This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

two interfaces on router with NAT


Dear friends, it seems to be a simple problem but I cannot deal with it. I have captured packets on a Linux router with NAT on the two interfaces at the same time:

tcpdump -i eth1 -w lan.pcap

tcpdump -i eth0 -w wan.pcap

during two SSH sessions, entering and stopping the commands almost simultaneously. I need to filter incoming packets to eth1 from the 192.168.1.2 IP address and the same packets on the outgoing interface of the router (eth0) from these files. The first task is simple, because I can filter packets based on the MAC address of the 192.168.1.2 host. But how can I filter the same packets in the second (wan.pcap) file (these packets have a different source IP address after the NAT operation: the IP address of the eth0 interface)? I can filter on every destination address, but it is a very slow process. Is there any simpler method?

Please help me.

edit:

192.168.1.2 ------eth1_router_eth0--------wan

One more question: if I send data from the 192.168.1.2 host through the router, do I see the packet on eth0 with the time of leaving the eth0 interface or of entering the eth0 interface? I need the time at which the packet leaves the eth0 interface.

asked 11 Oct '13, 15:54

net16

edited 12 Oct '13, 10:33

Do you mean a capture filter or a display filter?

(11 Oct '13, 17:29) Kurt Knochner ♦

I must be missing something. Can you just capture all the traffic, then find out what the NAT table looks like? MAC addresses are no good because all IPs sourced by your interface will have the same MAC. Remember, MAC addresses are only relevant to Ethernet segments. You won't see the MAC address of a remote system if there is a router in the middle.

(11 Oct '13, 18:29) hansangb

Kurt, I mean a display filter. I would like to capture all traffic with tcpdump, then move the captured .pcap file to Windows and filter different data with Wireshark. After filtering I will estimate different statistics on the filtered data.

hansangb, thank you for your comment. In this example the MAC address was associated with one IP, a PC workstation. I will remember that, thanks.

(12 Oct '13, 07:55) net16

One Answer:


Kurt, I mean a display filter.

O.K. so, what do you have to build a filter?

The source IP will be changed and the source port might be changed by the NAT operation, so you can't use the source IP address, but the source port could work, unless your NAT device changes that by default, which is not the case for Linux MASQUERADING.

O.K. Then there is the IP ID and the TCP sequence numbers. Both are good candidates as well, although if some randomization features are enabled in the Linux kernel, they will change as well.

I'd start with the source ports and if that does not work, I'd look for one of the other criteria (IP ID, TCP sequence number, TCP stream number - tcp.stream, etc.).

do I see the packet on eth0 with the time of leaving the eth0 interface or of entering the eth0 interface?

The time when libpcap gets the packet from the kernel, which is 'more to the side' of leaving eth0 than to the side of entering eth0.

Regards
Kurt

answered 12 Oct '13, 10:32

Kurt Knochner ♦

edited 12 Oct '13, 10:37

Kurt, thank you very much for your answer. At the moment it looks like I cannot use TCP sequence numbers because they are relative. But I will try to use the range of source port numbers (I have no MASQUERADING). Although I am afraid that other workstations (sharing the traffic) may use the same random numbers; it is possible. About the other parameters I have similar misgivings; they can be repeated in different flows. But I will try carefully.

Second question: I understand that in this one direction, on eth1 I have the entering time (receiving the whole packet) and on eth0 I have the time of the packet leaving the outgoing interface (eth0).

(12 Oct '13, 11:07) net16

it looks like I cannot use TCP sequence numbers because they are relative.

That's just the default settings of Wireshark. You can change it here

Edit -> Preferences -> Protocols -> TCP -> Relative Sequence Numbers

Regarding your question regarding time stamps.

It's more or less like this:

The NIC receives the frame and hands it over to the kernel. In the kernel there is an API to capture traffic. Wireshark will get the frames via that API (from libpcap). So, the time stamp of the frame will be a few nanoseconds later than when the frame really arrived, due to the handling in the kernel. On the sending side it is the same. So, there is a difference between the time stamps in the capture file and the 'real' time when the frames are being received/sent.

For TCP conversations, you can also use the stream index (tcp.stream). However, to be able to use that, you need to 'sync' the two capture files. Here is how to do it.

  • Find the first SYN frame in the internal pcap
  • Find the corresponding SYN frame in the external pcap (look for source port, IP ID, TCP SEQ, etc.)
  • Then 'sync' the two files by removing everything before those two frames. The easiest way is by using a display filter and File -> Export Specified Packets. Display filter, internal: frame.number >= x; external: frame.number >= y
  • Then open the 'stripped' files and tcp.stream 1 should be the same in both files. Now you just need to find the streams for your source IP and you should be able to identify the same TCP conversation in the external file.

For this to work, you need to capture the same data internally and externally. If your Firewall drops some TCP connections, this will not work, as the number of connections on the internal and external side is different.

(12 Oct '13, 16:21) Kurt Knochner ♦

Dear Kurt, thank you for your time and explanations. I see a few different tcp.stream indexes within the transmission between 192.168.1.2 and the 'chosen public address' hosts in my 30-second file. Do you think that it means refreshing or re-querying the page in a new tab of the web browser? Despite this, it is only SYN, SYN/ACK, ACK, FIN/ACK and "Continuation or non-HTTP traffic" (as it is traffic in one direction), which is proper. I capture only headers.

Moreover, I measure traffic statistics over some interval, for example 1 min; therefore I do not know if I can remove traffic before the suitable frame in wan.pcap, because that frame is shifted in time. I need to capture this shift on the graph of the wan interface. I use Statistics->IO Graph with a filter, obviously. I will check whether I get such a difference (Wireshark should include the shift in tick intervals).

(13 Oct '13, 11:18) net16

After removing unnecessary packets I have to synchronize the time in both pcap files (with the processing time of the reference packet). I have used Edit->Set Time Reference and Time Shift. I would like to shift by 0.000065 s. I use "Shift all packets" and write +0.000065, but an error appears: "Offset is zero". How can I do this?

When I set the value of "Time shift for this packet" (0.53968800), the times from the input trace file appear again. Tomorrow I will export the displayed data to new files. Maybe it will help.

(13 Oct '13, 14:51) net16

I see a few different tcp.stream indexes within the transmission between 192.168.1.2 and the 'chosen public address' hosts in my 30-second file. Do you think that it means refreshing or re-querying the page in a new tab of the web browser?

I'm sorry, but without the capture files and some details of what you are trying to do, I can only speculate about the reasons.

Moreover, I measure traffic statistics over some interval, for example 1 min,

Hm.. what are you actually trying to do, and why do you need a capture of both interfaces for traffic statistics?!

(14 Oct '13, 06:40) Kurt Knochner ♦

Kurt, sorry for my delay. I am doing some research work. I estimate times, retransmissions, packet loss, etc. The deeper we go into the subject, the broader the knowledge we need. I am still looking for something in my research work. Thank you for the discussion and help.

(15 Oct '13, 14:44) net16

I have another idea. Is it possible to display packets with the same SEQ numbers? During the NAT operation the router changes IP addresses, but the SEQ numbers and IP ID stay the same. It would be great to find duplicated SEQ numbers. Then I would get all packets forwarded by the router with NAT. Some packets are lost and not forwarded, and I want to separate them.

Or I can use tshark with "-e tcp.seq". I see packets twice, one after the other, and single packets (without a pair), but how can I filter them?

(04 Dec '13, 14:52) net16

Or I can use tshark with "-e tcp.seq". I see packets twice, one after the other, and single packets (without a pair), but how can I filter them?

Only with a script that parses the tshark output and tries to find duplicates. There is no such functionality (find duplicates) in tshark/Wireshark.

(04 Dec '13, 15:03) Kurt Knochner ♦

Do you mean bash scripts? Awk, sed, etc.? And later I have to count all the statistics by scripts too?

(04 Dec '13, 15:18) net16

Whatever scripting language you speak fluently ;-) I prefer Perl or Python. If you like bash or Awk, take that. sed would be too hard for this kind of task.

And later I have to count statistics by scripts too?

Sure, as soon as you have exported/extracted those values with tshark, it's up to you to do whatever you want/need with that data.

(04 Dec '13, 15:20) Kurt Knochner ♦
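An added example, not from the original thread: the kind of script Kurt refers to, written in Python. It pairs each outbound packet in the eth1 export with its copy in the eth0 export using the header fields that SNAT leaves untouched (the criteria from the answer above: IP ID and absolute TCP sequence number, plus destination address and port), which at the same time answers the later comment about finding duplicated SEQ numbers and separating forwarded packets from lost ones. Input is `tshark -T fields` output (the command is in the comment at the top; `lan.tsv` and `wan.tsv` are hypothetical names) and the sample rows are constructed. One caveat the answer glosses over: the key deliberately leaves out `tcp.srcport`, because Linux NAT must pick a new source port when two LAN hosts use the same port to the same destination, so the port is reported as rewritten rather than used for matching. The delay between the two timestamps is the eth1-to-eth0 forwarding time that the question asks about.

```python
"""Pair outbound packets captured on a Linux NAT router's LAN side (eth1) with
their copies on the WAN side (eth0), using the header fields SNAT leaves alone:
destination address/port, IP ID and the absolute TCP sequence number."""
import ipaddress
from collections import defaultdict
from decimal import Decimal

# Column order of the assumed export (lan.tsv / wan.tsv are hypothetical names):
#   tshark -r lan.pcap -o tcp.relative_sequence_numbers:FALSE -T fields \
#     -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e ip.id \
#     -e tcp.srcport -e tcp.dstport -e tcp.seq > lan.tsv
FIELDS = ("frame", "time", "src", "dst", "ipid", "sport", "dport", "seq")

# Constructed sample rows, not real captures: 192.168.1.0/24 is the LAN,
# 203.0.113.5 the router's WAN address, 198.51.100.7 a remote server.
# LAN frame 2 is inbound, frame 3 is another host reusing port 51234 and
# sequence 1000, frame 5 is dropped by the router, frame 6 is not TCP.
# WAN frame 2 shows the NAT choosing a new source port for the colliding
# connection; WAN frame 4 has no LAN counterpart at all.
LAN_TSV = """\
1\t1381592040.000100\t192.168.1.2\t198.51.100.7\t0x1a2b\t51234\t80\t1000
2\t1381592040.000300\t198.51.100.7\t192.168.1.2\t0x0000\t80\t51234\t5000
3\t1381592040.005000\t192.168.1.3\t198.51.100.7\t0x0042\t51234\t80\t1000
4\t1381592040.010200\t192.168.1.2\t198.51.100.7\t0x1a2c\t51234\t80\t1001
5\t1381592040.020500\t192.168.1.2\t198.51.100.7\t0x1a2d\t51234\t80\t1081
6\t1381592040.030000\t192.168.1.2\t198.51.100.7\t0x1a2e\t\t\t
"""
WAN_TSV = """\
1\t1381592040.000165\t203.0.113.5\t198.51.100.7\t0x1a2b\t51234\t80\t1000
2\t1381592040.005070\t203.0.113.5\t198.51.100.7\t0x0042\t1024\t80\t1000
3\t1381592040.010260\t203.0.113.5\t198.51.100.7\t0x1a2c\t51234\t80\t1001
4\t1381592040.040000\t203.0.113.5\t198.51.100.7\t0x7777\t40000\t443\t9000
"""


def _num(text):
    # tshark prints ip.id in hex (0x1a2b) and the TCP fields in decimal
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def parse_tshark_fields(text):
    """Parse `tshark -T fields` output into one dict per TCP packet."""
    rows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, cols))
        if not all(row[k] for k in ("ipid", "sport", "dport", "seq")):
            continue  # tshark leaves tcp.* empty for UDP, ICMP, ...
        row["frame"] = int(row["frame"])
        row["time"] = Decimal(row["time"])  # float would smear the microseconds
        for k in ("ipid", "sport", "dport", "seq"):
            row[k] = _num(row[k])
        rows.append(row)
    return rows


def nat_key(row):
    # tcp.srcport is deliberately not part of the key: Linux keeps it when it
    # can, but must choose another one when two LAN hosts collide on it.
    return (row["dst"], row["dport"], row["ipid"], row["seq"])


def correlate(lan_rows, wan_rows, lan_net):
    """Return (pairs, lost, wan_only): pairs are (lan_row, wan_row, delay) with
    delay = eth0 time - eth1 time in seconds; lost are outbound LAN packets
    never seen on eth0; wan_only are eth0 packets the LAN capture lacks."""
    net = ipaddress.ip_network(lan_net)
    pending = defaultdict(list)
    for w in wan_rows:
        pending[nat_key(w)].append(w)
    pairs, lost = [], []
    for l in lan_rows:
        if ipaddress.ip_address(l["src"]) not in net:
            continue  # inbound traffic: its pre-NAT copy is on the WAN side
        candidates = pending.get(nat_key(l))
        if candidates:
            w = candidates.pop(0)  # retransmissions pair up in capture order
            pairs.append((l, w, w["time"] - l["time"]))
        else:
            lost.append(l)
    wan_only = [w for lst in pending.values() for w in lst]
    return pairs, lost, wan_only


def summarize(pairs, lost, host):
    """Per-host counts plus mean eth1->eth0 delay (None if nothing matched)."""
    mine = [(l, w, d) for l, w, d in pairs if l["src"] == host]
    delays = [d for _, _, d in mine]
    return {
        "forwarded": len(mine),
        "lost": sum(1 for l in lost if l["src"] == host),
        "port_rewritten": sum(1 for l, w, _ in mine if l["sport"] != w["sport"]),
        "mean_delay": sum(delays, Decimal(0)) / len(delays) if delays else None,
    }


if __name__ == "__main__":
    lan, wan = parse_tshark_fields(LAN_TSV), parse_tshark_fields(WAN_TSV)
    pairs, lost, wan_only = correlate(lan, wan, "192.168.1.0/24")
    for l, w, d in pairs:
        print(f"lan#{l['frame']} -> wan#{w['frame']}  port {l['sport']}->{w['sport']}  delay {d}s")
    print("lost:", [l["frame"] for l in lost], "wan only:", [w["frame"] for w in wan_only])
    print(summarize(pairs, lost, "192.168.1.2"))
```

Timestamps are kept as `Decimal` because epoch values around 1.38e9 cannot hold microsecond differences exactly as floats. With the sample rows, 192.168.1.2 gets two forwarded packets, one lost packet and a mean delay of 62.5 µs, while 192.168.1.3's single packet is matched through its IP ID even though its source port was rewritten to 1024. Per-IP-ID matching breaks down if the kernel emits ip.id 0 for every DF-flagged packet; in that case drop `ipid` from `nat_key` and rely on the sequence number together with destination and ports.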

Fluently, not necessarily. But I have used scripts for different tasks. I will spend some time and do it. Thank you very much, Kurt. You are helpful as always :)

(04 Dec '13, 15:33) net16

Good luck.

(04 Dec '13, 15:35) Kurt Knochner ♦