From be7b470748dbb70d4e5421ea0611404a019cd4c3 Mon Sep 17 00:00:00 2001
From: Eugen Biegler
Date: Sat, 10 Feb 2018 22:55:16 +0100
Subject: [PATCH 1/2] Check before set ProtoType
---
 decoder/decoder.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/decoder/decoder.go b/decoder/decoder.go
index 5895f39..bef66b9 100644
--- a/decoder/decoder.go
+++ b/decoder/decoder.go
@@ -205,7 +205,9 @@ func (d *Decoder) Process(data []byte, ci *gopacket.CaptureInfo) (*Packet, error
 return nil, nil
 }
- pkt.ProtoType = 1
+ if bytes.Contains(udp.Payload, []byte("sip")) {
+ pkt.ProtoType = 1
+ }
 pkt.SrcPort = uint16(udp.SrcPort)
 pkt.DstPort = uint16(udp.DstPort)
 pkt.Payload = udp.Payload
@@ -254,7 +256,9 @@ func (d *Decoder) Process(data []byte, ci *gopacket.CaptureInfo) (*Packet, error
 return nil, nil
 }
- pkt.ProtoType = 1
+ if bytes.Contains(tcp.Payload, []byte("sip")) {
+ pkt.ProtoType = 1
+ }
 pkt.SrcPort = uint16(tcp.SrcPort)
 pkt.DstPort = uint16(tcp.DstPort)
 pkt.Payload = tcp.Payload
From 6ffa236adf3a2a5e978a15167fdb3d6f412186d2 Mon Sep 17 00:00:00 2001
From: negbie
Date: Tue, 13 Feb 2018 16:40:47 +0100
Subject: [PATCH 2/2] Decode erspan
---
 config/config.go | 1 +
 decoder/decoder.go | 14 ++++++++++++++
 main.go | 3 ++-
 sniffer/sniffer.go | 3 +++
 4 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/config/config.go b/config/config.go
index 4b6fc45..edda531 100644
--- a/config/config.go
+++ b/config/config.go
@@ -29,6 +29,7 @@ type InterfacesConfig struct {
 RotationTime int `config:"rotation_time"`
 PortRange string `config:"port_range"`
 WithVlan bool `config:"with_vlan"`
+ WithErspan bool `config:"with_erspan"`
 Snaplen int `config:"snaplen"`
 BufferSizeMb int `config:"buffer_size_mb"`
 ReadSpeed bool `config:"top_speed"`
diff --git a/decoder/decoder.go b/decoder/decoder.go
index bef66b9..a2fba47 100644
--- a/decoder/decoder.go
+++ b/decoder/decoder.go
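Review bot: In decoder/decoder.go, hunk at -205 (UDP branch), the new guard `bytes.Contains(udp.Payload, []byte("sip"))` is a case-sensitive substring search over the whole payload, so it accepts any datagram that happens to contain those three bytes and misses a message that only carries the upper-case form. Every SIP request line and status line carries the version token, so `bytes.Contains(udp.Payload, []byte("SIP/2.0"))` is a tighter marker. When the guard fails, the following lines still fill in ports and payload while `pkt.ProtoType` keeps its zero value; what the rest of Process (which continues outside the hunk) does with such a packet is not visible here, so either `return nil, nil` in an else branch or a comment stating the intended handling would help. The TCP hunk at -254 uses the same check.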
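Review bot: In decoder/decoder.go, hunk at -254 (TCP branch), the check runs on one segment's `tcp.Payload`, so a SIP message split across segments is marked only in the segment that contains the matched bytes, and continuation segments fall through with `pkt.ProtoType` unset. No stream reassembly is visible in this hunk, so it may be handled elsewhere in Process, which starts and ends outside the hunk. If it is not, a comment such as `// per-segment check: continuation segments of a long SIP message are not marked` would document the limitation for whoever consumes ProtoType.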
@@ -131,6 +131,20 @@ func (d *Decoder) Process(data []byte, ci *gopacket.CaptureInfo) (*Packet, error
 packet := gopacket.NewPacket(data, d.LayerType, gopacket.DecodeOptions{Lazy: true, NoCopy: true})
 logp.Debug("layer", "\n%v", packet)
+ if greLayer := packet.Layer(layers.LayerTypeGRE); greLayer != nil {
+ gre, ok := greLayer.(*layers.GRE)
+ if !ok {
+ return nil, nil
+ }
+
+ if config.Cfg.Iface.WithErspan {
+ packet = gopacket.NewPacket(gre.Payload[8:], d.LayerType, gopacket.DecodeOptions{Lazy: true, NoCopy: true})
+ } else {
+ packet = gopacket.NewPacket(gre.Payload, d.LayerType, gopacket.DecodeOptions{Lazy: true, NoCopy: true})
+ }
+ logp.Debug("layer", "\nlayer inside GRE\n%v", packet)
+ }
+
 if dot1qLayer := packet.Layer(layers.LayerTypeDot1Q); dot1qLayer != nil {
 dot1q, ok := dot1qLayer.(*layers.Dot1Q)
 if !ok {
diff --git a/main.go b/main.go
index 4700fc8..4f6a12c 100644
--- a/main.go
+++ b/main.go
@@ -36,7 +36,8 @@ func parseFlags() {
 flag.BoolVar(&ifaceConfig.ReadSpeed, "rs", false, "Maximum pcap read speed. Doesn't use packet timestamps")
 flag.IntVar(&ifaceConfig.Snaplen, "s", 16384, "Snaplength")
 flag.StringVar(&ifaceConfig.PortRange, "pr", "5060-5090", "Portrange to capture SIP")
- flag.BoolVar(&ifaceConfig.WithVlan, "vl", false, "Vlan")
+ flag.BoolVar(&ifaceConfig.WithVlan, "vlan", false, "vlan")
+ flag.BoolVar(&ifaceConfig.WithErspan, "erspan", false, "erspan")
 flag.IntVar(&ifaceConfig.BufferSizeMb, "b", 32, "Interface buffersize (MB)")
 flag.StringVar(&logging.Level, "l", "info", "Log level [debug, info, warning, error]")
 flag.BoolVar(&ifaceConfig.OneAtATime, "o", false, "Read packet for packet")
diff --git a/sniffer/sniffer.go b/sniffer/sniffer.go
index f0e1c95..fefe254 100644
--- a/sniffer/sniffer.go
+++ b/sniffer/sniffer.go
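Review bot: In decoder/decoder.go, hunk at -131, `gre.Payload[8:]` in the `WithErspan` branch slices without a length check, so a GRE packet carrying fewer than 8 bytes of payload makes Process panic on data taken straight from the wire unless something further up recovers; add `if len(gre.Payload) < 8 { return nil, nil }` before the slice. The fixed 8-byte skip also assumes an ERSPAN Type II header, so checking `gre.Protocol` (0x88BE for Type II) before stripping would keep other GRE traffic, and Type III with its longer header, from being decoded at the wrong offset. In the else branch the GRE payload is re-decoded with `d.LayerType`, which presumably is the capture link type; plain GRE usually carries IP directly, so that decode may not yield the layers the later code looks for. Process starts and ends outside this hunk.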
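Review bot: In main.go, hunk at -36, renaming the flag from `vl` to `vlan` breaks existing command lines and service files that still pass `-vl`, and the flag package exits on an unknown flag. Keeping the old name as an alias for a release avoids that: `flag.BoolVar(&ifaceConfig.WithVlan, "vl", false, "Deprecated alias of -vlan")`. The usage strings `"vlan"` and `"erspan"` only repeat the flag name; going by the other hunks of this patch, `"Also capture GRE and strip the 8-byte ERSPAN header before decoding"` would tell the operator what `-erspan` turns on. parseFlags continues outside the hunk.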
@@ -109,6 +109,9 @@ func (sniffer *SnifferSetup) setFromConfig() error {
 if sniffer.config.WithVlan {
 sniffer.filter = fmt.Sprintf("%s or (vlan and (%s))", sniffer.filter, sniffer.filter)
 }
+ if sniffer.config.WithErspan {
+ sniffer.filter = fmt.Sprintf("%s or proto GRE", sniffer.filter)
+ }
 logp.Info("Sniffer [type:%s, device:%s, mode:%s] OS [type:%s, arch:%s]", sniffer.config.Type, sniffer.config.Device, sniffer.mode, runtime.GOOS, runtime.GOARCH)
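Review bot: In sniffer/sniffer.go, hunk at -109, the added clause `or proto GRE` matches on the outer header only, so with `WithErspan` set every GRE packet on the interface reaches the decoder, not just ERSPAN sessions or tunnels whose inner traffic falls in the configured port range. That widens the input the decoder must tolerate to anything a host can send as GRE towards the capture point, which should be stated next to the line, e.g. `// matches all GRE; inner ports are not filtered here, the decoder must validate the payload`. The name `GRE` is presumably resolved through the system protocol database when the filter is compiled; `proto 47` would not depend on that. setFromConfig continues outside the hunk, so where the filter string is compiled is not visible here.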