node_pcap

Ability to specify protocol detection to use.

Open LiamKarlMitchell opened this issue 11 years ago • 1 comments

Rather than the following,

session.http_detect = this.detect_http_request(tcp.data);
if (session.http_detect) {
    this.setup_http_tracking(session);
}

I think it would be good to be able to say what kind of protocols we are interested in when defining the tcp_tracker and specify detection function(s) to use.

var PacketNames = { 0: 'Test' };
function custom_detect(buf) {
  // Do things with buf
  // check length etc...
  if (!buf || buf.length < 1) {
    return null; // nothing to read from an empty payload
  }
  var packetID = buf.readUInt8(0);
  // Look up name of packet in some object/array
  // Maybe if packet buffer is compressed or encrypted we could run a script to decrypt or uncompress
  // These definitions could be stored in their own js files to be included when needed or defined in a user's project.

  // Could return packet contents read as json if structure is known?
  return { ID: packetID, name: PacketNames[packetID] || 'Unknown' };
}

var tcp_tracker = new pcap.TCP_tracker({
  detectors: [
    { 'http': pcap.http_detect },
    { 'custom_protocol': custom_detect }
  ]
});

I think that some kind of addDetector('name', function) and removeDetector('name') methods would be a good idea.

Also, an idea: if no detectors are matched, it could filter out the packet if requested to.

I would be happy to work on a patch to add this kind of functionality as I am looking at using this in my packet logger project.

Of course, to have backwards compatibility with existing things using this code, the HTTP detector would have to be always enabled by default.

Or has someone else already started this kind of idea? I am new to node_pcap as of this morning and haven't had a good look around yet.

Cheers,

LiamKarlMitchell, May 06 '14 02:05
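A sketch of the detector registry this issue asks for, as an added example that is not part of the original post or of node_pcap: `DetectorRegistry`, `classify`, `dropUnmatched`, `httpDetect` and `buildRegistry` are hypothetical names, and `httpDetect` is a simplified stand-in for the library's HTTP check. Because detectors parse untrusted packet bytes, a detector that throws is treated as "no match" instead of taking down the tracker.

```javascript
// Added example: hypothetical DetectorRegistry, not node_pcap's API.
class DetectorRegistry {
  constructor(options = {}) {
    this.detectors = new Map(); // name -> function(Buffer) returning a result or null
    this.dropUnmatched = Boolean(options.dropUnmatched);
  }
  addDetector(name, fn) {
    if (typeof fn !== 'function') throw new TypeError('detector must be a function');
    this.detectors.set(name, fn);
    return this;
  }
  removeDetector(name) {
    return this.detectors.delete(name);
  }
  // Run detectors in registration order on one TCP payload; first match wins.
  classify(payload) {
    for (const [name, fn] of this.detectors) {
      let result = null;
      // Payload is untrusted network data: a throwing detector counts as no match.
      try { result = fn(payload); } catch (err) { result = null; }
      if (result) return { protocol: name, result: result, keep: true };
    }
    // Nothing matched: keep the packet unless the caller asked to filter it out.
    return { protocol: null, result: null, keep: !this.dropUnmatched };
  }
}

// Simplified HTTP request-line check (assumption, not detect_http_request itself).
function httpDetect(buf) {
  const head = buf.toString('latin1', 0, 256); // bounded read of the first bytes
  const m = /^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP\/1\.[01]\r\n/.exec(head);
  return m ? { method: m[1] } : null;
}

// The issue's custom detector with a length check; null is assumed to mean no match.
const PacketNames = { 0: 'Test' };
function customDetect(buf) {
  if (buf.length < 1) return null;
  const packetID = buf.readUInt8(0);
  return { ID: packetID, name: PacketNames[packetID] || 'Unknown' };
}

// HTTP is registered first, so it stays on by default for backwards compatibility.
function buildRegistry(options) {
  return new DetectorRegistry(options)
    .addDetector('http', httpDetect)
    .addDetector('custom_protocol', customDetect);
}
```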

Thinking about it

ujjwalt, May 11 '14 17:05