
Hi all,

I wrote a small Lua script that collects connection data via the tshark Lua API and stores it in a CSV file.

I use this listener function:

local tap_ipv4 = create_IPv4_tap()

function tap_ipv4.packet(pinfo, tvb, ip)
   -- some code
end


All works fine, but it seems that tap_ipv4.packet() gets called twice for ICMP redirect packets. ICMP echo/reply and TCP/UDP seem normal. I don't know if this works as designed. Does anyone else have this problem?

Here is the example code:

-- function to create a IPv4 listener
function create_IPv4_tap()
    local tap = Listener.new("ip")
    return(tap)
end

-- let's create a ipv4 listener
local tap_ipv4 = create_IPv4_tap()

-- will be called once for every IP Header.
function tap_ipv4.packet(pinfo, tvb, ip)
    local packet_number = pinfo.number  -- for debug reasons
    print("Packet Number:   ", packet_number)
end

function tap_ipv4.draw()
    print("draw called")     -- Debug Message
end

and the output from a simple capture file that contains 3 ICMP redirects:

> tshark -r test_05.pcapng -X lua_script:test.lua
Packet Number:          1
  1 0.000000000 192.168.0.100 -> 8.8.8.8      ICMP 74 Echo (ping) request  id=0x0001, seq=9/2304, ttl=128
Packet Number:          2
  2 0.026124000      8.8.8.8 -> 192.168.0.100 ICMP 74 Echo (ping) reply    id=0x0001, seq=9/2304, ttl=56 (request in 1)
Packet Number:          3
  3 1.001399000 192.168.0.100 -> 8.8.8.8      ICMP 74 Echo (ping) request  id=0x0001, seq=10/2560, ttl=128
Packet Number:          4
Packet Number:          4
  4 1.002284000  192.168.0.2 -> 192.168.0.100 ICMP 102 Redirect             (Redirect for host)
Packet Number:          5
  5 1.026090000      8.8.8.8 -> 192.168.0.100 ICMP 74 Echo (ping) reply    id=0x0001, seq=10/2560, ttl=56 (request in 3)
Packet Number:          6
  6 2.003533000 192.168.0.100 -> 8.8.8.8      ICMP 74 Echo (ping) request  id=0x0001, seq=11/2816, ttl=128
Packet Number:          7
  7 2.026073000      8.8.8.8 -> 192.168.0.100 ICMP 74 Echo (ping) reply    id=0x0001, seq=11/2816, ttl=56 (request in 6)
Packet Number:          8
  8 3.005648000 192.168.0.100 -> 8.8.8.8      ICMP 74 Echo (ping) request  id=0x0001, seq=12/3072, ttl=128
Packet Number:          9
Packet Number:          9
  9 3.006529000  192.168.0.2 -> 192.168.0.100 ICMP 102 Redirect             (Redirect for host)
Packet Number:          10
 10 3.031055000      8.8.8.8 -> 192.168.0.100 ICMP 74 Echo (ping) reply    id=0x0001, seq=12/3072, ttl=56 (request in 8)
Packet Number:          11
Packet Number:          11
 11 10.449692000  192.168.0.2 -> 192.168.0.100 ICMP 90 Redirect             (Redirect for host)
draw called

Platform: Windows 7 64-bit (also tested with Debian GNU/Linux 8, same issue); Wireshark v1.12.8-0-g5b6e543 from master-1.12

asked 02 Nov '15, 12:51


C_N


But it seems that tap_ipv4.packet() gets called twice for ICMP redirect packets. ICMP echo/reply and TCP/UDP seem normal. I don't know if this works as designed.

As far as I can see in the code (packet-icmp.c), I'd say: yes, it works as designed. The ICMP dissector calls the IP dissector for the ICMP payload, which contains the IP header of the packet that triggered the ICMP redirect. You should see the same behavior for ICMP UNREACHABLE, TIME EXCEEDED, SOURCE QUENCH, REDIRECT.

Possible solution (if you want to look at the 'outer' ICMP frame only): add a table (array/hash) to your code to remember that you've already processed a certain frame number, and skip it the second time your tap is called for that frame.

Please take a look at the code of @izopizo in the following question:

https://ask.wireshark.org/questions/15196/implementing-a-basic-packet-counter-and-incorrect-order-detector-using-dissectors-and-lua

The code stores the packet number in pkts and uses pinfo.visited.

Regards
Kurt


answered 02 Nov '15, 16:25


Kurt Knochner ♦
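The following script is an added example, not code from the question or the answer above. It puts the answer's suggestion into a complete tap: the "ip" tap fires once per IP header that the dissectors find in a frame, so an ICMP error message (redirect, unreachable, time exceeded, source quench) triggers a second call for the IP header carried in the ICMP payload. The script keeps a table keyed by frame number so that only the first (outer) call per frame is recorded, counts the second calls so you can see how many frames carried an encapsulated header, extracts src/dst/proto/length with Field extractors, and writes one CSV row per frame in draw(). The output file name connections.csv is an assumption; everything else uses standard Wireshark Lua API names (Listener, Field, pinfo.number).

```lua
-- Added example (not from the original post): one CSV row per frame from
-- the "ip" tap, ignoring the second tap call that ICMP error messages cause.
-- Run with: tshark -r capture.pcapng -q -X lua_script:connections.lua

local csv_path = "connections.csv"   -- assumed output file name

-- Field extractors must be created at script load time, not inside packet().
local f_ip_src   = Field.new("ip.src")
local f_ip_dst   = Field.new("ip.dst")
local f_ip_proto = Field.new("ip.proto")
local f_ip_len   = Field.new("ip.len")

local processed_frames = {}   -- frame number -> true once its outer IP header was recorded
local encapsulated     = 0    -- frames for which the tap fired a second time (ICMP errors)
local rows             = {}   -- CSV rows in frame order

local tap_ipv4 = Listener.new("ip")

function tap_ipv4.packet(pinfo, tvb, tapinfo)
    local frame = pinfo.number

    -- Second call for the same frame: the ICMP dissector handed the ICMP
    -- payload to the IP dissector, which tapped the inner IP header. We
    -- only want the outer header, so count it and skip.
    if processed_frames[frame] then
        encapsulated = encapsulated + 1
        return
    end
    processed_frames[frame] = true

    -- Calling a Field returns every matching FieldInfo in dissection order;
    -- the first result belongs to the outermost IP header. Taps run after
    -- the whole frame is dissected, so the full tree is available here.
    local src   = f_ip_src()
    local dst   = f_ip_dst()
    local proto = f_ip_proto()
    local len   = f_ip_len()
    if not (src and dst and proto and len) then
        return   -- no IPv4 header in this frame; nothing to record
    end

    rows[#rows + 1] = string.format("%d,%s,%s,%d,%d",
        frame, tostring(src), tostring(dst), proto.value, len.value)
end

-- tshark calls draw() once at the end of the run.
function tap_ipv4.draw()
    local fh = assert(io.open(csv_path, "w"))
    fh:write("frame,src_ip,dst_ip,ip_proto,ip_len\n")
    for _, row in ipairs(rows) do
        fh:write(row, "\n")
    end
    fh:close()
    print(string.format("wrote %d rows to %s (%d frames carried an encapsulated IP header)",
        #rows, csv_path, encapsulated))
end
```

On the capture shown in the question this would write 11 rows and report 3 frames with an encapsulated IP header (the three redirects). The frame-number table is used instead of pinfo.visited because in a normal single-pass tshark run every frame arrives unvisited, so pinfo.visited alone cannot tell the first tap call from the second; the table works in both tshark and the Wireshark GUI, although in the GUI draw() runs repeatedly and would rewrite the file each time.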

Hi Kurt,

Thanks for the quick help. OK, that behavior makes sense.

I only need the connection information (src IP, dst IP, proto, and length in bytes).
Simply checking whether the packet number was already processed works fine for me.

Here is an example:

-- function to create a IPv4 listener
function create_IPv4_tap()
    local tap = Listener.new("ip")
    return(tap)
end

-- we store the number of a processed packet
local processed_packets = {}

-- let's create a ipv4 listener
local tap_ipv4 = create_IPv4_tap()

-- will be called once for every IP Header.
function tap_ipv4.packet(pinfo, tvb, ip)
    local packet_number = pinfo.number  -- for debug reasons

    if processed_packets[packet_number] then
        print("Packet ", packet_number, " already processed")
    else
        print("Packet Number:   ", packet_number)
        processed_packets[pinfo.number] = true
    end
end

function tap_ipv4.draw()
    print("draw called")     -- Debug Message
end
(03 Nov '15, 10:55) C_N

good!

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(03 Nov '15, 11:18) Kurt Knochner ♦