func (b *Benchmark) decodePacket(pkt gopacket.Packet) (key *FiveTuple, payload []byte) { ipv4, ok := pkt.NetworkLayer().(*layers.IPv4) if !ok { return // Ignore packets that aren't IPv4 } if ipv4.FragOffset != 0 || (ipv4.Flags&layers.IPv4MoreFragments) != 0 { return // Ignore fragmented packets. } var stream FiveTuple stream.protocol = ipv4.Protocol stream.srcAddr = ipv4.SrcIP stream.dstAddr = ipv4.DstIP switch t := pkt.TransportLayer().(type) { case *layers.TCP: stream.srcPort = uint16(t.SrcPort) stream.dstPort = uint16(t.DstPort) return &stream, t.Payload case *layers.UDP: stream.srcPort = uint16(t.SrcPort) stream.dstPort = uint16(t.DstPort) return &stream, t.Payload } return }
// IsUdpPacket returns true if the packet is of UDP type func IsUdpPacket(packet gopacket.Packet) bool { if packet == nil { return false } if packet.NetworkLayer() == nil || packet.TransportLayer() == nil || packet.TransportLayer().LayerType() != layers.LayerTypeUDP { return false } return true }
func (p *processor) getFlow(pkt gopacket.Packet) gopacket.Flow { mu := moldudp64Layer(pkt) //p.flowBufSrc.Reset() //p.flowBufSrc.Write(pkt.NetworkLayer().NetworkFlow().Src().Raw()) //p.flowBufSrc.Write(pkt.TransportLayer().TransportFlow().Src().Raw()) //p.flowBufSrc.Write(mu.Flow().Src().Raw()) p.flowBufDst.Reset() p.flowBufDst.Write(pkt.NetworkLayer().NetworkFlow().Dst().Raw()) p.flowBufDst.Write(pkt.TransportLayer().TransportFlow().Dst().Raw()) p.flowBufDst.Write(mu.Flow().Dst().Raw()) return gopacket.NewFlow(packet.EndpointCombinedSession, p.flowBufSrc.Bytes(), p.flowBufDst.Bytes()) }
func SendPacket(packet gopacket.Packet, connectionWaitGroup *sync.WaitGroup, mongodHost string, mongodPort string) { // If packet contains a mongo message if packet.ApplicationLayer() != nil { payload := packet.ApplicationLayer().Payload() delta := GetPacketTime(packet).Sub(packetMinTimestamp) // Get timestamp's delta from first packet // Get mongo wire protocol payload mongoPacket := MongoPacket{ payload: payload, delta: delta, } transportLayer := packet.TransportLayer() networkLayer := packet.NetworkLayer() var srcIp string var srcPort string if networkLayer.LayerType() == layers.LayerTypeIPv4 { ip4header := networkLayer.LayerContents() // Convert binary to IP string srcIp = strconv.Itoa(int(ip4header[12])) + "." + strconv.Itoa(int(ip4header[13])) + "." + strconv.Itoa(int(ip4header[14])) + "." + strconv.Itoa(int(ip4header[15])) } if transportLayer.LayerType() == layers.LayerTypeTCP { tcpHeader := transportLayer.LayerContents() // Hack to be able to use convert what should be a uint16 to string tcpHeaderSrcPort := []byte{0, 0, tcpHeader[0], tcpHeader[1]} srcPort = strconv.Itoa(int(binary.BigEndian.Uint32(tcpHeaderSrcPort))) } src := srcIp + ":" + srcPort if mConnection, ok := mapHostConnection[src]; ok { mConnection.Send(mongoPacket) } else { connectionWaitGroup.Add(1) mConnection := NewMongoConnection(mongodHost, mongodPort, 100) mapHostConnection[src] = mConnection go mConnection.ExecuteConnection(connectionWaitGroup) mConnection.Send(mongoPacket) } } }
func onRecvPing(pkt gopacket.Packet, icmp *layers.ICMPv4, ci *gopacket.CaptureInfo) { payload := icmp.Payload if payload == nil || len(payload) <= 0 { return } sendStamp := binary.LittleEndian.Uint64(payload) if sendStamp < 1000000 { return } delay := ci.Timestamp.UnixNano() - int64(sendStamp) probeResult := &types.ProbeResult{} probeResult.Src = pkt.NetworkLayer().NetworkFlow().Dst().Raw() probeResult.Dest = pkt.NetworkLayer().NetworkFlow().Src().Raw() probeResult.Delay = int(delay / 1000) probeResult.Stamp = ci.Timestamp.Unix() probeResult.Type = types.ProbeTypePing db.InsertProbeResult(probeResult) }
// handle a network packet func handlePacket(p gopacket.Packet) { flow := p.NetworkLayer().NetworkFlow() // get the destination ip address dst := flow.Dst().String() // check if we need to count packets if !locals[dst] && !offenders[dst] { //log.Printf("%s -> %s", flow.Src(), flow.Dst()) bkt := getRateLimit(dst) tokens := bkt.TakeAvailable(1) // if all tokens are used, ban the ip address // because it's most likely trying to abuse our bandwidth if tokens == 0 { offenders[dst] = true log.Printf("Offender %s", dst) output, err := exec.Command("iptables", "-A", "INPUT", "-s", dst, "-j", "DROP").CombinedOutput() if err != nil { log.Printf("Failed banning IP: %s %s %s", dst, err.Error(), string(output)) } } } }
func originalSize(packet gopacket.Packet) int { return len(packet.NetworkLayer().LayerPayload()) + len(packet.NetworkLayer().LayerContents()) }
func handlePacket(handle *pcap.Handle, packet gopacket.Packet) { ethLayer := packet.LinkLayer() if ethLayer == nil { return } eth, ok := ethLayer.(*layers.Ethernet) if !ok { return } ipLayer := packet.NetworkLayer() if ipLayer == nil { return } ip, ok := ipLayer.(*layers.IPv4) if !ok { return } tcpLayer := packet.Layer(layers.LayerTypeTCP) if tcpLayer == nil { return } tcp, ok := tcpLayer.(*layers.TCP) if !ok { return } // 服务器回应 SYN 请求 if tcp.SYN == true && tcp.ACK == true { ttl := uint8(0) switch { case ip.TTL > 128: //Solaris/AIX ttl = 254 - ip.TTL case ip.TTL > 64: // windows ttl = 128 - ip.TTL default: // linux ttl = 64 - ip.TTL } switch { case ttl > 10: ttl -= 4 case ttl > 5: ttl -= 2 case ttl > 2: ttl -= 1 default: return } ack := tcp.Seq + uint32(len(tcp.Payload)) + 1 data := []byte{1, 2, 3, 4, 5, 6, 7, 8, 9} seq := tcp.Ack sendPacket(handle, eth.DstMAC, eth.SrcMAC, ip.DstIP, ip.SrcIP, tcp.DstPort, tcp.SrcPort, ip.Id+123, ttl, seq, ack, 258, data) seq += 2048 sendPacket(handle, eth.DstMAC, eth.SrcMAC, ip.DstIP, ip.SrcIP, tcp.DstPort, tcp.SrcPort, ip.Id+123, ttl, seq, ack, 258, nil) //go fmt.Printf("伪重置 %v:%v 的 tcp 连接。\r\n", ip.SrcIP, tcp.SrcPort) } }