gamelinux / cxtracker

Connection Tracker is a passive network connection tracker for profiling, history, auditing and network discovery.

Home Page: http://www.gamelinux.org/

cxt2pcap.pl bug for ICMP & UDP packets

wmesser opened this issue

Searching with cxt2pcap.pl results in not finding the stream if you are looking for UDP or ICMP data.

The below is how I got it to work on my system.

--- cxt2pcap.pl 2012-12-02 19:38:00.000000000 -0500
+++ cxt2pcap-modified.pl    2013-01-11 11:10:08.200237419 -0500
@@ -132,10 +132,13 @@
   if ($tproto == 6 && ($PROTO == 6 || $PROTO == "any")) {
      $BUFFER .= "$pktHdr$PKTBUFFER" if processTCPPkt($PKTBUFFER);
   } elsif ($tproto == 17 && ($PROTO == 17 || $PROTO == "any")) {
-     $BUFFER .= $pktHdr . $PKTBUFFER if processUDPPkt($PKTBUFFER);
+     $BUFFER .= "$pktHdr$PKTBUFFER" if processUDPPkt($PKTBUFFER);
   } elsif ($tproto == 1 && ($PROTO == 1 || $PROTO == "any")) {
-     $BUFFER .= $pktHdr . $PKTBUFFER if processICMPPkt($PKTBUFFER);
+     $BUFFER .= "$pktHdr$PKTBUFFER" if processICMPPkt($PKTBUFFER);
   }
+# $pktHdr . $PKTBUFFER changed to "$pktHDR$PKTBUFFER in the UDP and ICMP cases
+# for consistency
+
   if (tell RFILE > $BE) {
      print "[*] Last byte position in READ reached ($BE)\n" if ($VERBOSE||$DEBUG);
      last;
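Review bot: replacing `$pktHdr . $PKTBUFFER` with `"$pktHdr$PKTBUFFER"` in the UDP and ICMP branches yields an identical byte string in Perl, so this hunk changes no behaviour and is not what fixes the reported UDP/ICMP search failure; consider dropping it, or if it is kept for consistency, fix the added comment, which names `$pktHDR` (wrong case, and an unclosed quote) instead of `$pktHdr`, and move it beside the lines it describes rather than after the closing brace of the if/elsif chain.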
@@ -202,6 +205,19 @@
    my $srcport  = substr($pktBuf, 34,2);
    my $dstport  = substr($pktBuf, 36,2);

+# below modified from processTCPPkt() above to ensure correct
+# handling of UDP packets.
+
+   my $binstr = "$srcip$srcport$dstip$dstport";
+   printSession ($binstr) if ($DEBUG || $VERBOSE);
+   my @B = unpack("C*", $binstr);
+   $srcip = "$B[0].$B[1].$B[2].$B[3]";
+   $dstip = "$B[6].$B[7].$B[8].$B[9]";
+   $srcport = $B[4]*256+$B[5];
+   $dstport = $B[10]*256+$B[11];
+
+# end parts taken from processTCPPkt()
+
    if (( $srcip eq $SRC_IP && $dstip eq $DST_IP ) || ( $srcip eq $DST_IP && $dstip eq $SRC_IP )) {
       if (( $srcport eq $SRC_PORT && $dstport eq $DST_PORT ) || ( $srcport eq $DST_PORT && $dstport eq $SRC_PORT )) {
          print "[D] Got matching UDP packet\n" if $VERBOSE;
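Review bot: this decoding block is the actual fix, since `$srcip`, `$srcport`, `$dstip` and `$dstport` were raw 4- and 2-byte substrings being compared with `eq` against the dotted-decimal and numeric `$SRC_IP`/`$SRC_PORT` values and so could never match; because the block is copied from processTCPPkt(), factor the unpack-and-format step into one helper shared by the TCP and UDP paths rather than carrying duplicate copies that can drift. Two smaller points: the `substr($pktBuf, 34,2)` and `substr($pktBuf, 36,2)` port offsets assume a 14-byte Ethernet header and a 20-byte IPv4 header with no options, which deserves a comment or a check against the IHL field, and the port comparisons in the following `if` now compare integers, so `==` reads more honestly than `eq`.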
@@ -217,6 +233,15 @@
    my $srcip    = substr($pktBuf, 26,4);
    my $dstip    = substr($pktBuf, 30,4);

+# below modified from processTCPPkt() above to ensure correct
+# handling of ICMP packets.
+
+   my $binstr = "$srcip$dstip";
+   printSession ($binstr) if ($DEBUG || $VERBOSE);
+   my @B = unpack("C*", $binstr);
+   $srcip = "$B[0].$B[1].$B[2].$B[3]";
+   $dstip = "$B[4].$B[5].$B[6].$B[7]";
+
    if (( $srcip eq $SRC_IP && $dstip eq $DST_IP ) || ( $srcip eq $DST_IP && $dstip eq $SRC_IP )) {
       return 1;
    }
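Review bot: with only `$srcip` and `$dstip` decoded, the `if` at the end of this hunk returns 1 for every ICMP packet exchanged between the two addresses regardless of ICMP type, code or identifier, so extracting an ICMP "session" pulls in every echo, unreachable or time-exceeded message between those hosts rather than a single flow; if that is the intended behaviour, say so in the added comment, otherwise narrow the match on the ICMP header fields. This is also a third copy of the unpack/format code from processTCPPkt() and the UDP change, which argues again for a shared helper.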

I did something similar, just did not push it yesterday (I was on a plane for 10 hours)... Thanks for the contribution and making it an issue. The script was just a proof of concept, and far from finished. The best would be to use libpcap and some more C-code to write something. Will look into the perl code better later today. Thanks again.
E

wmesser: Can you test commit bd0f4a7 and verify that it works as expected?

If you have any other thoughts to pdns2pcap.pl please shoot :) It seems you are able to fiddle with the code yourself, so patches are welcome!

E

I tested commit 485fcc9 and it appears to work as expected. Thanks!

485fcc9 closes this issue then. Again, this is probably better done with an app written in C, but the perl code does the trick at the moment. Thanks for reporting and testing wmesser!

Probably, but performance for this is likely to largely be disk-based, so it shouldn't make too much difference. I'm working on using cxtracker's indexing capabilities to speed up OpenFPC. So far it looks like it requires some modifications on both sides to get what I'm looking for out of both components. I'll have to modify this script again to get IPv6 to work anyway, so I may wind up converting it to C then if you don't beat me to it.

Nice. I have too many projects on my drawing board to believe that I will beat you to it :) If you make it, I will have to owe you a beer or two!