Skip to content

Commit

Permalink
pcap,pcapng,ipv4,ipv6: Support raw link type (ipv4 or ipv6)
Browse files Browse the repository at this point in the history
  • Loading branch information
@wader
wader committed Mar 2, 2023
1 parent cbd2df2 commit 6c03245
Show file tree
Hide file tree
Showing 18 changed files with 246 additions and 156 deletions.
13 changes: 13 additions & 0 deletions format/inet/flowsdecoder/flowsdecoder.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ package flowsdecoder
import (
"bytes"
"encoding/binary"
"fmt"
"net"

"github.com/gopacket/gopacket"
Expand Down Expand Up @@ -194,6 +195,18 @@ func (fd *Decoder) LoopbackFrame(bs []byte) error {
return fd.packet(gopacket.NewPacket(bs, layers.LayerTypeLoopback, gopacket.Lazy))
}

// LinkTypeRAW IPv4 or Ipv6
func (fd *Decoder) RAWIPFrame(bs []byte) error {
version := bs[0] >> 4
switch version {
case 4:
return fd.IPv4Packet(bs)
case 6:
return fd.IPv6Packet(bs)
}
return fmt.Errorf("invalid ip version %v", version)
}

func (fd *Decoder) packet(p gopacket.Packet) error {
// TODO: linkType
ip4Layer := p.Layer(layers.LayerTypeIPv4)
Expand Down
4 changes: 2 additions & 2 deletions format/inet/ipv4_packet.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,11 +57,11 @@ func decodeIPv4(d *decode.D) any {
var lfi format.LinkFrameIn
if d.ArgAs(&ipi) && ipi.EtherType != format.EtherTypeIPv4 {
d.Fatalf("incorrect ethertype %d", ipi.EtherType)
} else if d.ArgAs(&lfi) && lfi.Type != format.LinkTypeIPv4 {
} else if d.ArgAs(&lfi) && lfi.Type != format.LinkTypeIPv4 && lfi.Type != format.LinkTypeRAW {
d.Fatalf("incorrect linktype %d", lfi.Type)
}

d.FieldU4("version")
d.FieldU4("version", d.UintAssert(4))
ihl := d.FieldU4("ihl")
d.FieldU6("dscp")
d.FieldU2("ecn")
Expand Down
4 changes: 2 additions & 2 deletions format/inet/ipv6_packet.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -116,11 +116,11 @@ func decodeIPv6(d *decode.D) any {
var lfi format.LinkFrameIn
if d.ArgAs(&ipi) && ipi.EtherType != format.EtherTypeIPv6 {
d.Fatalf("incorrect ethertype %d", ipi.EtherType)
} else if d.ArgAs(&lfi) && lfi.Type != format.LinkTypeIPv6 {
} else if d.ArgAs(&lfi) && lfi.Type != format.LinkTypeIPv6 && lfi.Type != format.LinkTypeRAW {
d.Fatalf("incorrect linktype %d", lfi.Type)
}

d.FieldU4("version")
d.FieldU4("version", d.UintAssert(6))
d.FieldU6("ds")
d.FieldU2("ecn")
d.FieldU20("flow_label")
Expand Down
2 changes: 1 addition & 1 deletion format/inet/testdata/ether8023_frame.fqtest
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ $ fq -d ether8023_frame dv ether8023_frame
0x00| a4 5e 60 f1 7d 93 | .^`.}. | source: "a4:5e:60:f1:7d:93" (0xa45e60f17d93) 0x6-0xb.7 (6)
0x00| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0xc-0xd.7 (2)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| payload{}: (ipv4_packet) 0xe-0xb1.7 (164)
0x00| 45 | E | version: 4 0xe-0xe.3 (0.4)
0x00| 45 | E | version: 4 (valid) 0xe-0xe.3 (0.4)
0x00| 45 | E | ihl: 5 0xe.4-0xe.7 (0.4)
0x00| 00| .| dscp: 0 0xf-0xf.5 (0.6)
0x00| 00| .| ecn: 0 0xf.6-0xf.7 (0.2)
Expand Down
2 changes: 1 addition & 1 deletion format/inet/testdata/ipv4_packet.fqtest
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# fq 'first(.. | select(format=="ipv4")) | tobytes' many_interfaces.pcapng > ipv4_packet
$ fq -d ipv4_packet dv ipv4_packet
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: ipv4_packet (ipv4_packet) 0x0-0x3e3.7 (996)
0x000|45 |E | version: 4 0x0-0x0.3 (0.4)
0x000|45 |E | version: 4 (valid) 0x0-0x0.3 (0.4)
0x000|45 |E | ihl: 5 0x0.4-0x0.7 (0.4)
0x000| 00 | . | dscp: 0 0x1-0x1.5 (0.6)
0x000| 00 | . | ecn: 0 0x1.6-0x1.7 (0.2)
Expand Down
2 changes: 1 addition & 1 deletion format/inet/testdata/tls12-ipv4-linkframe-keylog.pcapng.fqtest
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ $ fq 'first(grep_by(.type=="enhanced_packet")), .[0].tcp_connections | dv' tls12
0x140|19 01 00 00 |.... | capture_packet_length: 281 0x140-0x143.7 (4)
0x140| 19 01 00 00 | .... | original_packet_length: 281 0x144-0x147.7 (4)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| packet{}: (ipv4_packet) 0x148-0x260.7 (281)
0x140| 45 | E | version: 4 0x148-0x148.3 (0.4)
0x140| 45 | E | version: 4 (valid) 0x148-0x148.3 (0.4)
0x140| 45 | E | ihl: 5 0x148.4-0x148.7 (0.4)
0x140| 00 | . | dscp: 0 0x149-0x149.5 (0.6)
0x140| 00 | . | ecn: 0 0x149.6-0x149.7 (0.2)
Expand Down
1 change: 1 addition & 0 deletions format/pcap/shared.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ var linkToDecodeFn = map[int]func(fd *flowsdecoder.Decoder, bs []byte) error{
format.LinkTypeLINUX_SLL: (*flowsdecoder.Decoder).SLLPacket,
format.LinkTypeLINUX_SLL2: (*flowsdecoder.Decoder).SLL2Packet,
format.LinkTypeNULL: (*flowsdecoder.Decoder).LoopbackFrame,
format.LinkTypeRAW: (*flowsdecoder.Decoder).RAWIPFrame,
}

// TODO: make some of this shared if more packet capture formats are added
Expand Down
8 changes: 4 additions & 4 deletions format/pcap/testdata/dhcp_big_endian.fqtest
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ $ fq -d pcapng dv dhcp_big_endian.pcapng
0x070| 00 0b 82 01 fc 42 | .....B | source: "00:0b:82:01:fc:42" (0xb8201fc42) 0x76-0x7b.7 (6)
0x070| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x7c-0x7d.7 (2)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| payload{}: (ipv4_packet) 0x7e-0x1a9.7 (300)
0x070| 45 | E | version: 4 0x7e-0x7e.3 (0.4)
0x070| 45 | E | version: 4 (valid) 0x7e-0x7e.3 (0.4)
0x070| 45 | E | ihl: 5 0x7e.4-0x7e.7 (0.4)
0x070| 00| .| dscp: 0 0x7f-0x7f.5 (0.6)
0x070| 00| .| ecn: 0 0x7f.6-0x7f.7 (0.2)
Expand Down Expand Up @@ -90,7 +90,7 @@ $ fq -d pcapng dv dhcp_big_endian.pcapng
0x1d0| 00 08 74 ad f1 9b | ..t... | source: "00:08:74:ad:f1:9b" (0x874adf19b) 0x1d2-0x1d7.7 (6)
0x1d0| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x1d8-0x1d9.7 (2)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| payload{}: (ipv4_packet) 0x1da-0x321.7 (328)
0x1d0| 45 | E | version: 4 0x1da-0x1da.3 (0.4)
0x1d0| 45 | E | version: 4 (valid) 0x1da-0x1da.3 (0.4)
0x1d0| 45 | E | ihl: 5 0x1da.4-0x1da.7 (0.4)
0x1d0| 00 | . | dscp: 0 0x1db-0x1db.5 (0.6)
0x1d0| 00 | . | ecn: 0 0x1db.6-0x1db.7 (0.2)
Expand Down Expand Up @@ -129,7 +129,7 @@ $ fq -d pcapng dv dhcp_big_endian.pcapng
0x340| 00 0b 82 01 fc 42| .....B| source: "00:0b:82:01:fc:42" (0xb8201fc42) 0x34a-0x34f.7 (6)
0x350|08 00 |.. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x350-0x351.7 (2)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| payload{}: (ipv4_packet) 0x352-0x47d.7 (300)
0x350| 45 | E | version: 4 0x352-0x352.3 (0.4)
0x350| 45 | E | version: 4 (valid) 0x352-0x352.3 (0.4)
0x350| 45 | E | ihl: 5 0x352.4-0x352.7 (0.4)
0x350| 00 | . | dscp: 0 0x353-0x353.5 (0.6)
0x350| 00 | . | ecn: 0 0x353.6-0x353.7 (0.2)
Expand Down Expand Up @@ -169,7 +169,7 @@ $ fq -d pcapng dv dhcp_big_endian.pcapng
0x4a0| 00 08 74 ad f1 9b | ..t... | source: "00:08:74:ad:f1:9b" (0x874adf19b) 0x4a6-0x4ab.7 (6)
0x4a0| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x4ac-0x4ad.7 (2)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| payload{}: (ipv4_packet) 0x4ae-0x5f5.7 (328)
0x4a0| 45 | E | version: 4 0x4ae-0x4ae.3 (0.4)
0x4a0| 45 | E | version: 4 (valid) 0x4ae-0x4ae.3 (0.4)
0x4a0| 45 | E | ihl: 5 0x4ae.4-0x4ae.7 (0.4)
0x4a0| 00| .| dscp: 0 0x4af-0x4af.5 (0.6)
0x4a0| 00| .| ecn: 0 0x4af.6-0x4af.7 (0.2)
Expand Down
8 changes: 4 additions & 4 deletions format/pcap/testdata/dhcp_little_endian.fqtest
View file
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ $ fq dv dhcp_little_endian.pcapng
0x070| 00 0b 82 01 fc 42 | .....B | source: "00:0b:82:01:fc:42" (0xb8201fc42) 0x76-0x7b.7 (6)
0x070| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x7c-0x7d.7 (2)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| payload{}: (ipv4_packet) 0x7e-0x1a9.7 (300)
0x070| 45 | E | version: 4 0x7e-0x7e.3 (0.4)
0x070| 45 | E | version: 4 (valid) 0x7e-0x7e.3 (0.4)
0x070| 45 | E | ihl: 5 0x7e.4-0x7e.7 (0.4)
0x070| 00| .| dscp: 0 0x7f-0x7f.5 (0.6)
0x070| 00| .| ecn: 0 0x7f.6-0x7f.7 (0.2)
Expand Down Expand Up @@ -101,7 +101,7 @@ $ fq dv dhcp_little_endian.pcapng
0x1d0| 00 08 74 ad f1 9b | ..t... | source: "00:08:74:ad:f1:9b" (0x874adf19b) 0x1d2-0x1d7.7 (6)
0x1d0| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x1d8-0x1d9.7 (2)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| payload{}: (ipv4_packet) 0x1da-0x321.7 (328)
0x1d0| 45 | E | version: 4 0x1da-0x1da.3 (0.4)
0x1d0| 45 | E | version: 4 (valid) 0x1da-0x1da.3 (0.4)
0x1d0| 45 | E | ihl: 5 0x1da.4-0x1da.7 (0.4)
0x1d0| 00 | . | dscp: 0 0x1db-0x1db.5 (0.6)
0x1d0| 00 | . | ecn: 0 0x1db.6-0x1db.7 (0.2)
Expand Down Expand Up @@ -140,7 +140,7 @@ $ fq dv dhcp_little_endian.pcapng
0x340| 00 0b 82 01 fc 42| .....B| source: "00:0b:82:01:fc:42" (0xb8201fc42) 0x34a-0x34f.7 (6)
0x350|08 00 |.. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x350-0x351.7 (2)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| payload{}: (ipv4_packet) 0x352-0x47d.7 (300)
0x350| 45 | E | version: 4 0x352-0x352.3 (0.4)
0x350| 45 | E | version: 4 (valid) 0x352-0x352.3 (0.4)
0x350| 45 | E | ihl: 5 0x352.4-0x352.7 (0.4)
0x350| 00 | . | dscp: 0 0x353-0x353.5 (0.6)
0x350| 00 | . | ecn: 0 0x353.6-0x353.7 (0.2)
Expand Down Expand Up @@ -180,7 +180,7 @@ $ fq dv dhcp_little_endian.pcapng
0x4a0| 00 08 74 ad f1 9b | ..t... | source: "00:08:74:ad:f1:9b" (0x874adf19b) 0x4a6-0x4ab.7 (6)
0x4a0| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x4ac-0x4ad.7 (2)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| payload{}: (ipv4_packet) 0x4ae-0x5f5.7 (328)
0x4a0| 45 | E | version: 4 0x4ae-0x4ae.3 (0.4)
0x4a0| 45 | E | version: 4 (valid) 0x4ae-0x4ae.3 (0.4)
0x4a0| 45 | E | ihl: 5 0x4ae.4-0x4ae.7 (0.4)
0x4a0| 00| .| dscp: 0 0x4af-0x4af.5 (0.6)
0x4a0| 00| .| ecn: 0 0x4af.6-0x4af.7 (0.2)
Expand Down

0 comments on commit 6c03245

Please sign in to comment.