find-mangled-sequence-numbers.sh.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252" />
<title>find-mangled-sequence-numbers.sh Information</title>
</head>

<body background="concret.jpg">
<center>
<h1>find-mangled-sequence-numbers.sh Information</h1>
<img src="bluebar.gif" width="576" height="14" alt="Blue Bar separator">
</center>
<p>
This script uses tshark to find evidence of sequence number mangling. That is the sequence numbers recorded in SACK blocks does not match the sequence numbers in the TCP ACK header field. This is subjective so the second argument provides the threshold value. This happens when some middle-ware device is altering the sequence number in the TCP header but does not alter the sequence numbers in the SACK blocks.
<p>

The output is the list of streams with mangled sequence numbers.
<br><br>


<b><h3>Usage</h3></b>
find-mangled-sequence-numbers.sh FILE-NAME [THRESHOLD]
<br><br>
<b>FILE-NAME</b>
<br>
The file name (or path to the file), This file must be readable by tshark.
<br><br>
<b>THRESHOLD</b>
<br>
The difference between the SACK block and the ACK value above which we will report a mangled sequence number. Default is 1000000
<br><br>

<b><h3>Examples</h3></b>
Example 1 - Execute find-mangled-sequence-numbers.sh
<p>
The script has identified one TCP stream, number 115 with mangled sequence numbers. The tshark command selects all the TCP segments from TCP stream 115 with SACK blocks and displays the TCP ACK number, the left edge of the SACK block and the difference between the two. Note that the difference is 656,467,914, much larger than the default threshold of 1,000,000.
<center>
<table border=5>
<tr><td align=left>
<pre>                                                                   
$ ./find-mangled-sequence-numbers.sh test1.pcap
find-mangled-sequence-numbers test1.pcap 1000000
115

$ tshark -r test1.pcap -Y "tcp.stream == 115 && tcp.options.sack_le" -T fields -e tcp.ack -e tcp.options.sack_le | awk '{print $1 " " $2 " " $1-$2}'
3811240368 3154772454 656467914
3811240368 3154772454 656467914
3811240368 3154772454 656467914
3811240368 3154772454 656467914
3811240368 3154772454 656467914
3811240368 3154772454 656467914
</pre>
</td></tr>
</table>
Figure 1
</center>
<p>

Example 2 - Execute find-mangled-sequence-numbers.sh on a TCP packet trace file where multiple streams have mangled sequence numbers
<p>
This example shows multiple TCP streams with mangled sequence numbers. The tail following the find-mangled-sequence-numbers in the for loop removes the header line which displays the command line. The head following the tshark command strips all but the first instance of a TCP sequence number SACK left edge output. In some instances the ACK number is less than the left edge of the SACK block and in some cases it is greater, the awk command that displays the difference takes that into account so that all differences are positive. The table shows the TCP stream number, TCP sequence number, SACK left edge and the absolute value of the difference.
<center>
<table border=5>
<tr><td align=left>
<pre>                                                                   
$ ./find-mangled-sequence-numbers.sh  test2.pcap
find-mangled-sequence-numbers test2.pcap 1000000
0
32
35
36
45
50
56
62
70
76
86
94
95
99

$ for x in $(./find-mangled-sequence-numbers.sh  test2.pcap | tail -n +2); do echo $x $(tshark -r test2.pcap -Y "tcp.stream == $x && \              
tcp.options.sack_le"  -T fields -e tcp.ack -e tcp.options.sack_le | head -1 | awk '{if ($1 > $2) print $1 " " $2 " " $1-$2; \
else print $1 " " $2 " " $2-$1}'); done | column -t
0   2030784017  1504792022  525991995
32  1673346234  2148087071  474740837
35  3575468244  4068132549  492664305
36  2016215466  2669290943  653075477
45  3109247463  1711770193  1397477270
50  1025055124  999759832   25295292
56  3112337339  3746364458  634027119
62  860193052   197439550   662753502
70  2740662954  987670000   1752992954
76  1689211722  1250779131  438432591
86  896595655   3510871914  2614276259
94  1557721402  2666071398  1108349996
95  483274964   432146925   51128039
99  852077976   2532451553  1680373577
</pre>
</td></tr>
</table>
Figure 2
</center>
<p>

Example 3 - Execute find-mangled-sequence-numbers.sh with a non-default threshold value
<p>
This example analyzes the same packet trace file as example 2 but with the threshold set to 600,000,000 instead of the default 1,000,000.
<center>
<table border=5>
<tr><td align=left>
<pre>                                                                   
$ ./find-mangled-sequence-numbers.sh  test2.pcap 600000000                                                                                          
find-mangled-sequence-numbers test2.pcap 600000000
36
45
56
62
70
86
94
99

$ for x in $(./find-mangled-sequence-numbers.sh  test2.pcap 600000000 | tail -n +2); do echo $x $(tshark -r test2.pcap -Y "tcp.stream == $x && \
tcp.options.sack_le"  -T fields -e tcp.ack -e tcp.options.sack_le | head -1 | awk '{if ($1 > $2) print $1 " " $2 " " $1-$2; else print $1 " " $2 \
" " $2-$1}'); done | column -t
36  2016215466  2669290943  653075477
45  3109247463  1711770193  1397477270
56  3112337339  3746364458  634027119
62  860193052   197439550   662753502
70  2740662954  987670000   1752992954
86  896595655   3510871914  2614276259
94  1557721402  2666071398  1108349996
99  852077976   2532451553  1680373577

</pre>
</td></tr>
</table>
Figure 3
</center>
<p>

You can find this script at <a href="https://github.com/noahdavids/packet-analysis/blob/master/find-mangled-sequence-numbers.sh">find-mangled-sequence-numbers.sh</a>

<br /><br />
<h5><center>
<img src="bluebar.gif" width="576" height="14" alt="Blue Bar separator">
<br />
This page was last modified on 18-04-25</h5>
</center>
<a href="mailto:noah@noahdavids.org"><img src="mailbox.gif" width="32" height="32" alt="mailbox" align="left" hspace=3>
Send comments and suggestions
<br />
to noah@noahdavids.org
</a>
</body>

</html>