Question

I have a problem with identifying communication established over TCP. I have to identify the first completed communication, for example the first complete HTTP communication. I have a .pcap dump file with the capture. I know that the communication should start with a three-way handshake (SYN, SYN-ACK, ACK) and then be closed by FIN flags from both sides.

But I have a lot of communication in that dump file. So here is the question: which things do I need to remember to match exactly one communication?

I thought about source IP, destination IP, protocol, maybe port, but I am not sure.

Thank you for every piece of advice. And sorry for my English.


Solution

You stated that you need:

  1. To identify a particular conversation
  2. To identify the first completed conversation

You can identify a particular TCP or UDP conversation by filtering for the 5-tuple of the connection:

  1. Source IP
  2. Source Port
  3. Destination IP
  4. Destination Port
  5. Transport (TCP or UDP)

As Shane mentioned, this is protocol dependent, e.g. ICMP does not have the concept of ports like TCP and UDP do.

A libpcap filter like the following would work for TCP and UDP:

tcp and host 1.1.1.1 and port 53523 and dst host 1.1.1.2 and port 80

Apply it with tcpdump:

$ tcpdump -nnr myfile.pcap 'tcp and host 1.1.1.1 and port 53523 and dst host 1.1.1.2 and port 80'

To identify the first completed connection you will have to follow the timestamps.

Using a tool like Bro to read a PCAP would yield the answer as it will list each connection attempt seen (complete or incomplete):

$ bro -r myfile.pcap
$ bro-cut -d < conn.log | head -1
2014-03-14T10:00:09-0500    CPnl844qkZabYchIL7  1.1.1.1 57596   1.1.1.2 80  tcp http    0.271392    248 7775    SF  F   ShADadfF    14  1240    20  16606   (empty) US  US

Use the flag data for TCP to judge whether there was a successful handshake and tear down. For other protocols you can make judgements based on byte counts, sent and received.
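
The answer above describes two steps: grouping packets by their 5-tuple and then checking each group's TCP flags for a full handshake and teardown before ordering by timestamp. The following is an added example, not code from the answer, Bro, or tcpdump, that does exactly that on a small pcap constructed inline (three HTTP-like flows from 1.1.1.1, one of which never closes). It parses classic pcap by hand with only the standard library, so it runs offline; the addresses, ports and timestamps are constructed sample values, and the frames carry zero checksums because nothing here validates them.

```python
import struct

TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def build_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero; enough for a parsing demo)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr + payload


def build_pcap(records):
    """Classic little-endian pcap (link type 1 = Ethernet) from (timestamp, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_tcp_packets(pcap_bytes):
    """Yield (ts, src, dst, sport, dport, tcp_flags) for every IPv4/TCP packet in the file."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled in this example")
    off = 24
    while off + 16 <= len(pcap_bytes):
        sec, usec, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                             # not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        yield sec + usec / 1e6, src, dst, sport, dport, tcp[13]


def flow_key(src, dst, sport, dport):
    """Direction-independent 5-tuple so both halves of a conversation share one key."""
    a, b = (src, sport), (dst, dport)
    return ("tcp",) + (a + b if a <= b else b + a)


def completed_flows(pcap_bytes):
    """Flows that saw SYN, SYN-ACK, ACK and then a FIN from each side, ordered by when they finished."""
    flows = {}
    for ts, src, dst, sport, dport, flags in iter_tcp_packets(pcap_bytes):
        st = flows.setdefault(flow_key(src, dst, sport, dport),
                              {"client": None, "server": None, "synack": False,
                               "established": False, "fins": set(), "start": None, "end": None})
        sender, receiver = (src, sport), (dst, dport)
        if flags & TCP_SYN and not flags & TCP_ACK:            # 1) SYN: its sender is the client
            if st["client"] is None:
                st["client"], st["server"], st["start"] = sender, receiver, ts
        elif flags & TCP_SYN and flags & TCP_ACK:              # 2) SYN-ACK must come from the server
            st["synack"] = st["synack"] or sender == st["server"]
        elif flags & TCP_ACK and st["synack"] and not st["established"]:  # 3) client's ACK
            st["established"] = sender == st["client"]
        if flags & TCP_FIN and st["established"]:              # teardown: one FIN from each endpoint
            st["fins"].add(sender)
            if len(st["fins"]) == 2 and st["end"] is None:
                st["end"] = ts
    done = [{"client": s["client"], "server": s["server"], "start": s["start"], "end": s["end"]}
            for s in flows.values() if s["established"] and s["end"] is not None]
    return sorted(done, key=lambda f: f["end"])


def bpf_filter(flow):
    """Exact bidirectional 5-tuple filter for tcpdump/libpcap ('host', not 'ip', names an address)."""
    (ci, cp), (si, sp) = flow["client"], flow["server"]
    return (f"tcp and ((src host {ci} and src port {cp} and dst host {si} and dst port {sp}) or "
            f"(src host {si} and src port {sp} and dst host {ci} and dst port {cp}))")


def _sample_records():
    """Constructed traffic: three flows from 1.1.1.1 to port 80; only two of them tear down."""
    def flow(cport, server, t0, fin_at, with_http=True, teardown=True):
        c = lambda fl, p=b"": build_tcp_frame("1.1.1.1", server, cport, 80, fl, p)
        s = lambda fl, p=b"": build_tcp_frame(server, "1.1.1.1", 80, cport, fl, p)
        recs = [(t0, c(TCP_SYN)), (t0 + 0.01, s(TCP_SYN | TCP_ACK)), (t0 + 0.02, c(TCP_ACK))]
        if with_http:
            recs += [(t0 + 0.03, c(TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\n\r\n")),
                     (t0 + 0.20, s(TCP_PSH | TCP_ACK, b"HTTP/1.1 200 OK\r\n\r\n"))]
        if teardown:
            recs += [(t0 + fin_at, c(TCP_FIN | TCP_ACK)), (t0 + fin_at + 0.01, s(TCP_FIN | TCP_ACK)),
                     (t0 + fin_at + 0.02, c(TCP_ACK))]
        return recs
    recs = (flow(57596, "1.1.1.2", 10.0, 0.25)                                   # starts first, ends 10.26
            + flow(57597, "1.1.1.3", 9.9, 0.0, with_http=False, teardown=False)  # handshake only, never closes
            + flow(57598, "1.1.1.4", 10.1, 0.05, with_http=False))               # starts later, ends 10.16
    return sorted(recs, key=lambda r: r[0])


SAMPLE_PCAP = build_pcap(_sample_records())

if __name__ == "__main__":
    for f in completed_flows(SAMPLE_PCAP):
        print(f"{f['start']:.3f}-{f['end']:.3f} {f['client']} -> {f['server']}")
        print("  ", bpf_filter(f))
```

Two things the sample makes visible: the flow that started earliest (to 1.1.1.3) never completes and is dropped, and "first completed" depends on whether you order by the SYN timestamp (the 1.1.1.2 flow) or by the second FIN (the 1.1.1.4 flow), so decide which one you mean before sorting. The filter string mirrors the answer's tcpdump filter but spells out both directions explicitly.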

OTHER TIPS

Identifying the first completed communication is highly protocol-specific. You are on the right track with your filters. If your protocol is a commonly used one, there are plug-ins called protocol analyzers and filters that can locate "conversations" for you from a pcap data stream. If you know the approximate start time and end time, that would help narrow it down too.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow