Revision history [back]

Revision 1 (initial version)

tshark: Look-up and modify all IP fragments during capture from and writing to pipes?

Objective

I am trying to customize tshark to modify bytes of received frames. Thus, I need to access and modify frame bytes. A similar previous question is currently unanswered: dissector access fragment bytes.

Target usage

$ tshark -r input_pipe -w output_pipe -f <filter> #Packets in output have modified bytes

Approach

For multiple protocols, bytes corresponding to specific fields need to be changed. I let the packets go through dissection instead of re-inventing the dissection wheel. Inside the dissector, bytes corresponding to some fields are modified in the tvbuff_t *tvb.

With this approach, packets that are fully present in one frame are altered.

For fragmented packets though, the changes are not reflected in the output for the constituent fragments. Obviously, dissection is changing the reassembled tvb here & not the frame tvb.

Thus, I added logic (to modify the input file itself):

  1. After dissect_packet(),
  2. I iterate over packet_info.dependent_frames,
  3. find each frame_data in cfile.frames,
  4. fetch the bytes from the capture file,
  5. overwrite them with bytes from the reassembled tvb_data (g_slist_last(edt->pi.data_src)->data;),
  6. and write back the file.

This works well when tshark is run with files:

$ tshark -r in_file.pcap  #Works well! Bytes in in_file.pcap are modified

But it does not work when reading from and writing to pipes. Key observations:

  1. cfile.frames or cfile.provider.frames is NULL (tshark.c)
  2. global_capture_session.cf->frames or global_capture_session.cf->provider.frames is NULL (tshark.c)

NOTE: two-pass analysis would have helped, as packets are revisited. But two-pass isn't possible when reading from and writing to pipes! :( It works perfectly fine with input and output files.

Help needed

Could you please help me with:

  1. Where is the packet information (something like frame_data/packet_info) stored during a live capture?
  2. I was not able to figure out whether a temporary file is opened when capturing from pipes and, if so, where it is.
  3. I am guessing that if a complex (capture or display) filter that needs protocol dissection is specified, previously seen fragments are maintained somewhere; where and how are they maintained, and when are they output?
  4. Is there another way worth exploring/trying to achieve modification of bytes across all fragments based on dissection?

Thanks very much in advance!!!

tshark: Look-up and modify all IP fragments during capture from and writing to pipes?

Objective

I am trying to customize tshark to modify bytes of received frames. Thus, I need to access and modify frame bytes. A similar previous question is currently unanswered: dissector access fragment bytes.

Target usage

$ tshark -r input_pipe -w output_pipe -f <filter> #Packets in output have modified bytes

Approach

For multiple protocols, bytes corresponding to specific fields need to be changed. I let the packets go through dissection instead of re-inventing the dissection wheel. Inside the dissector, bytes corresponding to some fields are modified in the tvbuff_t *tvb.

With this approach, packets that are fully present in one frame are altered.

For fragmented packets though, the changes are not reflected in the output for the constituent fragments. Obviously, dissection is changing the reassembled tvb here & not the frame tvb.

Thus, I added logic (to modify the input file itself):

  1. After dissect_packet(),
  2. I iterate over packet_info.dependent_frames,
  3. find each frame_data in cfile.frames,
  4. fetch the bytes from the capture file,
  5. overwrite them with bytes from the reassembled tvb_data (g_slist_last(edt->pi.data_src)->data;),
  6. and write back the file.

This works well when tshark is run with files:

$ tshark -r in_file.pcap  #Works well! Bytes in in_file.pcap are modified

But, while the above works well when input and output are files, the same does not work when reading from and writing to pipes. Key observations:

  1. cfile.frames or cfile.provider.frames is NULL (tshark.c)
  2. global_capture_session.cf->frames or global_capture_session.cf->provider.frames is NULL (tshark.c)

NOTE: two-pass analysis would have helped, as packets are revisited. But two-pass isn't possible when reading from and writing to pipes! :( It works perfectly fine with input and output files.

Help needed

Could you please help me with:

  1. Where is the packet information (some data structure for frame_data/packet_info) stored during a pipe/live capture?
  2. Is a temporary file opened for capturing from pipes and, if so, where?
  3. I am guessing that if a complex (capture or display) filter that needs protocol dissection is specified, previously seen fragments are maintained somewhere; where and how are they maintained, and when are they output?
  4. Is there another way worth exploring/trying to achieve modification of bytes across all fragments based on dissection?

Partial answers/clarification of any of the aspects/hints are most welcome! Thanks very much in advance!!!
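The core of step 5 in the approach above is mapping bytes of the reassembled datagram back onto the individual IP fragments that carried them. The following is an added, self-contained illustration of that mapping (not the poster's tshark patch and not Wireshark API code; the ip_fragment_t struct and function names are hypothetical): each fragment's IP fragment-offset field, in 8-byte units, locates its payload inside the reassembled buffer, so a byte changed in the reassembled copy can be written back into exactly the frame that carried it, and a fragment that no longer fits the buffer is refused rather than corrupted.

```c
/* Added example (not the poster's tshark code): given the IP fragments
 * that were reassembled into one datagram, copy the (modified) bytes of
 * the reassembled payload back into each fragment's own payload bytes,
 * using each fragment's IP fragment offset. Hypothetical struct names. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One captured fragment: its IP fragment-offset field (8-byte units, as on
 * the wire) and a pointer to / length of its payload inside the frame. */
typedef struct {
    uint16_t frag_offset_units; /* value of the IP "fragment offset" field */
    uint8_t *payload;           /* points into the frame's own bytes */
    size_t   payload_len;
} ip_fragment_t;

/* Overwrite every fragment's payload with the corresponding slice of the
 * reassembled buffer. Returns the number of bytes written back, or -1 if a
 * fragment lies (partly) outside the reassembled buffer. */
long write_back_fragments(const uint8_t *reassembled, size_t reassembled_len,
                          ip_fragment_t *frags, size_t nfrags)
{
    long written = 0;
    for (size_t i = 0; i < nfrags; i++) {
        size_t off = (size_t)frags[i].frag_offset_units * 8;  /* bytes */
        if (off > reassembled_len || frags[i].payload_len > reassembled_len - off)
            return -1;  /* mismatched fragment: refuse rather than corrupt */
        memcpy(frags[i].payload, reassembled + off, frags[i].payload_len);
        written += (long)frags[i].payload_len;
    }
    return written;
}

/* Constructed demo: a 24-byte datagram split into 16 + 8 bytes; the
 * reassembled copy is altered at offset 20, which lives in fragment 2. */
int demo_second_fragment_byte(void)
{
    uint8_t frame1[16], frame2[8], reassembled[24];
    for (int i = 0; i < 24; i++) reassembled[i] = (uint8_t)i;
    memcpy(frame1, reassembled, 16);
    memcpy(frame2, reassembled + 16, 8);
    ip_fragment_t frags[2] = {
        { 0, frame1, sizeof frame1 },  /* offset 0        */
        { 2, frame2, sizeof frame2 },  /* offset 2*8 = 16 */
    };
    reassembled[20] = 0xAA;            /* "dissector" modified one byte */
    if (write_back_fragments(reassembled, sizeof reassembled, frags, 2) != 24)
        return -1;
    return frame2[4];                  /* byte 20 of the datagram */
}
```

In a real tshark pass the reassembled bytes would come from the tvb in data_src and each fragment's payload pointer from that dependent frame's own bytes; overlapping or retransmitted fragments would need a policy beyond this straight copy.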