8. TCP

8.1. Types

class tcp.tcp_connection

srcip

dstip

Source and destination IP addresses.

srcport

dstport

Source and destination ports.

data

A user field that can be used to store some data associated with the connection.

class tcp.tcp_stream

init(seq)

Initialize the initial sequence number of the stream.

push(tcp)

Push a tcp packet into the stream.

pop()

Pop a tcp packet out of the stream.

seq(tcp)

Update the sequence number of a tcp packet.

ack(tcp)

Update the ack number of a packet.

8.2. Dissectors

8.2.1. TCP

tcp.create(ip)

Create a new TCP packet on top of the given IP packet.

class tcp.tcp

Dissector data for a TCP packet. This dissector is state-less. It will only parse the packet headers.

See also

haka.dissector_data.

srcport

dstport

seq

ack_seq

res

hdr_len

window_size

checksum

urgent_pointer

TCP fields as numbers.

ip

IPv4 packet.

flags

TCP flags table.

fin

syn

rst

psh

ack

urg

ecn

cwr

Individual flags as boolean.

all

Flags value as number.

payload

Payload of the packet. Class that contains the TCP data payload. The data can be accessed using the standard Lua operators # to get the length and [] to access the bytes.

verify_checksum()

Verify if the checksum is correct.

compute_checksum()

Recompute the checksum and set the resulting value in the packet.

newconnection()

Creates a new TCP connection from this packet.

getconnection()

Gets the connection if any associated with this packet.

Returns:

• The TCP connection as tcp.tcp_connection.
• A boolean containing the direction of this packet in the connection.
• A boolean indicating if the packet is part of a dropped connection.

drop()

Drop the TCP packet.

8.2.2. TCP connection

class tcp-connection.connection

State-full dissector for TCP which define one additional hook tcp-connection-new that is called whenever a packet will create a new TCP connection.

See also

haka.dissector_data.

connection

Contains the current TCP connection.

stream

Contains the stream associated with the connection.

direction

Contains the direction of the current packet.

drop()

Drop the TCP connection. All future packets that belong to this connection will be silently dropped.

reset()

Reset the TCP connection. A RST packet will be sent to both end and all future packet that belong to this connection will be silently dropped.

8.3. Example

------------------------------------
-- Firewall rules
------------------------------------

local client_network = ipv4.network("192.168.10.0/25");
local server_network = ipv4.network("192.168.20.0/25");

local group = haka.rule_group{
    name = "group",
    init = function (self, pkt)
        haka.log.debug("filter", "entering packet filtering rules : %d --> %d",
            pkt.tcp.srcport, pkt.tcp.dstport)
    end,
    fini = function (self, pkt)
        haka.alert{
            description = "Packet dropped : drop by default",
            sources = haka.alert.address(pkt.tcp.ip.src, pkt.tcp.srcport),
            targets = haka.alert.address(pkt.tcp.ip.dst, pkt.tcp.dstport)
        }
        pkt:drop()
    end,
    continue = function (self, pkt, ret)
        return not ret
    end
}


group:rule{
    hooks = { 'tcp-connection-new' },
    eval = function (self, pkt)

        local tcp = pkt.tcp

        if client_network:contains(tcp.ip.src) and
            server_network:contains(tcp.ip.dst) and
            tcp.dstport == 80 then
            haka.log.warning("filter", "authorizing http traffic")
            pkt.next_dissector = "http"
            return true
        end
    end
}

group:rule{
    hooks = { 'tcp-connection-new' },
    eval = function (self, pkt)

        local tcp = pkt.tcp

        if client_network:contains(tcp.ip.src) and
            server_network:contains(tcp.ip.dst) and
            tcp.dstport == 22 then
            haka.log.warning("filter", "authorizing ssh traffic")
            haka.log.warning("filter", "no available dissector for ssh")
            return true
        end
    end
}