
feat: TCP session reconstruction with application-layer payload decoding #149

Merged
NotYuSheng merged 2 commits into main from feature/tcp-session-reconstruction
Apr 2, 2026

@NotYuSheng
Owner

Closes #139

Summary

  • SessionReconstructionService — on-demand tshark-based stream reassembly: auto-detects TCP vs UDP transport (so HTTP, TLS, FTP-DATA, DNS etc. all work), tries both endpoint directions, truncates at 1 MB
  • SessionResponse DTO — ordered client/server chunks, parsed HTTP exchanges (headers, gzip decompression, chunked transfer decoding), truncation flag, graceful error messages
  • GET /api/conversations/{conversationId}/session — new endpoint
  • Session tab in ConversationDetail — Wireshark-style interleaved single-pane stream (client=red, server=blue); HTTP conversations add a Parsed HTTP view with collapsible request/response blocks

Test plan

  • Open an HTTP conversation → Session tab → Reconstruct → verify Parsed HTTP view shows request/response blocks with headers and body
  • Toggle to Raw Stream view → verify interleaved red/blue pane
  • Open an FTP-DATA conversation → verify stream is found and raw bytes shown
  • Open a TLS conversation → verify encrypted-stream notice is shown
  • Open a conversation with gzip-encoded HTTP body → verify gzip decoded badge appears and body is readable
  • Open a large session (>1 MB) → verify truncation warning appears
  • Verify Packets tab still works normally after adding the tab UI

🤖 Generated with Claude Code

…ing (#139)

- Add SessionReconstructionService: uses tshark -z follow,tcp/udp,raw to
  reassemble the full byte stream for a conversation; auto-detects transport
  protocol (tries tcp then udp) so HTTP, TLS, FTP-DATA, DNS etc. all work
- Add SessionResponse DTO with ordered client/server chunks, HTTP exchange
  parsing (headers, gzip body decompression, chunked transfer decoding),
  truncation flag at 1 MB, and errorMessage for graceful failures
- Expose GET /api/conversations/{conversationId}/session endpoint
- Frontend: add Session tab to ConversationDetail with Wireshark-style
  interleaved single-pane stream view (client=red, server=blue); HTTP
  conversations additionally offer a Parsed HTTP view with collapsible
  request/response blocks showing headers and decoded bodies

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a new session reconstruction feature that allows users to view reconstructed TCP/UDP streams and decoded application-layer payloads (such as HTTP) for specific conversations. While the implementation provides a useful new capability, the review identified several critical performance and correctness issues in the SessionReconstructionService. Specifically, the current approach of downloading entire PCAP files to temporary storage is inefficient, the HTTP message splitting logic is prone to false positives, the stream merging process suffers from $O(N^2)$ complexity, and the hex-to-byte conversion logic incorrectly handles odd-length strings.

- Add 500 MB PCAP size guard before downloading to avoid excessive I/O
- Replace O(N²) byte array merging with ByteArrayOutputStream accumulator
- Replace fragile HTTP pattern scan with sequential parser that uses
  Content-Length/chunked boundaries to skip message bodies, preventing
  false positives when body content contains HTTP method strings
- Return null for odd-length hex strings instead of silently corrupting
  the last byte by appending '0'

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@NotYuSheng NotYuSheng merged commit f453ba1 into main Apr 2, 2026
@NotYuSheng NotYuSheng deleted the feature/tcp-session-reconstruction branch April 2, 2026 13:47
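
Added example, not code from this PR or the project: a Python illustration of the difference the second commit describes between scanning for HTTP method strings and parsing sequentially with Content-Length/chunked boundaries. The function names, the method list and the sample stream are constructed for illustration, and the code assumes it is given the client-to-server half of a reassembled stream.

```python
import re

# Illustrative names and method list (assumptions, not the project's code).
METHOD_LINE = re.compile(rb"(?m)^(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
HEX = re.compile(rb"[0-9A-Fa-f]+")

def split_naive(stream: bytes) -> list[bytes]:
    # Pattern scan: every line that looks like a request line starts a message.
    starts = [m.start() for m in METHOD_LINE.finditer(stream)] + [len(stream)]
    return [stream[a:b] for a, b in zip(starts, starts[1:])]

def chunked_end(stream: bytes, pos: int) -> int:
    """Offset just past a chunked body; len(stream) if malformed or truncated."""
    while True:
        eol = stream.find(b"\r\n", pos)
        field = stream[pos:eol].split(b";")[0].strip() if eol >= 0 else b""
        if not HEX.fullmatch(field):
            return len(stream)
        size = int(field, 16)
        if size == 0:  # last chunk: skip optional trailers up to the blank line
            end = stream.find(b"\r\n\r\n", eol)
            return len(stream) if end < 0 else end + 4
        pos = eol + 2 + size + 2  # chunk data plus its trailing CRLF

def split_sequential(stream: bytes) -> list[bytes]:
    """Walk the stream message by message, skipping each declared body."""
    messages, pos = [], 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:  # truncated capture: keep the tail as one message
            messages.append(stream[pos:])
            break
        fields = (ln.partition(b":") for ln in stream[pos:head_end].split(b"\r\n")[1:])
        headers = {k.strip().lower(): v.strip().lower() for k, _, v in fields}
        body = head_end + 4
        if b"chunked" in headers.get(b"transfer-encoding", b""):
            end = chunked_end(stream, body)
        else:
            length = headers.get(b"content-length", b"0")
            end = body + (int(length) if length.isdigit() else 0)
        end = min(end, len(stream))  # a truncated stream may end mid-body
        messages.append(stream[pos:end])
        pos = end
    return messages

# Constructed sample: a POST whose body contains a request-line look-alike.
BODY = b"note=hi\r\nGET /admin HTTP/1.1\r\nHost: x\r\n\r\n"
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: a.example\r\nContent-Length: %d\r\n\r\n" % len(BODY)
          + BODY + b"GET /next HTTP/1.1\r\nHost: a.example\r\n\r\n")
```

On `SAMPLE`, `split_naive` reports three messages because of the look-alike line inside the POST body, while `split_sequential` returns the two real requests.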