TSDuck v3.40-4033
MPEG Transport Stream Toolkit
Loading...
Searching...
No Matches
ts::PcapStream Class Reference

Read a TCP/IP session from a pcap or pcapng file. More...

#include <tsPcapStream.h>

Inheritance diagram for ts::PcapStream:
Collaboration diagram for ts::PcapStream:

Public Member Functions

 PcapStream ()=default
 Default constructor.
 
bool addressFilterIsSet () const
 Check if the address filter is precisely set.
 
const IPSocketAddressclientPeer () const
 Get the address of the client peer.
 
virtual void close ()
 Close the file.
 
void defineArgs (Args &args)
 Add command line option definitions in an Args.
 
const IPSocketAddressdestinationFilter () const
 Get the current destination filter.
 
bool endOfFile () const
 Check if the end of file (or other error) has been reached.
 
bool endOfSession (Report &report)
 Check if the TCP session is fully terminated on both sides.
 
bool endOfStream (const IPSocketAddress &source, Report &report)
 Check if the next data to read is at end of TCP session.
 
fs::path fileName () const
 Get the file name.
 
uint64_t fileSize () const
 Get the total file size in bytes so far.
 
cn::microseconds firstTimestamp () const
 Get the capture timestamp of the first packet in the file.
 
uint64_t ipPacketCount () const
 Get the number of valid captured IP packets so far.
 
bool isOpen () const
 Check if the file is open.
 
cn::microseconds lastTimestamp () const
 Get the capture timestamp of the last packet which was read from the file.
 
bool loadArgs (DuckContext &duck, Args &args)
 Load arguments from command line.
 
size_t maxReassemblyQueueSize () const
 Get the maximum number of queued data blocks to reassemble TCP streams.
 
bool nextSession (Report &report)
 Skip the end of the current TCP session and prepare for next session.
 
virtual bool open (const fs::path &filename, Report &report) override
 Open the file for read.
 
const IPSocketAddressotherFilter (const IPSocketAddress &addr) const
 Get the "other" filter (source or destination) based on the other one.
 
uint64_t packetCount () const
 Get the number of captured packets so far.
 
virtual bool readIP (IPPacket &packet, VLANIdStack &vlans, cn::microseconds &timestamp, Report &report) override
 Read the next IP packet, IPv4 or IPv6, headers included.
 
bool readTCP (IPSocketAddress &source, ByteBlock &data, size_t &size, cn::microseconds &timestamp, Report &report)
 Read data from the TCP session either in one specific direction or any direction.
 
const IPSocketAddressserverPeer () const
 Get the address of the server peer.
 
virtual void setBidirectionalFilter (const IPSocketAddress &addr1, const IPSocketAddress &addr2) override
 Set a bidirectional address filter.
 
void setFirstPacketFilter (size_t count)
 Filter packets starting at the specified number.
 
void setFirstTimeOffset (cn::microseconds time)
 Filter packets starting at the specified time offset from the beginning of the file.
 
void setFirstTimestamp (cn::microseconds time)
 Filter packets starting at the specified timestamp.
 
void setLastPacketFilter (size_t count)
 Filter packets up to the specified number.
 
void setLastTimeOffset (cn::microseconds time)
 Filter packets up to the specified time offset from the beginning of the file.
 
void setLastTimestamp (cn::microseconds time)
 Filter packets up to the specified timestamp.
 
void setReportAddressesFilterSeverity (int level)
 Specify the severity to report the filtered addresses once (in non-wildcard mode).
 
const IPSocketAddresssourceFilter () const
 Get the current source filter.
 
bool startOfStream (const IPSocketAddress &source, Report &report)
 Check if the next data to read is at start of TCP session.
 
bool startOfStream (Report &report)
 Check if the next data to read is at start of TCP session.
 
cn::microseconds timeOffset (cn::microseconds timestamp) const
 Compute the time offset from the beginning of the file of a packet timestamp.
 
uint64_t totalIPPacketsSize () const
 Get the total size in bytes of valid captured IP packets so far.
 
uint64_t totalPacketsSize () const
 Get the total size in bytes of captured packets so far.
 

Static Public Member Functions

static Time ToTime (cn::microseconds timestamp)
 Compute the date and time from a packet timestamp.
 

Detailed Description

Read a TCP/IP session from a pcap or pcapng file.

A TCP session uses two continuous streams, one in each direction, between two socket addresses.

Filtering a specified TCP stream shall be set using setBidirectionalFilter(). If not set, the first TCP packet defines the TCP session to follow.

Setting a new filter clears the current state of the previous filter but does not change the current position inside the pcap file. If any IPv4 address or TCP port is unspecified in filtered addresses, then the first TCP/IP packet matching the specified fields is used to determine the unspecified field.

Once the peers are defined, either because they were fully specified using setBidirectionalFilter() or the first packet resolved them, use sourceFilter() and destinationFilter() to get the peers addresses. In that case, "source" and "destination" are interchangeable since a TCP session is bidirectional.

Use addressFilterIsSet() to check if the peers are fully specified.

Some effort is made to reassemble repeated or re-ordered TCP packets. Fragmented IP packets are ignored. It is not possible to rebuild a TCP session with fragmented packets.

Member Function Documentation

◆ clientPeer()

const IPSocketAddress & ts::PcapStream::clientPeer ( ) const
inline

Get the address of the client peer.

Returns
A constant reference to the client socket address if the client is known, no addres/port if the client is unknown. When the pcap capture starts when the TCP connection is already established, the SYN/ACK sequence is not present and we do not know which peer is the client.

◆ serverPeer()

const IPSocketAddress & ts::PcapStream::serverPeer ( ) const
inline

Get the address of the server peer.

Returns
A constant reference to the server socket address if the server is known, no addres/port if the server is unknown. When the pcap capture starts when the TCP connection is already established, the SYN/ACK sequence is not present and we do not know which peer is the client.

◆ readTCP()

bool ts::PcapStream::readTCP ( IPSocketAddress source,
ByteBlock data,
size_t &  size,
cn::microseconds &  timestamp,
Report report 
)

Read data from the TCP session either in one specific direction or any direction.

Reading stops at end of TCP session or end of pcap file. To move to next TCP session, use nextSession().

Parameters
[in,out]sourceSource address of the TCP stream to extract data from. If, on input, the value is unset (no address, no port), then data from any direction are read. On output, source contains the address of the peer from which data were read.
[in,out]dataByte block into which data is read. The byte block is not reinitialized, input data are appended to it.
[in,out]sizeOn input, this is the data size to read in bytes. In absence of error, that exact number of bytes is read. Reading can stop earlier in case of end of TCP stream or end of pcap file. On output, it contains the actual number of read bytes.
[out]timestampCapture timestamp in microseconds since Unix epoch or -1 if none is available. If the data has been reassembled from several IP packets, this is the timestamp of the last part.
[in,out]reportWhere to report errors.
Returns
True on success, false on error or end of file.

◆ startOfStream() [1/2]

bool ts::PcapStream::startOfStream ( Report report)

Check if the next data to read is at start of TCP session.

Parameters
[in,out]reportWhere to report errors.
Returns
True on success and if the next data to read is at start of TCP session, false otherwise.

◆ startOfStream() [2/2]

bool ts::PcapStream::startOfStream ( const IPSocketAddress source,
Report report 
)

Check if the next data to read is at start of TCP session.

Parameters
[in]sourceSource address of the TCP stream. It must match one of the peers of the TCP session.
[in,out]reportWhere to report errors.
Returns
True on success and if the next data to read is at start of TCP session, false otherwise.

◆ endOfStream()

bool ts::PcapStream::endOfStream ( const IPSocketAddress source,
Report report 
)

Check if the next data to read is at end of TCP session.

Parameters
[in]sourceSource address of the TCP stream. It must match one of the peers of the TCP session.
[in,out]reportWhere to report errors.
Returns
True if the next data to read is at end of TCP session or on error, false otherwise.

◆ endOfSession()

bool ts::PcapStream::endOfSession ( Report report)
inline

Check if the TCP session is fully terminated on both sides.

Parameters
[in,out]reportWhere to report errors.
Returns
True if the TCP session is fully terminated on both sides or on error, false otherwise.

◆ nextSession()

bool ts::PcapStream::nextSession ( Report report)

Skip the end of the current TCP session and prepare for next session.

Parameters
[in,out]reportWhere to report errors.
Returns
True on success, false on error or end of file before an explicit end of current session.

◆ maxReassemblyQueueSize()

size_t ts::PcapStream::maxReassemblyQueueSize ( ) const
inline

Get the maximum number of queued data blocks to reassemble TCP streams.

This value gives an idea of how packets were reordered during transmission.

Returns
The maximum number of queued data blocks to reassemble TCP streams.

◆ open()

virtual bool ts::PcapStream::open ( const fs::path &  filename,
Report report 
)
overridevirtual

Open the file for read.

Parameters
[in]filenameFile name. If empty or "-", use standard input.
[in,out]reportWhere to report errors.
Returns
True on success, false on error.

Reimplemented from ts::PcapFilter.

◆ setBidirectionalFilter()

virtual void ts::PcapStream::setBidirectionalFilter ( const IPSocketAddress addr1,
const IPSocketAddress addr2 
)
overridevirtual

Set a bidirectional address filter.

Select packets where the source and destination addresses match the pair of filtered address, in any direction.

Parameters
[in]addr1First address to filter, either source or destination. The port is meaningful only with TCP and UDP.
[in]addr2Second address to filter, either source or destination. The port is meaningful only with TCP and UDP.
See also
setWildcardFilter()

Reimplemented from ts::PcapFilter.

◆ setFirstPacketFilter()

void ts::PcapFilter::setFirstPacketFilter ( size_t  count)
inlineinherited

Filter packets starting at the specified number.

The packet numbering counts all captured packets from the beginning of the file, starting at 1. This is the same value as seen on Wireshark in the leftmost column.

Parameters
[in]countNumber of first captured packet to read.

◆ setLastPacketFilter()

void ts::PcapFilter::setLastPacketFilter ( size_t  count)
inlineinherited

Filter packets up to the specified number.

The packet numbering counts all captured packets from the beginning of the file, starting at 1. This is the same value as seen on Wireshark in the leftmost column.

Parameters
[in]countNumber of last captured packet to read.

◆ setFirstTimeOffset()

void ts::PcapFilter::setFirstTimeOffset ( cn::microseconds  time)
inlineinherited

Filter packets starting at the specified time offset from the beginning of the file.

This is the same value as seen on Wireshark in the "Time" column (in seconds).

Parameters
[in]timeFirst time offset in microseconds from the beginning of the capture.

◆ setLastTimeOffset()

void ts::PcapFilter::setLastTimeOffset ( cn::microseconds  time)
inlineinherited

Filter packets up to the specified time offset from the beginning of the file.

This is the same value as seen on Wireshark in the "Time" column (in seconds).

Parameters
[in]timeLast time offset in microseconds from the beginning of the capture.

◆ setFirstTimestamp()

void ts::PcapFilter::setFirstTimestamp ( cn::microseconds  time)
inlineinherited

Filter packets starting at the specified timestamp.

Parameters
[in]timeFirst timestamp, in microseconds from the UNIX epoch.
See also
ts::Time::UnixEpoch

◆ setLastTimestamp()

void ts::PcapFilter::setLastTimestamp ( cn::microseconds  time)
inlineinherited

Filter packets up to the specified timestamp.

Parameters
[in]timeLast timestamp, in microseconds from the UNIX epoch.
See also
ts::Time::UnixEpoch

◆ sourceFilter()

const IPSocketAddress & ts::PcapFilter::sourceFilter ( ) const
inlineinherited

Get the current source filter.

In the case of non-wildcard filtering, after returning the first packet, this is the actual socket address of the filtered stream.

In the case of bidirectional filtering (for instance a TCP session), there is no real "source" or "destination". They are the two endpoints of the stream.

Returns
A constant reference to the current source filter.
See also
setWildcardFilter()

◆ destinationFilter()

const IPSocketAddress & ts::PcapFilter::destinationFilter ( ) const
inlineinherited

Get the current destination filter.

In the case of non-wildcard filtering, after returning the first packet, this is the actual socket address of the filtered stream.

In the case of bidirectional filtering (for instance a TCP session), there is no real "source" or "destination". They are the two endpoints of the stream.

Returns
A constant reference to the current source filter.
See also
setWildcardFilter()

◆ addressFilterIsSet()

bool ts::PcapFilter::addressFilterIsSet ( ) const
inherited

Check if the address filter is precisely set.

Using address filtering, some addresses or port may be unspecified, acting as a wildcard. In non-wildcard mode, the first packet matching this wildcard is selected and the corresponding stream is then exclusively filtered. At this point, the filter is precisely set.

Returns
True if the address filter is precisely set.

◆ otherFilter()

const IPSocketAddress & ts::PcapFilter::otherFilter ( const IPSocketAddress addr) const
inherited

Get the "other" filter (source or destination) based on the other one.

Parameters
[in]addrA socket address, typically matching the source or destination filter.
Returns
A constant reference to the other filter. If addr matches neither the source nor the destination filter, return an empty socket address.

◆ setReportAddressesFilterSeverity()

void ts::PcapFilter::setReportAddressesFilterSeverity ( int  level)
inlineinherited

Specify the severity to report the filtered addresses once (in non-wildcard mode).

In non-wildcard mode, when the filtered addresses contain non-specified fields, the first packet which matches the filters define the stream. At this point, the selected stream is displayed (in debug mode by default). This function redefines the severity level (info or verbose for instance).

Parameters
[in]levelSeverity level to use.

◆ defineArgs()

void ts::PcapFilter::defineArgs ( Args args)
inherited

Add command line option definitions in an Args.

Parameters
[in,out]argsCommand line arguments to update.

◆ loadArgs()

bool ts::PcapFilter::loadArgs ( DuckContext duck,
Args args 
)
inherited

Load arguments from command line.

Args error indicator is set in case of incorrect arguments.

Parameters
[in,out]duckTSDuck execution context.
[in,out]argsCommand line arguments.
Returns
True on success, false on error in argument line.

◆ readIP()

virtual bool ts::PcapFilter::readIP ( IPPacket packet,
VLANIdStack vlans,
cn::microseconds &  timestamp,
Report report 
)
overridevirtualinherited

Read the next IP packet, IPv4 or IPv6, headers included.

Skip intermediate metadata and other types of packets.

Parameters
[out]packetReceived IP packet.
[out]vlansStack of VLAN encapsulation from which the packet is extracted.
[out]timestampCapture timestamp in microseconds since Unix epoch or -1 if none is available.
[in,out]reportWhere to report error.
Returns
True on success, false on error.

Reimplemented from ts::PcapFile.

◆ isOpen()

bool ts::PcapFile::isOpen ( ) const
inlineinherited

Check if the file is open.

Returns
True if the file is open, false otherwise.

◆ fileName()

fs::path ts::PcapFile::fileName ( ) const
inlineinherited

Get the file name.

Returns
The file name as specified in open(). If the standard input is used, return "standard input".

◆ packetCount()

uint64_t ts::PcapFile::packetCount ( ) const
inlineinherited

Get the number of captured packets so far.

This includes all packets, not only IP packets. This value is the number of the last returned packet, as seen in the left-most column in Wireshark interface.

Returns
The number of captured packets so far.

◆ endOfFile()

bool ts::PcapFile::endOfFile ( ) const
inlineinherited

Check if the end of file (or other error) has been reached.

Returns
True on end of file or error.

◆ ipPacketCount()

uint64_t ts::PcapFile::ipPacketCount ( ) const
inlineinherited

Get the number of valid captured IP packets so far.

Returns
The number of valid captured IP packets so far.

◆ fileSize()

uint64_t ts::PcapFile::fileSize ( ) const
inlineinherited

Get the total file size in bytes so far.

Returns
The total file size in bytes so far.

◆ totalPacketsSize()

uint64_t ts::PcapFile::totalPacketsSize ( ) const
inlineinherited

Get the total size in bytes of captured packets so far.

This includes all packets, including link-layer headers when present.

Returns
The total size in bytes of captured packets so far.

◆ totalIPPacketsSize()

uint64_t ts::PcapFile::totalIPPacketsSize ( ) const
inlineinherited

Get the total size in bytes of valid captured IP packets so far.

This includes all IP headers but not link-layer headers when present.

Returns
The total size in bytes of valid captured IP packets so far.

◆ firstTimestamp()

cn::microseconds ts::PcapFile::firstTimestamp ( ) const
inlineinherited

Get the capture timestamp of the first packet in the file.

Returns
Capture timestamp in microseconds since Unix epoch or -1 if none is available.

◆ lastTimestamp()

cn::microseconds ts::PcapFile::lastTimestamp ( ) const
inlineinherited

Get the capture timestamp of the last packet which was read from the file.

Returns
Capture timestamp in microseconds since Unix epoch or -1 if none is available.

◆ timeOffset()

cn::microseconds ts::PcapFile::timeOffset ( cn::microseconds  timestamp) const
inlineinherited

Compute the time offset from the beginning of the file of a packet timestamp.

Parameters
[in]timestampCapture timestamp of a packet in the file.
Returns
Time offset in microseconds of the packet from the beginning of the file.

◆ ToTime()

static Time ts::PcapFile::ToTime ( cn::microseconds  timestamp)
inlinestaticinherited

Compute the date and time from a packet timestamp.

Parameters
[in]timestampCapture timestamp of a packet in a file.
Returns
Corresponding date or Epoch in case of error.

◆ close()

virtual void ts::PcapFile::close ( )
virtualinherited

Close the file.

Do not reset counters, file names, etc. The last values before close() are still accessible.


The documentation for this class was generated from the following file: