And here are a few assembler changes. With actual new features this time:
- Simple assembler for UDP traffic, not really tested and probably not very accurate but better than an empty screen
- Tagging of TCP and UDP traffic
- Persistent Assembler instance. This allows for:
  - Incremental pcap processing (Simply recording last packet number and listening to FS WRITE events)
  - Flows assembled across PCAPs (As long as the new PCAP arrives within `flush-after` timeout)
- Some code refactoring, hopefully in the right direction
This is my first time writing something serious in Go, feel free to point out idiomatic mistakes.
Known issues:
- When copying PCAPs over and overwriting them, assembler sometimes shows negative packet counts. This won't explode and appears to eventually parse all packets. But it's weird and I have no idea why it happens.
- When a reverse proxy is placed in front of an HTTP service (without the service returning `Connection: close`), it causes the assembler to put all the packets in one flow. This stops only when the document limit is reached or no traffic is seen for `flush-after`. I don't think there is a real fix for this but I'm open to ideas.
Thanks for open-sourcing Tulip.
Love from Team Czenk :heart:
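
An added example, not code from this pull request or from Tulip, of the incremental pcap processing described above: it re-reads a capture, skips the packets already counted, and stops at a record that is still being written. `ReadNew`, `Sample` and the 262144-byte bound are assumptions, and it goes beyond the description by parsing the classic little-endian pcap format with the standard library only.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// ReadNew parses a classic little-endian pcap stream, skips the first `seen`
// packets and returns the later ones plus the count of complete packets.
func ReadNew(r io.Reader, seen int) (out [][]byte, count int, err error) {
	var hdr [24]byte // global header; only the magic number is checked
	if _, e := io.ReadFull(r, hdr[:]); e != nil || binary.LittleEndian.Uint32(hdr[:4]) != 0xa1b2c3d4 {
		return nil, seen, fmt.Errorf("missing or unsupported pcap header")
	}
	for {
		var rec [16]byte // ts_sec, ts_usec, incl_len, orig_len
		if _, e := io.ReadFull(r, rec[:]); e != nil {
			break // clean EOF or half-written record header
		}
		n := binary.LittleEndian.Uint32(rec[8:12])
		if n > 262144 { // assumed sanity bound on one captured packet
			return out, count, fmt.Errorf("implausible incl_len %d", n)
		}
		data := make([]byte, n)
		if _, e := io.ReadFull(r, data); e != nil {
			break // packet body not flushed to disk yet; retry on next event
		}
		if count++; count > seen {
			out = append(out, data)
		}
	}
	return out, count, nil
}

// Sample builds a constructed capture (not real traffic) from the payloads.
func Sample(payloads ...string) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.LittleEndian, [6]uint32{0xa1b2c3d4})
	for _, p := range payloads {
		binary.Write(&b, binary.LittleEndian, [4]uint32{2: uint32(len(p)), 3: uint32(len(p))})
		b.WriteString(p)
	}
	return b.Bytes()
}

func main() {
	fmt.Println(ReadNew(bytes.NewReader(Sample("a", "b", "c")), 2))
}
```

A caller would store the returned count after each write event and pass it back as `seen`; a returned count lower than `seen` means the file now holds fewer complete packets than were recorded.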