USArmyResearchLab / Dshell

Dshell is a network forensic analysis framework.

Custom ErrorH for Followstream #98

Closed amm3 closed 7 years ago

amm3 commented 7 years ago

Custom error handler changed to not report missing bytes when expected sequence number is 0. This condition occurs when using the --followstream_ignore_handshake flag even though no bytes were dropped.

Yes, there is an outside chance that the real expected sequence would be 0, but it seems like a low enough chance to implement this way. Thoughts?

dev195 commented 7 years ago

As I dig through the code, I think this issue might be a symptom of something deeper with how sequence numbers are handled with --followstream_ignore_handshake active. When I run it, I sometimes get data out of order and constant reports of missing byte sequences; not having the flag shows a pristine connection reconstruction.

I'm putting this pull request on hold until I can sort out the bigger issue. There will likely be another update soon (hopefully) that should fix the bigger issues I'm seeing. If all goes well, it should make this pull request unnecessary.

amm3 commented 7 years ago

Good point. Digging in a little further, I think I see the problem. The Connection constructor sets a default nextoffset for each direction to 0. These are reinitialized to tcp.seq + 1 from the SYN in each direction when not invoking ignore_handshake.

I may see an easy fix.
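The failure mode described in this thread, as an added illustration that is not Dshell's own code: a minimal one-direction TCP reassembler whose expected sequence number is either taken from the SYN (`isn + 1`), defaulted to 0 (the behaviour the comment above attributes to the Connection constructor when the handshake is skipped), or learned lazily from the first data segment seen. The `Segment` class, the `reassemble` function and the sample segments are constructed for this example; the constants are not Dshell identifiers.

```python
# Added example (not Dshell code): why a default expected sequence of 0
# produces a spurious "missing bytes" report when no SYN was observed.

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap


class Segment:
    """A TCP segment reduced to the two fields the reassembler needs."""

    def __init__(self, seq, payload):
        self.seq = seq & MASK
        self.payload = payload


def reassemble(segments, isn=None, zero_default=False):
    """Reassemble one direction of a TCP stream.

    isn:          ISN from the SYN when the handshake was seen; the next
                  expected data byte is then isn + 1.
    zero_default: with no SYN, start the expected sequence at 0 (the
                  behaviour the PR thread describes); otherwise anchor on
                  the first data segment instead.
    Returns (data, gaps) where gaps is a list of (expected, got, nbytes)
    tuples, one per forward jump in the sequence space.
    """
    if isn is not None:
        nextseq = (isn + 1) & MASK
    elif zero_default:
        nextseq = 0
    else:
        nextseq = None  # unknown until the first segment arrives

    data = bytearray()
    gaps = []
    for seg in segments:
        if nextseq is None:
            nextseq = seg.seq  # handshake not observed: trust the first segment
        delta = (seg.seq - nextseq) & MASK
        if delta == 0:
            payload = seg.payload
        elif delta < 0x80000000:
            # Forward jump: bytes in [nextseq, seg.seq) were never seen.
            gaps.append((nextseq, seg.seq, delta))
            nextseq = seg.seq
            payload = seg.payload
        else:
            # Segment starts before nextseq: retransmission or overlap,
            # so drop the prefix that is already stored.
            overlap = (nextseq - seg.seq) & MASK
            payload = seg.payload[overlap:]
        data += payload
        nextseq = (nextseq + len(payload)) & MASK
    return bytes(data), gaps


# Constructed sample: a request split over three segments after ISN 1000.
SAMPLE_ISN = 1000
SAMPLE = [
    Segment(1001, b"GET "),
    Segment(1005, b"/ HT"),
    Segment(1009, b"TP/1.1\r\n"),
]


if __name__ == "__main__":
    print("with SYN:        ", reassemble(SAMPLE, isn=SAMPLE_ISN))
    print("zero default:    ", reassemble(SAMPLE, zero_default=True))
    print("lazy anchor:     ", reassemble(SAMPLE))
    print("segment dropped: ", reassemble([SAMPLE[0], SAMPLE[2]], isn=SAMPLE_ISN))
```

With the SYN present or with the lazy anchor, the three segments reassemble cleanly and no gap is reported; with the zero default, the very first segment is reported as a 1001-byte gap even though nothing was dropped, which is the spurious report the error handler in this pull request was meant to suppress. A genuinely dropped segment still shows up as a gap in every mode, so the lazy anchor does not hide real loss.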

amm3 commented 7 years ago

This pull is unnecessary with #99.