Support #3227

How to obtain Suricata Reassembled TCP UDP stream in the source code

Added by Berk Ulku 8 months ago. Updated 2 months ago.

Status:
New
Priority:
Normal
Affected Versions:
Label:

Description

Hello,
I want to obtain reassembled stream payload for both TCP and UDP in Suricata. How can I obtain stream data in source code? Which methods/classes in the source provide or manipulate stream data?
In short, I want to extract all streaming data from Suricata and use it, when it is sniffing the network.

I installed the binary on my machine and for the time being I am trying to find a function or a class where I can dump reassembled stream payloads (both TCP and UDP) in the C source code so that I can save the stream payload to a memory block instead of parsing EVE JSON or any other log file.

#1

Updated by Andreas Herz 8 months ago

  • Assignee set to Community Ticket
  • Target version set to Support
#2

Updated by Victor Julien 2 months ago

I would suggest having a look at how our json output (eve) logs the payload from stream and packets.

For TCP, check `StreamSegmentForEach`. https://github.com/OISF/suricata/blob/master/src/output-json-alert.c#L527
For UDP, you can simply access `Packet::payload`. There is no "stream reassembly" for UDP: https://github.com/OISF/suricata/blob/master/src/output-json-alert.c#L372
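
As an added illustration of the TCP path described above (not code from this ticket or from the Suricata project): a callback in the shape of the `StreamSegmentCallback` that `StreamSegmentForEach` invokes, copying each reassembled segment into a bounded memory block, plus a stand-in driver that feeds it constructed segments so the file builds without the Suricata tree. The callback signature assumed is the Suricata 4.x/5.x one, and `Packet` is an opaque placeholder here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct Packet_ Packet;  /* opaque stand-in for Suricata's Packet */
/* Memory block the reassembled TCP payload is copied into. */
typedef struct StreamBuf_ {
    uint8_t *data;
    uint32_t len;
    uint32_t cap;
    uint32_t max;   /* hard ceiling so a long stream cannot exhaust memory */
} StreamBuf;
/* Same shape as Suricata 4.x/5.x StreamSegmentCallback (assumption; later
 * releases add a TcpSegment * argument). Return 1 to continue, 0 to stop. */
static int StreamBufAppendSegment(const Packet *p, void *cbdata,
                                  const uint8_t *seg, uint32_t seglen)
{
    StreamBuf *sb = cbdata;
    (void)p;
    if (seglen == 0) return 1;
    if (seglen > sb->max - sb->len)        /* would exceed the ceiling */
        return 0;
    uint32_t need = sb->len + seglen;
    if (need > sb->cap) {
        uint32_t ncap = sb->cap ? sb->cap : 256;
        while (ncap < need)                /* grow geometrically, clamp at max */
            ncap = (ncap > sb->max / 2) ? sb->max : ncap * 2;
        uint8_t *n = realloc(sb->data, ncap);
        if (n == NULL) return 0;
        sb->data = n;
        sb->cap = ncap;
    }
    memcpy(sb->data + sb->len, seg, seglen);
    sb->len = need;
    return 1;
}
/* Stand-in for StreamSegmentForEach(): feeds constructed, already ordered
 * segments of an HTTP request line to the callback, as Suricata would. */
static StreamBuf ReassembleDemo(uint32_t max)
{
    static const char *segs[] = { "GET / ", "HTTP/1.1", "\r\n" };
    StreamBuf sb = { NULL, 0, 0, max };
    for (size_t i = 0; i < 3; i++)
        if (!StreamBufAppendSegment(NULL, &sb, (const uint8_t *)segs[i],
                                    (uint32_t)strlen(segs[i])))
            break;
    return sb;
}
```

In Suricata itself the callback would be passed to `StreamSegmentForEach` together with the direction flag, and the walk only covers the segments the reassembler currently holds for that flow, so a consumer has to call it at each point of interest rather than once per stream.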
