Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ipv4_packet,ipv6_packet,sll_packet,sll2_packet: Support ipv4/ipv6 lin… #590

Merged
merged 1 commit into from
Feb 20, 2023
Merged

ipv4_packet,ipv6_packet,sll_packet,sll2_packet: Support ipv4/ipv6 lin… #590

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions format/inet.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,8 +84,8 @@ const (
LinkTypeFC_2_WITH_FRAME_DELIMS = 225
LinkTypeIPNET = 226
LinkTypeCAN_SOCKETCAN = 227
LinkTypeIPV4 = 228
LinkTypeIPV6 = 229
LinkTypeIPv4 = 228
LinkTypeIPv6 = 229
LinkTypeIEEE802_15_4_NOFCS = 230
LinkTypeDBUS = 231
LinkTypeDVB_CI = 235
Expand Down Expand Up @@ -218,8 +218,8 @@ var LinkTypeMap = scalar.UintMap{
LinkTypeFC_2_WITH_FRAME_DELIMS: {Sym: "fc_2_with_frame_delims", Description: `Fibre Channel FC-2 frames, beginning an encoding of the SOF, followed by a Frame_Header, and ending with an encoding of the SOF`},
LinkTypeIPNET: {Sym: "ipnet", Description: `Solaris ipnet pseudo-header, followed by an IPv4 or IPv6 datagram`},
LinkTypeCAN_SOCKETCAN: {Sym: "can_socketcan", Description: `CAN (Controller Area Network) frames, with a pseudo-header followed by the frame payload`},
LinkTypeIPV4: {Sym: "ipv4", Description: `Raw IPv4`},
LinkTypeIPV6: {Sym: "ipv6", Description: `Raw IPv6`},
LinkTypeIPv4: {Sym: "ipv4", Description: `Raw IPv4`},
LinkTypeIPv6: {Sym: "ipv6", Description: `Raw IPv6`},
LinkTypeIEEE802_15_4_NOFCS: {Sym: "ieee802_15_4_nofcs", Description: `IEEE 802.15.4 Low-Rate Wireless Network, without the FCS at the end of the frame`},
LinkTypeDBUS: {Sym: "dbus", Description: `Raw D-Bus messages`},
LinkTypeDVB_CI: {Sym: "dvb_ci", Description: `DVB-CI (DVB Common Interface for communication between a PC Card module and a DVB receiver)`},
Expand Down
16 changes: 12 additions & 4 deletions format/inet/flowsdecoder/flowsdecoder.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -170,6 +170,18 @@ func New(options DecoderOptions) *Decoder {
return flowDecoder
}

func (fd *Decoder) EthernetFrame(bs []byte) error {
return fd.packet(gopacket.NewPacket(bs, layers.LayerTypeEthernet, gopacket.Lazy))
}

func (fd *Decoder) IPv4Packet(bs []byte) error {
return fd.packet(gopacket.NewPacket(bs, layers.LayerTypeIPv4, gopacket.Lazy))
}

func (fd *Decoder) IPv6Packet(bs []byte) error {
return fd.packet(gopacket.NewPacket(bs, layers.LayerTypeIPv6, gopacket.Lazy))
}

func (fd *Decoder) SLLPacket(bs []byte) error {
return fd.packet(gopacket.NewPacket(bs, layers.LayerTypeLinuxSLL, gopacket.Lazy))
}
Expand All @@ -178,10 +190,6 @@ func (fd *Decoder) SLL2Packet(bs []byte) error {
return fd.packet(gopacket.NewPacket(bs, layers.LayerTypeLinuxSLL2, gopacket.Lazy))
}

func (fd *Decoder) EthernetFrame(bs []byte) error {
return fd.packet(gopacket.NewPacket(bs, layers.LayerTypeEthernet, gopacket.Lazy))
}

func (fd *Decoder) LoopbackFrame(bs []byte) error {
return fd.packet(gopacket.NewPacket(bs, layers.LayerTypeLoopback, gopacket.Lazy))
}
Expand Down
8 changes: 7 additions & 1 deletion format/inet/ipv4_packet.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,10 @@ func init() {
interp.RegisterFormat(decode.Format{
Name: format.IPV4_PACKET,
Description: "Internet protocol v4 packet",
Groups: []string{format.INET_PACKET},
Groups: []string{
format.INET_PACKET,
format.LINK_FRAME,
},
Dependencies: []decode.Dependency{
{Names: []string{format.IP_PACKET}, Group: &ipv4IpPacketGroup},
},
Expand Down Expand Up @@ -51,8 +54,11 @@ var mapUToIPv4Sym = scalar.UintFn(func(s scalar.Uint) (scalar.Uint, error) {

func decodeIPv4(d *decode.D) any {
var ipi format.InetPacketIn
var lfi format.LinkFrameIn
if d.ArgAs(&ipi) && ipi.EtherType != format.EtherTypeIPv4 {
d.Fatalf("incorrect ethertype %d", ipi.EtherType)
} else if d.ArgAs(&lfi) && lfi.Type != format.LinkTypeIPv4 {
d.Fatalf("incorrect linktype %d", lfi.Type)
}

d.FieldU4("version")
Expand Down
8 changes: 7 additions & 1 deletion format/inet/ipv6_packet.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,10 @@ func init() {
interp.RegisterFormat(decode.Format{
Name: format.IPV6_PACKET,
Description: "Internet protocol v6 packet",
Groups: []string{format.INET_PACKET},
Groups: []string{
format.INET_PACKET,
format.LINK_FRAME,
},
Dependencies: []decode.Dependency{
{Names: []string{format.IP_PACKET}, Group: &ipv6IpPacketGroup},
},
Expand Down Expand Up @@ -110,8 +113,11 @@ var mapUToIPv6Sym = scalar.BitBufFn(func(s scalar.BitBuf) (scalar.BitBuf, error)

func decodeIPv6(d *decode.D) any {
var ipi format.InetPacketIn
var lfi format.LinkFrameIn
if d.ArgAs(&ipi) && ipi.EtherType != format.EtherTypeIPv6 {
d.Fatalf("incorrect ethertype %d", ipi.EtherType)
} else if d.ArgAs(&lfi) && lfi.Type != format.LinkTypeIPv6 {
d.Fatalf("incorrect linktype %d", lfi.Type)
}

d.FieldU4("version")
Expand Down
2 changes: 1 addition & 1 deletion format/inet/sll2_packet.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ func decodeSLL2(d *decode.D) any {
"payload",
d.BitsLeft(),
sllPacket2InetPacketGroup,
format.LinkFrameIn{Type: int(protcolType)},
format.InetPacketIn{EtherType: int(protcolType)},
)
default:
d.FieldRawLen("payload", d.BitsLeft())
Expand Down
2 changes: 1 addition & 1 deletion format/inet/sll_packet.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -132,7 +132,7 @@ func decodeSLL(d *decode.D) any {
"payload",
d.BitsLeft(),
sllPacketInetPacketGroup,
format.LinkFrameIn{Type: int(protcolType)},
format.InetPacketIn{EtherType: int(protcolType)},
)
default:
d.FieldU16LE("protocol_type")
Expand Down
Binary file added format/inet/testdata/tls12-ipv4-linkframe-keylog.pcapng
View file
Open in desktop
Binary file not shown.
100 changes: 100 additions & 0 deletions format/inet/testdata/tls12-ipv4-linkframe-keylog.pcapng.fqtest
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
# tls12-dsb.pcapng from https://gitlab.com/wireshark/wireshark/-/tree/master/test/captures
$ fq 'first(grep_by(.type=="enhanced_packet")), .[0].tcp_connections | dv' tls12-ipv4-linkframe-keylog.pcapng
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.[0].blocks[3]{}: block 0x12c-0x267.7 (316)
0x120| 06 00 00 00| ....| type: "enhanced_packet" (0x6) (Enhanced Packet Block) 0x12c-0x12f.7 (4)
0x130|3c 01 00 00 |<... | length: 316 0x130-0x133.7 (4)
0x130| 00 00 00 00 | .... | interface_id: 0 0x134-0x137.7 (4)
0x130| dd 7a 05 00 | .z.. | timestamp_high: 359133 0x138-0x13b.7 (4)
0x130| a3 2d 60 23| .-`#| timestamp_low: 593505699 0x13c-0x13f.7 (4)
0x140|19 01 00 00 |.... | capture_packet_length: 281 0x140-0x143.7 (4)
0x140| 19 01 00 00 | .... | original_packet_length: 281 0x144-0x147.7 (4)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| packet{}: (ipv4_packet) 0x148-0x260.7 (281)
0x140| 45 | E | version: 4 0x148-0x148.3 (0.4)
0x140| 45 | E | ihl: 5 0x148.4-0x148.7 (0.4)
0x140| 00 | . | dscp: 0 0x149-0x149.5 (0.6)
0x140| 00 | . | ecn: 0 0x149.6-0x149.7 (0.2)
0x140| 01 19 | .. | total_length: 281 0x14a-0x14b.7 (2)
0x140| e1 ea | .. | identification: 57834 0x14c-0x14d.7 (2)
0x140| 40 | @ | reserved: 0 0x14e-0x14e (0.1)
0x140| 40 | @ | dont_fragment: true 0x14e.1-0x14e.1 (0.1)
0x140| 40 | @ | more_fragments: false 0x14e.2-0x14e.2 (0.1)
0x140| 40 00| @.| fragment_offset: 0 0x14e.3-0x14f.7 (1.5)
0x150|40 |@ | ttl: 64 0x150-0x150.7 (1)
0x150| 06 | . | protocol: "tcp" (6) (Transmission control protocol) 0x151-0x151.7 (1)
0x150| 18 0f | .. | header_checksum: 0x180f (valid) 0x152-0x153.7 (2)
0x150| 0a 09 00 02 | .... | source_ip: "10.9.0.2" (0xa090002) 0x154-0x157.7 (4)
0x150| 5d b8 d8 22 | ].." | destination_ip: "93.184.216.34" (0x5db8d822) 0x158-0x15b.7 (4)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| payload{}: (tcp_segment) 0x15c-0x260.7 (261)
0x150| b6 d0 | .. | source_port: 46800 0x15c-0x15d.7 (2)
0x150| 01 bb| ..| destination_port: "https" (443) (http protocol over TLS/SSL) 0x15e-0x15f.7 (2)
0x160|fb c2 e0 52 |...R | sequence_number: 4223852626 0x160-0x163.7 (4)
0x160| de 55 1a e0 | .U.. | acknowledgment_number: 3730119392 0x164-0x167.7 (4)
0x160| 80 | . | data_offset: 8 0x168-0x168.3 (0.4)
0x160| 80 | . | reserved: 0 0x168.4-0x168.6 (0.3)
0x160| 80 | . | ns: false 0x168.7-0x168.7 (0.1)
0x160| 18 | . | cwr: false 0x169-0x169 (0.1)
0x160| 18 | . | ece: false 0x169.1-0x169.1 (0.1)
0x160| 18 | . | urg: false 0x169.2-0x169.2 (0.1)
0x160| 18 | . | ack: true 0x169.3-0x169.3 (0.1)
0x160| 18 | . | psh: true 0x169.4-0x169.4 (0.1)
0x160| 18 | . | rst: false 0x169.5-0x169.5 (0.1)
0x160| 18 | . | syn: false 0x169.6-0x169.6 (0.1)
0x160| 18 | . | fin: false 0x169.7-0x169.7 (0.1)
0x160| 00 e5 | .. | window_size: 229 0x16a-0x16b.7 (2)
0x160| 40 f1 | @. | checksum: 0x40f1 0x16c-0x16d.7 (2)
0x160| 00 00| ..| urgent_pointer: 0 0x16e-0x16f.7 (2)
| | | options[0:3]: 0x170-0x17b.7 (12)
| | | [0]{}: option 0x170-0x170.7 (1)
0x170|01 |. | kind: "nop" (1) (No operation) 0x170-0x170.7 (1)
| | | [1]{}: option 0x171-0x171.7 (1)
0x170| 01 | . | kind: "nop" (1) (No operation) 0x171-0x171.7 (1)
| | | [2]{}: option 0x172-0x17b.7 (10)
0x170| 08 | . | kind: "timestamp" (8) (Timestamp and echo of previous timestamp) 0x172-0x172.7 (1)
0x170| 0a | . | length: 10 0x173-0x173.7 (1)
0x170| c8 fa fa 0d | .... | value: 3371891213 0x174-0x177.7 (4)
0x170| 88 06 26 a6 | ..&. | echo_reply: 2282104486 0x178-0x17b.7 (4)
0x170| 16 03 01 00| ....| payload: raw bits 0x17c-0x260.7 (229)
0x180|e0 01 00 00 dc 03 03 f6 7a 28 b3 86 b3 1c 62 0d|........z(....b.|
* |until 0x260.7 (229) | |
0x260| 00 00 00 | ... | padding: raw bits 0x261-0x263.7 (3)
| | | options[0:0]: 0x264-NA (0)
0x260| 3c 01 00 00 | <... | footer_length: 316 0x264-0x267.7 (4)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.[0].tcp_connections[0:2]: 0x2814-NA (0)
| | | [0]{}: tcp_connection 0x2814-NA (0)
| | | client{}: 0x2814-NA (0)
| | | ip: "10.9.0.2" 0x2814-NA (0)
| | | port: 46800 0x2814-NA (0)
| | | has_start: false 0x2814-NA (0)
| | | has_end: false 0x2814-NA (0)
| | | skipped_bytes: 0 0x2814-NA (0)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|
0x000|16 03 01 00 e0 01 00 00 dc 03 03 f6 7a 28 b3 86|............z(..| stream: raw bits 0x0-0x1ea.7 (491)
* |until 0x1ea.7 (end) (491) | |
| | | server{}: 0x2814-NA (0)
| | | ip: "93.184.216.34" 0x2814-NA (0)
| | | port: "https" (443) (http protocol over TLS/SSL) 0x2814-NA (0)
| | | has_start: false 0x2814-NA (0)
| | | has_end: false 0x2814-NA (0)
| | | skipped_bytes: 0 0x2814-NA (0)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|
0x000|16 03 03 00 70 02 00 00 6c 03 03 75 d0 16 e2 3a|....p...l..u...:| stream: raw bits 0x0-0xe4d.7 (3662)
* |until 0xe4d.7 (end) (3662) | |
| | | [1]{}: tcp_connection 0x2814-NA (0)
| | | client{}: 0x2814-NA (0)
| | | ip: "10.9.0.2" 0x2814-NA (0)
| | | port: 46802 0x2814-NA (0)
| | | has_start: false 0x2814-NA (0)
| | | has_end: false 0x2814-NA (0)
| | | skipped_bytes: 0 0x2814-NA (0)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|
0x000|16 03 01 00 e0 01 00 00 dc 03 03 1e 0d 63 b4 1d|.............c..| stream: raw bits 0x0-0x1ea.7 (491)
* |until 0x1ea.7 (end) (491) | |
| | | server{}: 0x2814-NA (0)
| | | ip: "93.184.216.34" 0x2814-NA (0)
| | | port: "https" (443) (http protocol over TLS/SSL) 0x2814-NA (0)
| | | has_start: false 0x2814-NA (0)
| | | has_end: false 0x2814-NA (0)
| | | skipped_bytes: 0 0x2814-NA (0)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|
0x000|16 03 03 00 70 02 00 00 6c 03 03 2e af a1 24 6f|....p...l.....$o| stream: raw bits 0x0-0xe4d.7 (3662)
* |until 0xe4d.7 (end) (3662) | |
4 changes: 3 additions & 1 deletion format/pcap/shared.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,12 @@ import (
)

var linkToDecodeFn = map[int]func(fd *flowsdecoder.Decoder, bs []byte) error{
format.LinkTypeNULL: (*flowsdecoder.Decoder).LoopbackFrame,
format.LinkTypeETHERNET: (*flowsdecoder.Decoder).EthernetFrame,
format.LinkTypeIPv4: (*flowsdecoder.Decoder).IPv4Packet,
format.LinkTypeIPv6: (*flowsdecoder.Decoder).IPv6Packet,
format.LinkTypeLINUX_SLL: (*flowsdecoder.Decoder).SLLPacket,
format.LinkTypeLINUX_SLL2: (*flowsdecoder.Decoder).SLL2Packet,
format.LinkTypeNULL: (*flowsdecoder.Decoder).LoopbackFrame,
}

// TODO: make some of this shared if more packet capture formats are added
Expand Down