
[Bug] tcprewrite provides incorrect checksum for certain ipv4 packets

Open ChuckCottrill opened this issue 11 months ago • 0 comments

The tcprewrite program changes packet length to an undesirable (incorrect) value.

Describe the bug

TCP rewrite appears to change packet length incorrectly, due to incorrect handling of minimum length packets; this could cause an incorrect checksum (which could be interpreted as a spoofing attempt and cause the packet to be discarded).

Expected behavior: TCP rewrite should correctly change packet length (more to follow).

To Reproduce

Steps to reproduce the behavior:

  1. Uncompress packet captures:

         mkdir -p pcaps
         unzip tcprewrite-pcaps.zip
         cp tcprewrite-pcaps/pcap-original-packet-3.pcap pcaps/.

  2. Run tcprewrite version 4.4.0 and observe the output, as follows:

         # version 4.4.0
         VERSION="4.4.0"
         # prepare
         tcpreplay-4.4.0/src/tcpprep \
             --cidr=0.0.0.0/0 \
             --pcap=pcaps/pcap-original-packet-3.pcap \
             --cachefile=pcaps/pcap.cache
         # use tcprewrite to rewrite packet addresses
         tcpreplay-4.4.0/src/tcprewrite \
             --cachefile=pcaps/pcap.cache \
             --infile=pcaps/pcap-original-packet-3.pcap \
             --outfile=pcaps/cap-4.4.0-packet-out.pcap \
             --endpoints=10.200.1.1:10.200.1.2

  3. Run tcprewrite version 4.4.1 and observe the output, as follows:

         # version 4.4.1
         # prepare
         tcpreplay-4.4.1/src/tcpprep \
             --cidr=0.0.0.0/0 \
             --pcap=pcaps/pcap-original-packet-3.pcap \
             --cachefile=pcaps/pcap.cache
         # use tcprewrite to rewrite packet addresses
         tcpreplay-4.4.1/src/tcprewrite \
             --cachefile=pcaps/pcap.cache \
             --infile=pcaps/pcap-original-packet-3.pcap \
             --outfile=pcaps/cap-4.4.1-packet-out.pcap \
             --endpoints=10.200.1.1:10.200.1.2

  4. Compare files, should be identical:

         bdiff pcaps/cap-4.4.0-packet-out.pcap pcaps/cap-4.4.1-packet-out.pcap

Packet Captures

Packet Captures to Reproduce:

  • pcap-original-packet-3.pcap
  • pcap-4.4.0-packet-3.pcap
  • pcap-4.4.1-packet-3.pcap

Examine packets

Use Wireshark to examine and compare both packets.

  • Note that ver 4.4.1 reports an incorrect checksum.
  • Note also that packet length was changed, which is different from the desired behavior.
  • Perhaps a flag to specify whether length change is needed or desired?

Screenshots

N/A - use Wireshark to view packets

System (please complete the following information):

  • OS: Linux
  • OS version
    • Linux hostname 5.15.0-71-generic #78-Ubuntu SMP datetime x86_64 x86_64 x86_64 GNU/Linux
  • Tcpreplay Version [4.4.1] versus [4.4.0]

Additional context

The changed length results in an erroneous checksum which results in dropped packet(s).

ChuckCottrill, Feb 29 '24 17:02
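A scripted version of the Wireshark comparison described in the issue, as an added example that is not part of the original report or the tcpreplay project: it checks the IPv4 total-length field against the captured bytes and verifies the header checksum. Both frames are constructed here; the second models a length field widened over Ethernet padding with the checksum left stale, which is an assumption about the failure class and not a capture of tcprewrite output.

```python
import socket
import struct

ETH_HLEN, ETH_MIN = 14, 60  # Ethernet header size; minimum frame size without FCS

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_ipv4_frame(frame: bytes) -> dict:
    """Compare the IPv4 total-length field with the captured bytes and verify the header checksum."""
    if len(frame) < ETH_HLEN + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an untagged Ethernet/IPv4 frame")
    ip = frame[ETH_HLEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(ip):
        raise ValueError("invalid IPv4 header length")
    total_len = struct.unpack("!H", ip[2:4])[0]
    return {
        "total_len": total_len,
        "trailer": len(ip) - total_len,  # >0: Ethernet padding, <0: truncated capture
        "hdr_csum_ok": inet_checksum(ip[:ihl]) == 0,  # a valid header sums to zero
    }

def build_frame(payload: bytes) -> bytes:
    """Constructed sample: IPv4/TCP frame padded to the Ethernet minimum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                      socket.inet_aton("10.200.1.1"), socket.inet_aton("10.200.1.2"))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + hdr + payload
    return frame.ljust(ETH_MIN, b"\x00")

def set_total_len(frame: bytes, new_len: int) -> bytes:
    """Overwrite the total-length field only, leaving the header checksum stale."""
    off = ETH_HLEN + 2
    return frame[:off] + struct.pack("!H", new_len) + frame[off + 2:]

TCP_HDR = bytes(12) + b"\x50" + bytes(7)  # constructed 20-byte TCP header, data offset 5
SAMPLE_PADDED = build_frame(TCP_HDR)      # 54 bytes of packet + 6 bytes of padding
SAMPLE_RELENGTHED = set_total_len(SAMPLE_PADDED, len(SAMPLE_PADDED) - ETH_HLEN)

if __name__ == "__main__":
    for name, frame in (("padded", SAMPLE_PADDED), ("relengthed", SAMPLE_RELENGTHED)):
        print(name, check_ipv4_frame(frame))
```

A positive `trailer` with a valid checksum is a normal minimum-size frame; a `trailer` of zero on a frame that had padding before rewriting, combined with a failed checksum, is the pattern to look for when comparing the 4.4.0 and 4.4.1 outputs.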