package flowsdecoder
// TODO: option to not allow missing syn/ack?
import (
"bytes"
"encoding/binary"
"fmt"
"net"
"github.com/gopacket/gopacket"
"github.com/gopacket/gopacket/ip4defrag"
"github.com/gopacket/gopacket/layers"
"github.com/gopacket/gopacket/reassembly"
)
// TCPEndpoint identifies one side of a TCP connection.
type TCPEndpoint struct {
	// IP is the network-layer address of this side.
	IP net.IP
	// Port is the TCP port of this side. Decoder.New leaves it at zero when
	// the transport endpoint it is given is not exactly two bytes long, so a
	// zero here can mean "unknown", not necessarily "port 0".
	Port int
}
// TCPDirection holds the reassembled state for one direction of a TCP
// connection.
type TCPDirection struct {
	// Endpoint is the sender of this direction.
	Endpoint TCPEndpoint
	// HasStart is set once any reassembled chunk for this direction reported
	// the start flag.
	HasStart bool
	// HasEnd is set once any reassembled chunk for this direction reported
	// the end flag.
	HasEnd bool
	// Buffer accumulates the payload bytes written by ReassembledSG.
	Buffer *bytes.Buffer
	// SkippedBytes is the running total of bytes the reassembler reported as
	// missing. A non-zero value means Buffer is not the complete byte stream.
	SkippedBytes uint64
}
// TCPConnection is the per-connection stream handed to the gopacket
// reassembler. It carries both directions of one TCP connection.
type TCPConnection struct {
	// Client is the client-to-server direction.
	Client *TCPDirection
	// Server is the server-to-client direction.
	Server *TCPDirection

	// tcpState tracks the TCP state machine; Accept rejects segments it
	// does not consider valid for the current state.
	tcpState *reassembly.TCPSimpleFSM
	// optChecker validates TCP options; it is nil unless
	// DecoderOptions.CheckTCPOptions is set, in which case Accept skips the
	// option check.
	optChecker *reassembly.TCPOptionCheck

	// net and transport are the flows the connection was created for.
	net       gopacket.Flow
	transport gopacket.Flow
}
// Accept reports whether a TCP segment should be handed to reassembly.
//
// A segment is accepted when the connection state machine considers it valid
// and, if an option checker is configured, the checker raises no error.
// Rejections are silent: the reason is not recorded or returned.
//
// The TCP checksum is not verified here, so a segment that a real endpoint
// would drop for a bad checksum can still end up in the reassembled stream.
// Keep that in mind when treating Buffer contents as what the peer received.
func (t *TCPConnection) Accept(tcp *layers.TCP, ci gopacket.CaptureInfo, dir reassembly.TCPFlowDirection, nextSeq reassembly.Sequence, start *bool, ac reassembly.AssemblerContext) bool {
	// has ok state?
	stateOK := t.tcpState.CheckState(tcp, dir)
	if !stateOK {
		// TODO: handle err?
		return false
	}

	// Option checking is opt-in; without a checker the state check decides.
	if t.optChecker == nil {
		// TODO: checksum?
		return true
	}

	// has ok options?
	optErr := t.optChecker.Accept(tcp, ci, dir, nextSeq, start)
	// TODO: handle err?
	// TODO: checksum?
	return optErr == nil
}
// ReassembledSG receives one reassembled chunk and appends it to the buffer
// of the direction it belongs to.
//
// When the reassembler reports a gap (skip is neither 0 nor -1) the gap size
// is added to SkippedBytes and the chunk itself is NOT written to Buffer, and
// the start/end flags of that chunk are not recorded. Consumers that need a
// faithful byte stream should check SkippedBytes before trusting Buffer.
//
// It panics if the reassembler reports a direction other than the two known
// ones.
func (t *TCPConnection) ReassembledSG(sg reassembly.ScatterGather, ac reassembly.AssemblerContext) {
	flowDir, isStart, isEnd, skipped := sg.Info()
	available, _ := sg.Lengths()

	var side *TCPDirection
	if flowDir == reassembly.TCPDirClientToServer {
		side = t.Client
	} else if flowDir == reassembly.TCPDirServerToClient {
		side = t.Server
	} else {
		panic("unreachable")
	}

	// can't find where skip == -1 is documented but this is what gopacket
	// reassemblydump does to allow missing syn/ack, so -1 is treated like 0.
	if skipped != -1 && skipped != 0 {
		// stream has missing bytes
		side.SkippedBytes += uint64(skipped)
		return
	}

	if isStart {
		side.HasStart = true
	}
	if isEnd {
		side.HasEnd = true
	}

	side.Buffer.Write(sg.Fetch(available))
}
// ReassemblyComplete is called by the reassembler when it considers the
// connection finished. It always answers false so the connection is kept,
// which lets a trailing ACK still be matched to it.
//
// NOTE(review): because this never returns true, finished connections are not
// released through this callback; on long or hostile captures the number of
// tracked connections only grows. Confirm callers bound the input.
func (t *TCPConnection) ReassemblyComplete(ac reassembly.AssemblerContext) bool {
	// do not remove the connection to allow last ACK
	const removeConnection = false
	return removeConnection
}
// IPV4Reassembled records one IPv4 datagram that was rebuilt from fragments.
type IPV4Reassembled struct {
	// SourceIP is the source address taken from the fragment that completed
	// the datagram.
	SourceIP net.IP
	// DestinationIP is the destination address taken from that same fragment.
	DestinationIP net.IP
	// Datagram is the re-serialized datagram: header plus reassembled
	// payload, with lengths and checksums recomputed.
	Datagram []byte
}
// New creates the stream for a newly seen TCP connection and registers it in
// fd.TCPConnections. The reassembler's stream pool calls it as the stream
// factory.
//
// The state machine is created with SupportMissingEstablishment, so
// connections whose handshake is not in the capture are still tracked.
// Endpoint addresses are copied so they do not alias the flow's storage.
//
// NOTE(review): every new connection is appended to fd.TCPConnections and no
// limit is visible in this file, so memory use scales with the number of
// distinct flows in the input. Confirm callers bound untrusted captures.
func (fd *Decoder) New(net, transport gopacket.Flow, tcp *layers.TCP, ac reassembly.AssemblerContext) reassembly.Stream {
	// TODO: get ip layer somehow?
	// TODO: understand how gopacket handles broken/too short packets, seems like
	// we can get here when lots of things are missing, assume zero port for now
	portOf := func(e gopacket.Endpoint) int {
		raw := e.Raw()
		if len(raw) != 2 {
			return 0
		}
		return int(binary.BigEndian.Uint16(raw))
	}
	clientPort := portOf(transport.Src())
	serverPort := portOf(transport.Dst())

	conn := &TCPConnection{
		Client: &TCPDirection{
			Endpoint: TCPEndpoint{
				IP:   append([]byte(nil), net.Src().Raw()...),
				Port: clientPort,
			},
			Buffer: &bytes.Buffer{},
		},
		Server: &TCPDirection{
			Endpoint: TCPEndpoint{
				IP:   append([]byte(nil), net.Dst().Raw()...),
				Port: serverPort,
			},
			Buffer: &bytes.Buffer{},
		},

		net:       net,
		transport: transport,
		tcpState: reassembly.NewTCPSimpleFSM(reassembly.TCPSimpleFSMOptions{
			SupportMissingEstablishment: true,
		}),
	}

	// TCP option validation is opt-in.
	if fd.Options.CheckTCPOptions {
		checker := reassembly.NewTCPOptionCheck()
		conn.optChecker = &checker
	}

	fd.TCPConnections = append(fd.TCPConnections, conn)

	return conn
}
// Decoder turns raw captured packets into reassembled IPv4 datagrams and TCP
// connections. Results accumulate in the exported slices as packets are fed
// in.
type Decoder struct {
	// Options holds the settings the decoder was created with.
	Options DecoderOptions

	// TCPConnections lists every TCP connection seen so far, in the order
	// the reassembler created them.
	TCPConnections []*TCPConnection
	// IPV4Reassembled lists every IPv4 datagram rebuilt from fragments.
	IPV4Reassembled []IPV4Reassembled

	// ipv4Defrag holds IPv4 fragment reassembly state.
	ipv4Defrag *ip4defrag.IPv4Defragmenter
	// tcpAssembler performs TCP stream reassembly and calls back into the
	// decoder to create streams.
	tcpAssembler *reassembly.Assembler
}
// DecoderOptions configures a Decoder.
type DecoderOptions struct {
	// CheckTCPOptions enables TCP option validation for every new
	// connection. When false, segments are filtered by the TCP state check
	// only.
	CheckTCPOptions bool
}
// New returns a Decoder configured with options, with its IPv4 defragmenter
// and TCP assembler ready to use. The decoder itself is the stream factory of
// the assembler's stream pool.
func New(options DecoderOptions) *Decoder {
	d := &Decoder{
		Options:    options,
		ipv4Defrag: ip4defrag.NewIPv4Defragmenter(),
	}
	// The pool needs the decoder as its factory, so the assembler can only
	// be wired up after d exists.
	d.tcpAssembler = reassembly.NewAssembler(reassembly.NewStreamPool(d))

	return d
}
// EthernetFrame decodes bs as an Ethernet frame and feeds it to the decoder.
//
// Layers are decoded lazily. NOTE(review): packet() never inspects the
// packet's error layer, so a malformed or truncated frame may be dropped
// without an error being returned.
func (fd *Decoder) EthernetFrame(bs []byte) error {
	pkt := gopacket.NewPacket(bs, layers.LayerTypeEthernet, gopacket.Lazy)
	return fd.packet(pkt)
}
// IPv4Packet decodes bs as a bare IPv4 packet (no link layer) and feeds it to
// the decoder. Layers are decoded lazily.
func (fd *Decoder) IPv4Packet(bs []byte) error {
	pkt := gopacket.NewPacket(bs, layers.LayerTypeIPv4, gopacket.Lazy)
	return fd.packet(pkt)
}
// IPv6Packet decodes bs as a bare IPv6 packet (no link layer) and feeds it to
// the decoder. Layers are decoded lazily.
func (fd *Decoder) IPv6Packet(bs []byte) error {
	pkt := gopacket.NewPacket(bs, layers.LayerTypeIPv6, gopacket.Lazy)
	return fd.packet(pkt)
}
// SLLPacket decodes bs as a Linux cooked-capture (SLL) packet and feeds it to
// the decoder. Layers are decoded lazily.
func (fd *Decoder) SLLPacket(bs []byte) error {
	pkt := gopacket.NewPacket(bs, layers.LayerTypeLinuxSLL, gopacket.Lazy)
	return fd.packet(pkt)
}
// SLL2Packet decodes bs as a Linux cooked-capture v2 (SLL2) packet and feeds
// it to the decoder. Layers are decoded lazily.
func (fd *Decoder) SLL2Packet(bs []byte) error {
	pkt := gopacket.NewPacket(bs, layers.LayerTypeLinuxSLL2, gopacket.Lazy)
	return fd.packet(pkt)
}
// LoopbackFrame decodes bs as a loopback-encapsulated frame and feeds it to
// the decoder. Layers are decoded lazily.
func (fd *Decoder) LoopbackFrame(bs []byte) error {
	pkt := gopacket.NewPacket(bs, layers.LayerTypeLoopback, gopacket.Lazy)
	return fd.packet(pkt)
}
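// RAWIPFrame decodes bs as a LinkTypeRAW frame, i.e. a bare IPv4 or IPv6
// packet, and feeds it to the decoder.
//
// The IP version is read from the high nibble of the first byte. An empty
// frame or a version other than 4 or 6 yields an error. The bytes come
// straight from a capture, so a zero-length frame must not be allowed to
// panic the process.
func (fd *Decoder) RAWIPFrame(bs []byte) error {
	// Guard the bs[0] read below against an empty frame.
	if len(bs) == 0 {
		return fmt.Errorf("empty raw ip frame")
	}

	version := bs[0] >> 4
	switch version {
	case 4:
		return fd.IPv4Packet(bs)
	case 6:
		return fd.IPv6Packet(bs)
	}
	return fmt.Errorf("invalid ip version %v", version)
}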
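// packet runs one decoded packet through IPv4 defragmentation and TCP
// reassembly.
//
// If the packet carries an IPv4 layer it is passed to the defragmenter. When
// that yields a datagram whose length differs from the input, the datagram is
// treated as freshly reassembled: it is re-serialized (lengths and checksums
// recomputed), recorded in fd.IPV4Reassembled, and its payload is decoded
// back into p so the TCP step below sees the reassembled content.
//
// If the packet (possibly after that re-decode) carries a TCP layer, the
// segment is handed to the TCP assembler.
//
// Unexpected layer types, a packet that cannot be re-decoded into, and a TCP
// segment without a network layer are returned as errors instead of
// panicking, because the input is captured traffic and may be malformed.
//
// NOTE(review): the packet's error layer is never consulted, so decode
// failures in lazily decoded layers are not reported. Fragment state is kept
// by the defragmenter; no expiry of incomplete fragments is visible in this
// file, so confirm that callers bound untrusted input.
func (fd *Decoder) packet(p gopacket.Packet) error {
	// TODO: linkType
	if ip4Layer := p.Layer(layers.LayerTypeIPv4); ip4Layer != nil {
		ip4, ok := ip4Layer.(*layers.IPv4)
		if !ok {
			return fmt.Errorf("unexpected ipv4 layer type %T", ip4Layer)
		}

		// Remember the length before defragmenting: it is compared with the
		// returned datagram's length to detect a completed reassembly.
		origLen := ip4.Length
		newIPv4, err := fd.ipv4Defrag.DefragIPv4(ip4)
		if err != nil {
			return err
		}

		// TODO: correct way to detect finished reassemble?
		if newIPv4 != nil && newIPv4.Length != origLen {
			// TODO: better way to reconstruct package?
			sb := gopacket.NewSerializeBuffer()
			b, err := sb.PrependBytes(len(newIPv4.Payload))
			if err != nil {
				return err
			}
			copy(b, newIPv4.Payload)
			if err := newIPv4.SerializeTo(sb, gopacket.SerializeOptions{
				FixLengths:       true,
				ComputeChecksums: true,
			}); err != nil {
				return err
			}

			fd.IPV4Reassembled = append(fd.IPV4Reassembled, IPV4Reassembled{
				SourceIP:      ip4.SrcIP,
				DestinationIP: ip4.DstIP,
				Datagram:      sb.Bytes(),
			})

			// i think this replaces p with the newly defragmented ip packet and is
			// used below when reassembling tcp streams
			// see gopacket reassemblydump example
			pb, ok := p.(gopacket.PacketBuilder)
			if !ok {
				return fmt.Errorf("packet type %T is not a gopacket.PacketBuilder", p)
			}
			if err := newIPv4.NextLayerType().Decode(newIPv4.Payload, pb); err != nil {
				return err
			}
		}
	}

	if tcpLayer := p.Layer(layers.LayerTypeTCP); tcpLayer != nil {
		tcp, ok := tcpLayer.(*layers.TCP)
		if !ok {
			return fmt.Errorf("unexpected tcp layer type %T", tcpLayer)
		}
		// Guard against a TCP layer with no network layer to take the flow
		// from; dereferencing a nil layer here would panic.
		netLayer := p.NetworkLayer()
		if netLayer == nil {
			return fmt.Errorf("tcp segment without network layer")
		}
		fd.tcpAssembler.Assemble(netLayer.NetworkFlow(), tcp)
	}

	return nil
}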
// Flush tells the TCP assembler to flush all connections it still tracks, so
// that buffered data is delivered to the streams. Call it once all packets
// have been fed in. The count returned by the assembler is discarded.
func (fd *Decoder) Flush() {
	_ = fd.tcpAssembler.FlushAll()
}