phaethon / kamene

Network packet and pcap file crafting/sniffing/manipulation/visualization security tool. Originally forked from scapy in 2015 and providing python3 compatibility since then.
GNU General Public License v2.0
863 stars 193 forks

UDP packets split over multiple ethernet frames are not merged into the right session on sessions() call #4

Open ortylp opened 9 years ago

ortylp commented 9 years ago

Use case:

  1. read pcap file containing "large" UDP/IP packets (split across many ethernet frames)
  2. try to split the data stream into sessions

Result: in case of 3 UDP source/destination sessions the data is split into 4 lists. Three of them contain ethernet frames with UDP headers matching the three sessions; the fourth one contains all other ethernet frames that do not contain UDP headers and are the missing fragments of those UDP packets.

Expected result: all ethernet frames with IP headers get included into the correct one of those 3 sessions.

Should this issue be handled here or in the python 2 upstream?

phaethon commented 9 years ago

Can you provide sample .pcap? There is no upstream for this project. It was forked, and it lives fully independently.

ortylp commented 9 years ago

Unfortunately I cannot give you the live data. I would have to generate one. I'll try to write a small python script that sends such packets. The UDP datagrams are about 6 KB large, so that you get them split into 5 ethernet frames.

Wireshark shows them like this:

  1. IP ID=x at offset b
  2. IP ID=x at offset c
  3. IP ID=x at offset d
  4. IP ID=x at offset e
  5. IP ID=x at offset 0 (this one contains also UDP header)
  6. IP ID=x+1 at offset b
  7. IP ID=x+1 at offset c
  8. IP ID=x+1 at offset d
  9. IP ID=x+1 at offset e
  10. IP ID=x+1 at offset 0 (this one contains also UDP header)

where 0 < b < c < d < e.

What is to be observed here is that:

The behaviour of scapy is that these 10 packets would get split into two sessions: one would contain ethernet frames 5 and 10 (only those contain UDP headers), the other one 1, 2, 3, 4, 6, 7, 8, 9.

Warning: if you record with tcpdump and filter on UDP port number, you catch only frame 5 and 10, the rest gets omitted. This is actually a bug in tcpdump, with status WONTFIX because they want filters to be stateless... :(
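The two groupings discussed in this thread, as an added example in plain Python (not kamene's or scapy's own code): a naive per-frame key that buckets by UDP header, beside a two-pass key that first learns the UDP 5-tuple from each offset-0 fragment and then files every fragment sharing the same (src, dst, proto, IP ID) under it, even when the offset-0 fragment is captured last as in the trace above. The frame dicts, addresses, ports and fragment offsets are constructed sample data.

```python
from collections import defaultdict

def datagram_key(frame):
    """Reassembly identity: fragments of one IP datagram share (src, dst, proto, id)."""
    return (frame["src"], frame["dst"], frame["proto"], frame["ip_id"])

def udp_session_name(frame):
    """Session label built from the UDP header (only present at fragment offset 0)."""
    return "UDP %s:%d > %s:%d" % (frame["src"], frame["sport"], frame["dst"], frame["dport"])

def naive_sessions(frames):
    """Per-frame keying as described in the issue: a frame without a UDP header
    cannot be attributed to a session, so all such fragments land in one bucket."""
    sessions = defaultdict(list)
    for f in frames:
        sessions[udp_session_name(f) if "sport" in f else "Other"].append(f)
    return dict(sessions)

def fragment_aware_sessions(frames):
    """Two passes over the capture: pass 1 learns the 5-tuple from each offset-0
    fragment, pass 2 assigns every fragment of the same datagram to that session,
    regardless of capture order. Datagrams whose first fragment is missing from
    the capture (e.g. filtered out by a stateless port filter) stay separate."""
    first_fragment_session = {}
    for f in frames:
        if f["frag_offset"] == 0:
            first_fragment_session[datagram_key(f)] = udp_session_name(f)
    sessions = defaultdict(list)
    for f in frames:
        sessions[first_fragment_session.get(datagram_key(f), "unreassembled")].append(f)
    return dict(sessions)

def make_fragments(ip_id, offsets, src="10.0.0.1", dst="10.0.0.2", sport=5000, dport=6000):
    """Constructed sample: one ~6 KB UDP datagram split into len(offsets) frames.
    Offsets are in 8-byte units (1480-byte fragments -> steps of 185); putting 0
    last mimics the capture order shown in the issue."""
    frames = []
    for off in offsets:
        f = {"src": src, "dst": dst, "proto": 17, "ip_id": ip_id, "frag_offset": off}
        if off == 0:
            f.update(sport=sport, dport=dport)
        frames.append(f)
    return frames

# Two consecutive datagrams (IP ID x and x+1), five fragments each, offset 0 captured last.
SAMPLE = make_fragments(0x1234, [185, 370, 555, 740, 0]) + make_fragments(0x1235, [185, 370, 555, 740, 0])
```

`naive_sessions(SAMPLE)` reproduces the two-bucket split reported above (2 frames with UDP headers, 8 without), while `fragment_aware_sessions(SAMPLE)` returns a single session holding all 10 frames.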