matching data packets and ICMP packets in case of TCP duplicates

0
votes

I'm trying to match data packets with the ICMP time-exceeded packets they triggered. Therefore, I'm comparing 28-byte-long strings of each data packet (IP header + 8B of payload) with all (28-byte-long) ICMP payloads.

I'm having problems when I'm sending duplicate TCP packets:

>>> p1
<IP  version=4L ihl=5L tos=0x0 len=60 id=0 flags=DF frag=0L ttl=1 proto=tcp chksum=0x7093 src=XXX dst=YYY options=[] |<TCP  sport=10743 dport=37901 seq=2939035442L ack=2703569003L dataofs=10L reserved=0L flags=SA window=14480 chksum=0x9529 urgptr=0 options=[('MSS', 1460), ('SAckOK', ''), ('Timestamp', (215365485, 52950)), ('NOP', None), ('WScale', 4)] |>>
>>> p2
<IP  version=4L ihl=5L tos=0x0 len=60 id=0 flags=DF frag=0L ttl=1 proto=tcp chksum=0x7093 src=XXX dst=YYY options=[] |<TCP  sport=10743 dport=37901 seq=2939035442L ack=2703569003L dataofs=10L reserved=0L flags=SA window=14480 chksum=0x9426 urgptr=0 options=[('MSS', 1460), ('SAckOK', ''), ('Timestamp', (215365744, 52950)), ('NOP', None), ('WScale', 4)] |>>

...whose first 28 bytes are the same, but differ in the rest of the tcp header:

'E\x00\x00<\x00\x00@\x00\x01\x06p\x93\x8a`t\x86\xb2.X\x14)\xf7\x94\r\xaf.\x1f2'
'E\x00\x00<\x00\x00@\x00\x01\x06p\x93\x8a`t\x86\xb2.X\x14)\xf7\x94\r\xaf.\x1f2'

The ICMP packets I got have thus the same payload:

>>> i1[ICMP]
<ICMP  type=time-exceeded code=ttl-zero-during-transit chksum=0x689a unused=0 |<IPerror  version=4L ihl=5L tos=0x0 len=60 id=0 flags=DF frag=0L ttl=1 proto=tcp chksum=0x7093 src=XXX dst=YYY options=[] |<TCPerror  sport=10743 dport=37901 seq=2939035442L |>>>

>>> i2[ICMP]
<ICMP  type=time-exceeded code=ttl-zero-during-transit chksum=0x689a unused=0 |<IPerror  version=4L ihl=5L tos=0x0 len=60 id=0 flags=DF frag=0L ttl=1 proto=tcp chksum=0x7093 src=XXX dst=YYY options=[] |<TCPerror  sport=10743 dport=37901 seq=2939035442L |>>>

Corresponding strings are:

'E\x00\x00<\x00\x00@\x00\x01\x06p\x93\x8a`t\x86\xb2.X\x14)\xf7\x94\r\xaf.\x1f2'
'E\x00\x00<\x00\x00@\x00\x01\x06p\x93\x8a`t\x86\xb2.X\x14)\xf7\x94\r\xaf.\x1f2'

Right now in this particular case I'm claiming that a1 matches i1 because between i1 and i2, it is i1 that arrived soon after the sending of a1, whereas i2 arrived much later.

Is this enough? What else am I missing?

1
pythontcpduplicatesscapyicmp

1 Answers

1
votes

The header size of a TCP packet is not always 20 bytes. If there are options set, the header could be larger. You can use the Internet Header Length field to find the header size and add the amount of payload you want to that number.

Scapy: how do I get the full IP packet header?