Support #3227
Status: closed
How to obtain Suricata reassembled TCP/UDP stream in the source code
Description
Hello,
I want to obtain the reassembled stream payload for both TCP and UDP in Suricata. How can I obtain stream data in the source code? Which methods/classes in the source provide or manipulate stream data?
Shortly, I want to extract all streaming data from Suricata and use it, when it is sniffing the network.
I installed the binary on my machine and for the time being I am trying to find a function or a class where I can dump reassembled stream payloads (both TCP and UDP) in the C source code, so that I can save the stream payload to a memory block instead of parsing EVE JSON or any other log file.
Updated by Andreas Herz over 4 years ago
- Assignee set to Community Ticket
- Target version set to Support
Updated by Victor Julien about 4 years ago
I would suggest having a look at how our json output (eve) logs the payload from stream and packets.
For TCP, check `StreamSegmentForEach`. https://github.com/OISF/suricata/blob/master/src/output-json-alert.c#L527
For UDP, you can simply access `Packet::payload`. There is no "stream reassembly" for UDP: https://github.com/OISF/suricata/blob/master/src/output-json-alert.c#L372
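As an added illustration of the two approaches named in the answer above (this is example code, not Suricata's own source), the block below collects reassembled TCP segments into one bounded memory block through a `StreamSegmentForEach`-style callback, and takes the UDP payload straight from the packet. The `Packet` struct, the `StreamSegmentCallback` signature and `MockStreamSegmentForEach` are stand-ins modelled on what the answer describes; the real callback type and `StreamSegmentForEach` declaration should be checked in Suricata's `stream.h` before wiring this in. The HTTP request split across three segments is constructed sample data. The `max` cap is the check a practitioner wants here: a per-flow buffer that grows without limit is a memory-exhaustion risk on a sensor, so refused bytes are counted instead of silently extending the block.

```c
/* Added example, not Suricata's code: dump reassembled TCP bytes into a capped
 * memory block via a StreamSegmentForEach-style callback; UDP copies Packet::payload. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Suricata's Packet with only the fields used here (assumption). */
typedef struct Packet_ {
    const uint8_t *payload;
    uint32_t payload_len;
} Packet;

/* Callback shape modelled on Suricata's StreamSegmentCallback (assumed; verify in stream.h). */
typedef int (*StreamSegmentCallback)(const Packet *p, void *data,
                                     const uint8_t *buf, uint32_t buflen);

/* Growable memory block for one flow; `max` bounds memory use per flow. */
typedef struct {
    uint8_t *data;
    size_t len, cap;
    size_t max;      /* never hold more than this many bytes */
    size_t dropped;  /* bytes refused because of max or allocation failure */
} StreamDump;

static void StreamDumpInit(StreamDump *d, size_t max) { memset(d, 0, sizeof(*d)); d->max = max; }
static void StreamDumpFree(StreamDump *d) { free(d->data); d->data = NULL; d->len = d->cap = 0; }

/* Append buflen bytes; returns 1 on success, 0 if the bytes were dropped. */
static int StreamDumpAppend(StreamDump *d, const uint8_t *buf, uint32_t buflen)
{
    if (buflen == 0) return 1;
    if (buflen > d->max - d->len) { d->dropped += buflen; return 0; }   /* cap reached */
    if (d->len + buflen > d->cap) {
        size_t ncap = d->cap ? d->cap : 64;
        while (ncap < d->len + buflen) ncap *= 2;
        if (ncap > d->max) ncap = d->max;
        uint8_t *n = realloc(d->data, ncap);
        if (n == NULL) { d->dropped += buflen; return 0; }
        d->data = n; d->cap = ncap;
    }
    memcpy(d->data + d->len, buf, buflen);
    d->len += buflen;
    return 1;
}

/* The callback to hand to StreamSegmentForEach(); `data` is our StreamDump. */
static int DumpSegmentCallback(const Packet *p, void *data, const uint8_t *buf, uint32_t buflen)
{
    (void)p;
    return StreamDumpAppend((StreamDump *)data, buf, buflen);
}

/* Mock of StreamSegmentForEach(): walks constructed in-order segments and calls cb on each.
 * In Suricata the real function walks the TCP session's segment list instead. */
static int MockStreamSegmentForEach(const Packet *p, const char *const segs[], size_t nsegs,
                                    StreamSegmentCallback cb, void *data)
{
    int appended = 0;
    for (size_t i = 0; i < nsegs; i++)
        appended += cb(p, data, (const uint8_t *)segs[i], (uint32_t)strlen(segs[i]));
    return appended;
}

/* UDP has no stream reassembly: the datagram payload is the whole message. */
static int DumpUdpPayload(const Packet *p, StreamDump *d)
{
    return StreamDumpAppend(d, p->payload, p->payload_len);
}

/* Constructed sample: one HTTP request split across three TCP segments. */
static const char *const kTcpSegments[] = { "GET / HT", "TP/1.1\r\n", "Host: a\r\n\r\n" };
static const char *const kTcpExpected = "GET / HTTP/1.1\r\nHost: a\r\n\r\n";
#define kTcpSegmentCount (sizeof(kTcpSegments) / sizeof(kTcpSegments[0]))

static void RunTcpDemo(size_t max, StreamDump *d)
{
    Packet p = { NULL, 0 };
    StreamDumpInit(d, max);
    MockStreamSegmentForEach(&p, kTcpSegments, kTcpSegmentCount, DumpSegmentCallback, d);
}

size_t TcpDemoLen(size_t max)     { StreamDump d; RunTcpDemo(max, &d); size_t r = d.len;     StreamDumpFree(&d); return r; }
size_t TcpDemoDropped(size_t max) { StreamDump d; RunTcpDemo(max, &d); size_t r = d.dropped; StreamDumpFree(&d); return r; }

int TcpDemoMatches(void)
{
    StreamDump d; RunTcpDemo(1u << 20, &d);
    int ok = d.data != NULL && d.len == strlen(kTcpExpected) && memcmp(d.data, kTcpExpected, d.len) == 0;
    StreamDumpFree(&d);
    return ok;
}

int UdpDemoMatches(void)
{
    static const uint8_t dgram[] = "\x12\x34\x01\x00";          /* constructed 4-byte datagram */
    Packet p = { dgram, 4 };
    StreamDump d; StreamDumpInit(&d, 1u << 20);
    int ok = DumpUdpPayload(&p, &d) && d.len == 4 && memcmp(d.data, dgram, 4) == 0;
    StreamDumpFree(&d);
    return ok;
}

int main(void)
{
    printf("tcp bytes=%zu dropped=%zu match=%d; udp match=%d\n",
           TcpDemoLen(1u << 20), TcpDemoDropped(1u << 20), TcpDemoMatches(), UdpDemoMatches());
    return 0;
}
```

With the cap set to 16 bytes the third segment (11 bytes) is refused and counted in `dropped` rather than growing the block, which is the behaviour you want on a sensor where one large flow must not exhaust memory.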
Updated by Andreas Herz over 3 years ago
- Status changed from New to Closed
Hi, we're closing this issue since there have been no further responses. If you think this bug is still relevant, try to test it again with the most recent version of Suricata and reopen the issue. If you want to improve the bug report please take a look at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs