Archive

Posts tagged 'WIRESHARK'

How to convert SPP into text2pcap readable format by python

Introduction

There used to be some internal tools that could decode SPP packets, but they no longer work. In some scenarios the customer cannot run a SPAN on our ASR9k, so SPP output is all we have, and then the question becomes how to decode the SPP result.

This article discusses how to convert the original SPP data into a format that text2pcap can read, and then decode it with text2pcap. The script does the conversion automatically. Before you start, you need Python 2.7 and text2pcap (bundled with Wireshark). With Python 3.0 or newer you may run into some issues, because a few functions behave slightly differently; you will need to adjust them yourself.

Solution

Original SPP data:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2017.12.04 17:12:19 =~=~=~=~=~=~=~=~=~=~=~=
trace p stop
Tracing stopped with 666 outstanding...
spp-ui> trace print
Packet serial 861
port4/classify:
  length 148 phys_int_index 0 next_ctx 0xdeadbeef time 09:10:41.407
  00: 00 70 72 00 00 08 00 65 7a 00 00 00 ff ff 00 07 
  10: 80 30 00 00 00 00 0f 00 00 00 1f 00 00 00 00 00 
  20: 00 70 05 f2 42 fb 00 00 04 00 01 40 07 01 05 27 
  30: 06 03 0e 06 00 00 00 00 4c 00 00 00 00 00 58 00 
  40: 00 00 00 00 00 00 06 01 00 a1 13 41 92 60 00 b2 
  50: 64 41 8a 4c 08 00 45 c0 00 3e 00 00 00 00 fe 11 
  60: c8 25 12 ac 79 0d 34 df d0 01 02 86 02 86 00 2a 
  70: 75 5a 00 01 00 1e 3f da a4 0f 00 00 01 00 00 14 
  80: 00 00 00 00 04 00 00 04 00 5a c0 00 04 01 00 04 
  90: 3f da a4 0f 00 00 00 00 00 00 00 00 00 00 00 00 
  a0: 00 00 00 17 00 08 05 01 00 00 af c8 00 24 14 01 
  b0: 01 08 3f da d0 46 20 00 01 08 3f da d0 42 20 00 
  c0: 01 08 3f da d0 41 20 00 01 08 3f da d0 07 20 00 
  d0: 00 08 13 01 00 00 08 00 00 20 cf 07 00 00 07 16 
  e0: 4d 50 4c 53 2d 54 45 20 74 6f 20 76 61 72 30 31 
  f0: 2e 6b 6c 70 30 32 00 00 00 0c 0b 07 3f df 04 08 
--------------------------

Compiling Wireshark 1.12

I had posted the same topic on Stack Overflow, which includes more detailed output:
Qt is not available error while compiling a wireshark 1.12

Now I am moving it to my blog for review.
I have an issue on RHEL 6.3, and I downloaded all the qt47 RPMs:

-rw-r--r--.  1 root root  4282888 Sep 22 06:32 qt47-4.7.1-3_15.el6.x86_64.rpm
-rw-r--r--.  1 root root 11458684 Sep 22 06:33 qt47-devel-4.7.1-3_15.el6.x86_64.rpm
-rw-r--r--.  1 root root    54076 Sep 22 06:32 qt47-sqlite-4.7.1-3_15.el6.x86_64.rpm
-rw-r--r--.  1 root root  5374988 Sep 22 06:33 qt47-webkit-4.7.1-3_15.el6.x86_64.rpm
-rw-r--r--.  1 root root 13297200 Sep 22 06:34 qt47-x11-4.7.1-3_15.el6.x86_64.rpm

When installing them, it reports a conflict with libjpeg-turbo:

How to capture packets that dropped by NP/CPU?

We discussed earlier that on XR, when we run into problems with TCP/UDP and RAW traffic exchanged with the device itself, we can capture it with the method below and then analyze it (see "How to decode TCP, UDP and RAW for IOS-XR"). On the 76/65 we can use Netdr, ELAM, CPU SPAN and PB capture; is there a similarly handy tool on our ASR9k? The answer is of course yes: on the ASR9k there are two ways to capture packets punted to the CPU:

1. Since 4.3.1, XR supports NP Monitor

For details, see the following article: https://supportforums.cisco.com/docs/DOC-29010
The thing to watch for here is: Note that a captured packet will be DROPPED!
So when choosing the counter to monitor, be sure to pick a genuine drop counter, and do not monitor a normal counter, otherwise forwarding will be affected. I don't have a test environment at the moment, so I can't post detailed test steps; the document is very clear, see the document above for details.

2. Via SPP monitor, which is specific to the ASR9k

Below is a capture example:

Wireshark Tips, Part 3: Using text2pcap to convert hex text to pcap

As engineers, we often capture packets to analyze their structure, but sometimes what we capture is a raw dump that has not been decoded, so it cannot be read directly. For example, outbound packets captured with Netdr on the 65/76 only show the Layer 2 information; the Layer 3 information is not visible. Sometimes we need that information, so we want to infer the Layer 3 details from the Layer 3 payload. That brings us to the decoding step: how do we turn hexadecimal data into readable output? There are many ways to convert it; here I will use the small tool "text2pcap" to do the job.

------- dump of outgoing inband packet -------
interface Gi3/0/1, routine cwan_fastsend, timestamp 00:00:41
dbus info: src_vlan 0x3FD(1021), src_indx 0x380(896), len 0x50(80)
  bpdu 0, index_dir 1, flood 0, dont_lrn 1, dest_indx 0xBF(191)
  06028018 03FD7800 03800000 50000000 00000000 00000000 00000000 00BF0000
mistral hdr: req_token 0x0(0), src_index 0x380(896), rx_offset 0x30(48)
  requeue 0, obl_pkt 0, vlan 0x0(0)
destmac 01.00.5E.00.00.02, srcmac 00.1B.0D.E6.F0.C0, protocol 0800
layer 3 data: 45C0003E 00000000 01115469 42424242 E0000002 02860286
              002A84B4 0001001E 02020202 00000100 00140000 00000400
              0004000F 00000401 000003FD 00000141 00000000 080C


Wireshark Tips, Part 2: Using "IO Graphs" to analyze data and produce charts

When troubleshooting, we often need to capture and analyze packets.
Sometimes we also need to work out the problem and present it to the customer,
and not just verbally or as raw data.
If we can filter the raw data and present it to the customer as a chart, it better reflects the quality and standard of the work.

That is where a very handy Wireshark tool, "IO Graphs", comes in.