====== Stream ======

===== Description =====

This object represents a complete TCP/IP session. Unsniff allows you to work with complete TCP/IP sessions while performing post-capture analysis. You can write simple scripts to perform complex tasks that would be impossible or painfully difficult with other legacy network analyzers. Some examples:

  * Print a list of all TCP/IP sessions that transferred more than 2M bytes total
  * Export the top 5 busiest TCP/IP sessions to a libpcap file
  * Reassemble and save the first 100 bytes of each TCP session

===== Properties =====

^ Name ^ Type ^ Access ^ Description ^
| ID | Long | Read | Each stream is assigned a unique ID by Unsniff. |
| InSegmentCount | Long | Read | Number of segments from Destination to Source. \\ //For TCP the InSegmentCount is the number of segments in the opposite direction of the initial SYN packet// |
| OutSegmentCount | Long | Read | Number of segments from Source to Destination. \\ //For TCP the OutSegmentCount is the number of segments in the same direction as the initial SYN packet// |
| InByteCount | Long | Read | Number of bytes from Destination to Source //(in the opposite direction to the initial SYN packet)// |
| OutByteCount | Long | Read | Number of bytes from Source to Destination //(in the same direction as the initial SYN packet)// |
| StartTimeStamp | String | Read | The timestamp when the session started. For TCP, this is when the first SYN packet was seen. \\ The format of the timestamp string is determined by the Windows Locale settings |
| EndTimeStamp | String | Read | The timestamp when the session ended. The session can end due to the normal FIN sequence, a RST, or the user stopping the capture prematurely. \\ The format of the timestamp string is determined by the Windows Locale settings |
| StartTimestampSecs | Long | Read | The seconds part of the start timestamp. This number is the number of seconds since midnight, January 1, 1900 |
| StartTimestampUSecs | Long | Read | The microseconds part of the start timestamp. |
| EndTimestampSecs | Long | Read | The seconds part of the end timestamp. This number is the number of seconds since midnight, January 1, 1900 |
| EndTimestampUSecs | Long | Read | The microseconds part of the end timestamp. |
| Description | String | Read-write | The text description of the stream. Your script can also change the description based on your analysis. |
| SourceAddress | String | Read | The network address of the source of this stream. A network name is returned if this address has been resolved to a name. For TCP, the source is the station that sent the initial SYN segment. |
| DestinationAddress | String | Read | The network address of the destination of this stream. A network name is returned if this address has been resolved to a name. For TCP, the destination is the station that sent the SYN+ACK response to the initial SYN segment. |
| Packets | Collection | Read | All the packets that make up this stream. This includes error packets, for example late arrivals, duplicate packets, out-of-order packets, etc. If you want to perform custom stream analysis you may want access to these packets. |
| SourcePort | Integer | Read | Source TCP port |
| DestinationPort | Integer | Read | Destination TCP port |

===== Methods =====

^ Name ^ Parameters ^ Description ^
| SaveToFile | FileName (String) \\ Direction (String) \\ SeekPos (Long) \\ NumBytes (Long) | Reassemble and save the contents of this stream. You can save either direction, beginning at any offset, for any number of bytes. \\ //FileName//: Can be a pathname or a relative filename \\ //Direction//: "in" for incoming; "out" for outgoing \\ //SeekPos//: 0 for beginning of stream \\ //NumBytes//: Number of bytes to write, -1 to write everything |

Example: To save the full incoming stream

<code>
stm = db.StreamIndex[0]
stm.SaveToFile("incoming0.dat","in",0,-1)
</code>

==== Sample code ====

<code vbscript>
'
' xstream - extract all the streams
'
' -----------------------
' Check usage & arguments
' -----------------------
On Error Resume Next
Set Sout = WScript.StdOut
If WScript.Arguments.Count <> 2 Then
    Sout.WriteLine "Usage: cscript xstream.vbs input-tcpdump-file output-dir"
    WScript.Quit
End If
InputTCPD = WScript.Arguments.Item(0)
DirName = WScript.Arguments.Item(1)

Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")
' Remove any stale temporary capture database left by a previous run
If fso.FileExists("temp_cap.usnf") Then
    fso.DeleteFile "temp_cap.usnf"
End If
'
' Check if Directory Exists (Create if it doesn't)
'
If Not fso.FolderExists(DirName) Then
    fso.CreateFolder DirName
    Sout.WriteLine "Created Output Folder " & DirName
End If

' Import from tcpdump (libpcap) format
Set UnsniffDB = CreateObject("Unsniff.Database")
UnsniffDB.New "temp_cap.usnf"
UnsniffDB.Import "libpcap", InputTCPD
Sout.WriteLine "Imported tcpdump file " & InputTCPD

' Walk every stream and save the first 10 bytes of its outgoing direction
Dim STIndex
Set STIndex = UnsniffDB.StreamIndex
For Each ST In STIndex
    With ST
        Sout.WriteLine "Source Address = " & .SourceAddress & " Dest address = " & .DestinationAddress
        PrefName = .ID & ".txt"
        ExpFilePath = fso.BuildPath(DirName, PrefName)
        Sout.WriteLine "path = " & ExpFilePath
        ' Write into the output folder using the full path built above
        .SaveToFile ExpFilePath, "out", 0, 10
    End With
Next
UnsniffDB.Close
fso.DeleteFile "temp_cap.usnf"
</code>
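Two of the tasks listed in the description (listing every session over 2M bytes, and pulling out the five busiest) done with the properties and SaveToFile method documented on this page. This is an added example, not from the Unsniff documentation or product; it assumes the same Unsniff.Database, New, Import and StreamIndex calls that the sample script above uses, and it saves reassembled payloads rather than exporting to libpcap, since that export call is not described here.

```vbscript
' topstreams.vbs (added example; not part of the Unsniff docs or product)
' Usage: cscript topstreams.vbs input-tcpdump-file output-dir
' Lists every session over 2M bytes total, tags it via Description, then
' reassembles both directions of the 5 busiest sessions into output-dir.
Option Explicit
Dim Sout, fso, UnsniffDB, ST, OutDir, Count, i, j, Top, tmpN, tmpS
Dim Streams(), Totals()
Set Sout = WScript.StdOut
Set fso = CreateObject("Scripting.FileSystemObject")
If WScript.Arguments.Count <> 2 Then
    Sout.WriteLine "Usage: cscript topstreams.vbs input-tcpdump-file output-dir"
    WScript.Quit 1
End If
OutDir = WScript.Arguments.Item(1)
If Not fso.FolderExists(OutDir) Then fso.CreateFolder OutDir
If fso.FileExists("temp_cap.usnf") Then fso.DeleteFile "temp_cap.usnf"
Set UnsniffDB = CreateObject("Unsniff.Database")
UnsniffDB.New "temp_cap.usnf"
UnsniffDB.Import "libpcap", WScript.Arguments.Item(0)

' Pass 1: total bytes per session (both directions) and flag the large ones.
Count = 0
For Each ST In UnsniffDB.StreamIndex
    ReDim Preserve Streams(Count): ReDim Preserve Totals(Count)
    Set Streams(Count) = ST
    Totals(Count) = ST.InByteCount + ST.OutByteCount
    If Totals(Count) > 2000000 Then
        ST.Description = "LARGE: " & ST.Description   ' Description is read-write
        Sout.WriteLine ST.ID & " " & ST.SourceAddress & ":" & ST.SourcePort & " -> " & _
            ST.DestinationAddress & ":" & ST.DestinationPort & " " & _
            Totals(Count) & " bytes, started " & ST.StartTimeStamp
    End If
    Count = Count + 1
Next

' Pass 2: partial selection sort, descending by total bytes, for the top 5.
Top = Count: If Top > 5 Then Top = 5
For i = 0 To Top - 1
    For j = i + 1 To Count - 1
        If Totals(j) > Totals(i) Then
            tmpN = Totals(i): Totals(i) = Totals(j): Totals(j) = tmpN
            Set tmpS = Streams(i): Set Streams(i) = Streams(j): Set Streams(j) = tmpS
        End If
    Next
    ' Save the whole reassembled payload of each direction (SeekPos 0, NumBytes -1).
    Streams(i).SaveToFile fso.BuildPath(OutDir, Streams(i).ID & "_in.dat"), "in", 0, -1
    Streams(i).SaveToFile fso.BuildPath(OutDir, Streams(i).ID & "_out.dat"), "out", 0, -1
Next
UnsniffDB.Close
fso.DeleteFile "temp_cap.usnf"
```

The byte threshold uses the documented InByteCount and OutByteCount, so it counts reassembled payload in both directions rather than raw frame sizes.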