Add raw layertype for google #324
Conversation
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed, please reply here (e.g.
|
|
On 6. Jun 2017, at 23:44, googlebot ***@***.***> wrote:
I signed it!
|
|
CLAs look good, thanks! |
zecke
force-pushed
the
add-raw-layertype-for-google
branch
from
8e47e36 to
ecb7ab1
Compare
layers/raw.go
Outdated
| @@ -0,0 +1,68 @@ | |||
| // Copyright 2012 Google, Inc. All rights reserved. | |||
| // Copyright 2009-2011 Andreas Krennmair. All rights reserved. | |||
There was a problem hiding this comment.
this second copyright notice isn't necessary on new files, just the Google line will do.
There was a problem hiding this comment.
I looked at the loop.go and decodeIPv4or6 and as I don't know who wrote it in the end copied the above copyright. If you think that Andreas's copyright don't apply then maybe Googles doesn't and I should claim it?
There was a problem hiding this comment.
As mentioned elsewhere, let's do "The GoPacket Authors" and make sure you, Andreas, and I at least are in the AUTHORS file.
layers/raw_test.go
Outdated
| @@ -0,0 +1,52 @@ | |||
| // Copyright 2017 Holger Hans Peter Freyther, Google, Inc. All rights reserved. | |||
There was a problem hiding this comment.
Please copyright to Google as in other files.
There was a problem hiding this comment.
Can you please elaborate? Which part do you think is copyrighted by Google?
There was a problem hiding this comment.
Looking through the CLA, you're absolutely right. The CLA allows us as Google to use the copyright code, but doesn't transfer the copyright to us as part of the contribution.
Would you mind, for this file, using the following language instead, and adding your name to AUTHORS?:
// Copyright 2014 The GoPacket Authors
I should probably standardize that on all the other files as well.
layers/raw_test.go
Outdated
| // 0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"# | ||
| // 0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123 | ||
| // 0x0050: 3435 3637 4567 | ||
| var testPacketPacket0 = []byte{ |
There was a problem hiding this comment.
please rename to testPacketRawICMP4 or something like that.
layers/enums.go
Outdated
| LinkTypeSLIP LinkType = 8 | ||
| LinkTypePPP LinkType = 9 | ||
| LinkTypeFDDI LinkType = 10 | ||
| LinkTypeRaw LinkType = 12 |
There was a problem hiding this comment.
I wonder if we should keep Raw at 101 and add Raw2 or something for 12?
There was a problem hiding this comment.
I need to see/understand how things will work out if there is not a 1:1 mapping from LinkType* to LayerType. Do you know how it works?
There was a problem hiding this comment.
I believe it should be fine... LinkType implements a Decoder, but there's nothing against different link types decoding into the same layer type.
| ) | ||
|
|
||
| // RawIP (DLT_RAW) contains no header and we start with the IP header | ||
| type Raw struct { |
There was a problem hiding this comment.
This is great code, but I'm not 100% sure its specific purpose... why would this be useful instead of just having a packet with either IPv4 or IPv6 as the first layer?
There was a problem hiding this comment.
- It models how wireshark displays/shows the frame and it kind of represents the "physical" structure of the frame.
- In Elasticsearch's packetbeat the DecodingLayer is used to decode (and not gopacket.Decoder but not sure if that would do)
But do you argue if the LayerTypeRaw should exist at all or if in decodeRawIP it should add its own layer?
|
|
||
| const ( | ||
| // According to pcap-linktype(7) and http://www.tcpdump.org/linktypes.html | ||
| // According to pcap-linktype(7) and http://www.tcpdump.org/linktypes.html with fixes from pcap/bpf.h |
There was a problem hiding this comment.
Sadly, it appears that raw can be 12 or 14 (https://opensource.apple.com/source/libpcap/libpcap-18/libpcap/pcap-bpf.h) or 101 https://github.com/the-tcpdump-group/libpcap/blob/1a6b088a88886eac782008f37a7219a32b86da45/pcap-common.c#L159. Note that 101 is canonical, since it's how libpcap says "this could be one of a few values". I wonder if we should do:
LinkTypeRaw 101
LinkTypeRawBSD 14
LinkTypeRawLinux 12Thoughts? Without 101 pointing at raw, pcap files from raw interfaces will no longer work.
There was a problem hiding this comment.
It is worth. On BSD it is 12 but on OpenBSD it is 14. On OpenBSD 12 is used for something else.
zecke
force-pushed
the
add-raw-layertype-for-google
branch
from
ecb7ab1 to
e4082df
Compare
According to http://www.tcpdump.org/linktypes.html the value is 101 but on FreeBSD/Linux it is 12 and on OpenBSD it 14. Add these as alternative types.
Create a Raw struct and make it implement the LayerType interface. Add a testcase to decode a raw IPv4/ICMPv4 frames. Remove decodeIPv4or6 that was only used for the raw ip link type. Use "The GoPacket Authors" as copyright holder and add myself to the list of contributors.
zecke
force-pushed
the
add-raw-layertype-for-google
branch
from
e4082df to
d030929
Compare
|
I think I had addressed all review comments. |
|
I'd like to add that until I merged this PR locally I couldn't get the https://github.com/google/gopacket/blob/master/examples/arpscan/arpscan.go example to receive any ARP packets in Linux (ubuntu 16.04 x64 with libpcap 1.7.4-2) ... I didn't have to change any code in the arpscan example. Is this going to get merged soon? Thanks. |
|
Sorry didn't see this pull request, when I added 0d76b76 |
6 participants
For Elasticsearch's packetbeat it is necessary to expose a LayerTypeRaw. Correct the LinkTypeRaw for mainstream platforms and add a LayerTpeRaw. Update the tests that use LinkTypeRaw right now.