Hi,
I have been using jnetpcap for a few days and I have an issue reassembling TCP packets into a complete HTTP packet. I tried to use TcpAssembly, TcpSequencer, and TcpAnalyser but with no success.
I read many topics in this forum (like nodes 97, 219, 156, 519) but I didn't find a working example.
Could someone help me with working TCP packet assembly code?
Thank you in advance
I am using jnetpcap 2.0b0001.1 on Windows
Try these test cases.
Hi Mark,
I tried to use the test cases but no success. Here is my code (I am still modifying it):
import java.io.IOException;
import java.io.InputStream;
import org.jnetpcap.Pcap;
import org.jnetpcap.PcapBpfProgram;
import org.jnetpcap.nio.JBuffer;
import org.jnetpcap.nio.JMemory;
import org.jnetpcap.packet.JMemoryPacket;
import org.jnetpcap.packet.JPacket;
import org.jnetpcap.packet.JPacketHandler;
import org.jnetpcap.packet.JRegistry;
import org.jnetpcap.packet.JScanner;
import org.jnetpcap.packet.analysis.EventDumper;
import org.jnetpcap.packet.analysis.FragmentAssembly;
import org.jnetpcap.packet.analysis.FragmentSequence;
import org.jnetpcap.packet.analysis.JController;
import org.jnetpcap.packet.format.JFormatter;
import org.jnetpcap.packet.format.TextFormatter;
import org.jnetpcap.protocol.JProtocol;
import org.jnetpcap.protocol.application.WebImage;
import org.jnetpcap.protocol.tcpip.Http;
import org.jnetpcap.protocol.tcpip.HttpAnalyzer;
import org.jnetpcap.protocol.tcpip.Tcp;
import org.jnetpcap.protocol.tcpip.TcpAnalyzer;
import org.jnetpcap.protocol.tcpip.TcpAssembler;
import org.jnetpcap.protocol.tcpip.TcpSequencer;
import junit.framework.TestCase;

public class Test1 extends TestCase {

    public final static String HTTP = "tmp-capture-file4.cap";

    /* Opens the capture file, applies the optional BPF filter and runs the handler over every packet. */
    public static void openOffline(String file, JPacketHandler<Pcap> handler,
            String filter) {
        StringBuilder errbuf = new StringBuilder();
        Pcap pcap;
        if ((pcap = Pcap.openOffline(file, errbuf)) == null) {
            fail(errbuf.toString());
        }
        if (filter != null) {
            PcapBpfProgram program = new PcapBpfProgram();
            if (pcap.compile(program, filter, 0, 0) != Pcap.OK) {
                System.err.printf("pcap filter err: %s\n", pcap.getErr());
            }
            pcap.setFilter(program);
        }
        pcap.loop(Pcap.LOOP_INFINATE, handler, pcap);
        pcap.close();
    }

    /*
     * Copies the payload of every segment in the sequence into one buffer at
     * its relative stream offset (seq - start of the sequence), then rescans
     * the result starting at the protocol that follows TCP.
     */
    private JPacket reassemble(FragmentSequence sequence) {
        // The buffer must own memory for the whole stream (JBuffer(int) allocates it).
        // A JMemory.Type.POINTER buffer has no backing storage, so transferTo()
        // below has nowhere to write.
        JBuffer buf = new JBuffer(sequence.getTotalLength());
        // Tcp tcp = tcpLocal.get();
        // Ip4 ip = ipLocal.get();
        Tcp tcp = new Tcp();
        long start = sequence.getStart();
        for (JPacket p : sequence.getPacketSequence()) {
            if (p.hasHeader(tcp)) {
                int seq = (int) (tcp.seq() - start);            // relative offset in the stream
                int offset = tcp.getOffset() + tcp.hlen() * 4; // first payload byte in the packet
                int length = tcp.getPayloadLength();
                p.transferTo(buf, offset, length, seq);
            } else {
                throw new IllegalStateException(
                        "expected tcp header binding in tcp packet");
            }
        }
        JPacket packet = sequence.getPacketSequence().get(0);
        int i = packet.getState().findHeaderIndex(Tcp.ID);
        int nid = packet.getState().getHeaderIdByIndex(i + 1); // header after TCP (e.g. HTTP)
        packet.addAnalysis(nid, sequence);
        JPacket copy = new JMemoryPacket(buf);
        JScanner.getThreadLocal().scan(copy, nid);
        return copy;
    }

    @SuppressWarnings("unchecked")
    public void testCaptureRCP1() {
        /*
         * Dump all events to stdout
         */
        EventDumper dumper = new EventDumper();
        JController controller = JRegistry.getAnalyzer(JController.class);
        TcpAnalyzer tcpAnalyzer = new TcpAnalyzer();
        final TcpSequencer frag = new TcpSequencer();
        final TcpAssembler reassembler = new TcpAssembler(frag);
        controller.addAnalyzer(tcpAnalyzer, JProtocol.TCP_ID);
        HttpAnalyzer httpAnalyzer = JRegistry.getAnalyzer(HttpAnalyzer.class);
        // controller.addAnalyzer(httpAnalyzer, JProtocol.HTTP_ID);
        controller.add(new JPacketHandler<Object>() {
            Http http = new Http();

            public void nextPacket(JPacket packet, Object user) {
                JFormatter out = new TextFormatter(System.out);
                Tcp tcp = new Tcp();
                try {
                    if (packet.hasHeader(tcp)
                            && tcp.hasAnalysis(FragmentAssembly.class)) {
                        // TODO: handle the reassembled stream here
                    }
                    out.format(packet);
                    System.out.flush();
                } catch (IOException e) {
                    e.printStackTrace();
                }
                System.out.println("The packet is :\n" + packet.toHexdump());
                // frag.setFragmentationBoundary(packet, 191777L);
            }
        }, null);
        reassembler.addReassemblyListener(dumper, null);
        Test1.openOffline(HTTP, controller, null);
    }
}

and what I get is the following:
Frame:
Frame: number = 0
Frame: timestamp = 2010-05-06 11:48:59.764
Frame: wire length = 62 bytes
Frame: captured length = 62 bytes
Frame:
Eth: ******* Ethernet - "Ethernet" - offset=0 (0x0) length=14
Eth:
Eth: destination = 0:0:c:7:ac:1
Eth: .... ..0. .... .... = [0] LG bit
Eth: .... ...0 .... .... = [0] IG bit
Eth: source = 0:11:85:5f:cf:47
Eth: .... ..0. .... .... = [0] LG bit
Eth: .... ...0 .... .... = [0] IG bit
Eth: type = 0x800 (2048) [ip version 4]
Eth:
Ip: ******* Ip4 - "ip version 4" - offset=14 (0xE) length=20 protocol suite=NETWORK
Ip:
Ip: version = 4
Ip: diffserv = 0x0 (
Ip: 0000 00.. = [0] code point: not set
Ip: .... ..0. = [0] ECN bit: not set
Ip: .... ...0 = [0] ECE bit: not set
Ip: id = 0xC00A (49162)
Ip: offset = 0
Ip: type = 6 [next: Transmission Control]
Ip: source = 172.16.63.15
Ip: hlen = 5 [5 * 4 = 20 bytes, No Ip Options]
Ip: ttl = 128 [time to live]
Ip: destination = 172.16.21.138
Ip: checksum = 0x8E03 (36355) [correct]
Ip: flags = 0x2 (2)
Ip: 0.. = [0] reserved
Ip: .1. = [1] DF: do not fragment: set
Ip: ..0 = [0] MF: more fragments: not set
Ip: length = 48
Ip:
Tcp: ******* Tcp offset=34 (0x22) length=28
Tcp:
Tcp: source = 14527
Tcp: destination = 81
Tcp: seq = 0x22B76224 (582443556)
Tcp: ack = 0x0 (
Tcp: hlen = 7
Tcp: reserved = 0
Tcp: flags = 0x2 (2)
Tcp: 0... .... = [0] cwr: reduced (cwr)
Tcp: .0.. .... = [0] ece: ECN echo flag
Tcp: ..0. .... = [0] ack: urgent, out-of-band data
Tcp: ...0 .... = [0] ack: acknowledgment
Tcp: .... 0... = [0] ack: push current segment of data
Tcp: .... .0.. = [0] ack: reset connection
Tcp: .... ..1. = [1] ack: synchronize connection, startup
Tcp: .... ...0 = [0] fin: closing down connection
Tcp: window = 64512
Tcp: checksum = 0x1C79 (7289) [correct]
Tcp: urgent = 0
Tcp:
Tcp: *** JAnalysisMap analysis ***
Tcp
The packet is :
0000:*00 00 0c 07 ac 01 00 11 85 5f cf 47 08 00*45 00 ........._.G..E.
0010: 00 30 c0 0a 40 00 80 06 8e 03 ac 10 3f 0f ac 10 .0..@.......?...
0020: 15 8a*38 bf 00 51 22 b7 62 24 00 00 00 00 70 02 ..8..Q".b$....p.
0030: fc 00 1c 79 00 00 02 04 05 b4 01 01 04 02* ...y..........
Frame:
Frame: number = 1
Frame: timestamp = 2010-05-06 11:48:59.764
Frame: wire length = 60 bytes
Frame: captured length = 60 bytes
Frame:
Eth: ******* Ethernet - "Ethernet" - offset=0 (0x0) length=14
Eth:
Eth: destination = 0:11:85:5f:cf:47
Eth: .... ..0. .... .... = [0] LG bit
Eth: .... ...0 .... .... = [0] IG bit
Eth: source = 0:a:42:70:de:40
Eth: .... ..0. .... .... = [0] LG bit
Eth: .... ...0 .... .... = [0] IG bit
Eth: type = 0x800 (2048) [ip version 4]
Eth:
Ip: ******* Ip4 - "ip version 4" - offset=14 (0xE) length=20 protocol suite=NETWORK
Ip:
Ip: version = 4
Ip: hlen = 5 [5 * 4 = 20 bytes, No Ip Options]
Ip: diffserv = 0x0 (
Ip: 0000 00.. = [0] code point: not set
Ip: .... ..0. = [0] ECN bit: not set
Ip: .... ...0 = [0] ECE bit: not set
Ip: length = 44
Ip: id = 0x1B2D (6957)
Ip: flags = 0x2 (2)
Ip: 0.. = [0] reserved
Ip: .1. = [1] DF: do not fragment: set
Ip: ..0 = [0] MF: more fragments: not set
Ip: offset = 0
Ip: ttl = 59 [time to live]
Ip: type = 6 [next: Transmission Control]
Ip: checksum = 0x77E5 (30693) [correct]
Ip: source = 172.16.21.138
Ip: destination = 172.16.63.15
Ip:
Tcp: ******* Tcp offset=34 (0x22) length=24
Tcp:
Tcp: source = 81
Tcp: destination = 14527
Tcp: seq = 0x26C30695 (650315413)
Tcp: ack = 0x22B76225 (582443557)
Tcp: hlen = 6
Tcp: reserved = 0
Tcp: flags = 0x12 (18)
Tcp: 0... .... = [0] cwr: reduced (cwr)
Tcp: .0.. .... = [0] ece: ECN echo flag
Tcp: ..0. .... = [0] ack: urgent, out-of-band data
Tcp: ...1 .... = [1] ack: acknowledgment
Tcp: .... 0... = [0] ack: push current segment of data
Tcp: .... .0.. = [0] ack: reset connection
Tcp: .... ..1. = [1] ack: synchronize connection, startup
Tcp: .... ...0 = [0] fin: closing down connection
Tcp: window = 65535
Tcp: checksum = 0x18 (24) [correct]
Tcp: urgent = 0
Tcp:
Tcp: *** JAnalysisMap analysis ***
Tcp
Data: ******* Payload offset=58 (0x3A) length=2
Data:
003a: 00 00 ..
The packet is :
0000:*00 11 85 5f cf 47 00 0a 42 70 de 40 08 00*45 00 ..._.G..Bp.@..E.
0010: 00 2c 1b 2d 40 00 3b 06 77 e5 ac 10 15 8a ac 10 .,.-@.;.w.......
0020: 3f 0f*00 51 38 bf 26 c3 06 95 22 b7 62 25 60 12 ?..Q8.&...".b%`.
0030: ff ff 00 18 00 00 02 04 05 b4*00 00* ............
Frame:
Frame: number = 2
Frame: timestamp = 2010-05-06 11:48:59.764
Frame: wire length = 54 bytes
Frame: captured length = 54 bytes
Frame:
Eth: ******* Ethernet - "Ethernet" - offset=0 (0x0) length=14
Eth:
Eth: destination = 0:0:c:7:ac:1
Eth: .... ..0. .... .... = [0] LG bit
Eth: .... ...0 .... .... = [0] IG bit
Eth: source = 0:11:85:5f:cf:47
Eth: .... ..0. .... .... = [0] LG bit
Eth: .... ...0 .... .... = [0] IG bit
Eth: type = 0x800 (2048) [ip version 4]
Eth:
Ip: ******* Ip4 - "ip version 4" - offset=14 (0xE) length=20 protocol suite=NETWORK
Ip:
Ip: version = 4
Ip: hlen = 5 [5 * 4 = 20 bytes, No Ip Options]
Ip: diffserv = 0x0 (
Ip: 0000 00.. = [0] code point: not set
Ip: .... ..0. = [0] ECN bit: not set
Ip: .... ...0 = [0] ECE bit: not set
Ip: length = 40
Ip: id = 0xC00B (49163)
Ip: flags = 0x2 (2)
Ip: 0.. = [0] reserved
Ip: .1. = [1] DF: do not fragment: set
Ip: ..0 = [0] MF: more fragments: not set
Ip: offset = 0
Ip: ttl = 128 [time to live]
Ip: type = 6 [next: Transmission Control]
Ip: checksum = 0x8E0A (36362) [correct]
Ip: source = 172.16.63.15
Ip: destination = 172.16.21.138
Ip:
Tcp: ******* Tcp offset=34 (0x22) length=20
Tcp:
Tcp: source = 14527
Tcp: destination = 81
Tcp: seq = 0x22B76225 (582443557)
Tcp: ack = 0x26C30696 (650315414)
Tcp: hlen = 5
Tcp: reserved = 0
Tcp: flags = 0x10 (16)
Tcp: 0... .... = [0] cwr: reduced (cwr)
Tcp: .0.. .... = [0] ece: ECN echo flag
Tcp: ..0. .... = [0] ack: urgent, out-of-band data
Tcp: ...1 .... = [1] ack: acknowledgment
Tcp: .... 0... = [0] ack: push current segment of data
Tcp: .... .0.. = [0] ack: reset connection
Tcp: .... ..0. = [0] ack: synchronize connection, startup
Tcp: .... ...0 = [0] fin: closing down connection
Tcp: window = 64512
Tcp: checksum = 0xACD4 (44244) [incorrect: 0x1BD4]
Tcp: urgent = 0
Tcp:
Tcp: *** tcp duplex stream analysis ***
Tcp
The packet is :
0000:*00 00 0c 07 ac 01 00 11 85 5f cf 47 08 00*45 00 ........._.G..E.
0010: 00 28 c0 0b 40 00 80 06 8e 0a ac 10 3f 0f ac 10 .(..@.......?...
0020: 15 8a*38 bf 00 51 22 b7 62 25 26 c3 06 96 50 10 ..8..Q".b%&...P.
0030: fc 00 ac d4 00 00* ......
Frame:
Frame: number = 3
Frame: timestamp = 2010-05-06 11:48:59.779
Frame: wire length = 703 bytes
Frame: captured length = 703 bytes
Frame:
Eth: ******* Ethernet - "Ethernet" - offset=0 (0x0) length=14
Eth:
Eth: destination = 0:0:c:7:ac:1
Eth: .... ..0. .... .... = [0] LG bit
Eth: .... ...0 .... .... = [0] IG bit
Eth: source = 0:11:85:5f:cf:47
Eth: .... ..0. .... .... = [0] LG bit
Eth: .... ...0 .... .... = [0] IG bit
Eth: type = 0x800 (2048) [ip version 4]
Eth:
Ip: ******* Ip4 - "ip version 4" - offset=14 (0xE) length=20 protocol suite=NETWORK
Ip:
Ip: version = 4
Ip: hlen = 5 [5 * 4 = 20 bytes, No Ip Options]
Ip: diffserv = 0x0 (
Ip: 0000 00.. = [0] code point: not set
Ip: .... ..0. = [0] ECN bit: not set
Ip: .... ...0 = [0] ECE bit: not set
Ip: length = 689
Ip: id = 0xC00C (49164)
Ip: flags = 0x2 (2)
Ip: 0.. = [0] reserved
Ip: .1. = [1] DF: do not fragment: set
Ip: ..0 = [0] MF: more fragments: not set
Ip: offset = 0
Ip: ttl = 128 [time to live]
Ip: type = 6 [next: Transmission Control]
Ip: checksum = 0x8B80 (35712) [correct]
Ip: source = 172.16.63.15
Ip: destination = 172.16.21.138
Ip:
Tcp: ******* Tcp offset=34 (0x22) length=20
Tcp:
Tcp: source = 14527
Tcp: destination = 81
Tcp: seq = 0x22B76225 (582443557)
Tcp: ack = 0x26C30696 (650315414)
Tcp: hlen = 5
Tcp: reserved = 0
Tcp: flags = 0x18 (24)
Tcp: 0... .... = [0] cwr: reduced (cwr)
Tcp: .0.. .... = [0] ece: ECN echo flag
Tcp: ..0. .... = [0] ack: urgent, out-of-band data
Tcp:
What I would like to have in the end is just reassembled HTTP packets that I can manipulate as an InputStream.
Thank you in advance for your help
Regards,
Dali
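The posted reassemble() method shows the core idea by hand: place each segment's payload at its sequence-number offset and parse the result afterwards. The block below is an added example in plain Python, not jnetpcap code and not from this thread, that does the same over raw Ethernet/IPv4/TCP frames. It uses the client SYN and server SYN-ACK copied from the hexdumps above, plus constructed data segments carrying a made-up HTTP request that arrive out of order with one retransmission; the flow key, the overlap policy (first-received bytes win, disagreements recorded) and the request text are assumptions of the example. Two details a practitioner will want: the TCP segment is bounded by the IP total length rather than the captured length, so the 2 bytes of Ethernet padding that the formatter prints as "Data" for frame 1 (60 bytes on the wire, IP length 44) never end up in the stream; and a retransmission that carries different bytes at an already-filled offset is flagged instead of silently overwriting, because overlapping segments with inconsistent content are a classic way to desynchronise a monitor from the receiving host.

```python
"""TCP stream reassembly by sequence number (added example; plain Python, not jnetpcap)."""
import struct
from io import BytesIO

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

# Frames copied from the hexdumps in the post above: the client SYN (frame 0) and the
# server SYN-ACK (frame 1) of 172.16.63.15:14527 <-> 172.16.21.138:81.
PAGE_SYN = bytes.fromhex(
    "00000c07ac010011855fcf470800"
    "45000030c00a400080068e03ac103f0fac10158a"
    "38bf005122b76224000000007002fc001c790000020405b401010402")
PAGE_SYNACK = bytes.fromhex(
    "0011855fcf47000a4270de400800"
    "4500002c1b2d40003b0677e5ac10158aac103f0f"
    "005138bf26c3069522b762256012ffff00180000020405b4"
    "0000")  # 2 bytes of Ethernet padding, outside the IP total length

CLIENT, SERVER = bytes([172, 16, 63, 15]), bytes([172, 16, 21, 138])
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: 172.16.21.138:81\r\n\r\n"  # constructed


def parse_frame(frame):
    """Ethernet II / IPv4 / TCP. The segment is cut at the IP total length, not at the
    captured length, so trailer padding is never taken as payload."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or total_len > len(ip) or ihl + 20 > total_len:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4
    return {"flow": (ip[12:16], sport, ip[16:20], dport), "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload": tcp[doff:]}


def build_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Constructed test input: minimal frame with zero checksums (not needed here)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


class TcpStream:
    """One direction of one connection; byte n of the stream lives at seq == ISN + 1 + n."""

    def __init__(self):
        self.isn = None
        self.buf = bytearray()
        self.have = bytearray()   # 1 where a byte has been received
        self.fin_at = None
        self.conflicts = []       # offsets where a retransmit disagreed with earlier data

    def add(self, seg):
        if seg["flags"] & SYN:
            self.isn = seg["seq"]
            return
        if self.isn is None:      # capture started mid-connection: anchor on first segment
            self.isn = (seg["seq"] - 1) & 0xFFFFFFFF
        rel = (seg["seq"] - self.isn - 1) & 0xFFFFFFFF
        data = seg["payload"]
        end = rel + len(data)
        if end > len(self.buf):
            self.buf.extend(bytes(end - len(self.buf)))
            self.have.extend(bytes(end - len(self.have)))
        for i, b in enumerate(data):
            if self.have[rel + i]:
                if self.buf[rel + i] != b:   # first-received bytes win; disagreement is flagged
                    self.conflicts.append(rel + i)
            else:
                self.buf[rel + i], self.have[rel + i] = b, 1
        if seg["flags"] & FIN:
            self.fin_at = end

    def contiguous(self):
        """Bytes received without a gap from the start of the stream."""
        n = 0
        while n < len(self.have) and self.have[n]:
            n += 1
        return bytes(self.buf[:n])

    def complete(self):
        return self.fin_at is not None and len(self.contiguous()) >= self.fin_at

    def as_stream(self):
        return BytesIO(self.contiguous())   # the InputStream-like view of the stream


class Reassembler:
    def __init__(self):
        self.streams = {}   # (src, sport, dst, dport) -> TcpStream, one per direction

    def feed(self, frame):
        seg = parse_frame(frame)
        if seg is not None:
            self.streams.setdefault(seg["flow"], TcpStream()).add(seg)
        return seg


def demo(evasion=False):
    """Handshake from the page, then the request in three constructed segments delivered
    out of order with one retransmission; returns the client->server TcpStream."""
    r = Reassembler()
    r.feed(PAGE_SYN)
    r.feed(PAGE_SYNACK)
    isn, ack = 0x22B76224, 0x26C30696   # values from the page's frames 0 and 2
    segments = [(16, REQUEST[16:40]), (0, REQUEST[:16]), (0, REQUEST[:16]), (40, REQUEST[40:])]
    if evasion:   # forged copy of the first segment, arriving after the genuine one
        segments.insert(2, (0, b"GET /evil.html  "))
    for off, data in segments:
        r.feed(build_frame(CLIENT, 14527, SERVER, 81, isn + 1 + off, ack, ACK | PSH, data))
    r.feed(build_frame(CLIENT, 14527, SERVER, 81, isn + 1 + len(REQUEST), ack, ACK | FIN))
    return r.streams[(CLIENT, 14527, SERVER, 81)]
```

demo() returns the client-to-server stream; as_stream() wraps the contiguous bytes in an io.BytesIO, the Python counterpart of the InputStream the post asks for, and complete() tells you whether the FIN has been reached without gaps. demo(evasion=True) feeds the forged overlap and leaves the request intact while filling conflicts with the offsets that disagreed, which is the signal a monitor should alert on rather than guess about.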