// Copyright 2012 Google, Inc. All rights reserved. // // Use of this source code is governed by a BSD-style license // that can be found in the LICENSE file in the root of the source // tree. package gopacket import ( "bytes" "encoding/hex" "errors" "fmt" "io" "os" "reflect" "runtime/debug" "strings" "time" ) // CaptureInfo provides standardized information about a packet captured off // the wire or read from a file. type CaptureInfo struct { // Timestamp is the time the packet was captured, if that is known. Timestamp time.Time // CaptureLength is the total number of bytes read off of the wire. CaptureLength int // Length is the size of the original packet. Should always be >= // CaptureLength. Length int // InterfaceIndex InterfaceIndex int } // PacketMetadata contains metadata for a packet. type PacketMetadata struct { CaptureInfo // Truncated is true if packet decoding logic detects that there are fewer // bytes in the packet than are detailed in various headers (for example, if // the number of bytes in the IPv4 contents/payload is less than IPv4.Length). // This is also set automatically for packets captured off the wire if // CaptureInfo.CaptureLength < CaptureInfo.Length. Truncated bool } // Packet is the primary object used by gopacket. Packets are created by a // Decoder's Decode call. A packet is made up of a set of Data, which // is broken into a number of Layers as it is decoded. type Packet interface { //// Functions for outputting the packet as a human-readable string: //// ------------------------------------------------------------------ // String returns a human-readable string representation of the packet. // It uses LayerString on each layer to output the layer. String() string // Dump returns a verbose human-readable string representation of the packet, // including a hex dump of all layers. It uses LayerDump on each layer to // output the layer. Dump() string //// Functions for accessing arbitrary packet layers: //// ------------------------------------------------------------------ // Layers returns all layers in this packet, computing them as necessary Layers() []Layer // Layer returns the first layer in this packet of the given type, or nil Layer(LayerType) Layer // LayerClass returns the first layer in this packet of the given class, // or nil. LayerClass(LayerClass) Layer //// Functions for accessing specific types of packet layers. These functions //// return the first layer of each type found within the packet. //// ------------------------------------------------------------------ // LinkLayer returns the first link layer in the packet LinkLayer() LinkLayer // NetworkLayer returns the first network layer in the packet NetworkLayer() NetworkLayer // TransportLayer returns the first transport layer in the packet TransportLayer() TransportLayer // ApplicationLayer returns the first application layer in the packet ApplicationLayer() ApplicationLayer // ErrorLayer is particularly useful, since it returns nil if the packet // was fully decoded successfully, and non-nil if an error was encountered // in decoding and the packet was only partially decoded. Thus, its output // can be used to determine if the entire packet was able to be decoded. ErrorLayer() ErrorLayer //// Functions for accessing data specific to the packet: //// ------------------------------------------------------------------ // Data returns the set of bytes that make up this entire packet. Data() []byte // Metadata returns packet metadata associated with this packet. Metadata() *PacketMetadata } // packet contains all the information we need to fulfill the Packet interface, // and its two "subclasses" (yes, no such thing in Go, bear with me), // eagerPacket and lazyPacket, provide eager and lazy decoding logic around the // various functions needed to access this information. type packet struct { // data contains the entire packet data for a packet data []byte // initialLayers is space for an initial set of layers already created inside // the packet. initialLayers [6]Layer // layers contains each layer we've already decoded layers []Layer // last is the last layer added to the packet last Layer // metadata is the PacketMetadata for this packet metadata PacketMetadata decodeOptions DecodeOptions // Pointers to the various important layers link LinkLayer network NetworkLayer transport TransportLayer application ApplicationLayer failure ErrorLayer } func (p *packet) SetTruncated() { p.metadata.Truncated = true } func (p *packet) SetLinkLayer(l LinkLayer) { if p.link == nil { p.link = l } } func (p *packet) SetNetworkLayer(l NetworkLayer) { if p.network == nil { p.network = l } } func (p *packet) SetTransportLayer(l TransportLayer) { if p.transport == nil { p.transport = l } } func (p *packet) SetApplicationLayer(l ApplicationLayer) { if p.application == nil { p.application = l } } func (p *packet) SetErrorLayer(l ErrorLayer) { if p.failure == nil { p.failure = l } } func (p *packet) AddLayer(l Layer) { p.layers = append(p.layers, l) p.last = l } func (p *packet) DumpPacketData() { fmt.Fprint(os.Stderr, p.packetDump()) os.Stderr.Sync() } func (p *packet) Metadata() *PacketMetadata { return &p.metadata } func (p *packet) Data() []byte { return p.data } func (p *packet) DecodeOptions() *DecodeOptions { return &p.decodeOptions } func (p *packet) addFinalDecodeError(err error, stack []byte) { fail := &DecodeFailure{err: err, stack: stack} if p.last == nil { fail.data = p.data } else { fail.data = p.last.LayerPayload() } p.AddLayer(fail) p.SetErrorLayer(fail) } func (p *packet) recoverDecodeError() { if !p.decodeOptions.SkipDecodeRecovery { if r := recover(); r != nil { p.addFinalDecodeError(fmt.Errorf("%v", r), debug.Stack()) } } } // LayerString outputs an individual layer as a string. The layer is output // in a single line, with no trailing newline. This function is specifically // designed to do the right thing for most layers... it follows the following // rules: // * If the Layer has a String function, just output that. // * Otherwise, output all exported fields in the layer, recursing into // exported slices and structs. // NOTE: This is NOT THE SAME AS fmt's "%#v". %#v will output both exported // and unexported fields... many times packet layers contain unexported stuff // that would just mess up the output of the layer, see for example the // Payload layer and it's internal 'data' field, which contains a large byte // array that would really mess up formatting. func LayerString(l Layer) string { return fmt.Sprintf("%v\t%s", l.LayerType(), layerString(reflect.ValueOf(l), false, false)) } // Dumper dumps verbose information on a value. If a layer type implements // Dumper, then its LayerDump() string will include the results in its output. type Dumper interface { Dump() string } // LayerDump outputs a very verbose string representation of a layer. Its // output is a concatenation of LayerString(l) and hex.Dump(l.LayerContents()). // It contains newlines and ends with a newline. func LayerDump(l Layer) string { var b bytes.Buffer b.WriteString(LayerString(l)) b.WriteByte('\n') if d, ok := l.(Dumper); ok { dump := d.Dump() if dump != "" { b.WriteString(dump) if dump[len(dump)-1] != '\n' { b.WriteByte('\n') } } } b.WriteString(hex.Dump(l.LayerContents())) return b.String() } // layerString outputs, recursively, a layer in a "smart" way. See docs for // LayerString for more details. // // Params: // i - value to write out // anonymous: if we're currently recursing an anonymous member of a struct // writeSpace: if we've already written a value in a struct, and need to // write a space before writing more. This happens when we write various // anonymous values, and need to keep writing more. func layerString(v reflect.Value, anonymous bool, writeSpace bool) string { // Let String() functions take precedence. if v.CanInterface() { if s, ok := v.Interface().(fmt.Stringer); ok { return s.String() } } // Reflect, and spit out all the exported fields as key=value. switch v.Type().Kind() { case reflect.Interface, reflect.Ptr: if v.IsNil() { return "nil" } r := v.Elem() return layerString(r, anonymous, writeSpace) case reflect.Struct: var b bytes.Buffer typ := v.Type() if !anonymous { b.WriteByte('{') } for i := 0; i < v.NumField(); i++ { // Check if this is upper-case. ftype := typ.Field(i) f := v.Field(i) if ftype.Anonymous { anonStr := layerString(f, true, writeSpace) writeSpace = writeSpace || anonStr != "" b.WriteString(anonStr) } else if ftype.PkgPath == "" { // exported if writeSpace { b.WriteByte(' ') } writeSpace = true fmt.Fprintf(&b, "%s=%s", typ.Field(i).Name, layerString(f, false, writeSpace)) } } if !anonymous { b.WriteByte('}') } return b.String() case reflect.Slice: var b bytes.Buffer b.WriteByte('[') if v.Len() > 4 { fmt.Fprintf(&b, "..%d..", v.Len()) } else { for j := 0; j < v.Len(); j++ { if j != 0 { b.WriteString(", ") } b.WriteString(layerString(v.Index(j), false, false)) } } b.WriteByte(']') return b.String() } return fmt.Sprintf("%v", v.Interface()) } const ( longBytesLength = 128 ) // LongBytesGoString returns a string representation of the byte slice shortened // using the format '{ ... ( bytes)}' if it // exceeds a predetermined length. Can be used to avoid filling the display with // very long byte strings. func LongBytesGoString(buf []byte) string { if len(buf) < longBytesLength { return fmt.Sprintf("%#v", buf) } s := fmt.Sprintf("%#v", buf[:longBytesLength-1]) s = strings.TrimSuffix(s, "}") return fmt.Sprintf("%s ... (%d bytes)}", s, len(buf)) } func baseLayerString(value reflect.Value) string { t := value.Type() content := value.Field(0) c := make([]byte, content.Len()) for i := range c { c[i] = byte(content.Index(i).Uint()) } payload := value.Field(1) p := make([]byte, payload.Len()) for i := range p { p[i] = byte(payload.Index(i).Uint()) } return fmt.Sprintf("%s{Contents:%s, Payload:%s}", t.String(), LongBytesGoString(c), LongBytesGoString(p)) } func layerGoString(i interface{}, b *bytes.Buffer) { if s, ok := i.(fmt.GoStringer); ok { b.WriteString(s.GoString()) return } var v reflect.Value var ok bool if v, ok = i.(reflect.Value); !ok { v = reflect.ValueOf(i) } switch v.Kind() { case reflect.Ptr, reflect.Interface: if v.Kind() == reflect.Ptr { b.WriteByte('&') } layerGoString(v.Elem().Interface(), b) case reflect.Struct: t := v.Type() b.WriteString(t.String()) b.WriteByte('{') for i := 0; i < v.NumField(); i++ { if i > 0 { b.WriteString(", ") } if t.Field(i).Name == "BaseLayer" { fmt.Fprintf(b, "BaseLayer:%s", baseLayerString(v.Field(i))) } else if v.Field(i).Kind() == reflect.Struct { fmt.Fprintf(b, "%s:", t.Field(i).Name) layerGoString(v.Field(i), b) } else if v.Field(i).Kind() == reflect.Ptr { b.WriteByte('&') layerGoString(v.Field(i), b) } else { fmt.Fprintf(b, "%s:%#v", t.Field(i).Name, v.Field(i)) } } b.WriteByte('}') default: fmt.Fprintf(b, "%#v", i) } } // LayerGoString returns a representation of the layer in Go syntax, // taking care to shorten "very long" BaseLayer byte slices func LayerGoString(l Layer) string { b := new(bytes.Buffer) layerGoString(l, b) return b.String() } func (p *packet) packetString() string { var b bytes.Buffer fmt.Fprintf(&b, "PACKET: %d bytes", len(p.Data())) if p.metadata.Truncated { b.WriteString(", truncated") } if p.metadata.Length > 0 { fmt.Fprintf(&b, ", wire length %d cap length %d", p.metadata.Length, p.metadata.CaptureLength) } if !p.metadata.Timestamp.IsZero() { fmt.Fprintf(&b, " @ %v", p.metadata.Timestamp) } b.WriteByte('\n') for i, l := range p.layers { fmt.Fprintf(&b, "- Layer %d (%02d bytes) = %s\n", i+1, len(l.LayerContents()), LayerString(l)) } return b.String() } func (p *packet) packetDump() string { var b bytes.Buffer fmt.Fprintf(&b, "-- FULL PACKET DATA (%d bytes) ------------------------------------\n%s", len(p.data), hex.Dump(p.data)) for i, l := range p.layers { fmt.Fprintf(&b, "--- Layer %d ---\n%s", i+1, LayerDump(l)) } return b.String() } // eagerPacket is a packet implementation that does eager decoding. Upon // initial construction, it decodes all the layers it can from packet data. // eagerPacket implements Packet and PacketBuilder. type eagerPacket struct { packet } var errNilDecoder = errors.New("NextDecoder passed nil decoder, probably an unsupported decode type") func (p *eagerPacket) NextDecoder(next Decoder) error { if next == nil { return errNilDecoder } if p.last == nil { return errors.New("NextDecoder called, but no layers added yet") } d := p.last.LayerPayload() if len(d) == 0 { return nil } // Since we're eager, immediately call the next decoder. return next.Decode(d, p) } func (p *eagerPacket) initialDecode(dec Decoder) { defer p.recoverDecodeError() err := dec.Decode(p.data, p) if err != nil { p.addFinalDecodeError(err, nil) } } func (p *eagerPacket) LinkLayer() LinkLayer { return p.link } func (p *eagerPacket) NetworkLayer() NetworkLayer { return p.network } func (p *eagerPacket) TransportLayer() TransportLayer { return p.transport } func (p *eagerPacket) ApplicationLayer() ApplicationLayer { return p.application } func (p *eagerPacket) ErrorLayer() ErrorLayer { return p.failure } func (p *eagerPacket) Layers() []Layer { return p.layers } func (p *eagerPacket) Layer(t LayerType) Layer { for _, l := range p.layers { if l.LayerType() == t { return l } } return nil } func (p *eagerPacket) LayerClass(lc LayerClass) Layer { for _, l := range p.layers { if lc.Contains(l.LayerType()) { return l } } return nil } func (p *eagerPacket) String() string { return p.packetString() } func (p *eagerPacket) Dump() string { return p.packetDump() } // lazyPacket does lazy decoding on its packet data. On construction it does // no initial decoding. For each function call, it decodes only as many layers // as are necessary to compute the return value for that function. // lazyPacket implements Packet and PacketBuilder. type lazyPacket struct { packet next Decoder } func (p *lazyPacket) NextDecoder(next Decoder) error { if next == nil { return errNilDecoder } p.next = next return nil } func (p *lazyPacket) decodeNextLayer() { if p.next == nil { return } d := p.data if p.last != nil { d = p.last.LayerPayload() } next := p.next p.next = nil // We've just set p.next to nil, so if we see we have no data, this should be // the final call we get to decodeNextLayer if we return here. if len(d) == 0 { return } defer p.recoverDecodeError() err := next.Decode(d, p) if err != nil { p.addFinalDecodeError(err, nil) } } func (p *lazyPacket) LinkLayer() LinkLayer { for p.link == nil && p.next != nil { p.decodeNextLayer() } return p.link } func (p *lazyPacket) NetworkLayer() NetworkLayer { for p.network == nil && p.next != nil { p.decodeNextLayer() } return p.network } func (p *lazyPacket) TransportLayer() TransportLayer { for p.transport == nil && p.next != nil { p.decodeNextLayer() } return p.transport } func (p *lazyPacket) ApplicationLayer() ApplicationLayer { for p.application == nil && p.next != nil { p.decodeNextLayer() } return p.application } func (p *lazyPacket) ErrorLayer() ErrorLayer { for p.failure == nil && p.next != nil { p.decodeNextLayer() } return p.failure } func (p *lazyPacket) Layers() []Layer { for p.next != nil { p.decodeNextLayer() } return p.layers } func (p *lazyPacket) Layer(t LayerType) Layer { for _, l := range p.layers { if l.LayerType() == t { return l } } numLayers := len(p.layers) for p.next != nil { p.decodeNextLayer() for _, l := range p.layers[numLayers:] { if l.LayerType() == t { return l } } numLayers = len(p.layers) } return nil } func (p *lazyPacket) LayerClass(lc LayerClass) Layer { for _, l := range p.layers { if lc.Contains(l.LayerType()) { return l } } numLayers := len(p.layers) for p.next != nil { p.decodeNextLayer() for _, l := range p.layers[numLayers:] { if lc.Contains(l.LayerType()) { return l } } numLayers = len(p.layers) } return nil } func (p *lazyPacket) String() string { p.Layers(); return p.packetString() } func (p *lazyPacket) Dump() string { p.Layers(); return p.packetDump() } // DecodeOptions tells gopacket how to decode a packet. type DecodeOptions struct { // Lazy decoding decodes the minimum number of layers needed to return data // for a packet at each function call. Be careful using this with concurrent // packet processors, as each call to packet.* could mutate the packet, and // two concurrent function calls could interact poorly. Lazy bool // NoCopy decoding doesn't copy its input buffer into storage that's owned by // the packet. If you can guarantee that the bytes underlying the slice // passed into NewPacket aren't going to be modified, this can be faster. If // there's any chance that those bytes WILL be changed, this will invalidate // your packets. NoCopy bool // SkipDecodeRecovery skips over panic recovery during packet decoding. // Normally, when packets decode, if a panic occurs, that panic is captured // by a recover(), and a DecodeFailure layer is added to the packet detailing // the issue. If this flag is set, panics are instead allowed to continue up // the stack. SkipDecodeRecovery bool // DecodeStreamsAsDatagrams enables routing of application-level layers in the TCP // decoder. If true, we should try to decode layers after TCP in single packets. // This is disabled by default because the reassembly package drives the decoding // of TCP payload data after reassembly. DecodeStreamsAsDatagrams bool } // Default decoding provides the safest (but slowest) method for decoding // packets. It eagerly processes all layers (so it's concurrency-safe) and it // copies its input buffer upon creation of the packet (so the packet remains // valid if the underlying slice is modified. Both of these take time, // though, so beware. If you can guarantee that the packet will only be used // by one goroutine at a time, set Lazy decoding. If you can guarantee that // the underlying slice won't change, set NoCopy decoding. var Default = DecodeOptions{} // Lazy is a DecodeOptions with just Lazy set. var Lazy = DecodeOptions{Lazy: true} // NoCopy is a DecodeOptions with just NoCopy set. var NoCopy = DecodeOptions{NoCopy: true} // DecodeStreamsAsDatagrams is a DecodeOptions with just DecodeStreamsAsDatagrams set. var DecodeStreamsAsDatagrams = DecodeOptions{DecodeStreamsAsDatagrams: true} // NewPacket creates a new Packet object from a set of bytes. The // firstLayerDecoder tells it how to interpret the first layer from the bytes, // future layers will be generated from that first layer automatically. func NewPacket(data []byte, firstLayerDecoder Decoder, options DecodeOptions) Packet { if !options.NoCopy { dataCopy := make([]byte, len(data)) copy(dataCopy, data) data = dataCopy } if options.Lazy { p := &lazyPacket{ packet: packet{data: data, decodeOptions: options}, next: firstLayerDecoder, } p.layers = p.initialLayers[:0] // Crazy craziness: // If the following return statemet is REMOVED, and Lazy is FALSE, then // eager packet processing becomes 17% FASTER. No, there is no logical // explanation for this. However, it's such a hacky micro-optimization that // we really can't rely on it. It appears to have to do with the size the // compiler guesses for this function's stack space, since one symptom is // that with the return statement in place, we more than double calls to // runtime.morestack/runtime.lessstack. We'll hope the compiler gets better // over time and we get this optimization for free. Until then, we'll have // to live with slower packet processing. return p } p := &eagerPacket{ packet: packet{data: data, decodeOptions: options}, } p.layers = p.initialLayers[:0] p.initialDecode(firstLayerDecoder) return p } // PacketDataSource is an interface for some source of packet data. Users may // create their own implementations, or use the existing implementations in // gopacket/pcap (libpcap, allows reading from live interfaces or from // pcap files) or gopacket/pfring (PF_RING, allows reading from live // interfaces). type PacketDataSource interface { // ReadPacketData returns the next packet available from this data source. // It returns: // data: The bytes of an individual packet. // ci: Metadata about the capture // err: An error encountered while reading packet data. If err != nil, // then data/ci will be ignored. ReadPacketData() (data []byte, ci CaptureInfo, err error) } // ConcatFinitePacketDataSources returns a PacketDataSource that wraps a set // of internal PacketDataSources, each of which will stop with io.EOF after // reading a finite number of packets. The returned PacketDataSource will // return all packets from the first finite source, followed by all packets from // the second, etc. Once all finite sources have returned io.EOF, the returned // source will as well. func ConcatFinitePacketDataSources(pds ...PacketDataSource) PacketDataSource { c := concat(pds) return &c } type concat []PacketDataSource func (c *concat) ReadPacketData() (data []byte, ci CaptureInfo, err error) { for len(*c) > 0 { data, ci, err = (*c)[0].ReadPacketData() if err == io.EOF { *c = (*c)[1:] continue } return } return nil, CaptureInfo{}, io.EOF } // ZeroCopyPacketDataSource is an interface to pull packet data from sources // that allow data to be returned without copying to a user-controlled buffer. // It's very similar to PacketDataSource, except that the caller must be more // careful in how the returned buffer is handled. type ZeroCopyPacketDataSource interface { // ZeroCopyReadPacketData returns the next packet available from this data source. // It returns: // data: The bytes of an individual packet. Unlike with // PacketDataSource's ReadPacketData, the slice returned here points // to a buffer owned by the data source. In particular, the bytes in // this buffer may be changed by future calls to // ZeroCopyReadPacketData. Do not use the returned buffer after // subsequent ZeroCopyReadPacketData calls. // ci: Metadata about the capture // err: An error encountered while reading packet data. If err != nil, // then data/ci will be ignored. ZeroCopyReadPacketData() (data []byte, ci CaptureInfo, err error) } // PacketSource reads in packets from a PacketDataSource, decodes them, and // returns them. // // There are currently two different methods for reading packets in through // a PacketSource: // // Reading With Packets Function // // This method is the most convenient and easiest to code, but lacks // flexibility. Packets returns a 'chan Packet', then asynchronously writes // packets into that channel. Packets uses a blocking channel, and closes // it if an io.EOF is returned by the underlying PacketDataSource. All other // PacketDataSource errors are ignored and discarded. // for packet := range packetSource.Packets() { // ... // } // // Reading With NextPacket Function // // This method is the most flexible, and exposes errors that may be // encountered by the underlying PacketDataSource. It's also the fastest // in a tight loop, since it doesn't have the overhead of a channel // read/write. However, it requires the user to handle errors, most // importantly the io.EOF error in cases where packets are being read from // a file. // for { // packet, err := packetSource.NextPacket() // if err == io.EOF { // break // } else if err != nil { // log.Println("Error:", err) // continue // } // handlePacket(packet) // Do something with each packet. // } type PacketSource struct { source PacketDataSource decoder Decoder // DecodeOptions is the set of options to use for decoding each piece // of packet data. This can/should be changed by the user to reflect the // way packets should be decoded. DecodeOptions c chan Packet } // NewPacketSource creates a packet data source. func NewPacketSource(source PacketDataSource, decoder Decoder) *PacketSource { return &PacketSource{ source: source, decoder: decoder, } } // NextPacket returns the next decoded packet from the PacketSource. On error, // it returns a nil packet and a non-nil error. func (p *PacketSource) NextPacket() (Packet, error) { data, ci, err := p.source.ReadPacketData() if err != nil { return nil, err } packet := NewPacket(data, p.decoder, p.DecodeOptions) m := packet.Metadata() m.CaptureInfo = ci m.Truncated = m.Truncated || ci.CaptureLength < ci.Length return packet, nil } // packetsToChannel reads in all packets from the packet source and sends them // to the given channel. When it receives an error, it ignores it. When it // receives an io.EOF, it closes the channel. func (p *PacketSource) packetsToChannel() { defer close(p.c) for { packet, err := p.NextPacket() if err == io.EOF { return } else if err == nil { p.c <- packet } } } // Packets returns a channel of packets, allowing easy iterating over // packets. Packets will be asynchronously read in from the underlying // PacketDataSource and written to the returned channel. If the underlying // PacketDataSource returns an io.EOF error, the channel will be closed. // If any other error is encountered, it is ignored. // // for packet := range packetSource.Packets() { // handlePacket(packet) // Do something with each packet. // } // // If called more than once, returns the same channel. func (p *PacketSource) Packets() chan Packet { if p.c == nil { p.c = make(chan Packet, 1000) go p.packetsToChannel() } return p.c }