UDP packets are not reassembled


pckmoreau

Nov 18, 2015, 3:32:44 PM11/18/15
to Pcap.Net Q&A

Hello,

I'm using Pcap.Net to filter on UDP and then recover all data arriving on a specific UDP port.

The problem is that the UDP payloads are always the same size and my decoded packet never exceeds 368 bytes.
So when the packet is fragmented, I get only the first part of the payload; the rest is missing.

Do I need to build a tool that tracks fragmented frames and then concatenates the payloads sharing the same ip.identification to recover the whole data?

Is there an option for correct reassembly that I unfortunately missed?

The code I use (in fact based on your help):

                 if (udp.DestinationPort == _listenUdpPort)
               
{
                   

                   
lock (thisLock)
                   
{
                       
UdpPktQueue.Add(udp.Payload.Decode(Encoding.ASCII).Remove(0, 6).Replace("\0", string.Empty));
                   
}
               
}

Then I simply concatenate the List<string> UdpPktQueue and write it to a file.


For example, I get:

bCEM      2  l2telecom_cell0  429:  10E      0          07:47:17.125097480      520  user data length 872 bytes, logged 872 bytes:
           
00840044 0000034C 00000000 0085FFFF   ...D...L........
           
00000001 00000000 FFFFFFFF 03E80001   ................
           
00000000 00000000 00000000 00000000   ................
           
00000001 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
0000016E 005F0000 00000000 00000000   ...n._..........
           
00000000 00000000 00000000 00000000   ................
   
        00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................

whereas I should have (from Wireshark):



bCEM      2  l2telecom_cell0  429:  10E      0          07:47:17.125097480      520  user data length 872 bytes, logged 872 bytes:
           
00840044 0000034C 00000000 0085FFFF   ...D...L........
           
00000001 00000000 FFFFFFFF 03E80001   ................
           
00000000 00000000 00000000 00000000   ................
           
00000001 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
0000016E 005F0000 00000000 00000000   ...n._..........
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
            D5963C4F BE744E04
3C3091A8 E299CAB4   ..<O.tN.<0......
           
25AA5A00 00000001 F528D2A6 4F780471   %.Z......(..Ox.q
            AAAAAAAA BBBBBBBB
00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
01000000 02010000 00000000 00000000   ................
           
00000000 00000000 00000000 00000000   ................
           
18D4F532 5C8D0AA9 D1914BC5 D54946E4   ...2\.....K..IF.
            CB373CBF EB1AB1DA
5D317B8C A3431A1D   .7<.....]1{..C..
           
8B5BFD44 EAB5488F                     .[.D..H.

Any help would be appreciated.


Best regards

Patrick


Boaz Brickner

Nov 20, 2015, 1:46:45 AM11/20/15
to Pcap.Net Q&A
Hi Patrick,

Yes, indeed, Pcap.Net doesn't automatically defragment IP-fragmented packets.
Pcap.Net treats each packet as an independent packet.

Only the first packet would contain the UDP header, so you need to first defragment the IP fragments to a single packet before decoding the UDP header and payload.

There is also this issue, which I couldn't reproduce: https://github.com/PcapDotNet/Pcap.Net/issues/44
And feel free to create a new issue requesting support for IP defragmentation.

If you can attach a .pcap file with a sample, I can try and cook up something that might work for you.

Boaz.

pckmoreau

Nov 20, 2015, 3:39:06 AM11/20/15
to Pcap.Net Q&A
Hi Boaz,

Thanks for the answer.

Yes, Pcap.Net should be used more as a sniffer than as a UDP receiver. And I thought UDP would have been reassembled, my mistake.

So I am trying to keep a list of all IP fragments so that I can recover the UDP payload later, once the last one of the sequence has arrived. But when the UDP packet comes in on the right port (the last sequence), I get the first payload; I think I can manage to add the second one found in the list, but not the last. Honestly, I think my knowledge of IP is too poor to figure this out on my own.
So yes, I would appreciate it if you could cook something up, please.

Attached is a pcap trace. My goal is to decode the UDP packets sent to a given port (e.g. 15000), reassembling all fragments if needed.
The trace is already filtered on ip.version == 4 || udp

Is there any need to create a ticket about defragmentation/reassembly when your tool is working as intended? :)


Thanks

Br,
Patrick

FragmentationIssue_udp-IpV4.pcapng

Boaz Brickner

Nov 20, 2015, 4:51:08 PM11/20/15
to Pcap.Net Q&A
Hi Patrick,

Here is some simple code that does some IPv4 defragmentation.
It's probably still quite buggy, since I didn't do much testing, but it did manage to create the attached .pcap file from your .pcap file (I've converted your .pcapng file to a .pcap file since Pcap.Net doesn't support .pcapng format).

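// Read an offline capture and split its IPv4 packets into two groups:
// unfragmented packets go straight to `packets`, fragments are bucketed per
// datagram in `fragmentedPackets` for later reassembly.
// Every header field read here comes from the capture and is untrusted input.
string inputFile = @"...\FragmentationIssue_udp-IpV4.pcap";
var device = new OfflinePacketDevice(inputFile);
List<Packet> packets = new List<Packet>();

// Reassembly key: (source, destination, identification).
// NOTE(review): RFC 791 also keys reassembly on the protocol field; add it to the
// key if the capture mixes protocols between the same two hosts.
var fragmentedPackets = new Dictionary<Tuple<IpV4Address, IpV4Address, ushort>, List<Packet>>();
using (var communicator = device.Open())
{
    Packet packet;
    while (communicator.ReceivePacket(out packet) == PacketCommunicatorReceiveResult.Ok)
    {
        var ethernet = packet.Ethernet;
        if (ethernet.EtherType != EthernetType.IpV4)
        {
            // Non-IPv4 frames are not carried over to the output.
            continue;
        }

        var ipV4 = ethernet.IpV4;
        var fragmentation = ipV4.Fragmentation;

        // A packet is a fragment when More Fragments is set or its offset is non-zero.
        // Testing only for "Don't Fragment" would also bucket ordinary packets that
        // simply lack the DF flag, and two of those sharing an identification value
        // would later be merged into one bogus datagram.
        bool moreFragments =
            (fragmentation.Options & IpV4FragmentationOptions.MoreFragments) == IpV4FragmentationOptions.MoreFragments;
        bool isFragment = moreFragments || fragmentation.Offset != 0;
        if (!isFragment)
        {
            packets.Add(packet);
            continue;
        }

        var key = new Tuple<IpV4Address, IpV4Address, ushort>(ipV4.Source, ipV4.Destination, ipV4.Identification);

        // Single lookup instead of ContainsKey followed by the indexer.
        List<Packet> fragments;
        if (!fragmentedPackets.TryGetValue(key, out fragments))
        {
            fragments = new List<Packet>();
            fragmentedPackets.Add(key, fragments);
        }
        fragments.Add(packet);
    }
}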


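// Rebuild one full packet per fragment group and append it to `packets`.
// Offsets and lengths come from captured headers, so they are validated before
// they are used as buffer indices. Groups that are malformed or definitely
// incomplete are skipped rather than emitted with zero-filled holes.
foreach (var key in fragmentedPackets.Keys)
{
    EthernetLayer ethernetLayer = null;
    IpV4Layer ipV4Layer = null;
    DateTime packetTimestamp = DateTime.MinValue;
    byte[] payloadBuffer = new byte[65536];
    int payloadLength = 0;      // highest byte index written + 1
    int bytesCopied = 0;        // sum of all fragment payload lengths
    bool sawLastFragment = false;
    bool malformed = false;

    foreach (Packet packet in fragmentedPackets[key])
    {
        var ethernet = packet.Ethernet;
        var ipV4 = ethernet.IpV4;
        if (ethernetLayer == null)
        {
            // Timestamp and headers are taken from the first captured fragment of the group.
            packetTimestamp = packet.Timestamp;
            ethernetLayer = (EthernetLayer)ethernet.ExtractLayer();
            ipV4Layer = (IpV4Layer)ipV4.ExtractLayer();
        }

        // Offset is used as a byte index into the reassembly buffer.
        int offset = ipV4.Fragmentation.Offset;
        int fragmentLength = ipV4.Payload.Length;

        // A crafted fragment whose offset + length runs past the buffer would make
        // CopyTo throw; reject the whole datagram instead of crashing the tool.
        if (offset + fragmentLength > payloadBuffer.Length)
        {
            malformed = true;
            break;
        }

        ipV4.Payload.ToArray().CopyTo(payloadBuffer, offset);
        payloadLength = Math.Max(payloadLength, offset + fragmentLength);
        bytesCopied += fragmentLength;

        // The final fragment is the one without the More Fragments flag.
        if ((ipV4.Fragmentation.Options & IpV4FragmentationOptions.MoreFragments) != IpV4FragmentationOptions.MoreFragments)
        {
            sawLastFragment = true;
        }
    }

    // Fewer bytes copied than the covered extent means at least one hole; a missing
    // final fragment means the true length is unknown.
    // NOTE(review): overlapping or duplicated fragments are not detected here; a later
    // fragment overwrites an earlier one. Tools that inspect traffic should pick an
    // explicit overlap policy.
    if (malformed || !sawLastFragment || bytesCopied < payloadLength)
    {
        continue;
    }

    // Null checksum: presumably recomputed by the builder - confirm against the Pcap.Net docs.
    ipV4Layer.HeaderChecksum = null;
    ipV4Layer.Fragmentation = IpV4Fragmentation.None;
    Packet fullPacket = PacketBuilder.Build(packetTimestamp, ethernetLayer, ipV4Layer,
                                            new PayloadLayer() { Data = new Datagram(payloadBuffer.Subsegment(0, payloadLength).ToArray()) });
    packets.Add(fullPacket);
}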

// Write the pass-through and reassembled packets to a new capture file next to the input.
// 65536 is passed as the third argument (presumably the snapshot length - confirm).
string outputFile = string.Concat(inputFile, @".out.pcap");
PacketDumpFile.Dump(outputFile, DataLinkKind.Ethernet, 65536, packets);

I hope this helps,

Boaz.
FragmentationIssue_udp-IpV4.pcap.out.pcap