This is an implementation of TCP reassembly logic, which means reassembly of TCP messages spanning multiple TCP segments (or packets).
This logic can be useful in analyzing messages for a large number of protocols implemented on top of TCP including HTTP, SSL/TLS, FTP and many many more.
General Features:
- Manage multiple TCP connections under one pcpp::TcpReassembly instance
- Support TCP retransmission
- Support out-of-order packets
- Support missing TCP data
- TCP connections can end "naturally" (by FIN/RST packets) or manually by the user
- Support callbacks for new TCP data, connection start and connection end
Logic Description:
- The user creates an instance of the pcpp::TcpReassembly class
- Then the user starts feeding it with TCP packets
- The pcpp::TcpReassembly instance manages all TCP connections from the packets it's being fed. For each connection it manages its 2 sides (A->B and B->A).
- When a packet arrives, it is first classified to a certain TCP connection
- Then it is classified to a certain side of the TCP connection
- Then the pcpp::TcpReassembly logic tries to understand if the data in this packet is the expected data (sequence-wise) and if it's new (e.g isn't a retransmission).
- If the packet data matches these criteria a callback is being invoked. This callback is supplied by the user in the creation of the pcpp::TcpReassembly instance. This callback contains the new data (of course), but also information about the connection (5-tuple, 4-byte hash key describing the connection, etc.) and also a pointer to a "user
cookie", meaning a pointer to a structure provided by the user during the creation of the pcpp::TcpReassembly instance.
- If the data in this packet isn't new, it's being ignored
- If the data in this packet isn't expected (meaning this packet came out-of-order), then the data is being queued internally and will be sent to the user when its turn arrives (meaning, after the data before arrives).
- If the missing data doesn't arrive until a new message from the other side of the connection arrives or until the connection ends - this will be considered as missing data and the queued data will be sent to the user, but the string "[X bytes missing]" will be added to the message sent in the callback.
- pcpp::TcpReassembly supports 2 more callbacks - one is invoked when a new TCP connection is first seen and the other when it's ended (either by a FIN/RST packet or manually by the user). Both of these callbacks contain data about the connection (5-tuple, 4-byte hash key describing the connection, etc.) and also a pointer to a "user cookie", meaning a pointer to a structure provided by the user during the creation of the pcpp::TcpReassembly instance. The end connection callback also provides the reason for closing it ("naturally" or manually).
Basic Usage and APIs:
Additional information: When the connection is closed the information is not being deleted from memory immediately. There is a delay between these moments. Existence of this delay is caused by two reasons:
The struct pcpp::TcpReassemblyConfiguration allows to setup the parameters of cleanup. Following parameters are supported: