added handshake detection

I think. also a few convenience members of TCPPacket
andrewf · Aug 9, 2010 · 34cf33d · 34cf33d
1 parent 1b174b4
commit 34cf33d
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 4 deletions.
diff --git a/tcpflow.py b/tcpflow.py
@@ -21,11 +21,14 @@ def __init__(self, packets):
         self.packets = packets
         #reference point for determining flow direction
         self.socket = self.packets[0].socket
-        # grab handshake, if possible
         # discover direction, etc.
-        # synthesize forward data, backwards data
+        # grab handshake, if possible
+        if not self.detect_handshake(packets[:3]):
+            log.warning('TCP socket %s appears not to have a handshake' % friendly_socket(self.socket))
+        # sort packets 
         self.forward_packets = [pkt for pkt in self.packets if self.samedir(pkt)]
         self.reverse_packets = [pkt for pkt in self.packets if not self.samedir(pkt)]
+        # assemble data
         self.forward_data, self.forward_logger = self.assemble_stream(self.forward_packets)
         self.reverse_data, self.reverse_logger = self.assemble_stream(self.reverse_packets)
         # calculate statistics?
@@ -181,6 +184,31 @@ def writeout_data(self, basename):
         with open(basename + '-rev.dat', 'wb') as f:
             f.write(self.reverse_data)
 
+    def detect_handshake(self, packets):
+        '''
+        Checks whether the passed list of TCPPacket's represents a valid TCP
+        handshake. Returns True or False.
+        '''
+        if len(packets) < 3:
+            return False
+        if len(packets) > 3:
+            log.error('too many packets for detect_handshake')
+            return False
+        syn, synack, ack = packets
+        fwd_seq = None
+        rev_seq = None
+        if syn.tcp.flags & TH_SYN and not syn.tcp.flags & TH_ACK:
+            # have syn
+            fwd_seq = syn.seq # start_seq is the seq field of the segment
+            if synack.flags & TH_SYN and synack.flags & TH_ACK and synack.ack == fwd_seq + 1:
+                # have synack
+                rev_seq = synack.seq
+                if ack.flags & TH_ACK and ack.ack == rev_seq + 1 and ack.seq == fwd_seq + 1:
+                    # have ack
+                    return True
+        return False
+
+
 class TCPDataArrivalLogger:
     '''
     Keeps track of when TCP data first arrives. does this by storing a

diff --git a/tcppacket.py b/tcppacket.py
@@ -18,8 +18,9 @@ def __init__(self, ts, buf, eth, ip, tcp):
         self.tcp = tcp
         self.socket = ((self.ip.src, self.tcp.sport),(self.ip.dst, self.tcp.dport))
         self.data = tcp.data
-        self.is_rexmit = None
-        self.is_out_of_order = None
+        self.seq = tcp.seq
+        self.ack = tcp.ack
+        self.flags = tcp.flags
 
         self.start_seq = self.tcp.seq
         self.end_seq = self.tcp.seq + len(self.tcp.data) # - 1