forked from google/gopacket
-
Notifications
You must be signed in to change notification settings - Fork 0
/
pcapng.go
187 lines (161 loc) · 8.19 KB
/
pcapng.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
// Copyright 2018 The GoPacket Authors. All rights reserved.
//
// Use of this source code is governed by a BSD-style license
// that can be found in the LICENSE file in the root of the source
// tree.
package pcapgo
import (
"errors"
"math"
"time"
"github.com/google/gopacket"
"github.com/google/gopacket/layers"
)
// ErrNgVersionMismatch gets returned for unknown pcapng section versions. This can only happen if ReaderOptions.SkipUnknownVersion == false
var ErrNgVersionMismatch = errors.New("Unknown pcapng Version in Section Header")
// ErrNgLinkTypeMismatch gets returned if the link type of an interface is not the same as the link type from the first interface. This can only happen if ReaderOptions.ErrorOnMismatchingLinkType == true && ReaderOptions.WantMixedLinkType == false
var ErrNgLinkTypeMismatch = errors.New("Link type of current interface is different from first one")
const (
ngByteOrderMagic = 0x1A2B3C4D
// We can handle only version 1.0
ngVersionMajor = 1
ngVersionMinor = 0
)
type ngBlockType uint32
const (
ngBlockTypeInterfaceDescriptor ngBlockType = 1 // Interface description block
ngBlockTypePacket ngBlockType = 2 // Packet block (deprecated)
ngBlockTypeSimplePacket ngBlockType = 3 // Simple packet block
ngBlockTypeInterfaceStatistics ngBlockType = 5 // Interface statistics block
ngBlockTypeEnhancedPacket ngBlockType = 6 // Enhanced packet block
ngBlockTypeSectionHeader ngBlockType = 0x0A0D0D0A // Section header block (same in both endians)
)
type ngOptionCode uint16
const (
ngOptionCodeEndOfOptions ngOptionCode = iota // end of options. must be at the end of options in a block
ngOptionCodeComment // comment
ngOptionCodeHardware // description of the hardware
ngOptionCodeOS // name of the operating system
ngOptionCodeUserApplication // name of the application
)
const (
ngOptionCodeInterfaceName ngOptionCode = iota + 2 // interface name
ngOptionCodeInterfaceDescription // interface description
ngOptionCodeInterfaceIPV4Address // IPv4 network address and netmask for the interface
ngOptionCodeInterfaceIPV6Address // IPv6 network address and prefix length for the interface
ngOptionCodeInterfaceMACAddress // interface hardware MAC address
ngOptionCodeInterfaceEUIAddress // interface hardware EUI address
ngOptionCodeInterfaceSpeed // interface speed in bits/s
ngOptionCodeInterfaceTimestampResolution // timestamp resolution
ngOptionCodeInterfaceTimezone // time zone
ngOptionCodeInterfaceFilter // capture filter
ngOptionCodeInterfaceOS // operating system
ngOptionCodeInterfaceFCSLength // length of the Frame Check Sequence in bits
ngOptionCodeInterfaceTimestampOffset // offset (in seconds) that must be added to packet timestamp
)
const (
ngOptionCodeInterfaceStatisticsStartTime ngOptionCode = iota + 2 // Start of capture
ngOptionCodeInterfaceStatisticsEndTime // End of capture
ngOptionCodeInterfaceStatisticsInterfaceReceived // Packets received by physical interface
ngOptionCodeInterfaceStatisticsInterfaceDropped // Packets dropped by physical interface
ngOptionCodeInterfaceStatisticsFilterAccept // Packets accepted by filter
ngOptionCodeInterfaceStatisticsOSDrop // Packets dropped by operating system
ngOptionCodeInterfaceStatisticsDelivered // Packets delivered to user
)
// ngOption is a pcapng option
type ngOption struct {
code ngOptionCode
value []byte
raw interface{}
length uint16
}
// ngBlock is a pcapng block header
type ngBlock struct {
typ ngBlockType
length uint32 // remaining length of block
}
// NgResolution represents a pcapng timestamp resolution
type NgResolution uint8
// Binary returns true if the timestamp resolution is a negative power of two. Otherwise NgResolution is a negative power of 10.
func (r NgResolution) Binary() bool {
if r&0x80 == 0x80 {
return true
}
return false
}
// Exponent returns the negative exponent of the resolution.
func (r NgResolution) Exponent() uint8 {
return uint8(r) & 0x7f
}
// ToTimestampResolution converts an NgResolution to a gopaket.TimestampResolution
func (r NgResolution) ToTimestampResolution() (ret gopacket.TimestampResolution) {
if r.Binary() {
ret.Base = 2
} else {
ret.Base = 10
}
ret.Exponent = -int(r.Exponent())
return
}
// NgNoValue64 is a placeholder for an empty numeric 64 bit value.
const NgNoValue64 = math.MaxUint64
// NgInterfaceStatistics hold the statistic for an interface at a single point in time. These values are already supposed to be accumulated. Most pcapng files contain this information at the end of the file/section.
type NgInterfaceStatistics struct {
// LastUpdate is the last time the statistics were updated.
LastUpdate time.Time
// StartTime is the time packet capture started on this interface. This value might be zero if this option is missing.
StartTime time.Time
// EndTime is the time packet capture ended on this interface This value might be zero if this option is missing.
EndTime time.Time
// Comment can be an arbitrary comment. This value might be empty if this option is missing.
Comment string
// PacketsReceived are the number of received packets. This value might be NoValue64 if this option is missing.
PacketsReceived uint64
// PacketsReceived are the number of received packets. This value might be NoValue64 if this option is missing.
PacketsDropped uint64
}
var ngEmptyStatistics = NgInterfaceStatistics{
PacketsReceived: NgNoValue64,
PacketsDropped: NgNoValue64,
}
// NgInterface holds all the information of a pcapng interface.
type NgInterface struct {
// Name is the name of the interface. This value might be empty if this option is missing.
Name string
// Comment can be an arbitrary comment. This value might be empty if this option is missing.
Comment string
// Description is a description of the interface. This value might be empty if this option is missing.
Description string
// Filter is the filter used during packet capture. This value might be empty if this option is missing.
Filter string
// OS is the operating system this interface was controlled by. This value might be empty if this option is missing.
OS string
// LinkType is the linktype of the interface.
LinkType layers.LinkType
// TimestampResolution is the timestamp resolution of the packets in the pcapng file belonging to this interface.
TimestampResolution NgResolution
// TimestampResolution is the timestamp offset in seconds of the packets in the pcapng file belonging to this interface.
TimestampOffset uint64
// SnapLength is the maximum packet length captured by this interface. 0 for unlimited
SnapLength uint32
// Statistics holds the interface statistics
Statistics NgInterfaceStatistics
secondMask uint64
scaleUp uint64
scaleDown uint64
}
// Resolution returns the timestamp resolution of acquired timestamps before scaling to NanosecondTimestampResolution.
func (i NgInterface) Resolution() gopacket.TimestampResolution {
return i.TimestampResolution.ToTimestampResolution()
}
// NgSectionInfo contains additional information of a pcapng section
type NgSectionInfo struct {
// Hardware is the hardware this file was generated on. This value might be empty if this option is missing.
Hardware string
// OS is the operating system this file was generated on. This value might be empty if this option is missing.
OS string
// Application is the user space application this file was generated with. This value might be empty if this option is missing.
Application string
// Comment can be an arbitrary comment. This value might be empty if this option is missing.
Comment string
}