find-mangled-sequence-numbers.sh

#!/bin/bash
# find_mangled_sequence_numbers.sh begins on the previous line
#
# This script uses tshark to evidence of sequence number mangling. That is the
# sequence numbers recorded in SACK blocks does not match the sequence numbers
# in the TCP ACK header field. This is subjective so the second argument
# provides the threshold value.
#
# This happens when some middle-ware device is altering the sequence number in
# the TCP header but does not alter the sequence numbers in the SACK blocks.
#
# The output is the list of streams with mangled sequence numbers.
#
# Version 1.0 February, 6, 2018
# Version 1.1 Aprl 24, 2018
#   minor edititing of some comments
#
FINDMANGLEDSEQUENCENUMBERSVERSION="1.1_2018-04-24"

# from https://github.com/noahdavids/packet-analysis.git

# Copyright (C) 2017 Noah Davids

# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the Free
# Software Foundation, version 3, https://www.gnu.org/licenses/gpl-3.0.html

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

if [ $# -gt 2 ] || [ $# -lt 1 ]
   then echo "Usage:"
        echo "   find-mangled-sequence-numbers FILE [THRESHOLD]"
        echo "       FILE is the name of the trace file to be analyzed"
        echo "       THRESHOLD is the value above which triggers a report,"
        echo "                 default is 1,000,000"
   exit
fi

FILE=$1

if [ ! -e "$FILE" ]
   then echo "Could not find input file $FILE"
   exit
fi

if [ $# -eq 2 ]
   then THRESHOLD=$2
   else THRESHOLD=1000000
fi

echo "find-mangled-sequence-numbers $FILE $THRESHOLD"

# For every TCP segment that has a SACK block, print out the TCP stream number
# the ack number and the first left edge value of the SACK block. Subtract the
# left edge from the ack number and if the value is greater than the threshold
# or less than the negative threshold print out the TCP stream number. Then
# sor the stream numbers and remove the dupliactes.
#
# Note that is some chance of a false positive when the ACK number wraps at
# same time that here is a SACK block.


tshark -r $FILE -Y "tcp.options.sack_le" -E occurrence=f \
       -o tcp.relative_sequence_numbers:FALSE \
       -T fields -e tcp.stream -e tcp.ack -e tcp.options.sack_le | \
       awk -v thresh=$THRESHOLD \
          '(($3-$2 > thresh) || ($3-$2 < -thresh)) {print $1}' | sort -nu

exit
	#!/bin/bash
	# find_mangled_sequence_numbers.sh begins on the previous line
	#
	# This script uses tshark to evidence of sequence number mangling. That is the
	# sequence numbers recorded in SACK blocks does not match the sequence numbers
	# in the TCP ACK header field. This is subjective so the second argument
	# provides the threshold value.
	#
	# This happens when some middle-ware device is altering the sequence number in
	# the TCP header but does not alter the sequence numbers in the SACK blocks.
	#
	# The output is the list of streams with mangled sequence numbers.
	#
	# Version 1.0 February, 6, 2018
	# Version 1.1 Aprl 24, 2018
	# minor edititing of some comments
	#
	FINDMANGLEDSEQUENCENUMBERSVERSION="1.1_2018-04-24"

	# from https://github.com/noahdavids/packet-analysis.git

	# Copyright (C) 2017 Noah Davids

	# This program is free software: you can redistribute it and/or modify it
	# under the terms of the GNU General Public License as published by the Free
	# Software Foundation, version 3, https://www.gnu.org/licenses/gpl-3.0.html

	# This program is distributed in the hope that it will be useful,
	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	# GNU General Public License for more details.

	if [ $# -gt 2 ] \|\| [ $# -lt 1 ]
	then echo "Usage:"
	echo " find-mangled-sequence-numbers FILE [THRESHOLD]"
	echo " FILE is the name of the trace file to be analyzed"
	echo " THRESHOLD is the value above which triggers a report,"
	echo " default is 1,000,000"
	exit
	fi

	FILE=$1

	if [ ! -e "$FILE" ]
	then echo "Could not find input file $FILE"
	exit
	fi

	if [ $# -eq 2 ]
	then THRESHOLD=$2
	else THRESHOLD=1000000
	fi

	echo "find-mangled-sequence-numbers $FILE $THRESHOLD"

	# For every TCP segment that has a SACK block, print out the TCP stream number
	# the ack number and the first left edge value of the SACK block. Subtract the
	# left edge from the ack number and if the value is greater than the threshold
	# or less than the negative threshold print out the TCP stream number. Then
	# sor the stream numbers and remove the dupliactes.
	#
	# Note that is some chance of a false positive when the ACK number wraps at
	# same time that here is a SACK block.


	tshark -r $FILE -Y "tcp.options.sack_le" -E occurrence=f \
	-o tcp.relative_sequence_numbers:FALSE \
	-T fields -e tcp.stream -e tcp.ack -e tcp.options.sack_le \| \
	awk -v thresh=$THRESHOLD \
	'(($3-$2 > thresh) \|\| ($3-$2 < -thresh)) {print $1}' \| sort -nu

	exit