
I have a packet that I have manually created for a SYN/ACK but I get no reply from the server. This is all wireless/GSM stuff so I cannot use a sniffer.

I have calculated the TCP and the IP header checksums manually a few times and they seem correct but I really need a 3rd party method to be sure. I had several endian issues but I think I have it right now. But who knows...

I only found an online parser but it does not test/verify the checksums.

Does anyone have an easy idea for me?

Just in case someone has suitable access to a test method, and feels like pasting it in for me, here is the packet:

45 10 00 3C 00 02 00 00 64 06 E8 1F 0A AA 61 43 51 8A B1 13 
01 BB 01 BB 00 00 00 0A 00 00 00 00 50 02 00 00 3D D8 00 00

Regards berntd

Rachit kapadia
berntd
  • I have now manually converted this packet to the usual hex dump format with the address offset in front and 16 bytes per line. I then used text2pcap.exe -e 0x806 source destination to convert the hex dump to a PCAP file with a dummy Ethernet encapsulation inserted, but in Wireshark it comes up as a packet with the ARP protocol and it is not correctly analysed/shown. – berntd Jan 22 '18 at 23:43
  • Ok, I see the problem. I should have used text2pcap.exe -e 0x800 to specify IPv4 instead of ARP. I can now at least see the packet in Wireshark. – berntd Jan 23 '18 at 00:04

2 Answers


I've created a pcap from your hex data using Net::PcapWriter:

use strict;
use warnings;
use Net::PcapWriter;

# Write a single-packet capture file.
my $w = Net::PcapWriter->new('test.pcap');
# The raw IPv4 + TCP bytes from the question, decoded from hex.
my $ip = pack('H*','4510003C000200006406E81F0AAA6143518AB11301BB01BB0000000A00000000500200003DD80000');
# layer2prefix() prepends a dummy Ethernet header (EtherType IPv4 is chosen from the address family).
$w->packet($w->layer2prefix('1.1.1.1').$ip);

Loading it into Wireshark shows both the IP checksum and the TCP checksum as correct, so it is probably not a problem of the checksum calculation.

But tcpdump says that the length is wrong:

IP truncated-ip - 20 bytes missing! 10.170.97.67.443 > 81.138.177.19.443: Flags [S], seq 10:30, win 0, length 20

This is because you've set the total length in the IP header to 60 bytes (00 3C) but the IP header + TCP header is only 40 bytes in total and your packet does not have any payload, i.e. the total length should be 40 and not 60 bytes.

Steffen Ullrich
  • That is great! I see you wrote that PCAPWriter. Can I do the same on my side with packets like this? I have no experience or idea how I would use something like your PCAPWriter. – berntd Jan 22 '18 at 20:39
  • @berntd: what I've quoted in the answer is the full Perl script which I've used. You need of course Perl installed and the Net::PcapWriter module. How to do this is off-topic and might also depend on your OS. – Steffen Ullrich Jan 22 '18 at 20:51
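The answer above reports two separate things: the checksums are fine, but the IPv4 total length is not. The following script, added here as an illustration and not part of the original answer or of Net::PcapWriter, performs the same checks without Wireshark or tcpdump: it verifies the IPv4 header checksum, compares the declared total length with the number of bytes actually present, and computes the TCP checksum over the pseudo-header twice, once with the real segment length and once with the length a receiver would derive from the IPv4 total-length field. The packet from the question is embedded as the sample input; the function and field names are my own.

```python
"""Check the IPv4 header checksum, the TCP checksum and the IPv4 total-length
field of a raw IPv4/TCP packet (RFC 791 / RFC 793 ones'-complement sums)."""
import struct

# The packet from the question, used here as the sample input.
PACKET_HEX = (
    "4510003C000200006406E81F0AAA6143518AB113"
    "01BB01BB0000000A00000000500200003DD80000"
)


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones' complement of the ones'-complement sum.
    Over a header that still contains its correct checksum field this returns 0."""
    return (~ones_complement_sum(data)) & 0xFFFF


def verify_ipv4_tcp(packet: bytes) -> dict:
    """Return the fields a receiving stack checks before it will answer the segment."""
    ihl = (packet[0] & 0x0F) * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src, dst = packet[12:16], packet[16:20]
    ip_header = packet[:ihl]
    ip_csum_field = struct.unpack("!H", packet[10:12])[0]
    # Recompute with the checksum field (bytes 10-11) zeroed.
    ip_csum_calc = checksum(ip_header[:10] + b"\x00\x00" + ip_header[12:])

    segment = packet[ihl:]
    # A receiver takes the TCP length from the IP total length, not from the
    # number of bytes that actually arrived, so both variants are reported.
    declared_tcp_len = total_length - ihl
    actual_tcp_len = len(segment)

    def tcp_checksum(tcp_len: int) -> int:
        # Pseudo-header: src, dst, zero, protocol, TCP length (header + data).
        pseudo = src + dst + struct.pack("!BBH", 0, proto, tcp_len)
        seg = segment[:16] + b"\x00\x00" + segment[18:]  # checksum field zeroed
        return checksum(pseudo + seg)

    return {
        "ip_checksum_ok": ip_csum_calc == ip_csum_field,
        "total_length_declared": total_length,
        "total_length_actual": len(packet),
        "total_length_ok": total_length == len(packet),
        "tcp_checksum_field": struct.unpack("!H", segment[16:18])[0],
        "tcp_checksum_for_actual_len": tcp_checksum(actual_tcp_len),
        "tcp_checksum_for_declared_len": tcp_checksum(declared_tcp_len),
    }


if __name__ == "__main__":
    for key, value in verify_ipv4_tcp(bytes.fromhex(PACKET_HEX)).items():
        print(key, hex(value) if key.startswith("tcp_checksum") else value)
```

For this packet the IPv4 checksum verifies, the TCP checksum field (0x3DD8) matches the value computed over the 20 bytes that are really there, but the header claims 60 bytes where only 40 exist. Because the peer derives the TCP length from that field, it would expect 40 bytes of TCP and a checksum of 0x3DC4, which is one more reason besides the truncation itself that no SYN/ACK comes back.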

Here is what I came up with to do it the manual way:

Put packet into a text file like so:

45 10 00 3C 00 02 00 00 64 06 E8 1F 0A AA 61 43 51 8A B1 13 
01 BB 01 BB 00 00 00 0A 00 00 00 00 50 02 00 00 3D D8 00 00

Add address offsets and group into 16-byte lines as in a hex dump:

000000 45 10 00 3C 00 02 00 00 64 06 E8 1F 0A AA 61 43 
000010 51 8A B1 13 01 BB 01 BB 00 00 00 0A 00 00 00 00 
000020 50 02 00 00 3D D8 00 00

Save it (source).

Now run text2pcap.exe -e 0x800 source dest. The dest file can now be imported as a PCAP file into Wireshark for decoding.

Multiple packets can be converted by starting the address offset for each new packet at 000000 again in the source file.

text2pcap.exe seems to come with Wireshark.

Tedious but works. Cheers

berntd
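The manual step above (prefixing each 16-byte group with a hex offset, restarting at 000000 for every new packet) can be scripted. The following is an added example and not part of the answer or of the Wireshark project; the function name is mine, and the packet from the question is embedded as the sample input. It produces the dump text2pcap reads and accepts more than one packet at once.

```python
"""Format raw hex bytes as the offset-prefixed hex dump that text2pcap reads:
6-digit hex offset, 16 bytes per line, offset restarting at 000000 per packet."""

# The packet from the question, used here as the sample input (whitespace is ignored).
PACKET_HEX = """
45 10 00 3C 00 02 00 00 64 06 E8 1F 0A AA 61 43 51 8A B1 13
01 BB 01 BB 00 00 00 0A 00 00 00 00 50 02 00 00 3D D8 00 00
"""


def to_text2pcap_dump(*packets_hex: str, width: int = 16) -> str:
    """Return a text2pcap-style dump for one or more packets given as hex strings."""
    lines = []
    for hex_text in packets_hex:
        data = bytes.fromhex("".join(hex_text.split()))
        for offset in range(0, len(data), width):
            chunk = data[offset:offset + width]
            lines.append("%06x " % offset + " ".join("%02x" % b for b in chunk))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Save the output as "source", then: text2pcap -e 0x800 source dest
    # (-e 0x800 wraps each packet in a dummy Ethernet header with the IPv4 EtherType).
    print(to_text2pcap_dump(PACKET_HEX), end="")
```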