Bad port comparison when srcIp==dstIp

[liquidjorgeb13]

Implemented the algorithm and tested the resulting ids comparing against this repo's python script and also against wireshark's community id analysis tool. My implementation's results seemed to always match wireshark's but not corelight's.

When having same ip addresses for src and dst, the following port values seem to be handled differently by corelight's script:

     ip_src   ip_dest  proto(tcp)  port_src  port_dst  community id from coreligh python script   community id from wireshark
     1.2.3.4  1.2.3.4      6         3344      1122     1:CY1T7/6B7r9W3LMnzSws9RXqqbQ=             1:3seqIXu+5y8sFuE3lLtWR/KnSWo= 
     1.2.3.4  1.2.3.4      6         1122      3344     1:CY1T7/6B7r9W3LMnzSws9RXqqbQ=             1:3seqIXu+5y8sFuE3lLtWR/KnSWo=  
     1.2.3.1  1.2.3.1      6         3344      1122     1:jD1eCyop8ZzeL/0xgO58JtpHPLE=             1:GfxcHO3Gsn1cQxpPJoBhxUMcrbU= 
     1.2.3.4  1.2.3.4      6         5566      7788     1:YZWovxgLMFDntXoQs0LgEGs9QcQ=             1:BjNbSLaYeZZX0M1egqjh1Akg9yw=   
     1.2.3.4  1.2.3.4      6         6655      8877     1:7hdcx4YnNvllNYNSbtSzegQFnjg=             1:miYC8NFsg/sTi5HwWjjyifbbp+8=   

Port combinations like: {1122, 44424}, {334, 44424}, {1133, 2244}, {8899, 1199} didn't seem to cause any issues though.

In function is_ordered(), changing port comparison in the return to:

int.from_bytes(nbo.sport, 'little') < int.from_bytes(nbo.dport, 'little')

seems to get the cases I tried to match.

[ckreibich]

Hi there, many thanks for reporting this! You are right, the value reported by Wireshark (and, generally, the native-code implementations) is correct, and the value Python reports here is incorrect. You've also identified a gap in the baseline data and testsuites (the case of matching src/dst IP addresses), which would have flagged this.

I'll be pushing fixes in several implementations due to your finding, so thanks again!