This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I'm writing a program with raw-sockets and i'm trying to emulate my browser's "syn" packets to a socks server. My program's packets and my browser's packets are almost alike, but the socks server answers only my browser's packets and not my generated packets. My browser sends 5 or 3 syns (with no or very little delay between each of them), and then the socks server sends the "syn,ack" packet. The only difference between the browsers packets and mine is the timestamp in the TCP layer.

Can anyone help me with that? I can provide a packet file if necessary. Thanks :)

asked 20 Nov '10, 09:09

toothpick's gravatar image

toothpick
1111
accept rate: 0%

I guess you'll have to provide traces for both connections, browser and your raw socket, maybe someone can spot the difference that makes the socks server go stubborn and not answering your SYN packet... Do you have a download location?

(20 Nov '10, 11:32) Jasper ♦♦

Ok, I compared your traces and the only thing that seems to be "off" in the raw socket version is that the TCP checksum is not correct. This is something that could be a result of TCP Checksum offloading (which is why many people turn off TCP checksum validation in Wireshark), but I think it is the problem in this case. Here's why:

  1. your browser trace shows that the SYN packets have a correct TCP checksum
  2. your raw socket trace shows that the SYN packets have an incorrect TCP checksum
  3. that means that your checksum is not always incorrect, so probably you do not have TCP checksum offloading trouble
  4. if we assume your computer is usually sending correct TCP checksums for "normal" browser communication and your raw socket communication doesn't, we can assume (with just some doubt, see last paragraph) that
  5. your raw socket program calculates the TCP checksum incorrectly and thus
  6. the incorrect checksum is transmitted to the server which then will
  7. drop the packet because it has to assume it is damaged and
  8. not reply with a SYN/ACK

I hope this makes sense to you. Steps to take are:

  1. capture your computer's traffic with another passive computer to verify if incorrect checksums are in fact sent out the NIC for your raw socket program
  2. if it turns out they are, you have to
  3. fix the raw socket program

If your raw socket program does in fact calculate correct TCP checksums and Wireshark only says they're wrong because of checksum offloading I can't tell why your packets aren't answered, since everything else looks pretty much the same as the browser's packets.

permanent link

answered 04 Dec '10, 13:52

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

yes, here are the traces of both my program and the browser.

http://rapidshare.com/files/434905180/my-packets http://rapidshare.com/files/434905209/browser

my wireshark saved those files without extension, but I guess they are .cap files.

permanent link

answered 04 Dec '10, 11:51

toothpick's gravatar image

toothpick
1111
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×248
×20
×19
×1

question asked: 20 Nov '10, 09:09

question was seen: 4,617 times

last updated: 04 Dec '10, 13:52

p​o​w​e​r​e​d by O​S​Q​A