TSDuck v3.40-4033
MPEG Transport Stream Toolkit
|
Read a TCP/IP session from a pcap or pcapng file. More...
#include <tsPcapStream.h>
Public Member Functions | |
PcapStream ()=default | |
Default constructor. | |
bool | addressFilterIsSet () const |
Check if the address filter is precisely set. | |
const IPSocketAddress & | clientPeer () const |
Get the address of the client peer. | |
virtual void | close () |
Close the file. | |
void | defineArgs (Args &args) |
Add command line option definitions in an Args. | |
const IPSocketAddress & | destinationFilter () const |
Get the current destination filter. | |
bool | endOfFile () const |
Check if the end of file (or other error) has been reached. | |
bool | endOfSession (Report &report) |
Check if the TCP session is fully terminated on both sides. | |
bool | endOfStream (const IPSocketAddress &source, Report &report) |
Check if the next data to read is at end of TCP session. | |
fs::path | fileName () const |
Get the file name. | |
uint64_t | fileSize () const |
Get the total file size in bytes so far. | |
cn::microseconds | firstTimestamp () const |
Get the capture timestamp of the first packet in the file. | |
uint64_t | ipPacketCount () const |
Get the number of valid captured IP packets so far. | |
bool | isOpen () const |
Check if the file is open. | |
cn::microseconds | lastTimestamp () const |
Get the capture timestamp of the last packet which was read from the file. | |
bool | loadArgs (DuckContext &duck, Args &args) |
Load arguments from command line. | |
size_t | maxReassemblyQueueSize () const |
Get the maximum number of queued data blocks to reassemble TCP streams. | |
bool | nextSession (Report &report) |
Skip the end of the current TCP session and prepare for next session. | |
virtual bool | open (const fs::path &filename, Report &report) override |
Open the file for read. | |
const IPSocketAddress & | otherFilter (const IPSocketAddress &addr) const |
Get the "other" filter (source or destination) based on the other one. | |
uint64_t | packetCount () const |
Get the number of captured packets so far. | |
virtual bool | readIP (IPPacket &packet, VLANIdStack &vlans, cn::microseconds ×tamp, Report &report) override |
Read the next IP packet, IPv4 or IPv6, headers included. | |
bool | readTCP (IPSocketAddress &source, ByteBlock &data, size_t &size, cn::microseconds ×tamp, Report &report) |
Read data from the TCP session either in one specific direction or any direction. | |
const IPSocketAddress & | serverPeer () const |
Get the address of the server peer. | |
virtual void | setBidirectionalFilter (const IPSocketAddress &addr1, const IPSocketAddress &addr2) override |
Set a bidirectional address filter. | |
void | setFirstPacketFilter (size_t count) |
Filter packets starting at the specified number. | |
void | setFirstTimeOffset (cn::microseconds time) |
Filter packets starting at the specified time offset from the beginning of the file. | |
void | setFirstTimestamp (cn::microseconds time) |
Filter packets starting at the specified timestamp. | |
void | setLastPacketFilter (size_t count) |
Filter packets up to the specified number. | |
void | setLastTimeOffset (cn::microseconds time) |
Filter packets up to the specified time offset from the beginning of the file. | |
void | setLastTimestamp (cn::microseconds time) |
Filter packets up to the specified timestamp. | |
void | setReportAddressesFilterSeverity (int level) |
Specify the severity to report the filtered addresses once (in non-wildcard mode). | |
const IPSocketAddress & | sourceFilter () const |
Get the current source filter. | |
bool | startOfStream (const IPSocketAddress &source, Report &report) |
Check if the next data to read is at start of TCP session. | |
bool | startOfStream (Report &report) |
Check if the next data to read is at start of TCP session. | |
cn::microseconds | timeOffset (cn::microseconds timestamp) const |
Compute the time offset from the beginning of the file of a packet timestamp. | |
uint64_t | totalIPPacketsSize () const |
Get the total size in bytes of valid captured IP packets so far. | |
uint64_t | totalPacketsSize () const |
Get the total size in bytes of captured packets so far. | |
Static Public Member Functions | |
static Time | ToTime (cn::microseconds timestamp) |
Compute the date and time from a packet timestamp. | |
Read a TCP/IP session from a pcap or pcapng file.
A TCP session uses two continuous streams, one in each direction, between two socket addresses.
Filtering a specified TCP stream shall be set using setBidirectionalFilter(). If not set, the first TCP packet defines the TCP session to follow.
Setting a new filter clears the current state of the previous filter but does not change the current position inside the pcap file. If any IPv4 address or TCP port is unspecified in filtered addresses, then the first TCP/IP packet matching the specified fields is used to determine the unspecified field.
Once the peers are defined, either because they were fully specified using setBidirectionalFilter() or the first packet resolved them, use sourceFilter() and destinationFilter() to get the peers addresses. In that case, "source" and "destination" are interchangeable since a TCP session is bidirectional.
Use addressFilterIsSet() to check if the peers are fully specified.
Some effort is made to reassemble repeated or re-ordered TCP packets. Fragmented IP packets are ignored. It is not possible to rebuild a TCP session with fragmented packets.
|
inline |
Get the address of the client peer.
|
inline |
Get the address of the server peer.
bool ts::PcapStream::readTCP | ( | IPSocketAddress & | source, |
ByteBlock & | data, | ||
size_t & | size, | ||
cn::microseconds & | timestamp, | ||
Report & | report | ||
) |
Read data from the TCP session either in one specific direction or any direction.
Reading stops at end of TCP session or end of pcap file. To move to next TCP session, use nextSession().
[in,out] | source | Source address of the TCP stream to extract data from. If, on input, the value is unset (no address, no port), then data from any direction are read. On output, source contains the address of the peer from which data were read. |
[in,out] | data | Byte block into which data is read. The byte block is not reinitialized, input data are appended to it. |
[in,out] | size | On input, this is the data size to read in bytes. In absence of error, that exact number of bytes is read. Reading can stop earlier in case of end of TCP stream or end of pcap file. On output, it contains the actual number of read bytes. |
[out] | timestamp | Capture timestamp in microseconds since Unix epoch or -1 if none is available. If the data has been reassembled from several IP packets, this is the timestamp of the last part. |
[in,out] | report | Where to report errors. |
bool ts::PcapStream::startOfStream | ( | Report & | report | ) |
Check if the next data to read is at start of TCP session.
[in,out] | report | Where to report errors. |
bool ts::PcapStream::startOfStream | ( | const IPSocketAddress & | source, |
Report & | report | ||
) |
Check if the next data to read is at start of TCP session.
[in] | source | Source address of the TCP stream. It must match one of the peers of the TCP session. |
[in,out] | report | Where to report errors. |
bool ts::PcapStream::endOfStream | ( | const IPSocketAddress & | source, |
Report & | report | ||
) |
Check if the next data to read is at end of TCP session.
[in] | source | Source address of the TCP stream. It must match one of the peers of the TCP session. |
[in,out] | report | Where to report errors. |
|
inline |
Check if the TCP session is fully terminated on both sides.
[in,out] | report | Where to report errors. |
bool ts::PcapStream::nextSession | ( | Report & | report | ) |
Skip the end of the current TCP session and prepare for next session.
[in,out] | report | Where to report errors. |
|
inline |
Get the maximum number of queued data blocks to reassemble TCP streams.
This value gives an idea of how packets were reordered during transmission.
|
overridevirtual |
Open the file for read.
[in] | filename | File name. If empty or "-", use standard input. |
[in,out] | report | Where to report errors. |
Reimplemented from ts::PcapFilter.
|
overridevirtual |
Set a bidirectional address filter.
Select packets where the source and destination addresses match the pair of filtered address, in any direction.
[in] | addr1 | First address to filter, either source or destination. The port is meaningful only with TCP and UDP. |
[in] | addr2 | Second address to filter, either source or destination. The port is meaningful only with TCP and UDP. |
Reimplemented from ts::PcapFilter.
|
inlineinherited |
Filter packets starting at the specified number.
The packet numbering counts all captured packets from the beginning of the file, starting at 1. This is the same value as seen on Wireshark in the leftmost column.
[in] | count | Number of first captured packet to read. |
|
inlineinherited |
Filter packets up to the specified number.
The packet numbering counts all captured packets from the beginning of the file, starting at 1. This is the same value as seen on Wireshark in the leftmost column.
[in] | count | Number of last captured packet to read. |
|
inlineinherited |
Filter packets starting at the specified time offset from the beginning of the file.
This is the same value as seen on Wireshark in the "Time" column (in seconds).
[in] | time | First time offset in microseconds from the beginning of the capture. |
|
inlineinherited |
Filter packets up to the specified time offset from the beginning of the file.
This is the same value as seen on Wireshark in the "Time" column (in seconds).
[in] | time | Last time offset in microseconds from the beginning of the capture. |
|
inlineinherited |
Filter packets starting at the specified timestamp.
[in] | time | First timestamp, in microseconds from the UNIX epoch. |
|
inlineinherited |
Filter packets up to the specified timestamp.
[in] | time | Last timestamp, in microseconds from the UNIX epoch. |
|
inlineinherited |
Get the current source filter.
In the case of non-wildcard filtering, after returning the first packet, this is the actual socket address of the filtered stream.
In the case of bidirectional filtering (for instance a TCP session), there is no real "source" or "destination". They are the two endpoints of the stream.
|
inlineinherited |
Get the current destination filter.
In the case of non-wildcard filtering, after returning the first packet, this is the actual socket address of the filtered stream.
In the case of bidirectional filtering (for instance a TCP session), there is no real "source" or "destination". They are the two endpoints of the stream.
|
inherited |
Check if the address filter is precisely set.
Using address filtering, some addresses or port may be unspecified, acting as a wildcard. In non-wildcard mode, the first packet matching this wildcard is selected and the corresponding stream is then exclusively filtered. At this point, the filter is precisely set.
|
inherited |
Get the "other" filter (source or destination) based on the other one.
[in] | addr | A socket address, typically matching the source or destination filter. |
|
inlineinherited |
Specify the severity to report the filtered addresses once (in non-wildcard mode).
In non-wildcard mode, when the filtered addresses contain non-specified fields, the first packet which matches the filters define the stream. At this point, the selected stream is displayed (in debug mode by default). This function redefines the severity level (info or verbose for instance).
[in] | level | Severity level to use. |
|
inherited |
Add command line option definitions in an Args.
[in,out] | args | Command line arguments to update. |
|
inherited |
Load arguments from command line.
Args error indicator is set in case of incorrect arguments.
[in,out] | duck | TSDuck execution context. |
[in,out] | args | Command line arguments. |
|
overridevirtualinherited |
Read the next IP packet, IPv4 or IPv6, headers included.
Skip intermediate metadata and other types of packets.
[out] | packet | Received IP packet. |
[out] | vlans | Stack of VLAN encapsulation from which the packet is extracted. |
[out] | timestamp | Capture timestamp in microseconds since Unix epoch or -1 if none is available. |
[in,out] | report | Where to report error. |
Reimplemented from ts::PcapFile.
|
inlineinherited |
Check if the file is open.
|
inlineinherited |
Get the file name.
|
inlineinherited |
Get the number of captured packets so far.
This includes all packets, not only IP packets. This value is the number of the last returned packet, as seen in the left-most column in Wireshark interface.
|
inlineinherited |
Check if the end of file (or other error) has been reached.
|
inlineinherited |
Get the number of valid captured IP packets so far.
|
inlineinherited |
Get the total file size in bytes so far.
|
inlineinherited |
Get the total size in bytes of captured packets so far.
This includes all packets, including link-layer headers when present.
|
inlineinherited |
Get the total size in bytes of valid captured IP packets so far.
This includes all IP headers but not link-layer headers when present.
|
inlineinherited |
Get the capture timestamp of the first packet in the file.
|
inlineinherited |
Get the capture timestamp of the last packet which was read from the file.
|
inlineinherited |
Compute the time offset from the beginning of the file of a packet timestamp.
[in] | timestamp | Capture timestamp of a packet in the file. |
|
inlinestaticinherited |
Compute the date and time from a packet timestamp.
[in] | timestamp | Capture timestamp of a packet in a file. |
|
virtualinherited |
Close the file.
Do not reset counters, file names, etc. The last values before close() are still accessible.