[[unsniff:objectref:stream]]
 
Trace: stream
Table of Contents

Stream

Description

This object represents a complete TCP/IP session . Unsniff allows you to work with complete TCP/IP sessions while performing post-capture analysis. You can write simple scripts to perform complex tasks that would be impossible or painfully difficult with other legacy network analyzers.

Some examples :

  • Print a list of all TCP/IP sessions that transferred more than 2M bytes total
  • Export the top 5 busiest TCP/IP sessions to a libpcap file
  • Reassemble and save the first 100 bytes of each TCP session

Properties

NameTypeAccessDescription
IDLongReadEach stream is assigned a unique ID by Unsniff.
InSegmentCountLongReadNumber of segments from Destination to Source.
For TCP the InSegmentCount is the number of segments in the opposite direction of the initial SYN packet
OutInSegmentCountLongReadNumber of segments from Source to Destination.
For TCP the OutSegmentCount is the number of segments in the same direction of the initial SYN packet
InByteCountLongReadNumber of bytes from Destination to Source.(in the opposite direction to the initial SYN packet)
OutByteCountLongReadNumber of bytes from Source to Destination (in the same direction as the initial SYN packet)
StartTimeStampStringReadThe timestamp when the session started. For TCP, this is when the first SYN packet was seen.
The format of the timestamp string is determined by the Windows Locale settings
EndTimeStampStringReadThe timestamp when the session ended. The session can end due to the normal FIN sequence or RST or due to user stopping the capture prematurely.
For format of the timestamp string is determined by the Windows Locale settings
StartTimestampSecsLongReadThe seconds part of the start timestamp. This number returns the number of seconds since midnight January 1, 1900
StartTimestampUSecsLongRead The microseconds part of the start timestamp.
EndTimestampSecsLongReadThe seconds part of the end timestamp. This number returns the number of seconds since midnight January 1, 1900
EndTimestampUSecsLongReadThe microseconds part of the end timestamp.
DescriptionStringRead-writeThe text description of the stream. Your script can also change the description based on your analysis.
SourceAddressStringReadThe network address of the source of this stream. A network name is returned if this address has been resolved to a name. For TCP, the source is the station that sent the initial SYN segment.
DestinationAddressStringReadThe network address of the destination of this stream. A network name is returned if this address has been resolved to a name. For TCP, the source is the station that sent the SYN+ACK response to the initial SYNsegment
PacketsCollectionReadAll the packets that make up this stream. This includes error packets, for example late arrivals, duplicate packets, out of order packets, etc. If you want to perform custom stream analysis you may want access to these packets
SourcePortIntegerRead Source TCP port
DestinationPortIntegerReadDestination TCP port

Methods

NameParametersDescription
SaveToFileFileName (String)
Direction (String)
SeekPos (Long)
NumBytes (Long) 		Reassemble and save the contents of this stream. You can save either direction beginning at any offset and any number of bytes.
FileName: Can be a pathname or a relative filename
Direction : “in” for incoming; “out” for outgoing
SeekPos: 0 for beginning of stream
NumBytes: Number of bytes to write, -1 to write everything

Example : To save full incoming stream 
 stm = db.StreamIndex[0]
 stm.SaveToFile("incoming0.dat","in",0,-1)

Sample code

'
' xstream -  extract all the streams

' -----------------------
' Check usage & arguments
' -----------------------
On Error Resume Next

Set Sout = WScript.StdOut

if WScript.Arguments.Count <>  2 then
	Sout.WriteLine "Usage: cscript xstream.vbs  input-tcpdump-file output-dir  "
	WScript.Quit
end if

InputTCPD  = WScript.Arguments.Item(0)
DirName    = WScript.Arguments.Item(1)

Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")

If fso.FileExists("temp_cap.usnf") Then
	fso.DeleteFile "temp_cap.usnf"
End If

'
' Check if Directory Exists (Create if it doesnt)
'
If Not fso.FolderExists(DirName)  Then
	fso.CreateFolder (DirName)
	Sout.WriteLine "Created Output Folder " & DirName
End If

' Import from tcpdump (libpcap) format
Set UnsniffDB = CreateObject("Unsniff.Database")
UnsniffDB.New("temp_cap.usnf" )
UnsniffDB.Import "libpcap", InputTCPD
Sout.WriteLine "Imported tcpdump file  " & InputTCPD

Dim STIndex
Set STIndex = UnsniffDB.StreamIndex
For Each  ST In STIndex
With ST
	Sout.WriteLine "Source Address =" &ST.SourceAddress & " Dest address" &st.DestinationAddress 
       	PrefName = .ID & ".txt"
	ExpFilePath = fso.BuildPath (DirName, PrefName )
	Sout.WriteLine "path = " & ExpFilePath
	.SaveToFile PrefName,"out",0,10
End With
Next

UnsniffDB.Close()

fso.DeleteFile "temp_cap.usnf"
unsniff/objectref/stream.txt · Last modified: 2014/09/11 23:23 (external edit)
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki