131 lines
4.2 KiB
Go
131 lines
4.2 KiB
Go
package packetAnalyzer
|
|
|
|
import (
|
|
"log"
|
|
"net"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/google/gopacket"
|
|
"github.com/google/gopacket/layers"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
// Function to get information from packet layers.
|
|
func PacketInfo(packet gopacket.Packet) (string, string, int, time.Time) {
|
|
var connection string = ""
|
|
packetData := strings.Split(packet.String(), "\n")[0]
|
|
|
|
layout := "2006-01-02 15:04:05 -0700 MST"
|
|
|
|
packetSize, _ := strconv.Atoi(strings.Split(strings.Split(strings.Split(packetData, ":")[1], ",")[0], " ")[1])
|
|
packetTime, _ := time.Parse(layout, strings.Split(packetData, "@")[1][1:])
|
|
|
|
// Let's see if the packet is an ethernet packet
|
|
// ethernetLayer := packet.Layer(layers.LayerTypeEthernet)
|
|
// if ethernetLayer != nil {
|
|
// logrus.Info("Ethernet layer detected.")
|
|
// ethernetPacket, _ := ethernetLayer.(*layers.Ethernet)
|
|
// logrus.Info("Source MAC: ", ethernetPacket.SrcMAC)
|
|
// logrus.Info("Destination MAC: ", ethernetPacket.DstMAC)
|
|
// // Ethernet type is typically IPv4 but could be ARP or other
|
|
// logrus.Info("Ethernet type: ", ethernetPacket.EthernetType)
|
|
// logrus.Info()
|
|
// }
|
|
|
|
// Let's see if the packet is IP (even though the ether type told us)
|
|
ipLayer := packet.Layer(layers.LayerTypeIPv4)
|
|
protocol := ""
|
|
if ipLayer != nil {
|
|
//logrus.Info("IPv4 layer detected.")
|
|
ip, _ := ipLayer.(*layers.IPv4)
|
|
|
|
// IP layer variables:
|
|
// Version (Either 4 or 6)
|
|
// IHL (IP Header Length in 32-bit words)
|
|
// TOS, Length, Id, Flags, FragOffset, TTL, Protocol (TCP?),
|
|
// Checksum, SrcIP, DstIP
|
|
connection += ip.SrcIP.String() + "--" + ip.DstIP.String() + "--" + ip.Protocol.String()
|
|
protocol = ip.Protocol.String()
|
|
}
|
|
|
|
// Let's see if the packet is TCP
|
|
tcpLayer := packet.Layer(layers.LayerTypeTCP)
|
|
if tcpLayer != nil {
|
|
//logrus.Info("TCP layer detected.")
|
|
tcp, _ := tcpLayer.(*layers.TCP)
|
|
connection += "--" + tcp.SrcPort.String() + "--" + tcp.DstPort.String()
|
|
|
|
// TCP layer variables:
|
|
// SrcPort, DstPort, Seq, Ack, DataOffset, Window, Checksum, Urgent
|
|
// Bool flags: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS
|
|
// logrus.Info("Sequence number: ", tcp.Seq)
|
|
}
|
|
|
|
// Let's see if the packet is TCP
|
|
udpLayer := packet.Layer(layers.LayerTypeUDP)
|
|
if udpLayer != nil {
|
|
//logrus.Info("UDP layer detected.")
|
|
udp, _ := udpLayer.(*layers.UDP)
|
|
connection += "--" + udp.SrcPort.String() + "--" + udp.DstPort.String()
|
|
|
|
// UDP layer variables:
|
|
// SrcPort, DstPort, Length, Checksum
|
|
}
|
|
|
|
// // Iterate over all layers, printing out each layer type
|
|
// logrus.Info("All packet layers:")
|
|
// for _, layer := range packet.Layers() {
|
|
// logrus.Info("- ", layer.LayerType())
|
|
// }
|
|
|
|
// When iterating through packet.Layers() above,
|
|
// if it lists Payload layer then that is the same as
|
|
// this applicationLayer. applicationLayer contains the payload
|
|
|
|
applicationLayer := packet.ApplicationLayer()
|
|
|
|
if applicationLayer != nil {
|
|
// logrus.Info("Application layer/Payload found. ", applicationLayer.Payload())
|
|
// logrus.Info("%s\n", applicationLayer.Payload())
|
|
|
|
// // Search for a string inside the payload
|
|
// if strings.Contains(string(applicationLayer.Payload()), "HTTP") {
|
|
// logrus.Info("HTTP found!")
|
|
// }
|
|
}
|
|
|
|
// Check for errors
|
|
if err := packet.ErrorLayer(); err != nil {
|
|
logrus.Info("Error decoding some part of the packet:", err)
|
|
}
|
|
|
|
// Return if protocol=TCP/UDP and if packets have correct time stamps.
|
|
if (protocol == "TCP") || (protocol == "UDP") && (packetTime.String()[0:19] != "0001-01-01 00:00:00") {
|
|
return connection, Reverse5Tuple(connection), packetSize, packetTime
|
|
} else {
|
|
return connection, "nil", packetSize, packetTime
|
|
}
|
|
}
|
|
|
|
// GetOutboundIP: Get preferred outbound ip of this machine.
|
|
func GetOutboundIP() net.IP {
|
|
conn, err := net.Dial("udp", "8.8.8.8:80")
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
defer conn.Close()
|
|
|
|
localAddr := conn.LocalAddr().(*net.UDPAddr)
|
|
|
|
return localAddr.IP
|
|
}
|
|
|
|
// Reverse a 5 tuple.
|
|
func Reverse5Tuple(fTuple string) string {
|
|
srcIP, dstIP, protocol, srcPort, dstPort := strings.Split(fTuple, "--")[0], strings.Split(fTuple, "--")[1], strings.Split(fTuple, "--")[2], strings.Split(fTuple, "--")[3], strings.Split(fTuple, "--")[4]
|
|
|
|
return dstIP + "--" + srcIP + "--" + protocol + "--" + dstPort + "--" + srcPort
|
|
}
|