packet_via_dmem 0.0.6 → 0.0.8
- checksums.yaml +4 -4
- data/README.md +2 -2
- data/lib/packet_via_dmem.rb +2 -1
- data/lib/packet_via_dmem/cli.rb +3 -1
- data/lib/packet_via_dmem/packets.rb +4 -3
- data/lib/packet_via_dmem/received.rb +39 -10
- data/lib/packet_via_dmem/sent.rb +2 -1
- data/packet_via_dmem.gemspec +1 -1
- metadata +1 -1
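--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0147a2a28aec0b7d80b8e8fc84b3ae62e228893f
+data.tar.gz: 231b1c57cbb1902621382913c3eab7c9d86e2c57
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ec74f12df72f23334e86568b15a0e20f66ac7223fbc1d3072ae34d47f619d207353bb69b9d19168db4b071c0a12c4b0ee5cc214e4ce532f6f433b49e69ac9360
+data.tar.gz: e3772c982460028fd3d4fbc79a78cd1ce8dc4328fdb95db108cceaaeb3f2add2a32da506bd9230b853ab27c8cde1123e376f420022bdb46918ad379787a6e986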
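--- a/data/README.md
+++ b/data/README.md
@@ -98,8 +98,8 @@ To capture say packets with IP address 10.11.12.13
 
 * value of fift+sixth seems to sometime indicate special cases
 * 0x1fff - Packet missing everything before IPv4 TTL, yet has some extra. I saw BGP from control-plane with this and also TCP/SMB2 with Seq1, it was transit, but perhaps it was via ARP resolve/punt and thus coming from control-plane?
-* 0x2000 - BFD frames from control-plane, missing
-* 0x4220 - Was
+* 0x2000 - BFD frames from control-plane or LACP IPv4, if next byte is 1 like below, if next byte is 0 missing MACs too (+5bytes)
+* 0x4220 - Was LACP MPLS traffic, missing ethertype, MACs changed, 2 mystery bytes
 * 0x8000 - I need to pop 14 bytes extra
 
 * 00 (22) (33) (44) \<src\> (66)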
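--- a/data/lib/packet_via_dmem.rb
+++ b/data/lib/packet_via_dmem.rb
@@ -18,12 +18,13 @@ class PacketViaDMEM
 def initialize opts={}
 @received = opts.delete :received
 @sent = opts.delete :sent
+@debug = opts.delete :debug
 @received ||= HEADER_SIZE[:received]
 @sc = StringScanner.new ''
 end
 
 def parse str
-packets = Packets.new
+packets = Packets.new @debug
 @sc.string = str
 while @sc.scan_until PACKET
 match = @sc.matched.split(/\s+/)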
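--- a/data/lib/packet_via_dmem/cli.rb
+++ b/data/lib/packet_via_dmem/cli.rb
@@ -20,7 +20,9 @@ class PacketViaDMEM
 rescue
 raise InvalidFile, "unable to read #{file}"
 end
-packets = PacketViaDMEM.new(:received=>@opts
+packets = PacketViaDMEM.new(:received=>@opts.received?,
+:sent=>@opts.sent?,
+:debug=>@opts.debug?).parse file
 count = 0
 packets.each do |pkt|
 pop = false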
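Review bot: The new call passes `@opts.received?` and `@opts.sent?`, which read as presence predicates, while `PacketViaDMEM#initialize` stores them and falls back with `@received ||= HEADER_SIZE[:received]`, which suggests a header size is expected there. If the predicates return true/false rather than the option's value, a user-supplied size would be replaced by `true` and reach the parser as a non-numeric pop count; this is inferred, because the option definitions are outside the hunk. If the options carry values, pass those instead, e.g. `:received=>@opts[:received], :sent=>@opts[:sent]` (or the accessor the option parser provides), and keep the predicate form only for `:debug`.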
@@ -7,14 +7,15 @@ class PacketViaDMEM
|
|
7
7
|
include Enumerable
|
8
8
|
class InvalidType < Error; end
|
9
9
|
|
10
|
-
def initialize
|
10
|
+
def initialize debug
|
11
|
+
@debug = debug
|
11
12
|
@packets = []
|
12
13
|
end
|
13
14
|
|
14
15
|
def add packet, type
|
15
16
|
packet = case type
|
16
|
-
when :received then Received.new packet
|
17
|
-
when :sent then Sent.new packet
|
17
|
+
when :received then Received.new packet, @debug
|
18
|
+
when :sent then Sent.new packet, @debug
|
18
19
|
else raise InvalidType, "#{type} not valid packet type"
|
19
20
|
end
|
20
21
|
@packets << packet
|
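Review bot: `def initialize debug` makes the flag a required positional argument, so any existing caller of `Packets.new` without arguments now raises ArgumentError. The same applies to `Received#initialize packet, debug` in the following hunk and, judging by the `Sent.new packet, @debug` call here, presumably to `Sent` as well. A default keeps the constructors backward-compatible: `def initialize debug=false` (and `def initialize packet, debug=false` for the packet classes). The body of `add` continues past the end of the hunk.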
@@ -1,7 +1,8 @@
|
|
1
1
|
class PacketViaDMEM
|
2
2
|
class Received < Packet
|
3
3
|
|
4
|
-
def initialize packet
|
4
|
+
def initialize packet, debug
|
5
|
+
@debug = debug
|
5
6
|
@type = :received
|
6
7
|
@original = packet
|
7
8
|
@header, @packet = parse_packet packet
|
@@ -17,25 +18,53 @@ class PacketViaDMEM
|
|
17
18
|
when 0x10 then offset = 2 #1,2,3,4,7,8,5,6
|
18
19
|
end
|
19
20
|
pop += offset
|
20
|
-
|
21
|
-
|
21
|
+
type = pkt[4+offset..5+offset].join.to_i(16)
|
22
|
+
macs = pkt[6+offset].to_i(16) > 0 # macs, maybe...
|
23
|
+
case type
|
24
|
+
# these were self originated
|
25
|
+
when 0x8000
|
26
|
+
pop+=14
|
22
27
|
# ae/802.1AX is special, I seem to have 2 bytes I don't know
|
23
28
|
# and ethertype missing, and MAC is weird, mpls labels are present
|
24
29
|
# i'd need example carrying IPv4/IPv6 instead of MPLS to decide those two bytes
|
25
|
-
when
|
26
|
-
pop
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
push = FAKE[:dmac] + FAKE[:smac] + FAKE[:etype_ipv4]
|
31
|
-
# some BGP packets like this
|
30
|
+
when *MAGIC::MPLS
|
31
|
+
pop, push = get_pop_push(pkt, pop, offset, macs, FAKE[:etype_mpls])
|
32
|
+
when *MAGIC::IPV4 # these were BFD packets from control-plane
|
33
|
+
pop, push = get_pop_push(pkt, pop, offset, macs, FAKE[:etype_ipv4])
|
34
|
+
# some BGP packets were like this
|
32
35
|
# also SMB2 TCP Seq1 (maybe post ARP from control-plane?)
|
33
36
|
# they are misssing all of ipv4 headers before TTL
|
34
37
|
when 0x1f00
|
35
38
|
pop+=7
|
36
39
|
push = FAKE[:dmac] + FAKE[:smac] + FAKE[:etype_ipv4] + FAKE[:ipv4]
|
40
|
+
when *MAGIC::NOPOP
|
41
|
+
# no-op, DMAC follows immedately
|
42
|
+
else
|
43
|
+
$stderr.puts "unknown type: 0x#{type.to_s(16)}" if @debug
|
37
44
|
end
|
38
45
|
header_and_packet pkt, pop, push
|
39
46
|
end
|
47
|
+
|
48
|
+
def get_pop_push pkt, pop, offset, macs, ether_type
|
49
|
+
if macs
|
50
|
+
pop+=14 #pop macs and weird two bytes (return macs in push)
|
51
|
+
push = pkt[8+offset..19+offset] + ether_type
|
52
|
+
[pop, push]
|
53
|
+
else
|
54
|
+
pop+=5
|
55
|
+
push = FAKE[:dmac] + FAKE[:smac] + ether_type
|
56
|
+
[pop, push]
|
57
|
+
end
|
58
|
+
end
|
59
|
+
|
60
|
+
module MAGIC
|
61
|
+
MPLS = [ 0x4220 ]
|
62
|
+
IPV4 = [ 0x2000 ]
|
63
|
+
# 4008, 8008, 8108 were ETH, MPLS, IPV4
|
64
|
+
# 9208 was ETH, IPv4, UDP, IPSEC/ESP
|
65
|
+
# 4108 was ETH, IPv4, UDP, BFD
|
66
|
+
# b080 was unknown just 9 bytes after header (c013c6752759644ae0)
|
67
|
+
NOPOP = [ 0x4008, 0x4108, 0x8008, 0x8108, 0x9208, 0xb080 ]
|
68
|
+
end
|
40
69
|
end
|
41
70
|
end
|
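Review bot: The new header decoding indexes `pkt` at fixed positions with no length check: `pkt[4+offset..5+offset].join` and `pkt[6+offset].to_i(16)` raise NoMethodError on nil when a packet has fewer than 7+offset elements, and in `get_pop_push` the slice `pkt[8+offset..19+offset]` yields fewer than 12 MAC elements (or nil) on a short frame, so the rebuilt packet is malformed rather than rejected. Because the input is captured text that can be truncated or hand-edited, guard before decoding, e.g. `raise Error, "short packet (#{pkt.size} elements)" if pkt.size <= 6 + offset` (using whichever of the gem's error classes fits), and require `pkt.size >= 20 + offset` before taking the MAC slice. Separately, the `else` branch reports an unknown type only when `@debug` is set, so by default an unrecognised header goes to `header_and_packet` with whatever `pop` and `push` held before the `case`; an unconditional `warn` or a counter would make that visible. The enclosing method starts above the hunk.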
data/lib/packet_via_dmem/sent.rb
CHANGED
data/packet_via_dmem.gemspec
CHANGED