var util = require('util');
var events = require('events');
var fs = require('fs');
// Size of the file-level (global) header; parseGlobalHeader reads its fields at byte offsets 0-23.
var GLOBAL_HEADER_LENGTH = 24; //bytes
// Size of each per-packet record header; parsePacketHeader reads four 32-bit fields at byte offsets 0-15.
var PACKET_HEADER_LENGTH = 16; //bytes
/**
 * Stream 'error' listener. Invoked with `this` bound to the Parser and
 * re-emits the stream's error unchanged on the parser itself.
 *
 * @param {Error} err - error reported by the underlying input stream
 */
function onError(err) {
  var parser = this;
  parser.emit('error', err);
}
/**
 * Signals that parsing is over by emitting 'end' on the parser.
 * Invoked with `this` bound to the Parser, both as the stream's 'end'
 * listener and directly by parseGlobalHeader after a fatal header error.
 */
function onEnd() {
  var parser = this;
  parser.emit('end');
}
/**
 * Stream 'data' listener. Appends the chunk to the pending buffer and then
 * runs the current state handler repeatedly until it reports that it could
 * not make progress (it returns a falsy value when more bytes are needed or
 * a fatal error was raised).
 *
 * @param {Buffer} data - chunk delivered by the input stream
 */
function onData(data) {
  // Once a fatal parse error has been flagged, every later chunk is dropped.
  if (!this.errored) {
    updateBuffer.call(this, data);

    // The handler stored in this.state may replace itself, so it is looked
    // up again on every iteration.
    var progressed;
    do {
      progressed = this.state.call(this);
    } while (progressed);
  }
}
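/**
 * Appends a newly received chunk to the parser's pending bytes.
 * Invoked with `this` bound to the Parser.
 *
 * The first chunk is adopted as-is; later chunks are joined to what is still
 * unparsed. The join uses Buffer.concat rather than the deprecated
 * `new Buffer(size)` constructor, which hands back uninitialised memory and
 * is only safe when every byte is overwritten afterwards.
 *
 * Every call copies all pending bytes, so the cost of a chunk grows with the
 * amount of data still waiting to be parsed.
 *
 * @param {Buffer} data - chunk from the input stream; null/undefined is ignored
 */
function updateBuffer(data) {
  if (data === null || data === undefined) {
    return;
  }

  if (this.buffer === null) {
    this.buffer = data;
    return;
  }

  this.buffer = Buffer.concat([this.buffer, data]);
}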
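/**
 * State handler for the file-level header. Invoked with `this` bound to the
 * Parser.
 *
 * Waits until GLOBAL_HEADER_LENGTH bytes are buffered, derives the byte order
 * from the magic number, decodes the header fields and checks the format
 * version. On success it emits 'globalHeader', drops the header bytes from
 * the pending buffer and switches the state to parsePacketHeader.
 *
 * An unknown magic number or a version other than 2.4 is fatal: the parser
 * is flagged as errored, the stream is paused, and 'error' followed by 'end'
 * are emitted.
 *
 * @returns {boolean} true when the header was consumed and parsing can
 *   continue; false when more bytes are needed or a fatal error was raised
 */
function parseGlobalHeader() {
  var buffer = this.buffer;
  if (buffer.length < GLOBAL_HEADER_LENGTH) {
    return false;
  }

  var msg;
  var magicNumber = buffer.toString('hex', 0, 4);

  // The on-disk byte order of the magic number tells us how every other
  // multi-byte field in the file is encoded.
  if (magicNumber === "a1b2c3d4") {
    this.endianness = "BE";
  } else if (magicNumber === "d4c3b2a1") {
    this.endianness = "LE";
  } else {
    this.errored = true;
    this.stream.pause();
    msg = util.format('unknown magic number: %s', magicNumber);
    this.emit('error', new Error(msg));
    onEnd.call(this);
    return false;
  }

  // The length check above guarantees all offsets below are in range; older
  // Node releases treat the second argument as noAssert.
  var header = {
    magicNumber: buffer['readUInt32' + this.endianness](0, true),
    majorVersion: buffer['readUInt16' + this.endianness](4, true),
    minorVersion: buffer['readUInt16' + this.endianness](6, true),
    gmtOffset: buffer['readInt32' + this.endianness](8, true),
    timestampAccuracy: buffer['readUInt32' + this.endianness](12, true),
    snapshotLength: buffer['readUInt32' + this.endianness](16, true),
    linkLayerType: buffer['readUInt32' + this.endianness](20, true)
  };

  // Reject the file unless BOTH parts of the version match. The previous
  // `&&` only rejected files where both parts were wrong, so e.g. 2.3 or 3.4
  // slipped through and were parsed as if they were 2.4.
  if (header.majorVersion !== 2 || header.minorVersion !== 4) {
    this.errored = true;
    this.stream.pause();
    msg = util.format('unsupported version %d.%d. pcap-parser only parses libpcap file format 2.4', header.majorVersion, header.minorVersion);
    this.emit('error', new Error(msg));
    onEnd.call(this);
    return false;
  }

  // NOTE(review): header.snapshotLength is reported to listeners but is not
  // retained on the parser, so later per-packet lengths are not checked
  // against it.
  this.emit('globalHeader', header);
  this.buffer = buffer.slice(GLOBAL_HEADER_LENGTH);
  this.state = parsePacketHeader;
  return true;
}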
/**
 * State handler for a per-packet record header. Invoked with `this` bound to
 * the Parser.
 *
 * Once PACKET_HEADER_LENGTH bytes are pending, decodes the four 32-bit
 * fields using the byte order chosen from the file's magic number, remembers
 * the header as this.currentPacketHeader, emits 'packetHeader', drops the
 * header bytes and switches the state to parsePacketBody.
 *
 * NOTE(review): capturedLength is taken from the file as-is and is not
 * compared with the global header's snapshot length or any other ceiling.
 * parsePacketBody then waits for that many bytes, so a malformed or hostile
 * capture can make the parser keep buffering input up to the 32-bit maximum.
 * Callers that parse untrusted captures may want to bound it.
 *
 * @returns {boolean} true when a header was consumed, false when more bytes
 *   are needed
 */
function parsePacketHeader() {
  var pending = this.buffer;
  if (pending.length < PACKET_HEADER_LENGTH) {
    return false;
  }

  // All four fields share the same reader; the length check above keeps
  // every offset in range.
  var readU32 = 'readUInt32' + this.endianness;
  var record = {
    timestampSeconds: pending[readU32](0, true),
    timestampMicroseconds: pending[readU32](4, true),
    capturedLength: pending[readU32](8, true),
    originalLength: pending[readU32](12, true)
  };

  this.currentPacketHeader = record;
  this.emit('packetHeader', record);

  this.buffer = pending.slice(PACKET_HEADER_LENGTH);
  this.state = parsePacketBody;
  return true;
}
/**
 * State handler for a packet's captured bytes. Invoked with `this` bound to
 * the Parser.
 *
 * Waits until at least currentPacketHeader.capturedLength bytes are pending,
 * then emits 'packetData' with the bytes and 'packet' with
 * `{ header, data }`, drops the bytes from the pending buffer and switches
 * the state back to parsePacketHeader.
 *
 * The wait threshold is whatever the record header declared, so until that
 * many bytes have arrived nothing is emitted and the pending buffer keeps
 * growing.
 *
 * @returns {boolean} true when a packet was emitted, false when more bytes
 *   are needed
 */
function parsePacketBody() {
  var pending = this.buffer;
  var wanted = this.currentPacketHeader.capturedLength;

  if (pending.length < wanted) {
    return false;
  }

  // slice() yields a view over the pending bytes rather than a copy.
  var payload = pending.slice(0, wanted);
  this.emit('packetData', payload);
  this.emit('packet', {
    header: this.currentPacketHeader,
    data: payload
  });

  this.buffer = pending.slice(this.currentPacketHeader.capturedLength);
  this.state = parsePacketHeader;
  return true;
}
/**
 * Streaming parser for libpcap capture files.
 *
 * Emits 'globalHeader', 'packetHeader', 'packetData', 'packet', 'error' and
 * 'end' as the input is consumed. The stream is paused during construction
 * and resumed on the next tick so the caller can attach listeners first.
 *
 * A string argument is handed to fs.createReadStream unchanged; callers that
 * derive the path from external input are responsible for validating it.
 *
 * @constructor
 * @param {string|Object} input - path of a capture file, or anything else,
 *   which is assumed to be a readable stream
 */
function Parser(input) {
  // Anything that is not a path string is assumed to be a ReadableStream.
  var source = (typeof input === 'string') ? fs.createReadStream(input) : input;
  this.stream = source;

  source.pause();
  source.on('data', onData.bind(this));
  source.on('error', onError.bind(this));
  source.on('end', onEnd.bind(this));

  // Parsing state: pending bytes, current state handler, detected byte order.
  this.buffer = null;
  this.state = parseGlobalHeader;
  this.endianness = null;

  process.nextTick(this.stream.resume.bind(this.stream));
}
// Give Parser the EventEmitter interface (on/emit) used throughout this module.
util.inherits(Parser, events.EventEmitter);
/**
 * Creates a parser for a libpcap capture.
 *
 * @param {string|Object} input - file path (opened with fs.createReadStream)
 *   or a readable stream
 * @returns {Parser} a new Parser instance for the given input
 */
exports.parse = function (input) {
return new Parser(input);
};