Reputation: 22893
I'm trying to match data packets with the ICMP time-exceeded packets they triggered. Therefore, I'm comparing 28-byte-long strings of each data packet (IP header + 8B of payload) with all (28-byte-long) ICMP payloads.
I'm having problems when I'm sending duplicate TCP packets:
>>> p1
<IP version=4L ihl=5L tos=0x0 len=60 id=0 flags=DF frag=0L ttl=1 proto=tcp chksum=0x7093 src=XXX dst=YYY options=[] |<TCP sport=10743 dport=37901 seq=2939035442L ack=2703569003L dataofs=10L reserved=0L flags=SA window=14480 chksum=0x9529 urgptr=0 options=[('MSS', 1460), ('SAckOK', ''), ('Timestamp', (215365485, 52950)), ('NOP', None), ('WScale', 4)] |>>
>>> p2
<IP version=4L ihl=5L tos=0x0 len=60 id=0 flags=DF frag=0L ttl=1 proto=tcp chksum=0x7093 src=XXX dst=YYY options=[] |<TCP sport=10743 dport=37901 seq=2939035442L ack=2703569003L dataofs=10L reserved=0L flags=SA window=14480 chksum=0x9426 urgptr=0 options=[('MSS', 1460), ('SAckOK', ''), ('Timestamp', (215365744, 52950)), ('NOP', None), ('WScale', 4)] |>>
...whose first 28 bytes are the same but which differ in the rest of the TCP header:
'E\x00\x00<\x00\x00@\x00\x01\x06p\x93\x8a`t\x86\xb2.X\x14)\xf7\x94\r\xaf.\x1f2'
'E\x00\x00<\x00\x00@\x00\x01\x06p\x93\x8a`t\x86\xb2.X\x14)\xf7\x94\r\xaf.\x1f2'
The ICMP packets I got thus have the same payload:
>>> i1[ICMP]
<ICMP type=time-exceeded code=ttl-zero-during-transit chksum=0x689a unused=0 |<IPerror version=4L ihl=5L tos=0x0 len=60 id=0 flags=DF frag=0L ttl=1 proto=tcp chksum=0x7093 src=XXX dst=YYY options=[] |<TCPerror sport=10743 dport=37901 seq=2939035442L |>>>
>>> i2[ICMP]
<ICMP type=time-exceeded code=ttl-zero-during-transit chksum=0x689a unused=0 |<IPerror version=4L ihl=5L tos=0x0 len=60 id=0 flags=DF frag=0L ttl=1 proto=tcp chksum=0x7093 src=XXX dst=YYY options=[] |<TCPerror sport=10743 dport=37901 seq=2939035442L |>>>
Corresponding strings are:
'E\x00\x00<\x00\x00@\x00\x01\x06p\x93\x8a`t\x86\xb2.X\x14)\xf7\x94\r\xaf.\x1f2'
'E\x00\x00<\x00\x00@\x00\x01\x06p\x93\x8a`t\x86\xb2.X\x14)\xf7\x94\r\xaf.\x1f2'
Right now, in this particular case, I'm claiming that a1 matches i1 because, between i1 and i2, it is i1 that arrived soon after the sending of a1, whereas i2 arrived much later.
Is this enough? What else am I missing?
Upvotes: 0
Views: 626
Reputation: 19325
The header size of a TCP packet is not always 20 bytes. If there are options set, the header could be larger. You can use the Internet Header Length field to find the header size and add the amount of payload you want to that number.
Scapy: how do I get the full IP packet header?
Upvotes: 1
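As an added example (not code from the question or the answer), here is a pure-Python matcher that takes the key length from the IHL field as the answer suggests, builds constructed probes with the TCP values from the question (addresses, IP checksums and the router address are constructed placeholders), and reports when an ICMP quote matches more than one probe, which is exactly what happens to p1 and p2 when a router quotes only the RFC 792 minimum of IP header plus 8 bytes:

```python
import struct

# Constructed sample addresses (documentation ranges), not the ones in the question.
SRC, DST, ROUTER = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]), bytes([203, 0, 113, 1])

def ihl_bytes(pkt):
    """IP header length in bytes, taken from the IHL nibble rather than assumed to be 20."""
    return (pkt[0] & 0x0F) * 4

def build_probe(ip_id, tcp_csum, tstamp):
    """Constructed 60-byte TCP SYN/ACK probe with TTL 1, fields as in the question's p1/p2.
    The IP checksum is left zero (placeholder); it plays no part in the matching."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, ip_id, 0x4000, 1, 6, 0, SRC, DST)
    tcp = struct.pack("!HHIIBBHHH", 10743, 37901, 2939035442, 2703569003,
                      10 << 4, 0x12, 14480, tcp_csum, 0)
    opts = (struct.pack("!BBH", 2, 4, 1460) + b"\x04\x02"          # MSS, SAckOK
            + struct.pack("!BBII", 8, 10, tstamp, 52950)            # Timestamp
            + b"\x01" + struct.pack("!BBB", 3, 3, 4))               # NOP, WScale
    return ip + tcp + opts

def build_time_exceeded(quoted):
    """Constructed ICMP type 11 code 0 from ROUTER back to SRC, quoting `quoted` bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(quoted), 0x1234, 0, 64, 1, 0, ROUTER, SRC)
    return ip + struct.pack("!BBHI", 11, 0, 0, 0) + quoted

def icmp_quoted(icmp_pkt):
    """Original datagram bytes quoted by a time-exceeded message, or None for other ICMP types."""
    icmp = icmp_pkt[ihl_bytes(icmp_pkt):]
    return bytes(icmp[8:]) if icmp[0] == 11 else None

def match_probes(probes, icmp_errors):
    """For each ICMP error, list the probes whose leading bytes equal the quoted bytes.
    Compares as many bytes as the router quoted (at least IP header + 8, per RFC 792);
    more than one index means the quote does not distinguish the probes."""
    result = {}
    for j, err in enumerate(icmp_errors):
        quoted = icmp_quoted(err)
        if not quoted or len(quoted) < ihl_bytes(quoted) + 8:
            continue  # not a time-exceeded message we can attribute
        result[j] = [i for i, p in enumerate(probes) if bytes(p[:len(quoted)]) == quoted]
    return result

if __name__ == "__main__":
    p1 = build_probe(0, 0x9529, 215365485)
    p2 = build_probe(0, 0x9426, 215365744)
    short = [build_time_exceeded(p[:28]) for p in (p1, p2)]   # minimum quote, as in the question
    print(match_probes([p1, p2], short))                       # {0: [0, 1], 1: [0, 1]}
    full = [build_time_exceeded(p) for p in (p1, p2)]          # router quotes the whole datagram
    print(match_probes([p1, p2], full))                        # {0: [0], 1: [1]}
```

An ambiguous result is the signal to fall back to the arrival-time heuristic from the question. Exact byte comparison also fails when a NAT or router rewrites fields in the quoted header, so in that situation compare only the fields that survive the rewrite.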