wireshark decode retransmissions duplicate-address-frame

Configure Wireshark:
- show columns:
1. Ethernet destination
2. Ethernet source

Detecting ARP duplicate addresses

arp.duplicate-address-frame

2. Ethernet source

F2 99 = GATEWAY OR ATTACKER
D0 03
44 01
The attacker changes the traffic between the client and the server, so you need to check every packet the attacker passes on to the client for modifications.
After you have filtered the individual conversations, focus on the duplicate packets. You need to compare each pair of packets to find the change the attacker made. Focus on the HTTP messages, both the requests and the responses.
To make the task easier, you can use the TCP checksums to compare the payload. Go to Edit->Preferences->User Interface->Columns, add a new column, select the Custom field type and set the Field name to tcp.checksum. Drag the new column before the Info column. Click OK.
Now you can find the original packet and the one marked as TCP Retransmission and easily compare the checksums. You will find that the HTTP answer (packets 36 and 38) differs.
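As an added example (not code from the post), the check above reconstructed in Python: the value Wireshark shows in the tcp.checksum column is computed over constructed segments, and each frame is paired with the earlier frame carrying the same connection and sequence number (what Wireshark marks as TCP Retransmission) so that pairs whose checksums differ are reported. Addresses, ports, payloads and frame numbers are constructed, not taken from the post's capture.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length data is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int = 0x18) -> bytes:
    """Minimal 20-byte TCP header (default PSH+ACK, no options); checksum and urgent pointer zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)

def tcp_checksum(src_ip: str, dst_ip: str, header: bytes, payload: bytes) -> int:
    """The value Wireshark shows as tcp.checksum: IPv4 pseudo-header + TCP header + payload,
    with the header's own checksum field (bytes 16-17) zeroed while computing."""
    ip2b = lambda ip: bytes(int(o) for o in ip.split("."))
    pseudo = ip2b(src_ip) + ip2b(dst_ip) + struct.pack("!BBH", 0, 6, len(header) + len(payload))
    return internet_checksum(pseudo + header[:16] + b"\x00\x00" + header[18:] + payload)

def find_modified_retransmissions(frames):
    """Pair each frame with the earlier frame that has the same 4-tuple and sequence number
    (what Wireshark labels 'TCP Retransmission') and report pairs whose checksums differ."""
    first_seen, findings = {}, []
    for f in frames:
        key = (f["src"], f["dst"], f["sport"], f["dport"], f["seq"])
        hdr = tcp_header(f["sport"], f["dport"], f["seq"], f["ack"])
        csum = tcp_checksum(f["src"], f["dst"], hdr, f["payload"])
        if key in first_seen and first_seen[key][1] != csum:
            findings.append((first_seen[key][0], f["no"], first_seen[key][1], csum))
        first_seen.setdefault(key, (f["no"], csum))
    return findings

# Constructed sample trace (not the post's capture): server 10.0.0.5:80 answers client
# 10.0.0.10:51234. Frame 38 repeats frame 36's segment with an altered body; frames 40
# and 42 are an ordinary retransmission carrying identical data and must not be flagged.
OK = b"HTTP/1.1 200 OK\r\nContent-Length: 17\r\n\r\n"
SRV = dict(src="10.0.0.5", dst="10.0.0.10", sport=80, dport=51234)
FRAMES = [
    dict(SRV, no=36, seq=1, ack=101, payload=OK + b"Content: original"),
    dict(SRV, no=38, seq=1, ack=101, payload=OK + b"Content: tampered"),
    dict(SRV, no=40, seq=57, ack=101, payload=b"<!-- trailer -->"),
    dict(SRV, no=42, seq=57, ack=101, payload=b"<!-- trailer -->"),
]

if __name__ == "__main__":
    for a, b, c1, c2 in find_modified_retransmissions(FRAMES):
        print(f"frames {a} and {b}: tcp.checksum 0x{c1:04x} vs 0x{c2:04x}")
```

If a capture is taken on the sending host with checksum offload enabled, tcp.checksum can be zero or wrong for that host's own packets, so a capture from a gateway or mirror port, as in this post, is the reliable place to compare them. Comparing the payload bytes directly is the robust fallback when the checksums cannot be trusted.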

Note: remember to reconfigure Wireshark so that it decodes the packets as TCP Retransmission.
The cap was captured with the trace tool we are using in our gateway. Problem solved. Unchecked "Analyse TCP sequences" in the TCP preferences.



