
Conversation

@UwUDev (Collaborator) commented Aug 20, 2025

So, the "best" solution I found was to retrieve the entire packet, but unfortunately, with libc, nix, or other crates, this isn't really possible except by listening to an interface or changing the HTTP server. So you have to run it as root with the --capture-packets argument, which also allows you to retrieve all TCP packets before the start of the HTTP protocol with the SYN ACK of the TCP handshake.

I didn't implement JA4T because I saw several methods for doing the fingerprint, so I'll leave that part to you.

There's the raw packet in the response, with the information parsed like this, for example:

Pingly response

[
  {
    "timestamp": 1755726194073,
    "direction": "inbound",
    "src_ip": "127.0.0.1",
    "dst_ip": "127.0.0.1",
    "src_port": 57486,
    "dst_port": 8181,
    "protocol": "TCP",
    "payload_hex": "00000000000000000000000008004500003404bc4000400638067f0000017f000001e08e1ff531bb24caa762708d801003b6fe2800000101080a7e3e24ea7e3e24ea",
    "packet_size": 66,
    "parsed_info": {
      "ethernet": {
        "ethertype": "IPv4"
      },
      "ipv4": {
        "chksum": 14342,
        "dest_addr": "127.0.0.1",
        "flags": 2,
        "fragment_offset": 0,
        "id": 1212,
        "ihl": 5,
        "length": 52,
        "protocol": "TCP",
        "source_addr": "127.0.0.1",
        "tos": 0,
        "ttl": 64,
        "version": 4
      },
      "tcp": {
        "ack_no": 2808246413,
        "checksum": 65064,
        "data_offset": 8,
        "dest_port": 8181,
        "flag_ack": true,
        "flag_fin": false,
        "flag_psh": false,
        "flag_rst": false,
        "flag_syn": false,
        "flag_urg": false,
        "options": null,
        "reserved": 0,
        "sequence_no": 834348234,
        "source_port": 57486,
        "urgent_pointer": 0,
        "window": 950
      }
    }
  },
  {
    "timestamp": 1755726194073,
    "direction": "inbound",
    "src_ip": "127.0.0.1",
    "dst_ip": "127.0.0.1",
    "src_port": 57486,
    "dst_port": 8181,
    "protocol": "TCP",
    "payload_hex": "00000000000000000000000008004500003404bd4000400638057f0000017f000001e08e1ff531bb24caa7627ceb8010039efe2800000101080a7e3e24ea7e3e24ea",
    "packet_size": 66,
    "parsed_info": {
      "ethernet": {
        "ethertype": "IPv4"
      },
      "ipv4": {
        "chksum": 14341,
        "dest_addr": "127.0.0.1",
        "flags": 2,
        "fragment_offset": 0,
        "id": 1213,
        "ihl": 5,
        "length": 52,
        "protocol": "TCP",
        "source_addr": "127.0.0.1",
        "tos": 0,
        "ttl": 64,
        "version": 4
      },
      "tcp": {
        "ack_no": 2808249579,
        "checksum": 65064,
        "data_offset": 8,
        "dest_port": 8181,
        "flag_ack": true,
        "flag_fin": false,
        "flag_psh": false,
        "flag_rst": false,
        "flag_syn": false,
        "flag_urg": false,
        "options": null,
        "reserved": 0,
        "sequence_no": 834348234,
        "source_port": 57486,
        "urgent_pointer": 0,
        "window": 926
      }
    }
  },
  {
    "timestamp": 1755726194176,
    "direction": "inbound",
    "src_ip": "127.0.0.1",
    "dst_ip": "127.0.0.1",
    "src_port": 57486,
    "dst_port": 8181,
    "protocol": "TCP",
    "payload_hex": "00000000000000000000000008004500007604be4000400637c27f0000017f000001e08e1ff531bb24caa7627ceb801803b6fe6a00000101080a7e3e25437e3e24ea170303003dc1a984746d886c6d0fae7b25d7b2c190550adcc137fc9b65d085821c98dce28f7cbe4757f72dab95eb0ba62abcbca55dbb6061634220c2d4f7d7b999d0",
    "packet_size": 132,
    "parsed_info": {
      "application_data": {
        "length": 66,
        "preview_ascii": "....=...tm.lm..{%....U...7..e........|.GW.-.....*...].`acB .....",
        "preview_hex": "170303003dc1a984746d886c6d0fae7b25d7b2c190550adcc137fc9b65d085821c98dce28f7cbe4757f72dab95eb0ba62abcbca55dbb6061634220c2d4f7d7b9"
      },
      "ethernet": {
        "ethertype": "IPv4"
      },
      "ipv4": {
        "chksum": 14274,
        "dest_addr": "127.0.0.1",
        "flags": 2,
        "fragment_offset": 0,
        "id": 1214,
        "ihl": 5,
        "length": 118,
        "protocol": "TCP",
        "source_addr": "127.0.0.1",
        "tos": 0,
        "ttl": 64,
        "version": 4
      },
      "tcp": {
        "ack_no": 2808249579,
        "checksum": 65130,
        "data_offset": 8,
        "dest_port": 8181,
        "flag_ack": true,
        "flag_fin": false,
        "flag_psh": true,
        "flag_rst": false,
        "flag_syn": false,
        "flag_urg": false,
        "options": null,
        "reserved": 0,
        "sequence_no": 834348234,
        "source_port": 57486,
        "urgent_pointer": 0,
        "window": 950
      }
    }
  }
]

I wasn't sure what to put as the path for the request, so I put /api/packets, but maybe /api/tcp or /api/tcp-ip would be better.

There was a problem with the sysinfo compilation for me, so I had to revert to 0.30 with the default features.
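To make the relation between `payload_hex` and `parsed_info` concrete, here is an added example (not code from this PR or from the pingly project) that decodes the Ethernet/IPv4/TCP headers of such a frame; `TcpIpInfo` and `parse_frame` are names I chose. It goes one step beyond the sample output by walking the TCP option kinds (the sample reports `options: null`), which is part of what TCP-level fingerprints such as JA4T are built from.

```rust
// Added example, not code from the pingly project: parse the `payload_hex`
// Ethernet/IPv4/TCP frame shown in the PR's sample response into header fields.
#[derive(Debug, PartialEq)]
pub struct TcpIpInfo {
    pub ip_id: u16, pub ip_flags: u8, pub ttl: u8, pub src: [u8; 4], pub dst: [u8; 4],
    pub src_port: u16, pub dst_port: u16, pub seq: u32, pub ack: u32,
    pub data_offset: u8, pub flags: u8, pub window: u16,
    pub option_kinds: Vec<u8>, // TCP option kinds in wire order (sample reports options as null)
    pub payload_len: usize,    // bytes after the TCP header, e.g. the TLS record
}

fn hex_to_bytes(hex: &str) -> Option<Vec<u8>> {
    if hex.len() % 2 != 0 { return None; }
    (0..hex.len()).step_by(2).map(|i| u8::from_str_radix(&hex[i..i + 2], 16).ok()).collect()
}
fn be16(b: &[u8], i: usize) -> u16 { u16::from_be_bytes([b[i], b[i + 1]]) }
fn be32(b: &[u8], i: usize) -> u32 { u32::from_be_bytes([b[i], b[i + 1], b[i + 2], b[i + 3]]) }

pub fn parse_frame(hex: &str) -> Option<TcpIpInfo> {
    let b = hex_to_bytes(hex)?;
    // Ethernet II header is 14 bytes; only IPv4 (ethertype 0x0800) is handled here.
    if b.len() < 34 || be16(&b, 12) != 0x0800 { return None; }
    let ip = &b[14..];
    let ihl = (ip[0] & 0x0f) as usize * 4;
    if ip[0] >> 4 != 4 || ihl < 20 || ip[9] != 6 { return None; } // IPv4 carrying TCP only
    let ip_len = be16(ip, 2) as usize;
    if ip_len < ihl + 20 || ip.len() < ip_len { return None; }     // truncated capture
    let tcp = &ip[ihl..ip_len];
    let data_offset = tcp[12] >> 4;
    let hdr = data_offset as usize * 4;
    if hdr < 20 || tcp.len() < hdr { return None; }
    // Walk TCP options: kind 0 ends the list, kind 1 (NOP) is one byte, others carry a length.
    let (mut option_kinds, mut i) = (Vec::new(), 20);
    while i < hdr {
        let kind = tcp[i];
        option_kinds.push(kind);
        if kind == 0 { break; }
        if kind == 1 { i += 1; continue; }
        let len = *tcp.get(i + 1)? as usize;
        if len < 2 || i + len > hdr { return None; }                // malformed option
        i += len;
    }
    Some(TcpIpInfo {
        ip_id: be16(ip, 4), ip_flags: ip[6] >> 5, ttl: ip[8],
        src: [ip[12], ip[13], ip[14], ip[15]], dst: [ip[16], ip[17], ip[18], ip[19]],
        src_port: be16(tcp, 0), dst_port: be16(tcp, 2), seq: be32(tcp, 4), ack: be32(tcp, 8),
        data_offset, flags: tcp[13], window: be16(tcp, 14),
        option_kinds, payload_len: tcp.len() - hdr,
    })
}
```

Run against the first sample packet above it yields id 1212, ttl 64, ports 57486 to 8181, window 950 and option kinds [1, 1, 8] (NOP, NOP, Timestamp); the third packet yields a 66-byte payload, the TLS record shown under `application_data`.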

@UwUDev (Collaborator, Author) commented Aug 20, 2025

Perhaps it should be added to /api/all as well

@0x676e67 (Owner)

I suggest keeping it under the /api/tcp API path. For /api/all, you can add a tcp field to include the new information.

@0x676e67 (Owner)

On macOS it seems packet capture doesn’t work; I haven’t checked yet. Also, the data format needs some adjustments—try to avoid using JSON string fields as references.

@UwUDev (Collaborator, Author) commented Aug 29, 2025

It should be possible on macOS to capture the packets, since tcpdump seems to exist, but I have no way to test it: https://developer.apple.com/documentation/Network/recording-a-packet-trace

@UwUDev (Collaborator, Author) commented Oct 21, 2025

I was able to do some tests on a Mac, but I wasn't able to make it work, so I made this feature only possible on Linux for now. Theoretically, it should be possible on macOS (and Windows), but I don't have the equipment to test it.

@UwUDev (Collaborator, Author) commented Nov 23, 2025

@0x676e67 should I merge it?

@0x676e67 0x676e67 merged commit d172334 into 0x676e67:main Nov 23, 2025
4 checks passed