in reply to Re: TCP session recreation from pcap files
in thread TCP session recreation from pcap files

Ah thanks very much for the help Khen. I played a little with pcapdump. Seems similar to tcpdump and I'd been using that. So, the situation I'm in is that I already have a large number of dump files from a large network and I want to do some analysis on them (as opposed to capturing new data with something like pcapdump).

Whilst I have managed to script some stuff to extract individual packet information (headers+payload) from pcap files:

    use strict;
    use Net::TcpDumpLog;
    use NetPacket::IP qw(:strip);
    use NetPacket::TCP qw(:strip);

    my $log = Net::TcpDumpLog->new();
    $log->read($ARGV[0]);
    my @Indexes = $log->indexes;
    my $index;
    my ($length_orig,$length_incl,$drops,$secs,$msecs);
    my $data;

    print ("IP SRC,IP DST, IP LENGTH, IP TOS, IP TTL, IP Offset, TCP ACK, TCP flags, TCP Winsize, TCP Chksum, TCP URG\n");
    foreach $index (@Indexes) {
        ($length_orig,$length_incl,$drops,$secs,$msecs) = $log->header($index);
        $data = $log->data($index);
        # Ethernet frame: 6-byte dst MAC, 6-byte src MAC, 2-byte type, then payload
        my ($ether_dest,$ether_src,$ether_type,$ether_data) = unpack('H12H12H4a*',$data);
        my $ip_obj  = NetPacket::IP->decode($ether_data);
        my $tcp_obj = NetPacket::TCP->decode($ip_obj->{data});
        print ("$ip_obj->{src_ip},$ip_obj->{dest_ip},$ip_obj->{len},$ip_obj->{tos},$ip_obj->{ttl},$ip_obj->{foffset},$tcp_obj->{acknum},$tcp_obj->{flags},$tcp_obj->{winsize},$tcp_obj->{cksum},$tcp_obj->{urg}\n");
    }
...I'm struggling a bit to recreate the sessions in a nice way. I figured out with that Net::Analysis tool that the following command:
    $ perl -MNet::Analysis -e main TCP,v=7 google.dump
gives the output:
    = (  0 23:28:09.091264 163.1.236.180:47262-209.85.227.99:80) *AP SEQ:4094724362 ACK:3316076611 1072b
    ====[23:28:09.091264] tcp session start [163.1.236.180:47262 -> 209.85.227.99:80]
      ==[23:28:09.091264] [Mono from 163.1.236.180:47262] 0.000000s, 1pkts, 1072b
    = (  1 23:28:09.119041 209.85.227.99:80-163.1.236.180:47262) *A SEQ:3316076611 ACK:4094725434 1368b
    = (  2 23:28:09.119097 163.1.236.180:47262-209.85.227.99:80) _A
    [......]
    ====[--:--:--.------] tcp session end [163.1.236.180:47263-209.85.227.99:80]
i.e. it's reconstructing sessions as well as monologues within each session and listing each packet. Now what I really want to do is to figure out how to 'code' the above command such that I can tweak it. Instead of outputting each packet to the console, for example, I'd like to insert it into a database. Also I'd like additional header information.

The kludge approach I'm about to take is to dump the whole output to a file and then parse it with another script, and then try and match each packet in the Net::Analysis output to each packet in my above scripts output. Not so ideal...

Thanks and sorry for rambling!
-N
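One way to start "coding" the session reconstruction that the Net::Analysis command above performs, as an added example (not code from the original post or from Net::Analysis): it groups packets by socket pair using the same Net::TcpDumpLog and NetPacket modules as the earlier script, marks session start (SYN) and end (FIN/RST), and reassembles each direction's payload in sequence-number order. It assumes an Ethernet link layer and a pcap path in @ARGV; the comment in the loop marks where a per-packet database insert would go.

```perl
#!/usr/bin/perl
# Added example: rebuild TCP sessions from a pcap with Net::TcpDumpLog and
# NetPacket only. Assumes Ethernet frames and one pcap path in @ARGV.
use strict;
use warnings;
use Net::TcpDumpLog;
use NetPacket::IP;
use NetPacket::TCP;

# Standard TCP flag bits (RFC 793) used to spot session start and end.
my ($FIN, $SYN, $RST) = (0x01, 0x02, 0x04);

my $log = Net::TcpDumpLog->new();
$log->read($ARGV[0]);

my %sessions;    # direction-independent "a|b" key -> session record
for my $index ($log->indexes) {
    # header() returns seconds plus the pcap microsecond field (named msecs).
    my ($len_orig, $len_incl, $drops, $secs, $usecs) = $log->header($index);
    my (undef, undef, $ether_type, $ether_data) = unpack('H12H12H4a*', $log->data($index));
    next unless $ether_type eq '0800';          # IPv4 frames only
    my $ip = NetPacket::IP->decode($ether_data);
    next unless $ip->{proto} == 6;              # TCP only
    my $tcp = NetPacket::TCP->decode($ip->{data});

    my $from = "$ip->{src_ip}:$tcp->{src_port}";
    my $to   = "$ip->{dest_ip}:$tcp->{dest_port}";
    my $key  = join '|', sort $from, $to;       # same key for both directions
    my $ts   = $secs + $usecs / 1e6;
    my $s = $sessions{$key} ||= { first => $ts, pkts => 0, seg => {} };
    $s->{pkts}++;
    $s->{last}   = $ts;
    $s->{opened} = $from if ($tcp->{flags} & $SYN) && !$s->{opened};
    $s->{closed} = 1     if $tcp->{flags} & ($FIN | $RST);
    # Payload keyed by seqnum per direction, so retransmissions collapse.
    # (32-bit sequence wrap-around is not handled here.)
    $s->{seg}{$from}{ $tcp->{seqnum} } = $tcp->{data} if length $tcp->{data};
    # A DBI insert of ($key, $from, $to, $ts, $tcp->{seqnum}, ...) would go here.
}

# One summary line per session, then each monologue direction reassembled
# by concatenating payload in sequence-number order.
for my $key (sort { $sessions{$a}{first} <=> $sessions{$b}{first} } keys %sessions) {
    my $s = $sessions{$key};
    printf "session %s  %d pkts  %.6fs  opened-by=%s  %s\n", $key, $s->{pkts},
        $s->{last} - $s->{first}, $s->{opened} || 'n/a', $s->{closed} ? 'closed' : 'open';
    for my $dir (sort keys %{ $s->{seg} }) {
        my $stream = join '', map { $s->{seg}{$dir}{$_} } sort { $a <=> $b } keys %{ $s->{seg}{$dir} };
        printf "  %s -> %d payload bytes\n", $dir, length $stream;
    }
}
```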