Pcap File Parsing (III): Splitting SCTP Packets

Source: Internet
Author: User

In this chapter we look at the structure of an SCTP packet, briefly introduce the SCTP protocol, and finally split an SCTP packet that carries multiple chunks into separate SCTP packets.

Sctp data packets

Data Header

ETH Information

IP Header

Sctp Header

Sctp chunk 1

......

Sctp chunk n

The data headers and IP headers have been introduced before. Here, we will briefly introduce ETH information.

    // Ethernet information
    typedef struct _ethernet_info
    {
        byte destmac[6];   // destination MAC address
        byte srcmac[6];    // source MAC address
        __int16 itype;     // protocol type (0x0800 = IP)
    } __ethernetinfo;

destmac: MAC address of the destination host

srcmac: MAC address of the source host

itype: protocol type; IP is 0x0800

SCTP Overview

An SCTP packet consists of a common header and several chunks (data blocks). Each chunk can carry either control information or user data. Except for INIT, INIT ACK, and SHUTDOWN COMPLETE chunks, multiple chunks of other types can be bundled into one SCTP packet, subject to the MTU size. A chunk may also be sent on its own, without being bundled with other chunks. If a user message does not fit into one SCTP packet, the message can be divided into several chunks.

SCTP Header

The SCTP common header contains the source port number, destination port number, verification tag, and checksum.

1. Source Port Number (16 bits)

The source port number identifies the SCTP port of the sending endpoint. The receiver can use the source port number, source IP address, destination port number, and destination IP address to identify the association to which the SCTP packet belongs.

2. Destination Port Number (16 bits)

The destination port number is the SCTP port of the destination endpoint. The receiving host uses the destination port number to demultiplex the SCTP packet to the correct endpoint or application.

3. Verification Tag (32 bits)

The verification tag is a random identifier that the local endpoint generates for the association when the association is created. The two sides exchange their tags while the association is being established. When data is transferred, the sender must include this tag in the common header so that the receiver can verify it.

4. Checksum (32 bits)

SCTP applies the Adler-32 algorithm to the user data to compute a 32-bit checksum, which is carried in the packet. The receiving end performs the same computation and checks whether the two checksums are equal to determine whether the user data was damaged.

Chunk (Data Block)

A chunk consists of the chunk type, chunk flags, chunk length, and chunk value.

1. Chunk Type (8 bits)

The chunk type defines the type of the message carried in the chunk value.

0 DATA: user data chunk, used for data transmission.
1 INIT: initiates an SCTP association between two endpoints.
2 INIT ACK: acknowledges the initiation message (INIT) of an SCTP association.
3 SACK: sent to the peer to acknowledge received DATA chunks and to report gaps in the received sequence of DATA chunks.
4 HEARTBEAT: sent by an endpoint to its peer to test the reachability of a destination address defined in the current association.
5 HEARTBEAT ACK: response to a HEARTBEAT message.
6 ABORT: closes the association.
7 SHUTDOWN: sent by one endpoint of an association to initiate a graceful close of that association.
8 SHUTDOWN ACK: response to the SHUTDOWN message, sent when the shutdown procedure completes.
9 ERROR: notifies the peer that an error occurred in the SCTP association.
10 COOKIE ECHO: used only during association initiation; sent by the initiator to the peer to complete the initiation process.
11 COOKIE ACK: acknowledgement of the cookie, in reply to COOKIE ECHO.
12 ECNE: reserved, for Explicit Congestion Notification Echo.
13 CWR: reserved, for Congestion Window Reduced.
14 SHUTDOWN COMPLETE: acknowledges the SHUTDOWN ACK message when the shutdown procedure completes.
15-62 Reserved by the IETF.
63 IETF-defined chunk extensions.
64-126 Reserved by the IETF.
127 IETF-defined chunk extensions.
128-190 Reserved by the IETF.
191 IETF-defined chunk extensions.
192-254 Reserved by the IETF.
255 IETF-defined chunk extensions.

If the receiving endpoint does not recognize a chunk type, the two highest-order bits of the chunk type identify the action it must take.

Highest two bits    Meaning

00 Stop processing this SCTP packet and discard it; do not process any further chunks in it.
01 Stop processing this SCTP packet and discard it; do not process any further chunks in it, and return the unrecognized parameter to the originating endpoint in an "ERROR" or "INIT ACK".
10 Skip this chunk and continue processing.
11 Skip this chunk and continue processing, and return the unrecognized parameter to the originating endpoint in an "ERROR" or "INIT ACK".

2. Chunk Flags (8 bits)

The use of the chunk flags depends on the chunk type. Unless otherwise specified, the chunk flags are set to 0 on transmission and the receiving endpoint ignores them.

For definitions, see http :\\

3. Chunk Length (16 bits)

The chunk length covers the chunk type, chunk flags, chunk length, and chunk value fields.

4. Chunk Value (variable length)

The chunk value carries the actual information transferred in the chunk. Its content is determined by the chunk type, and its length is not fixed.
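The chunk layout and the two-highest-bits rule described above translate into a bounds-checked chunk walk. This C code is an added example, not code from the original article; the names chunk_view, walk_sctp_chunks, unknown_chunk_action and sample_pkt are hypothetical. It goes beyond the text in one respect: it assumes the SCTP rule that every chunk is padded to a 4-byte boundary while the length field excludes the padding.

```c
#include <stddef.h>
#include <stdint.h>

#define SCTP_HDR_LEN  12    /* ports 2+2, verification tag 4, checksum 4 */
#define CHUNK_HDR_LEN 4     /* type 1, flags 1, length 2 */

typedef struct {            /* hypothetical view of one chunk in the buffer */
    uint8_t type, flags;
    uint16_t length;        /* wire value: header + value, padding excluded */
    const uint8_t *value;
} chunk_view;

/* Action for an unrecognized chunk type: its two highest-order bits (0..3). */
static int unknown_chunk_action(uint8_t type) { return type >> 6; }

/* Walk the chunks of one SCTP packet (buf starts at the common header). Returns
 * the chunk count, or -1 if malformed or more than max_out chunks are present. */
static int walk_sctp_chunks(const uint8_t *buf, size_t len,
                            chunk_view *out, int max_out)
{
    size_t off = SCTP_HDR_LEN;
    int n = 0;
    if (len < SCTP_HDR_LEN)
        return -1;
    while (off < len) {
        if (len - off < CHUNK_HDR_LEN || n == max_out)
            return -1;      /* truncated chunk header, or out[] is full */
        size_t clen = ((size_t)buf[off + 2] << 8) | buf[off + 3]; /* big-endian */
        if (clen < CHUNK_HDR_LEN || clen > len - off)
            return -1;      /* too short stalls the walk, too long overruns buf */
        out[n++] = (chunk_view){ buf[off], buf[off + 1], (uint16_t)clen,
                                 buf + off + CHUNK_HDR_LEN };
        off += (clen + 3) & ~(size_t)3;   /* next chunk is 4-byte aligned */
    }
    return n;
}

/* Constructed packet: COOKIE ACK (11), unknown 0xC1 (length 6 + 2 pad), SHUTDOWN ACK (8). */
static const uint8_t sample_pkt[] = {
    0x0b,0x59, 0x0b,0x59, 0,0,0,1, 0,0,0,0,          /* common header */
    11,0,0,4,   0xC1,0,0,6, 0xAA,0xBB, 0,0,   8,0,0,4
};

int main(void)
{
    chunk_view cv[8];
    int n = walk_sctp_chunks(sample_pkt, sizeof sample_pkt, cv, 8);
    return (n == 3 && unknown_chunk_action(cv[1].type) == 3) ? 0 : 1;
}
```

A length field of 0 or a length that runs past the captured bytes makes the walk return -1 instead of looping or reading outside the buffer.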

SCTP struct Definition

    // SCTP common header
    typedef struct _sctp_header
    {
        __int16 srcport;     // source port number
        __int16 dstport;     // destination port number
        __int32 ivertag;     // verification tag
        __int32 ichecksum;   // checksum
    } __sctpheader;

    // chunk header
    typedef struct _bytes
    {
        byte type;           // chunk type
        byte flag;           // chunk flags
        __int16 ilength;     // chunk length (header + value)
    } __sctpchunkheader;

    // single SCTP chunk
    typedef struct _sctp_chunk
    {
        __sctpchunkheader header;
        byte *pdata;         // chunk value
    } __sctpchunk;

Split sctp data blocks

The following code reads the packets one by one. When a packet is SCTP, its chunks are split.

    #include <stdio.h>
    #include <stdlib.h>

    // The pcap helper functions and the __pcap_header, __pk_header and
    // __ip_header types come from the earlier chapters and the source download.
    int main()
    {
        __pcap_header header;
        int ino = 1;

        // open the source file and the output file
        if (!openpcapfile("sctp.pcap") || !openoutfile("export.pcap"))
        {
            return 1;
        }

        // get the file header
        getpcapheader(&header);
        // write the file header
        writefileheader(&header);

        movefirst();
        while (!ieeof())
        {
            __pk_header data;
            __ip_header ipdata;
            __ethernetinfo ethinfo;
            byte *pbuffer;

            // get the next packet
            getpacketandmovenext(&data, &pbuffer);
            // get the Ethernet information
            getethernetinfo(&ethinfo, pbuffer, 0);
            // get the IP information
            getipdata(&ipdata, pbuffer, sizeof(__ethernetinfo));

            // SCTP = 132
            if (ipdata.byteprotocol == 132)
            {
                // offset of the SCTP header and of the first chunk
                int ioffset = sizeof(__ethernetinfo) + ipdata.bytehdlength * 4;
                int ichunkoffset = ioffset + sizeof(__sctpheader);
                __sctpheader sctpheader;
                __sctpchunk sctpchunkarr[max_chunk_num];
                // number of chunks currently saved
                int ichunknum = 0;
                // total length of the chunks currently saved
                int ilenght = 0;

                // get the SCTP header
                getsctpheader(&sctpheader, pbuffer, ioffset);

                while (true)
                {
                    // chunk currently being read
                    __sctpchunk sctpchunk;
                    // loop index
                    int i = 0;

                    getsctpchunk(&sctpchunk, pbuffer, ichunkoffset);

                    // a length smaller than the chunk header is malformed and
                    // would keep ichunkoffset from advancing
                    if (sctpchunk.header.ilength < (int)sizeof(__sctpchunkheader))
                    {
                        break;
                    }

                    if (sctpchunk.header.type == 0)
                    {
                        // DATA chunk: create a new packet and write the chunk information
                        writepkheader(&data, ilenght + sctpchunk.header.ilength + length_sctpallheader(ipdata));
                        writeethinfo(&ethinfo);
                        writeipheader(&ipdata, ilenght + sctpchunk.header.ilength + vertex(ipdata));
                        writesctpheader(&sctpheader);
                        for (i = 0; i < ichunknum; i++)
                        {
                            writesctpchunk(sctpchunkarr + i);
                        }
                        writesctpchunk(&sctpchunk);
                        ichunknum = ilenght = 0;
                    }
                    else
                    {
                        // the current chunk is not a DATA chunk: save it
                        if (ichunknum >= max_chunk_num)
                        {
                            break;   // more chunks than sctpchunkarr can hold
                        }
                        sctpchunkarr[ichunknum++] = sctpchunk;
                        ilenght += sctpchunk.header.ilength;
                    }

                    ichunkoffset += sctpchunk.header.ilength;
                    if (ichunkoffset >= ipdata.itotallength - (ipdata.bytehdlength & 0x0f) * 4)
                    {
                        if (ichunknum > 0)
                        {
                            // unwritten chunks remain: write them all to a new packet
                            if (sctpchunk.header.type != 0)
                                ilenght -= sctpchunk.header.ilength;
                            writepkheader(&data, ilenght + sctpchunk.header.ilength + length_sctpallheader(ipdata));
                            writeethinfo(&ethinfo);
                            writeipheader(&ipdata, ilenght + sctpchunk.header.ilength + vertex(ipdata));
                            writesctpheader(&sctpheader);
                            for (i = 0; i < ichunknum; i++)
                            {
                                writesctpchunk(sctpchunkarr + i);
                            }
                        }
                        break;
                    }
                }
            }
            free(pbuffer);
        }

        closeoutfile();
        closepcapfile();
        printf("export over");
        return 0;
    }

Source code download: http://download.csdn.net/detail/yhangleo/4998322

IP checksum calculation: http://blog.csdn.net/yhangleo/article/details/8508003