golang拥有wireshark数据包解析能力
- 1. 功能和实现
wireshark拥有世界上最全面的协议解析能力并且还在不断更新中,通过调研,没有办法找到与wireshark同水平的解析工具。
为了使得golang语言可以拥有wireshark一样强大的协议解析能力,库 gowireshark通过golang --wrap–> c --wrap–> wireshark dll的形式做到了这点。
1. 功能和实现
简单来看下这个库的功能,并分析它的实现:
-
可以读取离线pcap文件或者抓取指定网卡数据包并解析
其中c封装的接口在include/目录的
lib.h、offline.h、online.h中,print_xxx开头的接口调用的是原生的wireshark接口proto_tree_print打印协议树,print_hex_data打印十六进制;
get_proto_tree_json接口封装的get_proto_tree_json函数明显是改变自原生wireshark接口write_json_proto_tree(print.c文件中),原本write_json_proto_tree生成和输出json结果使用的是jdump对象,修改后使用cJson替代。 -
支持像wireshark一样解析各种协议,并输出为json格式,字段也能翻译成wireshark一样的解释性文字:
json结果:
{"_index": "packets-2020-12-14","_type": "doc","_score": {},"offset": ["0000", "0010", "0020", "0030", "0040", "0050", "0060"],"hex": ["00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 02", "00 58 00 01 40 00 40 84 3c 1d 7f 00 00 01 7f 00", "00 01 98 3a 96 48 a6 25 c3 63 00 00 00 00 00 03", "00 38 e3 0b 04 a7 00 00 00 00 00 00 00 3e 40 01", "00 0e 00 00 02 00 4e 00 02 00 14 00 00 00 01 00", "00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 55", "79 4b 65 55 00 00 "],"ascii": ["..............E.", ".X..@.@.<.......", "...:.H.%.c......", ".8...........>@.", "......N.........", "...............U", "yKeU.."],"_source": {"layers": {"frame": {"frame.section_number": "1","frame.interface_id": "0","frame.encap_type": "Ethernet (1)","frame.time": "Dec 14, 2020 16:01:11.974420814 UTC","frame.offset_shift": "0.000000000 seconds","frame.time_epoch": "1607961671.974420814 seconds","frame.time_delta": "0.000021538 seconds","frame.time_delta_displayed": "0.000021538 seconds","frame.time_relative": "0.000000000 seconds","frame.number": "5","frame.len": "102","frame.cap_len": "102","frame.marked": "False","frame.ignored": "False","frame.protocols": "eth:ethertype:ip:sctp:f1ap"},"eth": {"eth.dst": "00:00:00:00:00:00 (00:00:00:00:00:00)","eth.dst_tree": {"eth.dst_resolved": "00:00:00:00:00:00","eth.dst.oui": "00:00:00","eth.addr": "00:00:00:00:00:00 (00:00:00:00:00:00)","eth.addr_resolved": "00:00:00:00:00:00","eth.addr.oui": "00:00:00","eth.dst.lg": "Globally unique address (factory default)","eth.lg": "Globally unique address (factory default)","eth.dst.ig": "Individual address (unicast)","eth.ig": "Individual address (unicast)"},"eth.src": "00:00:00:00:00:00 (00:00:00:00:00:00)","eth.src_tree": {"eth.src_resolved": "00:00:00:00:00:00","eth.src.oui": "00:00:00","eth.addr": "00:00:00:00:00:00 (00:00:00:00:00:00)","eth.addr_resolved": "00:00:00:00:00:00","eth.addr.oui": "00:00:00","eth.src.lg": "Globally unique address (factory default)","eth.lg": "Globally unique address (factory default)","eth.src.ig": "Individual address (unicast)","eth.ig": "Individual address (unicast)"},"eth.type": "IPv4 (0x0800)"},"ip": {"ip.version": "4","ip.hdr_len": "20","ip.dsfield": "0x02","ip.dsfield_tree": {"ip.dsfield.dscp": "Default (0)","ip.dsfield.ecn": "ECN-Capable Transport codepoint '10' (2)"},"ip.len": "88","ip.id": "0x0001 (1)","ip.flags": "0x02","ip.flags_tree": {"ip.flags.rb": "Not set","ip.flags.df": "Set","ip.flags.mf": "Not set"},"ip.frag_offset": "0","ip.ttl": "64","ip.proto": "SCTP (132)","ip.checksum": "0x3c1d","ip.checksum.status": "Unverified","ip.src": "127.0.0.1","ip.addr": "127.0.0.1","ip.src_host": "127.0.0.1","ip.host": "127.0.0.1","ip.dst": "127.0.0.1","ip.dst_host": "127.0.0.1"},"sctp": {"sctp.srcport": "38970","sctp.dstport": "38472","sctp.verification_tag": "0xa625c363","sctp.assoc_index": "65535","sctp.port": "38970","sctp.checksum": "0x00000000","sctp.checksum.status": "Unverified","DATA chunk (ordered, complete segment, TSN: 0, SID: 0, SSN: 0, PPID: 62, payload length: 40 bytes)": {"sctp.chunk_type": "DATA (0)","sctp.chunk_type_tree": {"sctp.chunk_bit_1": "Stop processing of the packet","sctp.chunk_bit_2": "Do not report"},"sctp.chunk_flags": "0x03","sctp.chunk_flags_tree": {"sctp.data_i_bit": "Possibly delay SACK","sctp.data_u_bit": "Ordered delivery","sctp.data_b_bit": "First segment","sctp.data_e_bit": "Last segment"},"sctp.chunk_length": "56","sctp.data_tsn": "0","sctp.data_tsn_raw": "3809150119","sctp.data_sid": "0x0000","sctp.data_ssn": "0","sctp.data_payload_proto_id": "F1 AP (62)"}},"f1ap": {"per.choice_index": "1","f1ap.F1AP_PDU": "successfulOutcome (1)","f1ap.F1AP_PDU_tree": {"f1ap.successfulOutcome_element": {"f1ap.procedureCode": "id-F1Setup (1)","per.enum_index": "0","f1ap.criticality": "reject (0)","per.open_type_length": "14","f1ap.value_element": {"f1ap.F1SetupResponse_element": {"per.extension_bit": "0","per.sequence_of_length": "2","f1ap.protocolIEs": "2","f1ap.protocolIEs_tree": {"Item 0: id-TransactionID": {"f1ap.ProtocolIE_Field_element": {"f1ap.id": "id-TransactionID (78)","per.enum_index": "0","f1ap.criticality": "reject (0)","per.open_type_length": "2","f1ap.value_element": {"per.extension_present_bit": "0","f1ap.TransactionID": "20"}}},"Item 1: id-Cause": {"f1ap.ProtocolIE_Field_element": {"f1ap.id": "id-Cause (0)","per.enum_index": "0","f1ap.criticality": "reject (0)","per.open_type_length": "1","f1ap.value_element": {"per.choice_index": "0","f1ap.Cause": "radioNetwork (0)","f1ap.Cause_tree": {"per.extension_present_bit": "0","per.enum_index": "0","f1ap.radioNetwork": "unspecified (0)"}}}}}}}}}}}}
}
- 目前好像还有内存泄露问题和支持多设备实时读取解析功能,wireshark应该无法在线程或协程层面实现并发读取解析,如果使用这个库,也许可以通过docker启动多个微服务来做到。
