-
Notifications
You must be signed in to change notification settings - Fork 8
/
pcapng.go
191 lines (165 loc) · 8.03 KB
/
pcapng.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
// The code in this source file is derived from
// https://github.com/google/gopacket/blob/master/pcapgo/ngread.go
// as of February 2020 and is covered by the copyright below.
// The changes are covered by the copyright and license in the
// LICENSE file in the root directory of this repository.
// Copyright 2018 The GoPacket Authors. All rights reserved.
// See acknowledgments.txt for full license text from:
// https://github.com/google/gopacket/LICENSE
package pcapio
import (
"fmt"
"math"
"time"
"github.com/google/gopacket"
"github.com/google/gopacket/layers"
)
const (
ngByteOrderMagic = 0x1A2B3C4D
// We can handle only version 1.0
ngVersionMajor = 1
ngVersionMinor = 0
)
type ngBlockType uint32
const (
ngBlockTypeInterfaceDescriptor ngBlockType = 1 // Interface description block
ngBlockTypePacket ngBlockType = 2 // Packet block (deprecated)
ngBlockTypeSimplePacket ngBlockType = 3 // Simple packet block
ngBlockTypeInterfaceStatistics ngBlockType = 5 // Interface statistics block
ngBlockTypeEnhancedPacket ngBlockType = 6 // Enhanced packet block
ngBlockTypeSectionHeader ngBlockType = 0x0A0D0D0A // Section header block (same in both endians)
)
type ngOptionCode uint16
const (
ngOptionCodeEndOfOptions ngOptionCode = iota // end of options. must be at the end of options in a block
ngOptionCodeComment // comment
ngOptionCodeHardware // description of the hardware
ngOptionCodeOS // name of the operating system
ngOptionCodeUserApplication // name of the application
)
const (
ngOptionCodeInterfaceName ngOptionCode = iota + 2 // interface name
ngOptionCodeInterfaceDescription // interface description
ngOptionCodeInterfaceIPV4Address // IPv4 network address and netmask for the interface
ngOptionCodeInterfaceIPV6Address // IPv6 network address and prefix length for the interface
ngOptionCodeInterfaceMACAddress // interface hardware MAC address
ngOptionCodeInterfaceEUIAddress // interface hardware EUI address
ngOptionCodeInterfaceSpeed // interface speed in bits/s
ngOptionCodeInterfaceTimestampResolution // timestamp resolution
ngOptionCodeInterfaceTimezone // time zone
ngOptionCodeInterfaceFilter // capture filter
ngOptionCodeInterfaceOS // operating system
ngOptionCodeInterfaceFCSLength // length of the Frame Check Sequence in bits
ngOptionCodeInterfaceTimestampOffset // offset (in seconds) that must be added to packet timestamp
)
const (
ngOptionCodeInterfaceStatisticsStartTime ngOptionCode = iota + 2 // Start of capture
ngOptionCodeInterfaceStatisticsEndTime // End of capture
ngOptionCodeInterfaceStatisticsInterfaceReceived // Packets received by physical interface
ngOptionCodeInterfaceStatisticsInterfaceDropped // Packets dropped by physical interface
ngOptionCodeInterfaceStatisticsFilterAccept // Packets accepted by filter
ngOptionCodeInterfaceStatisticsOSDrop // Packets dropped by operating system
ngOptionCodeInterfaceStatisticsDelivered // Packets delivered to user
)
// ngOption is a pcapng option
type ngOption struct {
code ngOptionCode
value []byte
raw interface{}
length uint16
}
// ngBlock is a pcapng block header
type ngBlock struct {
typ ngBlockType
length uint32 // remaining length of block
}
// NgResolution represents a pcapng timestamp resolution
type NgResolution uint8
// Binary returns true if the timestamp resolution is a negative power of two. Otherwise NgResolution is a negative power of 10.
func (r NgResolution) Binary() bool {
if r&0x80 == 0x80 {
return true
}
return false
}
// Exponent returns the negative exponent of the resolution.
func (r NgResolution) Exponent() uint8 {
return uint8(r) & 0x7f
}
// ToTimestampResolution converts an NgResolution to a gopaket.TimestampResolution
func (r NgResolution) ToTimestampResolution() (ret gopacket.TimestampResolution) {
if r.Binary() {
ret.Base = 2
} else {
ret.Base = 10
}
ret.Exponent = -int(r.Exponent())
return
}
// NgNoValue64 is a placeholder for an empty numeric 64 bit value.
const NgNoValue64 = math.MaxUint64
// NgInterfaceStatistics hold the statistic for an interface at a single point in time. These values are already supposed to be accumulated. Most pcapng files contain this information at the end of the file/section.
type NgInterfaceStatistics struct {
// LastUpdate is the last time the statistics were updated.
LastUpdate time.Time
// StartTime is the time packet capture started on this interface. This value might be zero if this option is missing.
StartTime time.Time
// EndTime is the time packet capture ended on this interface This value might be zero if this option is missing.
EndTime time.Time
// Comment can be an arbitrary comment. This value might be empty if this option is missing.
Comment string
// PacketsReceived are the number of received packets. This value might be NoValue64 if this option is missing.
PacketsReceived uint64
// PacketsReceived are the number of received packets. This value might be NoValue64 if this option is missing.
PacketsDropped uint64
}
var ngEmptyStatistics = NgInterfaceStatistics{
PacketsReceived: NgNoValue64,
PacketsDropped: NgNoValue64,
}
// NgInterface holds all the information of a pcapng interface.
type NgInterface struct {
// Name is the name of the interface. This value might be empty if this option is missing.
Name string
// Comment can be an arbitrary comment. This value might be empty if this option is missing.
Comment string
// Description is a description of the interface. This value might be empty if this option is missing.
Description string
// Filter is the filter used during packet capture. This value might be empty if this option is missing.
Filter string
// OS is the operating system this interface was controlled by. This value might be empty if this option is missing.
OS string
// LinkType is the linktype of the interface.
LinkType layers.LinkType
// TimestampResolution is the timestamp resolution of the packets in the pcapng file belonging to this interface.
TimestampResolution NgResolution
// TimestampResolution is the timestamp offset in seconds of the packets in the pcapng file belonging to this interface.
TimestampOffset uint64
// SnapLength is the maximum packet length captured by this interface. 0 for unlimited
SnapLength uint32
// Statistics holds the interface statistics
Statistics NgInterfaceStatistics
secondMask uint64
scaleUp uint64
scaleDown uint64
}
// Resolution returns the timestamp resolution of acquired timestamps before scaling to NanosecondTimestampResolution.
func (i NgInterface) Resolution() gopacket.TimestampResolution {
return i.TimestampResolution.ToTimestampResolution()
}
// NgSectionInfo contains additional information of a pcapng section
type NgSectionInfo struct {
MajorVersion uint16
MinorVersion uint16
// Hardware is the hardware this file was generated on. This value might be empty if this option is missing.
Hardware string
// OS is the operating system this file was generated on. This value might be empty if this option is missing.
OS string
// Application is the user space application this file was generated with. This value might be empty if this option is missing.
Application string
// Comment can be an arbitrary comment. This value might be empty if this option is missing.
Comment string
}
func (n NgSectionInfo) Version() string {
return fmt.Sprintf("%d.%d", n.MajorVersion, n.MinorVersion)
}