
Parsing a decrypted PDU-L7 Pcap with multiple sessions does not work #313

Closed
obilodeau opened this issue Apr 28, 2021 · 4 comments · Fixed by #368
Labels: bug (Something isn't working), investigate (Needs more thought / experience), workaround (A workaround exists for this bug)

Comments

@obilodeau (Collaborator) commented Apr 28, 2021

I am able to reliably reproduce a bug where a Pcap with exported PDUs containing more than one session of the same source and destination IPs is getting mixed up and doesn't convert to the correct replay file or mp4.

We should probably cleanly separate streams in the PDU parsing code. Not sure how to do that with PDU level packets (is the information available in the wireshark trace?).

Workaround: walking the pcap with filters like tcp.stream eq <1, 2, .. N> and exporting one PDU-L7 pcap per TCP stream works.

obilodeau added the bug, investigate and workaround labels on Apr 28, 2021
@alxbl (Collaborator) commented May 24, 2021

I think exported PDUs don't have proper source/dst information, so all streams get mangled together into one big soup. We should check if there's any info in the exported PDUs that could make it possible to distinguish them.

@obilodeau (Collaborator, Author) commented:

Good point @alxbl! I'll check but if what we need to distinguish isn't available, we will simply update our instructions to differentiate streams before exporting and document the limitation.

alxbl self-assigned this on Oct 16, 2021
@alxbl (Collaborator) commented Oct 24, 2021

I think there's a clever way to do this by using the EXPORTEDPDU's source port and destination port tags. We can base it on the tuple (src,dst) to identify conversations, assuming that no two connections re-use the client-side port. This should work in like 99.9% of the cases. I'll look into how this could be implemented and get a capture to try with.

@alxbl (Collaborator) commented Oct 26, 2021

I managed to get something working by parsing the Exported PDUs and creating sessions with the information available in the tags... it's messy right now but I'll clean up the code and open a PR tomorrow.

```text
Analyzing PCAP 'multi-export.pcap' ...
    - 10.2.0.1 -> 10.2.0.126: plaintext
    - 10.2.0.1 -> 10.2.0.126: plaintext
    - 10.2.0.1 -> 10.2.0.126: plaintext
[*] Processing 10.2.0.1 -> 10.2.0.126
100% (185 of 185) |#############################################################################################################################################################| Elapsed Time: 0:00:00 Time:  0:00:00

[+] Successfully wrote
[*] Processing 10.2.0.1 -> 10.2.0.126
100% (78 of 78) |###############################################################################################################################################################| Elapsed Time: 0:00:00 Time:  0:00:00

[+] Successfully wrote
[*] Processing 10.2.0.1 -> 10.2.0.126
100% (436 of 436) |#############################################################################################################################################################| Elapsed Time: 0:00:00 Time:  0:00:00

[+] Successfully wrote
```
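The approach alxbl describes in the last two comments (keying conversations on the Exported PDU address and port tags, then building one session per tuple), written out as a stand-alone added example. This is not PyRDP's code and not the fix that landed in #368. Tag numbers follow Wireshark's epan/exported_pdu.h (link type 252, big-endian TLVs); the minimal pcap reader, the record builder and the three-connection sample capture (10.2.0.1 to 10.2.0.126, mirroring the output above) are constructed here for illustration. It also does two things the comment only implies: it folds both directions of a connection into one session, and it refuses a record that carries no address tags rather than merging every stream into one, which is the failure mode reported at the top of the issue.

```python
# Added example (not PyRDP code): split a Wireshark Exported PDU (PDU-L7) capture
# into per-connection sessions using the address/port tags carried in each record.
import struct
from collections import OrderedDict

LINKTYPE_WIRESHARK_UPPER_PDU = 252
# Tag numbers from Wireshark's epan/exported_pdu.h
EXP_PDU_TAG_END_OF_OPT = 0
EXP_PDU_TAG_PROTO_NAME = 12
EXP_PDU_TAG_IPV4_SRC = 20
EXP_PDU_TAG_IPV4_DST = 21
EXP_PDU_TAG_SRC_PORT = 25
EXP_PDU_TAG_DST_PORT = 26

def parse_exported_pdu(record):
    """Return (tags, payload) for one record: big-endian (u16 tag, u16 len, value) TLVs
    up to END_OF_OPT, then the exported L7 bytes. Unknown tags are skipped."""
    tags, offset = {}, 0
    while True:
        if offset + 4 > len(record):
            raise ValueError("truncated Exported PDU header")
        tag, length = struct.unpack_from(">HH", record, offset)
        value = record[offset + 4:offset + 4 + length]
        if len(value) != length:
            raise ValueError("truncated Exported PDU tag %d" % tag)
        offset += 4 + length
        if tag == EXP_PDU_TAG_END_OF_OPT:
            return tags, record[offset:]
        if tag in (EXP_PDU_TAG_IPV4_SRC, EXP_PDU_TAG_IPV4_DST):
            tags[tag] = ".".join(str(b) for b in value[:4])
        elif tag in (EXP_PDU_TAG_SRC_PORT, EXP_PDU_TAG_DST_PORT):
            tags[tag] = int.from_bytes(value, "big")  # Wireshark writes 4-byte ports

def iter_pcap_records(data):
    """Yield (timestamp, record) from a classic pcap of link type 252 (either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_WIRESHARK_UPPER_PDU:
        raise ValueError("expected an Exported PDU capture, got link type %d" % linktype)
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len

def split_sessions(pcap_bytes):
    """Bucket PDUs by connection, keyed on the (src, dst) endpoints from the tags.
    The first PDU seen for a pair defines the client side, so replies join the same
    session. Caveat: a client re-using a source port for a second connection cannot
    be told apart here and would be merged into the first one."""
    needed = (EXP_PDU_TAG_IPV4_SRC, EXP_PDU_TAG_SRC_PORT, EXP_PDU_TAG_IPV4_DST, EXP_PDU_TAG_DST_PORT)
    sessions = OrderedDict()
    for ts, record in iter_pcap_records(pcap_bytes):
        tags, payload = parse_exported_pdu(record)
        if any(t not in tags for t in needed):
            # Nothing separates the streams: refuse instead of silently merging them.
            raise ValueError("record has no address/port tags; export one pcap per tcp.stream")
        src = (tags[EXP_PDU_TAG_IPV4_SRC], tags[EXP_PDU_TAG_SRC_PORT])
        dst = (tags[EXP_PDU_TAG_IPV4_DST], tags[EXP_PDU_TAG_DST_PORT])
        key = (dst, src) if (dst, src) in sessions else (src, dst)
        direction = "client->server" if key[0] == src else "server->client"
        sessions.setdefault(key, []).append((ts, direction, payload))
    return sessions

def build_exported_pdu(src, sport, dst, dport, payload):
    """Encode one record the way the exporter lays it out (used to construct sample input)."""
    tlv = lambda tag, value: struct.pack(">HH", tag, len(value)) + value
    ipv4 = lambda text: bytes(int(octet) for octet in text.split("."))
    return (tlv(EXP_PDU_TAG_PROTO_NAME, b"rdp")  # not parsed above: exercises tag skipping
            + tlv(EXP_PDU_TAG_IPV4_SRC, ipv4(src)) + tlv(EXP_PDU_TAG_IPV4_DST, ipv4(dst))
            + tlv(EXP_PDU_TAG_SRC_PORT, struct.pack(">I", sport))
            + tlv(EXP_PDU_TAG_DST_PORT, struct.pack(">I", dport))
            + tlv(EXP_PDU_TAG_END_OF_OPT, b"") + payload)

def build_pcap(records):
    """Wrap records in a little-endian classic pcap with link type 252."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_WIRESHARK_UPPER_PDU)
    for i, rec in enumerate(records):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(rec), len(rec)) + rec
    return out

# Constructed sample: three connections from one client IP to one server, interleaved.
CLIENT, SERVER, RDP_PORT = "10.2.0.1", "10.2.0.126", 3389
SAMPLE_PCAP = build_pcap([
    build_exported_pdu(CLIENT, 50001, SERVER, RDP_PORT, b"conn1-request"),
    build_exported_pdu(CLIENT, 50002, SERVER, RDP_PORT, b"conn2-request"),
    build_exported_pdu(SERVER, RDP_PORT, CLIENT, 50001, b"conn1-response"),
    build_exported_pdu(CLIENT, 50003, SERVER, RDP_PORT, b"conn3-request"),
    build_exported_pdu(SERVER, RDP_PORT, CLIENT, 50003, b"conn3-response"),
])

if __name__ == "__main__":
    for (client, server), pdus in split_sessions(SAMPLE_PCAP).items():
        print("%s:%d -> %s:%d: %d PDUs" % (client + server + (len(pdus),)))
```

Running the module prints one line per session (three here, all 10.2.0.1 to 10.2.0.126 but on different client ports). The port re-use caveat from the Oct 24 comment still applies: a second connection from the same client port would land in the first session. For an export whose records carry no address tags, the only option is the per-tcp.stream export workaround from the first comment, and the code rejects such a file instead of producing a merged stream.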

obilodeau pushed a commit that referenced this issue Jan 7, 2022
obilodeau added a commit that referenced this issue Jan 7, 2022
feat(#313): Add support for conversion of multiple exported sessions.
obilodeau pushed a commit that referenced this issue Jan 17, 2022