maint: try to use less memory (#170)

## Which problem is this PR solving?

- All the problems. We hope.

## Short description of the changes

- comments added to functions 
- embiggen snaplen default to tcpdump's default
- don't set a timeout so that packets are given to us as fast as
possible
- return true for ReassemblyComplete so the assembler will free the
connection
- nillify or remove byte slices and an unused channel
- close http readers when stream closes

---------

Co-authored-by: Mike Goldsmith <goldsmith.mike@gmail.com>
Co-authored-by: Jamie Danielson <jamieedanielson@gmail.com>

assemblers/http_reader.go

@@ -25,7 +25,6 @@ type httpReader struct {
 	srcPort   string
 	dstIp     string
 	dstPort   string
-	bytes     chan []byte
 	data      []byte
 	parent    *tcpStream
 	messages  chan message
@@ -38,9 +37,10 @@ func (h *httpReader) Read(p []byte) (int, error) {
 	ok := true
 	for ok && len(h.data) == 0 {
 		msg, ok = <-h.messages
-		h.data = msg.data
 		h.timestamp = msg.timestamp
 		h.seq = msg.Seq
+		h.data = msg.data
+		msg.data = nil // clear the []byte so we can release the memory
 	}
 	if !ok || len(h.data) == 0 {
 		return 0, io.EOF
@@ -115,3 +115,9 @@ func (h *httpReader) processEvent(ident string, entry *entry) {
 		DstIp:             h.dstIp,
 	}
 }
+
+func (h *httpReader) close() error {
+	close(h.messages)
+	h.data = nil // release the data, free up that memory! ᕕ( ᐛ )ᕗ
+	return nil
+}

assemblers/tcp_assembler.go

@@ -225,7 +225,7 @@ func newPcapPacketSource(config config.Config) (*gopacket.PacketSource, error) {
 		Bool("promiscuous", config.Promiscuous).
 		Str("bpf_filter", config.BpfFilter).
 		Msg("Configuring pcap packet source")
-	handle, err := pcap.OpenLive(config.Interface, int32(config.Snaplen), config.Promiscuous, time.Second)
+	handle, err := pcap.OpenLive(config.Interface, int32(config.Snaplen), config.Promiscuous, pcap.BlockForever)
 	if err != nil {
 		log.Fatal().
 			Err(err).

assemblers/tcp_stream.go

@@ -155,24 +155,23 @@ func (t *tcpStream) ReassembledSG(sg reassembly.ScatterGather, ac reassembly.Ass
 	}
 }
 
+// ReassemblyComplete is called when the TCP assembler believes a stream has completed.
 func (t *tcpStream) ReassemblyComplete(ac reassembly.AssemblerContext) bool {
 	log.Debug().
 		Str("tcp_stream_ident", t.ident).
 		Msg("Connection closed")
 	t.close()
-	// do not remove the connection to allow last ACK
-	return false
+	return true // remove the connection, heck with the last ACK
 }
 
+// close closes the tcpStream and its httpReaders.
 func (t *tcpStream) close() {
 	t.Lock()
 	defer t.Unlock()
 
 	if !t.closed {
 		t.closed = true
-		close(t.client.messages)
-		close(t.client.bytes)
-		close(t.server.messages)
-		close(t.server.bytes)
+		t.client.close()
+		t.server.close()
 	}
 }

assemblers/tcp_stream_factory.go

@@ -49,7 +49,6 @@ func (factory *tcpStreamFactory) New(net, transport gopacket.Flow, tcp *layers.T
 	}
 
 	stream.client = httpReader{
-		bytes:    make(chan []byte),
 		parent:   stream,
 		isClient: true,
 		srcIp:    net.Src().String(),
@@ -59,7 +58,6 @@ func (factory *tcpStreamFactory) New(net, transport gopacket.Flow, tcp *layers.T
 		messages: make(chan message, factory.config.ChannelBufferSize),
 	}
 	stream.server = httpReader{
-		bytes:    make(chan []byte),
 		parent:   stream,
 		isClient: false,
 		srcIp:    net.Reverse().Src().String(),

config/config.go

@@ -24,7 +24,7 @@ var quiet = flag.Bool("quiet", false, "Be quiet regarding errors")
 // capture
 var iface = flag.String("i", "any", "Interface to read packets from")
 var fname = flag.String("r", "", "Filename to read from, overrides -i")
-var snaplen = flag.Int("s", 65536, "Snap length (number of bytes max to read per packet")
+var snaplen = flag.Int("s", 262144, "Snap length (number of bytes max to read per packet") // 262144 is the default snaplen for tcpdump
 var tstype = flag.String("timestamp_type", "", "Type of timestamps to use")
 var promisc = flag.Bool("promisc", true, "Set promiscuous mode")
 var packetSource = flag.String("source", "pcap", "Packet source (defaults to pcap)")