fq/format/inet/sll_packet.go

package inet
// SLL stands for sockaddr_ll
// https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html
import (
"github.com/wader/fq/format"
"github.com/wader/fq/pkg/decode"
"github.com/wader/fq/pkg/interp"
"github.com/wader/fq/pkg/scalar"
)
// sllPacketInetPacketGroup is filled in through the INET_Packet dependency
// declared in init (Out: &sllPacketInetPacketGroup) and is the group
// decodeSLL hands the payload to.
var sllPacketInetPacketGroup decode.Group
// init registers the SLL packet decoder under format.SLL_Packet. The format
// is part of the Link_Frame group and asks for the INET_Packet group, which
// is stored in sllPacketInetPacketGroup for payload decoding.
func init() {
	inetDependency := decode.Dependency{
		Groups: []*decode.Group{format.INET_Packet},
		Out:    &sllPacketInetPacketGroup,
	}

	sllFormat := &decode.Format{
		Description:  "Linux cooked capture encapsulation",
		Groups:       []*decode.Group{format.Link_Frame},
		Dependencies: []decode.Dependency{inetDependency},
		DecodeFn:     decodeSLL,
	}

	interp.RegisterFormat(format.SLL_Packet, sllFormat)
}
// sllPacketTypeMap gives a symbol and description for each known value of
// the 16 bit packet_type field read by decodeSLL. Values not listed here
// get no symbol.
var sllPacketTypeMap = scalar.UintMap{
0: {Sym: "to_us", Description: "Sent to us"},
1: {Sym: "broadcast", Description: "Broadcast by somebody else"},
2: {Sym: "multicast", Description: "Multicast by somebody else"},
3: {Sym: "to_other", Description: "Sent to somebody else by somebody else"},
4: {Sym: "from_us", Description: "Sent by us"},
}
// ARP hardware type values that decodeSLL handles specially: for these two
// the link address is mapped with mapUToEtherSym and the payload is decoded
// by ether type. Both are also used as keys in arpHdrTypeMAp.
const (
arpHdrTypeEther = 1
arpHdrTypeLoopback = 772
)
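// arpHdrTypeMAp gives a symbol and, where one is known, a description for
// values of the 16 bit arphdr_type field read by decodeSLL.
//
// based on https://github.com/torvalds/linux/blob/master/include/uapi/linux/if_arp.h
//
// NOTE(review): the identifier is spelled "MAp"; it is kept because
// decodeSLL refers to it by this name.
var arpHdrTypeMAp = scalar.UintMap{
	0:                  {Sym: "netrom", Description: `from KA9Q: NET/ROM pseudo`},
	arpHdrTypeEther:    {Sym: "ether", Description: `Ethernet 10Mbps`},
	2:                  {Sym: "eether", Description: `Experimental Ethernet`},
	3:                  {Sym: "ax25", Description: `AX.25 Level 2`},
	4:                  {Sym: "pronet", Description: `PROnet token ring`},
	5:                  {Sym: "chaos", Description: `Chaosnet`},
	6:                  {Sym: "ieee802", Description: `IEEE 802.2 Ethernet/TR/TB`},
	7:                  {Sym: "arcnet", Description: `ARCnet`},
	8:                  {Sym: "appletlk", Description: `APPLEtalk`},
	15:                 {Sym: "dlci", Description: `Frame Relay DLCI`},
	19:                 {Sym: "atm", Description: `ATM`},
	// The closing parenthesis was missing from this description.
	23:                 {Sym: "metricom", Description: `Metricom STRIP (new IANA id)`},
	24:                 {Sym: "ieee1394", Description: `IEEE 1394 IPv4 - RFC 2734`},
	27:                 {Sym: "eui64", Description: `EUI-64`},
	32:                 {Sym: "infiniband", Description: `InfiniBand`},
	256:                {Sym: "slip"},
	257:                {Sym: "cslip"},
	258:                {Sym: "slip6"},
	259:                {Sym: "cslip6"},
	260:                {Sym: "rsrvd", Description: `Notional KISS type`},
	264:                {Sym: "adapt"},
	270:                {Sym: "rose"},
	271:                {Sym: "x25", Description: `CCITT X.25`},
	272:                {Sym: "hwx25", Description: `Boards with X.25 in firmware`},
	280:                {Sym: "can", Description: `Controller Area Network`},
	290:                {Sym: "mctp"},
	512:                {Sym: "ppp"},
	513:                {Sym: "cisco", Description: `Cisco HDLC`},
	516:                {Sym: "lapb", Description: `LAPB`},
	517:                {Sym: "ddcmp", Description: `Digital's DDCMP protocol`},
	518:                {Sym: "rawhdlc", Description: `Raw HDLC`},
	519:                {Sym: "rawip", Description: `Raw IP`},
	768:                {Sym: "tunnel", Description: `IPIP tunnel`},
	769:                {Sym: "tunnel6", Description: `IP6IP6 tunnel`},
	770:                {Sym: "frad", Description: `Frame Relay Access Device`},
	771:                {Sym: "skip", Description: `SKIP vif`},
	arpHdrTypeLoopback: {Sym: "loopback", Description: `Loopback device`},
	773:                {Sym: "localtlk", Description: `Localtalk device`},
	774:                {Sym: "fddi", Description: `Fiber Distributed Data Interface`},
	775:                {Sym: "bif", Description: `AP1000 BIF`},
	776:                {Sym: "sit", Description: `sit0 device - IPv6-in-IPv4`},
	777:                {Sym: "ipddp", Description: `IP over DDP tunneller`},
	778:                {Sym: "ipgre", Description: `GRE over IP`},
	779:                {Sym: "pimreg", Description: `PIMSM register interface`},
	780:                {Sym: "hippi", Description: `High Performance Parallel Interface`},
	781:                {Sym: "ash", Description: `Nexus 64Mbps Ash`},
	782:                {Sym: "econet", Description: `Acorn Econet`},
	783:                {Sym: "irda", Description: `Linux-IrDA`},
	784:                {Sym: "fcpp", Description: `Point to point fibrechannel`},
	785:                {Sym: "fcal", Description: `Fibrechannel arbitrated loop`},
	786:                {Sym: "fcpl", Description: `Fibrechannel public loop`},
	787:                {Sym: "fcfabric", Description: `Fibrechannel fabric`},
	800:                {Sym: "ieee802_tr", Description: `Magic type ident for TR`},
	801:                {Sym: "ieee80211", Description: `IEEE 802.11`},
	802:                {Sym: "ieee80211_prism", Description: `IEEE 802.11 + Prism2 header`},
	803:                {Sym: "ieee80211_radiotap", Description: `IEEE 802.11 + radiotap header`},
	804:                {Sym: "ieee802154"},
	805:                {Sym: "ieee802154_monitor", Description: `IEEE 802.15.4 network monitor`},
	820:                {Sym: "phonet", Description: `PhoNet media type`},
	821:                {Sym: "phonet_pipe", Description: `PhoNet pipe header`},
	822:                {Sym: "caif", Description: `CAIF media type`},
	823:                {Sym: "ip6gre", Description: `GRE over IPv6`},
	824:                {Sym: "netlink", Description: `Netlink header`},
	825:                {Sym: "6lowpan", Description: `IPv6 over LoWPAN`},
	826:                {Sym: "vsockmon", Description: `Vsock monitor header`},
	0xffff:             {Sym: "void", Description: `Void type, nothing is known`},
	0xfffe:             {Sym: "none", Description: `zero header length`},
}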
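// decodeSLL decodes a Linux cooked capture (LINKTYPE_LINUX_SLL) header and
// its payload. It always returns nil.
//
// Fields are read in this order: packet_type, arphdr_type and
// link_address_length (16 bits each), the 8 byte link address field,
// protocol_type (16 bits), then the payload, which takes all remaining bits.
//
// link_address_length comes straight from the capture file and must be
// treated as untrusted: it is clamped to the size of the address field
// before it is used to size anything.
func decodeSLL(d *decode.D) any {
	var lfi format.Link_Frame_In
	// When link frame arguments were passed, refuse any other link type.
	if d.ArgAs(&lfi) && lfi.Type != format.LinkTypeLINUX_SLL {
		d.Fatalf("wrong link type %d", lfi.Type)
	}

	d.FieldU16("packet_type", sllPacketTypeMap)
	arpHdrType := d.FieldU16("arphdr_type", arpHdrTypeMAp)
	addressLength := d.FieldU16("link_address_length")

	// The address field occupies 8 bytes in the header whatever length is
	// declared: a longer address is truncated to its first 8 bytes and a
	// shorter one is followed by padding. Clamp first, so that a declared
	// length above 8 can neither request an integer field wider than 64 bits
	// nor make the padding size wrap around or go negative (8-addressLength
	// on an unsigned value is never <= 0 except at exactly 8).
	const addressFieldBytes = 8
	presentLength := addressLength
	if presentLength > addressFieldBytes {
		presentLength = addressFieldBytes
	}
	d.FieldU("link_address", int(presentLength)*8)
	if presentLength < addressFieldBytes {
		d.FieldRawLen("padding", int64(addressFieldBytes-presentLength)*8)
	}

	// TODO: handle other arphdr types
	switch arpHdrType {
	case arpHdrTypeLoopback, arpHdrTypeEther:
		// Best effort: attach an ether symbol to the address; a mapping
		// error is deliberately ignored and the numeric value is kept.
		_ = d.FieldMustGet("link_address").TryUintScalarFn(mapUToEtherSym, scalar.UintHex)
		protocolType := d.FieldU16("protocol_type", format.EtherTypeMap, scalar.UintHex)
		// Try the inet packet decoders selected by ether type; the helper
		// name suggests a raw field is used when none applies.
		d.FieldFormatOrRawLen(
			"payload",
			d.BitsLeft(),
			&sllPacketInetPacketGroup,
			format.INET_Packet_In{EtherType: int(protocolType)},
		)
	default:
		// NOTE(review): protocol_type is read little-endian here but with
		// FieldU16 in the branch above; confirm this is intended.
		d.FieldU16LE("protocol_type")
		d.FieldRawLen("payload", d.BitsLeft())
	}

	return nil
}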