Good evening everyone,
Well, this is going to be a bit frustrating, because so far I haven't found a way to properly anonymise the captures, so you'll have to take my word for it :/.
Setup:
* Livebox <= SWITCH => ONT
\- port mirroring to a PC running Wireshark + internal link on VLAN 1 (untagged).
\- Airbox, with the Livebox's external IP routed through that specific interface.
On the PC running Wireshark:
* Wireshark captures on the eth0 and Airbox interfaces.
* nping --data 000000000000000000000000000000000000000000000000000F000000 -c1 my.external.ip (routed via the Airbox):
=>
00:03:59.067391 IP 192.168.1.100 > 90.127.xx.yy: ICMP echo request, id 32208, seq 1, length 37 # => packet sent to the Airbox
00:03:59.161749 IP 92.184.107.239 > 90.127.xx.yy: ICMP echo request, id 32208, seq 1, length 37 # => arrival of the same packet on VLAN 832 towards the Livebox (CHKSUM OK)
00:03:59.162508 IP 90.127.xx.yy > 92.184.107.239: ICMP echo reply, id 32208, seq 1, length 37 # => reply leaving the Livebox on VLAN 832 towards the Airbox's IP (CHKSUM OK)
# => the reply never comes back on the Airbox interface (expected, given the problem).
* Same thing for TCP:
* DNAT TCP my.external.ip / 61234 => PC / 9999
* shell 1: echo -ne "\x00\x0f\x00\x00\x00" | nc -N -l 9999
* shell 2: nc -N my.external.ip 61234 | od (press Ctrl-D to close the connection cleanly, or use -d)
=> It never finishes, with multiple TCP retransmissions of the packet carrying the payload
00:31:52.859289 IP 92.184.107.239.43856 > 90.127.xx.yy.61234: Flags [S], seq 360100060, win 64240, options [mss 1400,sackOK,TS val 485948444 ecr 0,nop,wscale 10], length 0
00:31:52.859491 IP 92.184.107.239.43856 > 192.168.1.16.9999: Flags [S], seq 360100060, win 64240, options [mss 1400,sackOK,TS val 485948444 ecr 0,nop,wscale 10], length 0
00:31:52.859558 IP 192.168.1.16.9999 > 92.184.107.239.43856: Flags [S.], seq 275788681, ack 360100061, win 65160, options [mss 1460,sackOK,TS val 4255433512 ecr 485948444,nop,wscale 10], length 0
00:31:52.859765 IP 90.127.xx.yy.61234 > 92.184.107.239.43856: Flags [S.], seq 275788681, ack 360100061, win 65160, options [mss 1460,sackOK,TS val 4255433512 ecr 485948444,nop,wscale 10], length 0
00:31:52.825180 IP 192.168.1.100.43856 > 90.127.xx.yy.61234: Flags [S], seq 360100060, win 64240, options [mss 1460,sackOK,TS val 485948444 ecr 0,nop,wscale 10], length 0
00:31:52.873415 IP 90.127.xx.yy.61234 > 192.168.1.100.43856: Flags [S.], seq 275788681, ack 360100061, win 65160, options [mss 1400,sackOK,TS val 4255433512 ecr 485948444,nop,wscale 10], length 0
00:31:52.873469 IP 192.168.1.100.43856 > 90.127.xx.yy.61234: Flags [.], ack 1, win 63, options [nop,nop,TS val 485948493 ecr 4255433512], length 0
00:31:52.917035 IP 90.127.xx.yy.61234 > 192.168.1.100.43856: Flags [F.], seq 6, ack 1, win 64, options [nop,nop,TS val 4255433561 ecr 485948493], length 0
00:31:52.917065 IP 192.168.1.100.43856 > 90.127.xx.yy.61234: Flags [.], ack 1, win 63, options [nop,nop,TS val 485948536 ecr 4255433512,nop,nop,sack 1 {6:7}], length 0
00:31:52.909027 IP 92.184.107.239.43856 > 90.127.xx.yy.61234: Flags [.], ack 1, win 63, options [nop,nop,TS val 485948493 ecr 4255433512], length 0
00:31:52.909200 IP 92.184.107.239.43856 > 192.168.1.16.9999: Flags [.], ack 1, win 63, options [nop,nop,TS val 485948493 ecr 4255433512], length 0
00:31:52.909373 IP 192.168.1.16.9999 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 1, win 64, options [nop,nop,TS val 4255433561 ecr 485948493], length 5
00:31:52.909398 IP 192.168.1.16.9999 > 92.184.107.239.43856: Flags [F.], seq 6, ack 1, win 64, options [nop,nop,TS val 4255433561 ecr 485948493], length 0
00:31:52.909606 IP 90.127.xx.yy.61234 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 1, win 64, options [nop,nop,TS val 4255433561 ecr 485948493], length 5
00:31:52.909757 IP 90.127.xx.yy.61234 > 92.184.107.239.43856: Flags [F.], seq 6, ack 1, win 64, options [nop,nop,TS val 4255433561 ecr 485948493], length 0
00:31:52.938866 IP 92.184.107.239.43856 > 90.127.xx.yy.61234: Flags [.], ack 1, win 63, options [nop,nop,TS val 485948536 ecr 4255433512,nop,nop,sack 1 {6:7}], length 0
00:31:52.938978 IP 92.184.107.239.43856 > 192.168.1.16.9999: Flags [.], ack 1, win 63, options [nop,nop,TS val 485948536 ecr 4255433512,nop,nop,sack 1 {6:7}], length 0
00:31:52.957857 IP 192.168.1.16.9999 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 1, win 64, options [nop,nop,TS val 4255433610 ecr 485948536], length 5
00:31:52.958099 IP 90.127.xx.yy.61234 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 1, win 64, options [nop,nop,TS val 4255433610 ecr 485948536], length 5
00:31:53.209856 IP 192.168.1.16.9999 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 1, win 64, options [nop,nop,TS val 4255433862 ecr 485948536], length 5
00:31:53.210115 IP 90.127.xx.yy.61234 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 1, win 64, options [nop,nop,TS val 4255433862 ecr 485948536], length 5
00:31:53.733860 IP 192.168.1.16.9999 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 1, win 64, options [nop,nop,TS val 4255434386 ecr 485948536], length 5
00:31:53.734125 IP 90.127.xx.yy.61234 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 1, win 64, options [nop,nop,TS val 4255434386 ecr 485948536], length 5
00:31:54.429202 IP 92.184.107.239.43856 > 90.127.xx.yy.61234: Flags [F.], seq 1, ack 1, win 63, options [nop,nop,TS val 485950031 ecr 4255433512,nop,nop,sack 1 {6:7}], length 0
00:31:54.429414 IP 92.184.107.239.43856 > 192.168.1.16.9999: Flags [F.], seq 1, ack 1, win 63, options [nop,nop,TS val 485950031 ecr 4255433512,nop,nop,sack 1 {6:7}], length 0
00:31:54.429432 IP 192.168.1.16.9999 > 92.184.107.239.43856: Flags [.], ack 2, win 64, options [nop,nop,TS val 4255435081 ecr 485950031], length 0
00:31:54.429653 IP 90.127.xx.yy.61234 > 92.184.107.239.43856: Flags [.], ack 2, win 64, options [nop,nop,TS val 4255435081 ecr 485950031], length 0
00:31:54.411918 IP 192.168.1.100.43856 > 90.127.xx.yy.61234: Flags [F.], seq 1, ack 1, win 63, options [nop,nop,TS val 485950031 ecr 4255433512,nop,nop,sack 1 {6:7}], length 0
00:31:54.437008 IP 90.127.xx.yy.61234 > 192.168.1.100.43856: Flags [.], ack 2, win 64, options [nop,nop,TS val 4255435081 ecr 485950031], length 0
00:31:54.757851 IP 192.168.1.16.9999 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 2, win 64, options [nop,nop,TS val 4255435410 ecr 485950031], length 5
00:31:54.758142 IP 90.127.xx.yy.61234 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 2, win 64, options [nop,nop,TS val 4255435410 ecr 485950031], length 5
00:31:56.773858 IP 192.168.1.16.9999 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 2, win 64, options [nop,nop,TS val 4255437426 ecr 485950031], length 5
00:31:56.774176 IP 90.127.xx.yy.61234 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 2, win 64, options [nop,nop,TS val 4255437426 ecr 485950031], length 5
00:32:00.901863 IP 192.168.1.16.9999 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 2, win 64, options [nop,nop,TS val 4255441554 ecr 485950031], length 5
00:32:00.902166 IP 90.127.xx.yy.61234 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 2, win 64, options [nop,nop,TS val 4255441554 ecr 485950031], length 5
00:32:09.093869 IP 192.168.1.16.9999 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 2, win 64, options [nop,nop,TS val 4255449746 ecr 485950031], length 5
00:32:09.094252 IP 90.127.xx.yy.61234 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 2, win 64, options [nop,nop,TS val 4255449746 ecr 485950031], length 5
00:32:25.221876 IP 192.168.1.16.9999 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 2, win 64, options [nop,nop,TS val 4255465874 ecr 485950031], length 5
00:32:25.222155 IP 90.127.xx.yy.61234 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 2, win 64, options [nop,nop,TS val 4255465874 ecr 485950031], length 5
00:32:59.013858 IP 192.168.1.16.9999 > 92.184.107.239.43856: Flags [P.], seq 1:6, ack 2, win 64, options [nop,nop,TS val 4255499666 ecr 485950031], length 5
Conclusions:
* As far as I'm concerned, the Livebox is completely in the clear (I suspected as much, but at least now there's no doubt left).
* This does affect ALL protocols, as long as the "pattern" is respected ((Ethernet) packet size of 71 bytes + N*16, and byte 67 matching the pattern given by hwit: x0xx1xxx).
All that's left is to wait for the Orange guys to do their job :/, I don't really see how we could identify the network interface of the machine causing the problem: 80.10.236.81
Caeies, not crazy after all, but gutted.
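
Added example, not part of the original post: a small Python check that the two test payloads above (the nping ICMP data and the 5-byte TCP payload) both produce a frame that fits the pattern quoted in the conclusions. It assumes an untagged Ethernet frame without FCS, that "byte 67" is a zero-based frame offset, and that x0xx1xxx is read most significant bit first; the helper names are hypothetical.

```python
# Added example, not from the original post. Header sizes are taken from the
# two tests above; the offset base and bit order are assumptions.
ETH_HDR = 14      # untagged Ethernet II header, FCS not counted
IPV4_HDR = 20     # IPv4 header without options
ICMP_HDR = 8      # ICMP echo header
TCP_HDR_TS = 32   # TCP header + 12 bytes of options (nop,nop,TS) as in the trace

BASE_LEN, STEP = 71, 16   # "71 bytes + N*16"
OFFSET = 67               # "byte 67", read as a zero-based frame offset (assumption)
MASK = 0b01001000         # bits fixed by x0xx1xxx, read MSB first (assumption)
VALUE = 0b00001000        # bit 6 clear, bit 3 set


def matches_pattern(frame: bytes) -> bool:
    """True if the frame has the length and byte value described in the post."""
    if len(frame) < BASE_LEN or (len(frame) - BASE_LEN) % STEP != 0:
        return False
    return (frame[OFFSET] & MASK) == VALUE


def payload_index(l4_header_len: int) -> int:
    """Index inside the L4 payload that lands on frame offset 67."""
    return OFFSET - (ETH_HDR + IPV4_HDR + l4_header_len)


def build_frame(l4_header_len: int, payload: bytes) -> bytes:
    """Zero-filled headers plus payload: only length and offset matter here."""
    return bytes(ETH_HDR + IPV4_HDR + l4_header_len) + payload


# Constructed copies of the two test payloads from the post.
ICMP_PAYLOAD = bytes(25) + b"\x0f" + bytes(3)   # 29 bytes, ICMP length 37 in the trace
TCP_PAYLOAD = b"\x00\x0f\x00\x00\x00"           # 5 bytes, "length 5" in the trace

if __name__ == "__main__":
    for name, hdr, data in (("icmp", ICMP_HDR, ICMP_PAYLOAD),
                            ("tcp", TCP_HDR_TS, TCP_PAYLOAD)):
        frame = build_frame(hdr, data)
        print(name, len(frame), payload_index(hdr), matches_pattern(frame))
```

Under these assumptions both payloads give a 71-byte frame with 0x0F at offset 67, which is why the same loss shows up for ICMP and TCP.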