Multicast Sequence Decoder
A scapy script for pulling the sequence number out of a UDP multicast
packet payload. Used for troubleshooting packet captures of
applications which claim to be losing traffic due to missing sequence.
usage: mcsd.py [-h] [-s SOURCE] [-d DEST] [-S SPORT] [-D DPORT] [-o OFFSET][-l LENGTH] [-r]filenamepositional arguments:filename pcap filename to readoptional arguments:-h, --help show this help message and exit-s SOURCE, --source SOURCEfilter on source IP address-d DEST, --dest DEST filter on destination IP address-S SPORT, --sport SPORTfilter on source port number-D DPORT, --dport DPORTfilter on destination port number-o OFFSET, --offset OFFSEToffset into packet to start reading-l LENGTH, --length LENGTHlength of characters to read-r, --raw raw mode. only print payload data
Fields displayed are:
frame src IP → dst IP sport → dport payload
A capture file with multiple streams:
$ mcsd.py mcpackets.pcap1 10.0.0.1 → 239.0.0.1 65535 → 9001 000000012 10.0.0.2 → 239.0.0.2 1111 → 9999 000000023 10.0.0.1 → 239.0.0.1 65535 → 9001 000000034 10.0.0.2 → 239.0.0.2 1111 → 9999 000000045 10.0.0.1 → 239.0.0.1 65535 → 9001 000000056 10.0.0.2 → 239.0.0.2 1111 → 9999 000000067 10.0.0.1 → 239.0.0.1 65535 → 9001 000000078 10.0.0.2 → 239.0.0.2 1111 → 9999 000000089 10.0.0.1 → 239.0.0.1 65535 → 9001 0000000910 10.0.0.2 → 239.0.0.2 1111 → 9999 0000001011 10.0.0.1 → 239.0.0.1 65535 → 9001 0000001112 10.0.0.2 → 239.0.0.2 1111 → 9999 0000001213 10.0.0.1 → 239.0.0.1 65535 → 9001 0000001314 10.0.0.2 → 239.0.0.2 1111 → 9999 0000001415 10.0.0.1 → 239.0.0.1 65535 → 9001 0000001516 10.0.0.2 → 239.0.0.2 1111 → 9999 0000001617 10.0.0.1 → 239.0.0.1 65535 → 9001 0000001718 10.0.0.2 → 239.0.0.2 1111 → 9999 0000001819 10.0.0.1 → 239.0.0.1 65535 → 9001 0000001920 10.0.0.2 → 239.0.0.2 1111 → 9999 00000020
Filtering on source IP:
$ mcsd.py -s 10.0.0.1 mcpackets.pcap1 10.0.0.1 → 239.0.0.1 65535 → 9001 000000013 10.0.0.1 → 239.0.0.1 65535 → 9001 000000035 10.0.0.1 → 239.0.0.1 65535 → 9001 000000057 10.0.0.1 → 239.0.0.1 65535 → 9001 000000079 10.0.0.1 → 239.0.0.1 65535 → 9001 0000000911 10.0.0.1 → 239.0.0.1 65535 → 9001 0000001113 10.0.0.1 → 239.0.0.1 65535 → 9001 0000001315 10.0.0.1 → 239.0.0.1 65535 → 9001 0000001517 10.0.0.1 → 239.0.0.1 65535 → 9001 0000001719 10.0.0.1 → 239.0.0.1 65535 → 9001 00000019
Filtering on destination port:
$ mcsd.py -D 9999 mcpackets.pcap2 10.0.0.2 → 239.0.0.2 1111 → 9999 000000024 10.0.0.2 → 239.0.0.2 1111 → 9999 000000046 10.0.0.2 → 239.0.0.2 1111 → 9999 000000068 10.0.0.2 → 239.0.0.2 1111 → 9999 0000000810 10.0.0.2 → 239.0.0.2 1111 → 9999 0000001012 10.0.0.2 → 239.0.0.2 1111 → 9999 0000001214 10.0.0.2 → 239.0.0.2 1111 → 9999 0000001416 10.0.0.2 → 239.0.0.2 1111 → 9999 0000001618 10.0.0.2 → 239.0.0.2 1111 → 9999 0000001820 10.0.0.2 → 239.0.0.2 1111 → 9999 00000020
Raw mode, just displaying payload:
$ mcsd.py -D 9999 -r mcpackets.pcap00000002000000040000000600000008000000100000001200000014000000160000001800000020
Reading further ahead into the packet:
$ mcsd.py -D 9999 -r -o 4 -l 4 mcpackets.pcap0002000400060008001000120014001600180020
Text processing tools can be used to iterate over printed sequence numbers and identify missing data.
The exact processing depends on the format of the packet data.
An example using awk to find missing sequence numbers which don’t increase by 1, starting at 1, using the above sample data:
$ mcsd.py -D 9999 mcpackets.pcap | awk '$NF!=p+1{print p+1"-"$NF-1}{p=$NF}'1-13-35-57-79-911-1113-1315-1517-1719-19
This output describes that we are missing sequence number 1, 3, 5, and so on.
Put mcsd.py somewhere in $PATH, eg:
mkdir -p ~/binwget -O ~/bin/mcsd.py https://raw.githubusercontent.com/superjamie/mcsd/master/mcsd.pychmod +x ~/bin/mcsd.py
Jamie Bainbridge - jamie.bainbridge@gmail.com