Module: ReassembleTcp

Defined in:
lib/reassemble_tcp.rb,
lib/reassemble_tcp/version.rb,
lib/reassemble_tcp/packet_stream.rb,
lib/reassemble_tcp/tcp_connection.rb

Defined Under Namespace

Classes: PacketStream, TcpConnection

Constant Summary

VERSION =
"0.0.1"

Class Method Summary

Class Method Details

.tcp_connections(filepath) ⇒ Array<ReassembleTcp::TcpConnection>

Get the TCP connections found in a pcap file.

Parameters:

  • filepath (String)

    pcap file path

Returns:



# File 'lib/reassemble_tcp.rb', line 12

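# Build the list of TCP connections found in a pcap file.
#
# A connection is opened only by a packet carrying SYN without ACK. Every
# other TCP packet is handed to the first existing connection whose tuple
# matches it (TcpConnection#match?) and is dropped when none matches, so a
# capture that starts mid-stream yields no data for that stream. A second
# bare SYN for a tuple that already has a connection is ignored, and the
# segments that follow it are appended to the earlier connection.
#
# @param filepath [String] pcap file path
# @return [Array<ReassembleTcp::TcpConnection>] connections in the order their
#   first SYN was seen
def self.tcp_connections(filepath)
  streams = []
  PacketFu::PcapFile.read_packets_with_timestamp(filepath) do |pkt|
    next unless pkt.is_ip? && pkt.is_tcp?

    flags = pkt.tcp_flags
    if flags[:syn] == 1 && flags[:ack] == 0
      # New connection attempt; a SYN whose tuple is already tracked
      # (retransmission, or a later reuse of the same ports) is ignored.
      next if streams.any? { |conn| conn.match?(pkt) }

      streams << TcpConnection.new(pkt)
    else
      # SYN/ACK, data, FIN, RST, ... belong to the matching connection.
      # NOTE(review): only the tuple is matched here; whether the segment is
      # actually in-sequence for that connection is up to TcpConnection#<< —
      # confirm there before relying on the reassembled payload.
      conn = streams.find { |ts| ts.match?(pkt) }
      next if conn.nil?

      conn << pkt
    end
  end
  streams
end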

.tcp_data_stream(filepath) {|time, from, to, data| ... } ⇒ Object

Get the reassembled TCP data.

Parameters:

  • filepath (String)

    pcap file path

Yields:

  • (time, from, to, data)

Yield Parameters:

  • time (Time)

    packet timestamp

  • from (String)

    source IP address

  • to (String)

    destination IP address

  • data (String)

    reassembled TCP data



# File 'lib/reassemble_tcp.rb', line 35

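# Yield every reassembled TCP data chunk from a pcap file, across all
# connections, in ascending timestamp order.
#
# Chunks are collected first and then sorted on [time, arrival index], so two
# chunks that share a timestamp are both yielded (in arrival order) instead of
# one silently overwriting the other. Empty chunks are skipped.
#
# @param filepath [String] pcap file path
# @yield [time, from, to, data]
# @yieldparam time [Time] timestamp of the end of the chunk
# @yieldparam from [String] source IP address
# @yieldparam to [String] destination IP address
# @yieldparam data [String] reassembled TCP payload; raw bytes taken from the
#   capture, so treat it as untrusted input downstream
# @raise [LocalJumpError] when called without a block
# @return [nil]
def self.tcp_data_stream(filepath, &block)
  # [time, arrival index, from, to, data]; the index makes the sort stable.
  segments = []
  ReassembleTcp.tcp_connections(filepath).each do |conn|
    dst = conn.dst_ip
    src = conn.src_ip
    conn.tcpdata do |range, dir, data|
      next if data.nil? || data.empty?

      from, to = dir == :send ? [src, dst] : [dst, src]
      # range.last is passed to Time.at, so it is presumably an epoch
      # timestamp (seconds) marking the end of this chunk — verify in
      # TcpConnection#tcpdata.
      etime = Time.at(range.last)
      segments << [etime, segments.size, from, to, data]
    end
  end

  segments.sort_by { |etime, idx, _from, _to, _data| [etime, idx] }
          .each { |etime, _idx, from, to, data| yield etime, from, to, data }
  nil
end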