func (b *Benchmark) decodePacket(pkt gopacket.Packet) (key *FiveTuple, payload []byte) {
ipv4, ok := pkt.NetworkLayer().(*layers.IPv4)
if !ok {
return // Ignore packets that aren't IPv4
}
if ipv4.FragOffset != 0 || (ipv4.Flags&layers.IPv4MoreFragments) != 0 {
return // Ignore fragmented packets.
}
var stream FiveTuple
stream.protocol = ipv4.Protocol
stream.srcAddr = ipv4.SrcIP
stream.dstAddr = ipv4.DstIP
switch t := pkt.TransportLayer().(type) {
case *layers.TCP:
stream.srcPort = uint16(t.SrcPort)
stream.dstPort = uint16(t.DstPort)
return &stream, t.Payload
case *layers.UDP:
stream.srcPort = uint16(t.SrcPort)
stream.dstPort = uint16(t.DstPort)
return &stream, t.Payload
}
return
}
// IsUdpPacket returns true if the packet is of UDP type
func IsUdpPacket(packet gopacket.Packet) bool {
if packet == nil {
return false
}
if packet.NetworkLayer() == nil || packet.TransportLayer() == nil || packet.TransportLayer().LayerType() != layers.LayerTypeUDP {
return false
}
return true
}
func (p *processor) getFlow(pkt gopacket.Packet) gopacket.Flow {
mu := moldudp64Layer(pkt)
//p.flowBufSrc.Reset()
//p.flowBufSrc.Write(pkt.NetworkLayer().NetworkFlow().Src().Raw())
//p.flowBufSrc.Write(pkt.TransportLayer().TransportFlow().Src().Raw())
//p.flowBufSrc.Write(mu.Flow().Src().Raw())
p.flowBufDst.Reset()
p.flowBufDst.Write(pkt.NetworkLayer().NetworkFlow().Dst().Raw())
p.flowBufDst.Write(pkt.TransportLayer().TransportFlow().Dst().Raw())
p.flowBufDst.Write(mu.Flow().Dst().Raw())
return gopacket.NewFlow(packet.EndpointCombinedSession, p.flowBufSrc.Bytes(), p.flowBufDst.Bytes())
}
func SendPacket(packet gopacket.Packet,
connectionWaitGroup *sync.WaitGroup,
mongodHost string,
mongodPort string) {
// If packet contains a mongo message
if packet.ApplicationLayer() != nil {
payload := packet.ApplicationLayer().Payload()
delta := GetPacketTime(packet).Sub(packetMinTimestamp)
// Get timestamp's delta from first packet
// Get mongo wire protocol payload
mongoPacket := MongoPacket{
payload: payload,
delta: delta,
}
transportLayer := packet.TransportLayer()
networkLayer := packet.NetworkLayer()
var srcIp string
var srcPort string
if networkLayer.LayerType() == layers.LayerTypeIPv4 {
ip4header := networkLayer.LayerContents()
// Convert binary to IP string
srcIp = strconv.Itoa(int(ip4header[12])) + "." +
strconv.Itoa(int(ip4header[13])) + "." +
strconv.Itoa(int(ip4header[14])) + "." +
strconv.Itoa(int(ip4header[15]))
}
if transportLayer.LayerType() == layers.LayerTypeTCP {
tcpHeader := transportLayer.LayerContents()
// Hack to be able to use convert what should be a uint16 to string
tcpHeaderSrcPort := []byte{0, 0, tcpHeader[0], tcpHeader[1]}
srcPort = strconv.Itoa(int(binary.BigEndian.Uint32(tcpHeaderSrcPort)))
}
src := srcIp + ":" + srcPort
if mConnection, ok := mapHostConnection[src]; ok {
mConnection.Send(mongoPacket)
} else {
connectionWaitGroup.Add(1)
mConnection := NewMongoConnection(mongodHost, mongodPort, 100)
mapHostConnection[src] = mConnection
go mConnection.ExecuteConnection(connectionWaitGroup)
mConnection.Send(mongoPacket)
}
}
}
func onRecvPing(pkt gopacket.Packet, icmp *layers.ICMPv4, ci *gopacket.CaptureInfo) {
payload := icmp.Payload
if payload == nil || len(payload) <= 0 {
return
}
sendStamp := binary.LittleEndian.Uint64(payload)
if sendStamp < 1000000 {
return
}
delay := ci.Timestamp.UnixNano() - int64(sendStamp)
probeResult := &types.ProbeResult{}
probeResult.Src = pkt.NetworkLayer().NetworkFlow().Dst().Raw()
probeResult.Dest = pkt.NetworkLayer().NetworkFlow().Src().Raw()
probeResult.Delay = int(delay / 1000)
probeResult.Stamp = ci.Timestamp.Unix()
probeResult.Type = types.ProbeTypePing
db.InsertProbeResult(probeResult)
}
// handle a network packet
func handlePacket(p gopacket.Packet) {
flow := p.NetworkLayer().NetworkFlow()
// get the destination ip address
dst := flow.Dst().String()
// check if we need to count packets
if !locals[dst] && !offenders[dst] {
//log.Printf("%s -> %s", flow.Src(), flow.Dst())
bkt := getRateLimit(dst)
tokens := bkt.TakeAvailable(1)
// if all tokens are used, ban the ip address
// because it's most likely trying to abuse our bandwidth
if tokens == 0 {
offenders[dst] = true
log.Printf("Offender %s", dst)
output, err := exec.Command("iptables", "-A", "INPUT", "-s", dst, "-j", "DROP").CombinedOutput()
if err != nil {
log.Printf("Failed banning IP: %s %s %s", dst, err.Error(), string(output))
}
}
}
}
func originalSize(packet gopacket.Packet) int {
return len(packet.NetworkLayer().LayerPayload()) + len(packet.NetworkLayer().LayerContents())
}
func handlePacket(handle *pcap.Handle, packet gopacket.Packet) {
ethLayer := packet.LinkLayer()
if ethLayer == nil {
return
}
eth, ok := ethLayer.(*layers.Ethernet)
if !ok {
return
}
ipLayer := packet.NetworkLayer()
if ipLayer == nil {
return
}
ip, ok := ipLayer.(*layers.IPv4)
if !ok {
return
}
tcpLayer := packet.Layer(layers.LayerTypeTCP)
if tcpLayer == nil {
return
}
tcp, ok := tcpLayer.(*layers.TCP)
if !ok {
return
}
// 服务器回应 SYN 请求
if tcp.SYN == true && tcp.ACK == true {
ttl := uint8(0)
switch {
case ip.TTL > 128:
//Solaris/AIX
ttl = 254 - ip.TTL
case ip.TTL > 64:
// windows
ttl = 128 - ip.TTL
default:
// linux
ttl = 64 - ip.TTL
}
switch {
case ttl > 10:
ttl -= 4
case ttl > 5:
ttl -= 2
case ttl > 2:
ttl -= 1
default:
return
}
ack := tcp.Seq + uint32(len(tcp.Payload)) + 1
data := []byte{1, 2, 3, 4, 5, 6, 7, 8, 9}
seq := tcp.Ack
sendPacket(handle, eth.DstMAC, eth.SrcMAC, ip.DstIP, ip.SrcIP, tcp.DstPort, tcp.SrcPort, ip.Id+123, ttl, seq, ack, 258, data)
seq += 2048
sendPacket(handle, eth.DstMAC, eth.SrcMAC, ip.DstIP, ip.SrcIP, tcp.DstPort, tcp.SrcPort, ip.Id+123, ttl, seq, ack, 258, nil)
//go fmt.Printf("伪重置 %v:%v 的 tcp 连接。\r\n", ip.SrcIP, tcp.SrcPort)
}
}
