http://git-wip-us.apache.org/repos/asf/metron/blob/d5eb56a9/metron-interface/metron-alerts/src/app/pcap/service/pcap.service.spec.ts
----------------------------------------------------------------------
diff --git a/metron-interface/metron-alerts/src/app/pcap/service/pcap.service.spec.ts b/metron-interface/metron-alerts/src/app/pcap/service/pcap.service.spec.ts
new file mode 100644
index 0000000..244a3ea
--- /dev/null
+++ b/metron-interface/metron-alerts/src/app/pcap/service/pcap.service.spec.ts
@@ -0,0 +1,1752 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { TestBed, async, inject } from '@angular/core/testing';
+import {
+ BaseRequestOptions,
+ HttpModule,
+ Http,
+ Response,
+ ResponseOptions
+} from '@angular/http';
+import { MockBackend } from '@angular/http/testing';
+
+import { PcapService } from './pcap.service';
+import { PcapRequest } from '../model/pcap.request';
+
+describe('PcapService', () => {
+ beforeEach(() => {
+
+ TestBed.configureTestingModule({
+ imports: [HttpModule],
+ providers: [
+ PcapService,
+ {
+ provide: Http,
+ useFactory: (mockBackend, options) => {
+ return new Http(mockBackend, options);
+ },
+ deps: [MockBackend, BaseRequestOptions]
+ },
+ MockBackend,
+ BaseRequestOptions
+ ]
+ });
+ });
+ describe('getPackets()', () => {
+ it('should return an Observable<Response>',
+ inject([PcapService, MockBackend], (pcapService, mockBackend) => {
+
+ let request: PcapRequest = {
+ startTimeMs: 0,
+ endTimeMs: 0,
+ ipSrcAddr: '0.0.0.0',
+ ipSrcPort: '80',
+ ipDstAddr: '0.0.0.0',
+ ipDstPort: '80',
+ protocol: '*',
+ packetFilter: '*',
+ includeReverse: false,
+ };
+
+ mockBackend.connections.subscribe((connection) => {
+ connection.mockRespond(new Response(new 
ResponseOptions({body: pdml_json()}))); + }); + let packets; + pcapService.getPackets(request).subscribe(r => packets = r) + expect(packets).toBeTruthy() + expect(packets.pdml).toBeTruthy() + expect(packets.pdml.packet.length).toBe(1) + expect(packets.pdml.packet[0].proto.length).toBeGreaterThan(3) + + console.log(packets) + })) + + + it('should ...', inject([PcapService], (service: PcapService) => { + expect(service).toBeTruthy(); + })); + + }) + +}); + + + + +function pdml_json() { + return `{ + "pdml": { + "$": { + "version": "0", + "creator": "wireshark/2.4.2", + "time": "Tue Mar 27 21:55:25 2018", + "capture_file": "./metron-platform/metron-api/src/test/resources/test-tcp-packet.pcap" + }, + "packet": [ + { + "proto": [ + { + "$": { + "name": "geninfo", + "pos": "0", + "showname": "General information", + "size": "104" + }, + "field": [ + { + "$": { + "name": "num", + "pos": "0", + "show": "1", + "showname": "Number", + "value": "1", + "size": "104" + } + }, + { + "$": { + "name": "len", + "pos": "0", + "show": "104", + "showname": "Frame Length", + "value": "68", + "size": "104" + } + }, + { + "$": { + "name": "caplen", + "pos": "0", + "show": "104", + "showname": "Captured Length", + "value": "68", + "size": "104" + } + }, + { + "$": { + "name": "timestamp", + "pos": "0", + "show": "Mar 26, 2014 19:59:40.024362000 GMT", + "showname": "Captured Time", + "value": "1395863980.024362000", + "size": "104" + } + } + ] + }, + { + "$": { + "name": "frame", + "showname": "Frame 1: 104 bytes on wire (832 bits), 104 bytes captured (832 bits)", + "size": "104", + "pos": "0" + }, + "field": [ + { + "$": { + "name": "frame.encap_type", + "showname": "Encapsulation type: Ethernet (1)", + "size": "0", + "pos": "0", + "show": "1" + } + }, + { + "$": { + "name": "frame.time", + "showname": "Arrival Time: Mar 26, 2014 19:59:40.024362000 GMT", + "size": "0", + "pos": "0", + "show": "Mar 26, 2014 19:59:40.024362000 GMT" + } + }, + { + "$": { + "name": "frame.offset_shift", + 
"showname": "Time shift for this packet: 0.000000000 seconds", + "size": "0", + "pos": "0", + "show": "0.000000000" + } + }, + { + "$": { + "name": "frame.time_epoch", + "showname": "Epoch Time: 1395863980.024362000 seconds", + "size": "0", + "pos": "0", + "show": "1395863980.024362000" + } + }, + { + "$": { + "name": "frame.time_delta", + "showname": "Time delta from previous captured frame: 0.000000000 seconds", + "size": "0", + "pos": "0", + "show": "0.000000000" + } + }, + { + "$": { + "name": "frame.time_delta_displayed", + "showname": "Time delta from previous displayed frame: 0.000000000 seconds", + "size": "0", + "pos": "0", + "show": "0.000000000" + } + }, + { + "$": { + "name": "frame.time_relative", + "showname": "Time since reference or first frame: 0.000000000 seconds", + "size": "0", + "pos": "0", + "show": "0.000000000" + } + }, + { + "$": { + "name": "frame.number", + "showname": "Frame Number: 1", + "size": "0", + "pos": "0", + "show": "1" + } + }, + { + "$": { + "name": "frame.len", + "showname": "Frame Length: 104 bytes (832 bits)", + "size": "0", + "pos": "0", + "show": "104" + } + }, + { + "$": { + "name": "frame.cap_len", + "showname": "Capture Length: 104 bytes (832 bits)", + "size": "0", + "pos": "0", + "show": "104" + } + }, + { + "$": { + "name": "frame.marked", + "showname": "Frame is marked: False", + "size": "0", + "pos": "0", + "show": "0" + } + }, + { + "$": { + "name": "frame.ignored", + "showname": "Frame is ignored: False", + "size": "0", + "pos": "0", + "show": "0" + } + }, + { + "$": { + "name": "frame.protocols", + "showname": "Protocols in frame: eth:ethertype:ip:tcp:smtp", + "size": "0", + "pos": "0", + "show": "eth:ethertype:ip:tcp:smtp" + } + } + ] + }, + { + "$": { + "name": "eth", + "showname": "Ethernet II, Src: MS-NLB-PhysServer-26_c5:01:00:02 (02:1a:c5:01:00:02), Dst: MS-NLB-PhysServer-26_c5:05:00:02 (02:1a:c5:05:00:02)", + "size": "14", + "pos": "0" + }, + "field": [ + { + "$": { + "name": "eth.dst", + "showname": 
"Destination: MS-NLB-PhysServer-26_c5:05:00:02 (02:1a:c5:05:00:02)", + "size": "6", + "pos": "0", + "show": "02:1a:c5:05:00:02", + "value": "021ac5050002" + }, + "field": [ + { + "$": { + "name": "eth.dst_resolved", + "showname": "Destination (resolved): MS-NLB-PhysServer-26_c5:05:00:02", + "hide": "yes", + "size": "6", + "pos": "0", + "show": "MS-NLB-PhysServer-26_c5:05:00:02", + "value": "021ac5050002" + } + }, + { + "$": { + "name": "eth.addr", + "showname": "Address: MS-NLB-PhysServer-26_c5:05:00:02 (02:1a:c5:05:00:02)", + "size": "6", + "pos": "0", + "show": "02:1a:c5:05:00:02", + "value": "021ac5050002" + } + }, + { + "$": { + "name": "eth.addr_resolved", + "showname": "Address (resolved): MS-NLB-PhysServer-26_c5:05:00:02", + "hide": "yes", + "size": "6", + "pos": "0", + "show": "MS-NLB-PhysServer-26_c5:05:00:02", + "value": "021ac5050002" + } + }, + { + "$": { + "name": "eth.lg", + "showname": ".... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)", + "size": "3", + "pos": "0", + "show": "1", + "value": "1", + "unmaskedvalue": "021ac5" + } + }, + { + "$": { + "name": "eth.ig", + "showname": ".... ...0 .... .... .... .... 
= IG bit: Individual address (unicast)", + "size": "3", + "pos": "0", + "show": "0", + "value": "0", + "unmaskedvalue": "021ac5" + } + } + ] + }, + { + "$": { + "name": "eth.src", + "showname": "Source: MS-NLB-PhysServer-26_c5:01:00:02 (02:1a:c5:01:00:02)", + "size": "6", + "pos": "6", + "show": "02:1a:c5:01:00:02", + "value": "021ac5010002" + }, + "field": [ + { + "$": { + "name": "eth.src_resolved", + "showname": "Source (resolved): MS-NLB-PhysServer-26_c5:01:00:02", + "hide": "yes", + "size": "6", + "pos": "6", + "show": "MS-NLB-PhysServer-26_c5:01:00:02", + "value": "021ac5010002" + } + }, + { + "$": { + "name": "eth.addr", + "showname": "Address: MS-NLB-PhysServer-26_c5:01:00:02 (02:1a:c5:01:00:02)", + "size": "6", + "pos": "6", + "show": "02:1a:c5:01:00:02", + "value": "021ac5010002" + } + }, + { + "$": { + "name": "eth.addr_resolved", + "showname": "Address (resolved): MS-NLB-PhysServer-26_c5:01:00:02", + "hide": "yes", + "size": "6", + "pos": "6", + "show": "MS-NLB-PhysServer-26_c5:01:00:02", + "value": "021ac5010002" + } + }, + { + "$": { + "name": "eth.lg", + "showname": ".... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)", + "size": "3", + "pos": "6", + "show": "1", + "value": "1", + "unmaskedvalue": "021ac5" + } + }, + { + "$": { + "name": "eth.ig", + "showname": ".... ...0 .... .... .... .... 
= IG bit: Individual address (unicast)", + "size": "3", + "pos": "6", + "show": "0", + "value": "0", + "unmaskedvalue": "021ac5" + } + } + ] + }, + { + "$": { + "name": "eth.type", + "showname": "Type: IPv4 (0x0800)", + "size": "2", + "pos": "12", + "show": "0x00000800", + "value": "0800" + } + }, + { + "$": { + "name": "eth.fcs", + "showname": "Frame check sequence: 0x26469e92 [correct]", + "size": "4", + "pos": "100", + "show": "0x26469e92", + "value": "26469e92" + } + }, + { + "$": { + "name": "eth.fcs.status", + "showname": "FCS Status: Good", + "size": "0", + "pos": "100", + "show": "1" + } + } + ] + }, + { + "$": { + "name": "ip", + "showname": "Internet Protocol Version 4, Src: 24.0.0.2, Dst: 24.128.0.2", + "size": "20", + "pos": "14" + }, + "field": [ + { + "$": { + "name": "ip.version", + "showname": "0100 .... = Version: 4", + "size": "1", + "pos": "14", + "show": "4", + "value": "4", + "unmaskedvalue": "45" + } + }, + { + "$": { + "name": "ip.hdr_len", + "showname": ".... 0101 = Header Length: 20 bytes (5)", + "size": "1", + "pos": "14", + "show": "20", + "value": "45" + } + }, + { + "$": { + "name": "ip.dsfield", + "showname": "Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)", + "size": "1", + "pos": "15", + "show": "0x00000000", + "value": "00" + }, + "field": [ + { + "$": { + "name": "ip.dsfield.dscp", + "showname": "0000 00.. = Differentiated Services Codepoint: Default (0)", + "size": "1", + "pos": "15", + "show": "0", + "value": "0", + "unmaskedvalue": "00" + } + }, + { + "$": { + "name": "ip.dsfield.ecn", + "showname": ".... 
..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)", + "size": "1", + "pos": "15", + "show": "0", + "value": "0", + "unmaskedvalue": "00" + } + } + ] + }, + { + "$": { + "name": "ip.len", + "showname": "Total Length: 86", + "size": "2", + "pos": "16", + "show": "86", + "value": "0056" + } + }, + { + "$": { + "name": "ip.id", + "showname": "Identification: 0xcff6 (53238)", + "size": "2", + "pos": "18", + "show": "0x0000cff6", + "value": "cff6" + } + }, + { + "$": { + "name": "ip.flags", + "showname": "Flags: 0x02 (Don't Fragment)", + "size": "1", + "pos": "20", + "show": "0x00000002", + "value": "40" + }, + "field": [ + { + "$": { + "name": "ip.flags.rb", + "showname": "0... .... = Reserved bit: Not set", + "size": "1", + "pos": "20", + "show": "0", + "value": "40" + } + }, + { + "$": { + "name": "ip.flags.df", + "showname": ".1.. .... = Don't fragment: Set", + "size": "1", + "pos": "20", + "show": "1", + "value": "40" + } + }, + { + "$": { + "name": "ip.flags.mf", + "showname": "..0. .... 
= More fragments: Not set", + "size": "1", + "pos": "20", + "show": "0", + "value": "40" + } + } + ] + }, + { + "$": { + "name": "ip.frag_offset", + "showname": "Fragment offset: 0", + "size": "2", + "pos": "20", + "show": "0", + "value": "4000" + } + }, + { + "$": { + "name": "ip.ttl", + "showname": "Time to live: 32", + "size": "1", + "pos": "22", + "show": "32", + "value": "20" + } + }, + { + "$": { + "name": "ip.proto", + "showname": "Protocol: TCP (6)", + "size": "1", + "pos": "23", + "show": "6", + "value": "06" + } + }, + { + "$": { + "name": "ip.checksum", + "showname": "Header checksum: 0x5a28 [validation disabled]", + "size": "2", + "pos": "24", + "show": "0x00005a28", + "value": "5a28" + } + }, + { + "$": { + "name": "ip.checksum.status", + "showname": "Header checksum status: Unverified", + "size": "0", + "pos": "24", + "show": "2" + } + }, + { + "$": { + "name": "ip.src", + "showname": "Source: 24.0.0.2", + "size": "4", + "pos": "26", + "show": "24.0.0.2", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.addr", + "showname": "Source or Destination Address: 24.0.0.2", + "hide": "yes", + "size": "4", + "pos": "26", + "show": "24.0.0.2", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.src_host", + "showname": "Source Host: 24.0.0.2", + "hide": "yes", + "size": "4", + "pos": "26", + "show": "24.0.0.2", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.host", + "showname": "Source or Destination Host: 24.0.0.2", + "hide": "yes", + "size": "4", + "pos": "26", + "show": "24.0.0.2", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.dst", + "showname": "Destination: 24.128.0.2", + "size": "4", + "pos": "30", + "show": "24.128.0.2", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.addr", + "showname": "Source or Destination Address: 24.128.0.2", + "hide": "yes", + "size": "4", + "pos": "30", + "show": "24.128.0.2", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.dst_host", + "showname": "Destination Host: 
24.128.0.2", + "hide": "yes", + "size": "4", + "pos": "30", + "show": "24.128.0.2", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.host", + "showname": "Source or Destination Host: 24.128.0.2", + "hide": "yes", + "size": "4", + "pos": "30", + "show": "24.128.0.2", + "value": "18800002" + } + }, + { + "$": { + "name": "", + "show": "Source GeoIP: United States, Woodbridge, NJ, AS7922 Comcast Cable Communications, LLC, United States, Woodbridge, NJ, AS7922 Comcast Cable Communications, LLC, 40.557598, -74.284599", + "size": "4", + "pos": "26", + "value": "18000002" + }, + "field": [ + { + "$": { + "name": "ip.geoip.src_country", + "showname": "Source GeoIP Country: United States", + "size": "4", + "pos": "26", + "show": "United States", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.country", + "showname": "Source or Destination GeoIP Country: United States", + "hide": "yes", + "size": "4", + "pos": "26", + "show": "United States", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.src_city", + "showname": "Source GeoIP City: Woodbridge, NJ", + "size": "4", + "pos": "26", + "show": "Woodbridge, NJ", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.city", + "showname": "Source or Destination GeoIP City: Woodbridge, NJ", + "hide": "yes", + "size": "4", + "pos": "26", + "show": "Woodbridge, NJ", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.src_asnum", + "showname": "Source GeoIP AS Number: AS7922 Comcast Cable Communications, LLC", + "size": "4", + "pos": "26", + "show": "AS7922 Comcast Cable Communications, LLC", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.asnum", + "showname": "Source or Destination GeoIP AS Number: AS7922 Comcast Cable Communications, LLC", + "hide": "yes", + "size": "4", + "pos": "26", + "show": "AS7922 Comcast Cable Communications, LLC", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.src_country", + "showname": "Source GeoIP Country: 
United States", + "size": "4", + "pos": "26", + "show": "United States", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.country", + "showname": "Source or Destination GeoIP Country: United States", + "hide": "yes", + "size": "4", + "pos": "26", + "show": "United States", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.src_city", + "showname": "Source GeoIP City: Woodbridge, NJ", + "size": "4", + "pos": "26", + "show": "Woodbridge, NJ", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.city", + "showname": "Source or Destination GeoIP City: Woodbridge, NJ", + "hide": "yes", + "size": "4", + "pos": "26", + "show": "Woodbridge, NJ", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.src_asnum", + "showname": "Source GeoIP AS Number: AS7922 Comcast Cable Communications, LLC", + "size": "4", + "pos": "26", + "show": "AS7922 Comcast Cable Communications, LLC", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.asnum", + "showname": "Source or Destination GeoIP AS Number: AS7922 Comcast Cable Communications, LLC", + "hide": "yes", + "size": "4", + "pos": "26", + "show": "AS7922 Comcast Cable Communications, LLC", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.src_lat", + "showname": "Source GeoIP Latitude: 40.557598", + "size": "4", + "pos": "26", + "show": "40.557598", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.lat", + "showname": "Source or Destination GeoIP Latitude: 40.557598", + "hide": "yes", + "size": "4", + "pos": "26", + "show": "40.557598", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.src_lon", + "showname": "Source GeoIP Longitude: -74.284599", + "size": "4", + "pos": "26", + "show": "-74.284599", + "value": "18000002" + } + }, + { + "$": { + "name": "ip.geoip.lon", + "showname": "Source or Destination GeoIP Longitude: -74.284599", + "hide": "yes", + "size": "4", + "pos": "26", + "show": "-74.284599", + "value": "18000002" + } + } + 
] + }, + { + "$": { + "name": "", + "show": "Destination GeoIP: United States, Groton, CT, AS7922 Comcast Cable Communications, LLC, United States, Groton, CT, AS7922 Comcast Cable Communications, LLC, 41.353199, -72.038597", + "size": "4", + "pos": "30", + "value": "18800002" + }, + "field": [ + { + "$": { + "name": "ip.geoip.dst_country", + "showname": "Destination GeoIP Country: United States", + "size": "4", + "pos": "30", + "show": "United States", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.geoip.country", + "showname": "Source or Destination GeoIP Country: United States", + "hide": "yes", + "size": "4", + "pos": "30", + "show": "United States", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.geoip.dst_city", + "showname": "Destination GeoIP City: Groton, CT", + "size": "4", + "pos": "30", + "show": "Groton, CT", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.geoip.city", + "showname": "Source or Destination GeoIP City: Groton, CT", + "hide": "yes", + "size": "4", + "pos": "30", + "show": "Groton, CT", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.geoip.dst_asnum", + "showname": "Destination GeoIP AS Number: AS7922 Comcast Cable Communications, LLC", + "size": "4", + "pos": "30", + "show": "AS7922 Comcast Cable Communications, LLC", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.geoip.asnum", + "showname": "Source or Destination GeoIP AS Number: AS7922 Comcast Cable Communications, LLC", + "hide": "yes", + "size": "4", + "pos": "30", + "show": "AS7922 Comcast Cable Communications, LLC", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.geoip.dst_country", + "showname": "Destination GeoIP Country: United States", + "size": "4", + "pos": "30", + "show": "United States", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.geoip.country", + "showname": "Source or Destination GeoIP Country: United States", + "hide": "yes", + "size": "4", + "pos": "30", + "show": "United States", + "value": 
"18800002" + } + }, + { + "$": { + "name": "ip.geoip.dst_city", + "showname": "Destination GeoIP City: Groton, CT", + "size": "4", + "pos": "30", + "show": "Groton, CT", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.geoip.city", + "showname": "Source or Destination GeoIP City: Groton, CT", + "hide": "yes", + "size": "4", + "pos": "30", + "show": "Groton, CT", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.geoip.dst_asnum", + "showname": "Destination GeoIP AS Number: AS7922 Comcast Cable Communications, LLC", + "size": "4", + "pos": "30", + "show": "AS7922 Comcast Cable Communications, LLC", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.geoip.asnum", + "showname": "Source or Destination GeoIP AS Number: AS7922 Comcast Cable Communications, LLC", + "hide": "yes", + "size": "4", + "pos": "30", + "show": "AS7922 Comcast Cable Communications, LLC", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.geoip.dst_lat", + "showname": "Destination GeoIP Latitude: 41.353199", + "size": "4", + "pos": "30", + "show": "41.353199", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.geoip.lat", + "showname": "Source or Destination GeoIP Latitude: 41.353199", + "hide": "yes", + "size": "4", + "pos": "30", + "show": "41.353199", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.geoip.dst_lon", + "showname": "Destination GeoIP Longitude: -72.038597", + "size": "4", + "pos": "30", + "show": "-72.038597", + "value": "18800002" + } + }, + { + "$": { + "name": "ip.geoip.lon", + "showname": "Source or Destination GeoIP Longitude: -72.038597", + "hide": "yes", + "size": "4", + "pos": "30", + "show": "-72.038597", + "value": "18800002" + } + } + ] + } + ] + }, + { + "$": { + "name": "tcp", + "showname": "Transmission Control Protocol, Src Port: 2137, Dst Port: 25, Seq: 1, Ack: 1, Len: 34", + "size": "32", + "pos": "34" + }, + "field": [ + { + "$": { + "name": "tcp.srcport", + "showname": "Source Port: 2137", + "size": "2", + "pos": 
"34", + "show": "2137", + "value": "0859" + } + }, + { + "$": { + "name": "tcp.dstport", + "showname": "Destination Port: 25", + "size": "2", + "pos": "36", + "show": "25", + "value": "0019" + } + }, + { + "$": { + "name": "tcp.port", + "showname": "Source or Destination Port: 2137", + "hide": "yes", + "size": "2", + "pos": "34", + "show": "2137", + "value": "0859" + } + }, + { + "$": { + "name": "tcp.port", + "showname": "Source or Destination Port: 25", + "hide": "yes", + "size": "2", + "pos": "36", + "show": "25", + "value": "0019" + } + }, + { + "$": { + "name": "tcp.stream", + "showname": "Stream index: 0", + "size": "0", + "pos": "34", + "show": "0" + } + }, + { + "$": { + "name": "tcp.len", + "showname": "TCP Segment Len: 34", + "size": "1", + "pos": "46", + "show": "34", + "value": "80" + } + }, + { + "$": { + "name": "tcp.seq", + "showname": "Sequence number: 1 (relative sequence number)", + "size": "4", + "pos": "38", + "show": "1", + "value": "f88900ce" + } + }, + { + "$": { + "name": "tcp.nxtseq", + "showname": "Next sequence number: 35 (relative sequence number)", + "size": "0", + "pos": "34", + "show": "35" + } + }, + { + "$": { + "name": "tcp.ack", + "showname": "Acknowledgment number: 1 (relative ack number)", + "size": "4", + "pos": "42", + "show": "1", + "value": "365aa74f" + } + }, + { + "$": { + "name": "tcp.hdr_len", + "showname": "1000 .... = Header Length: 32 bytes (8)", + "size": "1", + "pos": "46", + "show": "32", + "value": "80" + } + }, + { + "$": { + "name": "tcp.flags", + "showname": "Flags: 0x018 (PSH, ACK)", + "size": "2", + "pos": "46", + "show": "0x00000018", + "value": "18", + "unmaskedvalue": "8018" + }, + "field": [ + { + "$": { + "name": "tcp.flags.res", + "showname": "000. .... .... = Reserved: Not set", + "size": "1", + "pos": "46", + "show": "0", + "value": "0", + "unmaskedvalue": "80" + } + }, + { + "$": { + "name": "tcp.flags.ns", + "showname": "...0 .... .... 
= Nonce: Not set", + "size": "1", + "pos": "46", + "show": "0", + "value": "0", + "unmaskedvalue": "80" + } + }, + { + "$": { + "name": "tcp.flags.cwr", + "showname": ".... 0... .... = Congestion Window Reduced (CWR): Not set", + "size": "1", + "pos": "47", + "show": "0", + "value": "0", + "unmaskedvalue": "18" + } + }, + { + "$": { + "name": "tcp.flags.ecn", + "showname": ".... .0.. .... = ECN-Echo: Not set", + "size": "1", + "pos": "47", + "show": "0", + "value": "0", + "unmaskedvalue": "18" + } + }, + { + "$": { + "name": "tcp.flags.urg", + "showname": ".... ..0. .... = Urgent: Not set", + "size": "1", + "pos": "47", + "show": "0", + "value": "0", + "unmaskedvalue": "18" + } + }, + { + "$": { + "name": "tcp.flags.ack", + "showname": ".... ...1 .... = Acknowledgment: Set", + "size": "1", + "pos": "47", + "show": "1", + "value": "1", + "unmaskedvalue": "18" + } + }, + { + "$": { + "name": "tcp.flags.push", + "showname": ".... .... 1... = Push: Set", + "size": "1", + "pos": "47", + "show": "1", + "value": "1", + "unmaskedvalue": "18" + } + }, + { + "$": { + "name": "tcp.flags.reset", + "showname": ".... .... .0.. = Reset: Not set", + "size": "1", + "pos": "47", + "show": "0", + "value": "0", + "unmaskedvalue": "18" + } + }, + { + "$": { + "name": "tcp.flags.syn", + "showname": ".... .... ..0. = Syn: Not set", + "size": "1", + "pos": "47", + "show": "0", + "value": "0", + "unmaskedvalue": "18" + } + }, + { + "$": { + "name": "tcp.flags.fin", + "showname": ".... .... 
...0 = Fin: Not set", + "size": "1", + "pos": "47", + "show": "0", + "value": "0", + "unmaskedvalue": "18" + } + }, + { + "$": { + "name": "tcp.flags.str", + "showname": "TCP Flags: \\\\xc2\\\\xb7\\\\xc2\\\\xb7\\\\xc2\\\\xb7\\\\xc2\\\\xb7\\\\xc2\\\\xb7\\\\xc2\\\\xb7\\\\xc2\\\\xb7AP\\\\xc2\\\\xb7\\\\xc2\\\\xb7\\\\xc2\\\\xb7", + "size": "2", + "pos": "46", + "show": "\\\\xc2\\\\xb7\\\\xc2\\\\xb7\\\\xc2\\\\xb7\\\\xc2\\\\xb7\\\\xc2\\\\xb7\\\\xc2\\\\xb7\\\\xc2\\\\xb7AP\\\\xc2\\\\xb7\\\\xc2\\\\xb7\\\\xc2\\\\xb7", + "value": "8018" + } + } + ] + }, + { + "$": { + "name": "tcp.window_size_value", + "showname": "Window size value: 7240", + "size": "2", + "pos": "48", + "show": "7240", + "value": "1c48" + } + }, + { + "$": { + "name": "tcp.window_size", + "showname": "Calculated window size: 7240", + "size": "2", + "pos": "48", + "show": "7240", + "value": "1c48" + } + }, + { + "$": { + "name": "tcp.window_size_scalefactor", + "showname": "Window size scaling factor: -1 (unknown)", + "size": "2", + "pos": "48", + "show": "-1", + "value": "1c48" + } + }, + { + "$": { + "name": "tcp.checksum", + "showname": "Checksum: 0x681f [unverified]", + "size": "2", + "pos": "50", + "show": "0x0000681f", + "value": "681f" + } + }, + { + "$": { + "name": "tcp.checksum.status", + "showname": "Checksum Status: Unverified", + "size": "0", + "pos": "50", + "show": "2" + } + }, + { + "$": { + "name": "tcp.urgent_pointer", + "showname": "Urgent pointer: 0", + "size": "2", + "pos": "52", + "show": "0", + "value": "0000" + } + }, + { + "$": { + "name": "tcp.options", + "showname": "Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps", + "size": "12", + "pos": "54", + "show": "01:01:08:0a:eb:83:4b:08:e8:8c:de:cb", + "value": "0101080aeb834b08e88cdecb" + }, + "field": [ + { + "$": { + "name": "tcp.options.nop", + "showname": "TCP Option - No-Operation (NOP)", + "size": "1", + "pos": "54", + "show": "01", + "value": "01" + }, + "field": [ + { + "$": { + "name": "tcp.option_kind", 
+ "showname": "Kind: No-Operation (1)", + "size": "1", + "pos": "54", + "show": "1", + "value": "01" + } + } + ] + }, + { + "$": { + "name": "tcp.options.nop", + "showname": "TCP Option - No-Operation (NOP)", + "size": "1", + "pos": "55", + "show": "01", + "value": "01" + }, + "field": [ + { + "$": { + "name": "tcp.option_kind", + "showname": "Kind: No-Operation (1)", + "size": "1", + "pos": "55", + "show": "1", + "value": "01" + } + } + ] + }, + { + "$": { + "name": "tcp.options.timestamp", + "showname": "TCP Option - Timestamps: TSval 3951250184, TSecr 3901546187", + "size": "10", + "pos": "56", + "show": "08:0a:eb:83:4b:08:e8:8c:de:cb", + "value": "080aeb834b08e88cdecb" + }, + "field": [ + { + "$": { + "name": "tcp.option_kind", + "showname": "Kind: Time Stamp Option (8)", + "size": "1", + "pos": "56", + "show": "8", + "value": "08" + } + }, + { + "$": { + "name": "tcp.option_len", + "showname": "Length: 10", + "size": "1", + "pos": "57", + "show": "10", + "value": "0a" + } + }, + { + "$": { + "name": "tcp.options.timestamp.tsval", + "showname": "Timestamp value: 3951250184", + "size": "4", + "pos": "58", + "show": "3951250184", + "value": "eb834b08" + } + }, + { + "$": { + "name": "tcp.options.timestamp.tsecr", + "showname": "Timestamp echo reply: 3901546187", + "size": "4", + "pos": "62", + "show": "3901546187", + "value": "e88cdecb" + } + } + ] + } + ] + }, + { + "$": { + "name": "tcp.analysis", + "showname": "SEQ/ACK analysis", + "size": "0", + "pos": "34", + "show": "", + "value": "" + }, + "field": [ + { + "$": { + "name": "tcp.analysis.bytes_in_flight", + "showname": "Bytes in flight: 34", + "size": "0", + "pos": "34", + "show": "34" + } + }, + { + "$": { + "name": "tcp.analysis.push_bytes_sent", + "showname": "Bytes sent since last PSH flag: 34", + "size": "0", + "pos": "34", + "show": "34" + } + } + ] + }, + { + "$": { + "name": "tcp.payload", + "showname": "TCP payload (34 bytes)", + "size": "34", + "pos": "66", + "show": 
"45:48:4c:4f:20:63:6c:69:65:6e:74:2d:31:38:30:30:30:30:30:33:2e:65:78:61:6d:70:6c:65:2e:69:6e:74:0d:0a", + "value": "45484c4f20636c69656e742d31383030303030332e6578616d706c652e696e740d0a" + } + } + ] + }, + { + "$": { + "name": "smtp", + "showname": "Simple Mail Transfer Protocol", + "size": "34", + "pos": "66" + }, + "field": [ + { + "$": { + "name": "smtp.req", + "showname": "Request: True", + "hide": "yes", + "size": "0", + "pos": "66", + "show": "1" + } + }, + { + "$": { + "name": "smtp.command_line", + "showname": "Command Line: EHLO client-18000003.example.int\\\\r\\\\n", + "size": "34", + "pos": "66", + "show": "EHLO client-18000003.example.int\\\\xd\\\\xa", + "value": "45484c4f20636c69656e742d31383030303030332e6578616d706c652e696e740d0a" + }, + "field": [ + { + "$": { + "name": "smtp.req.command", + "showname": "Command: EHLO", + "size": "4", + "pos": "66", + "show": "EHLO", + "value": "45484c4f" + } + }, + { + "$": { + "name": "smtp.req.parameter", + "showname": "Request parameter: client-18000003.example.int", + "size": "27", + "pos": "71", + "show": "client-18000003.example.int", + "value": "636c69656e742d31383030303030332e6578616d706c652e696e74" + } + } + ] + } + ] + } + ] + } + ] + } +} +` +} + +function pdml() { + return `<?xml version="1.0" encoding="utf-8"?> + <?xml-stylesheet type="text/xsl" href="pdml2html.xsl"?> + <!-- You can find pdml2html.xsl in /usr/share/wireshark or at https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=pdml2html.xsl. 
--> + <pdml version="0" creator="wireshark/2.4.2" time="Tue Mar 27 21:55:25 2018" capture_file="./metron-platform/metron-api/src/test/resources/test-tcp-packet.pcap"> + <packet> + <proto name="geninfo" pos="0" showname="General information" size="104"> + <field name="num" pos="0" show="1" showname="Number" value="1" size="104"/> + <field name="len" pos="0" show="104" showname="Frame Length" value="68" size="104"/> + <field name="caplen" pos="0" show="104" showname="Captured Length" value="68" size="104"/> + <field name="timestamp" pos="0" show="Mar 26, 2014 19:59:40.024362000 GMT" showname="Captured Time" value="1395863980.024362000" size="104"/> + </proto> + <proto name="frame" showname="Frame 1: 104 bytes on wire (832 bits), 104 bytes captured (832 bits)" size="104" pos="0"> + <field name="frame.encap_type" showname="Encapsulation type: Ethernet (1)" size="0" pos="0" show="1"/> + <field name="frame.time" showname="Arrival Time: Mar 26, 2014 19:59:40.024362000 GMT" size="0" pos="0" show="Mar 26, 2014 19:59:40.024362000 GMT"/> + <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/> + <field name="frame.time_epoch" showname="Epoch Time: 1395863980.024362000 seconds" size="0" pos="0" show="1395863980.024362000"/> + <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/> + <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/> + <field name="frame.time_relative" showname="Time since reference or first frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/> + <field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/> + <field name="frame.len" showname="Frame Length: 104 bytes (832 bits)" size="0" pos="0" show="104"/> + <field name="frame.cap_len" showname="Capture Length: 104 bytes 
(832 bits)" size="0" pos="0" show="104"/> + <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/> + <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/> + <field name="frame.protocols" showname="Protocols in frame: eth:ethertype:ip:tcp:smtp" size="0" pos="0" show="eth:ethertype:ip:tcp:smtp"/> + </proto> + <proto name="eth" showname="Ethernet II, Src: MS-NLB-PhysServer-26_c5:01:00:02 (02:1a:c5:01:00:02), Dst: MS-NLB-PhysServer-26_c5:05:00:02 (02:1a:c5:05:00:02)" size="14" pos="0"> + <field name="eth.dst" showname="Destination: MS-NLB-PhysServer-26_c5:05:00:02 (02:1a:c5:05:00:02)" size="6" pos="0" show="02:1a:c5:05:00:02" value="021ac5050002"> + <field name="eth.dst_resolved" showname="Destination (resolved): MS-NLB-PhysServer-26_c5:05:00:02" hide="yes" size="6" pos="0" show="MS-NLB-PhysServer-26_c5:05:00:02" value="021ac5050002"/> + <field name="eth.addr" showname="Address: MS-NLB-PhysServer-26_c5:05:00:02 (02:1a:c5:05:00:02)" size="6" pos="0" show="02:1a:c5:05:00:02" value="021ac5050002"/> + <field name="eth.addr_resolved" showname="Address (resolved): MS-NLB-PhysServer-26_c5:05:00:02" hide="yes" size="6" pos="0" show="MS-NLB-PhysServer-26_c5:05:00:02" value="021ac5050002"/> + <field name="eth.lg" showname=".... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)" size="3" pos="0" show="1" value="1" unmaskedvalue="021ac5"/> + <field name="eth.ig" showname=".... ...0 .... .... .... .... 
= IG bit: Individual address (unicast)" size="3" pos="0" show="0" value="0" unmaskedvalue="021ac5"/> + </field> + <field name="eth.src" showname="Source: MS-NLB-PhysServer-26_c5:01:00:02 (02:1a:c5:01:00:02)" size="6" pos="6" show="02:1a:c5:01:00:02" value="021ac5010002"> + <field name="eth.src_resolved" showname="Source (resolved): MS-NLB-PhysServer-26_c5:01:00:02" hide="yes" size="6" pos="6" show="MS-NLB-PhysServer-26_c5:01:00:02" value="021ac5010002"/> + <field name="eth.addr" showname="Address: MS-NLB-PhysServer-26_c5:01:00:02 (02:1a:c5:01:00:02)" size="6" pos="6" show="02:1a:c5:01:00:02" value="021ac5010002"/> + <field name="eth.addr_resolved" showname="Address (resolved): MS-NLB-PhysServer-26_c5:01:00:02" hide="yes" size="6" pos="6" show="MS-NLB-PhysServer-26_c5:01:00:02" value="021ac5010002"/> + <field name="eth.lg" showname=".... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)" size="3" pos="6" show="1" value="1" unmaskedvalue="021ac5"/> + <field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="6" show="0" value="0" unmaskedvalue="021ac5"/> + </field> + <field name="eth.type" showname="Type: IPv4 (0x0800)" size="2" pos="12" show="0x00000800" value="0800"/> + <field name="eth.fcs" showname="Frame check sequence: 0x26469e92 [correct]" size="4" pos="100" show="0x26469e92" value="26469e92"/> + <field name="eth.fcs.status" showname="FCS Status: Good" size="0" pos="100" show="1"/> + </proto> + <proto name="ip" showname="Internet Protocol Version 4, Src: 24.0.0.2, Dst: 24.128.0.2" size="20" pos="14"> + <field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="14" show="4" value="4" unmaskedvalue="45"/> + <field name="ip.hdr_len" showname=".... 
0101 = Header Length: 20 bytes (5)" size="1" pos="14" show="20" value="45"/> + <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)" size="1" pos="15" show="0x00000000" value="00"> + <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0)" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/> + <field name="ip.dsfield.ecn" showname=".... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/> + </field> + <field name="ip.len" showname="Total Length: 86" size="2" pos="16" show="86" value="0056"/> + <field name="ip.id" showname="Identification: 0xcff6 (53238)" size="2" pos="18" show="0x0000cff6" value="cff6"/> + <field name="ip.flags" showname="Flags: 0x02 (Don't Fragment)" size="1" pos="20" show="0x00000002" value="40"> + <field name="ip.flags.rb" showname="0... .... = Reserved bit: Not set" size="1" pos="20" show="0" value="40"/> + <field name="ip.flags.df" showname=".1.. .... = Don't fragment: Set" size="1" pos="20" show="1" value="40"/> + <field name="ip.flags.mf" showname="..0. .... 
= More fragments: Not set" size="1" pos="20" show="0" value="40"/> + </field> + <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="20" show="0" value="4000"/> + <field name="ip.ttl" showname="Time to live: 32" size="1" pos="22" show="32" value="20"/> + <field name="ip.proto" showname="Protocol: TCP (6)" size="1" pos="23" show="6" value="06"/> + <field name="ip.checksum" showname="Header checksum: 0x5a28 [validation disabled]" size="2" pos="24" show="0x00005a28" value="5a28"/> + <field name="ip.checksum.status" showname="Header checksum status: Unverified" size="0" pos="24" show="2"/> + <field name="ip.src" showname="Source: 24.0.0.2" size="4" pos="26" show="24.0.0.2" value="18000002"/> + <field name="ip.addr" showname="Source or Destination Address: 24.0.0.2" hide="yes" size="4" pos="26" show="24.0.0.2" value="18000002"/> + <field name="ip.src_host" showname="Source Host: 24.0.0.2" hide="yes" size="4" pos="26" show="24.0.0.2" value="18000002"/> + <field name="ip.host" showname="Source or Destination Host: 24.0.0.2" hide="yes" size="4" pos="26" show="24.0.0.2" value="18000002"/> + <field name="ip.dst" showname="Destination: 24.128.0.2" size="4" pos="30" show="24.128.0.2" value="18800002"/> + <field name="ip.addr" showname="Source or Destination Address: 24.128.0.2" hide="yes" size="4" pos="30" show="24.128.0.2" value="18800002"/> + <field name="ip.dst_host" showname="Destination Host: 24.128.0.2" hide="yes" size="4" pos="30" show="24.128.0.2" value="18800002"/> + <field name="ip.host" showname="Source or Destination Host: 24.128.0.2" hide="yes" size="4" pos="30" show="24.128.0.2" value="18800002"/> + <field name="" show="Source GeoIP: United States, Woodbridge, NJ, AS7922 Comcast Cable Communications, LLC, United States, Woodbridge, NJ, AS7922 Comcast Cable Communications, LLC, 40.557598, -74.284599" size="4" pos="26" value="18000002"> + <field name="ip.geoip.src_country" showname="Source GeoIP Country: United States" size="4" pos="26" 
show="United States" value="18000002"/> + <field name="ip.geoip.country" showname="Source or Destination GeoIP Country: United States" hide="yes" size="4" pos="26" show="United States" value="18000002"/> + <field name="ip.geoip.src_city" showname="Source GeoIP City: Woodbridge, NJ" size="4" pos="26" show="Woodbridge, NJ" value="18000002"/> + <field name="ip.geoip.city" showname="Source or Destination GeoIP City: Woodbridge, NJ" hide="yes" size="4" pos="26" show="Woodbridge, NJ" value="18000002"/> + <field name="ip.geoip.src_asnum" showname="Source GeoIP AS Number: AS7922 Comcast Cable Communications, LLC" size="4" pos="26" show="AS7922 Comcast Cable Communications, LLC" value="18000002"/> + <field name="ip.geoip.asnum" showname="Source or Destination GeoIP AS Number: AS7922 Comcast Cable Communications, LLC" hide="yes" size="4" pos="26" show="AS7922 Comcast Cable Communications, LLC" value="18000002"/> + <field name="ip.geoip.src_country" showname="Source GeoIP Country: United States" size="4" pos="26" show="United States" value="18000002"/> + <field name="ip.geoip.country" showname="Source or Destination GeoIP Country: United States" hide="yes" size="4" pos="26" show="United States" value="18000002"/> + <field name="ip.geoip.src_city" showname="Source GeoIP City: Woodbridge, NJ" size="4" pos="26" show="Woodbridge, NJ" value="18000002"/> + <field name="ip.geoip.city" showname="Source or Destination GeoIP City: Woodbridge, NJ" hide="yes" size="4" pos="26" show="Woodbridge, NJ" value="18000002"/> + <field name="ip.geoip.src_asnum" showname="Source GeoIP AS Number: AS7922 Comcast Cable Communications, LLC" size="4" pos="26" show="AS7922 Comcast Cable Communications, LLC" value="18000002"/> + <field name="ip.geoip.asnum" showname="Source or Destination GeoIP AS Number: AS7922 Comcast Cable Communications, LLC" hide="yes" size="4" pos="26" show="AS7922 Comcast Cable Communications, LLC" value="18000002"/> + <field name="ip.geoip.src_lat" showname="Source GeoIP Latitude: 
40.557598" size="4" pos="26" show="40.557598" value="18000002"/> + <field name="ip.geoip.lat" showname="Source or Destination GeoIP Latitude: 40.557598" hide="yes" size="4" pos="26" show="40.557598" value="18000002"/> + <field name="ip.geoip.src_lon" showname="Source GeoIP Longitude: -74.284599" size="4" pos="26" show="-74.284599" value="18000002"/> + <field name="ip.geoip.lon" showname="Source or Destination GeoIP Longitude: -74.284599" hide="yes" size="4" pos="26" show="-74.284599" value="18000002"/> + </field> + <field name="" show="Destination GeoIP: United States, Groton, CT, AS7922 Comcast Cable Communications, LLC, United States, Groton, CT, AS7922 Comcast Cable Communications, LLC, 41.353199, -72.038597" size="4" pos="30" value="18800002"> + <field name="ip.geoip.dst_country" showname="Destination GeoIP Country: United States" size="4" pos="30" show="United States" value="18800002"/> + <field name="ip.geoip.country" showname="Source or Destination GeoIP Country: United States" hide="yes" size="4" pos="30" show="United States" value="18800002"/> + <field name="ip.geoip.dst_city" showname="Destination GeoIP City: Groton, CT" size="4" pos="30" show="Groton, CT" value="18800002"/> + <field name="ip.geoip.city" showname="Source or Destination GeoIP City: Groton, CT" hide="yes" size="4" pos="30" show="Groton, CT" value="18800002"/> + <field name="ip.geoip.dst_asnum" showname="Destination GeoIP AS Number: AS7922 Comcast Cable Communications, LLC" size="4" pos="30" show="AS7922 Comcast Cable Communications, LLC" value="18800002"/> + <field name="ip.geoip.asnum" showname="Source or Destination GeoIP AS Number: AS7922 Comcast Cable Communications, LLC" hide="yes" size="4" pos="30" show="AS7922 Comcast Cable Communications, LLC" value="18800002"/> + <field name="ip.geoip.dst_country" showname="Destination GeoIP Country: United States" size="4" pos="30" show="United States" value="18800002"/> + <field name="ip.geoip.country" showname="Source or Destination GeoIP 
Country: United States" hide="yes" size="4" pos="30" show="United States" value="18800002"/> + <field name="ip.geoip.dst_city" showname="Destination GeoIP City: Groton, CT" size="4" pos="30" show="Groton, CT" value="18800002"/> + <field name="ip.geoip.city" showname="Source or Destination GeoIP City: Groton, CT" hide="yes" size="4" pos="30" show="Groton, CT" value="18800002"/> + <field name="ip.geoip.dst_asnum" showname="Destination GeoIP AS Number: AS7922 Comcast Cable Communications, LLC" size="4" pos="30" show="AS7922 Comcast Cable Communications, LLC" value="18800002"/> + <field name="ip.geoip.asnum" showname="Source or Destination GeoIP AS Number: AS7922 Comcast Cable Communications, LLC" hide="yes" size="4" pos="30" show="AS7922 Comcast Cable Communications, LLC" value="18800002"/> + <field name="ip.geoip.dst_lat" showname="Destination GeoIP Latitude: 41.353199" size="4" pos="30" show="41.353199" value="18800002"/> + <field name="ip.geoip.lat" showname="Source or Destination GeoIP Latitude: 41.353199" hide="yes" size="4" pos="30" show="41.353199" value="18800002"/> + <field name="ip.geoip.dst_lon" showname="Destination GeoIP Longitude: -72.038597" size="4" pos="30" show="-72.038597" value="18800002"/> + <field name="ip.geoip.lon" showname="Source or Destination GeoIP Longitude: -72.038597" hide="yes" size="4" pos="30" show="-72.038597" value="18800002"/> + </field> + </proto> + <proto name="tcp" showname="Transmission Control Protocol, Src Port: 2137, Dst Port: 25, Seq: 1, Ack: 1, Len: 34" size="32" pos="34"> + <field name="tcp.srcport" showname="Source Port: 2137" size="2" pos="34" show="2137" value="0859"/> + <field name="tcp.dstport" showname="Destination Port: 25" size="2" pos="36" show="25" value="0019"/> + <field name="tcp.port" showname="Source or Destination Port: 2137" hide="yes" size="2" pos="34" show="2137" value="0859"/> + <field name="tcp.port" showname="Source or Destination Port: 25" hide="yes" size="2" pos="36" show="25" value="0019"/> + 
<field name="tcp.stream" showname="Stream index: 0" size="0" pos="34" show="0"/> + <field name="tcp.len" showname="TCP Segment Len: 34" size="1" pos="46" show="34" value="80"/> + <field name="tcp.seq" showname="Sequence number: 1 (relative sequence number)" size="4" pos="38" show="1" value="f88900ce"/> + <field name="tcp.nxtseq" showname="Next sequence number: 35 (relative sequence number)" size="0" pos="34" show="35"/> + <field name="tcp.ack" showname="Acknowledgment number: 1 (relative ack number)" size="4" pos="42" show="1" value="365aa74f"/> + <field name="tcp.hdr_len" showname="1000 .... = Header Length: 32 bytes (8)" size="1" pos="46" show="32" value="80"/> + <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="46" show="0x00000018" value="18" unmaskedvalue="8018"> + <field name="tcp.flags.res" showname="000. .... .... = Reserved: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="80"/> + <field name="tcp.flags.ns" showname="...0 .... .... = Nonce: Not set" size="1" pos="46" show="0" value="0" unmaskedvalue="80"/> + <field name="tcp.flags.cwr" showname=".... 0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="18"/> + <field name="tcp.flags.ecn" showname=".... .0.. .... = ECN-Echo: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="18"/> + <field name="tcp.flags.urg" showname=".... ..0. .... = Urgent: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="18"/> + <field name="tcp.flags.ack" showname=".... ...1 .... = Acknowledgment: Set" size="1" pos="47" show="1" value="1" unmaskedvalue="18"/> + <field name="tcp.flags.push" showname=".... .... 1... = Push: Set" size="1" pos="47" show="1" value="1" unmaskedvalue="18"/> + <field name="tcp.flags.reset" showname=".... .... .0.. = Reset: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="18"/> + <field name="tcp.flags.syn" showname=".... .... ..0. 
= Syn: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="18"/> + <field name="tcp.flags.fin" showname=".... .... ...0 = Fin: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="18"/> + <field name="tcp.flags.str" showname="TCP Flags: \\xc2\\xb7\\xc2\\xb7\\xc2\\xb7\\xc2\\xb7\\xc2\\xb7\\xc2\\xb7\\xc2\\xb7AP\\xc2\\xb7\\xc2\\xb7\\xc2\\xb7" size="2" pos="46" show="\\xc2\\xb7\\xc2\\xb7\\xc2\\xb7\\xc2\\xb7\\xc2\\xb7\\xc2\\xb7\\xc2\\xb7AP\\xc2\\xb7\\xc2\\xb7\\xc2\\xb7" value="8018"/> + </field> + <field name="tcp.window_size_value" showname="Window size value: 7240" size="2" pos="48" show="7240" value="1c48"/> + <field name="tcp.window_size" showname="Calculated window size: 7240" size="2" pos="48" show="7240" value="1c48"/> + <field name="tcp.window_size_scalefactor" showname="Window size scaling factor: -1 (unknown)" size="2" pos="48" show="-1" value="1c48"/> + <field name="tcp.checksum" showname="Checksum: 0x681f [unverified]" size="2" pos="50" show="0x0000681f" value="681f"/> + <field name="tcp.checksum.status" showname="Checksum Status: Unverified" size="0" pos="50" show="2"/> + <field name="tcp.urgent_pointer" showname="Urgent pointer: 0" size="2" pos="52" show="0" value="0000"/> + <field name="tcp.options" showname="Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps" size="12" pos="54" show="01:01:08:0a:eb:83:4b:08:e8:8c:de:cb" value="0101080aeb834b08e88cdecb"> + <field name="tcp.options.nop" showname="TCP Option - No-Operation (NOP)" size="1" pos="54" show="01" value="01"> + <field name="tcp.option_kind" showname="Kind: No-Operation (1)" size="1" pos="54" show="1" value="01"/> + </field> + <field name="tcp.options.nop" showname="TCP Option - No-Operation (NOP)" size="1" pos="55" show="01" value="01"> + <field name="tcp.option_kind" showname="Kind: No-Operation (1)" size="1" pos="55" show="1" value="01"/> + </field> + <field name="tcp.options.timestamp" showname="TCP Option - Timestamps: TSval 3951250184, TSecr 3901546187" 
size="10" pos="56" show="08:0a:eb:83:4b:08:e8:8c:de:cb" value="080aeb834b08e88cdecb"> + <field name="tcp.option_kind" showname="Kind: Time Stamp Option (8)" size="1" pos="56" show="8" value="08"/> + <field name="tcp.option_len" showname="Length: 10" size="1" pos="57" show="10" value="0a"/> + <field name="tcp.options.timestamp.tsval" showname="Timestamp value: 3951250184" size="4" pos="58" show="3951250184" value="eb834b08"/> + <field name="tcp.options.timestamp.tsecr" showname="Timestamp echo reply: 3901546187" size="4" pos="62" show="3901546187" value="e88cdecb"/> + </field> + </field> + <field name="tcp.analysis" showname="SEQ/ACK analysis" size="0" pos="34" show="" value=""> + <field name="tcp.analysis.bytes_in_flight" showname="Bytes in flight: 34" size="0" pos="34" show="34"/> + <field name="tcp.analysis.push_bytes_sent" showname="Bytes sent since last PSH flag: 34" size="0" pos="34" show="34"/> + </field> + <field name="tcp.payload" showname="TCP payload (34 bytes)" size="34" pos="66" show="45:48:4c:4f:20:63:6c:69:65:6e:74:2d:31:38:30:30:30:30:30:33:2e:65:78:61:6d:70:6c:65:2e:69:6e:74:0d:0a" value="45484c4f20636c69656e742d31383030303030332e6578616d706c652e696e740d0a"/> + </proto> + <proto name="smtp" showname="Simple Mail Transfer Protocol" size="34" pos="66"> + <field name="smtp.req" showname="Request: True" hide="yes" size="0" pos="66" show="1"/> + <field name="smtp.command_line" showname="Command Line: EHLO client-18000003.example.int\\r\\n" size="34" pos="66" show="EHLO client-18000003.example.int\\xd\\xa" value="45484c4f20636c69656e742d31383030303030332e6578616d706c652e696e740d0a"> + <field name="smtp.req.command" showname="Command: EHLO" size="4" pos="66" show="EHLO" value="45484c4f"/> + <field name="smtp.req.parameter" showname="Request parameter: client-18000003.example.int" size="27" pos="71" show="client-18000003.example.int" value="636c69656e742d31383030303030332e6578616d706c652e696e74"/> + </field> + </proto> + </packet> + + + </pdml>` +}
http://git-wip-us.apache.org/repos/asf/metron/blob/d5eb56a9/metron-interface/metron-alerts/src/app/pcap/service/pcap.service.ts
----------------------------------------------------------------------
diff --git a/metron-interface/metron-alerts/src/app/pcap/service/pcap.service.ts b/metron-interface/metron-alerts/src/app/pcap/service/pcap.service.ts
new file mode 100644
index 0000000..5f6f33c
--- /dev/null
+++ b/metron-interface/metron-alerts/src/app/pcap/service/pcap.service.ts
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import {Injectable, NgZone} from '@angular/core';
+import {Observable, Subject} from 'rxjs/Rx';
+import {Http, Headers, RequestOptions, Response} from '@angular/http';
+import {HttpUtil} from '../../utils/httpUtil';
+
+import 'rxjs/add/operator/map';
+
+import {PcapRequest} from '../model/pcap.request';
+import {Pdml} from '../model/pdml';
+
+export class PcapStatusResponse {
+ jobStatus: string;
+ percentComplete: number;
+ pageTotal: number;
+}
+
+@Injectable()
+export class PcapService {
+
+ private statusInterval = 4;
+ defaultHeaders = {'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest'};
+
+ constructor(private http: Http, private ngZone: NgZone) {
+ }
+
+ public pollStatus(id: string): Observable<{}> {
+ return Observable.interval(this.statusInterval * 1000).switchMap(() => {
+ return this.getStatus(id);
+ });
+ }
+
+ public submitRequest(pcapRequest: PcapRequest): Observable<string> {
+ return this.http.post('/api/v1/pcap/fixed', pcapRequest, new RequestOptions({headers: new Headers(this.defaultHeaders)}))
+ .map(result => JSON.parse(result.text()).jobId)
+ .catch(HttpUtil.handleError)
+ .onErrorResumeNext();
+ }
+
+ public getStatus(id: string): Observable<PcapStatusResponse> {
+ return this.http.get(`/api/v1/pcap/${id}`,
+ new RequestOptions({headers: new Headers(this.defaultHeaders)}))
+ .map(HttpUtil.extractData)
+ .catch(HttpUtil.handleError);
+ }
+ public getPackets(id: string, pageId: number): Observable<Pdml> {
+ return this.http.get(`/api/v1/pcap/${id}/pdml?page=${pageId}`, new RequestOptions({headers: new Headers(this.defaultHeaders)}))
+ .map(HttpUtil.extractData)
+ .catch(HttpUtil.handleError)
+ .onErrorResumeNext();
+ }
+}
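Review bot: `getStatus` and `getPackets` splice `id` (and `pageId`) straight into the request path, so a value containing `/`, `?` or `#` changes which endpoint the request reaches; wrap them as `encodeURIComponent(id)` and `encodeURIComponent(String(pageId))` inside both template literals, since the job id presumably arrives through a route or query parameter before it lands here. The trailing `.onErrorResumeNext()` in `submitRequest` and `getPackets` sits after `.catch(HttpUtil.handleError)` and, with no argument, turns any failure into a silent completion, so subscribers never learn that the request failed; `getStatus` omits it, so the three methods disagree on error behaviour and the polling built on `getStatus` is the only path that can surface an error. `pollStatus` is typed `Observable<{}>` although it only ever emits `getStatus` results, so `Observable<PcapStatusResponse>` would let callers read `jobStatus` without a cast, and because the interval never stops on its own it deserves a doc comment such as `/** Emits the job status every statusInterval seconds until the caller unsubscribes. */`. `Subject`, `Response` and the injected `ngZone` are unused in this file.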