Implemented the algorithm and tested the resulting IDs by comparing against this repo's Python script and also against Wireshark's Community ID analysis tool. My implementation's results seemed to always match Wireshark's but not Corelight's.
When the src and dst IP addresses are the same, the following port values seem to be handled differently by Corelight's script:
| ip_src | ip_dst | proto (tcp) | port_src | port_dst | Community ID from Corelight Python script | Community ID from Wireshark |
|---|---|---|---|---|---|---|
| 1.2.3.4 | 1.2.3.4 | 6 | 3344 | 1122 | 1:CY1T7/6B7r9W3LMnzSws9RXqqbQ= | 1:3seqIXu+5y8sFuE3lLtWR/KnSWo= |
| 1.2.3.4 | 1.2.3.4 | 6 | 1122 | 3344 | 1:CY1T7/6B7r9W3LMnzSws9RXqqbQ= | 1:3seqIXu+5y8sFuE3lLtWR/KnSWo= |
| 1.2.3.1 | 1.2.3.1 | 6 | 3344 | 1122 | 1:jD1eCyop8ZzeL/0xgO58JtpHPLE= | 1:GfxcHO3Gsn1cQxpPJoBhxUMcrbU= |
| 1.2.3.4 | 1.2.3.4 | 6 | 5566 | 7788 | 1:YZWovxgLMFDntXoQs0LgEGs9QcQ= | 1:BjNbSLaYeZZX0M1egqjh1Akg9yw= |
| 1.2.3.4 | 1.2.3.4 | 6 | 6655 | 8877 | 1:7hdcx4YnNvllNYNSbtSzegQFnjg= | 1:miYC8NFsg/sTi5HwWjjyifbbp+8= |
Port combinations like {1122, 44424}, {334, 44424}, {1133, 2244}, {8899, 1199} didn't seem to cause any issues though.
In function `is_ordered()`, changing the port comparison in the return to: seems to get the cases I tried to match.
Hi there, many thanks for reporting this! You are right, the value reported by Wireshark (and, generally, the native-code implementations) is correct, and the value Python reports here is incorrect. You've also identified a gap in the baseline data and testsuites (the case of matching src/dst IP addresses), which would have flagged this.
I'll be pushing fixes in several implementations due to your finding, so thanks again!
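The thread does not show the original comparison, but the rule both implementations are supposed to agree on is: order by address first, and only when the two addresses are equal break the tie on the ports, comparing them as plain integers. The following is an added example (my own code, not the reference script from this repository or Wireshark's dissector) that implements Community ID v1 for TCP/UDP/SCTP flows that way and adds the check the maintainer says was missing from the test suite: the ID must be identical for a flow and its reverse, including the same-host case from the table above. Assumed here: default seed 0, IPv4 or IPv6 addresses given as strings, and the standard v1 layout `seed(2) | saddr | daddr | proto(1) | pad(1) | sport(2) | dport(2)` hashed with SHA-1 and base64-encoded.

```python
import base64
import hashlib
import ipaddress
import struct

# Community ID v1 for port-carrying protocols (TCP=6, UDP=17, SCTP=132).
# Added example, not the repository's reference script.


def is_ordered(saddr: bytes, daddr: bytes, sport: int, dport: int) -> bool:
    """True when (src, dst) is already in canonical order.

    Packed addresses compare lexicographically, which equals numeric
    big-endian comparison. Ports are compared as host-order integers;
    comparing them in any other representation breaks the same-host case.
    """
    return saddr < daddr or (saddr == daddr and sport < dport)


def normalize(saddr: bytes, daddr: bytes, sport: int, dport: int):
    """Return the tuple in canonical (lower-address / lower-port first) order."""
    if is_ordered(saddr, daddr, sport, dport):
        return saddr, daddr, sport, dport
    return daddr, saddr, dport, sport


def community_id(src_ip: str, dst_ip: str, proto: int,
                 sport: int, dport: int, seed: int = 0) -> str:
    """Compute the v1 Community ID string '1:<base64(sha1)>' for a flow."""
    saddr = ipaddress.ip_address(src_ip).packed
    daddr = ipaddress.ip_address(dst_ip).packed
    saddr, daddr, sport, dport = normalize(saddr, daddr, sport, dport)
    # seed (2, BE) | saddr | daddr | proto (1) | pad (1) | sport (2) | dport (2)
    data = (struct.pack("!H", seed) + saddr + daddr
            + struct.pack("!BBHH", proto, 0, sport, dport))
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def is_symmetric(src_ip: str, dst_ip: str, proto: int,
                 sport: int, dport: int) -> bool:
    """The regression check: a flow and its reverse must hash identically."""
    forward = community_id(src_ip, dst_ip, proto, sport, dport)
    reverse = community_id(dst_ip, src_ip, proto, dport, sport)
    return forward == reverse


# Constructed cases taken from the table in the report: same src/dst host,
# TCP, port pairs that the reporter saw disagree between implementations.
SAME_HOST_CASES = [
    ("1.2.3.4", "1.2.3.4", 6, 3344, 1122),
    ("1.2.3.4", "1.2.3.4", 6, 1122, 3344),
    ("1.2.3.1", "1.2.3.1", 6, 3344, 1122),
    ("1.2.3.4", "1.2.3.4", 6, 5566, 7788),
    ("1.2.3.4", "1.2.3.4", 6, 6655, 8877),
]


def check_same_host_cases() -> bool:
    """True only if every same-host case is direction-independent."""
    return all(is_symmetric(*case) for case in SAME_HOST_CASES)


if __name__ == "__main__":
    for case in SAME_HOST_CASES:
        print(case, community_id(*case), "symmetric" if is_symmetric(*case) else "MISMATCH")
```

Run it and compare the printed IDs against the Wireshark column of the table above; the `check_same_host_cases()` test is the kind of baseline that would have caught the mismatch before it reached the other implementations, since any ordering rule that is not a strict total order on (address, port) makes at least one reversed pair hash differently.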