Matching data packets and ICMP packets in case of TCP duplicates

Problem description
I'm trying to match data packets with the ICMP time-exceeded packets they triggered. Therefore, I'm comparing 28-byte-long strings of each data packet (IP header + 8B of payload) with all (28-byte-long) ICMP payloads.

I'm having problems when I'm sending duplicate TCP packets:

>>> p1
<IP  version=4L ihl=5L tos=0x0 len=60 id=0 flags=DF frag=0L ttl=1 proto=tcp chksum=0x7093 src=XXX dst=YYY options=[] |<TCP  sport=10743 dport=37901 seq=2939035442L ack=2703569003L dataofs=10L reserved=0L flags=SA window=14480 chksum=0x9529 urgptr=0 options=[('MSS', 1460), ('SAckOK', ''), ('Timestamp', (215365485, 52950)), ('NOP', None), ('WScale', 4)] |>>
>>> p2
<IP  version=4L ihl=5L tos=0x0 len=60 id=0 flags=DF frag=0L ttl=1 proto=tcp chksum=0x7093 src=XXX dst=YYY options=[] |<TCP  sport=10743 dport=37901 seq=2939035442L ack=2703569003L dataofs=10L reserved=0L flags=SA window=14480 chksum=0x9426 urgptr=0 options=[('MSS', 1460), ('SAckOK', ''), ('Timestamp', (215365744, 52950)), ('NOP', None), ('WScale', 4)] |>>

...whose first 28 bytes are the same, but differ in the rest of the tcp header:

'E\x00\x00<\x00\x00@\x00\x01\x06p\x93\x8a`t\x86\xb2.X\x14)\xf7\x94\r\xaf.\x1f2'
'E\x00\x00<\x00\x00@\x00\x01\x06p\x93\x8a`t\x86\xb2.X\x14)\xf7\x94\r\xaf.\x1f2'

The ICMP packets I got have thus the same payload:

>>> i1[ICMP]
<ICMP  type=time-exceeded code=ttl-zero-during-transit chksum=0x689a unused=0 |<IPerror  version=4L ihl=5L tos=0x0 len=60 id=0 flags=DF frag=0L ttl=1 proto=tcp chksum=0x7093 src=XXX dst=YYY options=[] |<TCPerror  sport=10743 dport=37901 seq=2939035442L |>>>

>>> i2[ICMP]
<ICMP  type=time-exceeded code=ttl-zero-during-transit chksum=0x689a unused=0 |<IPerror  version=4L ihl=5L tos=0x0 len=60 id=0 flags=DF frag=0L ttl=1 proto=tcp chksum=0x7093 src=XXX dst=YYY options=[] |<TCPerror  sport=10743 dport=37901 seq=2939035442L |>>>

Corresponding strings are:

'E\x00\x00<\x00\x00@\x00\x01\x06p\x93\x8a`t\x86\xb2.X\x14)\xf7\x94\r\xaf.\x1f2'
'E\x00\x00<\x00\x00@\x00\x01\x06p\x93\x8a`t\x86\xb2.X\x14)\xf7\x94\r\xaf.\x1f2'

Right now in this particular case I'm claiming that a1 matches i1 because between i1 and i2, it is i1 that arrived soon after the sending of a1, whereas i2 arrived much later.

Is this enough? What else am I missing?

Solution

The header size of a TCP packet is not always 20 bytes. If there are options set, the header could be larger. You can use the Internet Header Length field to find the header size and add the amount of payload you want to that number.

Scapy: how do I get the full IP packet header?
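The IHL-based key the answer describes, as an added Python example that is not part of the original question or answer: the IPv4/TCP packets and ICMP time-exceeded messages are constructed here with checksums left at zero, and build_ipv4_tcp and time_exceeded are this example's own helpers, not Scapy functions. It also shows why the retransmitted SYN/ACK from the question cannot be told apart by the quoted bytes alone.

```python
import struct

def ipv4_header_len(pkt: bytes) -> int:
    # IHL is the low nibble of byte 0, in 32-bit words (5 = 20 bytes, max 15 = 60 bytes)
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    return (pkt[0] & 0x0F) * 4

def quote_key(pkt: bytes, payload_bytes: int = 8) -> bytes:
    # A time-exceeded message quotes the full IP header plus the first 8 bytes of
    # payload, so the key is IHL*4 + 8 bytes long, which is 28 only when IHL == 5.
    return pkt[: ipv4_header_len(pkt) + payload_bytes]

def icmp_quoted_key(icmp: bytes, payload_bytes: int = 8) -> bytes:
    # The ICMP header (type, code, checksum, unused) is 8 bytes; the quote follows.
    # Going through quote_key also ignores anything a router quoted beyond 8 bytes.
    return quote_key(icmp[8:], payload_bytes)

def match_probes(probes, icmp_msgs):
    # For each ICMP message, the indices of every probe whose key equals the quote.
    # More than one index means the quote cannot tell the probes apart (retransmits
    # with equal ports and seq), so the caller has to fall back on timing.
    keys = [quote_key(p) for p in probes]
    return [[i for i, k in enumerate(keys) if k == icmp_quoted_key(m)] for m in icmp_msgs]

# Constructed sample packets (IPv4 + TCP SYN/ACK with a Timestamp option);
# checksums are left at zero because only the quoted bytes matter here.
def build_ipv4_tcp(ip_options: bytes, sport: int, dport: int, seq: int, ts: int) -> bytes:
    ihl = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x80, 0x12, 14480, 0, 0)
    tcp += struct.pack("!BBBBII", 1, 1, 8, 10, ts, 52950)      # NOP, NOP, Timestamp
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 0,
                     0x4000, 1, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + ip_options + tcp

def time_exceeded(quoted: bytes) -> bytes:
    # ICMP type 11 code 0 (ttl-zero-during-transit), checksum and unused left zero
    return struct.pack("!BBHI", 11, 0, 0, 0) + quoted

P1 = build_ipv4_tcp(b"", 10743, 37901, 2939035442, 215365485)
P2 = build_ipv4_tcp(b"", 10743, 37901, 2939035442, 215365744)  # retransmit: only TSval differs
P3 = build_ipv4_tcp(b"\x01\x01\x01\x01", 10743, 37902, 7, 1)   # four NOP IP options: IHL 6

if __name__ == "__main__":
    quotes = [time_exceeded(P1[:28]), time_exceeded(P3[:32])]
    print(match_probes([P1, P2, P3], quotes))  # [[0, 1], [2]]: the first quote is ambiguous
    print(len(P3[:28]) - 24, "TCP bytes if IHL is ignored vs", len(quote_key(P3)) - 24)
```

A fixed 28-byte slice of P3 would cover only the ports, not the sequence number, so the IHL-aware key is what makes the comparison cover the same bytes the router quoted.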
