tcp,flow: By default allow missing syn/ack for now
Is probably what you usually want
wader committed Jan 7, 2022
1 parent 2c3e411 commit edd0ae1
Showing 3 changed files with 81 additions and 1 deletion.
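--- a/format/inet/flowsdecoder/flowsdecoder.go
+++ b/format/inet/flowsdecoder/flowsdecoder.go
@@ -1,5 +1,7 @@
 package flowsdecoder
 
+// TODO: option to not allow missing syn/ack?
+
 import (
 "bytes"
 "encoding/binary"
@@ -49,7 +51,10 @@ func (t *TCPConnection) ReassembledSG(sg reassembly.ScatterGather, ac reassembly
 dir, _, _, skip := sg.Info()
 length, _ := sg.Lengths()
 
-if skip != 0 {
+if skip == -1 {
+// can't find where skip == -1 is documented but this is what gopacket reassemblydump does
+// to allow missing syn/ack
+} else if skip != 0 {
 // stream has missing bytes
 return
 }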
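Review bot: The new empty `if skip == -1 {` branch accepts a flow whose start was never captured, but nothing visible in the hunk records on the TCPConnection that the reassembled bytes may begin mid-session. For capture analysis that matters: a decoder handed client_stream or server_stream will treat the first byte as a protocol boundary, and the client/server roles were presumably assigned without a handshake to confirm them. I would collapse the branch into one guard, `if skip != 0 && skip != -1 { return }`, with the gopacket comment placed above it, and set a flag on the connection (a hypothetical `MissingStart` field, say) when skip is -1 so the output can show that the stream is partial. ReassembledSG starts and ends outside the hunk, so whether such a field already exists cannot be seen here.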
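--- a/format/inet/testdata/flow_missing_synack.fqtest
+++ b/format/inet/testdata/flow_missing_synack.fqtest
@@ -0,0 +1,75 @@
+# ssl_test.pcap from https://www.cloudshark.org/captures/a9718e5fdb28
+$ fq '.tcp_connections | d' flow_missing_synack.pcap
+|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.tcp_connections[0:8]:
+| | | [0]{}:
+| | | source_ip: "192.168.1.4"
+| | | source_port: 2061
+| | | destination_ip: "192.168.1.3"
+| | | destination_port: "https" (443) (http protocol over TLS/SSL)
+0x0000|16 03 01 00 9e 01 00 00 9a 03 01 50 83 9c fa fe|...........P....| client_stream: raw bits
+* |until 0x177.7 (end) (376) | |
+0x0000|16 03 01 00 35 02 00 00 31 03 01 50 83 9c 9f e3|....5...1..P....| server_stream: raw bits
+* |until 0x42b.7 (end) (1068) | |
+| | | [1]{}:
+| | | source_ip: "192.168.1.4"
+| | | source_port: 2068
+| | | destination_ip: "192.168.1.3"
+| | | destination_port: "https" (443) (http protocol over TLS/SSL)
+0x0000|16 03 01 00 9e 01 00 00 9a 03 01 50 83 9d 00 a1|...........P....| client_stream: raw bits
+* |until 0x177.7 (end) (376) | |
+0x0000|16 03 01 00 35 02 00 00 31 03 01 50 83 9c a5 e5|....5...1..P....| server_stream: raw bits
+* |until 0x42b.7 (end) (1068) | |
+| | | [2]{}:
+| | | source_ip: "192.168.1.4"
+| | | source_port: 2070
+| | | destination_ip: "192.168.1.3"
+| | | destination_port: "https" (443) (http protocol over TLS/SSL)
+0x0000|16 03 01 00 9e 01 00 00 9a 03 01 50 83 9d 03 f3|...........P....| client_stream: raw bits
+* |until 0x2ad.7 (end) (686) | |
+0x0000|16 03 01 00 35 02 00 00 31 03 01 50 83 9c a8 b2|....5...1..P....| server_stream: raw bits
+* |until 0x53c.7 (end) (1341) | |
+| | | [3]{}:
+| | | source_ip: "192.168.1.4"
+| | | source_port: 2071
+| | | destination_ip: "192.168.1.3"
+| | | destination_port: "https" (443) (http protocol over TLS/SSL)
+0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9d 03 d8|....n...j..P....| client_stream: raw bits
+* |until 0x2df.7 (end) (736) | |
+0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9c a8 fc|....Q...M..P....| server_stream: raw bits
+* |until 0x1b7.7 (end) (440) | |
+| | | [4]{}:
+| | | source_ip: "192.168.1.4"
+| | | source_port: 2072
+| | | destination_ip: "192.168.1.3"
+| | | destination_port: "https" (443) (http protocol over TLS/SSL)
+0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9d 03 94|....n...j..P....| client_stream: raw bits
+* |until 0x2fd.7 (end) (766) | |
+0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9c a8 d8|....Q...M..P....| server_stream: raw bits
+* |until 0x1b7.7 (end) (440) | |
+| | | [5]{}:
+| | | source_ip: "192.168.1.4"
+| | | source_port: 2073
+| | | destination_ip: "192.168.1.3"
+| | | destination_port: "https" (443) (http protocol over TLS/SSL)
+0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9d 0d 96|....n...j..P....| client_stream: raw bits
+* |until 0x2fd.7 (end) (766) | |
+0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9c b2 45|....Q...M..P...E| server_stream: raw bits
+* |until 0x2d73.7 (end) (11636) | |
+| | | [6]{}:
+| | | source_ip: "192.168.1.4"
+| | | source_port: 2078
+| | | destination_ip: "192.168.1.3"
+| | | destination_port: "https" (443) (http protocol over TLS/SSL)
+0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9d d7 3a|....n...j..P...:| client_stream: raw bits
+* |until 0x38c.7 (end) (909) | |
+0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9d 7c ac|....Q...M..P..|.| server_stream: raw bits
+* |until 0x2d5.7 (end) (726) | |
+| | | [7]{}:
+| | | source_ip: "192.168.1.4"
+| | | source_port: 2085
+| | | destination_ip: "192.168.1.3"
+| | | destination_port: "https" (443) (http protocol over TLS/SSL)
+0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9e 02 2b|....n...j..P...+| client_stream: raw bits
+* |until 0x4a0.7 (end) (1185) | |
+0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9d a7 8b|....Q...M..P....| server_stream: raw bits
+* |until 0x4f3.7 (end) (1268) | |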
Binary file added format/inet/testdata/flow_missing_synack.pcap
Binary file not shown.
