NETCAP
NETCAP
Overview
GitHub
Homepage
GoDoc
Overview
Audit Records
Specification
Installation
Quickstart
Configuration
Bash Completion
Packet Collection
Audit Record Labeling
HTTP Proxy
USB Capture
Payload Capture
Distributed Collection
Workers
Filtering and Export
Data Compression
Internals
Metrics
Resolvers
TLS Fingerprinting
Reassembly
Deep Packet Inspection
Live Capture
Maltego Integration
Logging
Packet Contexts
Industrial Control Systems
File Extraction
Email Extraction
Device Profiles
Python Integration
Changelog
Troubleshooting
Unit Tests
Extension
Downloads
Docker Containers
FAQ
Contributing
License
Powered by GitBook

Reassembly

TCP stream reassembly

Implementation

For reassembling TCP streams the gopacket/reassembly implementation is used. This allows to parse application layer protocols such as HTTP and POP3. The reassembly package currrently only implements reassembling stream over IPv4. To overcome this limitation for HTTP capture, you can use the proxy tool.

Architecture

The gopacket reassembly implementation leaves several options for using it.

Netcap currently uses one dedicated assembler for each worker and a single shared connection pool for all streams.

Another option would be using a dedicated assembler for each worker for each L7 protocol with a shared stream pool for that specific protocol. This would potentially decrease lock contention for the reassembly, and might be implemented to improve performance in future versions.

Configuration

The following fields of the encoder.Config affect the TCP stream reassembly:

// Interval to apply connection flushes
FlushEvery         int
​
// Do not use IPv4 defragger
NoDefrag           bool
​
// Dont verify the packet checksums
Checksum           bool
​
// Dont check TCP options
NoOptCheck         bool
​
// Ignore TCP state machine errors
IgnoreFSMerr       bool
​
// TCP state machine allow missing init in three way handshake
AllowMissingInit   bool
​
// Toggle debug mode
Debug              bool
​
// Dump packet contents as hex for debugging
HexDump            bool
​
// Wait until all connections finished processing when receiving shutdown signal
WaitForConnections bool
​
// Write incomplete HTTP responses to disk when extracting files
WriteIncomplete    bool

Debugging

To see debug output for the reassembly, run with the -debug flag and check the reassembly.log file.

For more general troubleshooting advice, please refer to the Troubleshooting page:

​

Previous
TLS Fingerprinting
Next
Deep Packet Inspection
Last updated 1 year ago
Contents
Implementation
Architecture
Configuration
Debugging