Name the connection splitter filename with 5 tuple information (#1214)

seladb · Oct 12, 2023 · 8a23844 · 8a23844
1 parent b331f3f
commit 8a23844
Show file tree

Hide file tree

Showing 3 changed files with 112 additions and 44 deletions.
diff --git a/Examples/PcapSplitter/ConnectionSplitters.h b/Examples/PcapSplitter/ConnectionSplitters.h
@@ -145,4 +145,72 @@ class FiveTupleSplitter : public ValueBasedSplitter
 
 		return m_FlowTable[hash];
 	}
+
+	void updateStringStream(std::ostringstream & sstream, const std::string & srcIp, uint16_t srcPort, const std::string & dstIp, uint16_t dstPort)
+	{
+		sstream << hyphenIP(srcIp)
+		        << "_"
+		        << srcPort
+		        << "-"
+		        << hyphenIP(dstIp)
+		        << "_"
+		        << dstPort;
+	}
+
+	/**
+	 * Re-implement Splitter's getFileName() method, this time with the IPs/Ports/protocol value
+	 */
+	std::string getFileName(pcpp::Packet& packet, const std::string &outputPcapBasePath, int fileNumber)
+	{
+		std::ostringstream sstream;
+
+		// if it's not a TCP or UDP packet, put it in file #0
+		if (!packet.isPacketOfType(pcpp::TCP) && !packet.isPacketOfType(pcpp::UDP))
+		{
+			return Splitter::getFileName(packet, outputPcapBasePath, fileNumber);
+		}
+
+		sstream << "connection-";
+
+		if (packet.isPacketOfType(pcpp::TCP))
+		{
+			// extract TCP layer
+			pcpp::TcpLayer* tcpLayer = packet.getLayerOfType<pcpp::TcpLayer>();
+			if (tcpLayer != nullptr)
+			{
+				uint16_t srcPort = tcpLayer->getSrcPort();
+				uint16_t dstPort = tcpLayer->getDstPort();
+
+				sstream << "tcp_";
+
+				if ((tcpLayer->getTcpHeader()->synFlag == 1) && (tcpLayer->getTcpHeader()->ackFlag == 0))
+				{
+					updateStringStream(sstream, getSrcIPString(packet), srcPort, getDstIPString(packet), dstPort);
+				} else if (((tcpLayer->getTcpHeader()->synFlag == 1) &&
+					        (tcpLayer->getTcpHeader()->ackFlag == 1)
+					       ) || (srcPort < dstPort) )
+				{
+					updateStringStream(sstream, getDstIPString(packet), dstPort, getSrcIPString(packet), srcPort);
+				} else
+				{
+					updateStringStream(sstream, getSrcIPString(packet), srcPort, getDstIPString(packet), dstPort);
+				}
+				return outputPcapBasePath + sstream.str();
+			}
+		}
+		else if (packet.isPacketOfType(pcpp::UDP))
+		{
+			// for UDP packets, decide the server port by the lower port
+			pcpp::UdpLayer* udpLayer = packet.getLayerOfType<pcpp::UdpLayer>();
+			if (udpLayer != nullptr)
+			{
+				sstream << "udp_";
+				updateStringStream(sstream, getSrcIPString(packet), udpLayer->getSrcPort(), getDstIPString(packet), udpLayer->getDstPort());
+				return outputPcapBasePath + sstream.str();
+			}
+		}
+
+		// if reached here, return 'miscellaneous'
+		return outputPcapBasePath + "miscellaneous";
+	}
 };
diff --git a/Examples/PcapSplitter/IPPortSplitters.h b/Examples/PcapSplitter/IPPortSplitters.h
@@ -213,26 +213,6 @@ class IPPortSplitter : public ValueBasedSplitter
 			return 0;
 	}
 
-	/**
-	 * An auxiliary method for extracting packet's IPv4/IPv6 source address as string
-	 */
-	std::string getSrcIPString(pcpp::Packet& packet)
-	{
-		if (packet.isPacketOfType(pcpp::IP))
-			return packet.getLayerOfType<pcpp::IPLayer>()->getSrcIPAddress().toString();
-		return "miscellaneous";
-	}
-
-	/**
-	 * An auxiliary method for extracting packet's IPv4/IPv6 dest address string
-	 */
-	std::string getDstIPString(pcpp::Packet& packet)
-	{
-		if (packet.isPacketOfType(pcpp::IP))
-			return packet.getLayerOfType<pcpp::IPLayer>()->getDstIPAddress().toString();
-		return "miscellaneous";
-	}
-
 	/**
 	 * An auxiliary method to indicate whether an IPv4/IPv6 source address is multicast or not
 	 */
@@ -252,30 +232,6 @@ class IPPortSplitter : public ValueBasedSplitter
 			return packet.getLayerOfType<pcpp::IPLayer>()->getDstIPAddress().isMulticast();
 		return false;
 	}
-
-	/**
-	 * An auxiliary method for replacing '.' and ':' in IPv4/IPv6 addresses with '-'
-	 */
-	std::string hyphenIP(std::string ipVal)
-	{
-		// for IPv4 - replace '.' with '-'
-		int loc = ipVal.find(".");
-		while (loc >= 0)
-		{
-			ipVal.replace(loc, 1, "-");
-			loc = ipVal.find(".");
-		}
-
-		// for IPv6 - replace ':' with '-'
-		loc = ipVal.find(":");
-		while (loc >= 0)
-		{
-			ipVal.replace(loc, 1, "-");
-			loc = ipVal.find(":");
-		}
-
-		return ipVal;
-	}
 };
 
 

diff --git a/Examples/PcapSplitter/Splitters.h b/Examples/PcapSplitter/Splitters.h
@@ -194,3 +194,47 @@ class ValueBasedSplitter : public SplitterWithMaxFiles
 		return m_ValueToFileTable[value];
 	}
 };
+
+/**
+ * An auxiliary method for extracting packet's IPv4/IPv6 source address as string
+ */
+std::string getSrcIPString(pcpp::Packet& packet)
+{
+	if (packet.isPacketOfType(pcpp::IP))
+		return packet.getLayerOfType<pcpp::IPLayer>()->getSrcIPAddress().toString();
+	return "miscellaneous";
+}
+
+/**
+ * An auxiliary method for extracting packet's IPv4/IPv6 dest address string
+ */
+std::string getDstIPString(pcpp::Packet& packet)
+{
+	if (packet.isPacketOfType(pcpp::IP))
+		return packet.getLayerOfType<pcpp::IPLayer>()->getDstIPAddress().toString();
+	return "miscellaneous";
+}
+
+/**
+ * An auxiliary method for replacing '.' and ':' in IPv4/IPv6 addresses with '-'
+ */
+std::string hyphenIP(std::string ipVal)
+{
+	// for IPv4 - replace '.' with '-'
+	int loc = ipVal.find(".");
+	while (loc >= 0)
+	{
+		ipVal.replace(loc, 1, "-");
+		loc = ipVal.find(".");
+	}
+
+	// for IPv6 - replace ':' with '-'
+	loc = ipVal.find(":");
+	while (loc >= 0)
+	{
+		ipVal.replace(loc, 1, "-");
+		loc = ipVal.find(":");
+	}
+
+	return ipVal;
+}