[Bug] tcprewrite provides incorrect checksum for certain ipv4 packets
ChuckCottrill opened this issue · 2 comments
The tcprewrite program changes packet length to an undesirable (incorrect) value.
Describe the bug
TCP rewrite appears to change packet length incorrectly, due to incorrect handling of minimum length packets;
this could cause incorrect checksum (which could be interpreted as a spoofing attempt and discard packet).
Expected behavior:
TCP rewrite should correctly change packet length (more to follow).
To Reproduce
Steps to reproduce the behavior:
- uncompress packet captures:
mkdir -p pcaps
unzip tcprewrite-pcaps.zip
cp tcprewrite-pcaps/pcap-original-packet-3.pcap pcaps/.
- Run tcprewrite version 4.4.0 and observe the output, as follows
# version 4.4.0
VERSION="4.4.0"
# prepare
tcpreplay-4.4.0/src/tcpprep \
--cidr=0.0.0.0/0 \
--pcap=pcaps/pcap-original-packet-3.pcap \
--cachefile=pcaps/pcap.cache
# use tcprewrite to rewrite packet addresses
tcpreplay-4.4.0/src/tcprewrite \
--cachefile=pcaps/pcap.cache \
--infile=pcaps/pcap-original-packet-3.pcap \
--outfile=pcaps/cap-4.4.0-packet-out.pcap \
--endpoints=10.200.1.1:10.200.1.2
- Run tcprewrite version 4.4.1 and observe the output, as follows
# version 4.4.1
# prepare
tcpreplay-4.4.1/src/tcpprep \
--cidr=0.0.0.0/0 \
--pcap=pcaps/pcap-original-packet-3.pcap \
--cachefile=pcaps/pcap.cache
# use tcprewrite to rewrite packet addresses
tcpreplay-4.4.1/src/tcprewrite \
--cachefile=pcaps/pcap.cache \
--infile=pcaps/pcap-original-packet-3.pcap \
--outfile=pcaps/cap-4.4.1-packet-out.pcap \
--endpoints=10.200.1.1:10.200.1.2
- compare files, should be identical
bdiff pcaps/cap-4.4.0-packet-out.pcap pcaps/cap-4.4.1-packet-out.pcap
Packet Captures
Packet Captures to Reproduce:
- pcap-original-packet-3.pcap
- pcap-4.4.0-packet-3.pcap
- pcap-4.4.1-packet-3.pcap
Examine packets
Use Wireshark to examine and compare both packets.
- Note that the ver 4.4.1 reports incorrect checksum.
- Note also that packet length was changed, which is different behavior from desired.
- Perhaps a flag to specify whether length change is needed or desired?
Screenshots
N/A - use Wireshark to view packets
System (please complete the following information):
- OS: Linux
- OS version
Linux hostname 5.15.0-71-generic #78-Ubuntu SMP datetime x86_64 x86_64 x86_64 GNU/Linux
- Tcpreplay Version [4.4.1] versus [4.4.0]
Additional context
The changed length results in an erroneous checksum which results in dropped packet(s).
Where are the pcaps? I suspect this is already fixed in 4.5.0-beta1.
Please reopen if this is reproduced with 4.5.0. Don't forget to include PCAPs (zip, then drag-drop)