scroot / gopacket

Automatically exported from code.google.com/p/gopacket
BSD 3-Clause "New" or "Revised" License

TCP Assembly as bidirectional flow #21

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
First off, this is a great library!

I'm using gopacket to reassemble TCP flows from captured pcap files. I notice 
that each direction is considered a flow and I was wondering what a good 
approach would be for combining the two halves into a single tcp connection or 
"conversation".

For instance, the attached image shows a wireshark conversations breakdown with 
64 TCP conversations. Running gopacket TCP assembly returns 128 TCP flows. 

I'm trying to think of the best way to merge the two halves. Right now I'm 
keeping a slice of flows and checking in ReassemblyComplete() to see if the new 
flow is the second half of an existing conversation. To do this I check:

existing.SrcAddr == newFlow.DstAddr
existing.SrcPort == newFlow.DstPort
existing.DstAddr == newFlow.SrcAddr
existing.DstPort == newFlow.SrcPort
existing.StartTime == newFlow.StartTime
existing.EndTime == newFlow.EndTime

The issue with this is the start and end times are a few microseconds off 
generally, so I have to allow for a little fudge room. I'm wondering what a 
cleaner way might be to implement this.

Perhaps I should try to implement this in the gopacket reassembly code or 
continue to do this by merging reassemblies after gopacket has processed the flows.

Regards

Original issue reported on code.google.com by keep.it....@gmail.com on 26 Jun 2014 at 6:08
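The pairing check described in the post above, written out as an added example (not the poster's code and not the project's examples/bidirectional): the reverse of a flow's 4-tuple is used as a map key so the other half is found by lookup, and the timestamp tolerance only disambiguates a reused 4-tuple. The Flow type and the Merger are constructed for this example and are not gopacket types.

```go
package main

import "time"

// Flow is one direction of a TCP stream as ReassemblyComplete would hand it
// over (a type constructed for this example, not gopacket's own).
type Flow struct {
	SrcAddr, DstAddr string
	SrcPort, DstPort uint16
	Start, End       time.Time
}

// dirKey identifies one direction; Reverse yields the key of the other half,
// so finding the partner is a map lookup rather than a scan over all flows.
type dirKey struct {
	SrcAddr, DstAddr string
	SrcPort, DstPort uint16
}

func (f Flow) Key() dirKey       { return dirKey{f.SrcAddr, f.DstAddr, f.SrcPort, f.DstPort} }
func (k dirKey) Reverse() dirKey { return dirKey{k.DstAddr, k.SrcAddr, k.DstPort, k.SrcPort} }

// Merger holds unmatched halves until their reverse direction completes.
type Merger struct {
	pending   map[dirKey][]Flow
	tolerance time.Duration // permitted skew between the halves' timestamps
}

func NewMerger(tolerance time.Duration) *Merger {
	return &Merger{pending: map[dirKey][]Flow{}, tolerance: tolerance}
}

func within(a, b time.Time, tol time.Duration) bool {
	d := a.Sub(b)
	return -tol <= d && d <= tol
}

// Add records f and returns both halves once its partner has been seen. The
// timestamp check only disambiguates a reused 4-tuple (the same endpoints and
// ports talking more than once in one capture); the key does the matching.
func (m *Merger) Add(f Flow) (Flow, Flow, bool) {
	rev := f.Key().Reverse()
	for i, c := range m.pending[rev] {
		if within(c.Start, f.Start, m.tolerance) && within(c.End, f.End, m.tolerance) {
			m.pending[rev] = append(m.pending[rev][:i], m.pending[rev][i+1:]...)
			return c, f, true
		}
	}
	m.pending[f.Key()] = append(m.pending[f.Key()], f)
	return Flow{}, Flow{}, false
}
```

Halves that never get a partner (one-sided captures, or a reused 4-tuple whose timestamps fall outside the tolerance) stay in pending, so a real tool flushes them at end of capture.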

GoogleCodeExporter commented 9 years ago
Hey, Gully,

Sorry for the late reply on this.  The short answer is:
  - currently tcpassembly doesn't support really bullet-proof bidirectional support, since it doesn't (yet) expose Seq/Ack.
  - we can fudge it pretty well, though.  I'm writing up an example in the examples directory to show this.  I'll update this issue once it's submitted.

Original comment by gconnell@google.com on 1 Jul 2014 at 4:35

GoogleCodeExporter commented 9 years ago
Example code at examples/bidirectional:
https://code.google.com/p/gopacket/source/detail?r=39870ca7398ebc83b55c04c2a5a4578ba8b5ea94

Original comment by gconnell@google.com on 1 Jul 2014 at 7:28