Skip to content

rickyzhang82/PacketSorter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
cmake
cmake
 
 
src
src
 
 
.gitignore
.gitignore
 
 
CMakeLists.txt
CMakeLists.txt
 
 
README.md
README.md
 
 
build.sh
build.sh
 
 
clean-build.sh
clean-build.sh
 
 
mac-clean-build.sh
mac-clean-build.sh
 
 

Repository files navigation

What

This application is used for deep packet inspection research project. It collects network packets and sorts packets by TCP connection and TCP sequence number.

It requires TCP packet sorting feature from my forked PcapPlusPlus repository. The app can run on both FreeBSD and Linux. Resource leaking like memory leak and file handler leak have been checked intensively. In my research project, I ran PacketSorter in pfSense router over a month to collect packet data.

How

First, build dependency library PcapPlusPlus from my forked repository.

git clone -b my-master https://github.com/rickyzhang82/PcapPlusPlus

In FreeBSD

./configure-freebsd.sh
gmake all
sudo gmake install

In Linux

./configure-linux.sh
make all
sudo make install

Secondly, build PacketSorter application.

git clone https://github.com/rickyzhang82/PacketSorter
./clean-build.sh

Thirdly, run PacketSorter

./PacketSorter -h

Usage:
------
PacketSorter [-hvlcms] [-r input_file] [-i interface] [-o output_dir] [-e bpf_filter] [-f max_files]

Options:

    -r input_file : Input pcap/pcapng file to analyze. Required argument for reading from file
    -i interface  : Use the specified interface. Can be interface name (e.g eth0) or interface IPv4 address. Required argument for capturing from live interface
    -o output_dir : Specify output directory (default is '.')
    -e bpf_filter : Apply a BPF filter to capture file or live interface, meaning TCP sorter will only work on filtered packets
    -f max_files  : Maximum number of file descriptors to use (default: 500)
    -p max_packet : Maximum number of captured packets from both sides in each TCP connection (default: 0 = unlimited)
    -t time_out   : Maximum idle timeout in seconds for inactive TCP connection (default: 180. The value 0 = unlimited)
    -n max_scan   : Maximum number of inactive TCP connection scan in each batch (default: 100. The value 0 = scan all)
    -d clean_prd  : Time period in seconds to trigger clean up inactive TCP connection (default: 60)
    -g max_slt    : Maximum sgement lifetime. In TIME_WAIT state, TCP state machine wait for twice the MSS until transist to closed state. (default: 60)
    -x            : Exclude empty TCP packet (default: false)
    -s            : Write each side of each connection to a separate file (default is writing both sides of each connection to the same file)
    -l            : Print the list of interfaces and exit
    -v            : Displays the current version and exists
    -h            : Display this help message and exit

For example, in my research project I need to capture first 16th non-empty TCP payload packets from TCP connection. I use the following options:

/root/bin/PacketSorter -i re0 -o /root/tcpsorter -x -p 16 > /root/tcpsorter/run.log 2>&1

About

TCP packet sorter

Topics

tcp sort packet-capture pcapplusplus

Resources

Readme
Activity

Stars

8 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages