Capturing and Analyzing Network Packets with gopacket

Summary

  • Packet Capturing Overview
  • What is Packet Capturing
  • How can it be used
  • What is libpcap
  • Debug Tools: tcpdump & WinPcap & snoop
  • What is BPF
  • What is gopacket

What is Packet Capturing

Packet capture is a computer networking term for intercepting a data packet that is crossing or moving over a specific computer network. Once a packet is captured, it is stored temporarily so that it can be analyzed. The packet is inspected to help diagnose and solve network problems and to determine whether network security policies are being followed.

Packet Capture Overview

How can it be used

  • Development: testing and validation, and reverse-engineering the API an app talks to.
  • Network administration: seeing what traffic goes on in the background and looking for malicious traffic on the network. Data capture is used to identify security flaws and breaches by determining the point of intrusion.
  • Troubleshooting: through data capture, troubleshooting detects the occurrence of undesired events on a network and helps solve them. If the network administrator has full access to a network resource, he can access it remotely and troubleshoot any issues.
  • Security: DEF CON's Wall of Sheep. Attackers can also use packet capture to steal data that is being transmitted over a network, such as credentials. When data is stolen, the network administrator can retrieve the stolen or lost information using data capture techniques.
  • Forensics: forensics for crime investigations. Whenever viruses, worms or other intrusions are detected on computers, the network administrator determines the extent of the problem. After initial analysis, she may block some segments and network traffic in order to preserve historical information and network data.


What is libpcap

libpcap flow involving data copy from kernel to user space.

// Compile with: gcc find_device.c -lpcap
#include <stdio.h>
#include <pcap.h>

int main(int argc, char **argv) {
    char *device;
    char error_buffer[PCAP_ERRBUF_SIZE];
    // Find a default device to capture on (pcap_lookupdev is deprecated
    // in newer libpcap releases; pcap_findalldevs is the replacement)
    device = pcap_lookupdev(error_buffer);
    if (device == NULL) {
        printf("Error finding device: %s\n", error_buffer);
        return 1;
    }

    printf("Network device found: %s\n", device);
    return 0;
}

// Compile with: gcc capture_one.c -lpcap
// Opening a device for live capture needs root (or CAP_NET_RAW) privileges.
#include <stdio.h>
#include <time.h>
#include <pcap.h>
#include <netinet/in.h>
#include <netinet/if_ether.h>

void print_packet_info(const u_char *packet, struct pcap_pkthdr packet_header);

int main(int argc, char *argv[]) {
    char *device;
    char error_buffer[PCAP_ERRBUF_SIZE];
    pcap_t *handle;
    const u_char *packet;
    struct pcap_pkthdr packet_header;
    int promiscuous = 1;       /* third argument of pcap_open_live: 1 = capture all frames, not only ours */
    int timeout_limit = 10000; /* read timeout, in milliseconds */

    device = pcap_lookupdev(error_buffer);
    if (device == NULL) {
        printf("Error finding device: %s\n", error_buffer);
        return 1;
    }

    /* Open device for live capture; BUFSIZ is the snapshot length (bytes kept per packet) */
    handle = pcap_open_live(
            device,
            BUFSIZ,
            promiscuous,
            timeout_limit,
            error_buffer
    );
    if (handle == NULL) {
        printf("Error opening device %s: %s\n", device, error_buffer);
        return 1;
    }

    /* Attempt to capture one packet. If there is no network traffic
       and the timeout is reached, it will return NULL */
    packet = pcap_next(handle, &packet_header);
    if (packet == NULL) {
        printf("No packet found.\n");
        pcap_close(handle);
        return 2;
    }

    /* Our function to output some info */
    print_packet_info(packet, packet_header);
    pcap_close(handle);
    return 0;
}

void print_packet_info(const u_char *packet, struct pcap_pkthdr packet_header) {
    /* caplen is what was actually captured (bounded by the snapshot length); len is the size on the wire */
    printf("Packet capture length: %u\n", packet_header.caplen);
    printf("Packet total length %u\n", packet_header.len);
}

Debug Tools

# Older versions of tcpdump truncate packets to 68 or 96 bytes.
# If this is the case, use -s to capture full-sized packets:
$ tcpdump -i <interface> -s 65535 -w <some-file>
# A packet capturing tool similar to tcpdump for Solaris
$ snoop -r -o arp11.snoop -q -d nxge0 -c 150000

tcpdump

tcpdump is a command-line packet sniffer. It lets the user intercept and display the TCP/IP and other packets sent or received over a network connection to the machine. It supports filtering by network layer, protocol, host, network or port, and provides and, or and not logical expressions to strip away irrelevant traffic, so the user can dig further toward the root cause of a problem. A BPF expression can be used to limit the number of packets tcpdump produces.

snoop

snoop uses both the network packet filter and streams buffer modules to provide efficient capture of packets from the network. Captured packets can be displayed as they are received, or saved to a file for later inspection.

Promiscuous mode

A capture tool needs the interface in promiscuous mode (which requires superuser privileges): a mode in which the machine's network card accepts every frame that passes it, whether or not the destination address is its own. In promiscuous mode the NIC captures all data arriving on the interface and hands it to the driver. It is normally used when analysing network traffic as a fault-diagnosis aid, but the same mode is also used by attackers as an entry point for eavesdropping on network data.

BPF

The Berkeley Packet Filter (BPF) is a data-link-layer interface on Unix-like systems that provides raw link-layer packet send and receive. BPF supports filtering, so that only the packets of interest are delivered to higher-level software; this avoids copying the other packets from the kernel to user space, lowers the CPU load and buffer space that capture needs, and therefore reduces the packet-loss rate. BPF's filtering is implemented as an interpreter for the machine language of the BPF virtual machine: a program in this language can fetch packet data, perform arithmetic on it, compare the result with constants, with data in the packet, or with test bits in the result, and accept or reject the packet depending on the outcome.

BPF Overview
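To make that "interpreter for the BPF virtual machine" concrete, here is an added example (not code from the original post, libpcap or gopacket): a minimal classic-BPF interpreter in Go that implements only the four instructions the filter `ip and tcp` needs, using the opcode encodings from libpcap's bpf.h; the 24-byte packet prefix in main is constructed, not captured.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const LdhAbs, LdbAbs, JeqK, RetK uint16 = 0x28, 0x30, 0x15, 0x06 // libpcap bpf.h opcodes: ldh [k], ldb [k], jeq #k, ret #k

type Insn struct{ Code uint16; Jt, Jf uint8; K uint32 } // one classic-BPF instruction: opcode, true/false jump offsets, immediate k

// Run interprets prog over pkt and returns how many bytes to keep; 0 drops the packet.
func Run(prog []Insn, pkt []byte) uint32 {
	var a uint32 // the accumulator
	for pc := 0; pc < len(prog); pc++ {
		in, k := prog[pc], int(prog[pc].K)
		switch {
		case in.Code == LdhAbs && k+2 <= len(pkt):
			a = uint32(binary.BigEndian.Uint16(pkt[k:]))
		case in.Code == LdbAbs && k < len(pkt):
			a = uint32(pkt[k])
		case in.Code == JeqK && a == in.K:
			pc += int(in.Jt) // taken branch; the loop's pc++ supplies the +1
		case in.Code == JeqK:
			pc += int(in.Jf)
		case in.Code == RetK:
			return in.K
		default: // a load past the end of the packet, or an opcode this toy lacks: drop, as the real filter does
			return 0
		}
	}
	return 0 // ran off the end; libpcap and the kernel reject such a program before attaching it
}

// IPTCP is "ip and tcp" in the shape `tcpdump -d` prints for it: EtherType at
// offset 12 must be 0x0800 and the IPv4 protocol byte at offset 23 must be 6.
var IPTCP = []Insn{
	{LdhAbs, 0, 0, 12},
	{JeqK, 0, 3, 0x0800},
	{LdbAbs, 0, 0, 23},
	{JeqK, 0, 1, 6},
	{RetK, 0, 0, 65535},
	{RetK, 0, 0, 0},
}

func main() {
	// Constructed 24-byte Ethernet+IPv4 prefix (not a capture): EtherType 0x0800, protocol byte 6.
	tcp := append(make([]byte, 12), 0x08, 0x00, 0x45, 0, 0, 0, 0, 0, 0, 0, 0, 6)
	fmt.Println(Run(IPTCP, tcp), Run(IPTCP, tcp[:20])) // 65535 0
}
```

The second call shows the rule the kernel filter also follows: a load beyond the end of the packet rejects it rather than reading past the buffer.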

Go Packet

Find Devices

package main

import (
	"fmt"
	"log"

	"github.com/google/gopacket/pcap"
)

func main() {
	fmt.Println("----------Find all devices---------\n ")

	devices, err := pcap.FindAllDevs()
	if err != nil {
		log.Fatal(err)
	}
	// Print device information: every address bound to each capture interface
	for _, device := range devices {
		for _, address := range device.Addresses {
			fmt.Println("- IP address: ", address.IP)
			fmt.Println("- Subnet mask: ", address.Netmask)
		}
	}
	/*- IP address:  45.33.110.101
	  - Subnet mask:  ffffff00
	  - IP address:  2600:3c01::f03c:91ff:fee5:45b6
	  - Subnet mask:  ffffffffffffffff0000000000000000
	  - IP address:  fe80::f03c:91ff:fee5:45b6
	  - Subnet mask:  ffffffffffffffff0000000000000000
	  - IP address:  127.0.0.1
	  - Subnet mask:  ff000000
	  - IP address:  ::1
	  - Subnet mask:  ffffffffffffffffffffffffffffffff
	*/
}

Decoding Packet Layers

Capture Packet Workflow

  • Getting a list of network devices
  • Capturing packets from a network device
  • Analyzing packet layers
  • Using Berkeley Packet Filters

package main

import (
	"log"
	"net"

	"github.com/google/gopacket"
	"github.com/google/gopacket/layers"
	"github.com/google/gopacket/pcap"
)

func main() {
	handle, err := pcap.OpenLive("eth0", 65536, true, pcap.BlockForever)
	if err != nil {
		log.Fatal(err)
	}
	defer handle.Close()

	// Create a new PacketSource that decodes each frame from the Ethernet layer upward
	src := gopacket.NewPacketSource(handle, layers.LayerTypeEthernet)
	// Packets returns a channel of decoded packets
	in := src.Packets()

	for {
		select {
		//case <-stop:
		//return
		case packet, ok := <-in:
			if !ok { // channel closed: the handle hit EOF or was closed
				return
			}
			// A frame is either ARP or IP, never both, so test each layer independently
			if arpLayer := packet.Layer(layers.LayerTypeARP); arpLayer != nil {
				arp := arpLayer.(*layers.ARP)
				if net.HardwareAddr(arp.SourceHwAddress).String() == "abc" {
					//Do something or don't
				}
			}
			if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
				tcp := tcpLayer.(*layers.TCP)
				log.Printf("TCP %d -> %d", tcp.SrcPort, tcp.DstPort)
				//.......
			}
		}
	}
}
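What `packet.Layer(...)` does for each layer, shown as an added standard-library example rather than gopacket's own code: walk a constructed Ethernet/IPv4/TCP frame header by header, honouring the IPv4 IHL and TCP data-offset fields so options cannot shift the next layer, and stop at the network layer when the packet is not TCP, which is the case where gopacket's `packet.Layer(layers.LayerTypeTCP)` returns nil. The `Layers` type and the sample frame are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)
// Layers is what a gopacket-style walk of Ethernet -> IPv4 -> TCP yields.
type Layers struct {
	SrcMAC, DstMAC, SrcIP, DstIP string
	SrcPort, DstPort             uint16
	Payload                      []byte
}

// Decode walks the frame one layer at a time; each header says where the next one begins.
func Decode(frame []byte) (*Layers, error) {
	if len(frame) < 34 || binary.BigEndian.Uint16(frame[12:14]) != 0x0800 { // EtherType must be IPv4
		return nil, fmt.Errorf("too short or not an IPv4 frame")
	}
	l := &Layers{DstMAC: net.HardwareAddr(frame[0:6]).String(), SrcMAC: net.HardwareAddr(frame[6:12]).String()}
	ip := frame[14:]
	ihl := int(ip[0]&0x0f) * 4 // IPv4 header length in bytes; options push it past 20
	if ihl < 20 || len(ip) < ihl {
		return nil, fmt.Errorf("bad IPv4 header length %d", ihl)
	}
	l.SrcIP, l.DstIP = net.IP(ip[12:16]).String(), net.IP(ip[16:20]).String()
	if ip[9] != 6 { // protocol is not TCP: stop here, like packet.Layer(LayerTypeTCP) returning nil
		return l, nil
	}
	tcp := ip[ihl:]
	if len(tcp) < 20 || int(tcp[12]>>4)*4 < 20 || len(tcp) < int(tcp[12]>>4)*4 { // data offset is in 32-bit words
		return nil, fmt.Errorf("truncated TCP header or bad data offset")
	}
	l.SrcPort, l.DstPort = binary.BigEndian.Uint16(tcp[0:2]), binary.BigEndian.Uint16(tcp[2:4])
	l.Payload = tcp[int(tcp[12]>>4)*4:] // everything after the TCP header and its options
	return l, nil
}

// SampleFrame is a constructed TCP SYN 192.168.1.10:4321 -> 192.168.1.1:80 (not a real capture).
func SampleFrame() []byte {
	return []byte{
		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0x08, 0x00, // Ethernet, EtherType IPv4
		0x45, 0x00, 0x00, 0x2a, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0xf7, 0x73, 192, 168, 1, 10, 192, 168, 1, 1, // IPv4, protocol 6
		0x10, 0xe1, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0, 'h', 'i', // TCP SYN + "hi"
	}
}

func main() {
	fmt.Println(Decode(SampleFrame())) // prints the decoded layers and a nil error
}
```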

Creating and Sending Packets

package main

import (
    "log"
    "net"
    "time"

    "github.com/google/gopacket"
    "github.com/google/gopacket/layers"
    "github.com/google/gopacket/pcap"
)

var (
    device       string = "eth0"
    snapshot_len int32  = 1024
    promiscuous  bool   = false
    err          error
    timeout      time.Duration = 30 * time.Second
    handle       *pcap.Handle
    buffer       gopacket.SerializeBuffer
    options      gopacket.SerializeOptions
)

func main() {
    // Open device
    handle, err = pcap.OpenLive(device, snapshot_len, promiscuous, timeout)
    if err != nil {
        log.Fatal(err)
    }
    defer handle.Close()

    // Send raw bytes over wire
    rawBytes := []byte{10, 20, 30}
    err = handle.WritePacketData(rawBytes)
    if err != nil {
        log.Fatal(err)
    }

    // Create a properly formed packet, just with
    // empty details. Should fill out MAC addresses,
    // IP addresses, etc.
    buffer = gopacket.NewSerializeBuffer()
    err = gopacket.SerializeLayers(buffer, options,
        &layers.Ethernet{},
        &layers.IPv4{},
        &layers.TCP{},
        gopacket.Payload(rawBytes),
    )
    if err != nil {
        // An IPv4 layer with no addresses may be refused by newer gopacket
        // releases; report it and carry on to the filled-in version below.
        log.Println("empty layers:", err)
    }
    outgoingPacket := buffer.Bytes()
    // Send our packet
    err = handle.WritePacketData(outgoingPacket)
    if err != nil {
        log.Fatal(err)
    }

    // This time lets fill out some information. Each layer must name the
    // one above it (EthernetType, Protocol) or a receiver cannot decode it.
    ipLayer := &layers.IPv4{
        Version:  4,
        TTL:      64,
        Protocol: layers.IPProtocolTCP,
        SrcIP:    net.IP{127, 0, 0, 1},
        DstIP:    net.IP{8, 8, 8, 8},
    }
    ethernetLayer := &layers.Ethernet{
        SrcMAC:       net.HardwareAddr{0xFF, 0xAA, 0xFA, 0xAA, 0xFF, 0xAA},
        DstMAC:       net.HardwareAddr{0xBD, 0xBD, 0xBD, 0xBD, 0xBD, 0xBD},
        EthernetType: layers.EthernetTypeIPv4,
    }
    tcpLayer := &layers.TCP{
        SrcPort: layers.TCPPort(4321),
        DstPort: layers.TCPPort(80),
    }
    // The TCP checksum covers an IP pseudo-header, so the TCP layer has to
    // know which network layer it sits on before checksums can be computed.
    if err = tcpLayer.SetNetworkLayerForChecksum(ipLayer); err != nil {
        log.Fatal(err)
    }
    // FixLengths fills in the IPv4 total length and TCP data offset;
    // ComputeChecksums fills in the IPv4 header and TCP checksums.
    options = gopacket.SerializeOptions{FixLengths: true, ComputeChecksums: true}
    // And create the packet with the layers
    buffer = gopacket.NewSerializeBuffer()
    err = gopacket.SerializeLayers(buffer, options,
        ethernetLayer,
        ipLayer,
        tcpLayer,
        gopacket.Payload(rawBytes),
    )
    if err != nil {
        log.Fatal(err)
    }
    outgoingPacket = buffer.Bytes()
    // Send the filled-in packet
    err = handle.WritePacketData(outgoingPacket)
    if err != nil {
        log.Fatal(err)
    }
}

Application

Series: Network Engineering

Original work. Published on Cloud+ Community (云+社区) with the author's authorization; reproduction without permission is prohibited.
