TCP streams support

[Sebitosh]

Hi,

I am currently working on zaproxy/zaproxy#4812 , and I want to use this library to retrieve HTTP traffic to be interpreted on my end. To achieve this however, support for organizing TCP traffic into streams is needed to pair HTTP request and responses together.

For this reason I am currently working out how to contribute a TCPStream interface (extending the Stream interface), a DefaultTCPStream class (implementing TCPStream), and a TCPStreamHandler class (implementing the StreamHandler interface). Once I believe I have something that can be worked with, I'll open a PR.

Here is how I am thinking of defining a TCP stream:

• A stream is identified using it's 5-tuple, that is it's source and destination addresses, source and destination ports, and it's layer 4 protocol (in this case TCP). Any TCP packet going from that source to that destination or from that destination to that source would belong to that stream.
• Any encountered packet with a new 5-tuple would start a different stream
• TCP streams CAN start with a TCP handshake, but not necessarily
• TCP streams CAN end, either abruptly with a RST flag, or gracefully with a 3 or 4-way handshake with the FIN flag. If a stream ends, any new packet with the same 5-tuple than an ended stream would start a new stream instead of being added to it.
• If on a non-ended stream, a packet with a SYN flag is encountered indicating that a new handshake is being started, the stream is assumed to have ended and a new stream is opened starting from the SYN packet.

This definition does not take into account mismatching sequence numbers. I know software like wireshark will notice odd sequence numbers and report it (as per this post that helped me define a TCP stream). In this case I believe such analysis to be somewhat out of scope of the work i am doing, so for the definition I am proposing, there is no soundness guarantee for sequence numbers among packets placed in the same TCP streams. Edit: analysis based on sequence numbers could simply be done by a StreamListener, leaving it up to the user to do any such analysis (which could include mismatches, duplication detection, etc...)

Does such a definition look like it would fit? Do you have any specific expectation for such a contribution? Anything you would like to see it address?

[jonbo372]

Hi and I love contributions and this would be a great addition!

Your overall strategy makes sense and as you already outlined, tracking a tcp stream can be tricky as they may not end cleanly etc but looks like you're on top of it. As far as the stream ID, I have a class that does that here: https://github.com/sniceio/snice-networking/blob/main/networking-common/src/main/java/io/snice/networking/common/ConnectionId.java feel free to copy/paste.

I also wrote a HTTP FSM that you may want to look at here: https://github.com/sniceio/snice-networking/blob/main/http-stack/src/main/java/io/snice/networking/http/fsm/HttpFsm.java and that is using my own simple FSM framework, which may help you with the TCP Stream state machine. See here: https://github.com/sniceio/hektor. You would only need the fsm library. The documentation is a bit lacking but there's not much to that library. See unit tests, such as: https://github.com/sniceio/hektor/blob/main/hektor-fsm/src/test/java/io/hektor/fsm/scenarios/vendingmachine/VendingMachineFSM.java

Looking forward to your pull request!