Yesterday I looked at the traffic in my home lab and found that about 1% of it was odd. Before I describe the oddity, let me show you a normal frame for comparison.
This is a normal frame with Ethernet II encapsulation. It starts with the 6 bytes of the destination MAC address, the 6 bytes of the source MAC address and the 2 bytes of the EtherType, which in this case is 0x0800, indicating that an IP packet follows the Ethernet header. There is no TCP payload because it is an ACK segment.
Here is how it looks in Tshark.
tshark -Vx -r frame4238.pcap
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: May  7, 2019 18:19:10.071831000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1557253150.071831000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
Ethernet II, Src: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb), Dst: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
    Destination: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
        Address: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb)
        Address: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.4.96, Dst: 52.21.18.219
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 52
    Identification: 0xd98c (55692)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x553f [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.4.96
    Destination: 52.21.18.219
Transmission Control Protocol, Src Port: 38828, Dst Port: 443, Seq: 1, Ack: 1, Len: 0
    Source Port: 38828
    Destination Port: 443
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 1    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······A····]
    Window size value: 296
    [Calculated window size: 296]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x08b0 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Timestamps: TSval 26210782, TSecr 2652693036
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 26210782
            Timestamp echo reply: 2652693036
    [Timestamps]
        [Time since first frame in this TCP stream: 0.000000000 seconds]

0000  fc ec da 49 e0 10 38 ba f8 12 7d bb 08 00 45 00   ...I..8...}...E.
0010  00 34 d9 8c 40 00 40 06 55 3f c0 a8 04 60 34 15   .4..@.@.U?...`4.
0020  12 db 97 ac 01 bb e3 42 2a 57 83 49 c2 ea 80 10   .......B*W.I....
0030  01 28 08 b0 00 00 01 01 08 0a 01 8f f1 de 9e 1c   .(..............
0040  e2 2c                                             .,
You can see that Wireshark understands what it sees. It decodes the IP and TCP headers.
So far, so good. Here is an example of the odd traffic I saw.
Here is how Tshark sees it.
tshark -Vx -r frame4241.pcap
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: May  7, 2019 18:19:10.073296000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1557253150.073296000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:llc:data]
IEEE 802.3 Ethernet
    Destination: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
        Address: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb)
        Address: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Length: 56
        [Expert Info (Error/Malformed): Length field value goes past the end of the payload]
            [Length field value goes past the end of the payload]
            [Severity level: Error]
            [Group: Malformed]
Logical-Link Control
    DSAP: Unknown (0x45)
        0100 010. = SAP: Unknown
        .... ...1 = IG Bit: Group
    SSAP: LLC Sub-Layer Management (0x02)
        0000 001. = SAP: LLC Sub-Layer Management
        .... ...0 = CR Bit: Command
    Control field: U, func=Unknown (0x0B)
        000. 10.. = Command: Unknown (0x02)
        .... ..11 = Frame type: Unnumbered frame (0x3)
Data (49 bytes)
    Data: 84d98d86b5400649eec0a80460341512db97ac0d0be3422a…
    [Length: 49]

0000  fc ec da 49 e0 10 38 ba f8 12 7d bb 00 38 45 02   ...I..8...}..8E.
0010  0b 84 d9 8d 86 b5 40 06 49 ee c0 a8 04 60 34 15   ......@.I....`4.
0020  12 db 97 ac 0d 0b e3 42 2a 57 83 49 c2 ea c8 ec   .......B*W.I....
0030  01 28 17 6f 00 00 01 01 08 0a 01 8f f1 de ed 7f   .(.o............
0040  a5 4a                                             .J
What is the problem? This frame starts with the 6 bytes of the destination MAC address and the 6 bytes of the source MAC address, as we saw above. However, the next two bytes are 0x0038, which is not the 0x0800 EtherType we saw earlier. 0x0038 is 56 in decimal, which appears to be a length field (although the frame is 66 bytes in total).
Wireshark decides to treat this frame not as Ethernet II but as IEEE 802.3 Ethernet. I had to look in Appendix A of my first book to find out what that meant.
For comparison, here is the frame format for Ethernet II (page 664):
This is what we saw earlier in frame 4238: Dst MAC, Src MAC, EtherType and then Data.
This is the frame format for IEEE 802.3 Ethernet.
It is more involved: Dst MAC, Src MAC, Length and then DSAP, SSAP, Control and Data.
It turns out that this format also does not match what is happening in frame 4241. Although the length field seems to be in the ballpark, Wireshark's assumption that the following bytes are DSAP, SSAP, Control and Data does not hold. The clue for me was that 0x45 followed the presumed length field. I recognized 0x45 as the start of an IP header: the 4 means IPv4 and the 5 is the header length in 32-bit words (20 bytes), exactly as the decode of frame 4238 shows.
A manual byte-by-byte comparison helps us understand what is going on with these two frames. (In one case I split the 0x45 byte into two nibbles.)
Note that I have printed in bold the parts of each frame that match exactly.
This analysis shows that the two frames are very similar, especially in places where I would not expect it. This made me believe that frame 4241 was a corrupted version of frame 4238.
I can imagine the frames sharing MAC addresses, IP addresses and some default IP and TCP settings. What is unusual, though, is that they have the same source port (38828) but different destination ports (443 and 3339). Most significantly, they have the same TCP sequence and acknowledgment numbers. They also carry the same source timestamp (TSval).
Note one field that I did not put in bold because the values are not identical: the IP ID. Frame 4238 has 0xd98c and frame 4241 has 0xd98d. The IP ID incremented by exactly one made me believe that frame 4241 was a corrupted retransmission, at the IP level, of the same TCP segment.
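As an added example that is not part of the original post, the script below does the byte-by-byte comparison programmatically and then decodes frame 4241 the way the post suggests: Dst MAC, Src MAC, a length field, and an IPv4 header followed directly by the TCP header (no LLC). The frame bytes are copied from the two hex dumps above; the function names and the keys of the returned dict are my own.

```python
import struct

# Frame bytes copied from the two tshark -x dumps above (4238 is the normal ACK, 4241 the odd one).
FRAME_4238 = bytes.fromhex(
    "fcecda49e01038baf8127dbb08004500" "0034d98c40004006553fc0a804603415"
    "12db97ac01bbe3422a578349c2ea8010" "012808b000000101080a018ff1de9e1c" "e22c")
FRAME_4241 = bytes.fromhex(
    "fcecda49e01038baf8127dbb00384502" "0b84d98d86b5400649eec0a804603415"
    "12db97ac0d0be3422a578349c2eac8ec" "0128176f00000101080a018ff1deed7f" "a54a")

def differing_offsets(a, b):
    """Byte offsets where the two frames differ (the comparison the post did by hand)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def tcp_timestamps(options):
    """Walk TCP options; return (TSval, TSecr), or (None, None) if there is no timestamp option."""
    i = 0
    while i + 1 < len(options):
        kind = options[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP has no length byte
            i += 1
            continue
        length = options[i + 1]
        if kind == 8 and length == 10:      # Timestamps: kind, len, TSval, TSecr
            return struct.unpack("!II", options[i + 2:i + 10])
        i += max(length, 2)                 # never loop forever on a zero length
    return None, None

def decode_raw(frame):
    """Dst MAC, Src MAC, EtherType or 802.3 length, then IPv4 + TCP right after it (the post's raw-802.3 reading)."""
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id, _frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4        # a corrupted offset may overrun the frame; slicing clamps it
    tsval, tsecr = tcp_timestamps(tcp[20:data_off])
    return {"encap": "Ethernet II" if type_or_len >= 0x0600 else "802.3 length",
            "len_or_type": type_or_len, "ip_version": ip[0] >> 4, "ip_id": ip_id,
            "ip_total_len": total_len, "ttl": ttl, "proto": proto, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "window": win, "tcp_flags": off_flags & 0x1FF,
            "tsval": tsval, "tsecr": tsecr}

if __name__ == "__main__":
    print(decode_raw(FRAME_4238), decode_raw(FRAME_4241), sep="\n")
    print("offsets that differ:", differing_offsets(FRAME_4238, FRAME_4241))
```

Run stand-alone it prints both decodes and the 20 offsets that differ; the sequence number, acknowledgment number, window and TSval come out identical in both frames, while the IP ID, destination port and TSecr do not.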
But I really do not know what to make of it. These frames were captured by netsniff-ng in a Linux 16.04 VirtualBox VM. Is it a problem with netsniff-ng, Linux, VirtualBox, or the Linux host operating system running VirtualBox?
I would like to thank the people at ask.wireshark.org for their help in trying to decode these (and other) frames as raw 802.3 Ethernet. What is that? It is essentially the format Novell uses with IPX, where the frame is Dst MAC, Src MAC, Length, Data.
I wanted to see if I could get Wireshark to decode the odd frames as raw 802.3 Ethernet instead of IEEE 802.3 Ethernet with LLC headers.
Sake Blok kindly suggested that I change the link-layer type in the pcap to User0 and then tell Wireshark how to interpret the frames. I did so following his instructions:
$ editcap -T user0 Extract-user0.pcap
Then I opened the trace in Wireshark and saw frame 4241 (here frame 3) as shown below:
DLT 147 is the link-layer type for User0. Wireshark does not know how to decode it. We fix this by right-clicking on the yellow field and choosing Protocol Preferences -> Open DLT User preferences:
Next I created an entry for User 0 (DLT=147) with a payload protocol of ip and a header size of 14, as shown in the figure:
After I clicked OK, I returned to Wireshark. This is how frame 4241 appeared (again shown here as frame 3):
You can see that Wireshark now recognizes an IP header, but it does not know what to do with the TCP header that follows. I tried various values and options to get Wireshark to understand the TCP header too, but this was far enough for my needs.
The bottom line is that I think there is some sort of packet capture problem, either with the software used or with the traffic delivered to that software via the bridged NIC created by VirtualBox. Since this is a lab environment and the traffic is 1% of the total collected, I am not worried about the results.
I am fairly sure this weird traffic is not on the wire. I tried capturing on a sniffing NIC on the host operating system and did not see anything like it.
Have you seen anything like this before? Let me know in the comments on Twitter.
PS: I found the Wireshark display filters frame.number==X and frame.len>Y useful in investigating this activity.