Remove example docs from readme
jmaxxz committed Feb 25, 2015
1 parent 5135d3a commit 05acd54
Showing 1 changed file with 4 additions and 254 deletions.
258 changes: 4 additions & 254 deletions README.md
Expand Up @@ -149,26 +149,6 @@ see the wonderful things it can do for you. Hopefully the names of the properti
, dst_name: '75.119.207.0:80'
, current_cap_time: 1280425738911.65

### HTTP Analysis

The `TCP_tracker` also detects and decodes HTTP on all streams it receives. If HTTP is detected, several
new events will be emitted:

* `http request`: function(session, http)
* `http request body`: function(session, http, data)

Note that `data` is a node Buffer object sliced from the original packet. If you want to use it past the
current tick, you'll need to make a copy somehow.

* `http request complete`: function(session, http)
* `http response`: function(session, http)
* `http response body`: function(session, http, data)

`data` is a Buffer slice. See above.

* `http response complete`: function(session, http)

See `http_trace` for an example of how to use these events to decode HTTP.

### WebSocket Analysis

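Review bot: the block deleted in this hunk is API documentation rather than example docs: it is the only place the `http request`, `http request body`, `http request complete`, `http response`, `http response body` and `http response complete` events of `TCP_tracker` and their `function(session, http[, data])` handler signatures are listed, and the WebSocket section that survives below still documents `websocket upgrade: function(session, http)` with an `http` argument that is now described nowhere. The warning that `data` is a Buffer sliced from the original packet and must be copied before being used past the current tick is a correctness caveat for consumers, not sample output. Suggest keeping the event list and the Buffer note and removing only the `See http_trace` pointer if the intent is to drop the external example, or replacing the section with a link to wherever these events are now documented.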
Expand All @@ -177,7 +157,7 @@ The `TCP_tracker` further detects and decodes WebSocket traffic on all streams i
* `websocket upgrade`: function(session, http)
* `websocket message`: function(session, dir, message)

See `http_trace` for an example of how to use these events to decode WebSocket.
See [http_trace](https://github.com/mranney/http_trace) for an example of how to use these events to decode WebSocket.


## Some Common Problems
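Review bot: since `http_trace` no longer lives in this tree, the sentence should say it is a separate project so readers do not look for a local file, e.g. `See the separate [http_trace](https://github.com/mranney/http_trace) project for an example of how to use these events to decode WebSocket.` Note also that the identical `See http_trace for an example of how to use these events to decode HTTP.` line in the hunk above is being deleted outright instead of receiving the same link, so after this commit this WebSocket sentence is the only remaining pointer to a worked example.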
Expand Down Expand Up @@ -208,9 +188,9 @@ Sadly, `node_pcap` does not know how to decode IPv6 packets yet. Often when cap
will arrive surprisingly, even though you were expecting IPv4. A common case is the hostname `localhost`, which many client programs will
resolve to the IPv6 address `::1` and then will try `127.0.0.1`. Until we get IPv6 decode support, a `libpcap` filter can be
set to only see IPv4 traffic:

sudo http_trace lo0 "ip proto \tcp"

```
"ip proto \tcp"
```
The backslash is important. The pcap filter language has an ambiguity with the word "tcp", so by escaping it,
you'll get the correct interpretation for this case.

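Review bot: the replacement fence drops the `sudo http_trace lo0` wrapper and shows the filter as a bare quoted string `"ip proto \tcp"`, which now reads as a string literal; pasted into JavaScript source, `\t` is a tab escape and the filter becomes `ip proto <TAB>cp`, which defeats the escaping the paragraph below explains. Either keep the full shell command inside the fence (in double quotes the shell passes `\t` through to libpcap unchanged) or show the JavaScript form with a doubled backslash, `'ip proto \\tcp'`, and tag the fence (```bash or ```js) so the reader knows which context the quoting applies to.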
Expand All @@ -225,236 +205,6 @@ If the pcap filters are set correctly and `libpcap` still drops packets, it is p
buffer size. At the moment, this requires changing `pcap_binding.cc`. Look for `pcap_set_buffer_size()` and
set to a larger value.

## examples/simple_capture

This program captures packets and prints them using the built in simple printer. Here's a sample of it's output.
In another window I ran `curl nodejs.org`.

mjr:~/work/node_pcap$ sudo node examples/simple_capture.js en1 ""
libpcap version 1.0.0
en0 no address
* en1 10.240.0.133/255.255.255.0
lo0 127.0.0.1/255.0.0.0
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 10.240.0.1 ARP request 10.240.0.133
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c 10.240.0.133 ARP reply 10.240.0.1 hwaddr 00:18:39:ff:f9:1c
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c 10.240.0.133:53808 -> 97.107.132.72:80 TCP len 64
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c 10.240.0.133:57052 -> 10.240.0.1:53 DNS question 133.0.240.10.in-addr.arpa PTR
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c 10.240.0.133:57052 -> 10.240.0.1:53 DNS question 72.132.107.97.in-addr.arpa PTR
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c 10.240.0.133:57052 -> 10.240.0.1:53 DNS question 1.0.240.10.in-addr.arpa PTR
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 10.240.0.1:53 -> 10.240.0.133:57052 DNS answer 133.0.240.10.in-addr.arpa PTR
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 10.240.0.1:53 -> rv-mjr2.ranney.com:57052 DNS answer 72.132.107.97.in-addr.arpa PTR
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 10.240.0.1:53 -> rv-mjr2.ranney.com:57052 DNS answer 1.0.240.10.in-addr.arpa PTR
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 tinyclouds.org:80 -> rv-mjr2.ranney.com:53808 TCP len 60
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c rv-mjr2.ranney.com:53808 -> tinyclouds.org:80 TCP len 52
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c rv-mjr2.ranney.com:53808 -> tinyclouds.org:80 TCP len 196
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 tinyclouds.org:80 -> rv-mjr2.ranney.com:53808 TCP len 52
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 tinyclouds.org:80 -> rv-mjr2.ranney.com:53808 TCP len 1500
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 tinyclouds.org:80 -> rv-mjr2.ranney.com:53808 TCP len 1500
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c rv-mjr2.ranney.com:53808 -> tinyclouds.org:80 TCP len 52
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 tinyclouds.org:80 -> rv-mjr2.ranney.com:53808 TCP len 1500
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c rv-mjr2.ranney.com:53808 -> tinyclouds.org:80 TCP len 52
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 tinyclouds.org:80 -> rv-mjr2.ranney.com:53808 TCP len 1500
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 tinyclouds.org:80 -> rv-mjr2.ranney.com:53808 TCP len 1500
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c rv-mjr2.ranney.com:53808 -> tinyclouds.org:80 TCP len 52
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 tinyclouds.org:80 -> rv-mjr2.ranney.com:53808 TCP len 1500
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c rv-mjr2.ranney.com:53808 -> tinyclouds.org:80 TCP len 52
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 tinyclouds.org:80 -> rv-mjr2.ranney.com:53808 TCP len 1500
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 tinyclouds.org:80 -> rv-mjr2.ranney.com:53808 TCP len 337
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c rv-mjr2.ranney.com:53808 -> tinyclouds.org:80 TCP len 52
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c rv-mjr2.ranney.com:53808 -> tinyclouds.org:80 TCP len 52
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c rv-mjr2.ranney.com:53808 -> tinyclouds.org:80 TCP len 52
00:18:39:ff:f9:1c -> 00:1f:5b:ce:3e:29 tinyclouds.org:80 -> rv-mjr2.ranney.com:53808 TCP len 52
00:1f:5b:ce:3e:29 -> 00:18:39:ff:f9:1c rv-mjr2.ranney.com:53808 -> tinyclouds.org:80 TCP len 52


## Output from `session.findalldevs`:

[ { name: 'en0'
, addresses:
[ { addr: '10.51.2.183'
, netmask: '255.255.255.0'
, broadaddr: '10.51.2.255'
}
]
}
, { name: 'fw0', addresses: [] }
, { name: 'en1', addresses: [] }
, { name: 'lo0'
, addresses: [ { addr: '127.0.0.1', netmask: '255.0.0.0' } ]
, flags: 'PCAP_IF_LOOPBACK'
}
]


### Deep decode of `curl nodejs.org`:

Running `sys.inspect` on the first three decoded packets of this TCP session.

First packet, TCP SYN:

{ ethernet:
{ dhost: '00:18:39:ff:f9:1c'
, shost: '00:1f:5b:ce:3e:29'
, ethertype: 2048
, ip:
{ version: 4
, header_length: 5
, diffserv: 0
, total_length: 64
, identification: 49042
, flags: { reserved: 0, df: 1, mf: 0 }
, fragment_offset: 0
, ttl: 64
, protocol: 6
, header_checksum: 35325
, saddr: '10.240.0.133'
, daddr: '97.107.132.72'
, protocol_name: 'TCP'
, tcp:
{ sport: 57230
, dport: 80
, seqno: 4179361823
, ackno: 1540242985
, data_offset: 11
, reserved: 0
, flags:
{ cwr: 0
, ece: 0
, urg: 0
, ack: 0
, psh: 0
, rst: 0
, syn: 1
, fin: 0
}
, window_size: 65535
, checksum: 2601
, urgent_pointer: 0
, payload_offset: 78
, payload: { length: 0 }
}
}
}
, pcap_header:
{ time: Sat, 22 May 2010 07:48:40 GMT
, tv_sec: 1274514520
, tv_usec: 820479
, caplen: 78
, len: 78
, link_type: 'LINKTYPE_ETHERNET'
}
}

Second packet, TCP SYN+ACK:

{ ethernet:
{ dhost: '00:1f:5b:ce:3e:29'
, shost: '00:18:39:ff:f9:1c'
, ethertype: 2048
, ip:
{ version: 4
, header_length: 5
, diffserv: 32
, total_length: 60
, identification: 0
, flags: { reserved: 0, df: 1, mf: 0 }
, fragment_offset: 0
, ttl: 48
, protocol: 6
, header_checksum: 22900
, saddr: '97.107.132.72'
, daddr: '10.240.0.133'
, protocol_name: 'TCP'
, tcp:
{ sport: 80
, dport: 57230
, seqno: 1042874392
, ackno: 973076764
, data_offset: 10
, reserved: 0
, flags:
{ cwr: 0
, ece: 0
, urg: 0
, ack: 1
, psh: 0
, rst: 0
, syn: 1
, fin: 0
}
, window_size: 5792
, checksum: 35930
, urgent_pointer: 0
, payload_offset: 74
, payload: { length: 0 }
}
}
}
, pcap_header:
{ time: Sat, 22 May 2010 07:48:40 GMT
, tv_sec: 1274514520
, tv_usec: 915980
, caplen: 74
, len: 74
, link_type: 'LINKTYPE_ETHERNET'
}
}

Third packet, TCP ACK, 3-way handshake is now complete:

{ ethernet:
{ dhost: '00:18:39:ff:f9:1c'
, shost: '00:1f:5b:ce:3e:29'
, ethertype: 2048
, ip:
{ version: 4
, header_length: 5
, diffserv: 0
, total_length: 52
, identification: 39874
, flags: { reserved: 0, df: 1, mf: 0 }
, fragment_offset: 0
, ttl: 64
, protocol: 6
, header_checksum: 44505
, saddr: '10.240.0.133'
, daddr: '97.107.132.72'
, protocol_name: 'TCP'
, tcp:
{ sport: 57230
, dport: 80
, seqno: 4179361823
, ackno: 1540242985
, data_offset: 8
, reserved: 0
, flags:
{ cwr: 0
, ece: 0
, urg: 0
, ack: 1
, psh: 0
, rst: 0
, syn: 0
, fin: 0
}
, window_size: 65535
, checksum: 53698
, urgent_pointer: 0
, payload_offset: 66
, payload: { length: 0 }
}
}
}
, pcap_header:
{ time: Sat, 22 May 2010 07:48:40 GMT
, tv_sec: 1274514520
, tv_usec: 916054
, caplen: 66
, len: 66
, link_type: 'LINKTYPE_ETHERNET'
}
}

## Help Wanted

I want to build up decoders and printers for all popular protocols. Patches are welcome.
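Review bot: the `Deep decode of curl nodejs.org` dumps removed here are the README's only description of the decoded packet object (`ethernet.shost`, `ethernet.ip.saddr`, `ip.tcp.flags.syn`, `tcp.payload_offset`, `pcap_header.caplen`, `link_type`, and so on), and the `session.findalldevs` dump is the only description of the device-list shape; consumers match on those field names, so deleting them leaves the README with no schema reference while the `TCP_tracker` and WebSocket sections above still assume the reader knows it. Dropping the long `simple_capture` transcript is fine (it incidentally also takes the internal hostnames and hardware addresses out of the docs), but consider keeping one decoded packet, or adding a sentence pointing at `examples/` or the decoder source for the field layout.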

0 comments on commit 05acd54