feat(#313): Add support for conversion of multiple exported sessions. #368
This pull request adds the ability to convert multiple sessions inside of an exported PDU PCAP. It fixes #313.
This is done by parsing the EXPORTED_PDU header (in a very ad-hoc way, right now) with a custom `Exported` layer to retrieve the `ip.src`, `tcp.sport`, `ip.dst`, and `tcp.dport` tags in the header and modifying the `tcp_both` session extraction code to use the `Exported` layer.

I say the layer is ad-hoc because `EXPORTED_PDU`'s tags are an arbitrary list of tags with the following form:

But right now what I'm doing is hardcoding the list of tags that I've seen in typical exported RDP L7 captures, so it might fail for non-standard exports.
We can fix that when/if it happens. In general if it fails, it's probably because the pcap wasn't exported properly.
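
Added example, not code from this pull request: a generic walk over the exported-PDU tag list that skips unknown tags by their declared length instead of relying on a hardcoded tag sequence, and rejects truncated headers. The tag numbers and the 2-byte tag / 2-byte length big-endian layout are assumed from Wireshark's `exported_pdu_tlvs.h`; `parse_exported_pdu_tags`, `session_key`, `tlv` and `SAMPLE` are hypothetical names.

```python
import socket
import struct

# Tag numbers assumed from Wireshark's exported_pdu_tlvs.h, not from the
# pull request. Tag and length fields are 16-bit big-endian.
TAG_END_OF_OPT = 0
TAG_IPV4_SRC, TAG_IPV4_DST = 20, 21
TAG_SRC_PORT, TAG_DST_PORT = 25, 26


def parse_exported_pdu_tags(data: bytes):
    """Walk the tag list; return (session fields, offset of the payload)."""
    fields, offset = {}, 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated header: no end-of-options tag")
        tag, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        if tag == TAG_END_OF_OPT:
            return fields, offset
        if offset + length > len(data):
            raise ValueError(f"tag {tag} overruns the buffer")
        value = data[offset:offset + length]
        offset += length
        if tag in (TAG_IPV4_SRC, TAG_IPV4_DST) and length == 4:
            key = "ip.src" if tag == TAG_IPV4_SRC else "ip.dst"
            fields[key] = socket.inet_ntoa(value)
        elif tag in (TAG_SRC_PORT, TAG_DST_PORT) and length == 4:
            key = "tcp.sport" if tag == TAG_SRC_PORT else "tcp.dport"
            fields[key] = struct.unpack("!I", value)[0]
        # Any other tag is skipped by its declared length, not rejected.


def session_key(fields):
    """Direction-independent key so both sides of a session group together."""
    a = (fields["ip.src"], fields["tcp.sport"])
    b = (fields["ip.dst"], fields["tcp.dport"])
    return tuple(sorted((a, b)))


def tlv(tag, value=b""):
    return struct.pack("!HH", tag, len(value)) + value


# Constructed sample: a dissector-name tag (12) the parser does not decode,
# the four address/port tags, end-of-options, then two payload bytes.
SAMPLE = (tlv(12, b"tpkt") + tlv(20, bytes([10, 0, 0, 5]))
          + tlv(21, bytes([10, 0, 0, 9])) + tlv(25, struct.pack("!I", 50123))
          + tlv(26, struct.pack("!I", 3389)) + tlv(0) + b"\x03\x00")
```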