How are packets of a specified flow_id recognized?

Joined: Sat Oct 10, 2009 10:04 am
Posts: 38
Post: How are packets of a specified flow_id recognized?
Hello,

When FlowGetPkt(flow_id) is called, it gives next packet from the flow_id.

How are packets of a specified flow_id recognized? How are packets of a specified flow_id distinguished from other packets? For example, flow_id is a key composed of (src_ip, dest_ip, src_port, dest_port), and when a packet has these four features equal, it is assigned to the related flow_id. Is that right? If yes, consequently there should exist one unique flow_id for each unique (src_ip, dest_ip, src_ip, dest_ip)?


Mon Aug 16, 2010 8:37 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post: Re: How are packets of a specified flow_id recognized?
Quote:
When FlowGetPkt(flow_id) is called, it gives next packet from the flow_id.

You cannot use FlowGetPkt inside the hdep.ProtCheck (proto_heury_dep) and dep.ProtCheck (proto_dep) functions; you must use FlowGetPktCp(flow_id) instead.

Quote:
How are packets of a specified flow_id recognized?

For TCP and UDP the flow (and so the flow_id) is defined by source IP, destination IP, source port and destination port.

Quote:
For example, flow_id is a key composed of (src_ip, dest_ip, src_port, dest_port), and when a packet has these four features equal, it is assigned to the related flow_id. Is that right?

Yes

Quote:
If yes, consequently there should exist one unique flow_id for each unique (src_ip, dest_ip, src_ip, dest_ip)?

Yes, this is true.


Mon Aug 16, 2010 8:57 am

Joined: Sat Oct 10, 2009 10:04 am
Posts: 38
Post: Re: How are packets of a specified flow_id recognized?
I wrote a dissector module that doesn't use ProtDep, only ProtHeuDep. Also MSNCkeck (the same as hdep.ProtCheck) always returns TRUE.

In the ProtoDissector(flow_id) function, pkt is got recursively using FlowGetPkt(flow_id) and printf(pkt->data) is called.

The problem is this:
Only packets that come from outside have their data printed; if I send a packet, its data isn't printed.
Is it related to the Xplico core? Could it be related to the checksum (because in the log file I saw the message "[tcp]{c}-WARNING: TCP packet chechsum error 0x229f")?


Sun Aug 22, 2010 10:04 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post: Re: How are packets of a specified flow_id recognized?
Quote:
Only packets that come from outside have their data printed; if I send a packet, its data isn't printed.
Is it related to the Xplico core?

No, it is related to the TCP, IP, ethernet, ... dissectors.

Quote:
Could it be related to the checksum (because in the log file I saw the message "[tcp]{c}-WARNING: TCP packet chechsum error 0x229f")?

Yes, the packet has a checksum error, so it is thrown away.
Try with checksum verification disabled.


Tue Aug 24, 2010 8:44 am
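To make concrete both the 4-tuple flow key described in the first reply and the checksum drop that explains the missing outbound packets, here is an added example (not Xplico's own code): it keys constructed IPv4/TCP packets on (src_ip, dst_ip, src_port, dst_port) and dispatches them with and without TCP checksum verification, mirroring what dis_tcp.so versus dis_tcp_nocheck.so does with a bad segment. The function names, the sample packets and the 10.0.0.x addresses are all constructed for this demo; the IP header checksum is left at zero and not verified.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: one's complement of the 16-bit one's complement sum of data."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_segment(ip_pkt: bytes) -> bytes:
    return ip_pkt[(ip_pkt[0] & 0x0F) * 4:]          # skip the IPv4 header (IHL)

def tcp_checksum_ok(ip_pkt: bytes) -> bool:
    """Checksum over the IPv4 pseudo-header (src, dst, 0, proto 6, length) + segment."""
    seg = tcp_segment(ip_pkt)
    pseudo = ip_pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return ones_complement_sum(pseudo + seg) == 0

def flow_key(ip_pkt: bytes) -> tuple:
    """The flow_id key the thread describes: (src_ip, dst_ip, src_port, dst_port)."""
    src = ".".join(map(str, ip_pkt[12:16]))
    dst = ".".join(map(str, ip_pkt[16:20]))
    return (src, dst) + struct.unpack("!HH", tcp_segment(ip_pkt)[:4])

def build_ipv4_tcp(src, dst, sport, dport, payload, corrupt=False):
    src_b, dst_b = (bytes(map(int, a.split("."))) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload
    csum = ones_complement_sum(src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
    if corrupt:                       # as captured before NIC checksum offload fills it in
        csum ^= 0x5555
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src_b, dst_b) + tcp

def dispatch(packets, verify_checksum=True):
    """verify_checksum=True models dis_tcp.so, False dis_tcp_nocheck.so; returns (flows, dropped)."""
    flows, dropped = {}, 0
    for pkt in packets:
        if verify_checksum and not tcp_checksum_ok(pkt):
            dropped += 1              # the "TCP packet checksum error" case: segment discarded
            continue
        seg = tcp_segment(pkt)
        flows.setdefault(flow_key(pkt), []).append(seg[(seg[12] >> 4) * 4:])  # pkt->data
    return flows, dropped

# Constructed sample: two inbound segments with valid checksums and one outbound with a bad one.
PACKETS = [
    build_ipv4_tcp("10.0.0.2", "10.0.0.1", 80, 40000, b"HTTP/1.0 200 OK\r\n"),
    build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, b"GET / HTTP/1.0\r\n", corrupt=True),
    build_ipv4_tcp("10.0.0.2", "10.0.0.1", 80, 40000, b"<html>"),
]
```

With verification on, the outbound segment is dropped and only the inbound flow receives data, which is exactly the symptom reported above; with verification off, both directions are delivered to their flows.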

Joined: Sat Oct 10, 2009 10:04 am
Posts: 38
Post: Re: How are packets of a specified flow_id recognized?
OK, thank you.
The problem was related to the TCP checksum error; it was solved by using dis_tcp_nocheck.so instead of dis_tcp.so.


Tue Aug 24, 2010 9:46 am