策略引擎>> PacketSorter>> 返回
项目作者: rickyzhang82

项目描述 :
TCP packet sorter
高级语言: CMake
项目地址: git://github.com/rickyzhang82/PacketSorter.git
创建时间: 2019-12-26T13:12:02Z
项目社区:https://github.com/rickyzhang82/PacketSorter
开源协议:
下载


What

This application is used for deep packet inspection research project. It collects network packets and sorts packets by TCP connection and TCP sequence number.

It requires TCP packet sorting feature from my forked PcapPlusPlus repository. The app can run on both FreeBSD and Linux. Resource leaking like memory leak and file handler leak have been checked intensively. In my research project, I ran PacketSorter in pfSense router over a month to collect packet data.

How

First, build dependency library PcapPlusPlus from my forked repository.

  1. git clone -b my-master https://github.com/rickyzhang82/PcapPlusPlus

In FreeBSD

  1. ./configure-freebsd.sh
  2. gmake all
  3. sudo gmake install

In Linux

  1. ./configure-linux.sh
  2. make all
  3. sudo make install

Secondly, build PacketSorter application.

  1. git clone https://github.com/rickyzhang82/PacketSorter
  2. ./clean-build.sh

Thirdly, run PacketSorter

  1. ./PacketSorter -h
  3. Usage:
  4. ------
  5. PacketSorter [-hvlcms] [-r input_file] [-i interface] [-o output_dir] [-e bpf_filter] [-f max_files]
  7. Options:
  9.     -r input_file : Input pcap/pcapng file to analyze. Required argument for reading from file
  10.     -i interface  : Use the specified interface. Can be interface name (e.g eth0) or interface IPv4 address. Required argument for capturing from live interface
  11.     -o output_dir : Specify output directory (default is '.')
  12.     -e bpf_filter : Apply a BPF filter to capture file or live interface, meaning TCP sorter will only work on filtered packets
  13.     -f max_files  : Maximum number of file descriptors to use (default: 500)
  14.     -p max_packet : Maximum number of captured packets from both sides in each TCP connection (default: 0 = unlimited)
  15.     -t time_out   : Maximum idle timeout in seconds for inactive TCP connection (default: 180. The value 0 = unlimited)
  16.     -n max_scan   : Maximum number of inactive TCP connection scan in each batch (default: 100. The value 0 = scan all)
  17.     -d clean_prd  : Time period in seconds to trigger clean up inactive TCP connection (default: 60)
  18.     -g max_slt    : Maximum sgement lifetime. In TIME_WAIT state, TCP state machine wait for twice the MSS until transist to closed state. (default: 60)
  19.     -x            : Exclude empty TCP packet (default: false)
  20.     -s            : Write each side of each connection to a separate file (default is writing both sides of each connection to the same file)
  21.     -l            : Print the list of interfaces and exit
  22.     -v            : Displays the current version and exists
  23.     -h            : Display this help message and exit

For example, in my research project I need to capture first 16th non-empty TCP payload packets from TCP connection. I use the following options:

  1. /root/bin/PacketSorter -i re0 -o /root/tcpsorter -x -p 16 > /root/tcpsorter/run.log 2>&1