mirror of https://github.com/subgraph/fw-daemon
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
366 lines
15 KiB
366 lines
15 KiB
7 years ago
|
// Copyright 2012 Google, Inc. All rights reserved.
|
||
|
//
|
||
|
// Use of this source code is governed by a BSD-style license
|
||
|
// that can be found in the LICENSE file in the root of the source
|
||
|
// tree.
|
||
|
|
||
|
/*
|
||
|
Package gopacket provides packet decoding for the Go language.
|
||
|
|
||
|
gopacket contains many sub-packages with additional functionality you may find
|
||
|
useful, including:
|
||
|
|
||
|
* layers: You'll probably use this every time. This contains of the logic
|
||
|
built into gopacket for decoding packet protocols. Note that all example
|
||
|
code below assumes that you have imported both gopacket and
|
||
|
gopacket/layers.
|
||
|
* pcap: C bindings to use libpcap to read packets off the wire.
|
||
|
* pfring: C bindings to use PF_RING to read packets off the wire.
|
||
|
* afpacket: C bindings for Linux's AF_PACKET to read packets off the wire.
|
||
|
* tcpassembly: TCP stream reassembly
|
||
|
|
||
|
Also, if you're looking to dive right into code, see the examples subdirectory
|
||
|
for numerous simple binaries built using gopacket libraries.
|
||
|
|
||
|
Basic Usage
|
||
|
|
||
|
gopacket takes in packet data as a []byte and decodes it into a packet with
|
||
|
a non-zero number of "layers". Each layer corresponds to a protocol
|
||
|
within the bytes. Once a packet has been decoded, the layers of the packet
|
||
|
can be requested from the packet.
|
||
|
|
||
|
// Decode a packet
|
||
|
packet := gopacket.NewPacket(myPacketData, layers.LayerTypeEthernet, gopacket.Default)
|
||
|
// Get the TCP layer from this packet
|
||
|
if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
|
||
|
fmt.Println("This is a TCP packet!")
|
||
|
// Get actual TCP data from this layer
|
||
|
tcp, _ := tcpLayer.(*layers.TCP)
|
||
|
fmt.Printf("From src port %d to dst port %d\n", tcp.SrcPort, tcp.DstPort)
|
||
|
}
|
||
|
// Iterate over all layers, printing out each layer type
|
||
|
for _, layer := range packet.Layers() {
|
||
|
fmt.Println("PACKET LAYER:", layer.LayerType())
|
||
|
}
|
||
|
|
||
|
Packets can be decoded from a number of starting points. Many of our base
|
||
|
types implement Decoder, which allow us to decode packets for which
|
||
|
we don't have full data.
|
||
|
|
||
|
// Decode an ethernet packet
|
||
|
ethP := gopacket.NewPacket(p1, layers.LayerTypeEthernet, gopacket.Default)
|
||
|
// Decode an IPv6 header and everything it contains
|
||
|
ipP := gopacket.NewPacket(p2, layers.LayerTypeIPv6, gopacket.Default)
|
||
|
// Decode a TCP header and its payload
|
||
|
tcpP := gopacket.NewPacket(p3, layers.LayerTypeTCP, gopacket.Default)
|
||
|
|
||
|
|
||
|
Reading Packets From A Source
|
||
|
|
||
|
Most of the time, you won't just have a []byte of packet data lying around.
|
||
|
Instead, you'll want to read packets in from somewhere (file, interface, etc)
|
||
|
and process them. To do that, you'll want to build a PacketSource.
|
||
|
|
||
|
First, you'll need to construct an object that implements the PacketDataSource
|
||
|
interface. There are implementations of this interface bundled with gopacket
|
||
|
in the gopacket/pcap and gopacket/pfring subpackages... see their documentation
|
||
|
for more information on their usage. Once you have a PacketDataSource, you can
|
||
|
pass it into NewPacketSource, along with a Decoder of your choice, to create
|
||
|
a PacketSource.
|
||
|
|
||
|
Once you have a PacketSource, you can read packets from it in multiple ways.
|
||
|
See the docs for PacketSource for more details. The easiest method is the
|
||
|
Packets function, which returns a channel, then asynchronously writes new
|
||
|
packets into that channel, closing the channel if the packetSource hits an
|
||
|
end-of-file.
|
||
|
|
||
|
packetSource := ... // construct using pcap or pfring
|
||
|
for packet := range packetSource.Packets() {
|
||
|
handlePacket(packet) // do something with each packet
|
||
|
}
|
||
|
|
||
|
You can change the decoding options of the packetSource by setting fields in
|
||
|
packetSource.DecodeOptions... see the following sections for more details.
|
||
|
|
||
|
|
||
|
Lazy Decoding
|
||
|
|
||
|
gopacket optionally decodes packet data lazily, meaning it
|
||
|
only decodes a packet layer when it needs to handle a function call.
|
||
|
|
||
|
// Create a packet, but don't actually decode anything yet
|
||
|
packet := gopacket.NewPacket(myPacketData, layers.LayerTypeEthernet, gopacket.Lazy)
|
||
|
// Now, decode the packet up to the first IPv4 layer found but no further.
|
||
|
// If no IPv4 layer was found, the whole packet will be decoded looking for
|
||
|
// it.
|
||
|
ip4 := packet.Layer(layers.LayerTypeIPv4)
|
||
|
// Decode all layers and return them. The layers up to the first IPv4 layer
|
||
|
// are already decoded, and will not require decoding a second time.
|
||
|
layers := packet.Layers()
|
||
|
|
||
|
Lazily-decoded packets are not concurrency-safe. Since layers have not all been
|
||
|
decoded, each call to Layer() or Layers() has the potential to mutate the packet
|
||
|
in order to decode the next layer. If a packet is used
|
||
|
in multiple goroutines concurrently, don't use gopacket.Lazy. Then gopacket
|
||
|
will decode the packet fully, and all future function calls won't mutate the
|
||
|
object.
|
||
|
|
||
|
|
||
|
NoCopy Decoding
|
||
|
|
||
|
By default, gopacket will copy the slice passed to NewPacket and store the
|
||
|
copy within the packet, so future mutations to the bytes underlying the slice
|
||
|
don't affect the packet and its layers. If you can guarantee that the
|
||
|
underlying slice bytes won't be changed, you can use NoCopy to tell
|
||
|
gopacket.NewPacket, and it'll use the passed-in slice itself.
|
||
|
|
||
|
// This channel returns new byte slices, each of which points to a new
|
||
|
// memory location that's guaranteed immutable for the duration of the
|
||
|
// packet.
|
||
|
for data := range myByteSliceChannel {
|
||
|
p := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.NoCopy)
|
||
|
doSomethingWithPacket(p)
|
||
|
}
|
||
|
|
||
|
The fastest method of decoding is to use both Lazy and NoCopy, but note from
|
||
|
the many caveats above that for some implementations either or both may be
|
||
|
dangerous.
|
||
|
|
||
|
|
||
|
Pointers To Known Layers
|
||
|
|
||
|
During decoding, certain layers are stored in the packet as well-known
|
||
|
layer types. For example, IPv4 and IPv6 are both considered NetworkLayer
|
||
|
layers, while TCP and UDP are both TransportLayer layers. We support 4
|
||
|
layers, corresponding to the 4 layers of the TCP/IP layering scheme (roughly
|
||
|
anagalous to layers 2, 3, 4, and 7 of the OSI model). To access these,
|
||
|
you can use the packet.LinkLayer, packet.NetworkLayer,
|
||
|
packet.TransportLayer, and packet.ApplicationLayer functions. Each of
|
||
|
these functions returns a corresponding interface
|
||
|
(gopacket.{Link,Network,Transport,Application}Layer). The first three
|
||
|
provide methods for getting src/dst addresses for that particular layer,
|
||
|
while the final layer provides a Payload function to get payload data.
|
||
|
This is helpful, for example, to get payloads for all packets regardless
|
||
|
of their underlying data type:
|
||
|
|
||
|
// Get packets from some source
|
||
|
for packet := range someSource {
|
||
|
if app := packet.ApplicationLayer(); app != nil {
|
||
|
if strings.Contains(string(app.Payload()), "magic string") {
|
||
|
fmt.Println("Found magic string in a packet!")
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
A particularly useful layer is ErrorLayer, which is set whenever there's
|
||
|
an error parsing part of the packet.
|
||
|
|
||
|
packet := gopacket.NewPacket(myPacketData, layers.LayerTypeEthernet, gopacket.Default)
|
||
|
if err := packet.ErrorLayer(); err != nil {
|
||
|
fmt.Println("Error decoding some part of the packet:", err)
|
||
|
}
|
||
|
|
||
|
Note that we don't return an error from NewPacket because we may have decoded
|
||
|
a number of layers successfully before running into our erroneous layer. You
|
||
|
may still be able to get your Ethernet and IPv4 layers correctly, even if
|
||
|
your TCP layer is malformed.
|
||
|
|
||
|
|
||
|
Flow And Endpoint
|
||
|
|
||
|
gopacket has two useful objects, Flow and Endpoint, for communicating in a protocol
|
||
|
independent manner the fact that a packet is coming from A and going to B.
|
||
|
The general layer types LinkLayer, NetworkLayer, and TransportLayer all provide
|
||
|
methods for extracting their flow information, without worrying about the type
|
||
|
of the underlying Layer.
|
||
|
|
||
|
A Flow is a simple object made up of a set of two Endpoints, one source and one
|
||
|
destination. It details the sender and receiver of the Layer of the Packet.
|
||
|
|
||
|
An Endpoint is a hashable representation of a source or destination. For
|
||
|
example, for LayerTypeIPv4, an Endpoint contains the IP address bytes for a v4
|
||
|
IP packet. A Flow can be broken into Endpoints, and Endpoints can be combined
|
||
|
into Flows:
|
||
|
|
||
|
packet := gopacket.NewPacket(myPacketData, layers.LayerTypeEthernet, gopacket.Lazy)
|
||
|
netFlow := packet.NetworkLayer().NetworkFlow()
|
||
|
src, dst := netFlow.Endpoints()
|
||
|
reverseFlow := gopacket.NewFlow(dst, src)
|
||
|
|
||
|
Both Endpoint and Flow objects can be used as map keys, and the equality
|
||
|
operator can compare them, so you can easily group together all packets
|
||
|
based on endpoint criteria:
|
||
|
|
||
|
flows := map[gopacket.Endpoint]chan gopacket.Packet
|
||
|
packet := gopacket.NewPacket(myPacketData, layers.LayerTypeEthernet, gopacket.Lazy)
|
||
|
// Send all TCP packets to channels based on their destination port.
|
||
|
if tcp := packet.Layer(layers.LayerTypeTCP); tcp != nil {
|
||
|
flows[tcp.TransportFlow().Dst()] <- packet
|
||
|
}
|
||
|
// Look for all packets with the same source and destination network address
|
||
|
if net := packet.NetworkLayer(); net != nil {
|
||
|
src, dst := net.NetworkFlow().Endpoints()
|
||
|
if src == dst {
|
||
|
fmt.Println("Fishy packet has same network source and dst: %s", src)
|
||
|
}
|
||
|
}
|
||
|
// Find all packets coming from UDP port 1000 to UDP port 500
|
||
|
interestingFlow := gopacket.NewFlow(layers.NewUDPPortEndpoint(1000), layers.NewUDPPortEndpoint(500))
|
||
|
if t := packet.NetworkLayer(); t != nil && t.TransportFlow() == interestingFlow {
|
||
|
fmt.Println("Found that UDP flow I was looking for!")
|
||
|
}
|
||
|
|
||
|
For load-balancing purposes, both Flow and Endpoint have FastHash() functions,
|
||
|
which provide quick, non-cryptographic hashes of their contents. Of particular
|
||
|
importance is the fact that Flow FastHash() is symmetric: A->B will have the same
|
||
|
hash as B->A. An example usage could be:
|
||
|
|
||
|
channels := [8]chan gopacket.Packet
|
||
|
for i := 0; i < 8; i++ {
|
||
|
channels[i] = make(chan gopacket.Packet)
|
||
|
go packetHandler(channels[i])
|
||
|
}
|
||
|
for packet := range getPackets() {
|
||
|
if net := packet.NetworkLayer(); net != nil {
|
||
|
channels[int(net.NetworkFlow().FastHash()) & 0x7] <- packet
|
||
|
}
|
||
|
}
|
||
|
|
||
|
This allows us to split up a packet stream while still making sure that each
|
||
|
stream sees all packets for a flow (and its bidirectional opposite).
|
||
|
|
||
|
|
||
|
Implementing Your Own Decoder
|
||
|
|
||
|
If your network has some strange encapsulation, you can implement your own
|
||
|
decoder. In this example, we handle Ethernet packets which are encapsulated
|
||
|
in a 4-byte header.
|
||
|
|
||
|
// Create a layer type, should be unique and high, so it doesn't conflict,
|
||
|
// giving it a name and a decoder to use.
|
||
|
var MyLayerType = gopacket.RegisterLayerType(12345, "MyLayerType", gopacket.DecodeFunc(decodeMyLayer))
|
||
|
|
||
|
// Implement my layer
|
||
|
type MyLayer struct {
|
||
|
StrangeHeader []byte
|
||
|
payload []byte
|
||
|
}
|
||
|
func (m MyLayer) LayerType() LayerType { return MyLayerType }
|
||
|
func (m MyLayer) LayerContents() []byte { return m.StrangeHeader }
|
||
|
func (m MyLayer) LayerPayload() []byte { return m.payload }
|
||
|
|
||
|
// Now implement a decoder... this one strips off the first 4 bytes of the
|
||
|
// packet.
|
||
|
func decodeMyLayer(data []byte, p gopacket.PacketBuilder) error {
|
||
|
// Create my layer
|
||
|
p.AddLayer(&MyLayer{data[:4], data[4:]})
|
||
|
// Determine how to handle the rest of the packet
|
||
|
return p.NextDecoder(layers.LayerTypeEthernet)
|
||
|
}
|
||
|
|
||
|
// Finally, decode your packets:
|
||
|
p := gopacket.NewPacket(data, MyLayerType, gopacket.Lazy)
|
||
|
|
||
|
See the docs for Decoder and PacketBuilder for more details on how coding
|
||
|
decoders works, or look at RegisterLayerType and RegisterEndpointType to see how
|
||
|
to add layer/endpoint types to gopacket.
|
||
|
|
||
|
|
||
|
Fast Decoding With DecodingLayerParser
|
||
|
|
||
|
TLDR: DecodingLayerParser takes about 10% of the time as NewPacket to decode
|
||
|
packet data, but only for known packet stacks.
|
||
|
|
||
|
Basic decoding using gopacket.NewPacket or PacketSource.Packets is somewhat slow
|
||
|
due to its need to allocate a new packet and every respective layer. It's very
|
||
|
versatile and can handle all known layer types, but sometimes you really only
|
||
|
care about a specific set of layers regardless, so that versatility is wasted.
|
||
|
|
||
|
DecodingLayerParser avoids memory allocation altogether by decoding packet
|
||
|
layers directly into preallocated objects, which you can then reference to get
|
||
|
the packet's information. A quick example:
|
||
|
|
||
|
func main() {
|
||
|
var eth layers.Ethernet
|
||
|
var ip4 layers.IPv4
|
||
|
var ip6 layers.IPv6
|
||
|
var tcp layers.TCP
|
||
|
parser := gopacket.NewDecodingLayerParser(layers.LayerTypeEthernet, ð, &ip4, &ip6, &tcp)
|
||
|
decoded := []gopacket.LayerType{}
|
||
|
for packetData := range somehowGetPacketData() {
|
||
|
err := parser.DecodeLayers(packetData, &decoded)
|
||
|
for _, layerType := range decoded {
|
||
|
switch layerType {
|
||
|
case layers.LayerTypeIPv6:
|
||
|
fmt.Println(" IP6 ", ip6.SrcIP, ip6.DstIP)
|
||
|
case layers.LayerTypeIPv4:
|
||
|
fmt.Println(" IP4 ", ip4.SrcIP, ip4.DstIP)
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
The important thing to note here is that the parser is modifying the passed in
|
||
|
layers (eth, ip4, ip6, tcp) instead of allocating new ones, thus greatly
|
||
|
speeding up the decoding process. It's even branching based on layer type...
|
||
|
it'll handle an (eth, ip4, tcp) or (eth, ip6, tcp) stack. However, it won't
|
||
|
handle any other type... since no other decoders were passed in, an (eth, ip4,
|
||
|
udp) stack will stop decoding after ip4, and only pass back [LayerTypeEthernet,
|
||
|
LayerTypeIPv4] through the 'decoded' slice (along with an error saying it can't
|
||
|
decode a UDP packet).
|
||
|
|
||
|
Unfortunately, not all layers can be used by DecodingLayerParser... only those
|
||
|
implementing the DecodingLayer interface are usable. Also, it's possible to
|
||
|
create DecodingLayers that are not themselves Layers... see
|
||
|
layers.IPv6ExtensionSkipper for an example of this.
|
||
|
|
||
|
|
||
|
Creating Packet Data
|
||
|
|
||
|
As well as offering the ability to decode packet data, gopacket will allow you
|
||
|
to create packets from scratch, as well. A number of gopacket layers implement
|
||
|
the SerializableLayer interface; these layers can be serialized to a []byte in
|
||
|
the following manner:
|
||
|
|
||
|
ip := &layers.IPv4{
|
||
|
SrcIP: net.IP{1, 2, 3, 4},
|
||
|
DstIP: net.IP{5, 6, 7, 8},
|
||
|
// etc...
|
||
|
}
|
||
|
buf := gopacket.NewSerializeBuffer()
|
||
|
opts := gopacket.SerializeOptions{} // See SerializeOptions for more details.
|
||
|
err := ip.SerializeTo(&buf, opts)
|
||
|
if err != nil { panic(err) }
|
||
|
fmt.Println(buf.Bytes()) // prints out a byte slice containing the serialized IPv4 layer.
|
||
|
|
||
|
SerializeTo PREPENDS the given layer onto the SerializeBuffer, and they treat
|
||
|
the current buffer's Bytes() slice as the payload of the serializing layer.
|
||
|
Therefore, you can serialize an entire packet by serializing a set of layers in
|
||
|
reverse order (Payload, then TCP, then IP, then Ethernet, for example). The
|
||
|
SerializeBuffer's SerializeLayers function is a helper that does exactly that.
|
||
|
|
||
|
To generate a (empty and useless, because no fields are set)
|
||
|
Ethernet(IPv4(TCP(Payload))) packet, for example, you can run:
|
||
|
|
||
|
buf := gopacket.NewSerializeBuffer()
|
||
|
opts := gopacket.SerializeOptions{}
|
||
|
gopacket.SerializeLayers(buf, opts,
|
||
|
&layers.Ethernet{},
|
||
|
&layers.IPv4{},
|
||
|
&layers.TCP{},
|
||
|
gopacket.Payload([]byte{1, 2, 3, 4}))
|
||
|
packetData := buf.Bytes()
|
||
|
|
||
|
A Final Note
|
||
|
|
||
|
If you use gopacket, you'll almost definitely want to make sure gopacket/layers
|
||
|
is imported, since when imported it sets all the LayerType variables and fills
|
||
|
in a lot of interesting variables/maps (DecodersByLayerName, etc). Therefore,
|
||
|
it's recommended that even if you don't use any layers functions directly, you still import with:
|
||
|
|
||
|
import (
|
||
|
_ "github.com/google/gopacket/layers"
|
||
|
)
|
||
|
*/
|
||
|
package gopacket
|