Support #3227

closed

How to obtain Suricata Reassembled TCP UDP stream in the source code

Added by Berk Ulku over 4 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Affected Versions:
Label:

Description

Hello,
I want to obtain reassembled stream payload for both TCP and UDP in Suricata. How can I obtain stream data in source code? Which methods/classes in the source provide or manipulate stream data?
In short, I want to extract all streaming data from Suricata and use it, when it is sniffing the network.

I installed the binary on my machine and for the time being I am trying to find a function or a class where I can dump reassembled stream payloads (both TCP and UDP) in the C source code so that I can save the stream payload to a memory block instead of parsing EVE JSON or any other log file.

Actions #1

Updated by Andreas Herz over 4 years ago

  • Assignee set to Community Ticket
  • Target version set to Support
Actions #2

Updated by Victor Julien about 4 years ago

I would suggest having a look at how our json output (eve) logs the payload from stream and packets.

For TCP, check `StreamSegmentForEach`. https://github.com/OISF/suricata/blob/master/src/output-json-alert.c#L527
For UDP, you can simply access `Packet::payload`. There is no "stream reassembly" for UDP: https://github.com/OISF/suricata/blob/master/src/output-json-alert.c#L372
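
The following is an added example, not code from this ticket or from the Suricata project, showing what a callback in the shape `StreamSegmentForEach` expects looks like when its job is to copy reassembled TCP data into a memory block rather than log it, plus the direct `Packet::payload` read that suffices for UDP. Suricata's headers are not included, so `Packet` is a minimal stand-in with only the two fields used here, and `FakeStreamSegmentForEach` is a constructed driver that feeds constructed segments to the callback in place of the real `StreamSegmentForEach`; inside Suricata you would pass `CollectSegmentCallback` and a `StreamSink` to the real function instead.

```c
/* Added example (not Suricata code): collect reassembled TCP stream data
 * into memory via a StreamSegmentForEach-style callback, and read UDP
 * payload straight from the packet. Packet and the ForEach driver are
 * stand-ins so the file builds without Suricata's headers. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Suricata's Packet: only the fields this example touches. */
typedef struct Packet_ {
    const uint8_t *payload;   /* UDP: the datagram payload (Packet::payload) */
    uint32_t payload_len;     /* UDP: its length (Packet::payload_len) */
} Packet;

/* Growable byte buffer that receives stream data instead of a log file. */
typedef struct StreamSink_ {
    uint8_t *buf;
    size_t len;
    size_t cap;
} StreamSink;

static int StreamSinkAppend(StreamSink *sink, const uint8_t *data, uint32_t len)
{
    if (len == 0)
        return 0;
    if (sink->len + len > sink->cap) {
        size_t newcap = sink->cap ? sink->cap : 256;
        while (newcap < sink->len + len)
            newcap *= 2;
        uint8_t *nb = realloc(sink->buf, newcap);
        if (nb == NULL)
            return -1;
        sink->buf = nb;
        sink->cap = newcap;
    }
    memcpy(sink->buf + sink->len, data, len);
    sink->len += len;
    return 0;
}

/* Same parameter list as the callback StreamSegmentForEach invokes once per
 * reassembled segment. Returning 1 means "keep iterating", the convention
 * the eve alert logger's segment callback follows. */
static int CollectSegmentCallback(const Packet *p, void *data,
                                  const uint8_t *buf, uint32_t buflen)
{
    (void)p;
    StreamSink *sink = data;
    if (StreamSinkAppend(sink, buf, buflen) != 0)
        return 0;   /* allocation failed: stop the iteration */
    return 1;
}

/* UDP has no reassembly: the datagram payload is read from the packet. */
static int CollectUdpPayload(const Packet *p, StreamSink *sink)
{
    return StreamSinkAppend(sink, p->payload, p->payload_len);
}

typedef int (*StreamSegmentCallback)(const Packet *, void *, const uint8_t *, uint32_t);

/* Constructed stand-in for StreamSegmentForEach(): delivers a fixed list of
 * segments and stops unless the callback returns 1. Returns the number of
 * segments delivered, or -1 if the callback aborted. */
static int FakeStreamSegmentForEach(const Packet *p, const uint8_t **segs,
                                    const uint32_t *lens, int nsegs,
                                    StreamSegmentCallback cb, void *data)
{
    for (int i = 0; i < nsegs; i++) {
        if (cb(p, data, segs[i], lens[i]) != 1)
            return -1;
    }
    return nsegs;
}

/* Demo: three constructed segments that together form one HTTP request.
 * Returns the number of bytes collected into the sink (0 on failure). */
static size_t DemoCollectTcp(StreamSink *sink)
{
    static const uint8_t s1[] = "GET /index";
    static const uint8_t s2[] = ".html HTTP/1.1\r\n";
    static const uint8_t s3[] = "Host: example.test\r\n\r\n";
    const uint8_t *segs[] = { s1, s2, s3 };
    const uint32_t lens[] = { sizeof(s1) - 1, sizeof(s2) - 1, sizeof(s3) - 1 };
    Packet p = { .payload = NULL, .payload_len = 0 };
    if (FakeStreamSegmentForEach(&p, segs, lens, 3, CollectSegmentCallback, sink) < 0)
        return 0;
    return sink->len;
}

int main(void)
{
    StreamSink sink = { 0 };
    size_t n = DemoCollectTcp(&sink);
    printf("collected %zu bytes:\n%.*s", n, (int)n, (const char *)sink.buf);
    free(sink.buf);
    return 0;
}
```

Because the sink is a plain memory block, the same `StreamSink` can be handed to `CollectUdpPayload` for UDP packets and to the callback for TCP flows; the caller is responsible for freeing `buf` and for deciding per flow when the collected data is complete.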

Actions #3

Updated by Andreas Herz over 3 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
