Wireshark-users: Re: [Wireshark-users] Out of sequence packets
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Tue, 28 Apr 2009 19:14:52 +0200
Hello Alan,I hear you, and indeed it's great that Wireshark can do that. Improving defragmentation is a Good Thing(sm), as long is it's not in the way of looking at the frames on the wire.
Thanx, Jaap Alan Jay Weiner wrote:
Hi Jaap, I see the design goal gap as you describe, but I disagree with your view of 'test equipment' and how it relates to Wireshark. As I see it, Wireshark is most definitely 'test equipment' - one which operates at the packet level (as you describe) but also is able to decode higher protocol levels. Indeed, that ability is one of its great strengths! Wireshark is first and foremost a packet sniffer; nothing should interfere with that. However, Wireshark already goes much beyond simple packet capture, including putting together fragmented TCP packets. It just doesn't handle the case of the first packet not being received first (the case the original poster is seeing). Improving the defragmenting logic - especially for TCP - seems useful to me, even when it occurs infrequently. - Al Weiner -----------------------------------------------------------------------------Alan Jay Weiner / Valid8.com, Inc. - Conform, Perform & Excel(tm) 500 W Cummings Park, Suite #2700, Woburn, MA 01801, USA a.weiner@xxxxxxxxxx / Tel:+1-781-938-1221 x112, Fax +1-781-207-0550http://www.VALID8.com -----Original Message-----From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter Sent: Monday, April 27, 2009 12:44 PM To: Community support list for Wireshark Subject: Re: [Wireshark-users] Out of sequence packets Hi, I think you have to be very aware of the design goal of the application athand. Wireshark, as a packet sniffer, has the design goal of showing you the frames as they travel on the network medium. That is a very low level approach, well below eg. the TCP layer (I come back to that later).As you describe a generic term 'test equipment' I see it as an end device application emulation, which, like the real end device of the observed communications, shows what the application communicates and how this is interpreted. You understand that this is a (very) high level approach to network communications, which sits on top of multiple complicated layers of communications software, eg IP and TCP.You see there's a gap between the two described design goals. IndeedWireshark tries to provide some of the features of your 'test equipment' but it is inherently hindered by the fact that it has to perform first and foremost at the network medium layer. It will therefore never be able to serve your goal as 'test equipment'.Note that this is true for all kinds of low level tools, like sniffers andIDS. See how this has been identified as a fundamental problem and used by tools like SniffJoke: http://www.delirandom.net/sniffjoke/Thanx, Jaap Alan Jay Weiner wrote:As I read that this problem is quite rare maybe it's uselessEven though it might be a rare occurrence, the original poster is seeingit;evidence that the case can occur in real life. As Wireshark is testequipment, I argue that it *should* handle such cases.My personal feeling is that Wireshark could/should be configurable - a setting to configure how large a buffer is allocated for holding out-of-sequence packets; i.e., how late the first packet may be in ordertostill put everything together. That said, I realize it's easy to create work for someone else; since I'm not jumping up to do the work my opinion carries less weight. (btw, I make the same argument about our own products; as test equipmentweshould handle (and/or be able to generate) every odd, bad, messed-up, whatever... :) - Al Weiner -----------------------------------------------------------------------------Alan Jay Weiner / Valid8.com, Inc. - Conform, Perform & Excel(tm) 500 W Cummings Park, Suite #2700, Woburn, MA 01801, USA a.weiner@xxxxxxxxxx / Tel:+1-781-938-1221 x112, Fax +1-781-207-0550http://www.VALID8.com -----Original Message-----From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Matthieu Patou Sent: Sunday, April 26, 2009 4:49 PM To: Community support list for Wireshark Subject: Re: [Wireshark-users] Out of sequence packets On 04/26/2009 10:33 PM, Sake Blok wrote:My protocol (LDAP with SASL) is able to cope with this out of order packets, but wireshark not and that's particulary bad when you have encrypted data with rc4 (like it's my case) because as you are not able to decode it and due to this you lose the synchronisation with the (de)cipher and you are not able to decode subsequent LDAP request as well (well until the caller unbind and restart a new bind).On Sun, Apr 26, 2009 at 10:13:30PM +1000, Martin Visser wrote:On Sun, Apr 26, 2009 at 7:50 PM, Matthieu Patou <mat+Informatique.Wireshark@xxxxxxxxx> wrote: Some of the dissected protocols for instance HTTP also allow you to have visibility of the whole object, as long it is complete, even if it is made up of out of order or duplicate packets.Which is true for every packet *except* the first packet of a PDU. If that packet is received out-of-order, Wireshark is not able to dissect that PDU as it is fed with faulty information. This is the case I believe Matthieu was refering to :In fact it's not the second one before the first one but the forth ....Sake I don't know in the general case but in my case I've got a packet x saying next sequence xxx and unfortunately next packet in the same direction with the same port (source and dest) has the sequence yyy. Then we can decide to park it and do so for every packet before finding the one with sequence xxx, then we put missing packet in places ...reorder packets (ie. if you have sequence 1341 before sequence 1 then you're caught).I was looking at the TCP dissector this afternoon to see how easy it would be to park a packet in the defragmentation queue when a previous packet has been lost (due to out-of-order) and a new PDU was expected. This should solve the issue (unless the packet was not out-of-order, but really lost). Unfortunately I was not yet able to find a way to do that. If anyone has an idea, feel free :-)Well it seems simple in a mail ... As I read that this problem is quite rare maybe it's useless Matthieu.
- References:
- [Wireshark-users] Out of sequence packets
- From: Matthieu Patou
- Re: [Wireshark-users] Out of sequence packets
- From: Martin Visser
- Re: [Wireshark-users] Out of sequence packets
- From: Sake Blok
- Re: [Wireshark-users] Out of sequence packets
- From: Matthieu Patou
- Re: [Wireshark-users] Out of sequence packets
- From: Alan Jay Weiner
- Re: [Wireshark-users] Out of sequence packets
- From: Jaap Keuter
- Re: [Wireshark-users] Out of sequence packets
- From: Alan Jay Weiner
- [Wireshark-users] Out of sequence packets
- Prev by Date: Re: [Wireshark-users] Out of sequence packets
- Next by Date: Re: [Wireshark-users] Question on wireless sniffing and Cisco AP modes
- Previous by thread: Re: [Wireshark-users] Out of sequence packets
- Next by thread: [Wireshark-users] Connecting to router
- Index(es):