package pcap
import (
"fmt"
"github.com/wader/fq/format"
"github.com/wader/fq/format/inet/flowsdecoder"
"github.com/wader/fq/pkg/bitio"
"github.com/wader/fq/pkg/decode"
)
// linkToDecodeFn maps a link type constant to the flowsdecoder method that is
// handed the raw bytes of one frame of that type.
//
// NOTE(review): bs is presumably frame data read straight from the capture
// file and therefore untrusted; confirm at the call site. Every entry must
// validate lengths before indexing into it.
var linkToDecodeFn = map[int]func(fd *flowsdecoder.Decoder, bs []byte) error{
	format.LinkTypeNULL:      (*flowsdecoder.Decoder).LoopbackFrame,
	format.LinkTypeETHERNET:  (*flowsdecoder.Decoder).EthernetFrame,
	format.LinkTypeLINUX_SLL: (*flowsdecoder.Decoder).SLLPacket,
	format.LinkTypeLINUX_SLL2: func(fd *flowsdecoder.Decoder, bs []byte) error {
		// Number of leading bytes read at fixed offsets below. Anything
		// shorter is rejected up front so none of the index expressions can
		// go out of range; a frame of exactly this length has an empty payload.
		const sll2HeaderLen = 20
		if n := len(bs); n < sll2HeaderLen {
			return fmt.Errorf("packet too short %d", n)
		}

		// Per the original TODO, gopacket has no SLL2 support, so the SLL2
		// header is rewritten into the 16 byte SLL layout and the result is
		// passed to the SLL decoder.
		hdr, payload := bs[:sll2HeaderLen], bs[sll2HeaderLen:]
		sll := make([]byte, 0, 16+len(payload))
		sll = append(sll,
			0, hdr[10], // packet type
			hdr[8], hdr[9], // arphdr
			0, hdr[11], // link layer address length
		)
		sll = append(sll, hdr[12:20]...)  // link layer address
		sll = append(sll, hdr[0], hdr[1]) // protocol type
		sll = append(sll, payload...)

		return fd.SLLPacket(sll)
	},
}
// fieldFlows adds the flows collected by fd to d as two arrays:
// "ipv4_reassembled", with one entry per reassembled IPv4 datagram, and
// "tcp_connections", with one "flow" struct per TCP connection.
//
// Each payload is first offered to the matching format group. When that
// attempt returns no value, the same bytes are added as a root bit buffer
// under the same field name. The error returned by the attempt is discarded,
// so a failed decode is not reported from here.
func fieldFlows(d *decode.D, fd *flowsdecoder.Decoder, tcpStreamFormat decode.Group, ipv4PacketFormat decode.Group) {
	d.FieldArray("ipv4_reassembled", func(d *decode.D) {
		for _, dgram := range fd.IPV4Reassembled {
			br := bitio.NewBitReader(dgram.Datagram, -1)
			dv, _, _ := d.TryFieldFormatBitBuf("ipv4_packet", br, ipv4PacketFormat, nil)
			if dv == nil {
				// Nothing was decoded: keep the datagram as an undecoded field.
				d.FieldRootBitBuf("ipv4_packet", br)
			}
		}
	})

	d.FieldArray("tcp_connections", func(d *decode.D) {
		for _, conn := range fd.TCPConnections {
			d.FieldStruct("flow", func(d *decode.D) {
				client, server := conn.ClientEndpoint, conn.ServerEndpoint

				d.FieldValueStr("source_ip", client.IP.String())
				d.FieldValueU("source_port", uint64(client.Port), format.TCPPortMap)
				d.FieldValueStr("destination_ip", server.IP.String())
				d.FieldValueU("destination_port", uint64(server.Port), format.TCPPortMap)

				// Both directions are decoded with the client as source and the
				// server as destination.
				// NOTE(review): confirm the stream format expects connection
				// oriented ports for the server stream rather than swapped ones.
				streamIn := format.TCPStreamIn{
					SourcePort:      client.Port,
					DestinationPort: server.Port,
				}

				clientBR := bitio.NewBitReader(conn.ClientToServer.Bytes(), -1)
				clientDV, _, _ := d.TryFieldFormatBitBuf("client_stream", clientBR, tcpStreamFormat, streamIn)
				if clientDV == nil {
					d.FieldRootBitBuf("client_stream", clientBR)
				}

				serverBR := bitio.NewBitReader(conn.ServerToClient.Bytes(), -1)
				serverDV, _, _ := d.TryFieldFormatBitBuf("server_stream", serverBR, tcpStreamFormat, streamIn)
				if serverDV == nil {
					d.FieldRootBitBuf("server_stream", serverBR)
				}
			})
		}
	})
}