fragmented cflow packets

asked 2020-10-19 17:09:19 +0000

updated 2020-10-20 08:01:27 +0000

grahamb

I have a packet capture which has fragmented cflow packets; I am not able to reassemble them using tshark. I am trying to use -o tcp.desegment_tcp_streams:TRUE, but still I can't reassemble it.

Below is the example:

16        773  173.150.1.1 -> 172.148.1.50 TCP 570 50687 > personal-agent [ACK] Seq=257 Ack=1 Win=8192 Len=500 TSval=22838 TSecr=398428810
18        773  173.150.1.1 -> 172.148.1.50 TCP 570 50687 > personal-agent [ACK] Seq=757 Ack=1 Win=8192 Len=500 TSval=22838 TSecr=399197440
20        773  173.150.1.1 -> 172.148.1.50 TCP 520 50687 > personal-agent [PSH, ACK] Seq=1257 Ack=1 Win=8192 Len=450 TSval=22838 TSecr=399197440

I want to re-assemble this and then analyse it as a cflow packet and get the field values.

Could you please help me?


Comments

Do you have access to the Wireshark Gui to test?
Edit -> Preferences... -> Protocols -> CFLOW

Looks like personal-agent in your question is TCP port 5555.
Have you added this to the list of Cflow TCP ports?

Chuckc ( 2020-10-19 17:38:50 +0000 )

Hi, thanks for your comment. I don't have GUI access in my code, but yeah, I am able to decode when the port number is 5555; I use the command below:

tshark -d tcp.port==5555,cflow ---> this decodes the packet as cflow.

My only issue here is that I am not able to reassemble the above three packets into one, so that I could get one cflow packet and analyze it for the field values.

meetsuraj ( 2020-10-20 02:49:50 +0000 )

Have you checked the other settings for cflow? (change findstr to grep on *nix)

C:\Program Files\Wireshark>tshark -G defaultprefs | findstr /I cflow
#cflow.netflow.ports: 2055,9996
#cflow.ipfix.ports: 4739
#cflow.max_template_fields: 60
#cflow.desegment: TRUE

C:\Program Files\Wireshark>tshark -G currentprefs | findstr /I cflow
#cflow.netflow.ports: 2055,9996
#cflow.ipfix.ports: 4739
#cflow.max_template_fields: 60
#cflow.desegment: TRUE

Chuckc ( 2020-10-20 12:06:29 +0000 )

Exactly, this is what I was looking for. Thanks for the suggestion.

tshark -o cflow.desegment:TRUE

This is working. But it looks like CentOS 7 comes with Wireshark version 1.10, which is the latest stable version, and in that version it's not supported.

[suraj@host149-suraj robot]$ tshark -G defaultprefs | grep cflow
#cflow.netflow.ports: 2055,9996
#cflow.ipfix.ports: 4739
#cflow.max_template_fields: 60

Let's see if I can install a later version on CentOS 7. Thanks again.

meetsuraj ( 2020-10-21 02:53:50 +0000 )
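The thread's resolution, pulled together as an added example (not code from any participant): check whether the installed tshark exposes the cflow.desegment preference, then build the command that decodes the exporter's TCP port as cflow and reassembles the segments. The port 5555 and the capture path are assumptions; the preference listings are constructed to mirror the outputs quoted above, and cflow.version and cflow.count are field names from Wireshark's cflow dissector.

```sh
#!/bin/sh
# Added example: choose tshark options for reassembling cflow (NetFlow)
# records exported over TCP. Exporter port and capture path are assumptions.

# Constructed: `tshark -G defaultprefs | grep cflow` from a build that
# has the cflow.desegment preference (the Wireshark 3.x listing above).
PREFS_3X='#cflow.netflow.ports: 2055,9996
#cflow.ipfix.ports: 4739
#cflow.max_template_fields: 60
#cflow.desegment: TRUE'

# Constructed: the same listing from the CentOS 7 Wireshark 1.10 build,
# which has no cflow.desegment preference at all.
PREFS_110='#cflow.netflow.ports: 2055,9996
#cflow.ipfix.ports: 4739
#cflow.max_template_fields: 60'

# Return 0 if the preference listing ($1) contains cflow.desegment.
# tshark -G prints every pref commented out with '#', so allow a leading '#'.
cflow_desegment_supported() {
  printf '%s\n' "$1" | grep -q '^#*cflow\.desegment:'
}

# Print the tshark command for capture $1 and exporter TCP port $2, given
# the preference listing $3. -d forces that port to be dissected as cflow.
# tcp.desegment_tcp_streams lets a dissector ask TCP for more data; the
# cflow dissector only does so when cflow.desegment is on, which is why
# the three 500/450-byte segments stayed separate without it.
build_cflow_cmd() {
  cmd="tshark -r '$1' -d tcp.port==$2,cflow -o tcp.desegment_tcp_streams:TRUE"
  if cflow_desegment_supported "$3"; then
    cmd="$cmd -o cflow.desegment:TRUE"
  fi
  # cflow.version / cflow.count: header fields of the reassembled cflow PDU.
  printf '%s\n' "$cmd -Y cflow -T fields -e frame.number -e cflow.version -e cflow.count"
}

# Use the live listing when tshark is installed, otherwise the constructed one.
if command -v tshark >/dev/null 2>&1; then
  PREFS_LIVE=$(tshark -G defaultprefs 2>/dev/null | grep cflow)
else
  PREFS_LIVE=$PREFS_3X
fi
build_cflow_cmd capture.pcap 5555 "$PREFS_LIVE"
```

On a 1.10 build the function deliberately omits -o cflow.desegment:TRUE, since tshark rejects unknown preference names; the printed command is then a reminder that the reassembly itself needs a newer Wireshark.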