Xavier Bourvellec

Reputation: 148

scapy: UDP defragmentation timestamp problem

I use the following script (python + scapy) to create a defragmented version of a pcap file that contains fragmented UDP packets.

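from scapy.all import rdpcap, wrpcap, defragment

# Read pcap file ("in" is a reserved word in Python, so use another name)
pkts = rdpcap("in.pcap")
# Defragment ...
out = defragment(pkts)
# Write defragmented pcap file
wrpcap("out.pcap", out)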

My problem is that the pcap timestamps of defragmented packets are set to the date of the defragmentation, and not to the date of the capture. Non-fragmented packets still have their original capture timestamps.

I had a look at inet.py, defragment() and defrag(), but I'm not very fluent in scapy. I'd like help to make sense of it and hack it to keep the date of, say, the last fragment, and put it in the defragmented packet...

Could anybody help me on this, any hint?
Like, where can I find the capture date in input packets, and where should I put it in the defragmented packet...

Of course, any other solution reaching the same goal is welcome (I admit... I'm in a hurry :( ...)

Upvotes: 3

Views: 1840

Answers (1)

Xavier Bourvellec

Reputation: 148

Here is a patch to inet.py that adds the capture date of the 1st fragment to the defragmented packet.

There are probably cleaner solutions, such as modifying the Packet.copy() method and some others, but hey, it fits the bill ...

*** inet.py     2011-03-29 14:01:19.000000000 +0000
--- inet.py.orig        2011-03-29 07:59:02.000000000 +0000
***************
*** 846,856 ****
          lastp = lst[-1]
          if p.frag > 0 or lastp.flags & 1 != 0: # first or last fragment missing
              missfrag += lst
-             print "missing framgent!"
              continue
!         # Keep 1st fragment capture time (as it is lost in subsequent copies during defragmentation)
!         ptime = p.time
!         p = p.copy() # copy() method do not copy time member (?)
          if Padding in p:
              del(p[Padding].underlayer.payload)
          ip = p[IP]
--- 846,853 ----
          lastp = lst[-1]
          if p.frag > 0 or lastp.flags & 1 != 0: # first or last fragment missing
              missfrag += lst
              continue
!         p = p.copy()
          if Padding in p:
              del(p[Padding].underlayer.payload)
          ip = p[IP]
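Review bot: the `print "missing framgent!"` line in the 846,856 block is a leftover debug statement (with a typo) inside a library function; it writes to stdout for every incomplete datagram, so drop it or turn it into a logging call. The diff was also generated with the modified file first (`*** inet.py` against `--- inet.py.orig`), so the `-` and `!` lines on the first side are the additions; regenerating it as `diff -c inet.py.orig inet.py` would let it apply without `patch -R`. The `(?)` in the copy() comment should be resolved before this goes anywhere: either confirm that copy() drops `time` and say so plainly, or fix copy() itself.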
***************
*** 878,892 ****
              del(ip.len)
              p = p/txt
              p._defrag_pos = max(x._defrag_pos for x in lst)
-             # Put back time in packet
-             p.time= ptime
              defrag.append(p)
      defrag2=[]
      for p in defrag:
          q = p.__class__(str(p))
          q._defrag_pos = p._defrag_pos
-         # Put back time in packet
-         q.time = p.time
          defrag2.append(q)
      final += defrag2
      final += missfrag
--- 875,885 ----
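Review bot: `p.time= ptime` restores the first fragment's capture time, but `lst` is still in scope at that point (the line above uses `max(x._defrag_pos for x in lst)`), so `p.time = max(x.time for x in lst)` would give the capture time of the last fragment, which is what the question asked for, and would make the `ptime` variable from the first hunk unnecessary. The second restore, `q.time = p.time`, is needed because `p.__class__(str(p))` rebuilds the packet from its bytes; say that in the comment rather than repeating "Put back time in packet". The second side of this hunk (`--- 875,885 ----`) has no lines on the page, so its context cannot be checked.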

Upvotes: 2
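
A way to get the same result without patching inet.py, as an added example that is not part of the original answer or of scapy: record the capture times of the fragments before reassembly and copy them onto the reassembled packets afterwards. The names `frag_key`, `is_fragment`, `restore_times`, `defragment_pcap`, `ip_of` and `pick` are made up for this sketch, and it assumes the reassembled packet keeps the source, destination, protocol and IP id of its fragments.

```python
def frag_key(ip):
    """Fields that identify the fragments of one datagram (RFC 791)."""
    return (ip.src, ip.dst, ip.proto, ip.id)

def is_fragment(ip):
    """True if More Fragments is set or the fragment offset is non-zero."""
    return bool(int(ip.flags) & 1) or ip.frag > 0

def restore_times(original, reassembled, ip_of, pick=min):
    """Copy capture times from fragments onto reassembled packets, in place.

    ip_of(pkt) returns the IP layer or None. pick selects among the fragment
    times: min = first fragment captured, max = last one.
    Returns how many packets had their time restored.
    """
    times = {}
    for pkt in original:
        ip = ip_of(pkt)
        if ip is not None and is_fragment(ip):
            times.setdefault(frag_key(ip), []).append(pkt.time)
    fixed = 0
    for pkt in reassembled:
        ip = ip_of(pkt)
        # Leftover fragments (incomplete datagrams) keep their own time.
        # Assumption: the IP id is not reused for another datagram between
        # the same hosts within this capture.
        if ip is None or is_fragment(ip) or frag_key(ip) not in times:
            continue
        pkt.time = pick(times[frag_key(ip)])
        fixed += 1
    return fixed

def defragment_pcap(in_path, out_path, pick=min):
    """Reassemble IP fragments in a pcap while keeping capture timestamps."""
    from scapy.all import IP, defragment, rdpcap, wrpcap  # requires scapy
    pkts = rdpcap(in_path)
    out = defragment(pkts)
    restore_times(pkts, out, lambda p: p.getlayer(IP), pick)
    wrpcap(out_path, out)
    return out
```

Calling `defragment_pcap("in.pcap", "out.pcap", pick=max)` stamps each reassembled datagram with the time of its last captured fragment, which matters when the output feeds a forensic timeline.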
