mschiffm / cppip
The Compressed Pcap Packet Indexing Program
License: MIT License
I'm not sure if this is still being worked on, but I'm going to throw this out there anyways. When I specify a TS range that is before or after the TS in the index, I get no packets written to the output. I would like to be able to pass it a wider range.
For instance, if I would like to specify a start time, and if that time is before the first TS in the index, have it use that first TS in the index instead. The same for end TS that lie after the last TS in the index.
If I'm reading this right, the sanity check just returns you out if the start TS is earlier than the first TS.
./cppip -D -f -e timestamp:2015-10-21:08:33:02-2015-10-21:08:33:20 1445412783.cppip 1445412783.pcap.gz carved-1445412783.pcap
extracting from 1445412783.pcap.gz using 1445412783.cppip...
DBG: first pkt ts: (1445412782) 2015-10-21 07:33:02.690245
DBG: start pkt ts: (1445412782) 2015-10-21 07:33:02.000000
DBG: stop pkt ts (1445412800) 2015-10-21 07:33:20.000000
DBG: index level: 1 0
DBG: entered at pkt ts: 2015-10-21 07:33:02.000000
DBG: fuzzy match at iteration: 1
start ts: 2015-10-21 07:33:02.000000 not found, instead fuzzy matched on 2015-10-21 07:33:02.690245
Segmentation fault
(gdb) bt
#0 0x00007ffff7649d6b in __memcpy_ssse3_back () from /lib64/libc.so.6
#1 0x000000000040335f in extract_by_ts (c=0x60b010) at extract.c:367
./cppip -v 1445412783.cppip
valid cppip index file
version: 1.4
created: 2015-11-02 18:53:49.616815
packets in pcap:1633283
indexing mode: timestamp
index level: 0:0:0:1
record count: 60
I could very likely be doing something incorrectly, let me know if more info is needed.
Also the timestamps I have to input have to be off by an hour or I get an error that the end TS is before the start of the file.
Hi,
This patch is needed to build on Ubuntu.
--- configure.ac~orig 2013-05-04 12:48:03.420621418 +0000
+++ configure.ac 2013-05-04 12:55:09.560611547 +0000
@@ -12,20 +12,24 @@
AC_CHECK_LIB([z], [inflate])
+AC_CHECK_LIB([m], [floor])
AC_CHECK_LIB([tabix], [bgzf_open], ,[AC_MSG_ERROR(cannot find tabixtools library you need to install it or tell me where to find it)])
-AC_CHECK_HEADERS([fcntl.h stdlib.h string.h unistd.h])
+AC_CHECK_HEADERS([fcntl.h stdlib.h string.h unistd.h sys/time.h])
AC_CHECK_HEADERS([bgzf.h], ,[AC_MSG_ERROR(cannot find tabixtools header you need to install it or tell me where to find it)])
+AC_TYPE_OFF_T
AC_TYPE_UINT16_T
AC_TYPE_UINT32_T
AC_TYPE_UINT64_T
AC_TYPE_UINT8_T
-AC_CHECK_FUNCS([memset strerror strtol])
+AC_FUNC_MALLOC
+AC_FUNC_MKTIME
+AC_CHECK_FUNCS([floor gettimeofday memset strdup strerror strtol])
AC_CONFIG_FILES([Makefile src/Makefile])
AC_OUTPUT
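Review bot: AC_FUNC_MALLOC and AC_FUNC_MKTIME (the two new lines replacing the old AC_CHECK_FUNCS) do more than check that the functions exist: when the native malloc or mktime fails autoconf's probe, or when cross-compiling, autoconf requests a replacement via AC_LIBOBJ and #defines malloc to rpl_malloc / mktime to rpl_mktime, so the build fails at link time unless the tree ships malloc.c and mktime.c. If no replacement source is intended, drop those two macros and let the extended AC_CHECK_FUNCS([floor gettimeofday memset strdup strerror strtol]) carry the presence check. Separately, the new AC_CHECK_LIB([m], [floor]) has no action-if-not-found, unlike the tabix check two lines below it; if floor is really required, add an AC_MSG_ERROR for consistency, otherwise a missing -lm only surfaces as an undefined reference at link time.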
When both start and stop timestamps are earlier than the first packet timestamp in the pcap being checked, cppip emits the first two packets from the pcap. It should realize this is an error condition and emit 0 packets.
The bug:
$ cppip -f -D -e timestamp:2013-06-16:14:06:30.000000-2013-06-18:16:16:30.00000 index.cppip pcap.gz out.pcap
extracting from pcap.gz using index.cppip...
DBG: first pkt ts: (1402952699) 2014-06-16 14:04:59.944155
DBG: start pkt ts: (1371416790) 2013-06-16 14:06:30.000000
DBG: stop pkt ts (1371597390) 2013-06-18 16:16:30.000000
DBG: index level: 1 0
DBG: entered at pkt ts: 2013-06-16 14:06:30.000000
DBG: fuzzy match at iteration: 1
start ts: 2013-06-16 14:06:30.000000 not found, instead fuzzy matched on 2014-06-16 14:04:59.944155
stop ts: 2013-06-18 16:16:30.000000 not found, instead fuzzy matched on 2014-06-16 14:04:59.944195
wrote 2 packets to out.pcap.
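Both of the reports above come down to the same range handling: a requested start or stop timestamp that falls outside what the index covers should be clamped to the first or last indexed packet (the behaviour asked for in the first issue), and a request that does not overlap the index at all should produce zero packets instead of a fuzzy match on the first record (the bug in this issue). The C below is an added example written for this page, not cppip's own code; the record layout, function names and the sample index are assumptions constructed for the illustration, with only the first timestamp borrowed from the debug output in the first report.

```c
/* Added example, not cppip's own code: intersect a requested timestamp
 * range with the range an index actually covers, then select the index
 * records inside it.  Record layout, names and sample data are
 * assumptions constructed for this illustration. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* One index record: a packet timestamp.  Constructed layout, not
 * cppip's on-disk format. */
struct ts_rec {
    uint32_t sec;
    uint32_t usec;
};

/* Sample index sorted by timestamp.  The first record reuses the first
 * packet timestamp from the report above (1445412782.690245); the rest
 * are made up. */
const struct ts_rec demo_idx[] = {
    { 1445412782, 690245 },
    { 1445412790, 100000 },
    { 1445412795, 500000 },
    { 1445412800,      0 },
    { 1445412810, 250000 },
};
#define DEMO_N (sizeof demo_idx / sizeof demo_idx[0])

/* Compare two (sec, usec) timestamps: <0, 0 or >0. */
static int ts_cmp(uint32_t as, uint32_t au, uint32_t bs, uint32_t bu)
{
    if (as != bs) return as < bs ? -1 : 1;
    if (au != bu) return au < bu ? -1 : 1;
    return 0;
}

/* Clamp [start, stop] to [first, last] of the index.  Returns 1 and
 * rewrites the bounds when the intersection is non-empty; returns 0 and
 * leaves them alone when the request is inverted, lies entirely before
 * the first packet, or lies entirely after the last one. */
int clamp_range(const struct ts_rec *idx, size_t n,
                uint32_t *start_s, uint32_t *start_u,
                uint32_t *stop_s,  uint32_t *stop_u)
{
    if (n == 0) return 0;
    const struct ts_rec *first = &idx[0], *last = &idx[n - 1];
    if (ts_cmp(*start_s, *start_u, *stop_s, *stop_u) > 0) return 0;
    if (ts_cmp(*stop_s, *stop_u, first->sec, first->usec) < 0) return 0;
    if (ts_cmp(*start_s, *start_u, last->sec, last->usec) > 0) return 0;
    if (ts_cmp(*start_s, *start_u, first->sec, first->usec) < 0) {
        *start_s = first->sec;
        *start_u = first->usec;
    }
    if (ts_cmp(*stop_s, *stop_u, last->sec, last->usec) > 0) {
        *stop_s = last->sec;
        *stop_u = last->usec;
    }
    return 1;
}

/* Binary search: position of the first record with timestamp >= (sec,
 * usec), or, when after != 0, the first with timestamp > (sec, usec).
 * Returns n when there is no such record. */
static size_t bsearch_ts(const struct ts_rec *idx, size_t n,
                         uint32_t sec, uint32_t usec, int after)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = ts_cmp(idx[mid].sec, idx[mid].usec, sec, usec);
        if (c < 0 || (after && c == 0)) lo = mid + 1;
        else hi = mid;
    }
    return lo;
}

/* Number of index records inside the clamped range and, via lo_out when
 * non-NULL, the position of the first one.  Zero means write no packets. */
size_t select_records(const struct ts_rec *idx, size_t n,
                      uint32_t start_s, uint32_t start_u,
                      uint32_t stop_s,  uint32_t stop_u, size_t *lo_out)
{
    if (!clamp_range(idx, n, &start_s, &start_u, &stop_s, &stop_u)) {
        if (lo_out) *lo_out = 0;
        return 0;
    }
    size_t lo = bsearch_ts(idx, n, start_s, start_u, 0);
    size_t hi = bsearch_ts(idx, n, stop_s,  stop_u,  1);
    if (lo_out) *lo_out = lo;
    return hi - lo;
}

int main(void)
{
    size_t lo, k;
    /* start 690245 us before the first packet: clamped, 4 records */
    k = select_records(demo_idx, DEMO_N, 1445412782, 0, 1445412800, 0, &lo);
    printf("clamped: %zu records starting at record %zu\n", k, lo);
    /* request entirely in 2013, index starts in 2015: 0 records */
    k = select_records(demo_idx, DEMO_N, 1371416790, 0, 1371597390, 0, &lo);
    printf("no overlap: %zu records\n", k);
    return 0;
}
```

The order of the checks in clamp_range matters: the no-overlap tests run before any clamping, so a range that lies wholly before the first packet is rejected rather than being clamped onto it and then matching the first record, which is how the two-packet output above arises. A stop timestamp equal to an indexed packet is treated as inclusive, which is why the first example returns four records.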