v0.5
Reassembly
TCP stream reassembly
Implementation
For reassembling TCP streams the gopacket/reassembly implementation is used. This allows to parse application layer protocols such as HTTP and POP3. The reassembly package currrently only implements reassembling stream over IPv4. To overcome this limitation for HTTP capture, you can use the proxy tool.
Architecture
The gopacket reassembly implementation leaves several options for using it.
Netcap currently uses one dedicated assembler for each worker and a single shared connection pool for all streams.
Another option would be using a dedicated assembler for each worker for each L7 protocol with a shared stream pool for that specific protocol. This would potentially decrease lock contention for the reassembly, and might be implemented to improve performance in future versions.
Configuration
The following fields of the encoder.Config affect the TCP stream reassembly:
1
// Interval to apply connection flushes
2
FlushEvery int
3
​
4
// Do not use IPv4 defragger
5
NoDefrag bool
6
​
7
// Dont verify the packet checksums
8
Checksum bool
9
​
10
// Dont check TCP options
11
NoOptCheck bool
12
​
13
// Ignore TCP state machine errors
14
IgnoreFSMerr bool
15
​
16
// TCP state machine allow missing init in three way handshake
17
AllowMissingInit bool
18
​
19
// Toggle debug mode
20
Debug bool
21
​
22
// Dump packet contents as hex for debugging
23
HexDump bool
24
​
25
// Wait until all connections finished processing when receiving shutdown signal
26
WaitForConnections bool
27
​
28
// Write incomplete HTTP responses to disk when extracting files
29
WriteIncomplete bool
Copied!
Debugging
To see debug output for the reassembly, run with the -debug flag and check the reassembly.log file.
For more general troubleshooting advice, please refer to the Troubleshooting page:
​
Last modified 2yr ago
Copy link