This video shows how to use the filter tcp.hdr_len<27&&tcp.flags.syn ==1. Let's remember the approach: you can also filter by the length of a fragment, a header, and so on. After this video I went looking for Wireshark books that would collect examples like these...
Published: July 20, 2013. This tip was released via Twitter (@laurachappell). In an ideal world both sides of every TCP connection would support SACK (Selective Acknowledgments) and Window Scaling. Sigh... that's just not what we see. Build this coloring rule to spot lousy TCP connection setups.
tcp.hdr_len<27&&tcp.flags.syn ==1
0:01 This is Laura Chappell and welcome to Wireshark
0:03 Tip 25. If you want to follow the tips on the day that I release them on Twitter
0:09 you can follow me, @laurachappell. After this tip we'll create a coloring rule
0:15 and we are specifically looking for bad TCP connection options.
0:19 The syntax for this coloring rule string will be
0:23 tcp.hdr_len
0:26 less than 28, so we're looking for a TCP
0:29 header length that is less than 28, and
0:32 ampersand ampersand, of course, tcp.flags.syn
0:36 equals equals (==) 1, to look at the first two packets in the handshake,
0:39 the first two packets of the handshake. And the reason why we do the header length is
0:43 because that tells us
0:44 how many options are contained in those packets.
0:47 In an ideal situation we'd like to see 32 bytes
0:51 in the TCP header; that would indicate that
0:55 most likely the source side is providing a maximum segment size value
0:59 as well as
1:00 enabling selective acknowledgments as well as using
1:05 window scaling. Of course we have to look at those packets to make sure
1:08 that those are the three options that are in each one. Let me go and show
1:13 you what it looks like when we create this coloring rule and apply it to some trace
1:17 files.
1:17 I have opened up the trace file called tcp
1:21 -problem-pointa.pcapng,
1:25 and this trace file is available at the Wireshark book website.
1:29 Looking at the first two packets I can see that we have a SYN and a SYN/ACK
1:33 following that. So let's just look at the
1:36 SYN packet first and I'll expand the TCP header.
1:41 I'm interested in the options that are contained in the TCP header
1:46 as well as the TCP header length. This header length
1:50 indicates that the header is 44 bytes long, so that's a lot bigger than 28 bytes.
1:56 If we look at the options that are contained we can see that this client is
2:01 defining a maximum segment size value of 1380 bytes, and that has to be in
2:05 every TCP SYN packet as well as the SYN/ACK.
2:08 We also see that there's a NOP in there, which is a no-operation; it's just padding
2:13 so the header ends on a 4-byte boundary. That's fine. It's also indicated that it supports window
2:18 scaling
2:19 and it supports TCP timestamps. This is different than the TCP "calculate
2:24 conversation timestamps"
2:26 area that Wireshark will put inside of this
2:29 header, so it supports TCP timestamps
2:32 and it supports selective acknowledgments. So this is a pretty
2:36 full-functioned
2:37 client. We'll build our coloring rule based
2:41 on this particular trace file, and
2:44 I'll build that first as a display filter and then paste it over into a coloring
2:48 rule. So I'm going to start by expanding the flags section because I'm
2:52 only interested in SYN packets,
2:55 and we'll be adding that to a filter based on the header length
2:59 value. So on the TCP header length field
3:03 I'm going to right-mouse-click and say "Prepare a Filter" based on the selected
3:08 value.
3:09 Now I'm looking for the TCP header length being less than
3:13 28, so I'm going to change that, and I'm looking for
3:19 any time the SYN bit is set, so I will select the
3:23 SYN bit line and then right-mouse-click
3:26 and say "Prepare a Filter", and when you're appending to an existing filter in your
3:30 display filter area
3:32 this is when we use the "..." options in here.
3:35 So I'm going to select "... and Selected",
3:38 and that
3:42 adds the second piece to the first piece, the second filter
3:46 element to the first filter element, and it will always put parentheses around
3:50 them. You don't actually need the parentheses in this case;
3:53 you'd need the parentheses if you were grouping together two
3:57 filter items and then adding another filter item to that.
4:01 And now I'm just going to
4:07 grab that whole display filter and copy it,
4:11 and then select my Coloring Rules
4:14 button and create a brand new coloring rule.
4:17 I'm going to name this, with a capital T, "T-
4:21 Connection Problems",
4:26 and I'll paste that
4:29 filter in my new coloring rule's string.
4:34 I'm gonna set the background color to orange because for me I use that as my
4:37 butt-ugly color;
4:39 not a big fan of orange, you know. So I just typed in the word "orange" and I
4:43 hit the Tab key.
4:45 Wireshark understands the X11 color names,
4:48 so I can type in a color name. I'll say OK, and that's what it will look like.
4:53 I'll say OK and it's up at the top of
4:56 my coloring rule list, and I click OK.
5:03 Now if I apply my new
5:06 filter for SYNs, which we learned about in an earlier
5:10 tip, I can just bring up the SYN packets to see if anything matches
5:13 that coloring rule on either one of these. But in this example I'm looking at the
5:18 traffic
5:19 on one side of a NAT-ing firewall,
5:22 so we have a client 10.10.10.10 that talks to a NAT-ing firewall,
5:27 and then the NAT-ing firewall is going to proxy on behalf of this client;
5:30 it's going to set up a separate connection on the outside
5:33 from the new IP address to the target server.
5:37 So I want to see how this connection looks
5:40 on the outside of the NAT-ing firewall; hopefully the attributes of the client
5:44 will be carried through.
5:46 Let's look at the server side and its SYN/ACK packet before we look on the
5:50 other side.
5:52 In the SYN/ACK packet we can see that the TCP header length is
5:56 28 bytes, so it's not less than 28 bytes.
6:01 We can see that maximum segment size is supported, window scaling is supported, and
6:06 that's it.
6:07 It sure would be nice if it also supported selective acknowledgments.
6:12 Let me open the trace file called tcp-problem-point
6:16 b.pcapng and, looking at this trace file,
6:21 apply my SYN filter,
6:24 and that looks pretty good; it looks like nothing is colored orange.
6:29 Now let's go ahead and open up another trace file; let's test
6:33 ftp-download
6:36 -good.pcapng,
6:40 and we can see that it appears that we have a problem with the handshake
6:44 in this trace file. If we look at what the client
6:48 said, our client's SYN packet was not colored orange here,
6:51 so if you look at what the client said its capabilities are,
6:55 our client said in the TCP header
6:59 (and let me just get to the options area
7:02 in the SYN packet; let me get into
7:06 the options, so there's our SYN packet) the client said
7:10 it supported a maximum segment size of 1465
7:13 and supported selective acknowledgments, but in the SYN/ACK packet that came back
7:17 from the server
7:19 it has in the options area only the maximum segment size value,
7:22 so we can't support selective acknowledgments and we can't support
7:27 window scaling, and that's really not an i-
7:30 deal TCP connection establishment process.
7:36 If you'd like to read the Wireshark tips on the day they're released
7:39 you can follow me on Twitter at @laurachappell.
7:43 For more Wireshark training and tips visit chappellU.com.
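The predicate behind the coloring rule (tcp.hdr_len<27 && tcp.flags.syn==1) applied to raw TCP headers, as an added example that is not part of the video or the original post: it decodes the data offset and option list, flags SYN segments whose header is too short to carry MSS, window scale and SACK-permitted, and names the missing options. The three sample segments are constructed to mirror the header sizes described in the tip (44-, 28- and 24-byte headers); port numbers and option values are assumptions.

```python
import struct

# TCP option kinds (RFC 9293 / RFC 2018 / RFC 7323)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WS, OPT_SACK_PERM, OPT_TS = 0, 1, 2, 3, 4, 8
WANTED = {OPT_MSS: "mss", OPT_WS: "window_scale", OPT_SACK_PERM: "sack_permitted"}
FLAG_SYN, FLAG_ACK = 0x02, 0x10

def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and collect the option kinds present."""
    _sport, _dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4      # data offset is counted in 32-bit words
    flags = off_flags & 0x01FF           # NS + CWR ECE URG ACK PSH RST SYN FIN
    kinds, i = [], 20
    while i < hdr_len:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:              # 1-byte padding, as seen in the client's SYN
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > hdr_len:
            raise ValueError("malformed TCP option length")
        kinds.append(kind)
        i += length
    return {"hdr_len": hdr_len, "syn": bool(flags & FLAG_SYN), "options": kinds}

def lousy_setup(segment: bytes):
    """Same test as the coloring rule: SYN set and header length below 27.
    Returns the names of the missing options on a match, otherwise None."""
    p = parse_tcp(segment)
    if not (p["syn"] and p["hdr_len"] < 27):
        return None
    return [name for kind, name in WANTED.items() if kind not in p["options"]]

def build_syn(options: bytes, ack: bool = False) -> bytes:
    """Constructed SYN or SYN/ACK segment carrying the given option bytes (assumed ports)."""
    options += b"\x01" * (-len(options) % 4)          # NOP-pad to a 4-byte boundary
    data_off = (20 + len(options)) // 4
    flags = FLAG_SYN | (FLAG_ACK if ack else 0)
    fixed = struct.pack("!HHIIHHHH", 49152, 21, 1, 0, (data_off << 12) | flags, 65535, 0, 0)
    return fixed + options

# Constructed samples modelled on the headers discussed in the tip
FULL_CLIENT_SYN = build_syn(b"\x02\x04\x05\x64"        # MSS 1380
                            + b"\x01\x03\x03\x07"      # NOP, window scale 7
                            + b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP NOP, timestamps
                            + b"\x04\x02")             # SACK permitted -> 44-byte header
NAT_SERVER_SYNACK = build_syn(b"\x02\x04\x05\xb4\x01\x03\x03\x07", ack=True)  # MSS + WS -> 28 bytes
BARE_SERVER_SYNACK = build_syn(b"\x02\x04\x05\xb4", ack=True)                  # MSS only -> 24 bytes
```

Note that the 28-byte SYN/ACK is not flagged, exactly as the tip observes: the rule only catches headers of 24 bytes or less, where there is no room for all three options.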