PcapPlusPlus  Next
TcpReassembly.h
Go to the documentation of this file.
1 #pragma once
2 
3 #include "Packet.h"
4 #include "IpAddress.h"
5 #include "PointerVector.h"
6 #include <unordered_map>
7 #include <chrono>
8 #include <map>
9 #include <list>
10 #include <time.h>
11 
84 
87 namespace pcpp
88 {
91  struct ConnectionData
92  {
94  IPAddress srcIP;
96  IPAddress dstIP;
98  uint16_t srcPort;
100  uint16_t dstPort;
102  uint32_t flowKey;
104  timeval startTime;
106  timeval endTime;
108  std::chrono::time_point<std::chrono::high_resolution_clock> startTimePrecise;
110  std::chrono::time_point<std::chrono::high_resolution_clock> endTimePrecise;
111 
113  ConnectionData() : srcPort(0), dstPort(0), flowKey(0), startTime(), endTime()
114  {}
115 
118  void setStartTime(const std::chrono::time_point<std::chrono::high_resolution_clock>& startTimeValue);
119 
122  void setEndTime(const std::chrono::time_point<std::chrono::high_resolution_clock>& endTimeValue);
123  };
124 
125  class TcpReassembly;
126 
131  class TcpStreamData
132  {
133  public:
140  TcpStreamData(const uint8_t* tcpData, size_t tcpDataLength, size_t missingBytes, const ConnectionData& connData,
141  std::chrono::time_point<std::chrono::high_resolution_clock> timestamp)
142  : m_Data(tcpData), m_DataLen(tcpDataLength), m_MissingBytes(missingBytes), m_Connection(connData),
143  m_Timestamp(timestamp)
144  {}
145 
148  const uint8_t* getData() const
149  {
150  return m_Data;
151  }
152 
155  size_t getDataLength() const
156  {
157  return m_DataLen;
158  }
159 
162  size_t getMissingByteCount() const
163  {
164  return m_MissingBytes;
165  }
166 
169  bool isBytesMissing() const
170  {
171  return getMissingByteCount() > 0;
172  }
173 
176  const ConnectionData& getConnectionData() const
177  {
178  return m_Connection;
179  }
180 
182  timeval getTimeStamp() const;
183 
185  std::chrono::time_point<std::chrono::high_resolution_clock> getTimeStampPrecise() const
186  {
187  return m_Timestamp;
188  }
189 
190  private:
191  const uint8_t* m_Data;
192  size_t m_DataLen;
193  size_t m_MissingBytes;
194  const ConnectionData& m_Connection;
195  std::chrono::time_point<std::chrono::high_resolution_clock> m_Timestamp;
196  };
197 
200  struct TcpReassemblyConfiguration
201  {
203  bool removeConnInfo;
204 
208  uint32_t closedConnectionDelay;
209 
213  uint32_t maxNumToClean;
214 
218  uint32_t maxOutOfOrderFragments;
219 
221  bool enableBaseBufferClearCondition;
222 
234  explicit TcpReassemblyConfiguration(bool removeConnInfo = true, uint32_t closedConnectionDelay = 5,
235  uint32_t maxNumToClean = 30, uint32_t maxOutOfOrderFragments = 0,
236  bool enableBaseBufferClearCondition = true)
237  : removeConnInfo(removeConnInfo), closedConnectionDelay(closedConnectionDelay),
238  maxNumToClean(maxNumToClean), maxOutOfOrderFragments(maxOutOfOrderFragments),
239  enableBaseBufferClearCondition(enableBaseBufferClearCondition)
240  {}
241  };
242 
246  class TcpReassembly
247  {
248  public:
250  enum ConnectionEndReason
251  {
253  TcpReassemblyConnectionClosedByFIN_RST,
255  TcpReassemblyConnectionClosedManually
256  };
257 
259  enum ReassemblyStatus
260  {
270  TcpMessageHandled,
280  OutOfOrderTcpMessageBuffered,
284  FIN_RSTWithNoData,
288  Ignore_PacketWithNoData,
289 
292 
293  Ignore_PacketOfClosedFlow,
296  Ignore_Retransimission,
299  NonIpPacket,
302  NonTcpPacket,
306  Error_PacketDoesNotMatchFlow,
307  };
308 
310  typedef std::unordered_map<uint32_t, ConnectionData> ConnectionInfoList;
311 
319  typedef void (*OnTcpMessageReady)(int8_t side, const TcpStreamData& tcpData, void* userCookie);
320 
326  typedef void (*OnTcpConnectionStart)(const ConnectionData& connectionData, void* userCookie);
327 
335  typedef void (*OnTcpConnectionEnd)(const ConnectionData& connectionData, ConnectionEndReason reason,
336  void* userCookie);
337 
348  explicit TcpReassembly(OnTcpMessageReady onMessageReadyCallback, void* userCookie = nullptr,
349  OnTcpConnectionStart onConnectionStartCallback = nullptr,
350  OnTcpConnectionEnd onConnectionEndCallback = nullptr,
351  const TcpReassemblyConfiguration& config = TcpReassemblyConfiguration());
352 
359  ReassemblyStatus reassemblePacket(Packet& tcpData);
360 
367  ReassemblyStatus reassemblePacket(RawPacket* tcpRawData);
368 
374  void closeConnection(uint32_t flowKey);
375 
378  void closeAllConnections();
379 
383  const ConnectionInfoList& getConnectionInformation() const
384  {
385  return m_ConnectionInfo;
386  }
387 
392  int isConnectionOpen(const ConnectionData& connection) const;
393 
398  uint32_t purgeClosedConnections(uint32_t maxNumToClean = 0);
399 
400  private:
401  struct TcpFragment
402  {
403  uint32_t sequence;
404  size_t dataLength;
405  uint8_t* data;
406  std::chrono::time_point<std::chrono::high_resolution_clock> timestamp;
407 
408  TcpFragment() : sequence(0), dataLength(0), data(nullptr)
409  {}
410  ~TcpFragment()
411  {
412  delete[] data;
413  }
414  };
415 
416  struct TcpOneSideData
417  {
418  IPAddress srcIP;
419  uint16_t srcPort;
420  uint32_t sequence;
421  PointerVector<TcpFragment> tcpFragmentList;
422  bool gotFinOrRst;
423 
424  TcpOneSideData() : srcPort(0), sequence(0), gotFinOrRst(false)
425  {}
426  };
427 
428  struct TcpReassemblyData
429  {
430  bool closed;
431  int8_t numOfSides;
432  int8_t prevSide;
433  TcpOneSideData twoSides[2];
434  ConnectionData connData;
435 
436  TcpReassemblyData() : closed(false), numOfSides(0), prevSide(-1)
437  {}
438  };
439 
440  class OutOfOrderProcessingGuard
441  {
442  private:
443  bool& m_Flag;
444 
445  public:
446  explicit OutOfOrderProcessingGuard(bool& flag) : m_Flag(flag)
447  {
448  m_Flag = true;
449  }
450 
451  ~OutOfOrderProcessingGuard()
452  {
453  m_Flag = false;
454  }
455 
456  // Disable copy and move operations
457  OutOfOrderProcessingGuard(const OutOfOrderProcessingGuard&) = delete;
458  OutOfOrderProcessingGuard& operator=(const OutOfOrderProcessingGuard&) = delete;
459  };
460 
461  typedef std::unordered_map<uint32_t, TcpReassemblyData> ConnectionList;
462  typedef std::map<time_t, std::list<uint32_t>> CleanupList;
463 
464  OnTcpMessageReady m_OnMessageReadyCallback;
465  OnTcpConnectionStart m_OnConnStart;
466  OnTcpConnectionEnd m_OnConnEnd;
467  void* m_UserCookie;
468  ConnectionList m_ConnectionList;
469  ConnectionInfoList m_ConnectionInfo;
470  CleanupList m_CleanupList;
471  bool m_RemoveConnInfo;
472  uint32_t m_ClosedConnectionDelay;
473  uint32_t m_MaxNumToClean;
474  size_t m_MaxOutOfOrderFragments;
475  time_t m_PurgeTimepoint;
476  bool m_EnableBaseBufferClearCondition;
477  bool m_ProcessingOutOfOrder = false;
478 
479  void checkOutOfOrderFragments(TcpReassemblyData* tcpReassemblyData, int8_t sideIndex, bool cleanWholeFragList);
480 
481  void handleFinOrRst(TcpReassemblyData* tcpReassemblyData, int8_t sideIndex, uint32_t flowKey, bool isRst);
482 
483  void closeConnectionInternal(uint32_t flowKey, ConnectionEndReason reason);
484 
485  void insertIntoCleanupList(uint32_t flowKey);
486  };
487 
488 } // namespace pcpp
pcpp::IPAddress
Definition: IpAddress.h:276
pcpp::Packet
Definition: Packet.h:22
pcpp::RawPacket
Definition: RawPacket.h:259
pcpp::TcpReassembly
Definition: TcpReassembly.h:247
pcpp::TcpReassembly::reassemblePacket
ReassemblyStatus reassemblePacket(RawPacket *tcpRawData)
pcpp::TcpReassembly::isConnectionOpen
int isConnectionOpen(const ConnectionData &connection) const
pcpp::TcpReassembly::TcpReassembly
TcpReassembly(OnTcpMessageReady onMessageReadyCallback, void *userCookie=nullptr, OnTcpConnectionStart onConnectionStartCallback=nullptr, OnTcpConnectionEnd onConnectionEndCallback=nullptr, const TcpReassemblyConfiguration &config=TcpReassemblyConfiguration())
pcpp::TcpReassembly::ReassemblyStatus
ReassemblyStatus
An enum for providing reassembly status for each processed packet.
Definition: TcpReassembly.h:260
pcpp::TcpReassembly::NonIpPacket
@ NonIpPacket
Definition: TcpReassembly.h:299
pcpp::TcpReassembly::FIN_RSTWithNoData
@ FIN_RSTWithNoData
Definition: TcpReassembly.h:284
pcpp::TcpReassembly::Error_PacketDoesNotMatchFlow
@ Error_PacketDoesNotMatchFlow
Definition: TcpReassembly.h:306
pcpp::TcpReassembly::Ignore_PacketOfClosedFlow
@ Ignore_PacketOfClosedFlow
Definition: TcpReassembly.h:293
pcpp::TcpReassembly::NonTcpPacket
@ NonTcpPacket
Definition: TcpReassembly.h:302
pcpp::TcpReassembly::Ignore_Retransimission
@ Ignore_Retransimission
Definition: TcpReassembly.h:296
pcpp::TcpReassembly::TcpMessageHandled
@ TcpMessageHandled
Definition: TcpReassembly.h:270
pcpp::TcpReassembly::OutOfOrderTcpMessageBuffered
@ OutOfOrderTcpMessageBuffered
Definition: TcpReassembly.h:280
pcpp::TcpReassembly::Ignore_PacketWithNoData
@ Ignore_PacketWithNoData
Definition: TcpReassembly.h:288
pcpp::TcpReassembly::getConnectionInformation
const ConnectionInfoList & getConnectionInformation() const
Definition: TcpReassembly.h:383
pcpp::TcpReassembly::OnTcpConnectionStart
void(* OnTcpConnectionStart)(const ConnectionData &connectionData, void *userCookie)
Definition: TcpReassembly.h:326
pcpp::TcpReassembly::purgeClosedConnections
uint32_t purgeClosedConnections(uint32_t maxNumToClean=0)
pcpp::TcpReassembly::reassemblePacket
ReassemblyStatus reassemblePacket(Packet &tcpData)
pcpp::TcpReassembly::ConnectionInfoList
std::unordered_map< uint32_t, ConnectionData > ConnectionInfoList
The type for storing the connection information.
Definition: TcpReassembly.h:310
pcpp::TcpReassembly::OnTcpMessageReady
void(* OnTcpMessageReady)(int8_t side, const TcpStreamData &tcpData, void *userCookie)
Definition: TcpReassembly.h:319
pcpp::TcpReassembly::closeConnection
void closeConnection(uint32_t flowKey)
pcpp::TcpReassembly::ConnectionEndReason
ConnectionEndReason
An enum for connection end reasons.
Definition: TcpReassembly.h:251
pcpp::TcpReassembly::TcpReassemblyConnectionClosedByFIN_RST
@ TcpReassemblyConnectionClosedByFIN_RST
Connection ended because of FIN or RST packet.
Definition: TcpReassembly.h:253
pcpp::TcpReassembly::TcpReassemblyConnectionClosedManually
@ TcpReassemblyConnectionClosedManually
Connection ended manually by the user.
Definition: TcpReassembly.h:255
pcpp::TcpReassembly::OnTcpConnectionEnd
void(* OnTcpConnectionEnd)(const ConnectionData &connectionData, ConnectionEndReason reason, void *userCookie)
Definition: TcpReassembly.h:335
pcpp::TcpStreamData
Definition: TcpReassembly.h:132
pcpp::TcpStreamData::isBytesMissing
bool isBytesMissing() const
Definition: TcpReassembly.h:169
pcpp::TcpStreamData::getDataLength
size_t getDataLength() const
Definition: TcpReassembly.h:155
pcpp::TcpStreamData::getTimeStamp
timeval getTimeStamp() const
pcpp::TcpStreamData::getMissingByteCount
size_t getMissingByteCount() const
Definition: TcpReassembly.h:162
pcpp::TcpStreamData::TcpStreamData
TcpStreamData(const uint8_t *tcpData, size_t tcpDataLength, size_t missingBytes, const ConnectionData &connData, std::chrono::time_point< std::chrono::high_resolution_clock > timestamp)
Definition: TcpReassembly.h:140
pcpp::TcpStreamData::getTimeStampPrecise
std::chrono::time_point< std::chrono::high_resolution_clock > getTimeStampPrecise() const
Definition: TcpReassembly.h:185
pcpp::TcpStreamData::getData
const uint8_t * getData() const
Definition: TcpReassembly.h:148
pcpp::TcpStreamData::getConnectionData
const ConnectionData & getConnectionData() const
Definition: TcpReassembly.h:176
pcpp
The main namespace for the PcapPlusPlus lib.
pcpp::ConnectionData
Definition: TcpReassembly.h:92
pcpp::ConnectionData::srcIP
IPAddress srcIP
Source IP address.
Definition: TcpReassembly.h:94
pcpp::ConnectionData::dstIP
IPAddress dstIP
Destination IP address.
Definition: TcpReassembly.h:96
pcpp::ConnectionData::startTimePrecise
std::chrono::time_point< std::chrono::high_resolution_clock > startTimePrecise
Start timestamp of the connection with nanosecond precision.
Definition: TcpReassembly.h:108
pcpp::ConnectionData::endTime
timeval endTime
End timestamp of the connection with microsecond precision.
Definition: TcpReassembly.h:106
pcpp::ConnectionData::startTime
timeval startTime
Start timestamp of the connection with microsecond precision.
Definition: TcpReassembly.h:104
pcpp::ConnectionData::setStartTime
void setStartTime(const std::chrono::time_point< std::chrono::high_resolution_clock > &startTimeValue)
pcpp::ConnectionData::endTimePrecise
std::chrono::time_point< std::chrono::high_resolution_clock > endTimePrecise
End timestamp of the connection with nanosecond precision.
Definition: TcpReassembly.h:110
pcpp::ConnectionData::dstPort
uint16_t dstPort
Destination TCP/UDP port.
Definition: TcpReassembly.h:100
pcpp::ConnectionData::srcPort
uint16_t srcPort
Source TCP/UDP port.
Definition: TcpReassembly.h:98
pcpp::ConnectionData::ConnectionData
ConnectionData()
A c'tor for this struct that basically zeros all members.
Definition: TcpReassembly.h:113
pcpp::ConnectionData::flowKey
uint32_t flowKey
A 4-byte hash key representing the connection.
Definition: TcpReassembly.h:102
pcpp::ConnectionData::setEndTime
void setEndTime(const std::chrono::time_point< std::chrono::high_resolution_clock > &endTimeValue)
pcpp::TcpReassemblyConfiguration
Definition: TcpReassembly.h:201
pcpp::TcpReassemblyConfiguration::closedConnectionDelay
uint32_t closedConnectionDelay
Definition: TcpReassembly.h:208
pcpp::TcpReassemblyConfiguration::maxNumToClean
uint32_t maxNumToClean
Definition: TcpReassembly.h:213
pcpp::TcpReassemblyConfiguration::maxOutOfOrderFragments
uint32_t maxOutOfOrderFragments
Definition: TcpReassembly.h:218
pcpp::TcpReassemblyConfiguration::TcpReassemblyConfiguration
TcpReassemblyConfiguration(bool removeConnInfo=true, uint32_t closedConnectionDelay=5, uint32_t maxNumToClean=30, uint32_t maxOutOfOrderFragments=0, bool enableBaseBufferClearCondition=true)
Definition: TcpReassembly.h:234
pcpp::TcpReassemblyConfiguration::enableBaseBufferClearCondition
bool enableBaseBufferClearCondition
To enable to clear buffer once packet contains data from a different side than the side seen before.
Definition: TcpReassembly.h:221
pcpp::TcpReassemblyConfiguration::removeConnInfo
bool removeConnInfo
The flag indicating whether to remove the connection data after a connection is closed.
Definition: TcpReassembly.h:203