Xplico.org
http://forum.xplico.org/

Questions about PEI format/purpose; extracting info from PEI
http://forum.xplico.org/viewtopic.php?f=3&t=224
Page 5 of 5

Author:  gianluca.costa [ Thu Aug 19, 2010 9:33 am ]
Post subject:  Re: Questions about PEI format/purpose; extracting info from

Hi Kizzo,
Quote:
Is there any way to detect a TCP open/connect in this way?

This task is done by the TCP dissector. Each stream (thread) delivered to a dissector over TCP is a TCP stream.
Not all packets are delivered to the dissectors above TCP, but only the SYN packets and non-empty packets. The packet ordering (by sequence numbers) is guaranteed, as is the absence of (any type of) repetition and the reporting of lost data.
Quote:
And what about TCP opens/connects later on in the traffic stream? How do you detect those?

It is the TCP dissector that does it.
Quote:
My current solution seems to only tell me when the first SYN occurred - not any later ones, if any. Maybe that's something I'll figure out after I figure out the above problem.

If FTP has a flow then this is a stream and it starts with SYN, SYN/ACK, ACK, but not all packets are sent to FTP (or other dissectors). Xplico is not a protocol analyzer like Wireshark; it does not focus on the packets but on the information (application) carried.
The PEI is not intended to describe each packet of a protocol, nor every message of a protocol, but only macroscopic information (e.g. an HTML page, a VoIP call, a channel in a chat) carried by the protocol.

Quote:
One definition I propose: A PEI is constructed from whatever data a dissector chooses to dissect from each packet given to it. For each piece of data that the dissector considers to be important about a packet, it will represent it as a PEI component of the overall PEI for this packet.

A PEI is constructed from whatever data a dissector chooses to dissect from each packet or stream given to it. For each piece of data that the dissector considers to be important about a packet or stream, it will represent it as a PEI component of the overall PEI for this packet or stream.
The aim is to extract the information exchanged (by users) with the protocol, not protocol analysis. So the PEI and its components are the container of this information.

I do not have much time to respond; I will do better when I get back from vacation.

Ciao.
Gianluca
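To make the delivery contract Gianluca describes concrete (only SYN and non-empty segments, in sequence order, no repetition, lost data reported), here is a small model of it in Python. This is an added example, not Xplico's own dissector code; the Pkt type, the deliver() function and the FTP-style packet list are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Pkt:                      # one TCP segment in one direction (constructed, not a capture)
    seq: int
    payload: bytes = b""
    syn: bool = False

def deliver(packets):
    """Model of what reaches a dissector above TCP: ("syn", seq, b"") for the SYN,
    ("data", seq, payload) for each non-empty segment in sequence order with no
    repetition, and ("lost", start_seq, n_bytes) where data never arrived."""
    out, pending, next_seq = [], {}, None
    for p in packets:
        if p.syn:
            out.append(("syn", p.seq, b""))
            next_seq = p.seq + 1              # SYN consumes one sequence number
            continue
        if not p.payload or next_seq is None:
            continue                          # pure ACKs and pre-SYN data: not delivered
        if p.seq + len(p.payload) <= next_seq:
            continue                          # full retransmission: already delivered
        if p.seq < next_seq:                  # partial overlap: keep only the new tail
            p = Pkt(next_seq, p.payload[next_seq - p.seq:])
        pending[p.seq] = p.payload            # a duplicate out-of-order copy collapses here
        while next_seq in pending:            # release everything that is now contiguous
            data = pending.pop(next_seq)
            out.append(("data", next_seq, data))
            next_seq += len(data)
    for seq in sorted(pending):               # end of capture: segments still held sit
        data = pending[seq]                   # behind a hole that was never filled
        if seq < next_seq:
            data, seq = data[next_seq - seq:], next_seq
        elif seq > next_seq:
            out.append(("lost", next_seq, seq - next_seq))
        if data:
            out.append(("data", seq, data))
            next_seq = seq + len(data)
    return out

# Constructed client->server FTP control segments: out of order, one retransmission, one bare ACK, one hole.
SAMPLE = [
    Pkt(1000, syn=True),
    Pkt(1001),                            # bare ACK finishing the handshake
    Pkt(1001, b"USER anonymous\r\n"),
    Pkt(1001, b"USER anonymous\r\n"),     # retransmission
    Pkt(1034, b"TYPE I\r\n"),             # arrives before the segment it follows
    Pkt(1017, b"PASS guest@site\r\n"),    # fills the hole, releases both in order
    Pkt(1060, b"QUIT\r\n"),               # bytes 1042..1059 are never seen
]
```

Running deliver(SAMPLE) yields one SYN record, the four commands in order, and a single "lost" record covering the 18 bytes before QUIT; the bare ACK and the retransmission never reach the dissector.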
