
Fix missing tcp.reassembled.data field #16

Merged
Jun 24, 2024

lrstewart (Contributor)

I couldn't get any metadata for "tcp.reassembled.data" when reading a packet capture that included a TLS record fragmented across multiple TCP segments.

I could see "tcp.reassembled.data" when I ran tshark like `tshark -r tcp_fragmentation.pcap -Tpdml -Y "tls.handshake.type == 1"`. But it was in a "fake-field-wrapper" proto tag instead of the "tcp" proto tag. A snippet of the output:

    <field name="tcp.payload" showname="TCP payload (76 bytes)" size="76" pos="66" show="08:22:ea:fb:ea:31:63:cf:00:0d:00:1a:00:18:04:03:05:03:06:03:08:09:08:0a:08:0b:08:04:08:05:08:06:04:01:05:01:06:01:00:00:00:0e:00:0c:00:00:09:6c:6f:63:61:6c:68:6f:73:74:00:23:00:00:00:0b:00:02:01:00:00:2d:00:02:01:01:00:17:00:00" value="0822eafbea3163cf000d001a00180403050306030809080a080b0804080508060401050106010000000e000c0000096c6f63616c686f737400230000000b00020100002d0002010100170000"/>
    <field name="tcp.segment_data" showname="TCP segment data (76 bytes)" size="76" pos="66" show="08:22:ea:fb:ea:31:63:cf:00:0d:00:1a:00:18:04:03:05:03:06:03:08:09:08:0a:08:0b:08:04:08:05:08:06:04:01:05:01:06:01:00:00:00:0e:00:0c:00:00:09:6c:6f:63:61:6c:68:6f:73:74:00:23:00:00:00:0b:00:02:01:00:00:2d:00:02:01:01:00:17:00:00" value="0822eafbea3163cf000d001a00180403050306030809080a080b0804080508060401050106010000000e000c0000096c6f63616c686f737400230000000b00020100002d0002010100170000"/>
  </proto>
  <proto name="fake-field-wrapper">
    <field name="tcp.segments" showname="3 Reassembled TCP Segments (276 bytes): #4(100), #6(100), #8(76)" size="276" pos="0" show="" value="">
      <field name="tcp.segment" showname="Frame: 4, payload: 0-99 (100 bytes)" size="100" pos="0" show="4" value="160301010f0100010b03030c75d691da75e769771ebc1b2d71ac3ea2a2699f916053ae66a8c520f5be0f732045b0051cc856969b74e9f2a9be7c64a604e249fec97f85c46bd89f72c7365f39001c130113021303c02bc02fc02cc030cca9cca8c024c028"/>
      <field name="tcp.segment" showname="Frame: 6, payload: 100-199 (100 bytes)" size="100" pos="100" show="6" value="c023c02700ff010000a6002b00050403040303000a000a00080017001d0018001900330047004500170041046cd3fdfba2cd1d07fe7ea401fb15b949be79c5cc02f2672840a8bb8243e1977714944d44cbc157ac51eae2ef4b934c6dbdede825fb1bdbf4"/>
      <field name="tcp.segment" showname="Frame: 8, payload: 200-275 (76 bytes)" size="76" pos="200" show="8" value="0822eafbea3163cf000d001a00180403050306030809080a080b0804080508060401050106010000000e000c0000096c6f63616c686f737400230000000b00020100002d0002010100170000"/>
      <field name="tcp.segment.count" showname="Segment count: 3" size="0" pos="0" show="3"/>
      <field name="tcp.reassembled.length" showname="Reassembled TCP length: 276" size="0" pos="0" show="276"/>
      <field name="tcp.reassembled.data" showname="Reassembled TCP Data [truncated]: 160301010f0100010b03030c75d691da75e769771ebc1b2d71ac3ea2a2699f916053ae66a8c520f5be0f732045b0051cc856969b74e9f2a9be7c64a604e249fec97f85c46bd89f72c7365f39001c130113021303c02bc02fc02cc030cca9cca8c024c028c023c" size="276" pos="0" show="16:03:01:01:0f:01:00:01:0b:03:03:0c:75:d6:91:da:75:e7:69:77:1e:bc:1b:2d:71:ac:3e:a2:a2:69:9f:91:60:53:ae:66:a8:c5:20:f5:be:0f:73:20:45:b0:05:1c:c8:56:96:9b:74:e9:f2:a9:be:7c:64:a6:04:e2:49:fe:c9:7f:85:c4:6b:d8:9f:72:c7:36:5f:39:00:1c:13:01:13:02:13:03:c0:2b:c0:2f:c0:2c:c0:30:cc:a9:cc:a8:c0:24:c0:28:c0:23:c0:27:00:ff:01:00:00:a6:00:2b:00:05:04:03:04:03:03:00:0a:00:0a:00:08:00:17:00:1d:00:18:00:19:00:33:00:47:00:45:00:17:00:41:04:6c:d3:fd:fb:a2:cd:1d:07:fe:7e:a4:01:fb:15:b9:49:be:79:c5:cc:02:f2:67:28:40:a8:bb:82:43:e1:97:77:14:94:4d:44:cb:c1:57:ac:51:ea:e2:ef:4b:93:4c:6d:bd:ed:e8:25:fb:1b:db:f4:08:22:ea:fb:ea:31:63:cf:00:0d:00:1a:00:18:04:03:05:03:06:03:08:09:08:0a:08:0b:08:04:08:05:08:06:04:01:05:01:06:01:00:00:00:0e:00:0c:00:00:09:6c:6f:63:61:6c:68:6f:73:74:00:23:00:00:00:0b:00:02:01:00:00:2d:00:02:01:01:00:17:00:00" value="160301010f0100010b03030c75d691da75e769771ebc1b2d71ac3ea2a2699f916053ae66a8c520f5be0f732045b0051cc856969b74e9f2a9be7c64a604e249fec97f85c46bd89f72c7365f39001c130113021303c02bc02fc02cc030cca9cca8c024c028c023c02700ff010000a6002b00050403040303000a000a00080017001d0018001900330047004500170041046cd3fdfba2cd1d07fe7ea401fb15b949be79c5cc02f2672840a8bb8243e1977714944d44cbc157ac51eae2ef4b934c6dbdede825fb1bdbf40822eafbea3163cf000d001a00180403050306030809080a080b0804080508060401050106010000000e000c0000096c6f63616c686f737400230000000b00020100002d0002010100170000"/>
  </field>
  </proto>
  <proto name="tls" showname="Transport Layer Security" size="276" pos="0">
    <field name="tls.record" showname="TLSv1 Record Layer: Handshake Protocol: Client Hello" size="276" pos="0" show="" value="">

The problem seems to be that rtshark ignores all "fake-field-wrapper" tags, making all the tcp fragmentation information unreachable.

This change tries to fix the problem by inferring the real protocol from the field name. "tcp.reassembled.data" is pretty clear that it's part of tcp. To be extra cautious, I required that the protocol inferred from the field name match the last protocol read, not just any existing protocol.
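As an added illustration (not rtshark's own code), the inference rule described above run over a constructed PDML fragment: a field inside "fake-field-wrapper" is attached to the last real protocol read only when its name prefix matches that protocol, and any other wrapper field is dropped as before. The line-oriented attribute scanner and the sample fragment are assumptions made for this example.

```rust
use std::collections::BTreeMap;
/// Constructed PDML fragment (not from the PR) in the shape tshark emits: a real
/// "tcp" proto, then a "fake-field-wrapper" carrying the reassembly fields.
const SAMPLE_PDML: &str = r#"<packet>
  <proto name="tcp">
    <field name="tcp.payload" show="08:22:ea"/>
  </proto>
  <proto name="fake-field-wrapper">
    <field name="tcp.segments" show=""/>
    <field name="tcp.reassembled.data" show="16:03:01"/>
    <field name="_ws.expert.message" show="unrelated"/>
  </proto>
  <proto name="tls">
    <field name="tls.record" show=""/>
  </proto>
</packet>"#;
/// Pull the value of the name="..." attribute out of one PDML tag line.
fn attr_name(line: &str) -> Option<&str> {
    let start = line.find("name=\"")? + "name=\"".len();
    let end = line[start..].find('"')? + start;
    Some(&line[start..end])
}
/// Group field names by protocol. A field under "fake-field-wrapper" is kept only
/// if its prefix (text before the first '.') names the last real protocol read,
/// the rule the PR describes; any other wrapper field is dropped as before.
pub fn group_fields(pdml: &str) -> BTreeMap<String, Vec<String>> {
    let mut out: BTreeMap<String, Vec<String>> = BTreeMap::new();
    let mut current: Option<String> = None;   // proto tag we are inside
    let mut last_real: Option<String> = None; // last non-wrapper proto seen
    for line in pdml.lines().map(str::trim) {
        if line.starts_with("<proto ") {
            let name = attr_name(line).unwrap_or("").to_string();
            if name != "fake-field-wrapper" { last_real = Some(name.clone()); }
            current = Some(name);
        } else if let Some(field) = line.strip_prefix("<field ").and_then(attr_name) {
            let in_wrapper = current.as_deref() == Some("fake-field-wrapper");
            let prefix = field.split('.').next().unwrap_or("");
            let target = if in_wrapper {
                last_real.as_deref().filter(|p| *p == prefix)
            } else {
                current.as_deref()
            };
            if let Some(proto) = target {
                out.entry(proto.to_string()).or_default().push(field.to_string());
            }
        }
    }
    out
}
```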

@CrabeDeFrance CrabeDeFrance merged commit 9cf3791 into CrabeDeFrance:main Jun 24, 2024
1 of 2 checks passed
@lrstewart lrstewart deleted the tcp_reassemble branch June 24, 2024 16:29