Reconstruction of TCP Session from Captured IP Packets
Hi Everyone,
Recently I ran into a problem during the development of network software that captures IP packets directly from the hub of a LAN and reconstructs these packets into TCP sessions on Unix/Linux. The goal is to be able to produce the complete data of multiple TCP sessions from captured IP packets. The generated TCP session data tries to match the output of the standard socket interface provided by the Unix/Linux operating system, e.g. recv() and recvfrom().
Capture of IP packets uses libpcap and reassembly of TCP sessions uses libnids. However, after several weeks of desperate trial and error, I found that libnids can hardly generate qualified output of TCP session data that can be acquired as conveniently as with the Unix socket function calls. It looks like the direct output of the tcp_stream structure from its callback function is raw TCP packets that have to be re-organized to obtain an ordered, complete and non-redundant TCP packet stream for each unique TCP session. And also the seemingly organized internal TCP stream table still generates disordered, overlapped, and even mis-calculated data arrays in memory for each TCP session at the end of each TCP session, as determined by the NIDS_CLOSE signal.
I know of course that users can go straight ahead and reconstruct TCP sessions themselves, but such an effort will involve a significant amount of energy to make sure everything works as expected when a large number of TCP packets from multiple sessions are pumped out of the data capture engine and need to be re-created into the original TCP sessions correctly and efficiently. Such a task can be daunting for non-experts in network programming.
Therefore I keep wondering whether there exist development tools that ordinary software developers can make use of in their development. I did some research on the web for such tools but the results were not very encouraging.
Any suggestions or comments are warmly welcome! Greatly appreciated!
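The reassembly step the post describes, as an added example that is not part of the original post and does not use libnids or libpcap: a minimal one-direction TCP segment reassembler in C that takes segments in arrival order (out of order, retransmitted, or partially overlapping), files each byte by its offset from the initial sequence number using modular arithmetic so that 32-bit sequence wraparound is handled, and exposes a recv()-like stream_read() that only returns the contiguous in-order prefix. The segment contents, the initial sequence number 0xFFFFFFF0 and the 64-byte window are constructed for the demo. One caveat to keep in mind when building this for monitoring rather than for a client: this code keeps the first copy of any byte it has already seen, but different operating systems resolve conflicting overlapping segments differently, so a passive reassembler that must see exactly what the end host saw has to emulate the end host's overlap policy rather than pick one arbitrarily.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One direction of a TCP connection, indexed by offset from the initial sequence number. */
typedef struct {
    uint32_t isn;      /* sequence number of the first payload byte of this direction */
    uint8_t *buf;      /* reassembled payload, buf[seq - isn] */
    uint8_t *seen;     /* 1 once the byte at that offset has arrived */
    size_t cap;        /* window tracked by this example (constructed limit, not a TCP value) */
    size_t delivered;  /* bytes already returned to the caller by stream_read() */
} tcp_stream;

tcp_stream *stream_new(uint32_t isn, size_t cap) {
    tcp_stream *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->isn = isn;
    s->cap = cap;
    s->buf = calloc(cap, 1);
    s->seen = calloc(cap, 1);
    if (!s->buf || !s->seen) { free(s->buf); free(s->seen); free(s); return NULL; }
    return s;
}

void stream_free(tcp_stream *s) {
    if (s) { free(s->buf); free(s->seen); free(s); }
}

/* File one segment. Returns the number of bytes that were new to the stream.
   Duplicate or overlapping bytes keep their first-seen value; bytes before the
   window start or beyond cap are dropped. */
size_t stream_add(tcp_stream *s, uint32_t seq, const uint8_t *data, size_t len) {
    size_t added = 0;
    for (size_t i = 0; i < len; i++) {
        /* signed modular distance from isn: correct even when seq wraps past 2^32 */
        int32_t off = (int32_t)(seq + (uint32_t)i - s->isn);
        if (off < 0 || (size_t)off >= s->cap) continue;
        if (s->seen[off]) continue;          /* retransmit or overlap: first copy wins */
        s->buf[off] = data[i];
        s->seen[off] = 1;
        added++;
    }
    return added;
}

/* Bytes that are in order from the delivery point up to the first hole. */
size_t stream_available(const tcp_stream *s) {
    size_t end = s->delivered;
    while (end < s->cap && s->seen[end]) end++;
    return end - s->delivered;
}

/* recv()-like read: returns only contiguous data, 0 while waiting on a hole. */
size_t stream_read(tcp_stream *s, uint8_t *out, size_t max) {
    size_t n = stream_available(s);
    if (n > max) n = max;
    memcpy(out, s->buf + s->delivered, n);
    s->delivered += n;
    return n;
}

/* Constructed demo: one direction of an HTTP request whose segments arrive out of
   order, with a retransmit, a conflicting overlap and a partial overlap. */
size_t reassemble_demo(char *out, size_t max) {
    const uint32_t isn = 0xFFFFFFF0u;   /* chosen near the wrap point on purpose */
    tcp_stream *s = stream_new(isn, 64);
    if (!s || max == 0) { stream_free(s); return 0; }
    stream_add(s, isn + 6,  (const uint8_t *)"HTTP/1", 6);   /* arrives first, out of order */
    stream_add(s, isn + 0,  (const uint8_t *)"GET / ", 6);   /* fills the hole in front */
    stream_add(s, isn + 0,  (const uint8_t *)"GET / ", 6);   /* exact retransmit: 0 new bytes */
    stream_add(s, isn + 4,  (const uint8_t *)"X", 1);        /* conflicting overlap: ignored */
    stream_add(s, isn + 10, (const uint8_t *)"/1.0\r\n", 6); /* overlaps "/1" at offsets 10..11 */
    size_t n = stream_read(s, (uint8_t *)out, max - 1);
    out[n] = '\0';
    stream_free(s);
    return n;
}

int main(void) {
    char line[64];
    size_t n = reassemble_demo(line, sizeof line);
    printf("%zu bytes: %s", n, line);
    return 0;
}
```

The per-byte bitmap is the simplest correct structure for showing the ordering and overlap rules; a production reassembler would keep a list of (offset, length) holes instead, and would also need to bound the buffer per connection so that a sender who deliberately leaves a hole open cannot make the monitor hold memory indefinitely.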