Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign up
Fetching contributors…
Cannot retrieve contributors at this time
| #!/bin/bash | |
| # find_mangled_sequence_numbers.sh begins on the previous line | |
| # | |
| # This script uses tshark to evidence of sequence number mangling. That is the | |
| # sequence numbers recorded in SACK blocks does not match the sequence numbers | |
| # in the TCP ACK header field. This is subjective so the second argument | |
| # provides the threshold value. | |
| # | |
| # This happens when some middle-ware device is altering the sequence number in | |
| # the TCP header but does not alter the sequence numbers in the SACK blocks. | |
| # | |
| # The output is the list of streams with mangled sequence numbers. | |
| # | |
| # Version 1.0 February, 6, 2018 | |
| # Version 1.1 Aprl 24, 2018 | |
| # minor edititing of some comments | |
| # | |
| FINDMANGLEDSEQUENCENUMBERSVERSION="1.1_2018-04-24" | |
| # from https://github.com/noahdavids/packet-analysis.git | |
| # Copyright (C) 2017 Noah Davids | |
| # This program is free software: you can redistribute it and/or modify it | |
| # under the terms of the GNU General Public License as published by the Free | |
| # Software Foundation, version 3, https://www.gnu.org/licenses/gpl-3.0.html | |
| # This program is distributed in the hope that it will be useful, | |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| # GNU General Public License for more details. | |
| if [ $# -gt 2 ] || [ $# -lt 1 ] | |
| then echo "Usage:" | |
| echo " find-mangled-sequence-numbers FILE [THRESHOLD]" | |
| echo " FILE is the name of the trace file to be analyzed" | |
| echo " THRESHOLD is the value above which triggers a report," | |
| echo " default is 1,000,000" | |
| exit | |
| fi | |
| FILE=$1 | |
| if [ ! -e "$FILE" ] | |
| then echo "Could not find input file $FILE" | |
| exit | |
| fi | |
| if [ $# -eq 2 ] | |
| then THRESHOLD=$2 | |
| else THRESHOLD=1000000 | |
| fi | |
| echo "find-mangled-sequence-numbers $FILE $THRESHOLD" | |
| # For every TCP segment that has a SACK block, print out the TCP stream number | |
| # the ack number and the first left edge value of the SACK block. Subtract the | |
| # left edge from the ack number and if the value is greater than the threshold | |
| # or less than the negative threshold print out the TCP stream number. Then | |
| # sor the stream numbers and remove the dupliactes. | |
| # | |
| # Note that is some chance of a false positive when the ACK number wraps at | |
| # same time that here is a SACK block. | |
| tshark -r $FILE -Y "tcp.options.sack_le" -E occurrence=f \ | |
| -o tcp.relative_sequence_numbers:FALSE \ | |
| -T fields -e tcp.stream -e tcp.ack -e tcp.options.sack_le | \ | |
| awk -v thresh=$THRESHOLD \ | |
| '(($3-$2 > thresh) || ($3-$2 < -thresh)) {print $1}' | sort -nu | |
| exit | |