CrabeDeFrance / rtshark

Rust interface to tshark application

Fix missing tcp.reassembled.data field #16

Closed lrstewart closed 3 months ago

lrstewart commented 3 months ago

I couldn't get any metadata for "tcp.reassembled.data" when reading a packet capture that included a TLS record fragmented across multiple TCP segments.

I could see "tcp.reassembled.data" when I ran tshark like `tshark -r tcp_fragmentation.pcap -Tpdml -Y "tls.handshake.type == 1"`. But it was in a "fake-field-wrapper" proto tag instead of the "tcp" proto tag. A snippet of the output:

```xml
    <field name="tcp.payload" showname="TCP payload (76 bytes)" size="76" pos="66" show="08:22:ea:fb:ea:31:63:cf:00:0d:00:1a:00:18:04:03:05:03:06:03:08:09:08:0a:08:0b:08:04:08:05:08:06:04:01:05:01:06:01:00:00:00:0e:00:0c:00:00:09:6c:6f:63:61:6c:68:6f:73:74:00:23:00:00:00:0b:00:02:01:00:00:2d:00:02:01:01:00:17:00:00" value="0822eafbea3163cf000d001a00180403050306030809080a080b0804080508060401050106010000000e000c0000096c6f63616c686f737400230000000b00020100002d0002010100170000"/>
    <field name="tcp.segment_data" showname="TCP segment data (76 bytes)" size="76" pos="66" show="08:22:ea:fb:ea:31:63:cf:00:0d:00:1a:00:18:04:03:05:03:06:03:08:09:08:0a:08:0b:08:04:08:05:08:06:04:01:05:01:06:01:00:00:00:0e:00:0c:00:00:09:6c:6f:63:61:6c:68:6f:73:74:00:23:00:00:00:0b:00:02:01:00:00:2d:00:02:01:01:00:17:00:00" value="0822eafbea3163cf000d001a00180403050306030809080a080b0804080508060401050106010000000e000c0000096c6f63616c686f737400230000000b00020100002d0002010100170000"/>
  </proto>
  <proto name="fake-field-wrapper">
    <field name="tcp.segments" showname="3 Reassembled TCP Segments (276 bytes): #4(100), #6(100), #8(76)" size="276" pos="0" show="" value="">
      <field name="tcp.segment" showname="Frame: 4, payload: 0-99 (100 bytes)" size="100" pos="0" show="4" value="160301010f0100010b03030c75d691da75e769771ebc1b2d71ac3ea2a2699f916053ae66a8c520f5be0f732045b0051cc856969b74e9f2a9be7c64a604e249fec97f85c46bd89f72c7365f39001c130113021303c02bc02fc02cc030cca9cca8c024c028"/>
      <field name="tcp.segment" showname="Frame: 6, payload: 100-199 (100 bytes)" size="100" pos="100" show="6" value="c023c02700ff010000a6002b00050403040303000a000a00080017001d0018001900330047004500170041046cd3fdfba2cd1d07fe7ea401fb15b949be79c5cc02f2672840a8bb8243e1977714944d44cbc157ac51eae2ef4b934c6dbdede825fb1bdbf4"/>
      <field name="tcp.segment" showname="Frame: 8, payload: 200-275 (76 bytes)" size="76" pos="200" show="8" value="0822eafbea3163cf000d001a00180403050306030809080a080b0804080508060401050106010000000e000c0000096c6f63616c686f737400230000000b00020100002d0002010100170000"/>
      <field name="tcp.segment.count" showname="Segment count: 3" size="0" pos="0" show="3"/>
      <field name="tcp.reassembled.length" showname="Reassembled TCP length: 276" size="0" pos="0" show="276"/>
      <field name="tcp.reassembled.data" showname="Reassembled TCP Data [truncated]: 160301010f0100010b03030c75d691da75e769771ebc1b2d71ac3ea2a2699f916053ae66a8c520f5be0f732045b0051cc856969b74e9f2a9be7c64a604e249fec97f85c46bd89f72c7365f39001c130113021303c02bc02fc02cc030cca9cca8c024c028c023c" size="276" pos="0" show="16:03:01:01:0f:01:00:01:0b:03:03:0c:75:d6:91:da:75:e7:69:77:1e:bc:1b:2d:71:ac:3e:a2:a2:69:9f:91:60:53:ae:66:a8:c5:20:f5:be:0f:73:20:45:b0:05:1c:c8:56:96:9b:74:e9:f2:a9:be:7c:64:a6:04:e2:49:fe:c9:7f:85:c4:6b:d8:9f:72:c7:36:5f:39:00:1c:13:01:13:02:13:03:c0:2b:c0:2f:c0:2c:c0:30:cc:a9:cc:a8:c0:24:c0:28:c0:23:c0:27:00:ff:01:00:00:a6:00:2b:00:05:04:03:04:03:03:00:0a:00:0a:00:08:00:17:00:1d:00:18:00:19:00:33:00:47:00:45:00:17:00:41:04:6c:d3:fd:fb:a2:cd:1d:07:fe:7e:a4:01:fb:15:b9:49:be:79:c5:cc:02:f2:67:28:40:a8:bb:82:43:e1:97:77:14:94:4d:44:cb:c1:57:ac:51:ea:e2:ef:4b:93:4c:6d:bd:ed:e8:25:fb:1b:db:f4:08:22:ea:fb:ea:31:63:cf:00:0d:00:1a:00:18:04:03:05:03:06:03:08:09:08:0a:08:0b:08:04:08:05:08:06:04:01:05:01:06:01:00:00:00:0e:00:0c:00:00:09:6c:6f:63:61:6c:68:6f:73:74:00:23:00:00:00:0b:00:02:01:00:00:2d:00:02:01:01:00:17:00:00" value="..."/>
    </field>
  </proto>
  <proto name="tls" showname="Transport Layer Security" size="276" pos="0">
    <field name="tls.record" showname="TLSv1 Record Layer: Handshake Protocol: Client Hello" size="276" pos="0" show="" value="">
```

The problem seems to be that rtshark ignores all "fake-field-wrapper" tags, making all the tcp fragmentation information unreachable.

This change tries to fix the problem by inferring the real protocol from the field name. "tcp.reassembled.data" is pretty clear that it's part of tcp. To be extra cautious, I required that the protocol inferred from the field name match the last protocol read, not just any existing protocol.
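The inference rule described in this PR, as an added stand-alone Rust example that is not rtshark's code: fields under tshark's synthetic "fake-field-wrapper" proto are re-attributed to the last real protocol only when the prefix of the field name (the part before the first dot) matches it; anything else stays unreachable, as before. The `PdmlField`, `Proto`, `Field` types, the function names and the flat event stream (a simplified stand-in for the nested `<proto>`/`<field>` tags above, with constructed, shortened values) are assumptions for illustration. The practical reason this matters is that a TLS ClientHello split across several TCP segments is only visible as a whole in `tcp.reassembled.data`; a tool that reads `tcp.payload` alone sees one fragment per frame.

```rust
// Added example (not rtshark code): re-attributing "fake-field-wrapper" fields
// to the protocol their name implies, restricted to the last protocol seen.

#[derive(Debug, Clone, PartialEq)]
pub struct Field {
    pub name: String,
    pub show: String,
}

#[derive(Debug, Clone, PartialEq)]
pub struct Proto {
    pub name: String,
    pub fields: Vec<Field>,
}

/// One flattened PDML event: the <proto> a <field> was found under, plus the field.
#[derive(Debug, Clone)]
pub struct PdmlField {
    pub proto: String,
    pub field: Field,
}

/// Name tshark gives the synthetic proto that carries reassembly metadata.
pub const FAKE_WRAPPER: &str = "fake-field-wrapper";

/// Infer the owning protocol from a dotted field name:
/// "tcp.reassembled.data" -> Some("tcp"); a name without a dot -> None.
pub fn infer_proto(field_name: &str) -> Option<&str> {
    field_name.split_once('.').map(|(proto, _)| proto)
}

/// Build the protocol list from a flat event stream. Fields under the fake
/// wrapper are appended to the most recent real protocol only if the inferred
/// prefix equals that protocol's name; otherwise they are dropped (the cautious
/// behaviour the PR text describes). Regular fields open or extend a proto entry.
pub fn build_protos(events: &[PdmlField]) -> Vec<Proto> {
    let mut protos: Vec<Proto> = Vec::new();
    for ev in events {
        if ev.proto == FAKE_WRAPPER {
            if let Some(last) = protos.last_mut() {
                if infer_proto(&ev.field.name) == Some(last.name.as_str()) {
                    last.fields.push(ev.field.clone());
                }
            }
            continue; // never materialise "fake-field-wrapper" as a protocol
        }
        match protos.last_mut() {
            Some(last) if last.name == ev.proto => last.fields.push(ev.field.clone()),
            _ => protos.push(Proto { name: ev.proto.clone(), fields: vec![ev.field.clone()] }),
        }
    }
    protos
}

/// Look up the `show` value of `field` under the protocol named `proto`.
pub fn field_show(protos: &[Proto], proto: &str, field: &str) -> Option<String> {
    protos
        .iter()
        .find(|p| p.name == proto)?
        .fields
        .iter()
        .find(|f| f.name == field)
        .map(|f| f.show.clone())
}

/// Constructed event stream mirroring the PDML snippet in the PR (values shortened).
pub fn sample_events() -> Vec<PdmlField> {
    let f = |proto: &str, name: &str, show: &str| PdmlField {
        proto: proto.to_string(),
        field: Field { name: name.to_string(), show: show.to_string() },
    };
    vec![
        f("tcp", "tcp.payload", "08:22:ea:fb"),
        f("tcp", "tcp.segment_data", "08:22:ea:fb"),
        f(FAKE_WRAPPER, "tcp.segment.count", "3"),
        f(FAKE_WRAPPER, "tcp.reassembled.length", "276"),
        f(FAKE_WRAPPER, "tcp.reassembled.data", "16:03:01:01:0f"),
        f(FAKE_WRAPPER, "frame.fake", "x"), // prefix "frame" != last proto "tcp": dropped
        f("tls", "tls.record", ""),
    ]
}

fn main() {
    for p in build_protos(&sample_events()) {
        let names: Vec<&str> = p.fields.iter().map(|f| f.name.as_str()).collect();
        println!("{}: {:?}", p.name, names);
    }
}
```

With the sample stream, the `tcp` entry ends up carrying `tcp.segment.count`, `tcp.reassembled.length` and `tcp.reassembled.data`, no `fake-field-wrapper` protocol is emitted, and the mismatched `frame.fake` field is discarded rather than attached to `tcp`.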