
l2tp Packet is not pulling sessionID

Open lovejotd opened this issue 4 years ago • 10 comments

When I run analysis on an L2TP packet, the session ID is showing up as 0, but when I open the same packet in Wireshark, it shows the session ID as 4000. Checking the bytes, it also looks like it should be 4000.

lovejotd avatar Dec 18 '20 13:12 lovejotd

Probably a parsing error, if the bytes are correct you can take a look here and try to fix it (a test for this would be useful too): https://github.com/chmorgan/packetnet/blob/2775ea7f8fef4edee445ef7087eaa04a3612c920/PacketDotNet/L2tpPacket.cs#L73

PhyxionNL avatar Dec 18 '20 13:12 PhyxionNL

I can add a test for it. Doesn't seem as though I have permissions to create a branch.

lovejotd avatar Dec 18 '20 14:12 lovejotd

You don't, but you can create a fork and then submit a PR 🙂

PhyxionNL avatar Dec 18 '20 14:12 PhyxionNL

Sorry, this is my first time... Not sure if I am testing the way you guys are, 'cause my test is different. I uploaded a PR of my test. Let me know what you think.

lovejotd avatar Dec 18 '20 14:12 lovejotd

@lovejotd wasn't sure if you saw my comment on your PR. I'd like to look at the packet you captured in Wireshark and look at the test results. Do you have that .pcap file still? If so can you upload it here?

chmorgan avatar Jan 06 '21 01:01 chmorgan

@chmorgan No problem, yes, I still have it. I got it from a test capture site - https://packetlife.net/captures/protocol/l2tp/

You can download it here - https://packetlife.net/media/captures/icmp_in_l2tpv3.cap

Let me know if you have any questions.

lovejotd avatar Jan 06 '21 02:01 lovejotd

@lovejotd alright, so after looking at that capture file and the l2tppacket dissector the issue is that there are multiple versions of l2tp packets. The one being tested is v2 but the one you are testing with is v3. From the RFCs it looks like the format of the packets differs.

I'm also not sure if the parser covers all of the cases for l2tp v2 packets either.

It might make sense to extend that class but there would be properties of the class that wouldn't be valid for some versions of the packet.

chmorgan avatar Jan 06 '21 02:01 chmorgan

@lovejotd @PhyxionNL as a heads up the current plan is to make a class that will create the appropriate version of the L2TP packet based upon the version field. Similar to how OspfPacket.ConstructPacket() works. Hope to have it wrapped up in a few days and a PR open.

chmorgan avatar Jan 07 '21 03:01 chmorgan

Was there any movement on this? Thanks!

lovejotd avatar Dec 21 '21 16:12 lovejotd

@lovejotd I started working on it and got side-tracked due to far too many projects and no immediate use for this.

I can push my work in progress to a branch if you'd like to take a look. It's basically the same approach as we do with other parsers that have multiple versions: we check the version and instantiate the correct version class.

chmorgan avatar Dec 21 '21 17:12 chmorgan
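
The version dispatch discussed in the thread, as an added example that is not part of the thread or of PacketDotNet's code: it reads the Ver field and returns a v2 (RFC 2661) or v3 (RFC 3931) header, then shows how a v2-layout read of a v3 data header lands on zero. The type names are hypothetical, UDP encapsulation is assumed, and the sample bytes are constructed with session ID 4000 taken as a decimal value.

```csharp
using System;
using System.Buffers.Binary;

// Hypothetical types for illustration; these are not PacketDotNet's classes.
public abstract record L2tpHeader(int Version);
public sealed record L2tpV2Header(ushort TunnelId, ushort SessionId) : L2tpHeader(2);
public sealed record L2tpV3DataHeader(uint SessionId) : L2tpHeader(3);
public sealed record L2tpV3ControlHeader(uint ControlConnectionId) : L2tpHeader(3);

public static class L2tpParser
{
    private static void Need(ReadOnlySpan<byte> p, int n)
    {
        if (p.Length < n) throw new ArgumentException("truncated L2TP header");
    }

    // Assumption: 'p' is a UDP payload (L2TPv3 carried directly over IP is laid out differently).
    public static L2tpHeader Parse(ReadOnlySpan<byte> p)
    {
        Need(p, 2);
        ushort flags = BinaryPrimitives.ReadUInt16BigEndian(p);
        bool isControl = (flags & 0x8000) != 0; // T bit
        bool hasLength = (flags & 0x4000) != 0; // L bit
        switch (flags & 0x000F)                 // Ver field, low 4 bits
        {
            case 2: // RFC 2661: flags, [length], tunnel ID (16 bits), session ID (16 bits)
                int off = hasLength ? 4 : 2;
                Need(p, off + 4);
                return new L2tpV2Header(BinaryPrimitives.ReadUInt16BigEndian(p.Slice(off)),
                                        BinaryPrimitives.ReadUInt16BigEndian(p.Slice(off + 2)));
            case 3 when isControl: // RFC 3931: flags, length, control connection ID (32 bits)
                Need(p, 8);
                return new L2tpV3ControlHeader(BinaryPrimitives.ReadUInt32BigEndian(p.Slice(4)));
            case 3: // RFC 3931 data over UDP: flags, reserved (16 bits), session ID (32 bits)
                Need(p, 8);
                return new L2tpV3DataHeader(BinaryPrimitives.ReadUInt32BigEndian(p.Slice(4)));
            default:
                throw new NotSupportedException("unsupported L2TP version");
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: L2TPv3 data header over UDP, session ID 4000 (0x00000FA0).
        byte[] v3 = { 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x0F, 0xA0 };
        Console.WriteLine(L2tpParser.Parse(v3));
        // Same bytes read with the v2 layout: offset 4 holds only the high half of the 32-bit ID.
        Console.WriteLine(BinaryPrimitives.ReadUInt16BigEndian(v3.AsSpan(4)));
    }
}
```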