I'm trying to write a python module for determining SCTP associations from captured traffic. It works fine when I read a pcap that has SACK chunks (since my heuristic uses TSNs), but I have a couple of files that don't have these chunks (either because they have been removed, or because they mostly contain retransmissions). When I try to run the script on these files, I get different results to Wireshark's Telephony > SCTP > Show All Associations utility.

At the moment I'm using a combination of comparing TSNs and comparing Transport Addresses. For the latter, arrays of unique src and dst transport addresses are kept for each endpoint. When a src TA for one endpoint is found in the dst array of another, they are made more likely to be put into an association together.

For example, with this file my script gets all associations right, except the ones with VTags 838939786, 4139831617 and 3653663047. Wireshark pairs up the first 2, and the 365[...] with a 0 VTag. My script puts 838[...] and 365[...] together, and 413[...] with a 0 VTag.

Is there something else Wireshark does that I've not considered?

asked 06 Aug '15, 06:06 Alex Hunter
edited 06 Aug '15, 07:56
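As an added illustration (not the asker's module and not a description of Wireshark's own pairing logic), the following pairs verification tags the way the common header defines them: the vtag a packet carries is the Initiate Tag its receiver advertised in its INIT or INIT-ACK, so an INIT-ACK chunk links both tags of an association on its own, and only when no INIT-ACK was captured does the code fall back to the transport-address heuristic from the question (the single tag seen on the reverse 4-tuple). The sample packets, chunk bodies and IP addresses are constructed here; a tag that cannot be paired is reported against 0, matching how the question describes Wireshark's output.

```python
import struct
from collections import defaultdict
INIT, INIT_ACK = 1, 2  # SCTP chunk types

def init_body(tag, tsn):  # fixed part of INIT/INIT-ACK: Initiate Tag, a_rwnd, out/in streams, initial TSN
    return struct.pack("!IIHHI", tag, 65535, 10, 10, tsn)

def sctp_packet(sport, dport, vtag, ctype, body):  # common header (CRC32c left 0: constructed data) + 1 chunk
    clen = 4 + len(body)
    return struct.pack("!HHIIBBH", sport, dport, vtag, 0, ctype, 0, clen) + body + b"\0" * (-clen % 4)

def parse(raw):
    """Return (sport, dport, vtag, [(chunk_type, chunk_body), ...]) from raw SCTP bytes."""
    sport, dport, vtag, _crc = struct.unpack_from("!HHII", raw, 0)
    chunks, off = [], 12
    while off + 4 <= len(raw):
        ctype, _flags, length = struct.unpack_from("!BBH", raw, off)
        if length < 4: break  # malformed chunk length: stop rather than loop forever
        chunks.append((ctype, raw[off + 4:off + length]))
        off += length + (-length % 4)  # chunks are padded to a 4-byte boundary
    return sport, dport, vtag, chunks

def find_associations(packets):
    """Pair verification tags into associations from (src_ip, dst_ip, raw_sctp) tuples.
    An INIT-ACK (header vtag = initiator's tag, body = responder's tag) pairs both tags
    directly; flows without one use the lone tag on the reverse 4-tuple; unpaired -> 0."""
    peer, seen, flow_tags = {}, set(), defaultdict(set)
    for src, dst, raw in packets:
        sport, dport, vtag, chunks = parse(raw)
        if vtag: seen.add(vtag); flow_tags[(src, sport, dst, dport)].add(vtag)
        for ctype, body in chunks:
            if ctype in (INIT, INIT_ACK):
                own = struct.unpack_from("!I", body)[0]; seen.add(own)  # tag this sender wants to receive
                if ctype == INIT_ACK and vtag:
                    peer[vtag], peer[own] = own, vtag
    for (src, sport, dst, dport), tags in flow_tags.items():
        rev = flow_tags.get((dst, dport, src, sport), set())
        if len(tags) == 1 and len(rev) == 1:  # exactly one tag each way: assume one association
            a, b = next(iter(tags)), next(iter(rev))
            if a not in peer and b not in peer:
                peer[a], peer[b] = b, a
    return {frozenset((t, peer.get(t, 0))) for t in seen}

# Constructed sample: a full handshake; a flow whose INIT/INIT-ACK were not captured; a lone INIT.
SAMPLE = [
    ("10.0.0.1", "10.0.0.2", sctp_packet(2905, 2905, 0, INIT, init_body(0x1111, 100))),
    ("10.0.0.2", "10.0.0.1", sctp_packet(2905, 2905, 0x1111, INIT_ACK, init_body(0x2222, 500))),
    ("10.0.0.3", "10.0.0.4", sctp_packet(3868, 3868, 0x3333, 4, struct.pack("!HHI", 1, 8, 7))),
    ("10.0.0.4", "10.0.0.3", sctp_packet(3868, 3868, 0x4444, 5, struct.pack("!HHI", 1, 8, 7))),
    ("10.0.0.5", "10.0.0.6", sctp_packet(2905, 2905, 0, INIT, init_body(0x5555, 1))),
]
```

On the sample, `find_associations(SAMPLE)` yields {0x1111, 0x2222} from the INIT-ACK, {0x3333, 0x4444} from the reverse-4-tuple fallback, and {0x5555, 0} for the INIT that never got an answer.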