package pcap
import (
"github.com/wader/fq/format"
"github.com/wader/fq/format/inet/flowsdecoder"
"github.com/wader/fq/pkg/bitio"
"github.com/wader/fq/pkg/decode"
)
// linkToDecodeFn maps a capture link type to the flowsdecoder.Decoder method
// that is registered for packets of that link type.
//
// Only the link types listed here have an entry. Indexing the map with any
// other value yields a nil func, and calling a nil func panics, so lookups
// should use the comma-ok form.
// NOTE(review): the link type presumably comes from the capture file itself,
// i.e. from untrusted input — confirm at the call sites.
var linkToDecodeFn = map[int]func(*flowsdecoder.Decoder, []byte) error{
	// Link types whose handlers are named after a link-layer framing.
	format.LinkTypeETHERNET:   (*flowsdecoder.Decoder).EthernetFrame,
	format.LinkTypeLINUX_SLL:  (*flowsdecoder.Decoder).SLLPacket,
	format.LinkTypeLINUX_SLL2: (*flowsdecoder.Decoder).SLL2Packet,
	format.LinkTypeNULL:       (*flowsdecoder.Decoder).LoopbackFrame,

	// Link types whose handlers are named after an IP payload.
	format.LinkTypeIPv4: (*flowsdecoder.Decoder).IPv4Packet,
	format.LinkTypeIPv6: (*flowsdecoder.Decoder).IPv6Packet,
	format.LinkTypeRAW:  (*flowsdecoder.Decoder).RAWIPFrame,
}
// fieldFlows adds two arrays to d from what fd has collected:
// "ipv4_reassembled", with one entry per datagram in fd.IPV4Reassembled, and
// "tcp_connections", with one "tcp_connection" struct per entry in
// fd.TCPConnections, each holding a "client" and a "server" struct.
//
// The bytes decoded here are rebuilt from capture contents and should be
// treated as untrusted input. A failed format decode is not reported: the
// error from TryFieldFormatBitBuf is discarded, and when no value comes back
// the same bytes are added as a raw field under the same name instead.
//
// TODO: make some of this shared if more packet capture formats are added
func fieldFlows(d *decode.D, fd *flowsdecoder.Decoder, tcpStreamFormat decode.Group, ipv4PacketFormat decode.Group) {
	// Every bit reader below is created with -1 as its second argument;
	// presumably that means "use the whole buffer" — confirm against
	// bitio.NewBitReader.

	// decodeDirection adds the fields for one direction of a TCP connection
	// and returns whatever the stream format handed back as its out value.
	decodeDirection := func(d *decode.D, td *flowsdecoder.TCPDirection, tsi format.TCP_Stream_In) any {
		d.FieldValueStr("ip", td.Endpoint.IP.String())
		d.FieldValueUint("port", uint64(td.Endpoint.Port), format.TCPPortMap)
		// Expose the direction's HasStart, HasEnd and SkippedBytes next to
		// the stream, so a reader can see them alongside the decoded data.
		d.FieldValueBool("has_start", td.HasStart)
		d.FieldValueBool("has_end", td.HasEnd)
		d.FieldValueUint("skipped_bytes", td.SkippedBytes)

		streamBR := bitio.NewBitReader(td.Buffer.Bytes(), -1)
		streamDV, streamOut, _ := d.TryFieldFormatBitBuf("stream", streamBR, &tcpStreamFormat, tsi)
		if streamDV == nil {
			// No format decoded the stream: keep the bytes as a raw field.
			d.FieldRootBitBuf("stream", streamBR)
		}
		return streamOut
	}

	// streamIn builds the argument passed to the stream format for the
	// direction self, whose opposite direction is peer.
	streamIn := func(isClient bool, self, peer *flowsdecoder.TCPDirection) format.TCP_Stream_In {
		return format.TCP_Stream_In{
			IsClient:        isClient,
			HasStart:        self.HasStart,
			HasEnd:          self.HasEnd,
			SkippedBytes:    self.SkippedBytes,
			SourcePort:      self.Endpoint.Port,
			DestinationPort: peer.Endpoint.Port,
		}
	}

	d.FieldArray("ipv4_reassembled", func(d *decode.D) {
		for _, reassembled := range fd.IPV4Reassembled {
			packetBR := bitio.NewBitReader(reassembled.Datagram, -1)
			packetDV, _, _ := d.TryFieldFormatBitBuf("ipv4_packet", packetBR, &ipv4PacketFormat, nil)
			if packetDV != nil {
				continue
			}
			// Not decodable as an IPv4 packet: keep the datagram as raw bytes.
			d.FieldRootBitBuf("ipv4_packet", packetBR)
		}
	})

	d.FieldArray("tcp_connections", func(d *decode.D) {
		for _, conn := range fd.TCPConnections {
			d.FieldStruct("tcp_connection", func(d *decode.D) {
				var clientV, serverV any

				d.FieldStruct("client", func(d *decode.D) {
					clientV = decodeDirection(d, conn.Client, streamIn(true, conn.Client, conn.Server))
				})
				d.FieldStruct("server", func(d *decode.D) {
					serverV = decodeDirection(d, conn.Server, streamIn(false, conn.Server, conn.Client))
				})

				// The post step runs only when both directions produced a
				// format.TCP_Stream_Out; each side's PostFn, if set, is given
				// the other side's InArg, client first.
				clientOut, clientOK := clientV.(format.TCP_Stream_Out)
				serverOut, serverOK := serverV.(format.TCP_Stream_Out)
				if !clientOK || !serverOK {
					return
				}
				if clientOut.PostFn != nil {
					clientOut.PostFn(serverOut.InArg)
				}
				if serverOut.PostFn != nil {
					serverOut.PostFn(clientOut.InArg)
				}
			})
		}
	})
}