
feat(#313): Add support for conversion of multiple exported sessions. #368

Merged: 4 commits merged into master from multi-export-conversion on Jan 7, 2022

Conversation

alxbl
Collaborator

@alxbl alxbl commented Oct 27, 2021

This pull request adds the ability to convert multiple sessions inside of an exported PDU PCAP. It fixes #313.

This is done by parsing the EXPORTED_PDU header (in a very ad-hoc way, right now) with a custom Exported layer to retrieve the ip.src, tcp.sport, ip.dst, and tcp.dport tags in the header and modifying the tcp_both session extraction code to use the Exported layer.

I say the layer is ad-hoc because EXPORTED_PDU's tags are an arbitrary list of tags with the following form:

tagIdentifier (2B)
tagLength (2B)
tagBytes (<tagLength>B)
[.... repeat until tagEnd ...]
tagEnd ("\x00\x00")
tagLength ("\x00\x00")

But right now what I'm doing is hardcoding the list of tags that I've seen in typical exported RDP L7 captures, so it might fail for non-standard exports.

We can fix that when/if it happens. In general if it fails, it's probably because the pcap wasn't exported properly.
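
The tag list described above is a plain TLV walk, so a parser does not need to hardcode which tags appear in a given export. The following is an added example (not pyrdp code and not part of this PR): a generic walker that reads the EXPORTED_PDU header until the end tag, keeps ip.src, ip.dst, tcp.sport and tcp.dport, carries any other tag through untouched instead of failing, and then groups PDUs into bidirectional TCP sessions the way a tcp_both style extraction needs. The tag numbers are the ones defined in Wireshark's epan/exported_pdu.h (end-of-options 0, proto name 12, IPv4/IPv6 src/dst 20 to 23, src/dst port 25 and 26); check them against your Wireshark version. IPv6 addresses are handled as well, which goes beyond what the PR discusses. build_exported_pdu and SAMPLE_RECORDS are constructed here so the code runs offline; they are not data from a real capture.

```python
"""Generic EXPORTED_PDU header walker plus session grouping (added example, not pyrdp code)."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import Dict, List, Tuple

# Tag identifiers as defined in Wireshark's epan/exported_pdu.h; verify against your version.
EXP_PDU_TAG_END_OF_OPT = 0
EXP_PDU_TAG_PROTO_NAME = 12
EXP_PDU_TAG_IPV4_SRC = 20
EXP_PDU_TAG_IPV4_DST = 21
EXP_PDU_TAG_IPV6_SRC = 22
EXP_PDU_TAG_IPV6_DST = 23
EXP_PDU_TAG_SRC_PORT = 25
EXP_PDU_TAG_DST_PORT = 26

SessionKey = Tuple[str, int, str, int]


@dataclass
class ExportedPdu:
    proto: str = ""
    src: str = ""
    dst: str = ""
    sport: int = 0
    dport: int = 0
    other_tags: Dict[int, bytes] = field(default_factory=dict)  # carried through, not interpreted
    payload: bytes = b""

    def session_key(self) -> SessionKey:
        """Direction-independent key: both halves of one TCP flow map to the same session."""
        lo, hi = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return lo + hi


def _check_len(tag_id: int, actual: int, expected: int) -> None:
    if actual != expected:
        raise ValueError("tag %d has length %d, expected %d" % (tag_id, actual, expected))


def parse_exported_pdu(data: bytes) -> ExportedPdu:
    """Walk the TLV list (id 2B, len 2B, value; big-endian) until the id 0 / len 0 end tag."""
    pdu = ExportedPdu()
    off = 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated tag header at offset %d (no end tag seen)" % off)
        tag_id, tag_len = struct.unpack_from("!HH", data, off)
        off += 4
        if tag_id == EXP_PDU_TAG_END_OF_OPT:
            _check_len(tag_id, tag_len, 0)
            break
        if off + tag_len > len(data):
            raise ValueError("tag %d length %d overruns the buffer" % (tag_id, tag_len))
        value = data[off:off + tag_len]
        off += tag_len
        if tag_id == EXP_PDU_TAG_PROTO_NAME:
            pdu.proto = value.rstrip(b"\0").decode("ascii")  # Wireshark NUL-pads this to 4 bytes
        elif tag_id in (EXP_PDU_TAG_IPV4_SRC, EXP_PDU_TAG_IPV4_DST,
                        EXP_PDU_TAG_IPV6_SRC, EXP_PDU_TAG_IPV6_DST):
            is_v4 = tag_id in (EXP_PDU_TAG_IPV4_SRC, EXP_PDU_TAG_IPV4_DST)
            _check_len(tag_id, tag_len, 4 if is_v4 else 16)
            addr = str(IPv4Address(value) if is_v4 else IPv6Address(value))
            if tag_id in (EXP_PDU_TAG_IPV4_SRC, EXP_PDU_TAG_IPV6_SRC):
                pdu.src = addr
            else:
                pdu.dst = addr
        elif tag_id in (EXP_PDU_TAG_SRC_PORT, EXP_PDU_TAG_DST_PORT):
            _check_len(tag_id, tag_len, 4)  # ports are carried as 32-bit big-endian integers
            port = struct.unpack("!I", value)[0]
            if tag_id == EXP_PDU_TAG_SRC_PORT:
                pdu.sport = port
            else:
                pdu.dport = port
        else:
            pdu.other_tags[tag_id] = value  # unknown or unneeded tag: keep it, do not fail
    pdu.payload = data[off:]  # everything after the end tag is the exported L7 payload
    return pdu


def build_exported_pdu(proto: str, src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed builder that mirrors the TLV layout; used only to make offline sample input."""
    def tlv(tag_id: int, value: bytes) -> bytes:
        return struct.pack("!HH", tag_id, len(value)) + value
    name = proto.encode("ascii")
    name += b"\0" * (-len(name) % 4)  # round the proto name up to a 4-byte boundary
    s, d = ip_address(src), ip_address(dst)
    src_tag = EXP_PDU_TAG_IPV4_SRC if s.version == 4 else EXP_PDU_TAG_IPV6_SRC
    dst_tag = EXP_PDU_TAG_IPV4_DST if d.version == 4 else EXP_PDU_TAG_IPV6_DST
    return (tlv(EXP_PDU_TAG_PROTO_NAME, name)
            + tlv(src_tag, s.packed) + tlv(dst_tag, d.packed)
            + tlv(24, struct.pack("!I", 2))  # a port-type tag with a constructed value, left raw
            + tlv(EXP_PDU_TAG_SRC_PORT, struct.pack("!I", sport))
            + tlv(EXP_PDU_TAG_DST_PORT, struct.pack("!I", dport))
            + tlv(EXP_PDU_TAG_END_OF_OPT, b"")
            + payload)


def group_sessions(pdus: List[ExportedPdu]) -> Dict[SessionKey, List[ExportedPdu]]:
    """Group PDUs into bidirectional TCP sessions, preserving capture order within each."""
    sessions: Dict[SessionKey, List[ExportedPdu]] = {}
    for pdu in pdus:
        sessions.setdefault(pdu.session_key(), []).append(pdu)
    return sessions


# Constructed sample: two IPv4 RDP clients talking to one server, plus one IPv6 client.
SAMPLE_RECORDS = [
    build_exported_pdu("rdp", "10.0.0.5", "10.0.0.10", 49152, 3389, b"client-hello-A"),
    build_exported_pdu("rdp", "10.0.0.6", "10.0.0.10", 49153, 3389, b"client-hello-B"),
    build_exported_pdu("rdp", "10.0.0.10", "10.0.0.5", 3389, 49152, b"server-reply-A"),
    build_exported_pdu("rdp", "2001:db8::1", "2001:db8::2", 50000, 3389, b"client-hello-C"),
    build_exported_pdu("rdp", "10.0.0.10", "10.0.0.6", 3389, 49153, b"server-reply-B"),
]


def demo() -> Dict[SessionKey, List[ExportedPdu]]:
    return group_sessions([parse_exported_pdu(rec) for rec in SAMPLE_RECORDS])


if __name__ == "__main__":
    for key, pdus in demo().items():
        print("%s:%d <-> %s:%d  %d PDUs" % (key + (len(pdus),)))
```

Because the walker stops only at the 0/0 end tag and rejects a header that runs out before it, a PCAP that was not exported properly fails loudly with an offset rather than silently producing one merged session.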

@obilodeau
Collaborator

Not much more luck here. I'll investigate the JSON output deeper then.

@obilodeau obilodeau added this to the v1.2.0 milestone Jan 6, 2022
@obilodeau
Collaborator

Just pushed a rebase on master. I manually handled conflicts but the new InetAddress code is still not using Exported since I fixed similar problems in my own fixes on top of the #366 PR. More stuff is coming.

@obilodeau
Collaborator

Another interactive rebase to make everything neat and avoid a squash commit.

@obilodeau obilodeau merged commit abd8b87 into master Jan 7, 2022
@obilodeau obilodeau deleted the multi-export-conversion branch January 11, 2022 03:17
Successfully merging this pull request may close these issues.

Parsing a decrypted PDU-L7 Pcap with multiple sessions does not work