mirror of https://github.com/wader/fq.git synced 2024-11-26 21:55:57 +03:00

tcp: Split into client/server structs and add skipped_bytes and has_start/end per direction

Feels cleaner and removes _client/server field prefixes
Mattias Wadman 2022-05-06 16:45:59 +02:00
parent 51ea1a31b9
commit 34cf5442b3
10 changed files with 701 additions and 600 deletions


@ -55,6 +55,7 @@
"gojq",
"gojqextra",
"golangci",
"gopacket",
"GOPATH",
"gosec",
"gosimple",


@ -240,6 +240,7 @@ type TCPStreamIn struct {
IsClient bool
HasStart bool
HasEnd bool
SkippedBytes uint64
SourcePort int
DestinationPort int
}


@ -13,19 +13,22 @@ import (
"github.com/google/gopacket/reassembly"
)
type IPEndpoint struct {
type TCPEndpoint struct {
IP net.IP
Port int
}
type TCPConnection struct {
ClientEndpoint IPEndpoint
ServerEndpoint IPEndpoint
type TCPDirection struct {
Endpoint TCPEndpoint
HasStart bool
HasEnd bool
ClientToServer *bytes.Buffer
ServerToClient *bytes.Buffer
Buffer *bytes.Buffer
SkippedBytes uint64
}
type TCPConnection struct {
Client TCPDirection
Server TCPDirection
tcpState *reassembly.TCPSimpleFSM
optChecker reassembly.TCPOptionCheck
net gopacket.Flow
@ -53,25 +56,31 @@ func (t *TCPConnection) ReassembledSG(sg reassembly.ScatterGather, ac reassembly
dir, start, end, skip := sg.Info()
length, _ := sg.Lengths()
var d *TCPDirection
switch dir {
case reassembly.TCPDirClientToServer:
d = &t.Client
case reassembly.TCPDirServerToClient:
d = &t.Server
default:
panic("unreachable")
}
if skip == -1 {
// can't find where skip == -1 is documented but this is what gopacket reassemblydump does
// to allow missing syn/ack
} else if skip != 0 {
// stream has missing bytes
d.SkippedBytes += uint64(skip)
return
}
t.HasStart = t.HasStart || start
t.HasEnd = t.HasEnd || end
d.HasStart = d.HasStart || start
d.HasEnd = d.HasEnd || end
data := sg.Fetch(length)
switch dir {
case reassembly.TCPDirClientToServer:
t.ClientToServer.Write(data)
case reassembly.TCPDirServerToClient:
t.ServerToClient.Write(data)
}
d.Buffer.Write(data)
}
func (t *TCPConnection) ReassemblyComplete(ac reassembly.AssemblerContext) bool {
@ -103,16 +112,20 @@ func (fd *Decoder) New(net, transport gopacket.Flow, tcp *layers.TCP, ac reassem
}
stream := &TCPConnection{
ClientEndpoint: IPEndpoint{
Client: TCPDirection{
Endpoint: TCPEndpoint{
IP: append([]byte(nil), net.Src().Raw()...),
Port: clientPort,
},
ServerEndpoint: IPEndpoint{
Buffer: &bytes.Buffer{},
},
Server: TCPDirection{
Endpoint: TCPEndpoint{
IP: append([]byte(nil), net.Dst().Raw()...),
Port: serverPort,
},
ClientToServer: &bytes.Buffer{},
ServerToClient: &bytes.Buffer{},
Buffer: &bytes.Buffer{},
},
net: net,
transport: transport,
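Review bot: In ReassembledSG the `skip != 0` branch returns before `sg.Fetch(length)`, so the bytes delivered in the chunk that follows a gap are dropped too, yet only `skip` is added to `d.SkippedBytes`; later chunks with `skip == 0` are then appended to `d.Buffer` with no marker, so `skipped_bytes` under-reports what is missing from the stream a decoder or analyst sees. The same early return bypasses `d.HasEnd = d.HasEnd || end`, so an end flag carried by that chunk would leave `has_end` false (inferred from the visible statement order; the function starts outside the hunk). Consider moving the HasEnd update above the skip check and documenting the field, e.g. `// SkippedBytes is the number of bytes the reassembler reported missing; data in a chunk that follows a gap is dropped and not counted.` Writing the branch as `else if skip > 0` would also keep an unexpected negative value from wrapping in `uint64(skip)`.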


@ -2,90 +2,138 @@
$ fq '.tcp_connections | d' flow_missing_synack.pcap
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.tcp_connections[0:8]:
| | | [0]{}: tcp_connection
| | | source_ip: "192.168.1.4"
| | | source_port: 2061
| | | destination_ip: "192.168.1.3"
| | | destination_port: "https" (443) (http protocol over TLS/SSL)
| | | client{}:
| | | ip: "192.168.1.4"
| | | port: 2061
| | | has_start: false
| | | has_end: false
0x0000|16 03 01 00 9e 01 00 00 9a 03 01 50 83 9c fa fe|...........P....| client_stream: raw bits
| | | skipped_bytes: 0
0x0000|16 03 01 00 9e 01 00 00 9a 03 01 50 83 9c fa fe|...........P....| stream: raw bits
* |until 0x177.7 (end) (376) | |
0x0000|16 03 01 00 35 02 00 00 31 03 01 50 83 9c 9f e3|....5...1..P....| server_stream: raw bits
| | | server{}:
| | | ip: "192.168.1.3"
| | | port: "https" (443) (http protocol over TLS/SSL)
| | | has_start: false
| | | has_end: false
| | | skipped_bytes: 0
0x0000|16 03 01 00 35 02 00 00 31 03 01 50 83 9c 9f e3|....5...1..P....| stream: raw bits
* |until 0x42b.7 (end) (1068) | |
| | | [1]{}: tcp_connection
| | | source_ip: "192.168.1.4"
| | | source_port: 2068
| | | destination_ip: "192.168.1.3"
| | | destination_port: "https" (443) (http protocol over TLS/SSL)
| | | client{}:
| | | ip: "192.168.1.4"
| | | port: 2068
| | | has_start: false
| | | has_end: false
0x0000|16 03 01 00 9e 01 00 00 9a 03 01 50 83 9d 00 a1|...........P....| client_stream: raw bits
| | | skipped_bytes: 0
0x0000|16 03 01 00 9e 01 00 00 9a 03 01 50 83 9d 00 a1|...........P....| stream: raw bits
* |until 0x177.7 (end) (376) | |
0x0000|16 03 01 00 35 02 00 00 31 03 01 50 83 9c a5 e5|....5...1..P....| server_stream: raw bits
| | | server{}:
| | | ip: "192.168.1.3"
| | | port: "https" (443) (http protocol over TLS/SSL)
| | | has_start: false
| | | has_end: false
| | | skipped_bytes: 0
0x0000|16 03 01 00 35 02 00 00 31 03 01 50 83 9c a5 e5|....5...1..P....| stream: raw bits
* |until 0x42b.7 (end) (1068) | |
| | | [2]{}: tcp_connection
| | | source_ip: "192.168.1.4"
| | | source_port: 2070
| | | destination_ip: "192.168.1.3"
| | | destination_port: "https" (443) (http protocol over TLS/SSL)
| | | client{}:
| | | ip: "192.168.1.4"
| | | port: 2070
| | | has_start: false
| | | has_end: false
0x0000|16 03 01 00 9e 01 00 00 9a 03 01 50 83 9d 03 f3|...........P....| client_stream: raw bits
| | | skipped_bytes: 0
0x0000|16 03 01 00 9e 01 00 00 9a 03 01 50 83 9d 03 f3|...........P....| stream: raw bits
* |until 0x2ad.7 (end) (686) | |
0x0000|16 03 01 00 35 02 00 00 31 03 01 50 83 9c a8 b2|....5...1..P....| server_stream: raw bits
| | | server{}:
| | | ip: "192.168.1.3"
| | | port: "https" (443) (http protocol over TLS/SSL)
| | | has_start: false
| | | has_end: false
| | | skipped_bytes: 0
0x0000|16 03 01 00 35 02 00 00 31 03 01 50 83 9c a8 b2|....5...1..P....| stream: raw bits
* |until 0x53c.7 (end) (1341) | |
| | | [3]{}: tcp_connection
| | | source_ip: "192.168.1.4"
| | | source_port: 2071
| | | destination_ip: "192.168.1.3"
| | | destination_port: "https" (443) (http protocol over TLS/SSL)
| | | client{}:
| | | ip: "192.168.1.4"
| | | port: 2071
| | | has_start: false
| | | has_end: false
0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9d 03 d8|....n...j..P....| client_stream: raw bits
| | | skipped_bytes: 0
0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9d 03 d8|....n...j..P....| stream: raw bits
* |until 0x2df.7 (end) (736) | |
0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9c a8 fc|....Q...M..P....| server_stream: raw bits
| | | server{}:
| | | ip: "192.168.1.3"
| | | port: "https" (443) (http protocol over TLS/SSL)
| | | has_start: false
| | | has_end: false
| | | skipped_bytes: 0
0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9c a8 fc|....Q...M..P....| stream: raw bits
* |until 0x1b7.7 (end) (440) | |
| | | [4]{}: tcp_connection
| | | source_ip: "192.168.1.4"
| | | source_port: 2072
| | | destination_ip: "192.168.1.3"
| | | destination_port: "https" (443) (http protocol over TLS/SSL)
| | | client{}:
| | | ip: "192.168.1.4"
| | | port: 2072
| | | has_start: false
| | | has_end: false
0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9d 03 94|....n...j..P....| client_stream: raw bits
| | | skipped_bytes: 0
0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9d 03 94|....n...j..P....| stream: raw bits
* |until 0x2fd.7 (end) (766) | |
0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9c a8 d8|....Q...M..P....| server_stream: raw bits
| | | server{}:
| | | ip: "192.168.1.3"
| | | port: "https" (443) (http protocol over TLS/SSL)
| | | has_start: false
| | | has_end: false
| | | skipped_bytes: 0
0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9c a8 d8|....Q...M..P....| stream: raw bits
* |until 0x1b7.7 (end) (440) | |
| | | [5]{}: tcp_connection
| | | source_ip: "192.168.1.4"
| | | source_port: 2073
| | | destination_ip: "192.168.1.3"
| | | destination_port: "https" (443) (http protocol over TLS/SSL)
| | | client{}:
| | | ip: "192.168.1.4"
| | | port: 2073
| | | has_start: false
| | | has_end: false
| | | skipped_bytes: 0
0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9d 0d 96|....n...j..P....| stream: raw bits
* |until 0x2fd.7 (end) (766) | |
| | | server{}:
| | | ip: "192.168.1.3"
| | | port: "https" (443) (http protocol over TLS/SSL)
| | | has_start: false
| | | has_end: true
0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9d 0d 96|....n...j..P....| client_stream: raw bits
* |until 0x2fd.7 (end) (766) | |
0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9c b2 45|....Q...M..P...E| server_stream: raw bits
| | | skipped_bytes: 0
0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9c b2 45|....Q...M..P...E| stream: raw bits
* |until 0x2d73.7 (end) (11636) | |
| | | [6]{}: tcp_connection
| | | source_ip: "192.168.1.4"
| | | source_port: 2078
| | | destination_ip: "192.168.1.3"
| | | destination_port: "https" (443) (http protocol over TLS/SSL)
| | | client{}:
| | | ip: "192.168.1.4"
| | | port: 2078
| | | has_start: false
| | | has_end: false
0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9d d7 3a|....n...j..P...:| client_stream: raw bits
| | | skipped_bytes: 0
0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9d d7 3a|....n...j..P...:| stream: raw bits
* |until 0x38c.7 (end) (909) | |
0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9d 7c ac|....Q...M..P..|.| server_stream: raw bits
| | | server{}:
| | | ip: "192.168.1.3"
| | | port: "https" (443) (http protocol over TLS/SSL)
| | | has_start: false
| | | has_end: false
| | | skipped_bytes: 0
0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9d 7c ac|....Q...M..P..|.| stream: raw bits
* |until 0x2d5.7 (end) (726) | |
| | | [7]{}: tcp_connection
| | | source_ip: "192.168.1.4"
| | | source_port: 2085
| | | destination_ip: "192.168.1.3"
| | | destination_port: "https" (443) (http protocol over TLS/SSL)
| | | client{}:
| | | ip: "192.168.1.4"
| | | port: 2085
| | | has_start: false
| | | has_end: false
0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9e 02 2b|....n...j..P...+| client_stream: raw bits
| | | skipped_bytes: 0
0x0000|16 03 01 01 6e 01 00 01 6a 03 01 50 83 9e 02 2b|....n...j..P...+| stream: raw bits
* |until 0x4a0.7 (end) (1185) | |
0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9d a7 8b|....Q...M..P....| server_stream: raw bits
| | | server{}:
| | | ip: "192.168.1.3"
| | | port: "https" (443) (http protocol over TLS/SSL)
| | | has_start: false
| | | has_end: false
| | | skipped_bytes: 0
0x0000|16 03 01 00 51 02 00 00 4d 03 01 50 83 9d a7 8b|....Q...M..P....| stream: raw bits
* |until 0x4f3.7 (end) (1268) | |


@ -33,6 +33,7 @@ var linkToDecodeFn = map[int]func(fd *flowsdecoder.Decoder, bs []byte) error{
},
}
// TODO: make some of this shared if more packet capture formats are added
func fieldFlows(d *decode.D, fd *flowsdecoder.Decoder, tcpStreamFormat decode.Group, ipv4PacketFormat decode.Group) {
d.FieldArray("ipv4_reassembled", func(d *decode.D) {
for _, p := range fd.IPV4Reassembled {
@ -51,43 +52,44 @@ func fieldFlows(d *decode.D, fd *flowsdecoder.Decoder, tcpStreamFormat decode.Gr
d.FieldArray("tcp_connections", func(d *decode.D) {
for _, s := range fd.TCPConnections {
d.FieldStruct("tcp_connection", func(d *decode.D) {
d.FieldValueStr("source_ip", s.ClientEndpoint.IP.String())
d.FieldValueU("source_port", uint64(s.ClientEndpoint.Port), format.TCPPortMap)
d.FieldValueStr("destination_ip", s.ServerEndpoint.IP.String())
d.FieldValueU("destination_port", uint64(s.ServerEndpoint.Port), format.TCPPortMap)
d.FieldValueBool("has_start", s.HasStart)
d.FieldValueBool("has_end", s.HasEnd)
csBR := bitio.NewBitReader(s.ClientToServer.Bytes(), -1)
f := func(d *decode.D, td *flowsdecoder.TCPDirection, tsi format.TCPStreamIn) {
d.FieldValueStr("ip", td.Endpoint.IP.String())
d.FieldValueU("port", uint64(td.Endpoint.Port), format.TCPPortMap)
d.FieldValueBool("has_start", td.HasStart)
d.FieldValueBool("has_end", td.HasEnd)
d.FieldValueU("skipped_bytes", td.SkippedBytes)
br := bitio.NewBitReader(td.Buffer.Bytes(), -1)
if dv, _, _ := d.TryFieldFormatBitBuf(
"client_stream",
csBR,
"stream",
br,
tcpStreamFormat,
format.TCPStreamIn{
IsClient: true,
HasStart: s.HasStart,
HasEnd: s.HasEnd,
SourcePort: s.ClientEndpoint.Port,
DestinationPort: s.ServerEndpoint.Port,
},
tsi,
); dv == nil {
d.FieldRootBitBuf("client_stream", csBR)
d.FieldRootBitBuf("stream", br)
}
}
scBR := bitio.NewBitReader(s.ServerToClient.Bytes(), -1)
if dv, _, _ := d.TryFieldFormatBitBuf(
"server_stream",
scBR,
tcpStreamFormat,
format.TCPStreamIn{
d.FieldStruct("client", func(d *decode.D) {
f(d, &s.Client, format.TCPStreamIn{
IsClient: true,
HasStart: s.Client.HasStart,
HasEnd: s.Client.HasEnd,
SkippedBytes: s.Client.SkippedBytes,
SourcePort: s.Client.Endpoint.Port,
DestinationPort: s.Server.Endpoint.Port,
})
})
d.FieldStruct("server", func(d *decode.D) {
f(d, &s.Server, format.TCPStreamIn{
IsClient: false,
HasStart: s.HasStart,
HasEnd: s.HasEnd,
SourcePort: s.ServerEndpoint.Port,
DestinationPort: s.ClientEndpoint.Port,
},
); dv == nil {
d.FieldRootBitBuf("server_stream", scBR)
}
HasStart: s.Server.HasStart,
HasEnd: s.Server.HasEnd,
SkippedBytes: s.Server.SkippedBytes,
SourcePort: s.Server.Endpoint.Port,
DestinationPort: s.Client.Endpoint.Port,
})
})
})
}
})
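Review bot: The helper `f` receives `td` and also a `format.TCPStreamIn` whose `HasStart`, `HasEnd` and `SkippedBytes` the caller copies by hand from the same direction, so the two can drift and a stream decoder could be told the stream is complete while the displayed `skipped_bytes` says otherwise. Building the `TCPStreamIn` inside the helper from `td`, the peer direction and an `isClient` flag removes the duplication, and a descriptive name reads better than `f`. Separately, `TryFieldFormatBitBuf` is still attempted when `td.SkippedBytes` is non-zero and its error is discarded; whether the stream formats check `SkippedBytes` is not visible in this section, so that is worth confirming.

```go
fieldDirection := func(d *decode.D, td, peer *flowsdecoder.TCPDirection, isClient bool) {
	// … unchanged: ip, port, has_start, has_end, skipped_bytes fields …
	br := bitio.NewBitReader(td.Buffer.Bytes(), -1)
	if dv, _, _ := d.TryFieldFormatBitBuf("stream", br, tcpStreamFormat, format.TCPStreamIn{
		IsClient:        isClient,
		HasStart:        td.HasStart,
		HasEnd:          td.HasEnd,
		SkippedBytes:    td.SkippedBytes,
		SourcePort:      td.Endpoint.Port,
		DestinationPort: peer.Endpoint.Port,
	}); dv == nil {
		d.FieldRootBitBuf("stream", br)
	}
}
d.FieldStruct("client", func(d *decode.D) { fieldDirection(d, &s.Client, &s.Server, true) })
d.FieldStruct("server", func(d *decode.D) { fieldDirection(d, &s.Server, &s.Client, false) })
```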


@ -609,13 +609,19 @@ $ fq -d pcap dv /http_gzip.cap
| | | ipv4_reassembled[0:0]: 0x6ab-NA (0)
| | | tcp_connections[0:1]: 0x6ab-NA (0)
| | | [0]{}: tcp_connection 0x6ab-NA (0)
| | | source_ip: "192.168.69.2" 0x6ab-NA (0)
| | | source_port: 34059 0x6ab-NA (0)
| | | destination_ip: "192.168.69.1" 0x6ab-NA (0)
| | | destination_port: "http" (80) (World Wide Web HTTP) 0x6ab-NA (0)
| | | client{}: 0x6ab-NA (0)
| | | ip: "192.168.69.2" 0x6ab-NA (0)
| | | port: 34059 0x6ab-NA (0)
| | | has_start: true 0x6ab-NA (0)
| | | has_end: true 0x6ab-NA (0)
0x000|47 45 54 20 2f 74 65 73 74 2f 65 74 68 65 72 65|GET /test/ethere| client_stream: raw bits 0x0-0x1bc.7 (445)
| | | skipped_bytes: 0 0x6ab-NA (0)
0x000|47 45 54 20 2f 74 65 73 74 2f 65 74 68 65 72 65|GET /test/ethere| stream: raw bits 0x0-0x1bc.7 (445)
* |until 0x1bc.7 (end) (445) | |
0x000|48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d|HTTP/1.1 200 OK.| server_stream: raw bits 0x0-0x191.7 (402)
| | | server{}: 0x6ab-NA (0)
| | | ip: "192.168.69.1" 0x6ab-NA (0)
| | | port: "http" (80) (World Wide Web HTTP) 0x6ab-NA (0)
| | | has_start: true 0x6ab-NA (0)
| | | has_end: true 0x6ab-NA (0)
| | | skipped_bytes: 0 0x6ab-NA (0)
0x000|48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d|HTTP/1.1 200 OK.| stream: raw bits 0x0-0x191.7 (402)
* |until 0x191.7 (end) (402) | |


@ -3483,13 +3483,19 @@ $ fq -d pcap dv ipv6_http.pcap
| | | ipv4_reassembled[0:0]: 0x23c7-NA (0)
| | | tcp_connections[0:1]: 0x23c7-NA (0)
| | | [0]{}: tcp_connection 0x23c7-NA (0)
| | | source_ip: "2001:6f8:102d:0:2d0:9ff:fee3:e8de" 0x23c7-NA (0)
| | | source_port: 59201 0x23c7-NA (0)
| | | destination_ip: "2001:6f8:900:7c0::2" 0x23c7-NA (0)
| | | destination_port: "http" (80) (World Wide Web HTTP) 0x23c7-NA (0)
| | | client{}: 0x23c7-NA (0)
| | | ip: "2001:6f8:102d:0:2d0:9ff:fee3:e8de" 0x23c7-NA (0)
| | | port: 59201 0x23c7-NA (0)
| | | has_start: true 0x23c7-NA (0)
| | | has_end: true 0x23c7-NA (0)
0x000|47 45 54 20 2f 20 48 54 54 50 2f 31 2e 30 0d 0a|GET / HTTP/1.0..| client_stream: raw bits 0x0-0xef.7 (240)
| | | skipped_bytes: 0 0x23c7-NA (0)
0x000|47 45 54 20 2f 20 48 54 54 50 2f 31 2e 30 0d 0a|GET / HTTP/1.0..| stream: raw bits 0x0-0xef.7 (240)
* |until 0xef.7 (end) (240) | |
0x000|48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d|HTTP/1.1 200 OK.| server_stream: raw bits 0x0-0x8d2.7 (2259)
| | | server{}: 0x23c7-NA (0)
| | | ip: "2001:6f8:900:7c0::2" 0x23c7-NA (0)
| | | port: "http" (80) (World Wide Web HTTP) 0x23c7-NA (0)
| | | has_start: true 0x23c7-NA (0)
| | | has_end: true 0x23c7-NA (0)
| | | skipped_bytes: 0 0x23c7-NA (0)
0x000|48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d|HTTP/1.1 200 OK.| stream: raw bits 0x0-0x8d2.7 (2259)
* |until 0x8d2.7 (end) (2259) | |


@ -5487,23 +5487,35 @@ $ fq -d pcapng dv /many_interfaces.pcapng
| | | ipv4_reassembled[0:0]: 0x51b8-NA (0)
| | | tcp_connections[0:2]: 0x51b8-NA (0)
| | | [0]{}: tcp_connection 0x51b8-NA (0)
| | | source_ip: "192.168.1.139" 0x51b8-NA (0)
| | | source_port: 50981 0x51b8-NA (0)
| | | destination_ip: "74.125.228.227" 0x51b8-NA (0)
| | | destination_port: "https" (443) (http protocol over TLS/SSL) 0x51b8-NA (0)
| | | client{}: 0x51b8-NA (0)
| | | ip: "192.168.1.139" 0x51b8-NA (0)
| | | port: 50981 0x51b8-NA (0)
| | | has_start: true 0x51b8-NA (0)
| | | has_end: false 0x51b8-NA (0)
0x000|16 03 01 02 00 01 00 01 fc 03 03 f0 91 bc 87 3e|...............>| client_stream: raw bits 0x0-0x7b0.7 (1969)
| | | skipped_bytes: 0 0x51b8-NA (0)
0x000|16 03 01 02 00 01 00 01 fc 03 03 f0 91 bc 87 3e|...............>| stream: raw bits 0x0-0x7b0.7 (1969)
* |until 0x7b0.7 (end) (1969) | |
0x000|16 03 03 00 5a 02 00 00 56 03 03 55 d0 e5 ff ab|....Z...V..U....| server_stream: raw bits 0x0-0x35b.7 (860)
| | | server{}: 0x51b8-NA (0)
| | | ip: "74.125.228.227" 0x51b8-NA (0)
| | | port: "https" (443) (http protocol over TLS/SSL) 0x51b8-NA (0)
| | | has_start: true 0x51b8-NA (0)
| | | has_end: false 0x51b8-NA (0)
| | | skipped_bytes: 0 0x51b8-NA (0)
0x000|16 03 03 00 5a 02 00 00 56 03 03 55 d0 e5 ff ab|....Z...V..U....| stream: raw bits 0x0-0x35b.7 (860)
* |until 0x35b.7 (end) (860) | |
| | | [1]{}: tcp_connection 0x51b8-NA (0)
| | | source_ip: "192.168.1.139" 0x51b8-NA (0)
| | | source_port: 50982 0x51b8-NA (0)
| | | destination_ip: "74.125.228.227" 0x51b8-NA (0)
| | | destination_port: "https" (443) (http protocol over TLS/SSL) 0x51b8-NA (0)
| | | client{}: 0x51b8-NA (0)
| | | ip: "192.168.1.139" 0x51b8-NA (0)
| | | port: 50982 0x51b8-NA (0)
| | | has_start: true 0x51b8-NA (0)
| | | has_end: false 0x51b8-NA (0)
0x000|16 03 01 00 d3 01 00 00 cf 03 03 c0 a6 33 83 e1|.............3..| client_stream: raw bits 0x0-0xd7.7 (216)
| | | skipped_bytes: 0 0x51b8-NA (0)
0x000|16 03 01 00 d3 01 00 00 cf 03 03 c0 a6 33 83 e1|.............3..| stream: raw bits 0x0-0xd7.7 (216)
* |until 0xd7.7 (end) (216) | |
| | | server_stream: raw bits 0x0-NA (0)
| | | server{}: 0x51b8-NA (0)
| | | ip: "74.125.228.227" 0x51b8-NA (0)
| | | port: "https" (443) (http protocol over TLS/SSL) 0x51b8-NA (0)
| | | has_start: true 0x51b8-NA (0)
| | | has_end: false 0x51b8-NA (0)
| | | skipped_bytes: 0 0x51b8-NA (0)
| | | stream: raw bits 0x0-NA (0)


@ -335,11 +335,17 @@ $ fq -d pcap dv /sll2_tcp.pcap
| | | ipv4_reassembled[0:0]: 0x1e5-NA (0)
| | | tcp_connections[0:1]: 0x1e5-NA (0)
| | | [0]{}: tcp_connection 0x1e5-NA (0)
| | | source_ip: "127.0.0.1" 0x1e5-NA (0)
| | | source_port: 47174 0x1e5-NA (0)
| | | destination_ip: "127.0.0.1" 0x1e5-NA (0)
| | | destination_port: 1234 0x1e5-NA (0)
| | | client{}: 0x1e5-NA (0)
| | | ip: "127.0.0.1" 0x1e5-NA (0)
| | | port: 47174 0x1e5-NA (0)
| | | has_start: true 0x1e5-NA (0)
| | | has_end: false 0x1e5-NA (0)
0x00|74 65 73 74 0a| |test.| | client_stream: raw bits 0x0-0x4.7 (5)
| | | server_stream: raw bits 0x0-NA (0)
| | | skipped_bytes: 0 0x1e5-NA (0)
0x00|74 65 73 74 0a| |test.| | stream: raw bits 0x0-0x4.7 (5)
| | | server{}: 0x1e5-NA (0)
| | | ip: "127.0.0.1" 0x1e5-NA (0)
| | | port: 1234 0x1e5-NA (0)
| | | has_start: true 0x1e5-NA (0)
| | | has_end: false 0x1e5-NA (0)
| | | skipped_bytes: 0 0x1e5-NA (0)
| | | stream: raw bits 0x0-NA (0)


@ -1,13 +1,13 @@
$ fq '.tcp_connections | dv' rtmp_sample.cap
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.tcp_connections[0:1]: 0x2268-NA (0)
| | | [0]{}: tcp_connection 0x2268-NA (0)
| | | source_ip: "192.168.43.1" 0x2268-NA (0)
| | | source_port: 1177 0x2268-NA (0)
| | | destination_ip: "192.168.43.128" 0x2268-NA (0)
| | | destination_port: "rtmp" (1935) (Real-Time Messaging Protocol) 0x2268-NA (0)
| | | client{}: 0x2268-NA (0)
| | | ip: "192.168.43.1" 0x2268-NA (0)
| | | port: 1177 0x2268-NA (0)
| | | has_start: true 0x2268-NA (0)
| | | has_end: false 0x2268-NA (0)
| | | client_stream{}: (rtmp) 0x0-0xd7b.7 (3452)
| | | skipped_bytes: 0 0x2268-NA (0)
| | | stream{}: (rtmp) 0x0-0xd7b.7 (3452)
| | | handshake{}: 0x0-0xc00.7 (3073)
| | | c0{}: 0x0-0x0.7 (1)
0x000|03 |. | version: 3 0x0-0x0.7 (1)
@ -228,7 +228,13 @@ $ fq '.tcp_connections | dv' rtmp_sample.cap
| | | message_stream_id: 0 (previous) 0xd72-NA (0)
| | | calculated_timestamp: 16275007 0xd72-NA (0)
0xd70| 00 03 00 00 00 01 00 00 00 00| | ..........| | data: raw bits 0xd72-0xd7b.7 (10)
| | | server_stream{}: (rtmp) 0x0-0xda7.7 (3496)
| | | server{}: 0x2268-NA (0)
| | | ip: "192.168.43.128" 0x2268-NA (0)
| | | port: "rtmp" (1935) (Real-Time Messaging Protocol) 0x2268-NA (0)
| | | has_start: true 0x2268-NA (0)
| | | has_end: false 0x2268-NA (0)
| | | skipped_bytes: 0 0x2268-NA (0)
| | | stream{}: (rtmp) 0x0-0xda7.7 (3496)
| | | handshake{}: 0x0-0xc00.7 (3073)
| | | s0{}: 0x0-0x0.7 (1)
0x000|03 |. | version: 3 0x0-0x0.7 (1)