microsoft / etl2pcapng

Utility that converts an .etl file containing a Windows network packet capture into .pcapng format.
MIT License

Automatically infer original fragment length for truncated fragments (Raw/Ethernet) #27

Closed csujedihy closed 3 years ago

csujedihy commented 3 years ago

Currently, if packets were captured using packettruncatebytes=<size>, Wireshark's TCP analysis will be confused when parsing these truncated packets and you will see lots of bogus "[TCP Previous segment not captured]" and "[TCP ACKed unseen segment]".

With this PR, etl2pcapng will parse Ethernet and IP headers and infer the original length of packets and assign the length to PCAPNG_ENHANCED_PACKET_BODY::PacketLength. Note that doing so will not increase the converted file size.

Limitations:

  1. Does not work with LSO v2 packets since the length field is not filled in the IPv4/6 headers.

Demo (screenshot): Left - before this PR; Right - after this PR.


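The inference the PR description above applies, as an added example written for this page (not etl2pcapng's own code): parse the Ethernet header (optionally 802.1Q tagged) or a raw IP packet, read the IPv4 Total Length or IPv6 Payload Length, and compute the value that belongs in the Enhanced Packet Block's Original Packet Length field while Captured Packet Length stays at the truncated size. It also covers the two cases where nothing can be inferred: the capture stops before the length field, or the field is zero, which is what an LSO v2 segment larger than 65535 bytes leaves behind; both fall back to the captured length. The frame builder, the function names and the 54-byte truncation point are this example's own constructed assumptions; the link-type numbers are pcapng's.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LINKTYPE_ETHERNET 1
#define LINKTYPE_RAW      101   /* raw IPv4/IPv6 with no link-layer header */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Length of the IP packet at ip[0..avail), or 0 when it cannot be known:
 * too few bytes captured, unknown IP version, or a zero length field
 * (LSO v2 segments and IPv6 jumbograms exceed 65535 bytes, so the field
 * is left unset and the real length is not recoverable from the header). */
static uint32_t ip_packet_len(const uint8_t *ip, size_t avail)
{
    if (avail < 1) return 0;
    switch (ip[0] >> 4) {
    case 4:
        if (avail < 4) return 0;
        return be16(ip + 2);                    /* IPv4 Total Length includes the header */
    case 6: {
        if (avail < 6) return 0;
        uint32_t payload = be16(ip + 4);        /* IPv6 Payload Length excludes the 40-byte header */
        return payload ? 40 + payload : 0;
    }
    default:
        return 0;
    }
}

/* Original wire length for a possibly truncated packet; returns captured_len
 * whenever the headers do not allow an inference. */
uint32_t infer_original_len(const uint8_t *buf, size_t captured_len, int link_type)
{
    size_t hdr = 0;
    if (link_type == LINKTYPE_ETHERNET) {
        if (captured_len < 14) return (uint32_t)captured_len;
        uint16_t ethertype = be16(buf + 12);
        hdr = 14;
        if (ethertype == 0x8100) {              /* 802.1Q tag adds 4 bytes before the EtherType */
            if (captured_len < 18) return (uint32_t)captured_len;
            ethertype = be16(buf + 16);
            hdr = 18;
        }
        if (ethertype != 0x0800 && ethertype != 0x86DD)
            return (uint32_t)captured_len;      /* ARP, LLDP, ...: no IP length to read */
    } else if (link_type != LINKTYPE_RAW) {
        return (uint32_t)captured_len;
    }
    uint32_t iplen = ip_packet_len(buf + hdr, captured_len - hdr);
    if (iplen == 0) return (uint32_t)captured_len;
    uint32_t original = (uint32_t)hdr + iplen;
    /* Minimum-size Ethernet frames are padded past the IP packet, and the
     * original length can never be smaller than what was actually captured. */
    return original > captured_len ? original : (uint32_t)captured_len;
}

/* Constructed test frame (assumption of this example): zero MACs, optional
 * 802.1Q tag, then an IPv4 or IPv6 header whose length field is len_field,
 * zero-filled and cut to `captured` bytes as packettruncatebytes would. */
static size_t build_frame(uint8_t *out, size_t cap, int vlan, int v6,
                          uint16_t len_field, size_t captured)
{
    size_t off = 12;                            /* destination + source MAC, filler */
    memset(out, 0, cap);
    if (vlan) { out[off++] = 0x81; out[off++] = 0x00; out[off++] = 0x00; out[off++] = 0x01; }
    if (v6) {
        out[off++] = 0x86; out[off++] = 0xDD;
        out[off] = 0x60;                        /* version 6 */
        out[off + 4] = (uint8_t)(len_field >> 8); out[off + 5] = (uint8_t)len_field;
    } else {
        out[off++] = 0x08; out[off++] = 0x00;
        out[off] = 0x45;                        /* version 4, IHL 5 */
        out[off + 2] = (uint8_t)(len_field >> 8); out[off + 3] = (uint8_t)len_field;
    }
    return captured < cap ? captured : cap;
}

uint32_t infer_sample(int vlan, int v6, uint16_t len_field, size_t captured)
{
    uint8_t frame[128];
    size_t n = build_frame(frame, sizeof frame, vlan, v6, len_field, captured);
    return infer_original_len(frame, n, LINKTYPE_ETHERNET);
}

/* Same inference on the IP packet alone, as a LINKTYPE_RAW capture would present it. */
uint32_t infer_raw_sample(int v6, uint16_t len_field, size_t captured)
{
    uint8_t frame[128];
    size_t n = build_frame(frame, sizeof frame, 0, v6, len_field, captured + 14);
    return infer_original_len(frame + 14, n - 14, LINKTYPE_RAW);
}

int main(void)
{
    printf("IPv4 Total Length 1500, 54 bytes captured -> original %u\n", infer_sample(0, 0, 1500, 54));
    printf("IPv6 Payload Length 1440, 54 bytes captured -> original %u\n", infer_sample(0, 1, 1440, 54));
    printf("LSO v2 (zero Total Length), 54 bytes captured -> original %u (left as captured)\n",
           infer_sample(0, 0, 0, 54));
    return 0;
}
```

The fallback matters for the consistency concern raised later in the thread: a packet whose length could not be inferred keeps PacketLength equal to the captured length, which is exactly what Wireshark already shows for any truncated capture, so such packets are no worse off than before, they just do not get the improvement.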

maolson-msft commented 3 years ago

Why isn't the length filled in LSO IP headers?

I'm concerned that having only SOME packets have the correct original length but others have only the truncated length is worse in some ways than them all consistently having the truncated length. Sort of the way that if every plank on a suspension bridge is obviously rotted, you won't cross the bridge at all, but if 90% of the planks are sturdy, you will fall to your death.

csujedihy commented 3 years ago

> Why isn't the length filled in LSO IP headers?
>
> I'm concerned that having only SOME packets have the correct original length but others have only the truncated length is worse in some ways than them all consistently having the truncated length. Sort of the way that if every plank on a suspension bridge is obviously rotted, you won't cross the bridge at all, but if 90% of the planks are sturdy, you will fall to your death.

In LSO v2, an LSO packet can be larger than 65535 bytes. So it can't fit in the length field. Currently etl2pcapng does not handle LSO v2 packets well as AuxFragBuf is only 65535 bytes. Packets larger than 64K will be truncated by default.

I am not too concerned that some packets are still truncated. It's very easy to tell in Wireshark. Or we can add a knob for this?

maolson-msft commented 3 years ago

> Why isn't the length filled in LSO IP headers? I'm concerned that having only SOME packets have the correct original length but others have only the truncated length is worse in some ways than them all consistently having the truncated length. Sort of the way that if every plank on a suspension bridge is obviously rotted, you won't cross the bridge at all, but if 90% of the planks are sturdy, you will fall to your death.
>
> In LSO v2, an LSO packet can be larger than 65535 bytes. So it can't fit in the length field. ~Currently etl2pcapng does not handle LSO v2 packets well as AuxFragBuf is only 65535 bytes.~ Packets larger than 64K will be truncated by default.
>
> I am not too concerned that some packets are still truncated. It's very easy to tell in Wireshark. Or we can add a knob for this?

OK, I guess the benefit outweighs the cost here. Proceed :)