tcpreplay
tcpreplay copied to clipboard
appneta
[Bug] tcprewrite provides incorrect checksum for certain ipv4 packets
The tcprewrite program provides incorrect checksum and modifies packet length in an undesireable manner.
Describe the bug TCP rewrite produces an incorrect IP and TCP checksum for certain pcap files. TCP rewrite appears to change packet length incorrectly, and thus produces an invalid checksum; certain downstream processing may treat said incorrect checksum as a spoofing attempt and discard packet.
Expected behavior: TCP rewrite should only change packet length when that behavior is specifically desired (command line option?). TCP rewrite should correctly calculate IP and TCP checksum (incorrect because length incorrect).
To Reproduce
Steps to reproduce the behavior:
- uncompress packet captures:
mkdir -p pcaps
unzip tcprewrite-pcaps.zip
cp tcprewrite-pcaps/pcap-original-packet-3.pcap pcaps/.
- Run tcprewrite version 4.4.0 and observe the output, as follows
# version 4.4.0
VERSION="4.4.0"
# prepare
tcpreplay-4.4.0/src/tcpprep \
--cidr=0.0.0.0/0 \
--pcap=pcaps/pcap-original-packet-3.pcap \
--cachefile=pcaps/pcap.cache
# use tcprewrite to rewrite packet addresses
tcpreplay-4.4.0/src/tcprewrite \
--cachefile=pcaps/pcap.cache \
--infile=pcaps/pcap-original-packet-3.pcap \
--outfile=pcaps/cap-4.4.0-packet-out.pcap \
--endpoints=10.200.1.1:10.200.1.2
- Run tcprewrite version 4.4.1 and observe the output, as follows
# version 4.4.1
VERSION="4.4.1"
# prepare
tcpreplay-4.4.1/src/tcpprep \
--cidr=0.0.0.0/0 \
--pcap=pcaps/pcap-original-packet-3.pcap \
--cachefile=pcaps/pcap.cache
# use tcprewrite to rewrite packet addresses
tcpreplay-4.4.1/src/tcprewrite \
--cachefile=pcaps/pcap.cache \
--infile=pcaps/pcap-original-packet-3.pcap \
--outfile=pcaps/cap-4.4.1-packet-out.pcap \
--endpoints=10.200.1.1:10.200.1.2
- compare files, should be identical
bdiff pcaps/cap-4.4.0-packet-out.pcap pcaps/cap-4.4.1-packet-out.pcap
Packet Captures
Packet Captures to Reproduce:
- pcap-original-packet-3.pcap
- pcap-4.4.0-packet-3.pcap
- pcap-4.4.1-packet-3.pcap
Examine packets
Use Wireshark to examine and compare both packets.
- Note that the ver 4.4.1 reports incorrect checksum.
- Note also that packet length was changed, which is different behavior from desired.
- Perhaps a flag to specify whether length change is needed or desired?
Screenshots N/A - use Wireshark to view packets
System (please complete the following information):
- OS: Linux
- OS version
-
Linux hostname 5.15.0-71-generic #78-Ubuntu SMP datetime x86_64 x86_64 x86_64 GNU/Linux
-
- Tcpreplay Version [4.4.1] versus [4.4.0]
Additional context The erroneous checksum is due to the changed length. The problem results in dropped packet.
After looking deeper into the cause of this, the assumption which produced the problem, was that a user would always want to change (fix) the header length. Users may only want to change (fix) the header length when desired. Thus a flag to turn on (default off) this behavior, would avoid surprises for those using 4.4.0, and moving to 4.4.1
This issue is related to issue #845 The issue resolves the problems encountered with modifying packet length. This issue does not address the underlying quesion, what should be the packet length calculation result.
This issue does not address the underlying quesion, what should be the packet length calculation result.
I would like to mark this issue resolved by PR #843. I'm a bit concerned about this statement. Can you elaborate? Can a new ticket be opened if the packet length calculation is incorrect (other than issue #845)?
Verified PR #846 fixes this:
~/git/tcpreplay/build Bug_703_844_PR_846_optionally_fix_pkt_hdr_len* ⇡
❯ src/tcprewrite --cachefile=pcaps/pcap.cache \
--infile=pcaps/cap-original-packet-3.pcap \
--outfile=pcaps/cap-4.5.0-packet-out.pcap \
--endpoints=10.200.1.1:10.200.1.2
Warning in ../../src/tcprewrite.c:post_args() line 231:
pcaps/cap-original-packet-3.pcap was captured using a snaplen of 1514 bytes. This may mean you have truncated packets.
~/git/tcpreplay/build Bug_703_844_PR_846_optionally_fix_pkt_hdr_len* ⇡
❯ diff pcaps/cap-4.4.0-packet-3.pcap pcaps/cap-4.5.0-packet-out.pcap
~/git/tcpreplay/build Bug_703_844_PR_846_optionally_fix_pkt_hdr_len* ⇡
❯