Comments (7)
Thank you @merlinthemagic
I have tested your suggestion with GRE packet decapsulation. It works well.
I do not have a TZSP PCAP now, but I think I can filter it the same way.
For my current needs, it will be enough.
If there are no plans to remove the variable header using the tzsp2pcap utility, then we can close the ticket.
from tzsp2pcap.
@sergey-safarov Once you have a standard PCAP you can apply any number of tools to slice and dice the capture. May I suggest you filter the pcap through tshark to get the subset you are looking for.
from tzsp2pcap.
Not all utilities understand the TZSP protocol.
I use SIP troubleshooting software like sngrep and others. This software is not able to parse a manually filtered PCAP because of the TZSP-encapsulated packets.
So it looks simpler to read not only from the network interface but also from a PCAP file.
from tzsp2pcap.
Hi @sergey-safarov ,
To clarify: you capture packet flows using other tools, and these tools cannot decode TZSP, so you end up with a pcap containing TZSP frames.
You want to pass those pcap files through "something" that will strip the TZSP headers and output the encapsulated payload into a new pcap?
from tzsp2pcap.
> You want to pass those pcap files through "something" that will strip the TZSP headers and output the encapsulated payload into a new pcap?

Yes, I am looking for a decapsulation tool.
The produced PCAP files will be used with other analysis tools.
from tzsp2pcap.
Try this:
tshark -r original.pcap -Y udp.dstport==37008 -w tzspOnly.pcap && editcap -C 47 tzspOnly.pcap tzspDecoded.pcap
tshark and editcap are part of Wireshark. The above assumes IPv4 and that your TZSP frames are streaming on UDP:37008, but you can adjust them to fit your specific needs.
Stripping the headers with a static offset works as long as whatever generates the TZSP frames uses a fixed "Tagged Fields" header. However, this header is a variable-length field, so if you have to ingest varying sets of tagged fields a bit more logic has to be added. But it could be pretty easily accomplished in a loop.
Ethernet header: 14 bytes
IP header: 20 bytes
UDP header: 8 bytes
TZSP header: 5 bytes
Total: 47 bytes
from tzsp2pcap.
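The loop mentioned in the comment above for variable-length tagged fields, as an added example that is not part of the original thread or of tzsp2pcap's own code. It assumes Ethernet/IPv4/UDP on port 37008 as in the comment, and a TZSP layout of a 4-byte fixed header followed by tags in which padding (0) and end (1) carry no length byte; `sample_frame` and its addresses are constructed test input.

```python
import struct

TZSP_PORT = 37008              # UDP port from the tshark filter in the thread
TAG_PADDING, TAG_END = 0, 1    # the only tags without a length byte

def tzsp_payload_offset(datagram: bytes) -> int:
    """Offset of the encapsulated frame inside one TZSP datagram (UDP payload)."""
    pos = 4                    # fixed part: version, type, encapsulated protocol (2)
    while pos < len(datagram):
        tag = datagram[pos]
        if tag == TAG_END:
            return pos + 1
        if tag == TAG_PADDING:
            pos += 1
        elif pos + 1 < len(datagram):
            pos += 2 + datagram[pos + 1]   # tag byte, length byte, value
        else:
            break              # tag with no room for its length byte
    raise ValueError("truncated TZSP header: no END tag found")

def strip_tzsp(frame: bytes) -> bytes:
    """Ethernet/IPv4/UDP/TZSP frame -> encapsulated frame; ValueError otherwise."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    udp = 14 + (frame[14] & 0x0F) * 4      # honour IP options instead of assuming 20
    if frame[23] != 17 or len(frame) < udp + 8:
        raise ValueError("not UDP")
    dport, ulen = struct.unpack("!HH", frame[udp + 2:udp + 6])
    if dport != TZSP_PORT:
        raise ValueError("not the TZSP port")
    datagram = frame[udp + 8:udp + ulen]   # UDP length drops any Ethernet padding
    return datagram[tzsp_payload_offset(datagram):]

def sample_frame(tags: bytes, inner: bytes) -> bytes:
    """Constructed input: inner frame wrapped in TZSP/UDP/IPv4/Ethernet."""
    tzsp = b"\x01\x00\x00\x01" + tags + bytes([TAG_END]) + inner
    udp = struct.pack("!HHHH", 40000, TZSP_PORT, 8 + len(tzsp), 0) + tzsp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + udp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip

if __name__ == "__main__":
    inner = b"\xaa" * 14 + b"inner payload"               # constructed inner frame
    tags = b"\x0a\x01\xc5" + b"\x00" + b"\x12\x01\x06"    # two tagged fields + padding
    for frame in (sample_frame(b"", inner), sample_frame(tags, inner)):
        print(len(frame) - len(strip_tzsp(frame)), "header bytes stripped")
```

A datagram whose tag lengths run past the end of the buffer raises `ValueError` instead of returning a slice at a wrong offset, so malformed captures are rejected rather than silently mis-decoded.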
I got a recommendation to use tracewrangler for the packet edit tasks.
from tzsp2pcap.