pcapgo

package
v1.1.15
Warning

This package is not in the latest version of its module.

Published: Sep 20, 2018 License: BSD-3-Clause Imports: 12 Imported by: 0

Documentation

Overview

Package pcapgo provides some native PCAP support, not requiring C libpcap to be installed.

Example (CaptureEthernet)
package main

import (
	"log"
	"os"

	"github.com/google/gopacket"
	"github.com/google/gopacket/layers"
	"github.com/google/gopacket/pcapgo"
)

func main() {
	f, err := os.Create("/tmp/lo.pcap")
	if err != nil {
		log.Fatal(err)
	}
	defer f.Close()
	pcapw := pcapgo.NewWriter(f)
	if err := pcapw.WriteFileHeader(1600, layers.LinkTypeEthernet); err != nil {
		log.Fatalf("WriteFileHeader: %v", err)
	}

	handle, err := pcapgo.NewEthernetHandle("lo")
	if err != nil {
		log.Fatalf("OpenEthernet: %v", err)
	}

	pkgsrc := gopacket.NewPacketSource(handle, layers.LayerTypeEthernet)
	for packet := range pkgsrc.Packets() {
		if err := pcapw.WritePacket(packet.Metadata().CaptureInfo, packet.Data()); err != nil {
			log.Fatalf("pcap.WritePacket(): %v", err)
		}
	}
}

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type EthernetHandle added in v1.1.15

type EthernetHandle struct {
	*raw.Conn
}

EthernetHandle wraps a raw.Conn, implementing gopacket.PacketDataSource so that the handle can be used with gopacket.NewPacketSource.

func NewEthernetHandle added in v1.1.15

func NewEthernetHandle(ifname string) (*EthernetHandle, error)

NewEthernetHandle implements pcap.OpenLive for ethernet interfaces only.

func (*EthernetHandle) ReadPacketData added in v1.1.15

func (h *EthernetHandle) ReadPacketData() ([]byte, gopacket.CaptureInfo, error)

ReadPacketData implements gopacket.PacketDataSource.

type Reader added in v1.1.10

type Reader struct {
	// contains filtered or unexported fields
}

Reader wraps an underlying io.Reader to read packet data in PCAP format. See http://wiki.wireshark.org/Development/LibpcapFileFormat for information on the file format.

We currently read the v2.4 file format with nanosecond and microsecond timestamp resolution, in little-endian and big-endian encoding.

If the PCAP data is gzip compressed it is transparently uncompressed by wrapping the given io.Reader with a gzip.Reader.

func NewReader added in v1.1.10

func NewReader(r io.Reader) (*Reader, error)

NewReader returns a new reader object, for reading packet data from the given reader. The reader must be open, and header data is read from it at this point. If the file format is not supported, an error is returned.

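f, err := os.Open("/tmp/file.pcap")
if err != nil {
	log.Fatal(err)
}
defer f.Close()
r, err := pcapgo.NewReader(f) // create new reader; the file header is read here
if err != nil {
	log.Fatal(err)
}
data, ci, err := r.ReadPacketData()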

func (*Reader) LinkType added in v1.1.10

func (r *Reader) LinkType() layers.LinkType

LinkType returns the network field of the file header, as a layers.LinkType.

func (*Reader) ReadPacketData added in v1.1.10

func (r *Reader) ReadPacketData() (data []byte, ci gopacket.CaptureInfo, err error)

ReadPacketData reads next packet from file.

func (*Reader) SetSnaplen added in v1.1.15

func (r *Reader) SetSnaplen(newSnaplen uint32)

SetSnaplen sets the snapshot length of the capture file.

This is useful when a pcap file contains packets bigger than the snaplen. Pcapgo returns an error when it reads a packet bigger than the snaplen, discards that packet, and then reads the next 16 bytes as a packet header. Those bytes are actually part of the "faulty" packet's payload, so the header parsed from them is probably faulty as well. This can lead to a lot of faulty reads.

The SetSnaplen function can be used to set a bigger snaplen to prevent those read errors.

This snaplen situation can happen when a pcap writer doesn't truncate packets to the snaplen size while writing packets to file. For example, in Python, dpkt.pcap.Writer sets snaplen to 1500 by default (https://dpkt.readthedocs.io/en/latest/api/api_auto.html#dpkt.pcap.Writer) but doesn't enforce this when writing packets (https://dpkt.readthedocs.io/en/latest/_modules/dpkt/pcap.html#Writer.writepkt). When reading, tools like tcpdump, tcpslice, mergecap and Wireshark ignore the snaplen in the file and use their own defined snaplen. For example, when reading packets, tcpdump defines MAXIMUM_SNAPLEN (https://github.com/the-tcpdump-group/tcpdump/blob/6e80fcdbe9c41366df3fa244ffe4ac8cce2ab597/netdissect.h#L290) and uses it (https://github.com/the-tcpdump-group/tcpdump/blob/66384fa15b04b47ad08c063d4728df3b9c1c0677/print.c#L343-L358).
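
An added example, not part of pcapgo or its documentation: a standard-library-only pre-check that walks a classic pcap image and reports the snaplen declared in the file header next to the largest record actually stored, so a mismatch like the dpkt case above is visible before reading. ScanSnaplen and buildSample are hypothetical names, and the sample capture is constructed in memory.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// ScanSnaplen walks a classic pcap image and returns the snaplen declared in
// the file header and the largest captured length actually stored in a record.
func ScanSnaplen(p []byte) (declared, largest uint32, err error) {
	if len(p) < 24 {
		return 0, 0, fmt.Errorf("short file header: %d bytes", len(p))
	}
	bo := binary.ByteOrder(binary.LittleEndian)
	if m := bo.Uint32(p[:4]); m == 0xd4c3b2a1 || m == 0x4d3cb2a1 {
		bo = binary.BigEndian // magic was written big-endian
	} else if m != 0xa1b2c3d4 && m != 0xa1b23c4d { // microsecond, nanosecond
		return 0, 0, fmt.Errorf("not a pcap file: magic %#x", m)
	}
	declared = bo.Uint32(p[16:20])
	for p = p[24:]; len(p) > 0; {
		// Never trust the length field: it must fit in the remaining data.
		if len(p) < 16 || uint64(bo.Uint32(p[8:12])) > uint64(len(p)-16) {
			return declared, largest, fmt.Errorf("truncated or corrupt record")
		}
		n := bo.Uint32(p[8:12])
		if n > largest {
			largest = n
		}
		p = p[16+n:]
	}
	return declared, largest, nil
}

// buildSample constructs a little-endian pcap whose writer did not truncate
// records to snaplen (constructed test data, zero-filled payloads).
func buildSample(snaplen uint32, sizes ...uint32) []byte {
	b := new(bytes.Buffer)
	binary.Write(b, binary.LittleEndian, []uint32{0xa1b2c3d4, 0x00040002, 0, 0, snaplen, 1})
	for _, n := range sizes {
		binary.Write(b, binary.LittleEndian, []uint32{0, 0, n, n})
		b.Write(make([]byte, n))
	}
	return b.Bytes()
}

func main() {
	fmt.Println(ScanSnaplen(buildSample(1500, 60, 2000))) // 1500 2000 <nil>
}
```

When the largest stored length exceeds the declared snaplen, passing that larger value to SetSnaplen before the first ReadPacketData call avoids the misaligned header reads described above.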


func (*Reader) Snaplen added in v1.1.14

func (r *Reader) Snaplen() uint32

Snaplen returns the snapshot length of the capture file.

func (*Reader) String added in v1.1.10

func (r *Reader) String() string

String formats the Reader as a string.

type Writer

type Writer struct {
	// contains filtered or unexported fields
}

Writer wraps an underlying io.Writer to write packet data in PCAP format. See http://wiki.wireshark.org/Development/LibpcapFileFormat for information on the file format.

For those that care, we currently write v2.4 files with nanosecond timestamp resolution and little-endian encoding.

func NewWriter

func NewWriter(w io.Writer) *Writer

NewWriter returns a new writer object, for writing packet data out to the given writer. If this is a new empty writer (as opposed to an append), you must call WriteFileHeader before WritePacket.

// Write a new file:
f, _ := os.Create("/tmp/file.pcap")
w := pcapgo.NewWriter(f)
w.WriteFileHeader(65536, layers.LinkTypeEthernet)  // new file, must do this.
w.WritePacket(gopacket.CaptureInfo{...}, data1)
f.Close()
// Append to existing file (must have same snaplen and linktype).
// O_APPEND alone opens the file read-only, so O_WRONLY is required for the writes to succeed.
f2, _ := os.OpenFile("/tmp/file.pcap", os.O_APPEND|os.O_WRONLY, 0700)
w2 := pcapgo.NewWriter(f2)
// no need for file header, it's already written.
w2.WritePacket(gopacket.CaptureInfo{...}, data2)
f2.Close()

func (*Writer) WriteFileHeader

func (w *Writer) WriteFileHeader(snaplen uint32, linktype layers.LinkType) error

WriteFileHeader writes a file header out to the writer. This must be called exactly once per output.

func (*Writer) WritePacket

func (w *Writer) WritePacket(ci gopacket.CaptureInfo, data []byte) error

WritePacket writes the given packet data out to the file.
