PcapFileEx.Flows.TCPExtractor (pcap_file_ex v0.5.5)
Extracts and reassembles TCP segments from PCAP files.
This module provides shared TCP extraction logic used by both HTTP/1 and HTTP/2 analyzers. It handles:
- Decoding packets from various formats (Ethernet, null loopback, etc.)
- Extracting TCP segment information
- Reassembling TCP flows with sequence number ordering
- Detecting and filtering retransmissions
Segment Format
Each extracted segment is a map with:
%{
  flow_key: {{src_ip, src_port}, {dst_ip, dst_port}},
  direction: :a_to_b | :b_to_a,
  data: binary(),
  src_port: integer(),
  dst_port: integer(),
  seq_num: integer(),
  timestamp: DateTime.t()
}
Example
{:ok, segments} = TCPExtractor.extract("capture.pcap")
# Filter by port
{:ok, segments} = TCPExtractor.extract("capture.pcap", port: 8080)
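The sequence-number ordering and retransmission filtering listed above, illustrated on constructed segment maps in the documented format. This is an added example, not pcap_file_ex's own implementation: the FlowStreams module and its functions are hypothetical, and it assumes sequence numbers do not wrap within a flow.

```elixir
defmodule FlowStreams do
  # Hypothetical helper, not part of pcap_file_ex. Rebuilds one byte stream
  # per {flow_key, direction} from segment maps in the documented format.
  # Assumption: seq_num does not wrap past 2^32 within a flow.
  def reassemble(segments) do
    segments
    |> Enum.group_by(&{&1.flow_key, &1.direction})
    |> Map.new(fn {key, segs} -> {key, reassemble_direction(segs)} end)
  end

  defp reassemble_direction(segs) do
    sorted = Enum.sort_by(segs, & &1.seq_num)
    init = %{data: <<>>, next_seq: hd(sorted).seq_num, complete: true}

    Enum.reduce_while(sorted, init, fn seg, st ->
      seg_end = seg.seq_num + byte_size(seg.data)

      cond do
        # Every byte was already delivered: retransmission, drop it.
        seg_end <= st.next_seq ->
          {:cont, st}

        # Bytes are missing from the capture: stop rather than splice
        # unrelated data together, and flag the stream as incomplete.
        seg.seq_num > st.next_seq ->
          {:halt, %{st | complete: false}}

        # In order or partially overlapping: append only the unseen tail.
        true ->
          skip = st.next_seq - seg.seq_num
          fresh = binary_part(seg.data, skip, byte_size(seg.data) - skip)
          {:cont, %{st | data: st.data <> fresh, next_seq: seg_end}}
      end
    end)
  end
end

# Constructed sample segments (only the fields the helper reads are set).
key = {{{10, 0, 0, 1}, 40000}, {{10, 0, 0, 2}, 8080}}
seg = fn seq, data -> %{flow_key: key, direction: :a_to_b, seq_num: seq, data: data} end

segments = [
  seg.(1015, " HTTP/1.1\r\n"), # captured out of order
  seg.(1000, "GET /index"),
  seg.(1000, "GET /index"),    # exact retransmission
  seg.(1008, "ex.html")        # overlaps two bytes already seen
]

IO.inspect(FlowStreams.reassemble(segments))
```

A stream whose `complete` flag is false stopped at a hole in the capture, so any parser fed from it should treat the data as truncated.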
Summary
Functions
Extracts TCP segments from a PCAP file.
Extracts TCP segments from a stream of packets.
Groups segments by flow key.
Types
@type segment() :: %{
  flow_key: {{tuple(), non_neg_integer()}, {tuple(), non_neg_integer()}},
  direction: :a_to_b | :b_to_a,
  data: binary(),
  src_port: non_neg_integer(),
  dst_port: non_neg_integer(),
  seq_num: non_neg_integer(),
  timestamp: DateTime.t()
}
Functions
Extracts TCP segments from a PCAP file.
Options
:port - Filter to a specific TCP port (default: nil, all ports)
Returns
{:ok, segments} where segments is a list of reassembled TCP segments
ordered by timestamp, or {:error, reason} on failure.
Examples
{:ok, segments} = TCPExtractor.extract("capture.pcap")
{:ok, segments} = TCPExtractor.extract("capture.pcap", port: 8080)
@spec extract_from_stream(Enumerable.t(), keyword()) :: [segment()]
Extracts TCP segments from a stream of packets.
Use this when you already have a packet stream.
Options
:port - Filter to a specific TCP port (default: nil, all ports)
Groups segments by flow key.
Returns a map of {flow_key => segments} where segments are
ordered by timestamp.