Uploaded image for project: 'Apache Drill'
  1. Apache Drill
  2. DRILL-7443

Enable PCAP Plugin to Reassemble TCP Streams

    XMLWordPrintableJSON

    Details

      Description

      One common task in network forensics is reassembling TCP streams from captured network data.  This PR adds this capability to Drill.

      Usage

      To enable TCP re-sessionization, in the configuration for the PCAP reader, simply set the variable: sessionizeTCPStreams to true.

      This can also be accomplished at query time by using the table() method.

      SELECT * FROM table(dfs.test.`attack-trace.pcap` (type => 'pcap', sessionizeTCPStreams=> true))

      Results

      When this option is enabled, Drill will ignore all packets that are not TCP packets.
      Executing a query with this option enables changes the results Drill will return from PCAP files.

      You will get the following columns:

      • session_start_time: The start time of the session
      • session_end_time: The ending time of the session
      • session_duration: The duration of the session. This will be a Drill PERIOD datatype.
      • total_packet_count: The number of packets in the session
      • connection_time: The amount of time it took for the TCP handshake to be completed. Useful for network diagnostics
      • src_ip: The IP address of the initiating machine
      • dst_ip: The IP address of the remote machine
      • src_port: The port of the originating machine
      • dst_port: The port of the remote machine
      • src_mac_address: The MAC address of the originating machine
      • dst_mac_address: The MAC address of the remote machine
      • tcp_session: This is the session hash for the TCP session. (Long)
      • is_corrupt: True/false if the session contains corrupted packets
      • data_from_originator: The data sent from the originator
      • data_from_remote: The data sent from the remote machine
      • data_volume_from_remote: The number of bytes sent from the remote host
      • data_volume_from_origin: The number of bytes sent from the originating machine
      • packet_count_from_origin: The number of packets sent from the originating machine
      • packet_count_from_remote: The number of packets sent from the remote machine
         
         

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                cgivre Charles Givre
                Reporter:
                cgivre Charles Givre
                Reviewer:
                Arina Ielchiieva
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: