TCP streams

TCP stream follower

class TCPStreamFollower(data_callback=None, end_callback=None)

Bases: object

Reconstruct client and server TCP streams from individual PDUs.

A TCPStreamFollower object analyzes the PDUs that you provide and reconstructs the client and server TCP streams that it can find.

When a stream is updated, the Python function data_callback is called. When a stream is closed, the Python function end_callback is called.

Callbacks are functions that must accept exactly one parameter: a TCPStream object.

Example

>>> from cycapture.libtins import TCPStream, TCPStreamFollower, PDU
>>> pdus = get_some_pdus()        # get PDUs from somewhere (typically from pcap)
>>> assert(all([isinstance(pdu, PDU) for pdu in pdus]))
>>> def updated(stream):
...     assert(isinstance(stream, TCPStream))
...     print("Updated stream from {}:{} to {}:{}".format(
...         stream.client_addr, stream.client_port, stream.server_addr, stream.server_port)
...     )
>>> follower = TCPStreamFollower(updated, None)         # we don't monitor closed streams
>>> follower.feed(pdus)

Parameters:
  • data_callback (function) -- the Python callback to call when a stream is updated
  • end_callback (function) -- the Python callback to call when a stream is finished

feed(pdu_iterator)

Follow TCP streams found in PDUs from pdu_iterator and call the appropriate

If pdu_iterator contains objects that are not PDUs, they will be ignored.

Parameters: pdu_iterator (a PDU, a list of PDUs, or any iterator that yields PDUs)

TCP stream

class TCPStream(client_addr, server_addr, client_port, server_port, ident, finished, client_payload, server_payload)

Bases: object

TCP stream encapsulation.

TCPStream objects are not meant to be made directly by the user. Instead, they are built by libtins and provided to TCPStreamFollower callbacks when a TCP stream is updated or closed.

client_addr

IPv4Address or None

TCP client address

server_addr

IPv4Address or None

TCP server address

client_port

int

TCP client port

server_port

int

TCP server port

identifier

int

TCP identifier

finished

bool

True if the stream has been closed

client_payload

bytes

What has been sent by the client so far

server_payload

bytes

What has been sent by the server so far
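
Because client_payload and server_payload hold everything sent "so far", a data_callback sees the same leading bytes again on every update. The following is an added example, not code from cycapture: a pair of callbacks that track how much of each stream has already been processed and hand on only the new bytes. DeltaTracker, FakeStream and demo are hypothetical names, and FakeStream is a constructed stand-in carrying the attributes documented above so the logic runs without a capture (Python 3 assumed).

```python
from collections import namedtuple

# Constructed stand-in exposing the TCPStream attributes documented on this page.
FakeStream = namedtuple(
    "FakeStream",
    "client_addr server_addr client_port server_port "
    "identifier finished client_payload server_payload")


class DeltaTracker(object):
    """Callbacks that turn cumulative payloads into per-update deltas."""

    def __init__(self):
        self.seen = {}    # identifier -> (client bytes consumed, server bytes consumed)
        self.events = []  # (identifier, direction, new bytes), in arrival order
        self.closed = []  # (identifier, total client bytes, total server bytes)

    def on_data(self, stream):
        c_off, s_off = self.seen.get(stream.identifier, (0, 0))
        for direction, payload, off in (("client", stream.client_payload, c_off),
                                        ("server", stream.server_payload, s_off)):
            if len(payload) > off:
                # Only the bytes past the previous offset are new.
                self.events.append((stream.identifier, direction, payload[off:]))
        self.seen[stream.identifier] = (len(stream.client_payload),
                                        len(stream.server_payload))

    def on_end(self, stream):
        # Assumption: the closing update may carry bytes not yet reported.
        self.on_data(stream)
        # Drop per-stream state so long captures do not grow memory unbounded.
        self.seen.pop(stream.identifier, None)
        self.closed.append((stream.identifier, len(stream.client_payload),
                            len(stream.server_payload)))


def demo():
    """Replay three constructed updates of one stream through the callbacks."""
    tracker = DeltaTracker()
    base = ("10.0.0.5", "10.0.0.9", 40000, 80, 1)  # constructed sample values
    request = b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"
    tracker.on_data(FakeStream(*base, False, request[:16], b""))
    tracker.on_data(FakeStream(*base, False, request, b""))
    tracker.on_end(FakeStream(*base, True, request, b"HTTP/1.1 200 OK\r\n\r\n"))
    return tracker
```

With a real capture, the bound methods would be passed as the two callbacks: TCPStreamFollower(tracker.on_data, tracker.on_end).feed(pdus).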