Documentation ¶
Overview ¶
WARNING: This package is experimental and may change without notice!
The trace package provides support for analyzing and storing the data gathered by the pcap package.
Index ¶
- Constants
- Variables
- func ACKCapacity(d []*pkt.Packet, pm map[uint32]*pkt.Packet) ([]time.Duration, []float64, error)
- func ACKThroughput(d []*pkt.Packet) ([]time.Duration, []float64, error)
- func ACKTimes(d []*pkt.Packet) ([]time.Time, []uint32, error)
- func GetHTTPTraffic(d []*pkt.Packet) map[string]*HTTPExchange
- func GetIPTraffic(d []*pkt.Packet) map[string]*IPFlow
- func GetTCPTraffic(d []*pkt.Packet) map[string]*TCPFlow
- func SEQCapacity(d []*pkt.Packet, pm map[uint32]*pkt.Packet) ([]time.Duration, []float64, error)
- func SEQThroughput(d []*pkt.Packet) ([]time.Duration, []float64, error)
- func SEQTimes(d []*pkt.Packet) ([]time.Time, []uint32, error)
- func TCPContextDump(d []*pkt.Packet, l, c int) ([]string, int, error)
- func TCPDataDump(d []*pkt.Packet) ([]string, error)
- type HTTPExchange
- type IPFlow
- type IPTuple
- type MetaPcap
- type PktTrace
- type TCPFlow
- type TCPFlowStats
- type TCPTuple
Constants ¶
const ( Version = "beta-0-0-1" // For compatibility checks if PktTrace changes ArchiveType = "application/gzip" // MIME type for archived PktTrace results )
Variables ¶
var ( ErrApplicationLayerHeader = errors.New("Application Layer Header Error") ErrBadPort = errors.New("No ports match") ErrEmptyData = errors.New("Data is empty") ErrFlowMismatch = errors.New("Flows do not match") ErrNetworkLayerHeader = errors.New("Network Layer Header Error") ErrSameSrcDstPorts = errors.New("Src and Dst ports match") ErrTCPSeqMissing = errors.New("TCP Sequnce Number Missing") ErrTransportLayerHeader = errors.New("Transport Layer Header Error") )
Package errors
var ( ApplicationLayer = 3 // Index for OSI Application Layer in Pkt.Headers ServerSrcPort = int(80) // Expected server source port )
Functions ¶
func ACKCapacity ¶
ACKCapacity calculates the IP capacity in bits per nanosecond for every monotonically increasing ACK in d. The resulting slices are suitable for use as the x and y values in a plot of IP capacity vs. time.
func ACKThroughput ¶
ACKThroughput calculates the throughput in bits per nanosecond for every monotonically increasing ACK in d. The resulting slices are suitable for use as the x and y values in a plot of throughput vs. time.
func ACKTimes ¶
ACKTimes returns the timestamps and ACK sequence numbers that are strictly increasing within d.
func GetHTTPTraffic ¶
func GetHTTPTraffic(d []*pkt.Packet) map[string]*HTTPExchange
GetHTTPTraffic parses the packets in d []*pkt.Packet looking for *pkt.HttpHdr, When one is found we slice that section of the packets to create a new HTTPExchange. The result is a map of httpHdr.RequestURI to HTTPExchange. The Data for the HTTPExchange is a slice backed by the same array as d.
For now this is not designed to work well on pipelined responses.
func GetIPTraffic ¶
GetIPTraffic separates all the IP traffic in the slice of pkt.Packet into their respective flows. The resulting map of IPFlow are keyed by the string of their IPTuple.
func GetTCPTraffic ¶
GetTCPTraffic separates all the TCP traffic in the slice of pkt.Packet into their respective flows. The resulting map of TCPFlow are keyed by the string of their TCPTuple.
func SEQCapacity ¶
SEQCapacity calculates the IP capacity in bits per nanosecond for every monotonically increasing sequence number in d. The resulting slices are suitable for use as the x and y values in a plot of IP capacity vs. time.
func SEQThroughput ¶
SEQThroughput calculates the throughput in bits per nanosecond for every monotonically increasing sequence number in d. The resulting slices are suitable for use as the x and y values in a plot of throughput vs. time.
func SEQTimes ¶
SeqTimes returns the timestamps and sequence numbers that are strictly increasing within d.
func TCPContextDump ¶
TCPContextDump provides debugging information for d[l] with up to c lines of context. The int is the index of the d[l] within the context. A result that returns with an error may still have d[l] with partial context.
Types ¶
type HTTPExchange ¶
type HTTPExchange struct { TCPTuple *TCPTuple // The source and destination addresses ReqHTTPHdr *pkt.HttpHdr // The HTTP request Header RespHTTPHdr *pkt.HttpHdr // The HTTP response Header Data []*pkt.Packet // The array of packets Resp int // The beginning of the HTTP response }
A HTTPExchange makes working with HTTP data easier. The TCPTuple will have the Dst set as the address that is sending the request, and the Src as the address that responds. The data will always have the packet that contains the request as Data[0].
For now this is not designed to work well on pipelined responses.
func NewHTTPExchange ¶
func NewHTTPExchange(d []*pkt.Packet, respIndex int) (*HTTPExchange, error)
NewHTTPExchange creates and returns a HTTPExchange with the given packet data. it is important that the packet with the HTTP request be present in d[0], and it is assumed that the ACK for the last packet of response is in d[len(d)-1]. Having a valid respIndex for the first packet of the response containing the HTTP response header will speed this up, if it is not valid (<0 if unknown) then this method will search for it. The Data for the HTTPExchange is a slice backed by the same array as d.
This method does not check the rest of d to make sure that the packets are in fact part of this transfer, so only pass what should be used.
func (*HTTPExchange) GetTCPFlow ¶
func (e *HTTPExchange) GetTCPFlow() *TCPFlow
GetTCPFlow returns a new *TCPFlow using the packet data in the HTTPExchange.
func (*HTTPExchange) String ¶
func (e *HTTPExchange) String() string
String returns the ReqHTTPHdr.RequestURI for use as a non-robust key.
type IPFlow ¶
type IPFlow struct { IPTuple *IPTuple // The source and destination addresses Data []*pkt.Packet // The array of packets StartTime time.Time // Time of the first packet EndTime time.Time // Time of the last packet Bytes int64 // Number of bytes from the source to the destination PLBytes int64 // Number of payload bytes from the source to the destination }
An IPFlow makes working with IP data easier.
type IPTuple ¶
type IPTuple struct { Src net.IP // The source IP address Dst net.IP // The destination IP address }
An IPTuple encapsulates the source and destination address for analysing IP packet traces.
func NewIPTuple ¶
NewIPTuple constructs an IPTuple from the information in the pkt.Packet headers. This assumes that the packet is an IP packet.
type MetaPcap ¶
type MetaPcap struct { Device string // The device used for packet capture FileName string // The filename used for reading a pcap savefile Snaplen int32 // Specifies the maximum number of bytes to capture Promisc int32 // 0->false, 1->true Timeout int32 // ms Filters []string // track filters applied to the capture }
A MetaPcap is a copy of the meta data from pcap.Pcap. We keep this copy separate so that it cannot be executed by mistake, and by not depending on the system's C libraries it can be more portable.
type PktTrace ¶
type PktTrace struct { Version string // For trace version compatibility issues LibVersion string // The version of libpcap being used Date time.Time // Date the trace was created Notes string // Meta data not otherwise specified MetaPcap *MetaPcap // Meta data from pcap.Pcap Stats *stat.Stat // Capture stats straight from libpcap Data *[]*pkt.Packet // The headers of the captured packets }
A PktTrace combines the pkt.Packet data with meta data so that it can be archived and analyzed.
func PktTraceFromArchive ¶
PktTraceFromArchive reads a given gzip compressed gob encoded PktTrace. This is the standard format for storing a PktTrace to a file.
type TCPFlow ¶
type TCPFlow struct { TCPTuple *TCPTuple // The source and destination addresses Data []*pkt.Packet // The array of packets StartTime time.Time // Time of the first packet EndTime time.Time // Time of the last packet SrcFirstSeq uint32 // The first seq number in the flow DstFirstSeq uint32 // The first seq number in the flow SrcFirstAckSeq uint32 // The first ACK seq number in the flow DstFirstAckSeq uint32 // The first ACK seq number in the flow SrcBytes int64 // Number of application bytes Src->Dst DstBytes int64 // Number of application bytes Dst->Src SrcPLBytes int64 // Number of IP payload bytes Src->Dst DstPLBytes int64 // Number of IP payload bytes Dst->Src SrcWireBytes int64 // Number of off the wire bytes Src->Dst DstWireBytes int64 // Number of off the wire bytes Dst->Src SrcPktCnt int64 // Number of packets Src->Dst DstPktCnt int64 // Number of packets Dst->Src SrcData []*pkt.Packet // An array of packets Src->Dst DstData []*pkt.Packet // An array of packets Dst->Src SrcDataMap map[uint32]*pkt.Packet // A map of seq to packets Src->Dst DstDataMap map[uint32]*pkt.Packet // A map of seq to packets Dst->Src }
A TCPFlow makes working with TCP data easier.
func NewTCPFlow ¶
NewTCPFlow filters the packet in d by t.MatchFlow and returns the resulting TCPFlow for analysis.
func (*TCPFlow) AddData ¶
AddData will call f.AddPacket for each packet in d where f.TCPTuple.MatchFlow is true. This is a faster way to create a TCPFlow if you know you are only interested in the TCP traffic for a single TCPTuple.
func (*TCPFlow) AddPacket ¶
AddPacket updates the meta data for a TCPFlow and saves a reference to the pkt.Packet. This assumes the packet addresses have been checked and the TCP flow matches (it does not check for matching addresses).
func (*TCPFlow) Analyze ¶
func (f *TCPFlow) Analyze() (*TCPFlowStats, error)
Analyze computes the aggregate packet-level data for a TCPFlow. This does not take into account packets that may have been dropped by the pcap trace and the analysis of such traces will be less accurate than those without any missing packets.
type TCPFlowStats ¶
type TCPFlowStats struct { DstDupAck int // Total number of duplicate Dst ACKs DstLoss int // Number retransmitted Dst packets DstLossBytes uint32 // Number of retransmitted Dst bytes DstOrder int // Number of out-of-order Dst packets DstOther int // Number of other non-normal Dst packets SrcDupAck int // Total number of duplicate Src ACKs sent SrcLoss int // Number retransmitted Src packets SrcLossBytes uint32 // Number of retransmitted Src bytes SrcOrder int // Number of out-of-order Src packets SrcOther int // Number of other non-normal Src packets }
Aggregate packet-level data for a TCPFlow. This is usually returned from a call to TCPFlow.Analysis().
func TCPFlowAnalysis ¶
func TCPFlowAnalysis(d []*pkt.Packet, t *TCPTuple) (*TCPFlowStats, error)
Analysis computes the aggregate packet-level data for a TCPFlow. This does not take into account packets that may have been dropped by the pcap trace and the analysis of such traces will be less accurate than those without any missing packets.
type TCPTuple ¶
type TCPTuple struct { Src *net.TCPAddr // The source IP address Dst *net.TCPAddr // The destination IP address }
A TCPTuple encapsulates the source and destination address for analysing TCP/IP packet traces.
func NewTCPTuple ¶
NewTCPTuple constructs a TCPTuple from the information in the pkt.Packet headers. This assumes that the packet is a TCP/IP packet.
func (*TCPTuple) Equal ¶
Equal returns true if t and x have the same source and destination IP:Port address.