I need help extracting information from a file that contains the output of a network traffic capture made with the tcpdump command:
tcpdump -Xvv -i eth0 > capture.txt
Given any field of the Ethernet, IP or TCP headers and a value, indicate the source and destination IP machines reported under that condition (without repeating them in the output).
The content of the file:
09:26:13.245546 IP (tos 0x0, ttl 1, id 3439, offset 0, flags [none], proto UDP (17), length 1018)
10.0.0.226.58935 > 239.255.255.250.3702: UDP, ack 555, win 6584, length 990
0x0000: 4500 03fa 0d6f 0000 0111 ada8 0a00 00e2 E....o..........
0x0010: efff fffa e637 0e76 03e6 7ec0 3c3f 786d .....7.v..~.<?xm
0x0020: 6c20 7665 7273 696f 6e3d 2231 2e30 2220 l.version="1.0".
0x0030: 656e 636f 6469 6e67 3d22 7574 662d 3822 encoding="utf-8"
0x0040: 3f3e 3c73 6f61 703a 456e 7665 ?><soap:Enve
09:26:13.339173 IP6 (hlim 1, next-header UDP (17) payload length: 998) fe80::21e9:f54b:9ae7:6383.58936 > ff02::c.3702: UDP, length 990
0x0000: 6000 0000 03e6 1101 fe80 0000 0000 0000 `...............
0x0010: 21e9 f54b 9ae7 6383 ff02 0000 0000 0000 !..K..c.........
0x0020: 0000 0000 0000 000c e638 0e76 03e6 666c .........8.v..fl
0x0030: 3c3f 786d 6c20 7665 7273 696f 6e3d 2231 <?xml.version="1
0x0040: 2e30 2220 656e 636f 6469 6e67 .0".encoding
09:26:13.407313 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.3.118 tell 10.0.1.215, length 46
0x0000: 0001 0800 0604 0001 0009 0fcb 0a0c 0a00 ................
0x0010: 01d7 0000 0000 0000 0a00 0376 0000 0000 ...........v....
0x0020: 0000 0000 0000 0000 0000 d9c4 62a8 ............b.
09:26:13.525954 IP (tos 0x0, ttl 128, id 3441, offset 0, flags [none], proto UDP (17), length 161)
10.0.0.226.59131 > 239.255.255.250.1900: UDP, length 133
0x0000: 4500 00a1 0d71 0000 0111 b0ff 0a00 00e2 E....q..........
0x0010: efff fffa e6fb 076c 008d 6fa6 4d2d 5345 .......l..o.M-SE
0x0020: 4152 4348 202a 2048 5454 502f 312e 310d ARCH.*.HTTP/1.1.
0x0030: 0a48 6f73 743a 3233 392e 3235 352e 3235 .Host:239.255.25
0x0040: 352e 3235 303a 3139 3030 0d0a 5.250:1900..
09:26:13.557002 IP (tos 0x0, ttl 1, id 3442, offset 0, flags [none], proto UDP (17), length 161)
10.0.0.226.59131 > 239.255.255.250.1900: UDP, length 133
0x0000: 4500 00a1 0d72 0000 0111 b0fe 0a00 00e2 E....r..........
0x0010: efff fffa e6fb 076c 008d 6fa6 4d2d 5345 .......l..o.M-SE
0x0020: 4152 4348 202a 2048 5454 502f 312e 310d ARCH.*.HTTP/1.1.
0x0030: 0a48 6f73 743a 3233 392e 3235 352e 3235 .Host:239.255.25
0x0040: 352e 3235 303a 3139 3030 0d0a 5.250:1900..
09:26:13.642734 IP (tos 0x0, ttl 1, id 21767, offset 0, flags [none], proto UDP (17), length 684)
10.0.0.237.58882 > 239.255.255.250.3702: UDP, length 656
0x0000: 4500 02ac 5507 0000 0111 6753 0a00 00ed E...U.....gS....
0x0010: efff fffa e602 0e76 0298 5568 3c3f 786d .......v..Uh<?xm
0x0020: 6c20 7665 7273 696f 6e3d 2231 2e30 2220 l.version="1.0".
0x0030: 656e 636f 6469 6e67 3d22 7574 662d 3822 encoding="utf-8"
0x0040: 3f3e 3c73 6f61 703a 456e 7665 ?><soap:Enve
09:26:13.642960 IP6 (hlim 1, next-header UDP (17) payload length: 664) fe80::b8a2:bd0:4e0b:1bb5.58883 > ff02::c.3702: UDP, length 656
0x0000: 6000 0000 0298 1101 fe80 0000 0000 0000 `...............
0x0010: b8a2 0bd0 4e0b 1bb5 ff02 0000 0000 0000 ....N...........
0x0020: 0000 0000 0000 000c e603 0e76 0298 248c ...........v..$.
0x0030: 3c3f 786d 6c20 7665 7273 696f 6e3d 2231 <?xml.version="
09:26:13.642999 IP (tos 0x0, ttl 64, id 21767, offset 0, flags [none], proto UDP (17), length 684)
10.0.0.237.58882 > 239.255.255.250.3702: UDP, length 656
0x0000: 4500 02ac 5507 0000 0111 6753 0a00 00ed E...U.....gS....
0x0010: efff fffa e602 0e76 0298 5568 3c3f 786d .......v..Uh<?xm
0x0020: 6c20 7665 7273 696f 6e3d 2231 2e30 2220 l.version="1.0".
0x0030: 656e 636f 6469 6e67 3d22 7574 662d 3822 encoding="utf-8"
0x0040: 3f3e 3c73 6f61 703a 456e 7665 ?><soap:Enve
For example, if the header is: ttl 1
The result must be:
Source: 10.0.0.226.58935 --- Destination: 239.255.255.250.3702 - 1 Time
Source: 10.0.0.237.58882 --- Destination: 239.255.255.250.3702 - 2 Times
Another way: if the header is ack or win, for example: ack 555
Source: 10.0.0.226.58935 --- Destination: 239.255.255.250.3702 - 1 Time
Using awk matching ack 555:
$ awk -F'[:>]' '/ack 555/{u["Source: "$1"--- Destination:"$2]++}END{for(k in u)print k,u[k]" - time"(u[k]>1?"s":"")}' file
Source: 10.0.0.226.58935 --- Destination: 239.255.255.250.3702 1 - time
Matching ttl 1:
$ awk -F'[>:]' '/ttl 1,/{getline;u["Source: "$1"--- Destination:"$2]++}END{for(k in u)print k,u[k]" - time"(u[k]>1?"s":"")}' file
Source: 10.0.0.237.58882 --- Destination: 239.255.255.250.3702 1 - time
Source: 10.0.0.226.59131 --- Destination: 239.255.255.250.1900 1 - time
Source: 10.0.0.226.58935 --- Destination: 239.255.255.250.3702 1 - time
Your example doesn't match your expected output, however.
I'm trying an experiment in Ubuntu 22.04 where I create two TUN/TAP interfaces, assign them IP addresses 192.168.75.1 and 192.168.76.1, map 192.168.75.2 to 76.1 and 76.2 to 75.1 in the code, and try to connect between the two ends. Pings get through successfully, but when I try to SSH between them, it fails.
When I SSH into 75.2 from 75.1, I see the outgoing SSH packet in tcpdump on 75.1 and the incoming one with the new IP addresses in tcpdump on 76.1, but SSHD never responds. I'm recalculating the IPv4 checksum (RFC 791) and TCP checksum (RFC 793) after changing the IP addresses and the checksums show up as correct in the tcpdump.
When I compare the tcpdump of the SSH interaction through the TUN/TAP interface (which fails) and through the regular localhost interface (which succeeds), I can't find any difference apart from the identification field in the IPv4 header (the two bytes right after total length), which is zero for the packets coming through localhost and nonzero through the TUN/TAP interface. Is there any reason why SSHD would care about this field?
I also disabled the firewall and opened up everything in iptables using iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -P OUTPUT ACCEPT && iptables -t nat -F && iptables -t mangle -F && iptables -F && iptables -X. I also tried restarting the SSHD service after the new interfaces were up and assigned IP addresses. I'm really having a hard time finding any difference other than the IPv4 header identification field. Seeing the pings go through makes me think I'm on the right track, at least.
Edit #1 with more details:
Output from ifconfig:
custom0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.75.1 netmask 255.255.255.0 broadcast 192.168.75.255
inet6 fe80::80b:cff:fe0d:e00 prefixlen 64 scopeid 0x20<link>
ether 0a:0b:0c:0d:0e:00 txqueuelen 1000 (Ethernet)
RX packets 13 bytes 2341 (2.3 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 38 bytes 5501 (5.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
custom1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.76.1 netmask 255.255.255.0 broadcast 192.168.76.255
inet6 fe80::80b:cff:fe0d:e01 prefixlen 64 scopeid 0x20<link>
ether 0a:0b:0c:0d:0e:01 txqueuelen 1000 (Ethernet)
RX packets 18 bytes 3366 (3.3 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 44 bytes 6561 (6.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Output from tcpdump on custom0 during successful ping. There is a lag, but it does work. Request #11 goes out before reply #1 finally comes back.
1664723041.491324 IP (tos 0x0, ttl 64, id 26129, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.75.1 > 192.168.75.2: ICMP echo request, id 1, seq 11, length 64
0x0000: 4500 0054 6611 4000 4001 bd43 c0a8 4b01 E..Tf.#.#..C..K.
0x0010: c0a8 4b02 0800 6c96 0001 000b 61a8 3963 ..K...l.....a.9c
0x0020: 0000 0000 2a7f 0700 0000 0000 1011 1213 ....*...........
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
1664723042.419621 IP (tos 0x0, ttl 64, id 26589, offset 0, flags [none], proto ICMP (1), length 84)
192.168.75.2 > 192.168.75.1: ICMP echo reply, id 1, seq 1, length 64
0x0000: 4500 0054 67dd 0000 4001 fb77 c0a8 4b02 E..Tg...#..w..K.
0x0010: c0a8 4b01 0000 9a32 0001 0001 57a8 3963 ..K....2....W.9c
0x0020: 0000 0000 12ed 0300 0000 0000 1011 1213 ................
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
Output from tcpdump on custom1 during successful ping. On this interface, replies appear immediately.
1664723042.419596 IP (tos 0x0, ttl 64, id 26589, offset 0, flags [none], proto ICMP (1), length 84)
192.168.76.1 > 192.168.76.2: ICMP echo reply, id 1, seq 1, length 64
0x0000: 4500 0054 67dd 0000 4001 f977 c0a8 4c01 E..Tg...#..w..L.
0x0010: c0a8 4c02 0000 9a32 0001 0001 57a8 3963 ..L....2....W.9c
0x0020: 0000 0000 12ed 0300 0000 0000 1011 1213 ................
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
1664723042.419614 IP (tos 0x0, ttl 64, id 25034, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.76.2 > 192.168.76.1: ICMP echo request, id 1, seq 2, length 64
0x0000: 4500 0054 61ca 4000 4001 bf8a c0a8 4c02 E..Ta.#.#.....L.
0x0010: c0a8 4c01 0800 9ae9 0001 0002 58a8 3963 ..L.........X.9c
0x0020: 0000 0000 0835 0400 0000 0000 1011 1213 .....5..........
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
Lines added to /etc/ssh/sshd_config after the TUN/TAP interfaces were up with assigned IP addresses:
ListenAddress 192.168.75.1
ListenAddress 192.168.76.1
Output from tcpdump on custom0 during unsuccessful SSH attempt:
1664723517.797359 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.75.2 tell 192.168.75.1, length 28
0x0000: 0001 0800 0604 0001 0a0b 0c0d 0e00 c0a8 ................
0x0010: 4b01 0000 0000 0000 c0a8 4b02 K.........K.
1664723517.797403 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.75.2 is-at 01:02:03:04:05:01, length 28
0x0000: 0001 0800 0604 0002 0102 0304 0501 c0a8 ................
0x0010: 4b02 0a0b 0c0d 0e00 c0a8 4b01 K.........K.
1664723517.797407 IP (tos 0x10, ttl 64, id 3817, offset 0, flags [DF], proto TCP (6), length 60)
192.168.75.1.42530 > 192.168.75.2.22: Flags [S], cksum 0x5e34 (correct), seq 3234729807, win 64240, options [mss 1460,sackOK,TS val 3543043583 ecr 0,nop,wscale 9], length 0
0x0000: 4510 003c 0ee9 4000 4006 146f c0a8 4b01 E..<..#.#..o..K.
0x0010: c0a8 4b02 a622 0016 c0ce 0f4f 0000 0000 ..K..".....O....
0x0020: a002 faf0 5e34 0000 0204 05b4 0402 080a ....^4..........
0x0030: d32e 8dff 0000 0000 0103 0309 ............
1664723518.803703 IP (tos 0x10, ttl 64, id 3818, offset 0, flags [DF], proto TCP (6), length 60)
192.168.75.1.42530 > 192.168.75.2.22: Flags [S], cksum 0x5a46 (correct), seq 3234729807, win 64240, options [mss 1460,sackOK,TS val 3543044589 ecr 0,nop,wscale 9], length 0
0x0000: 4510 003c 0eea 4000 4006 146e c0a8 4b01 E..<..#.#..n..K.
0x0010: c0a8 4b02 a622 0016 c0ce 0f4f 0000 0000 ..K..".....O....
0x0020: a002 faf0 5a46 0000 0204 05b4 0402 080a ....ZF..........
0x0030: d32e 91ed 0000 0000 0103 0309 ............
Output from tcpdump on custom1 during unsuccessful SSH attempt:
1664723519.732730 IP (tos 0x10, ttl 64, id 3817, offset 0, flags [DF], proto TCP (6), length 60)
192.168.76.2.42530 > 192.168.76.1.22: Flags [S], cksum 0x5c34 (correct), seq 3234729807, win 64240, options [mss 1460,sackOK,TS val 3543043583 ecr 0,nop,wscale 9], length 0
0x0000: 4510 003c 0ee9 4000 4006 126f c0a8 4c02 E..<..#.#..o..L.
0x0010: c0a8 4c01 a622 0016 c0ce 0f4f 0000 0000 ..L..".....O....
0x0020: a002 faf0 5c34 0000 0204 05b4 0402 080a ....\4..........
0x0030: d32e 8dff 0000 0000 0103 0309 ............
The exact failure message is ssh: connect to host 192.168.75.2 port 22: No route to host.
Output of route -n:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.50.1    0.0.0.0         UG    100    0        0 enp38s0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp38s0
192.168.50.0    0.0.0.0         255.255.255.0   U     100    0        0 enp38s0
192.168.75.0    0.0.0.0         255.255.255.0   U     0      0        0 custom0
192.168.76.0    0.0.0.0         255.255.255.0   U     0      0        0 custom1
Edit #2:
I posted the code on GitHub along with a README at https://github.com/johnwstanford/bifrost. It's written in Rust. I also fixed the issue of the lag by calling poll on the file descriptor before trying to read from it, but the rest of the behavior is still the same.
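The checksum recomputation the question describes, worked through on the captured bytes, as an added example (this is not the bifrost code). It takes the SYN from the two tcpdump -X dumps above, verifies the IPv4 header checksum (RFC 791) and the TCP checksum over the pseudo-header (RFC 793), then applies the 75.1 to 76.2 and 75.2 to 76.1 address mapping and recomputes both. SYN_CUSTOM0 and SYN_CUSTOM1 are constructed from the hex columns quoted above (both dumps begin at the IP header, first byte 0x45); TRANSLATE is the mapping as the question states it and is an assumption about how the code applies it.

```python
import ipaddress
import struct

# Constructed from the hex columns of the two SYN packets quoted above: the one captured on
# custom0 (192.168.75.1 -> 192.168.75.2) and the translated one captured on custom1
# (192.168.76.2 -> 192.168.76.1). Both dumps start at the IP header (first byte 0x45).
SYN_CUSTOM0 = bytes.fromhex(
    "4510 003c 0ee9 4000 4006 146f c0a8 4b01"
    "c0a8 4b02 a622 0016 c0ce 0f4f 0000 0000"
    "a002 faf0 5e34 0000 0204 05b4 0402 080a"
    "d32e 8dff 0000 0000 0103 0309")
SYN_CUSTOM1 = bytes.fromhex(
    "4510 003c 0ee9 4000 4006 126f c0a8 4c02"
    "c0a8 4c01 a622 0016 c0ce 0f4f 0000 0000"
    "a002 faf0 5c34 0000 0204 05b4 0402 080a"
    "d32e 8dff 0000 0000 0103 0309")

# Mapping the question describes (assumed to be applied to both addresses of a packet).
TRANSLATE = {"192.168.75.1": "192.168.76.2", "192.168.75.2": "192.168.76.1"}


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def inet_checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def ihl_bytes(packet):
    return (packet[0] & 0x0F) * 4


def ipv4_header_checksum(packet):
    """RFC 791: checksum over the IP header only, with the checksum field itself taken as zero."""
    hdr = bytearray(packet[:ihl_bytes(packet)])
    hdr[10:12] = b"\x00\x00"
    return inet_checksum(bytes(hdr))


def tcp_checksum(packet):
    """RFC 793: checksum over pseudo-header (src, dst, zero, proto 6, TCP length) + TCP segment."""
    ihl = ihl_bytes(packet)
    total_len = struct.unpack("!H", packet[2:4])[0]
    seg = bytearray(packet[ihl:total_len])
    seg[16:18] = b"\x00\x00"
    pseudo = packet[12:20] + b"\x00\x06" + struct.pack("!H", len(seg))
    return inet_checksum(pseudo + bytes(seg))


def checksums_ok(packet):
    """Compare recomputed checksums with the ones carried in the packet."""
    ihl = ihl_bytes(packet)
    ip_ok = ipv4_header_checksum(packet) == struct.unpack("!H", packet[10:12])[0]
    tcp_ok = tcp_checksum(packet) == struct.unpack("!H", packet[ihl + 16:ihl + 18])[0]
    return ip_ok, tcp_ok


def rewrite_addresses(packet, mapping):
    """Apply an address mapping to src/dst and fix both checksums; every other byte (IP ID included) is kept."""
    pkt = bytearray(packet)
    for off in (12, 16):
        old = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
        if old in mapping:
            pkt[off:off + 4] = ipaddress.IPv4Address(mapping[old]).packed
    ihl = ihl_bytes(pkt)
    pkt[10:12] = struct.pack("!H", ipv4_header_checksum(bytes(pkt)))
    pkt[ihl + 16:ihl + 18] = struct.pack("!H", tcp_checksum(bytes(pkt)))
    return bytes(pkt)


if __name__ == "__main__":
    print("custom0 SYN: ip=0x%04x tcp=0x%04x ok=%s" % (
        ipv4_header_checksum(SYN_CUSTOM0), tcp_checksum(SYN_CUSTOM0), checksums_ok(SYN_CUSTOM0)))
    translated = rewrite_addresses(SYN_CUSTOM0, TRANSLATE)
    print("translated packet equals custom1 capture:", translated == SYN_CUSTOM1)
```

Both checksums in the custom0 dump recompute to the printed values (0x146f and 0x5e34), and rewriting the addresses yields a packet that is byte-for-byte the frame captured on custom1 (0x126f and 0x5c34), with the identification field 0x0ee9 (id 3817) carried through untouched. The checksum arithmetic is therefore consistent between the two captures, which matches the "(correct)" that tcpdump prints on both.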
I want to find and delete all even bytes from a file given in command line. Is there any command for this situation?
I think this does what you want. It dumps the file as continuous plain hex, then reads two bytes, saving them for later and then two more bytes. Then it outputs the bytes it saved and pipes the whole lot back into xxd to "reconstruct":
xxd -p INPUT | sed -E 's/(..)../\1/g' | xxd -r -p > OUTPUT
So, if I dump a PNG image like this:
xxd image.png
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 0064 0000 0064 0203 0000 000d 8c7d ...d...d.......}
00000020: c700 0000 0467 414d 4100 00b1 8f0b fc61 .....gAMA......a
00000030: 0500 0000 2063 4852 4d00 007a 2600 0080 .... cHRM..z&...
00000040: 8400 00fa 0000 0080 e800 0075 3000 00ea ...........u0...
00000050: 6000 003a 9800 0017 709c ba51 3c00 0000 `..:....p..Q<...
00000060: 0950 4c54 4500 0000 ff00 00ff ffff 6719 .PLTE.........g.
00000070: 641e 0000 0001 624b 4744 0266 0b7c 6400 d.....bKGD.f.|d.
00000080: 0000 0774 494d 4507 e404 1c0a 0820 506e ...tIME...... Pn
00000090: 92c5 0000 0025 4944 4154 48c7 6360 1805 .....%IDATH.c`..
000000a0: a300 0c58 4361 2064 5466 5466 5466 5466 ...XCa dTfTfTfTf
000000b0: 5466 5406 8fcc 2818 3100 00e8 0fcb 7f57 TfT...(.1......W
000000c0: afef dd00 0000 2574 4558 7464 6174 653a ......%tEXtdate:
000000d0: 6372 6561 7465 0032 3032 302d 3034 2d32 create.2020-04-2
000000e0: 3854 3130 3a30 383a 3332 2b30 303a 3030 8T10:08:32+00:00
000000f0: d513 d3d0 0000 0025 7445 5874 6461 7465 .......%tEXtdate
00000100: 3a6d 6f64 6966 7900 3230 3230 2d30 342d :modify.2020-04-
00000110: 3238 5431 303a 3038 3a33 322b 3030 3a30 28T10:08:32+00:0
00000120: 30a4 4e6b 6c00 0000 0049 454e 44ae 4260 0.Nkl....IEND.B`
00000130: 82
and then put that through my filter and display it again:
xxd -p image.png | sed -E 's/(..)../\1/g' | xxd -r -pp | xxd
00000000: 894e 0d1a 0000 4944 0000 0000 0200 008c .N....ID........
00000010: c700 0441 4100 8ffc 0500 2048 4d00 2600 ...AA..... HM.&.
00000020: 8400 0000 e800 3000 6000 9800 70ba 3c00 ......0.`...p.<.
00000030: 094c 4500 ff00 ff67 6400 0062 4702 0b64 .LE....gd..bG..d
00000040: 0007 4945 e41c 0850 9200 0049 4148 6318 ..IE...P...IAHc.
00000050: a30c 4320 5454 5454 5454 8f28 3100 0f7f ..C TTTTTT.(1...
00000060: afdd 0025 4574 6165 6365 7400 3030 302d ...%Etaecet.000-
00000070: 3831 3a38 332b 3030 d5d3 0000 7458 6474 81:83+00....tXdt
00000080: 3a6f 6979 3232 2d34 3254 3030 3a32 303a :oiy22-42T00:20:
00000090: 304e 6c00 0045 4442 82 0Nl..EDB.
Or in Perl
#!/usr/bin/perl
use strict;
use warnings;

open my $ifh, '<', $ARGV[0] or die "Need an input filename";
binmode $ifh;
open my $ofh, '>', $ARGV[1] or die "Need an output filename";
binmode $ofh;

my $x;
while (read $ifh, $x, 2) {
    my $num = pack 'C', ord($x);    # or ord(substr $x, 1) for odd bytes
    print $ofh $num;
}
I am not sure if there is such a shell/bash built-in command. Seems like you need to write your own bash script for doing so.
I use tcpdump to capture some data, but found that the FIN and ACK packets have some payload while the length is 0. Can anyone explain that? When I use Wireshark to see the pcap file, all is right. Why is that?
20:56:05.174314 IP 10.0.2.15.20281 > 192.168.4.80.21224: Flags [.], ack 1721, win 33232, length 0
0x0000: 0004 0001 0006 0800 2793 4e00 0000 0800 ........'.N.....
0x0010: 4500 0028 417a 4000 4006 284f 0a00 020f E..(Az#.#.(O....
0x0020: c0a8 0450 4f39 52e8 b35c bf82 f4d8 b0ba ...PO9R..\......
0x0030: 5010 81d0 d121 0000 4745 5420 2f75 7365 P....!..GET./use
0x0040: 7273 2f31 3f75 7365 rs/1?use
20:56:15.179096 IP 10.0.2.15.20281 > 192.168.4.80.21224: Flags [F.], seq 649, ack 1721, win 33232, length 0
0x0000: 0004 0001 0006 0800 2793 4e00 0000 0800 ........'.N.....
0x0010: 4500 0028 417b 4000 4006 284e 0a00 020f E..(A{#.#.(N....
0x0020: c0a8 0450 4f39 52e8 b35c bf82 f4d8 b0ba ...PO9R..\......
0x0030: 5011 81d0 d121 0000 0000 0000 0000 2e31 P....!.........1
0x0040: 2035 3030 2049 6e74 .500.Int
20:56:15.179528 IP 192.168.4.80.21224 > 10.0.2.15.20281: Flags [.], ack 650, win 65535, length 0
0x0000: 0000 0001 0006 5254 0012 3502 0000 0800 ......RT..5.....
0x0010: 4500 0028 73f3 0000 4006 35d6 c0a8 0450 E..(s...#.5....P
0x0020: 0a00 020f 52e8 4f39 f4d8 b0ba b35c bf83 ....R.O9.....\..
0x0030: 5010 ffff 2438 0000 0000 0000 0000 2e31 P...$8.........1
0x0040: 2035 3030 2049 6e74 6572 6e61 6c20 .500.Internal.
20:56:15.181826 IP 192.168.4.80.21224 > 10.0.2.15.20281: Flags [F.], seq 1721, ack 650, win 65535, length 0
0x0000: 0000 0001 0006 5254 0012 3502 0000 0800 ......RT..5.....
0x0010: 4500 0028 73f5 0000 4006 35d4 c0a8 0450 E..(s...#.5....P
0x0020: 0a00 020f 52e8 4f39 f4d8 b0ba b35c bf83 ....R.O9.....\..
0x0030: 5011 ffff 2437 0000 0000 0000 0000 7365 P...$7........se
0x0040: 7273 2f31 3f75 7365 725f 6964 3d35 rs/1?user_id=5
20:56:15.181884 IP 10.0.2.15.20281 > 192.168.4.80.21224: Flags [.], ack 1722, win 33232, length 0
0x0000: 0004 0001 0006 0800 2793 4e00 0000 0800 ........'.N.....
0x0010: 4500 0028 eaf7 4000 4006 7ed1 0a00 020f E..(..#.#.~.....
0x0020: c0a8 0450 4f39 52e8 b35c bf83 f4d8 b0bb ...PO9R..\......
0x0030: 5010 81d0 a266 0000 4745 5420 2f75 7365 P....f..GET./use
0x0040: 7273 2f31 3f75 7365 rs/1?use
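One way to see where tcpdump's "length 0" comes from, as an added example that is not part of the question: it rebuilds the captured bytes from the -X hex columns of the first two packets above, reads the IP total length and the TCP data offset, and reports how many captured bytes lie past the end of the IP packet. It assumes the 16 bytes before the IP header are the Linux cooked-capture (SLL) header, which is the layout those bytes have (packet type, ARPHRD_ETHER, address length 6, address, protocol 0x0800); link_len is a parameter for other link types. ACK_DUMP and FIN_DUMP are constructed copies of the dumps shown above.

```python
import re
import struct

# Constructed: copies of the first two dumps quoted in the question (the ACK and the FIN/ACK
# sent by 10.0.2.15), hex and ASCII columns as tcpdump -X printed them.
ACK_DUMP = r"""20:56:05.174314 IP 10.0.2.15.20281 > 192.168.4.80.21224: Flags [.], ack 1721, win 33232, length 0
        0x0000:  0004 0001 0006 0800 2793 4e00 0000 0800  ........'.N.....
        0x0010:  4500 0028 417a 4000 4006 284f 0a00 020f  E..(Az@.@.(O....
        0x0020:  c0a8 0450 4f39 52e8 b35c bf82 f4d8 b0ba  ...PO9R..\......
        0x0030:  5010 81d0 d121 0000 4745 5420 2f75 7365  P....!..GET./use
        0x0040:  7273 2f31 3f75 7365                      rs/1?use
"""
FIN_DUMP = r"""20:56:15.179096 IP 10.0.2.15.20281 > 192.168.4.80.21224: Flags [F.], seq 649, ack 1721, win 33232, length 0
        0x0000:  0004 0001 0006 0800 2793 4e00 0000 0800  ........'.N.....
        0x0010:  4500 0028 417b 4000 4006 284e 0a00 020f  E..(A{@.@.(N....
        0x0020:  c0a8 0450 4f39 52e8 b35c bf82 f4d8 b0ba  ...PO9R..\......
        0x0030:  5011 81d0 d121 0000 0000 0000 0000 2e31  P....!.........1
        0x0040:  2035 3030 2049 6e74                      .500.Int
"""

# Assumption for these dumps: the 16 bytes before the IP header are the Linux cooked-capture
# (SLL) header written for the "any" pseudo-interface. Pass another link_len for other link types.
SLL_HEADER_LEN = 16

HEX_LINE = re.compile(r"^\s*0x([0-9a-f]{4}):\s+(.*)$")
HEX_GROUP = re.compile(r"[0-9a-f]{2}(?:[0-9a-f]{2})?")


def dump_to_bytes(dump):
    """Rebuild the captured frame from tcpdump -X hex lines (up to 8 groups per line; ASCII column dropped)."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError("hex offsets are not contiguous")
        for token in m.group(2).split()[:8]:
            if not HEX_GROUP.fullmatch(token):
                break  # first non-hex token is the start of the ASCII column
            out += bytes.fromhex(token)
    return bytes(out)


TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def tcp_summary(dump, link_len=SLL_HEADER_LEN):
    """Where tcpdump's 'length' comes from: IP total length minus IP header and TCP header lengths."""
    frame = dump_to_bytes(dump)
    ip = frame[link_len:]
    if ip[0] >> 4 != 4:
        raise ValueError("expected an IPv4 header after the link-layer header")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if tcp[13] & (1 << i)]
    return {
        "captured_bytes": len(frame),
        "ip_total_length": total_len,
        "tcp_header_length": data_off,
        "tcp_payload_length": len(tcp) - data_off,  # this is what tcpdump prints as "length"
        "flags": flags,
        # Captured bytes past the end of the IP packet: printed by -X, but not part of the segment.
        "trailing_bytes": frame[link_len + total_len:],
    }


if __name__ == "__main__":
    for name, dump in (("ACK", ACK_DUMP), ("FIN/ACK", FIN_DUMP)):
        print(name, tcp_summary(dump))
```

For both packets the IP total length is 40 bytes and the TCP header is 20 bytes, so the payload length is 0, which is exactly the "length 0" tcpdump prints; the 16 bytes that follow (for the ACK, "GET /users/1?use") sit beyond the end of the IP packet inside the 72-byte captured frame, so they are not TCP payload even though -X prints every captured byte.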
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
i need get a substring from a file shell script
I need a little help with this shell script. I have a variable that represents an IP/TCP header. I need to filter a traffic capture by the selected header.
var="ttl 128"    # only TTL=128
tcpdump -Xvv -n -i eth0 -c 300 > capture.txt 2>/dev/null
I'm trying to use the grep command, but I only get the line with ttl 128, not the IP source and destination
grep -i "$var" capture.txt > resultGrep.txt
The result of the tcpdump command is something like this
15:29:18.164566 IP (tos 0x0, ttl 1, id 2394, offset 0, flags [none], proto UDP (17), length 125)
10.0.0.155.58363 > 239.255.255.254.1900: UDP, length 97
0x0000: 4600 0024 0000 0000 0102 3ad3 0a00 0000 F..$......:.....
0x0010: e000 0001 9404 0000 1101 ebfe 0000 0000 ................
0x0020: 0300 0000 0000 0000 0000 0000 0000 ..............
15:29:18.164566 IP (tos 0x0, ttl 128, id 2394, offset 0, flags [none], proto UDP (17), length 125)
10.0.0.131.58363 > 239.255.255.250.1900: UDP, length 97
0x0000: 4600 0024 0000 0000 0102 3ad3 0a00 0000 F..$......:.....
0x0010: e000 0001 9404 0000 1101 ebfe 0000 0000 ................
0x0020: 0300 0000 0000 0000 0000 0000 0000 ..............
15:29:18.164566 IP (tos 0x0, ttl 64, id 2394, offset 0, flags [none], proto UDP (17), length 125)
10.0.0.147.58363 > 239.255.255.255.1900: UDP, length 97
0x0000: 4600 0024 0000 0000 0102 3ad3 0a00 0000 F..$......:.....
0x0010: e000 0001 9404 0000 1101 ebfe 0000 0000 ................
0x0020: 0300 0000 0000 0000 0000 0000 0000 ..............
I need to get the source IP address and destination IP address from packets with the ttl 128 header; in the example the output result must be
10.0.0.131.58363 > 239.255.255.250.1900
If your grep supports displaying a context -A, you can try
grep -A 1 -e 'ttl 128' capture.txt | grep '^ ' | cut -d: -f1
The first grep shows all lines with ttl 128 plus one following line. The second grep filters the lines starting with blanks. The final cut selects everything before the first :.
I need help to extract matches from a file.
I capture network traffic with tcpdump command
tcpdump -Xvv -i eth0 > captureFile.txt
Given any field of the IP, TCP and Ethernet headers, list all values found in the captured traffic for that field and count how many times each value occurs. For example, suppose TTL = 128 and TTL = 64 are found; then indicate how many packets have that field with each of these values.
The content of the file:
09:26:13.245546 IP (tos 0x0, ttl 1, id 3439, offset 0, flags [none], proto UDP (17), length 1018)
10.0.0.226.58935 > 239.255.255.250.3702: UDP, length 990
0x0000: 4500 03fa 0d6f 0000 0111 ada8 0a00 00e2 E....o..........
0x0010: efff fffa e637 0e76 03e6 7ec0 3c3f 786d .....7.v..~.<?xm
0x0020: 6c20 7665 7273 696f 6e3d 2231 2e30 2220 l.version="1.0".
0x0030: 656e 636f 6469 6e67 3d22 7574 662d 3822 encoding="utf-8"
0x0040: 3f3e 3c73 6f61 703a 456e 7665 ?><soap:Enve
09:26:13.339173 IP6 (hlim 1, next-header UDP (17) payload length: 998) fe80::21e9:f54b:9ae7:6383.58936 > ff02::c.3702: UDP, length 990
0x0000: 6000 0000 03e6 1101 fe80 0000 0000 0000 `...............
0x0010: 21e9 f54b 9ae7 6383 ff02 0000 0000 0000 !..K..c.........
0x0020: 0000 0000 0000 000c e638 0e76 03e6 666c .........8.v..fl
0x0030: 3c3f 786d 6c20 7665 7273 696f 6e3d 2231 <?xml.version="1
0x0040: 2e30 2220 656e 636f 6469 6e67 .0".encoding
09:26:13.407313 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.3.118 tell 10.0.1.215, length 46
0x0000: 0001 0800 0604 0001 0009 0fcb 0a0c 0a00 ................
0x0010: 01d7 0000 0000 0000 0a00 0376 0000 0000 ...........v....
0x0020: 0000 0000 0000 0000 0000 d9c4 62a8 ............b.
09:26:13.525954 IP (tos 0x0, ttl 128, id 3441, offset 0, flags [none], proto UDP (17), length 161)
10.0.0.226.59131 > 239.255.255.250.1900: UDP, length 133
0x0000: 4500 00a1 0d71 0000 0111 b0ff 0a00 00e2 E....q..........
0x0010: efff fffa e6fb 076c 008d 6fa6 4d2d 5345 .......l..o.M-SE
0x0020: 4152 4348 202a 2048 5454 502f 312e 310d ARCH.*.HTTP/1.1.
0x0030: 0a48 6f73 743a 3233 392e 3235 352e 3235 .Host:239.255.25
0x0040: 352e 3235 303a 3139 3030 0d0a 5.250:1900..
09:26:13.557002 IP (tos 0x0, ttl 1, id 3442, offset 0, flags [none], proto UDP (17), length 161)
10.0.0.226.59131 > 239.255.255.250.1900: UDP, length 133
0x0000: 4500 00a1 0d72 0000 0111 b0fe 0a00 00e2 E....r..........
0x0010: efff fffa e6fb 076c 008d 6fa6 4d2d 5345 .......l..o.M-SE
0x0020: 4152 4348 202a 2048 5454 502f 312e 310d ARCH.*.HTTP/1.1.
0x0030: 0a48 6f73 743a 3233 392e 3235 352e 3235 .Host:239.255.25
0x0040: 352e 3235 303a 3139 3030 0d0a 5.250:1900..
09:26:13.642734 IP (tos 0x0, ttl 1, id 21767, offset 0, flags [none], proto UDP (17), length 684)
10.0.0.237.58882 > 239.255.255.250.3702: UDP, length 656
0x0000: 4500 02ac 5507 0000 0111 6753 0a00 00ed E...U.....gS....
0x0010: efff fffa e602 0e76 0298 5568 3c3f 786d .......v..Uh<?xm
0x0020: 6c20 7665 7273 696f 6e3d 2231 2e30 2220 l.version="1.0".
0x0030: 656e 636f 6469 6e67 3d22 7574 662d 3822 encoding="utf-8"
0x0040: 3f3e 3c73 6f61 703a 456e 7665 ?><soap:Enve
09:26:13.642960 IP6 (hlim 1, next-header UDP (17) payload length: 664) fe80::b8a2:bd0:4e0b:1bb5.58883 > ff02::c.3702: UDP, length 656
0x0000: 6000 0000 0298 1101 fe80 0000 0000 0000 `...............
0x0010: b8a2 0bd0 4e0b 1bb5 ff02 0000 0000 0000 ....N...........
0x0020: 0000 0000 0000 000c e603 0e76 0298 248c ...........v..$.
0x0030: 3c3f 786d 6c20 7665 7273 696f 6e3d 2231 <?xml.version="
09:26:13.642999 IP (tos 0x0, ttl 64, id 21767, offset 0, flags [none], proto UDP (17), length 684)
10.0.0.237.58882 > 239.255.255.250.3702: UDP, length 656
0x0000: 4500 02ac 5507 0000 0111 6753 0a00 00ed E...U.....gS....
0x0010: efff fffa e602 0e76 0298 5568 3c3f 786d .......v..Uh<?xm
0x0020: 6c20 7665 7273 696f 6e3d 2231 2e30 2220 l.version="1.0".
0x0030: 656e 636f 6469 6e67 3d22 7574 662d 3822 encoding="utf-8"
0x0040: 3f3e 3c73 6f61 703a 456e 7665 ?><soap:Enve
The result must be:
ttl 64 - 1 time
ttl 128 - 1 time
ttl 1 - 3 times
I think this would be exactly the same as your expected output.
grep -ioP 'ttl \d+' file|awk '{a[$0]++}END{for(x in a)print x" - "a[x]" times"}'
output would be:
ttl 1 - 3 times
ttl 64 - 1 times
ttl 128 - 1 times
Well, not exactly the same, since I didn't check time vs. times.. do you really need it? It could be done easily..
EDIT
as OP asks, output time/times depends on the count:
grep -ioP 'ttl \d+' file|awk '{a[$0]++}END{for(x in a)print x" - "a[x]" time"(a[x]>1?"s":"")}'
output:
ttl 1 - 3 times
ttl 64 - 1 time
ttl 128 - 1 time
It's a bit long and I'm sure it can be refactored quite a lot but it works if you don't|can't have perl installed:
grep ttl captureFile.txt | awk '{print $5,$6}' | sed 's/,//' | sort | uniq -c | awk '{print $2,$3,"-",$1,"times"}'
Two approaches:
If you have perl,
perl -ne '/ttl (\d+),/ and $TTL{$1}++;
    END { for my $ttl (keys %TTL) { print "* ttl $ttl - $TTL{$ttl} time\n" } }' captureFile.txt
Should do it. But I think uniq -c may also work with grep...
egrep -o 'ttl [0-9]+' captureFile.txt | sort | uniq -c
And to get the exact output format you asked for, just add this after uniq -c
| awk '{print "* ttl "$3" - "$1" time"}'
grep "ttl [0-9]*" captureFile.txt -o
Would get only the relevant parts of the text file.
grep "ttl [0-9]*" captureFile.txt -o |
awk 'NF{ count[ toupper( $0 ) ]++ }
     END{ for ( name in count ) { print "*" name " - " count[ name ] " times" } }'
Would get the formatting you wanted.
Simple awk script:
$ awk -F, '/ttl/{u[$2]++}END{for(k in u)print k" - "u[k]" time"(u[k]>1?"s":"")}' file
ttl 128 - 1 time
ttl 64 - 1 time
ttl 1 - 3 times
No need to waste sub-processes.
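One parser that serves the three tcpdump-text questions on this page (the first question: source/destination pairs for a given field and value; the ttl 128 question: the same filter; this question: every value of a field with its count), as an added example in Python that is not code from any of the answers. It groups tcpdump -vv output into per-packet records by their timestamp lines, so a field printed on the packet's second line (ack, win) is found as easily as one on the first, and the "src > dst:" match works for IPv6 endpoints that contain colons, which cut -d: does not. SAMPLE is a constructed, trimmed copy of the capture in the question (one hex line kept for some packets, the asker's "ack 555" record kept as written).

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the capture quoted in the questions on this page.
SAMPLE = """\
09:26:13.245546 IP (tos 0x0, ttl 1, id 3439, offset 0, flags [none], proto UDP (17), length 1018)
    10.0.0.226.58935 > 239.255.255.250.3702: UDP, ack 555, win 6584, length 990
        0x0000:  4500 03fa 0d6f 0000 0111 ada8 0a00 00e2  E....o..........
09:26:13.339173 IP6 (hlim 1, next-header UDP (17) payload length: 998) fe80::21e9:f54b:9ae7:6383.58936 > ff02::c.3702: UDP, length 990
        0x0000:  6000 0000 03e6 1101 fe80 0000 0000 0000  `...............
09:26:13.407313 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.3.118 tell 10.0.1.215, length 46
        0x0000:  0001 0800 0604 0001 0009 0fcb 0a0c 0a00  ................
09:26:13.525954 IP (tos 0x0, ttl 128, id 3441, offset 0, flags [none], proto UDP (17), length 161)
    10.0.0.226.59131 > 239.255.255.250.1900: UDP, length 133
09:26:13.557002 IP (tos 0x0, ttl 1, id 3442, offset 0, flags [none], proto UDP (17), length 161)
    10.0.0.226.59131 > 239.255.255.250.1900: UDP, length 133
09:26:13.642734 IP (tos 0x0, ttl 1, id 21767, offset 0, flags [none], proto UDP (17), length 684)
    10.0.0.237.58882 > 239.255.255.250.3702: UDP, length 656
09:26:13.642999 IP (tos 0x0, ttl 64, id 21767, offset 0, flags [none], proto UDP (17), length 684)
    10.0.0.237.58882 > 239.255.255.250.3702: UDP, length 656
"""

# A record starts at a line that begins with a timestamp (HH:MM:SS.usec or epoch seconds).
RECORD_START = re.compile(r"^(?:\d{2}:\d{2}:\d{2}\.\d+|\d{9,}\.\d+)\s")
ENDPOINTS = re.compile(r"(\S+) > (\S+):")  # "src.port > dst.port:", IPv6 included


def records(capture_text):
    """Split tcpdump -vv output into one multi-line string per packet (hex lines stay attached)."""
    current = []
    for line in capture_text.splitlines():
        if RECORD_START.match(line) and current:
            yield "\n".join(current)
            current = []
        current.append(line)
    if current:
        yield "\n".join(current)


def has_field(record, field, value):
    """True if the record carries `field value` as whole tokens ("ttl 1" must not match "ttl 128")."""
    pat = r"(?<![\w-])" + re.escape(field) + r"\s+" + re.escape(value) + r"(?=[,)\s:]|$)"
    return re.search(pat, record) is not None


def endpoints(record):
    m = ENDPOINTS.search(record)
    return (m.group(1), m.group(2)) if m else None  # ARP records have no "src > dst"


def pairs_for(capture_text, field, value):
    """Distinct (source, destination) pairs among packets matching `field value`, with counts."""
    counts = Counter()
    for rec in records(capture_text):
        if has_field(rec, field, value):
            ep = endpoints(rec)
            if ep:
                counts[ep] += 1
    return dict(counts)


def value_counts(capture_text, field):
    """Every value seen for `field` and the number of packets carrying it (one count per packet)."""
    pat = re.compile(r"(?<![\w-])" + re.escape(field) + r"\s+(\S+)")
    counts = Counter()
    for rec in records(capture_text):
        m = pat.search(rec)
        if m:
            counts[m.group(1).rstrip(",):")] += 1
    return dict(counts)


def times(n):
    return f"{n} time" + ("s" if n > 1 else "")


def format_pairs(counts):
    return [f"Source: {s} --- Destination: {d} - {times(n)}" for (s, d), n in sorted(counts.items())]


def format_values(field, counts):
    return [f"{field} {v} - {times(n)}" for v, n in sorted(counts.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    print(*format_pairs(pairs_for(SAMPLE, "ttl", "1")), sep="\n")
    print(*format_pairs(pairs_for(SAMPLE, "ttl", "128")), sep="\n")
    print(*format_values("ttl", value_counts(SAMPLE, "ttl")), sep="\n")
```

On the sample, pairs_for with ttl 1 returns the three pairs the awk answer to the first question prints (one packet each), value_counts("ttl") returns 1: 3, 128: 1, 64: 1 as this question expects, and the IPv6 record is reachable through its own field (hlim 1) without breaking on the colons in its addresses.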