TCP Stream Analysis

Question

I want to extract TCP streams of a PCAP file and obtain then analyze parameters of the streams, like iRTT, retransmission rate (something like "tcp.analysis" in Wireshark). I tried to used Pyshark to use Wireshark analysis but it was not available in fields and encountered 'Memory Error' with this code:

import pyshark
pkts = pyshark.FileCapture("test.pcapng", use_ek=False)
streams = {}
for pkt in pkts:
    if 'tcp' not in pkt:
        continue
    if pkt.tcp.stream not in streams:
        streams[pkt.tcp.stream] = list()
    streams[pkt.tcp.stream].append(pkt)

I have no idea how can I use Scapy for my purpose. There are two challenges: Splitting TCP stream in an efficient way, and then calculate the streams' parameters.

What do you recommend?

Answer 1

I would start with tshark which I believe uses the same underlying code as wireshark.

Maybe start with something like

tshark -T fields -e frame.number -e frame.time_epoch \
-e tcp.stream -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
-e tcp.analysis.ack_rtt -r input_file.pcap

You can see the ack RTT in the output of this example, but I'm sure there are other fields besides ack_rtt that are available.

 1   1689889766.834655000   0   10.0.1.10   10.0.1.44   32968     22
 2   1689889767.261635000   0   10.0.1.44   10.0.1.10   22     32968   0.426980000
 3   1689889767.261695000   0   10.0.1.10   10.0.1.44   32968     22   0.000060000
 4   1689889767.262371000   0   10.0.1.10   10.0.1.44   32968     22
 5   1689889767.263970000   0   10.0.1.44   10.0.1.10   22     32968   0.001599000
 6   1689889767.722803000   0   10.0.1.44   10.0.1.10   22     32968
 7   1689889767.722884000   0   10.0.1.10   10.0.1.44   32968     22   0.000081000
 8   1689889767.726569000   0   10.0.1.10   10.0.1.44   32968     22
 9   1689889767.729913000   0   10.0.1.44   10.0.1.10   22     32968   0.003344000
10   1689889767.729942000   0   10.0.1.10   10.0.1.44   32968     22

I don't see anything wrong with your python program though. Adding a section after your code to print out the packets works for me.

import pyshark

pkts = pyshark.FileCapture("test.pcap")
streams = {}
for pkt in pkts:
    if 'tcp' not in pkt:
        continue
    if pkt.tcp.stream not in streams:
        streams[pkt.tcp.stream] = list()
    streams[pkt.tcp.stream].append(pkt)

for stream in streams:
    for pkt in streams[stream]:
        try:
            ack_rtt = pkt.tcp.analysis_ack_rtt
        except AttributeError as e:
            ack_rtt = '-'
        print(f"{pkt.frame_info.number} {stream} {pkt.ip.src} {pkt.ip.dst} {pkt.tcp.srcport} {pkt.tcp.dstport} - ack_rtt: {ack_rtt}")

That gives me the following output:

1 0 172.20.20.2 1.1.1.1 51100 1790 - ack_rtt: -
2 1 172.20.20.2 172.20.20.4 55168 1790 - ack_rtt: -
3 1 172.20.20.4 172.20.20.2 1790 55168 - ack_rtt: 0.000174000
4 1 172.20.20.2 172.20.20.4 55168 1790 - ack_rtt: 0.000072000
5 1 172.20.20.2 172.20.20.4 55168 1790 - ack_rtt: -
6 1 172.20.20.4 172.20.20.2 1790 55168 - ack_rtt: 0.000055000
7 1 172.20.20.2 172.20.20.4 55168 1790 - ack_rtt: -
8 1 172.20.20.4 172.20.20.2 1790 55168 - ack_rtt: 0.000055000
9 1 172.20.20.2 172.20.20.4 55168 1790 - ack_rtt: -
10 1 172.20.20.4 172.20.20.2 1790 55168 - ack_rtt: 0.000170000
11 1 172.20.20.2 172.20.20.4 55168 1790 - ack_rtt: -
12 1 172.20.20.4 172.20.20.2 1790 55168 - ack_rtt: 0.000041000