-m tcp module not working

[aziel12]

Hello, I am testing latest satori with -m tcp module on pcap file bigFlows.pcap from https://tcpreplay.appneta.com/wiki/captures.html. I get no (empty) result from satori. I tested other pcap files too, but same behaviour. DHCP module is working, but TCP not. Cmd: python3 satori.py -r bigFlows.pcap -m tcp Any ideas what can I recheck? Thanks

[xnih]

So for me it worked fine:

root@ubuntu:/home/xnih/satori# python3 ./satori.py -m tcp -r /home/xnih/Downloads/bigFlows.pcap | more 2013-02-26T22:02:35.959911;172.16.133.103;00:21:70:67:6A:E7;TCP;S;8192:128:1:52:M1460,N,W8,N,N,S:T;Windows 10 - 1607:5|Windows 10 - 1803:5|Windows 7:5|Windows 7 SP1:5|Windows 8.1:5|Windows Server 2008 R2:5 2013-02-26T22:02:35.967166;172.16.133.13;00:21:70:67:6E:72;TCP;S;8192:128:1:52:M1460,N,W2,N,N,S:T;Windows 7 SP1:5 2013-02-26T22:02:35.967228;172.16.133.13;00:90:7F:3E:02:D0;TCP;S;8192:128:1:52:M1460,N,W2,N,N,S:T;Windows 7 SP1:5 2013-02-26T22:02:36.006581;172.16.133.82;00:21:70:63:3B:AD;TCP;S;8192:128:1:52:M1460,N,W8,N,N,S:T;Windows 10 - 1607:5|Windows 10 - 1803:5|Windows 7:5|Windows 7 SP1:5|Windows 8.1:5|Windows Server 2008 R2:5 2013-02-26T22:02:36.015442;172.16.133.36;14:10:9F:D3:EC:9D;TCP;S;65535:64:1:64:M1460,N,W4,N,N,T,S,E,E:P;Apple TV OS 14.2.x:5 2013-02-26T22:02:36.015754;172.16.133.20;00:21:70:67:6A:E4;TCP;S;8192:128:1:52:M1460,N,W2,N,N,S:T;Windows 7 SP1:5 2013-02-26T22:02:36.015816;172.16.133.20;00:90:7F:3E:02:D0;TCP;S;8192:128:1:52:M1460,N,W2,N,N,S:T;Windows 7 SP1:5 2013-02-26T22:02:36.016950;172.16.133.103;00:21:70:67:6A:E7;TCP;S;8192:128:1:52:M1460,N,W8,N,N,S:T;Windows 10 - 1607:5|Windows 10 - 1803:5|Windows 7:5|Windows 7 SP1:5|Windows 8.1:5|Windows Server 2008 R2:5 2013-02-26T22:02:36.018833;172.16.133.103;00:21:70:67:6A:E7;TCP;S;8192:128:1:52:M1460,N,W8,N,N,S:T;Windows 10 - 1607:5|Windows 10 - 1803:5|Windows 7:5|Windows 7 SP1:5|Windows 8.1:5|Windows Server 2008 R2:5

So some questions:

• What OS are you running
• What is the date on satoriTCP.py
• What type of CPU (possible I'm making assumptions on endien-ness, ie how it reads 0010 vs reading it as 1000
• What version of pypacker are you running? For me I checked with:

  pip3 freeze | grep pypacker pypacker==4.9

I haven't specifically tried to update pypacker and it is what is used for the packet manipulation so possible something in it.

Does reading TCP work on a live feed instead of from reading in a pcap?

[aziel12]

issue was pypacker==5.0, reinstalled to ver.4.9, it worked. case can be closed, thanks.

[xnih]

Will leave open for now, evidently I need to update pypacker to 5.0 and test what is going on that broke it.

[xnih]

So found the issue: [df, mf, offset] = computeIPOffset(ip4.off)

pypacker changed it from .off to .frag_off in version 5.

So I need to add some code that will verify if it is running pypacker 4.9 or below and keep old one with just .off or if 5.0 or greater and do .frag_off

Notes for myself: Will try to detect with:

import pkg_resources pkg_resources.get_distribution('pypacker').version

Thanks for reporting the problem! I also need to add some try ... except in there a bit to at least throw an error too!

[aziel12]

sure, to your other questions:

What OS are you running: Ubuntu 18.05 LTS
What is the date on satoriTCP.py: Dont know what exactly you mean, in source code I didnt find anything where you can set time
What type of CPU: AMD Threadripper, Virtualbox 6.1
What version of pypacker are you running? 5.0

[xnih]

Implemented fix to handle 4.9 or before and 5.0 or above with the pypacker .off vs .frag_off

thanks for reporting, feel free to update satori and pypacker if/when you want.