From 8a23844ed3b3566733b0093d1c1e939cf8d7a150 Mon Sep 17 00:00:00 2001
From: hidd3ncod3s
Date: Wed, 11 Oct 2023 22:11:45 -0700
Subject: [PATCH] Name the connection splitter filename with 5 tuple information (#1214)
---
 Examples/PcapSplitter/ConnectionSplitters.h | 68 +++++++++++++++++++++
 Examples/PcapSplitter/IPPortSplitters.h | 44 -------------
 Examples/PcapSplitter/Splitters.h | 44 +++++++++++++
 3 files changed, 112 insertions(+), 44 deletions(-)
diff --git a/Examples/PcapSplitter/ConnectionSplitters.h b/Examples/PcapSplitter/ConnectionSplitters.h
index 997a50a936..0c326f91ae 100644
--- a/Examples/PcapSplitter/ConnectionSplitters.h
+++ b/Examples/PcapSplitter/ConnectionSplitters.h
@@ -145,4 +145,72 @@ class FiveTupleSplitter : public ValueBasedSplitter return m_FlowTable[hash]; } + + void updateStringStream(std::ostringstream & sstream, const std::string & srcIp, uint16_t srcPort, const std::string & dstIp, uint16_t dstPort) + { + sstream << hyphenIP(srcIp) + << "_" + << srcPort + << "-" + << hyphenIP(dstIp) + << "_" + << dstPort; + } + + /** + * Re-implement Splitter's getFileName() method, this time with the IPs/Ports/protocol value + */ + std::string getFileName(pcpp::Packet& packet, const std::string &outputPcapBasePath, int fileNumber) + { + std::ostringstream sstream; + + // if it's not a TCP or UDP packet, put it in file #0 + if (!packet.isPacketOfType(pcpp::TCP) && !packet.isPacketOfType(pcpp::UDP)) + { + return Splitter::getFileName(packet, outputPcapBasePath, fileNumber); + } + + sstream << "connection-"; + + if (packet.isPacketOfType(pcpp::TCP)) + { + // extract TCP layer + pcpp::TcpLayer* tcpLayer = packet.getLayerOfType(); + if (tcpLayer != nullptr) + { + uint16_t srcPort = tcpLayer->getSrcPort(); + uint16_t dstPort = tcpLayer->getDstPort(); + + sstream << "tcp_"; + + if ((tcpLayer->getTcpHeader()->synFlag == 1) && (tcpLayer->getTcpHeader()->ackFlag == 0)) + { + updateStringStream(sstream, getSrcIPString(packet), srcPort, getDstIPString(packet), dstPort); + } else if (((tcpLayer->getTcpHeader()->synFlag == 1) && + (tcpLayer->getTcpHeader()->ackFlag == 1) + ) || (srcPort < dstPort) ) + { + updateStringStream(sstream, getDstIPString(packet), dstPort, getSrcIPString(packet), srcPort); + } else + { + updateStringStream(sstream, getSrcIPString(packet), srcPort, getDstIPString(packet), dstPort); + } + return outputPcapBasePath + sstream.str(); + } + } + else if (packet.isPacketOfType(pcpp::UDP)) + { + // for UDP packets, decide the server port by the lower port + pcpp::UdpLayer* udpLayer = packet.getLayerOfType(); + if (udpLayer != nullptr) + { + sstream << "udp_"; + updateStringStream(sstream, getSrcIPString(packet), 
udpLayer->getSrcPort(), getDstIPString(packet), udpLayer->getDstPort()); + return outputPcapBasePath + sstream.str(); + } + } + + // if reached here, return 'miscellaneous' + return outputPcapBasePath + "miscellaneous"; + } }; diff --git a/Examples/PcapSplitter/IPPortSplitters.h b/Examples/PcapSplitter/IPPortSplitters.h index 7b7e2fee6e..6a8d23d0cb 100644 --- a/Examples/PcapSplitter/IPPortSplitters.h +++ b/Examples/PcapSplitter/IPPortSplitters.h @@ -213,26 +213,6 @@ class IPPortSplitter : public ValueBasedSplitter return 0; } - /** - * An auxiliary method for extracting packet's IPv4/IPv6 source address as string - */ - std::string getSrcIPString(pcpp::Packet& packet) - { - if (packet.isPacketOfType(pcpp::IP)) - return packet.getLayerOfType()->getSrcIPAddress().toString(); - return "miscellaneous"; - } - - /** - * An auxiliary method for extracting packet's IPv4/IPv6 dest address string - */ - std::string getDstIPString(pcpp::Packet& packet) - { - if (packet.isPacketOfType(pcpp::IP)) - return packet.getLayerOfType()->getDstIPAddress().toString(); - return "miscellaneous"; - } - /** * An auxiliary method to indicate whether an IPv4/IPv6 source address is multicast or not */ @@ -252,30 +232,6 @@ class IPPortSplitter : public ValueBasedSplitter return packet.getLayerOfType()->getDstIPAddress().isMulticast(); return false; } - - /** - * An auxiliary method for replacing '.' and ':' in IPv4/IPv6 addresses with '-' - */ - std::string hyphenIP(std::string ipVal) - { - // for IPv4 - replace '.' with '-' - int loc = ipVal.find("."); - while (loc >= 0) - { - ipVal.replace(loc, 1, "-"); - loc = ipVal.find("."); - } - - // for IPv6 - replace ':' with '-' - loc = ipVal.find(":"); - while (loc >= 0) - { - ipVal.replace(loc, 1, "-"); - loc = ipVal.find(":"); - } - - return ipVal; - } }; diff --git a/Examples/PcapSplitter/Splitters.h b/Examples/PcapSplitter/Splitters.h index a981ded88f..e4ae645dc8 100644 --- a/Examples/PcapSplitter/Splitters.h 
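Review bot: The UDP branch's comment `// for UDP packets, decide the server port by the lower port` does not match the code under it, which always writes the source endpoint first; either apply the same lower-port rule the TCP else-if branch uses (`if (udpLayer->getSrcPort() < udpLayer->getDstPort())` then pass the destination pair first to updateStringStream) or drop the comment. The final `return outputPcapBasePath + "miscellaneous";` ignores fileNumber, so if two file numbers ever reached it (a TCP or UDP packet whose layer lookup returns nullptr) they would share one output path; returning `Splitter::getFileName(packet, outputPcapBasePath, fileNumber)` there, as the non-TCP/UDP branch already does, keeps paths distinct. The doc comment should state the resulting name format and the direction heuristic — a SYN names its sender first, a SYN+ACK or a lower source port names the receiver first — since that decides the file name and is not visible from the stream expressions. The name is assembled from packet-derived addresses and ports and stays free of path separators only because hyphenIP() folds '.' and ':' in the parsed address string; a comment saying so at the `sstream << "connection-";` line would protect that property against later formatting changes. The enclosing FiveTupleSplitter class starts before this hunk.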
+++ b/Examples/PcapSplitter/Splitters.h
@@ -194,3 +194,47 @@ class ValueBasedSplitter : public SplitterWithMaxFiles
 return m_ValueToFileTable[value];
 }
 };
+
+/**
+ * An auxiliary method for extracting packet's IPv4/IPv6 source address as string
+ */
+std::string getSrcIPString(pcpp::Packet& packet)
+{
+ if (packet.isPacketOfType(pcpp::IP))
+ return packet.getLayerOfType()->getSrcIPAddress().toString();
+ return "miscellaneous";
+}
+
+/**
+ * An auxiliary method for extracting packet's IPv4/IPv6 dest address string
+ */
+std::string getDstIPString(pcpp::Packet& packet)
+{
+ if (packet.isPacketOfType(pcpp::IP))
+ return packet.getLayerOfType()->getDstIPAddress().toString();
+ return "miscellaneous";
+}
+
+/**
+ * An auxiliary method for replacing '.' and ':' in IPv4/IPv6 addresses with '-'
+ */
+std::string hyphenIP(std::string ipVal)
+{
+ // for IPv4 - replace '.' with '-'
+ int loc = ipVal.find(".");
+ while (loc >= 0)
+ {
+ ipVal.replace(loc, 1, "-");
+ loc = ipVal.find(".");
+ }
+
+ // for IPv6 - replace ':' with '-'
+ loc = ipVal.find(":");
+ while (loc >= 0)
+ {
+ ipVal.replace(loc, 1, "-");
+ loc = ipVal.find(":");
+ }
+
+ return ipVal;
+}
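Review bot: The three helpers are now non-inline free functions defined in a header, so any program that includes Splitters.h from more than one translation unit gets duplicate-definition link errors; declare them `inline std::string getSrcIPString(pcpp::Packet& packet)`, `inline std::string getDstIPString(pcpp::Packet& packet)` and `inline std::string hyphenIP(std::string ipVal)`. hyphenIP stores the `size_t` result of `std::string::find` in an `int` and relies on npos converting to a negative value, which is an implementation-defined narrowing rather than a guarantee; `std::replace(ipVal.begin(), ipVal.end(), '.', '-');` followed by the same call for ':' (with `<algorithm>` included) replaces both loops and drops the repeated search from the start of the string. Since these strings become file-name components, the doc comments should say so and note that non-IP packets yield the literal `"miscellaneous"` and that hyphenIP is what removes the '.' and ':' separators, so a caller composing a path knows exactly what character set to expect.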