© 2024 – Pkg Stats / Ryan Hefner

@tdole/pcap-tcp_reassemble

v8.14.1

Published

With this program you can reorder TCP sessions in a pcap file.

Downloads

61

Readme

Sometimes TShark or Wireshark cannot reorder a TCP stream correctly, and the result is corrupted TCP stream content. Dissectors that work on the TCP content, such as TLS, will then also fail.

As an input source you can now also read data from RabbitMQ. The pcap data must have been uploaded with the "@todle/pcaptorabbit" program.

Requirements:

  • NodeJS (v14.6.1 or higher).
  • Capture file must be in pcap or pcap-ng format (for pcap-ng, the data is read from 'Enhanced Packet Block' blocks).
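The tool consumes classic pcap and pcap-ng input. As an added example (not code from @todle/pcap-tcp_reassemble), the following Node.js reader decodes a classic pcap file into the per-frame fields a TCP reassembler needs: frame number, timestamp, endpoints, sequence/ack numbers, flags and payload length. It handles both byte orders and both timestamp resolutions of the classic format, but not pcap-ng; it assumes LINKTYPE_ETHERNET and IPv4, and the capture it parses is constructed inline with zero checksums.

```javascript
'use strict';
// Added example, not code from @todle/pcap-tcp_reassemble: a minimal reader for
// classic pcap files that decodes Ethernet/IPv4/TCP frames into the fields a
// reassembler needs. pcap-ng (Enhanced Packet Block) input is not handled.

const FLAGS = { FIN: 0x01, SYN: 0x02, RST: 0x04, PSH: 0x08, ACK: 0x10 };

// The magic number gives byte order and whether timestamps are in micro- or
// nanoseconds; these four values are the ones defined for classic pcap.
function parsePcapHeader(buf) {
  const magics = {
    0xa1b2c3d4: { le: false, nanos: false }, 0xd4c3b2a1: { le: true, nanos: false },
    0xa1b23c4d: { le: false, nanos: true },  0x4d3cb2a1: { le: true, nanos: true },
  };
  if (buf.length < 24) throw new Error('short pcap header');
  const fmt = magics[buf.readUInt32BE(0)];
  if (!fmt) throw new Error('not a classic pcap file (pcap-ng is not handled here)');
  const u32 = (o) => (fmt.le ? buf.readUInt32LE(o) : buf.readUInt32BE(o));
  return { ...fmt, snaplen: u32(16), linktype: u32(20) };
}

// Decode one captured frame; returns null for anything that is not IPv4/TCP.
function decodeTcp(pkt) {
  if (pkt.length < 34 || pkt.readUInt16BE(12) !== 0x0800) return null; // not IPv4
  const ihl = (pkt[14] & 0x0f) * 4;
  if ((pkt[14] >> 4) !== 4 || pkt[23] !== 6) return null;              // not TCP
  const t = 14 + ihl;
  if (pkt.length < t + 20) return null;                                 // sliced before TCP header
  const totalLen = pkt.readUInt16BE(16);
  const dataOff = (pkt[t + 12] >> 4) * 4;
  const ip = (o) => Array.from(pkt.subarray(o, o + 4)).join('.');
  // Payload length comes from the IP total length, not the capture length:
  // Ethernet padding and snaplen slicing would otherwise skew the
  // sequence-number bookkeeping done by a reassembler.
  const payloadLen = Math.max(0, totalLen - ihl - dataOff);
  return {
    src: ip(26), dst: ip(30),
    sport: pkt.readUInt16BE(t), dport: pkt.readUInt16BE(t + 2),
    seq: pkt.readUInt32BE(t + 4), ack: pkt.readUInt32BE(t + 8), flags: pkt[t + 13],
    payloadLen, payload: pkt.subarray(t + dataOff, t + dataOff + payloadLen),
  };
}

// Walk the record headers: ts_sec, ts_frac, incl_len, orig_len, then incl_len bytes.
function* readPcapFrames(buf) {
  const hdr = parsePcapHeader(buf);
  if (hdr.linktype !== 1) throw new Error('only LINKTYPE_ETHERNET (1) is handled');
  const u32 = (o) => (hdr.le ? buf.readUInt32LE(o) : buf.readUInt32BE(o));
  let off = 24, frame = 0;
  while (off + 16 <= buf.length) {
    frame += 1;
    const [sec, frac, inclLen, origLen] = [u32(off), u32(off + 4), u32(off + 8), u32(off + 12)];
    off += 16;
    if (off + inclLen > buf.length) throw new Error(`frame ${frame}: record runs past end of file`);
    const pkt = buf.subarray(off, off + inclLen);
    off += inclLen;
    yield { frame, ts: sec + frac / (hdr.nanos ? 1e9 : 1e6), sliced: inclLen < origLen, tcp: decodeTcp(pkt) };
  }
}

// --- Constructed sample data (not a real capture; checksums left zero) ------
function buildTcpFrame({ src, dst, sport, dport, seq, ack = 0, flags, payload = Buffer.alloc(0) }) {
  const eth = Buffer.alloc(14); eth.writeUInt16BE(0x0800, 12);
  const ipv4 = Buffer.alloc(20);
  ipv4[0] = 0x45; ipv4[8] = 64; ipv4[9] = 6;         // IPv4 / IHL 5, TTL, protocol TCP
  ipv4.writeUInt16BE(40 + payload.length, 2);        // total length
  Buffer.from(src.split('.').map(Number)).copy(ipv4, 12);
  Buffer.from(dst.split('.').map(Number)).copy(ipv4, 16);
  const tcp = Buffer.alloc(20);
  tcp.writeUInt16BE(sport, 0); tcp.writeUInt16BE(dport, 2);
  tcp.writeUInt32BE(seq >>> 0, 4); tcp.writeUInt32BE(ack >>> 0, 8);
  tcp[12] = 5 << 4; tcp[13] = flags;                 // data offset 5 words, flags
  return Buffer.concat([eth, ipv4, tcp, payload]);
}

function buildPcap(frames, tsStart = 1662842458) {   // little-endian, microsecond pcap
  const gh = Buffer.alloc(24);
  gh.writeUInt32LE(0xa1b2c3d4, 0); gh.writeUInt16LE(2, 4); gh.writeUInt16LE(4, 6);
  gh.writeUInt32LE(65535, 16); gh.writeUInt32LE(1, 20);
  const recs = frames.map((f, i) => {
    const rh = Buffer.alloc(16);
    rh.writeUInt32LE(tsStart + i, 0); rh.writeUInt32LE(1000 * i, 4);
    rh.writeUInt32LE(f.length, 8); rh.writeUInt32LE(f.length, 12);
    return Buffer.concat([rh, f]);
  });
  return Buffer.concat([gh, ...recs]);
}

function sampleCapture() {                            // handshake plus one request segment
  const c = { src: '10.0.0.1', dst: '192.168.1.1', sport: 1234, dport: 80 };
  const s = { src: '192.168.1.1', dst: '10.0.0.1', sport: 80, dport: 1234 };
  return buildPcap([
    buildTcpFrame({ ...c, seq: 1000, flags: FLAGS.SYN }),
    buildTcpFrame({ ...s, seq: 5000, ack: 1001, flags: FLAGS.SYN | FLAGS.ACK }),
    buildTcpFrame({ ...c, seq: 1001, ack: 5001, flags: FLAGS.ACK }),
    buildTcpFrame({ ...c, seq: 1001, ack: 5001, flags: FLAGS.PSH | FLAGS.ACK,
                    payload: Buffer.from('GET / HTTP/1.0\r\n\r\n') }),
  ]);
}

// One summary row per frame, the index a reassembler would build.
function summarize(buf) {
  return [...readPcapFrames(buf)].map((f) => ({
    frame: f.frame, src: f.tcp && f.tcp.src, seq: f.tcp && f.tcp.seq,
    flags: f.tcp && f.tcp.flags, len: f.tcp ? f.tcp.payloadLen : null,
  }));
}
```

`summarize(sampleCapture())` returns four rows; the `sliced` flag marks frames whose captured length is shorter than the original length, which is exactly the case where the payload bytes on disk are fewer than `payloadLen` says and a reassembler must record a gap rather than trust the captured bytes.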

Installation:

This program is also published on the public npm registry. Install it from there with 'npm install @todle/pcap-tcp_reassemble -g'; this installs the program 'pcap-tcp_reassemble' globally.

To install a checked-out git repository version, run 'npm install -g' in the repository; this also installs the program 'pcap-tcp_reassemble' globally.

Usage

Usage: node ./pcap-tcp_reassemble.js [options]

    --help                               Show this help message
    --amqpFailAfterReconnects <value>    When the connection to the AMQP server is lost, retry this many times before stopping the program (default: 100)
    --amqpReconnectInterval <value>      When the connection to the AMQP server is lost, wait this many milliseconds before reconnecting (default: 5000)
    --saveBeforeStop                     When the process is asked to stop, save a list of open session files so they can be picked up on the next start
    -c, --continueAfterStop              Before starting, check for a list saved by --saveBeforeStop and read the content of those files to continue
    --onlyOneSessionPerSource            Allow only one TCP session per source IP; close the existing session when a new one is seen
    --serverIp <value>                   IP address of the server
    --savePerTCPSession                  Make one pcap file per TCP session
    --generateForensicLog                Next to each TCP session pcap file, generate a forensic log file including dropped packets and original source files
    --onlyStoreCleanSessions             Drop/do not create pcap files when the payload of the TCP session is zero bytes
    --dropZeroPayloadSession             Drop/do not create pcap files when the payload of the TCP session is zero bytes
    --splitboundary <value>              Split boundary: a string of hexadecimal byte values, for example 0D0A for CR LF
    --splitsize <value>                  Split size: number of packets or seconds, depending on --splittype (default: 100)
    --splittype <value>                  Type of splitting: 1 = number of packets, 2 = time interval in seconds, 3 = time interval where both the incoming and the outgoing data stream must end on the boundary (default: 1)
    --split                              Split TCP session data over multiple files
    --portfilter <value>                 Only output packets to/from the specified port(s) (comma-separated list of port numbers)
    --destfolder <value>                 Folder used as the final destination of the [TCP session] pcap files
    -q, --amqpQueue <value>              RabbitMQ queue
    -l, --amqpRoutingKey <value>         AMQP routing key
    -e, --amqpExchange <value>           RabbitMQ exchange
    --amqpHost <value>                   URI of the AMQP (RabbitMQ) host
    --tcpSessionTimeout <value>          TCP session timeout in seconds (default: 86400)
    -a, --all                            Save all packets, also non-TCP
    -v, --version                        Show version
    -o, --output <value>                 Write the reassembled and cleaned data to this pcap file
    -f, --file <value>                   Read from this pcap file
    -d, --debug                          Debug: generates a lot of output on stdout and stderr

The program reads from stdin or writes to stdout when "-" is given as the value of the "-f" or "-o" command line argument.

Example local files:

node pcap-tcp_reassemble.js -f test.pcap -o test_cleaned.pcap -a

cat test.pcap | node pcap-tcp_reassemble.js -f - -o - -a > test_cleaned.pcap

Example splitting tcp sessions into individual pcap files. One pcap per tcp session:

node pcap-tcp_reassemble.js -f test.pcap --destfolder /data/out/

This will generate one pcap file per TCP session with the following path: /data/out/<ip1>/<ip2>/<port1>-<port2>/YYYYMMDD_hhmmss.SSSSSS_[s|c]_<frame#>_<version>.pcap. The reported session states are defined in "Flowchart of TCP connections and their definition".

  • ip1 and ip2: ip1 is the string-compared lowest of the source and destination IP of the session.
    • So with source == 10.1.1.1 and destination == 205.1.1.1, ip1 becomes 10.1.1.1 and ip2 becomes 205.1.1.1,
    • and with source == 205.1.1.1 and destination == 10.1.1.1, ip1 is also 10.1.1.1 and ip2 is 205.1.1.1.
  • port1 and port2 are set to the ports used by ip1 and ip2 respectively.
  • YYYYMMDD_hhmmss.SSSSSS is the timestamp of the first pcap packet in the TCP session, in your local timezone.
  • [s|c]: tells you whether this is a clean TCP session that started with a SYN packet or a SYN/ACK packet.
  • frame: the last frame received from the source when this file was created; this makes the filename unique.
  • version: the version of the pcap-tcp_reassemble software as specified in package.json, with the dots (.) replaced by underscores (_). So 5.2.1 becomes 5_2_1.
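The naming rule above has one consequence worth seeing in code: "string compared lowest" is lexical, not numeric, so 9.9.9.9 sorts after 10.0.0.1 and the directory tree is not in address order. The following is an added example, not the project's own code; the session object shape (source/destination endpoints plus the first packet's seconds and microseconds) is assumed for the illustration, and the [s|c] marker is passed in as the tool would report it rather than derived here.

```javascript
'use strict';
// Added example (not code from @todle/pcap-tcp_reassemble): builds the
// per-session output path described in the README. Session shape is assumed.

// README rule: ip1 is the lexically ("string compared") lowest of the two IPs.
// That is NOT numeric order: "9.9.9.9" sorts after "10.0.0.1". The upside is
// that both directions of a session map to the same directory.
function orderEndpoints(a, b) {
  return a.ip <= b.ip ? [a, b] : [b, a];
}

// Local-time stamp of the first packet. Seconds and microseconds are kept
// apart, as pcap records store them, so the six fractional digits are exact
// instead of going through a double that cannot hold them at this magnitude.
function formatLocalTimestamp(sec, usec) {
  const d = new Date(sec * 1000);
  const p = (n, w) => String(n).padStart(w, '0');
  return `${d.getFullYear()}${p(d.getMonth() + 1, 2)}${p(d.getDate(), 2)}_` +
         `${p(d.getHours(), 2)}${p(d.getMinutes(), 2)}${p(d.getSeconds(), 2)}.${p(usec, 6)}`;
}

// <destfolder>/<ip1>/<ip2>/<port1>-<port2>/YYYYMMDD_hhmmss.SSSSSS_[s|c]_<frame#>_<version>.pcap
function sessionPcapPath(destfolder, session, marker, lastFrame, version) {
  const [e1, e2] = orderEndpoints(session.source, session.destination);
  const stamp = formatLocalTimestamp(session.first.sec, session.first.usec);
  const ver = version.replace(/\./g, '_');            // 8.14.1 -> 8_14_1
  const name = `${stamp}_${marker}_${lastFrame}_${ver}.pcap`;
  return [destfolder.replace(/\/+$/, ''), e1.ip, e2.ip, `${e1.port}-${e2.port}`, name].join('/');
}

// Constructed session (assumed shape), using the values from the README sample.
function sampleSession() {
  return {
    source: { ip: '10.0.0.1', port: 1234 },            // client
    destination: { ip: '192.168.1.1', port: 80 },      // server
    first: { sec: 1662842458, usec: 226251 },
  };
}
```

`sessionPcapPath('/data/out/', sampleSession(), 's', 65001298, '8.14.1')` yields `/data/out/10.0.0.1/192.168.1.1/1234-80/<local stamp>.226251_s_65001298_8_14_1.pcap`, and swapping source and destination yields the same path. Note that because the stamp is local time, files from captures taken in different timezones do not sort chronologically by name; the forensic log's unix starttime is the field to use for that.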

If you add the command line argument "--generateForensicLog", a ".*.log.json" file is created next to each TCP session pcap file; it contains forensic information about that session's pcap. The following information is recorded:

  • sourceFiles: Array of filename(s) that are the source of this TCP session pcap. When pcap-tcp_reassemble is used with the "-f" argument it is the name of that source file. When reading from RabbitMQ it is the name of the source file(s) read by the pcaptorabbit program.
  • connection:
    • hasInitialSyn: Boolean, true when a SYN or SYN/ACK packet was seen to start the session.
    • starttime: Start time of this session as a unix timestamp with fractional seconds. For example: 1662842458.226251.
    • endtime: End time of the session as a unix timestamp with fractional seconds. For example: 1662842921.333337.
    • duration: Duration of the session in seconds.
    • cleanSession: The session started with a clean SYN or SYN/ACK packet.
    • established: Both ends of the TCP session went through the ESTABLISHED state.
    • source: The client, or initiator, of the TCP session.
      • ip: IP address
      • port: TCP port number
      • transmittedBytes: Number of bytes sent from this IP.
      • missingBytes: Total number of bytes missing from the pcap: based on the sequence numbers, one or more packets are missing. The missing packets/sizes are reported in the 'gap' property of this side of the connection.
      • finalState: The final TCP state of this side of the connection.
      • gap: Key/value list of packets/segments missing from the source data. Each key is a string "<sequence from> -> <sequence to>" of the missing range and the value is the number of bytes missing.
      • dropped-duplicate-data: Key/value list of packets whose content had already been received, i.e. retransmissions that were dropped. The key is the frame number of the packet in the source and the value is its sequence number.
      • truncated: Sometimes data in a TCP session is retransmitted, and sometimes the payload of a retransmitted packet fills a complete gap but also overlaps the payload of other packet(s). The software then truncates the start and/or end of the payload to fit the gap and writes the truncated packet in place of the gap. This property is a key/value list of truncated packets. The key is the frame number of the truncated source packet and the value is an object with the following properties:
        • old: Information about the original packet:
          • sequence: Sequence number of the original packet.
          • length: Length of the original packet.
        • new: Information about the truncated packet:
          • sequence: New sequence number of the packet. When only the end was truncated this is the same as the old sequence number.
          • length: Length of the new packet.
    • destination: The server, or listening side, of the TCP session. This object has the same properties as source.
{
  "sourceFiles": [
    "/data/in/test.pcap"
  ],
  "connection": {
    "source": {
      "ip": "10.0.0.1",
      "port": 1234,
      "gap": {
        "3065721720 -> 3065722450": 730
      },
      "dropped-duplicate-data": {
        "65001295": 3065936480,
        "65001298": 3065936480
      },
      "truncated": {
        "65001301": {
          "old": {
            "sequence": 30123456,
            "length": 512
          },
          "new": {
            "sequence": 30123456,
            "length": 200
          }
        }
      },
      "transmittedBytes": 2078750,
      "missingBytes": 2190,
      "finalState": "TRANSITION_TO_TIME_WAIT"
    },
    "destination": {
      "ip": "192.168.1.1",
      "port": 80,
      "gap": {
        "1734786526 -> 1734792672": 6146,
        "1754514400 -> 1754525504": 11104
      },
      "dropped-duplicate-data": {
        "65007570": 1740352772
      },
      "transmittedBytes": 31833310,
      "missingBytes": 17250,
      "finalState": "CLOSE_WAIT"
    },
    "hasInitialSyn": true,
    "starttime": 1662842458.226251,
    "cleanSession": true,
    "endtime": 1662842921.333337,
    "duration": 463.107086,
    "established": true
  }
}
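The gap, dropped-duplicate-data and truncated entries above all fall out of one piece of bookkeeping: which byte ranges of the stream have already been accepted. The following is an added example, not the project's implementation, that reassembles one direction of a session from segments in capture order and produces those fields in the log's shape. Two things are interpretations, not statements about the tool: transmittedBytes is counted here as the unique stream bytes kept, and a retransmission that straddles more than one hole is cut down to the first hole only (the rest stay reported as gaps). Sequence arithmetic is done relative to the first sequence number seen so that a stream crossing the 32-bit wrap is handled; the segments are constructed, not captured.

```javascript
'use strict';
// Added example, not code from @todle/pcap-tcp_reassemble. Reassembles ONE
// direction of a TCP session from segments in capture order and derives the
// forensic-log fields (gap, dropped-duplicate-data, truncated,
// transmittedBytes, missingBytes) under the interpretation in the lead-in.

// segments: [{ frame, seq, payload: Buffer }] in capture order, one direction.
function reassembleDirection(segments) {
  // Sequence numbers are 32-bit and wrap, so bookkeeping is done relative to
  // the first sequence number seen and converted back only for the log keys.
  const isn = segments.length ? segments[0].seq >>> 0 : 0;
  const rel = (seq) => ((seq >>> 0) - isn) >>> 0;       // wrap-safe for streams < 4 GiB
  const abs = (off) => (isn + off) >>> 0;

  const covered = [];                                   // kept pieces, sorted, non-overlapping
  const gap = {}, dropped = {}, truncated = {};

  for (const { frame, seq, payload } of segments) {
    if (payload.length === 0) continue;                 // pure ACKs carry no stream bytes
    const start = rel(seq), end = start + payload.length;

    // Which parts of [start, end) are not in the stream yet?
    const holes = [];
    let cursor = start;
    for (const c of covered) {
      if (c.end <= cursor) continue;
      if (c.start >= end) break;
      if (c.start > cursor) holes.push([cursor, c.start]);
      cursor = Math.max(cursor, c.end);
    }
    if (cursor < end) holes.push([cursor, end]);

    if (holes.length === 0) {                           // retransmission of known bytes
      dropped[String(frame)] = seq >>> 0;
      continue;
    }
    // Cut the payload down to the hole it fills (start and/or end truncated).
    const [hs, he] = holes[0];
    if (hs !== start || he !== end) {
      truncated[String(frame)] = {
        old: { sequence: seq >>> 0, length: payload.length },
        new: { sequence: abs(hs), length: he - hs },
      };
    }
    const piece = { start: hs, end: he, frame, payload: payload.subarray(hs - start, he - start) };
    const at = covered.findIndex((c) => c.start > hs);
    covered.splice(at === -1 ? covered.length : at, 0, piece);
  }

  // Remaining holes between kept pieces are the gaps. Bytes beyond the last
  // piece cannot be known to be missing and are not counted.
  let transmittedBytes = 0, missingBytes = 0;
  for (let i = 0; i < covered.length; i++) {
    transmittedBytes += covered[i].end - covered[i].start;
    if (i > 0 && covered[i - 1].end < covered[i].start) {
      const from = covered[i - 1].end, to = covered[i].start;
      gap[`${abs(from)} -> ${abs(to)}`] = to - from;
      missingBytes += to - from;
    }
  }
  return {
    chunks: covered.map((c) => ({ frame: c.frame, sequence: abs(c.start), payload: c.payload })),
    transmittedBytes, missingBytes, gap, 'dropped-duplicate-data': dropped, truncated,
  };
}

// Constructed segments (not a real capture): a hole, an exact duplicate, a
// retransmission overlapping both neighbours, and a trailing unfilled gap.
function sampleDirection() {
  const seg = (frame, seq, text) => ({ frame, seq, payload: Buffer.from(text) });
  return [
    seg(10, 3065721620, 'A'.repeat(100)),  // stream bytes   0..100
    seg(11, 3065721820, 'C'.repeat(100)),  // stream bytes 200..300, leaves hole 100..200
    seg(12, 3065721620, 'A'.repeat(100)),  // exact retransmission -> dropped
    seg(13, 3065721700, 'B'.repeat(150)),  // bytes  80..230 -> truncated to 100..200
    seg(14, 3065721920, 'D'.repeat(50)),   // stream bytes 300..350
    seg(15, 3065722000, 'E'.repeat(20)),   // bytes 380..400; hole 350..380 stays a gap
  ];
}

// Constructed segments crossing the 2^32 sequence-number boundary.
function wrapSample() {
  return [
    { frame: 1, seq: 4294967200, payload: Buffer.alloc(100, 0x41) },  // ends at seq 4 after wrap
    { frame: 2, seq: 4, payload: Buffer.alloc(50, 0x42) },            // contiguous, not a gap
  ];
}
```

For `sampleDirection()` the result has frame 12 under dropped-duplicate-data, frame 13 under truncated with old `{3065721700, 150}` and new `{3065721720, 100}`, one gap `"3065721970 -> 3065722000": 30`, transmittedBytes 370 and missingBytes 30; concatenating the chunk payloads in order gives the cleaned stream that would be written to the output pcap. Without the relative-offset step, `wrapSample()` would report a gap of nearly 4 GiB instead of a contiguous stream.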