tot pkt:0
tftp: running: 0/0, subflow:0/0, tot pkt:0
wlan: running: 0/0, subflow:0/0, tot pkt:103555
llc: running: 0/0, subflow:0/0, tot pkt:48677
fbwchat: running: 0/0, subflow:0/0, tot pkt:0
telnet: running: 0/0, subflow:0/0, tot pkt:0
webmail: running: 0/0, subflow:0/0, tot pkt:0
msn: running: 0/0, subflow:0/0, tot pkt:0
paltalk: running: 0/0, subflow:0/0, tot pkt:0
arp: running: 0/0, subflow:0/0, tot pkt:0
paltalk_exp: running: 0/0, subflow:0/0, tot pkt:0
radiotap: running: 0/0, subflow:0/0, tot pkt:103555
tcp-grb: running: 0/1, subflow:0/0, tot pkt:2
udp-grb: running: 0/11, subflow:0/0, tot pkt:224
Pei inserted: 1
Pei to be insert: 0
Fthread: 0/100
Flows: 0
Groups: 0/100
Dns DB: ip number: 0, name number: 0, total size: 240000
Cap. time: Thu Mar 31 15:26:10 2011

Total elaboration time: 7s


--
Jeff


Attachments:
File comment: Xplico Session Dashboard showing text flow and arp/rarp only.
Screen shot 2011-04-02 at 5.53.11 PM.png
Sat Apr 02, 2011 9:56 pm
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Re: Checksum Validation Disabled, but PCAP decoding is off
Hi Jeff,
from your data I can see: 103555 total packets with only 212 IPv6 packets and 212 IPv4 packets. The TCP packets are only 2. This is the problem. Possible explanations are:
  • bug in one of the dissectors: wlan, llc or radiotap
  • a protocol (layer) not handled by xplico (we can develop it)

Well, to identify and solve the problem you should send us (bug[@]xplico.org, xplico[@]iserm.com, or post it in this forum) a pcap file with a TCP stream (from syn to fin packets) that xplico does not decode.

Ciao.
Gianluca


Sun Apr 03, 2011 8:04 am

Joined: Sun Mar 27, 2011 4:13 pm
Posts: 3
Re: Checksum Validation Disabled, but PCAP decoding is off
Ok ... I have a few captures. I gzipped it so it is ~2mb (11mb expanded)

Here is the command line I used for the capture:

Code:
tcpdump -i en1 -s0 -I -y IEEE802_11 -e -G 59 -w wireless_noarp_nomgmt_promisc.pcap not ether host "xx:xx:xx:02:7a:11"


Nothing too special...there should be a bazillion or so Arps and other broadcasts since I used promiscuous mode.

Let me know if you need a different capture, or need one with different pcap settings.


Attachments:
File comment: promiscuous wireless packet capture
wireless_noarp_nomgmt_promisc.pcap.gz [1.98 MiB]
Tue Apr 05, 2011 4:48 pm
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Re: Checksum Validation Disabled, but PCAP decoding is off
Hi Jeff,
Xplico does not extract any data because there is nothing in the/this pcap. In your pcap there are 0 TCP packets and only 196 UDP packets.
To verify if there is some problem you have to capture at least a TCP stream with HTTP. Only in this way we can see if there are problems.
With the pcap you've provided there are no problems... because there are no data captured ;).

Ciao.
Gianluca


Wed Apr 06, 2011 6:48 am
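A sanity check along the lines of Gianluca's advice in the two replies above (count what the capture actually contains, in particular whether it holds a TCP stream from SYN to FIN, before suspecting the decoder), written as an added example that is not part of this thread or of Xplico: a pure-Python pcap reader that counts frames, IPv4 TCP/UDP packets and complete TCP streams, for Ethernet captures and for radiotap/802.11 captures like the one posted (skipping protected, i.e. encrypted, data frames, which no decoder can dissect). The sample pcap, the helper names and the 10.0.0.x addresses are constructed for the example; IPv6 is deliberately left out.

```python
import struct
from collections import Counter

DLT_EN10MB, DLT_IEEE802_11_RADIO = 1, 127           # pcap link types handled here
SYN, FIN, ACK = 0x02, 0x01, 0x10                    # TCP flag bits

def ipv4_payload(linktype, frame):
    """Return the IPv4 packet inside a captured frame, or None when none can be there."""
    if linktype == DLT_EN10MB:
        return frame[14:] if frame[12:14] == b"\x08\x00" else None
    if linktype != DLT_IEEE802_11_RADIO:
        return None
    frame = frame[struct.unpack("<H", frame[2:4])[0]:]   # skip radiotap (LE length at offset 2)
    fc, fl = frame[0], frame[1]
    hdr = 24 + (6 if fl & 3 == 3 else 0) + (2 if fc & 0x80 else 0)  # 4th address / QoS control
    if (fc >> 2) & 3 != 2 or fl & 0x40:                   # not a data frame, or protected (encrypted)
        return None
    snap = frame[hdr:hdr + 8]                             # LLC/SNAP: aa aa 03, OUI 0, ethertype
    return frame[hdr + 8:] if snap == b"\xaa\xaa\x03\x00\x00\x00\x08\x00" else None

def summarize(pcap):
    """Count frames, IPv4 TCP/UDP packets and TCP streams seen from SYN through FIN."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # magic bytes give the file byte order
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    counts, streams, off = Counter(), {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        counts["frames"] += 1
        ip = ipv4_payload(linktype, frame)
        if ip is None:
            continue
        proto, l4 = ip[9], ip[(ip[0] & 0x0F) * 4:]
        counts[{6: "tcp", 17: "udp"}.get(proto, "other_ipv4")] += 1
        if proto == 6:   # direction-independent stream key: the two (address, port) endpoints
            seen = streams.setdefault(frozenset((ip[12:16] + l4[:2], ip[16:20] + l4[2:4])), set())
            seen.update(n for n, bit in (("syn", SYN), ("fin", FIN)) if l4[13] & bit)
    counts["tcp_streams_syn_to_fin"] = sum(len(s) == 2 for s in streams.values())
    return counts

def eth_ipv4_tcp(src, dst, sport, dport, flags):   # constructed frame; checksums left zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip

def make_pcap(frames, linktype=DLT_EN10MB):       # constructed little-endian pcap v2.4
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed sample: one SYN..FIN stream, one stray ACK
SAMPLE = make_pcap([eth_ipv4_tcp(A, B, 40000, 80, SYN), eth_ipv4_tcp(B, A, 80, 40000, FIN | ACK),
                    eth_ipv4_tcp(A, B, 40001, 80, ACK)])
```

On a real file, call summarize(open(path, "rb").read()); a capture that reports zero TCP packets or no complete stream cannot demonstrate an HTTP decoding problem, whatever the dashboard shows.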