pcapgo

package
v0.1.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 29, 2023 License: AGPL-3.0 Imports: 9 Imported by: 0

Documentation

Overview

Package pcapgo provides some native PCAP support, not requiring C libpcap to be installed.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Reader

type Reader struct {
	// contains filtered or unexported fields
}

Reader wraps an underlying io.Reader to read packet data in PCAP format. See http://wiki.wireshark.org/Development/LibpcapFileFormat for information on the file format.

We currenty read v2.4 file format with nanosecond and microsecdond timestamp resolution in little-endian and big-endian encoding.

If the PCAP data is gzip compressed it is transparently uncompressed by wrapping the given io.Reader with a gzip.Reader.

func NewReader

func NewReader(r io.Reader) (*Reader, error)

NewReader returns a new reader object, for reading packet data from the given reader. The reader must be open and header data is read from it at this point. If the file format is not supported an error is returned

// Create new reader:
f, _ := os.Open("/tmp/file.pcap")
defer f.Close()
r, err := NewReader(f)
data, ci, err := r.ReadPacketData()

func (*Reader) LinkType

func (r *Reader) LinkType() layers.LinkType

LinkType returns network, as a layers.LinkType.

func (*Reader) ReadPacketData

func (r *Reader) ReadPacketData() (data []byte, ci gopacket.CaptureInfo, err error)

ReadPacketData reads next packet from file.

func (*Reader) SetSnaplen

func (r *Reader) SetSnaplen(newSnaplen uint32)

SetSnaplen sets the snapshot length of the capture file.

This is useful when a pcap file contains packets bigger than then snaplen. Pcapgo will error when reading packets bigger than snaplen, then it dumps those packets and reads the next 16 bytes, which are part of the "faulty" packet's payload, but pcapgo thinks it's the next header, which is probably also faulty because it's not really a packet header. This can lead to a lot of faulty reads.

The SetSnaplen function can be used to set a bigger snaplen to prevent those read errors.

This snaplen situation can happen when a pcap writer doesn't truncate packets to the snaplen size while writing packets to file. E.g. In Python, dpkt.pcap.Writer sets snaplen by default to 1500 (https://dpkt.readthedocs.io/en/latest/api/api_auto.html#dpkt.pcap.Writer) but doesn't enforce this when writing packets (https://dpkt.readthedocs.io/en/latest/_modules/dpkt/pcap.html#Writer.writepkt). When reading, tools like tcpdump, tcpslice, mergecap and wireshark ignore the snaplen and use their own defined snaplen. E.g. When reading packets, tcpdump defines MAXIMUM_SNAPLEN (https://github.com/the-tcpdump-group/tcpdump/blob/6e80fcdbe9c41366df3fa244ffe4ac8cce2ab597/netdissect.h#L290) and uses it (https://github.com/the-tcpdump-group/tcpdump/blob/66384fa15b04b47ad08c063d4728df3b9c1c0677/print.c#L343-L358).

For further reading:

func (*Reader) Snaplen

func (r *Reader) Snaplen() uint32

Snaplen returns the snapshot length of the capture file.

func (*Reader) String

func (r *Reader) String() string

Reader formater

type Writer

type Writer struct {
	// contains filtered or unexported fields
}

Writer wraps an underlying io.Writer to write packet data in PCAP format. See http://wiki.wireshark.org/Development/LibpcapFileFormat for information on the file format.

For those that care, we currently write v2.4 files with nanosecond timestamp resolution and little-endian encoding.

func NewWriter

func NewWriter(w io.Writer) *Writer

NewWriter returns a new writer object, for writing packet data out to the given writer. If this is a new empty writer (as opposed to an append), you must call WriteFileHeader before WritePacket.

// Write a new file:
f, _ := os.Create("/tmp/file.pcap")
w := pcapgo.NewWriter(f)
w.WriteFileHeader(65536, layers.LinkTypeEthernet)  // new file, must do this.
w.WritePacket(gopacket.CaptureInfo{...}, data1)
f.Close()
// Append to existing file (must have same snaplen and linktype)
f2, _ := os.OpenFile("/tmp/file.pcap", os.O_APPEND, 0700)
w2 := pcapgo.NewWriter(f2)
// no need for file header, it's already written.
w2.WritePacket(gopacket.CaptureInfo{...}, data2)
f2.Close()

func (*Writer) WriteFileHeader

func (w *Writer) WriteFileHeader(snaplen uint32, linktype layers.LinkType) error

WriteFileHeader writes a file header out to the writer. This must be called exactly once per destination.

func (*Writer) WritePacket

func (w *Writer) WritePacket(ci gopacket.CaptureInfo, data []byte) error

WritePacket writes the given packet data out to the file.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL