This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

lua listener, icmp redirect packets called twice

0

Hi together,

I wrote a small Lua script that collects connection data via the tshark Lua API and stores it in a CSV file.

I use this listener function:

local tap_ipv4 = create_IPv4_tap()

function tap_ipv4.packet(pinfo, tvb, ip)
    -- some code
end


All works fine. But it seems that tap_ipv4.packet() gets called twice for ICMP redirect packets. ICMP echo/reply, TCP/UDP seem normal. I don't know if this works as designed. Has anyone else had this problem?

Here is the example code:

-- function to create a IPv4 listener
function create_IPv4_tap()
    local tap = Listener.new("ip")
    return(tap)
end

-- let's create a ipv4 listener
local tap_ipv4 = create_IPv4_tap()

-- will be called once for every IP Header.
function tap_ipv4.packet(pinfo, tvb, ip)
    local packet_number = pinfo.number -- for debug reasons
    print("Packet Number: ", packet_number)
end

function tap_ipv4.draw()
    print("draw called") -- Debug Message
end

And the output from a simple capture file that contains 3 ICMP redirects:

> tshark -r test_05.pcapng -X lua_script:test.lua
Packet Number:          1
1 0.000000000 192.168.0.100 -> 8.8.8.8      ICMP 74 Echo (ping) request  id=0x0001, seq=9/2304, ttl=128
Packet Number:          2
2 0.026124000      8.8.8.8 -> 192.168.0.100 ICMP 74 Echo (ping) reply    id=0x0001, seq=9/2304, ttl=56 (request in 1)
Packet Number:          3
3 1.001399000 192.168.0.100 -> 8.8.8.8      ICMP 74 Echo (ping) request  id=0x0001, seq=10/2560, ttl=128
Packet Number:          4
Packet Number:          4
4 1.002284000  192.168.0.2 -> 192.168.0.100 ICMP 102 Redirect             (Redirect for host)
Packet Number:          5
5 1.026090000      8.8.8.8 -> 192.168.0.100 ICMP 74 Echo (ping) reply    id=0x0001, seq=10/2560, ttl=56 (request in 3)
Packet Number:          6
6 2.003533000 192.168.0.100 -> 8.8.8.8      ICMP 74 Echo (ping) request  id=0x0001, seq=11/2816, ttl=128
Packet Number:          7
7 2.026073000      8.8.8.8 -> 192.168.0.100 ICMP 74 Echo (ping) reply    id=0x0001, seq=11/2816, ttl=56 (request in 6)
Packet Number:          8
8 3.005648000 192.168.0.100 -> 8.8.8.8      ICMP 74 Echo (ping) request  id=0x0001, seq=12/3072, ttl=128
Packet Number:          9
Packet Number:          9
9 3.006529000  192.168.0.2 -> 192.168.0.100 ICMP 102 Redirect             (Redirect for host)
Packet Number:          10
10 3.031055000      8.8.8.8 -> 192.168.0.100 ICMP 74 Echo (ping) reply    id=0x0001, seq=12/3072, ttl=56 (request in 8)
Packet Number:          11
Packet Number:          11
11 10.449692000  192.168.0.2 -> 192.168.0.100 ICMP 90 Redirect             (Redirect for host)
draw called

Platform Windows7 64bit (also tested with GNU/Debian Linux 8, same issue) Wireshark v1.12.8-0-g5b6e543 from master-1.12

asked 02 Nov ‘15, 12:51

C_N


One Answer:

1

But it seems that tap_ipv4.packet() gets called twice for ICMP redirect packets. ICMP echo/reply, TCP/UDP seem normal. I don't know if this works as designed.

As far as I can see in the code (packet-icmp.c), I'd say: yes, it works as designed. The ICMP dissector calls the IP dissector for the ICMP payload, which contains the IP header of the packet that triggered the ICMP redirect. You should see the same behavior for ICMP UNREACHABLE, TIMEEXCEEDED, SOURCEQUENCH, REDIRECT.

Possible Solution (if you want to look at the 'outer' ICMP frame only): Add a table (array/hash) to your code to remember that you've already processed a certain frame number and skip it the second time your tap is called for that frame.

Please take a look at the code of @izopizo in the following question:

https://ask.wireshark.org/questions/15196/implementing-a-basic-packet-counter-and-incorrect-order-detector-using-dissectors-and-lua

The code stores the packet number in pkts and uses pinfo.visited.

Regards
Kurt

answered 02 Nov '15, 16:25

Kurt Knochner ♦

Hi Kurt,

Thanks for the quick help. OK, that behavior makes sense.

I only need the connection information (srcIP, DstIP, Proto, and length in bytes).
Simply checking whether the packet number was already processed works fine for me.

Here is an example:

-- function to create a IPv4 listener
function create_IPv4_tap()
    local tap = Listener.new("ip")
    return(tap)
end

-- we store the number of a processed packet
local processed_packets = {}

-- let's create a ipv4 listener
local tap_ipv4 = create_IPv4_tap()

-- will be called once for every IP Header.
function tap_ipv4.packet(pinfo, tvb, ip)
    local packet_number = pinfo.number -- for debug reasons

    if processed_packets[packet_number] then
        print("Packet ", packet_number, " already processed")
    else
        print("Packet Number:   ", packet_number)
        processed_packets[pinfo.number] = true
    end
end

function tap_ipv4.draw()
    print("draw called") -- Debug Message
end

(03 Nov ‘15, 10:55) C_N

good!

Hint: If a supplied answer resolves your question can you please “accept” it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(03 Nov ‘15, 11:18) Kurt Knochner ♦
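
The approach from this thread carried through to the CSV the question asks for, as an added example that is not code from either poster: it skips the second tap call per frame and records how many IPv4 headers the frame contained, so frames with an embedded header (ICMP errors, and also IP-in-IP tunnels) stay identifiable. The output path, the helper name `first` and the column layout are assumptions, as is the premise that field occurrences are returned in dissection order with the outer header first.

```lua
-- Added example, not from the original thread.
local OUT_PATH = "connections.csv"   -- hypothetical output file

-- Field extractors must be created before the listener callbacks run.
local f_src   = Field.new("ip.src")
local f_dst   = Field.new("ip.dst")
local f_proto = Field.new("ip.proto")
local f_len   = Field.new("ip.len")

local tap = Listener.new("ip")
local rows, seen = {}, {}            -- CSV lines, frame numbers handled

-- Return the first occurrence of a field plus the occurrence count.
-- Assumption: occurrences come back in dissection order, so index 1
-- belongs to the outer IPv4 header.
local function first(extractor)
    local all = { extractor() }
    return all[1], #all
end

function tap.packet(pinfo, tvb, ip)
    local n = pinfo.number
    if seen[n] then return end       -- repeat call for an embedded header
    seen[n] = true

    local src, headers = first(f_src)
    local dst   = first(f_dst)
    local proto = first(f_proto)
    local len   = first(f_len)
    if not (src and dst and proto and len) then return end

    -- headers > 1: the frame carries more than one IPv4 header.
    rows[#rows + 1] = string.format("%d,%s,%s,%s,%s,%d", n,
        tostring(src), tostring(dst), tostring(proto), tostring(len), headers)
end

-- Clear state when the tap is restarted, so a re-run does not
-- duplicate rows or wrongly skip frames.
function tap.reset()
    rows, seen = {}, {}
end

-- Rewrite the whole file each time results are requested.
function tap.draw()
    local out = assert(io.open(OUT_PATH, "w"))
    out:write("frame,src,dst,proto,ip_len,ip_headers\n")
    if #rows > 0 then out:write(table.concat(rows, "\n"), "\n") end
    out:close()
end
```

Run it the same way as the script in the question, with `tshark -r <capture> -X lua_script:<file>`.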