Fw: Re: [Winpcap-users] TCP/IP stack reassembly

Gianluca Varenni gianluca.varenni at cacetech.com
Tue Aug 15 16:44:28 GMT 2006

> -------- Original Message --------
> Subject: Re: [Winpcap-users] TCP/IP stack reassembly
> Date: Tue, 15 Aug 2006 00:08:06 -0300
> From: Ivan Arce <ivan.arce at coresecurity.com>
> Organization: Core Security Technologies
> To: winpcap-users at winpcap.org
> CC: accounts at sandmik.net
> References: <44D1D82F.6090102 at RedTile.Com> <44E02F9F.6080600 at sandmik.net>
> <44E0FE4A.7020009 at RedTile.Com> <015c01c6bfff$87ac0080$6b36a8c0 at ace>
> Hello,
> There are mode that just "small differences" depending on what and why
> you're looking at this  problem. Almost 8 years ago I worked developing
> one of the first commercial honeypot software packages for a big security
> vendor, the software had to mimic the behavior of a handful of  TCP/IP
> stacks (Windows NT4, Cisco IOS, solaris 2.x , FreeBSD, SunOS 4.x, etc).
> There were more that 200 documented behavioral differences among the
> TCP/IP stacks of those systems (unfortunately the paper detailing them had
> never seen the public light).
> To clarify: Not ~200 "problem packets" but differences in how those TCP/IP
> stacks operated on exactly the same traffic
> Tools such as nmap (http://insecure.org/nmap/) and p0f
> (http://lcamtuf.coredump.cx/p0f.shtml) take advantage of some of these
> behavioral differences to infer the operating system running on a remote 
> host.
> A good paper that explains how and why these differences are a problem in
> the security world is the classic Tim&Tom on defeating Intrusion Detection
> Systems:
> "Insertion, Evasion and Denial of Service; eluding Network Intrusion
> Detection", Tim Newsham & Thomas Ptacek, Jan 1998.
> http://insecure.org/stf/secnet_ids/secnet_ids.pdf
> A good tool to some testing and possibly extend to include more features
> is fragrouter with was originally at http://monkey.org/~dugsong/fragroute/
> but possibly there are more recent versions
> To craft and send packets quickly you can use the excellent Python package
> Scapy from Philippe Biondi:
> http://www.secdev.org/projects/scapy/
> Or our own Pcapy/Impacket combo (although most likely you'd need a bit of
> Python coding of your own):
> http://oss.coresecurity.com/projects/impacket.html
> -ivan
> David Chang wrote:
>> Ralph,
>> I'm sure that different implementations of TCP/IP have small differences
>> in the way they handle packets.  However, for the vast majority of real
>> world situations, TCP/IP is well documented in RFC 791 & 793.  In
>> addition, books like TCP/IP Illustrated by W. Richard Stevens cover the
>> protocol in great detail.  Using these resources, one can write a TCP/IP
>> re-assembly engine. I don't think there is a "standard" implementation
>> (or algorithm) for re-assembly but rather a list of possible problem
>> packets to handle. Looking at the libnids website
>> (libnids.sourceforge.net), they mention a test suite that their
>> re-assembly engine passed (libnids.sourceforge.net/TESTS).  Maybe you
>> can contact them to find out how they conducted their tests.  Or, maybe
>> you can just use their engine.
>> DC
>> ----- Original Message ----- From: "Thomas O'Hare" <Tom at RedTile.Com>
>> To: <winpcap-users at winpcap.org>
>> Sent: Monday, August 14, 2006 3:50 PM
>> Subject: Re: [Winpcap-users] TCP/IP stack reassembly
>>> Ralph
>>> I will go out on a limb here and anyone else is free to jump in...
>>> The nature of TCP/IP is a "connection oriented" protocol.  Which mean a
>>> real connection exists between 2 hosts.  If the protocol stack is
>>> anywhere near what it should be, then if there are problems with packets
>>> the sending host is supposed to resend the problem data.
>>> So trying to recover and re-assemble packets seems to me to be
>>> defeating, or at least making a lot more work for something that is
>>> supposed to be done for you anyway by the stack.
>>> If I totally missed the boat, then please explain a little further.
>>> But it is late here, I am tired and so I am at a loss as to why you want
>>> to work so hard...
>>> Thanks,
>>> ~ Thomas O'Hare ~
>>> President, RedTile, Inc. - DBA: RedTile Software
>>> Web, Wireless, Network, Database & Systems Software
>>> +1.407.295.9148 ; +49.8651.717950 ; http://www.RedTile.Com/
>>> Operations Manager; Virtual FoxPro User Group
>>> Tom at VFUG.Org ; http://www.VFUG.Org/
>>> Accounts wrote:
>>>> Hi All,
>>>>    I believe this question was asked before without a clear answer. Is
>>>> there a definite or a standard way/library of reassembling the tcp/ip
>>>> stack from the sniffed packets?
>>>>    I wanted to write one myself but the biggest problem that I have
>>>> faced is debugging, is there a software out there that can simulate
>>>> sending packets on demand (like fragmented and oob...) so that it could
>>>> aid in the development and debugging of a code that does the 
>>>> reassembly?
>>>>    Thank you all.
>>>>    Ralph.
> ---
> "Buy the ticket, take the ride" -HST
> Ivan Arce
> http://www.coresecurity.com
> PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A

More information about the Winpcap-users mailing list