Not getting the RawPDU to fire


Ralph Das

Mar 17, 2013, 2:41:07 PM
to lib...@googlegroups.com
Hey Matias,
I'm trying to get the rawPDU of a TCP packet and then convert it into ASCII for some further analysis. The only trouble I have is that the rawPDU packet is never found, while I understand that there should always be a raw part by default.

const RawPDU *raw = some_pdu.find_pdu<RawPDU>();
if (raw) {
    // size() is unsigned, so print it with %u
    printf("Found!! payload size = %u \n", raw->size());
}

I will try now to see if I can simply get the tcp packet and navigate one lower. 

Cheers Ralph 

Bruno Nery

Mar 17, 2013, 2:44:30 PM
to Ralph Das, lib...@googlegroups.com
Hello Ralph,

AFAIU not all packets have a RawPDU. Take, for example, a TCP SYN packet (which only has the IP and TCP layers, and no payload). That packet would not have a RawPDU. Try to isolate a TCP packet with a payload on Wireshark, and then try it against your code on libtins.

cheers,

--
Bruno Nery



Ralph Das

Mar 17, 2013, 3:01:30 PM
to lib...@googlegroups.com, Ralph Das
Hey Bruno,
Thanks for your feedback. I'm pretty sure that some of the packets that I'm processing contain payloads. I'm now testing it out by doing GET requests in monitor mode in a sniffer loop. I only fire the function when traffic from or to port 80 is detected. Some of these packets should show RawPDUs, right?

I can indeed transform my code a bit and let it run on pcap files (handier for development anyway).

If something comes to mind please let me know.

Thanks Ralph

Matias Fontanini

Mar 17, 2013, 3:13:18 PM
to lib...@googlegroups.com
Hi Ralph,

as Bruno mentioned, not every packet will contain a RawPDU. If you are
convinced that your packets *do* contain a RawPDU layer, then I'd be
very glad to help you, just attach a pcap file that reproduces the problem.

Cheers.


Ralph Das

Mar 17, 2013, 3:38:04 PM
to lib...@googlegroups.com
Hey guys,
Here are some simple requests over my monitor that did not trigger the program on the MIPS router to display any rawPDU layer. There are DNS requests, GET requests, etc. I just never get the confirmation that a rawPDU is found.

Greets Ralph
capture.pcap

Matias Fontanini

Mar 17, 2013, 4:01:55 PM
to lib...@googlegroups.com
Thanks for the pcap file. I've tested it and it seems like it's working
for me using a 32-bit MIPS compiler.

I used the following snippet:

#include <iostream>
#include <tins/tins.h>

using namespace Tins;

size_t raws = 0, total = 0;

bool handler(const PDU& pdu) {
    total++;
    if (pdu.find_pdu<RawPDU>())
        raws++;
    return true;
}

int main() {
    FileSniffer sniffer("capture.pcap");
    sniffer.sniff_loop(handler);
    std::cout << "Got: " << raws << '/' << total << std::endl;
}


And got the following output:

Got: 228/1376

That means that there are 228 packets that contain a RawPDU payload.
Using the following filter on Wireshark (wlan type 0x20 is Dot11Data):

wlan.fc.type_subtype == 0x20 && not malformed && (udp || tcp.len > 0)

227 packets were displayed, so apparently it's working fine.

Could you try that snippet and check out the output?

Cheers.
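
The "payload or no payload" condition discussed above (a SYN carries none; the Wireshark filter keeps `tcp.len > 0`), together with the ASCII conversion Ralph asked about, as an added example that is not part of the original thread and does not use libtins. It assumes plain Ethernet II/IPv4 framing rather than the 802.11 frames in the capture; `tcp_payload` and `make_frame` are hypothetical names and the sample frames are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

struct TcpPayload {
    bool ok;            // false: not Ethernet II/IPv4/TCP, or truncated
    std::string ascii;  // payload, non-printable bytes shown as '.'
};

TcpPayload tcp_payload(const std::vector<uint8_t>& f) {
    TcpPayload out{false, ""};
    const size_t eth = 14;  // Ethernet II header, no VLAN tag assumed
    if (f.size() < eth + 20 || f[12] != 0x08 || f[13] != 0x00) return out;
    size_t ihl = (f[eth] & 0x0F) * 4u;                      // IPv4 header length
    size_t total = (size_t(f[eth + 2]) << 8) | f[eth + 3];  // IPv4 total length
    if ((f[eth] >> 4) != 4 || ihl < 20 || f[eth + 9] != 6) return out;
    if (total < ihl + 20 || f.size() < eth + total) return out;
    size_t tcp = eth + ihl;
    size_t doff = (f[tcp + 12] >> 4) * 4u;                  // TCP header length
    if (doff < 20 || ihl + doff > total) return out;
    out.ok = true;
    // Bound by the IP total length: Ethernet padding is not payload.
    for (size_t i = tcp + doff; i < eth + total; ++i)
        out.ascii += (f[i] >= 0x20 && f[i] < 0x7F) ? char(f[i]) : '.';
    return out;
}

// Constructed sample frame (addresses, ports and checksums left zero).
std::vector<uint8_t> make_frame(uint8_t flags, const std::string& data) {
    std::vector<uint8_t> f(54, 0);
    size_t total = 40 + data.size();
    f[12] = 0x08;                          // EtherType 0x0800 (IPv4)
    f[14] = 0x45;                          // version 4, IHL 5
    f[16] = uint8_t(total >> 8);
    f[17] = uint8_t(total & 0xFF);
    f[23] = 6;                             // protocol TCP
    f[46] = 0x50;                          // TCP data offset 5
    f[47] = flags;
    f.insert(f.end(), data.begin(), data.end());
    while (f.size() < 60) f.push_back(0);  // Ethernet minimum-size padding
    return f;
}

int main() {
    std::cout << '[' << tcp_payload(make_frame(0x02, "")).ascii << "]\n";
    std::cout << '[' << tcp_payload(make_frame(0x18, "GET / HTTP/1.1\r\n")).ascii << "]\n";
}
```

The SYN frame is padded to 60 bytes on the wire, yet its payload is empty because the length comes from the IP header, not from the frame size.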

Ralph Das

Mar 18, 2013, 7:27:32 AM
to lib...@googlegroups.com
Hey Matias,
Correct, I was wrong. I had a typo. Great to have had a second opinion.

Cheers Ralph

Manan Bhatt

Mar 19, 2013, 2:15:57 PM
to lib...@googlegroups.com
Hello everyone, sorry to disturb the thread, I have just come across this. I am working on DCTCP and making a switch for that. I need to modify the QoS at the IP layer. I have installed libtins and am trying to run a simple program, but it reports an undefined reference. So I guess I am missing a library in the link step (-lpcap in the case of libpcap). I am running $ g++ test.cpp. Please tell me how I should run my program.

Matias Fontanini

Mar 19, 2013, 2:22:32 PM
to lib...@googlegroups.com
Hi Manan,

don't forget to link the program against libtins:

g++ test.cpp -ltins

Hope it helps!

Manan Bhatt

Mar 19, 2013, 2:40:39 PM
to lib...@googlegroups.com
Voila, it's working. Thanks.

Manan Bhatt

Mar 20, 2013, 12:55:33 AM
to lib...@googlegroups.com
Hi Matias,
Yesterday I tried to get an overview of libtins. My objective is to sniff a packet, copy it, modify the TOS (CE and ECN bit) at the IP layer and forward that packet to another interface. Is it possible to do this with libtins? And if so, what is the syntax to change the TOS at IP?



Matias Fontanini

Mar 20, 2013, 7:36:52 AM
to lib...@googlegroups.com
Once you've found the IP layer, you just modify the TOS using the
appropriate setter:

IP *ip = ....;
ip->tos(42);

Then sending the packet through other interface is trivial as well,
it's all covered in the tutorials/documentation found in the library's
website.

If you find any more specific trouble, let me know.

Cheers.
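
What the TOS change asked about above does at byte level, as an added example that is not part of the original thread and does not use libtins: the low two bits of the TOS byte are the ECN field, CE is set only on ECN-capable packets, DSCP is left alone, and the header checksum is recomputed. All function names are hypothetical and the sample header is constructed; note that the value 42 from the reply above decodes to DSCP 10 with ECT(0).

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// RFC 3168 ECN codepoints: the low two bits of the IPv4 TOS byte.
enum Ecn : uint8_t { NOT_ECT = 0, ECT1 = 1, ECT0 = 2, CE = 3 };

// One's-complement sum over the header; a valid header sums to 0xFFFF.
uint16_t ones_sum(const std::vector<uint8_t>& h) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < h.size(); i += 2) s += (uint32_t(h[i]) << 8) | h[i + 1];
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);
    return uint16_t(s);
}

void fix_checksum(std::vector<uint8_t>& h) {
    h[10] = h[11] = 0;  // checksum field is zero while summing
    uint16_t c = uint16_t(~ones_sum(h));
    h[10] = uint8_t(c >> 8);
    h[11] = uint8_t(c & 0xFF);
}

// Mark Congestion Experienced only on ECN-capable packets; DSCP is preserved.
// Returns true if the header was changed.
bool mark_ce(std::vector<uint8_t>& h) {
    if (h.size() < 20 || (h[0] >> 4) != 4) return false;
    if (size_t(h[0] & 0x0F) * 4 != h.size()) return false;
    uint8_t ecn = h[1] & 0x03;
    if (ecn == NOT_ECT || ecn == CE) return false;
    h[1] = uint8_t((h[1] & 0xFC) | CE);
    fix_checksum(h);
    return true;
}

// Constructed sample header: DSCP 10, chosen ECN, 192.168.1.1 -> 192.168.1.2.
std::vector<uint8_t> sample_header(uint8_t ecn) {
    std::vector<uint8_t> h = {0x45, uint8_t((10 << 2) | ecn), 0, 40, 0, 1, 0x40, 0,
                              64, 6, 0, 0, 192, 168, 1, 1, 192, 168, 1, 2};
    fix_checksum(h);
    return h;
}

int main() {
    std::vector<uint8_t> h = sample_header(ECT0);
    std::cout << "tos before: " << int(h[1]) << '\n';
    std::cout << "marked: " << mark_ce(h) << ", tos after: " << int(h[1]) << '\n';
}
```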

Manan Bhatt

Mar 21, 2013, 12:50:01 PM
to lib...@googlegroups.com
Hey all, I am facing a strange problem. Two days ago the sender program which is given on the website was working fine. I was doing some other work, and now if I check it and try to sniff the packet, it shows no packet.

Scenario:
I have two systems, my lab PC and my laptop.
My lab system has IP 192.168.1.1 and hw_addr 70:f3:95:0c:db:50.
My laptop IP is 192.168.1.2 and hw_addr is dc:0e:a1:6b:38:26.
I am writing this in the basic sender program given on the website (I am running the program on my lab PC):

NetworkInterface iface = NetworkInterface::default_interface();
NetworkInterface::Info info = iface.addresses();
EthernetII eth(iface, "dc:0e:a1:6b:38:26", info.hw_addr);
eth /= IP("192.168.1.2", info.ip_addr);
eth /= TCP(13, 15);
eth /= RawPDU("I'm a payload!");
PacketSender sender;
sender.send(eth);

Can anyone tell me what I am missing? It was fine two days ago but not now.
