最新的wireshark可以直接识别出mptcp。

Wireshark is a widely used network analyzer that can capture network traffic, save the captured packets (*.pcap) for later analysis and most importantly helps with analyzing such packet traces. Wireshark supports many protocols, which means it is able to assign meaning to bytes (dissect in the wireshark nomenclature) and display it accordingly. In some cases as in the TCP dissector, Wireshark even builds some state to provide expert information, for instance to identify TCP retransmissions. So far, Wireshark supported stateless dissection of MPTCP, i.e., it could dissect MPTCP options correctly, without being able to identify Multipath TCP connections.

Since November 2015 and the following patch (i.e., starting from Wireshark >= 2.1), Wireshark now considers MPTCP as a separate protocol, and builds states for MPTCP as well, thus mimicking TCP dissection.

This means Wireshark is now able to (providing the matching features are enabled):

  • map TCP subflows (tcp.stream) to MPTCP connections (mptcp.stream, see also mptcp.analysis.subflows).
  • List MPTCP connections

  • identify the master subflows (*mptcp.master == 1*)
  • check for mistmatched key/tokens and key/initial sequence data number (ISN)
  • etc... start filtering packets with *mptcp.* and wireshark autocompletion should show the different possibilities

Full MPTCP dissection can be quite CPU-consuming, thus some options are disabled by default and can be enabled through the menu Edit -> Preferences -> Protocols ->MPTCP.

  • Display relative MPTCP sequence numbers substracts the ISN to Data Sequence Numbers. This works only if the initial packets with the keys (3 way handshake) are captured and the wireshark option tcp relative sequence numbers is enabled.
  • In depth analysis of data sequence signal (DSS) mappings tells wireshark to look for the packets which sent the DSS mappings that cover the current packet; wireshark then displays a clickable item that brings you to the packet. This feature enables the creation of interval trees (introduced especially for this feature), which should consume quite a bit of memory/CPU so use with care !
  • Check for data duplication across subflows is a feature that was intended to help detect opportunistic reinjections or redundant schedulers but this is mostly experimental so use with care.

http://blog.multipath-tcp.org/blog/html/2016/08/23/mptcp_analyzer.html

MPTCP in Wireshark(转)的更多相关文章

  1. MPTCP iperf 发包方式

    之前用的发包方式是发送大文件,用NC监测. 今天改了另外一种发包方式iperf,简单记录下. iperf发包,具体方法: 1.在终端中运行拓扑脚本: 运行py脚本:sudo python topy.p ...

  2. wireshark 相关提示

    Packet size limited during capture      提示说明标记的包没有抓全,在某些操作系统中,默认只抓96个字节,tcpdump中有"-s"参数可用于 ...

  3. Wireshark

    0. install Wireshark on Ubuntu 14 sudo apt-get install -y wireshark sudo addgroup -quiet -system wir ...

  4. 通过Wireshark抓包进行Cookie劫持

    首先在目标A机器上运行Wireshark并开启浏览器,开启前关闭其他占用网络的软件,这里我拿51CTO.com做测试. 正常登陆51CTO用户中心,此时使用 http.cookie and http. ...

  5. 运维之网络安全抓包—— WireShark 和 tcpdump

    ------------------------------------------------本文章只解释抓包工具的捕获器和过滤器的说明,以及简单使用,应付日常而已----------------- ...

  6. 【转】[fix] Wireshark error: There are no interfaces on which a capture can be done. on Mac OS X

    I got the following error message when trying to open a network interface for capture using Wireshar ...

  7. kali linux之窥看女神上网隐私(ettercap+wireshark+zenmap +dsniff)

    作者:小波 http://www.cnblogs.com/xiaobo-Linux/ 无聊就玩了玩,不要干一些坏事哟~~网上也有一些文章关于kali linux的,就实战了一番.kali是用的debi ...

  8. Ubuntu16.04 LTS下apt安装WireShark

    Ubuntu16.04 LTS下apt安装WireShark 安装与配置 首先通过apt安装WireShark: $ sudo apt install wireshark 会同时安装许多的依赖包,其中 ...

  9. wireshark lua脚本

    1.目的:解析rssp2协议   2.如何使用wireshark lua插件 将编写的(假设为rssp2.lua)lua文本,放入wireshark 安装目录下,放哪里都行只要dofile添加了路径. ...

随机推荐

  1. 找回Xcode7的代码折叠功能

    升级到Xcode7后,会发现代码折叠功能不见了,这是怎么回事? 其实这个功能还在的,用以下的快捷键仍然可以折叠代码.只是不能用鼠标实现折叠了:在Xcode菜单里选择Preference——Text E ...

  2. nodejs websocket 聊天应用

    前端一直是一块充满惊喜的土地,不仅是那些富有创造性的页面,还有那些惊赞的效果及不断推出的新技术.像node.js这样的后端开拓者直接将前端人员的能力扩大到了后端.瞬间就有了一统天下的感觉,来往穿梭于前 ...

  3. dsp-asic-fpga

    DSP是在模拟信号变换成数字信号以后进行高速实时处理的专用处理器,它采用的是哈佛设计,即数据总线和地址总线分开,使程序和数据分别存储在两个分开的空间,允许取指令和执行指令完全重叠,也就是说在执行上一条 ...

  4. Linux内核RCU(Read Copy Update)锁简析

    在非常早曾经,大概是2009年的时候.写过一篇关于Linux RCU锁的文章<RCU锁在linux内核的演变>,如今我承认.那个时候我尽管懂了RCU锁,可是我没有能力用一种非常easy的描 ...

  5. MacOS 修改主机名

    修改主机名 sudo scutil --set HostName xxx 修改共享名 sudo scutil --set ComputerName xxx

  6. multimap容器和multiset容器中的find操作

    前言 multimap容器是map容器的“ 增强版 ”,它允许一个键对应多个值.对于map容器来说,find函数将会返回第一个键值匹配元素所在处的迭代器.那么对于multimap容器来说,find函数 ...

  7. hbase shell删除没实用

    用Xshell登陆linux主机后,在hbase shell下不能使用backspace和delete删除误输的指令,这是Xshell的配置问题: 在File->Properties->T ...

  8. SAP-ABAP系列 第二篇SAP ABAP开发基础

    第二章SAP ABAP开发基础 1.ABAP数据类型及定义 ABAP程序中共包含8种基本数据类型定义, 类型名称 描述 属性 C Character Text (字符类型) 默认长度=1,默认值 = ...

  9. NS3网络仿真(11): ARP

    快乐虾 http://blog.csdn.net/lights_joy/ 欢迎转载,但请保留作者信息 ARP(Address ResolutionProtocol,地址解析协议)协议的基本功能就是通过 ...

  10. Please read "Security" section of the manual to find out how to run mysqld as root!

    [root@test ~]# /usr/local/mysql/bin/mysqld2018-08-05T08:29:05.143142Z 0 [Warning] [MY-011070] [Serve ...