Source code for pathspider.chains.tcp

.. module:: pathspider.chains.tcp
   :synopsis: A flow observer chain for basic TCP behaviour, TCP options
              parser and useful TCP related constants

This module contains the TCPChain flow analysis chain which can be used by
PATHspider's Observer for recording basic TCP [RFC793]_ behaviour details. This
module also contains a helper function that may be used by chains for the
parsing of TCP options and a number of useful TCP related constants that can be
used to interpret the results added to flow records by TCPChain.

.. codeauthor:: Iain R. Learmonth <>
.. codeauthor:: Piet De Vaere <>


from pathspider.chains.base import Chain

#: TCP Flag - CWR
TCP_CWR = 0x80
#: TCP Flag - ECE
TCP_ECE = 0x40
#: TCP Flag - URG
TCP_URG = 0x20
#: TCP Flag - ACK
TCP_ACK = 0x10
#: TCP Flag - PSH
TCP_PSH = 0x08
#: TCP Flag - RST
TCP_RST = 0x04
#: TCP Flag - SYN
TCP_SYN = 0x02
#: TCP Flag - FIN
TCP_FIN = 0x01

#: TCP Flags - SYN and ACK
#: TCP Flags - SYN, ACK and ECE
#: TCP Flags - SYN, ACK, ECE and CWR
#: TCP Flags - SYN, ACK, ECE

#: TCP Option - End of options list
TO_EOL = 0
#: TCP Option - No Operation
TO_NOP = 1
#: TCP Option - Maximum Segment Size
TO_MSS = 2
#: TCP Option - Window Scaling
TO_WS = 3
#: TCP Option - Selective Acknowledgement Permitted
#: TCP Option - Selective Acknowledgement
#: TCP Option - Timestamp
TO_TS = 8
#: TCP Option - Multipath TCP
#: TCP Option - TCP Fast Open Cookie
#: TCP Option - Experimental Option A
TO_EXPA = 254
#: TCP Option - Experimental Option B
TO_EXPB = 255
#: TCP Option Experiment ID - TCP Fast Open
TO_EXID_FASTOPEN = (0xF9, 0x89)

[docs]def tcp_options(tcp): """ Parses and extracts TCP options from a python-libtrace TCP object. .. warning:: This is a pure Python implementation of a TCP options parser and does not benefit from the speed advantage generally realised by calling to libtrace functions written in C through python-libtrace. :param tcp: The TCP header to extract options from :type tcp: plt.tcp :returns: A mapping of option kinds to values :rtype: dict """ optbytes =[20:tcp.doff*4] opthash = {} # parse options in place cp = 0 ncp = 0 while cp < len(optbytes): # skip NOP if optbytes[cp] == TO_NOP: cp += 1 continue # die on EOL if optbytes[cp] == TO_EOL: break # parse options length ncp = cp + optbytes[cp+1] # copy options data into hash # FIXME doesn't handle multiples (#189) opthash[optbytes[cp]] = optbytes[cp+2:ncp] # advance cp = ncp return opthash
[docs]class TCPChain(Chain): """ This flow analysis chain records details of basic TCP behaviour in the flow record. It will determine when a 3WHS has completed and has simplified logic for determining when a TCP flow has completed. +----------------------+------+---------------------------------------------------------+ | Field Name | Type | Description | +======================+======+=========================================================+ | ``tcp_synflags_fwd`` | int | SYN flags seen in the forward direction | +----------------------+------+---------------------------------------------------------+ | ``tcp_synflags_rev`` | int | SYN flags seen in the reverse direction | +----------------------+------+---------------------------------------------------------+ | ``tcp_fin_fwd`` | bool | At least one FIN flag was seen in the forward direction | +----------------------+------+---------------------------------------------------------+ | ``tcp_fin_rev`` | bool | At least one FIN flag was seen in the reverse direction | +----------------------+------+---------------------------------------------------------+ | ``tcp_rst_fwd`` | bool | At least one RST flag was seen in the forward direction | +----------------------+------+---------------------------------------------------------+ | ``tcp_rst_rev`` | bool | At least one RST flag was seen in the reverse direction | +----------------------+------+---------------------------------------------------------+ | ``tcp_connected`` | bool | The 3WHS completed | +----------------------+------+---------------------------------------------------------+ """
[docs] def new_flow(self, rec, ip): # pylint: disable=W0613 """ For a new flow, all fields will be initialised to ``False`` except ``tcp_synflags_*`` which will be set to ``None``. :param rec: the flow record :type rec: dict :param ip: the IP or IPv6 packet that triggered the creation of a new flow record :type ip: plt.ip or plt.ip6 :return: Always ``True`` :rtype: bool """ rec['tcp_synflags_fwd'] = None rec['tcp_synflags_rev'] = None rec['tcp_fin_fwd'] = False rec['tcp_fin_rev'] = False rec['tcp_rst_fwd'] = False rec['tcp_rst_rev'] = False rec['tcp_connected'] = False return True
[docs] def tcp(self, rec, tcp, rev): """ Records basic TCP behaviour details. SYN Flags This will record the SYN flags observed in each direction. These will not be recorded again if there are futher segments in the flow with a SYN bit set, the first SYN observed wins. FIN and RST Flags If a segment has the FIN or RST flags, the relevant fields are set to true. 3WHS If a SYN was observed in the forward direction, and a SYNACK in the reverse direction and the segment passed is an ACK in the forward direction then ``tcp_connected`` will be set to True. Flow Completion If a FIN has been observed in one direction and this segment contains a FIN in the other direction, a flow is considered complete. If a RST has been observed in either direction, a flow is considered complete. :param rec: the flow record :type rec: dict :param tcp: the TCP segment that was observed to be part of this flow :type ip: plt.tcp :param rev: True if the packet was in the reverse direction, False if in the forward direction :type rev: bool :return: True if flow should continue to be observed, False if the flow should be passed on for merging (i.e. the flow is complete) :rtype: bool """ if tcp.syn_flag: rec['tcp_synflags_rev' if rev else 'tcp_synflags_fwd'] = tcp.flags # This test is intended to catch the completion of the 3WHS. if (not rec['tcp_connected'] and rev == 0 and rec['tcp_synflags_fwd'] is not None and rec['tcp_synflags_rev'] is not None and rec['tcp_synflags_fwd'] & TCP_SYN == TCP_SYN and rec['tcp_synflags_rev'] & TCP_SA == TCP_SA and tcp.ack_flag): rec['tcp_connected'] = True if tcp.fin_flag and rev: rec['tcp_fin_fwd'] = True if tcp.fin_flag and not rev: rec['tcp_fin_rev'] = True if tcp.rst_flag and rev: rec['tcp_rst_rev'] = True if tcp.rst_flag and not rev: rec['tcp_rst_fwd'] = True return not ((rec['tcp_fin_fwd'] and rec['tcp_fin_rev']) or rec['tcp_rst_fwd'] or rec['tcp_rst_rev'])