From 09c8a7438f893e481d9a1c583e09c583a22b67c8 Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Fri, 12 Jun 2020 23:17:52 +0200 Subject: [PATCH] modularized linktypes, transport layer generic function call possible --- src/main.rs | 2 +- src/parser.json | 2 +- src/parser/mod.rs | 126 +++++++++++++++++------------------ src/parser/packet_handler.rs | 8 +-- 4 files changed, 66 insertions(+), 72 deletions(-) diff --git a/src/main.rs b/src/main.rs index d72cd36..809755f 100644 --- a/src/main.rs +++ b/src/main.rs @@ -59,7 +59,7 @@ async fn main() -> Result<(), Error> { false => for (_pcap_file, _pcap_info) in pcap_map.iter() { println!("{:?}",&_pcap_file); // TODO: Tuning vector capacity according to mean average & std dev of packet size - let v: Vec = parser::parse(&_pcap_file, &config.filter, &config.regex_filter, _pcap_info.encapsulation_type); + let v: Vec = parser::parse(&_pcap_file, &config.filter, &config.regex_filter); //let mut v = Vec::::with_capacity(35536); //v.extend(parser::parse(&_pcap_file, &config.filter)); diff --git a/src/parser.json b/src/parser.json index 75461fa..2d0148c 100644 --- a/src/parser.json +++ b/src/parser.json @@ -1,6 +1,6 @@ { "insert_max": 20000, - "filter": "ip6 && tcp ", + "filter": "ip6 && tcp", "regex_filter": "(?:http|https)[[::punct::]]//([[::word::]]+\\.)*", "from_device": false, "parse_device": "enp7s0", diff --git a/src/parser/mod.rs b/src/parser/mod.rs index 648b3cc..276f8ee 100644 --- a/src/parser/mod.rs +++ b/src/parser/mod.rs @@ -5,6 +5,7 @@ mod packet_handler; use pcap::{Capture, Linktype}; use regex::bytes::Regex; use std::str; +use std::convert::TryInto; //use std::thread::{spawn, JoinHandle}; //use std::sync::mpsc::{channel, Receiver}; @@ -22,6 +23,7 @@ const ETH_P_RARP: usize = 0x3580; On the one hand, only the actual type of frame/packet/segment would be contained in the resulting struct. So, increased benefit in serialization/cpu time, could result in less data to be serialized, depending on layout. On the other hand, each datagram::type needs to implement traits which would need to be dynamically dispatched by returning any of these types per iso level from a single function each. The result would be a performance decrease. + See: https://doc.rust-lang.org/book/ch10-02-traits.html#returning-types-that-implement-traits See: https://doc.rust-lang.org/book/ch17-02-trait-objects.html#trait-objects-perform-dynamic-dispatch Then again, parser logic would be fewer lines + more unified using the latter method. Maybe better optimizable as well? Maybe this is a nice tradeoff? TODO: Implement and benchmark dynamically dispatched packet data in conjunction with restructured QryData. @@ -56,6 +58,7 @@ fn init_qrydata( ) -> Result { } +#[allow(dead_code)] enum EncapsulationType { // pcap::Linktype::get_name() is unsafe. EN10MB = 1, // See: https://docs.rs/pcap/0.7.0/src/pcap/lib.rs.html#247-261 RAW = 101, // Would this be an issue? @@ -64,57 +67,21 @@ enum EncapsulationType { // pcap::Linktype::get_name() is unsafe. impl QryData { // This is not cool! // This will get modularized into subfunctions - fn encap_ether( packet_data: &[u8] ) -> Option { + fn encap_en10mb( packet_data: &[u8] ) -> Option { let mut pkg: QryData = init_qrydata().unwrap(); pkg.ether_header = Some(packet_handler::ethernet_handler(packet_data)).unwrap(); match pkg.ether_header.unwrap().ether_type as usize { ETH_P_IP => { pkg.ipv4_header = Some(packet_handler::ip_handler(packet_data)).unwrap(); - match pkg.ipv4_header.unwrap().ip_protocol as usize { - TCP => { - pkg.tcp_header = Some(packet_handler::tcp_handler( - pkg.ipv4_header.unwrap().ip_ihl, - packet_data, - )) - .unwrap(); - pkg.data = Some(packet_handler::payload_handler( - pkg.ipv4_header.unwrap().ip_ihl, - pkg.tcp_header.unwrap().data_offset, - packet_data, - )).unwrap(); - } - UDP => { - pkg.udp_header = Some(packet_handler::udp_handler( - pkg.ipv4_header.unwrap().ip_ihl, - packet_data, - )) - .unwrap(); - pkg.data = Some(packet_handler::payload_handler( - pkg.ipv4_header.unwrap().ip_ihl, - 7, - packet_data, - )).unwrap(); - } - _ => println!("Transport layer protocol not implemented"), - } + let protocol_type = pkg.ipv4_header.unwrap().ip_protocol.clone() as usize; + let l3_header_length = pkg.ipv4_header.unwrap().ip_ihl; + pkg.transport_layer(packet_data, protocol_type, l3_header_length).unwrap(); } ETH_P_IPV6 => { pkg.ipv6_header = Some(packet_handler::ipv6_handler(packet_data)).unwrap(); - match pkg.ipv6_header.unwrap().next_header as usize { - TCP => { - pkg.tcp_header = Some(packet_handler::tcp_handler(10, packet_data)).unwrap(); - pkg.data = Some(packet_handler::payload_handler( - 10, - pkg.tcp_header.unwrap().data_offset, - packet_data, - )).unwrap(); - } - UDP => { - pkg.udp_header = Some(packet_handler::udp_handler(10, packet_data)).unwrap(); - pkg.data = Some(packet_handler::payload_handler(10, 7, packet_data)).unwrap(); - } - _ => println!("Transport layer protocol not implemented"), - } + let protocol_type = pkg.ipv6_header.unwrap().next_header.clone() as usize; + pkg.transport_layer(packet_data, protocol_type, 10).unwrap(); + } ETH_P_ARP | ETH_P_RARP => { pkg.arp_header = Some(packet_handler::arp_handler(packet_data)).unwrap(); @@ -124,41 +91,66 @@ impl QryData { Some(pkg) } - fn encap_rawip ( packet_data: &[u8] ) -> Option { + fn encap_raw ( packet_data: &[u8] ) -> Option { let mut pkg: QryData = init_qrydata().unwrap(); - pkg.ipv4_header = Some(packet_handler::ip_handler(packet_data)).unwrap(); - match pkg.ipv4_header.unwrap().ip_protocol as usize { + let ip_version: usize = ((packet_data[0] & 0xf0) >> 4).try_into().unwrap(); + match ip_version { + 4 => { + pkg.ipv4_header = Some(packet_handler::ip_handler(packet_data)).unwrap(); + let protocol_type = pkg.ipv4_header.unwrap().ip_protocol.clone() as usize; + let l3_header_length = pkg.ipv4_header.unwrap().ip_ihl; + pkg.transport_layer(packet_data, protocol_type, l3_header_length).unwrap(); + } + 6 => { + pkg.ipv6_header = Some(packet_handler::ipv6_handler(packet_data)).unwrap(); + let protocol_type = pkg.ipv6_header.unwrap().next_header.clone() as usize; + pkg.transport_layer(packet_data, protocol_type, 10).unwrap(); + } + _ => println!("Network Protocol not implemented") + } + Some(pkg) + } + + // TODO: impl correct Err type and use in Result + fn transport_layer (&mut self, packet_data: &[u8], protocol_type: usize, l3_header_length: u32) -> Result<(), core::fmt::Error> { + match protocol_type { TCP => { - pkg.tcp_header = Some(packet_handler::tcp_handler( - pkg.ipv4_header.unwrap().ip_ihl, + + self.tcp_header = Some(packet_handler::tcp_handler( + l3_header_length, packet_data, + )) .unwrap(); - pkg.data = Some(packet_handler::payload_handler( - pkg.ipv4_header.unwrap().ip_ihl, - pkg.tcp_header.unwrap().data_offset, + self.data = Some(packet_handler::payload_handler( + l3_header_length, + self.tcp_header.unwrap().data_offset, packet_data, )).unwrap(); } - UDP => { - pkg.udp_header = Some(packet_handler::udp_handler( - pkg.ipv4_header.unwrap().ip_ihl, + UDP => { + + self.udp_header = Some(packet_handler::udp_handler( + l3_header_length, packet_data, )) .unwrap(); - pkg.data = Some(packet_handler::payload_handler( - pkg.ipv4_header.unwrap().ip_ihl, + self.data = Some(packet_handler::payload_handler( + l3_header_length, 7, packet_data, )).unwrap(); } - _ => println!("Transport layer protocol not implemented"), - - } - Some(pkg) + _ => println!("Transport layer protocol not implemented"), + } + Ok(()) } + + } + + /* Regex parse _complete_ package */ fn flag_carnage(re: &Regex, payload: &[u8]) -> Option { let mut flags: String = String::new(); @@ -175,19 +167,21 @@ fn flag_carnage(re: &Regex, payload: &[u8]) -> Option { } } -pub fn parse(parse_file: &std::path::Path, filter_str: &str, regex_filter: &str, encap: u16) -> Vec { +pub fn parse(parse_file: &std::path::Path, filter_str: &str, regex_filter: &str) -> Vec { let mut me: QryData = init_qrydata().unwrap(); let mut v: Vec = Vec::new(); let mut cap = Capture::from_file(parse_file).unwrap(); Capture::filter(&mut cap, &filter_str).unwrap(); + let linktype = cap.get_datalink(); + println!("{:?}", &linktype); let re = Regex::new(regex_filter).unwrap(); while let Ok(packet) = cap.next() { - match encap { + match linktype { // Syntax is clunky, but no num_derive + num_traits dependencies. - encap if encap == EncapsulationType::EN10MB as u16 => me = QryData::encap_ether(packet.data).unwrap(), - encap if encap == EncapsulationType::RAW as u16 => me = QryData::encap_rawip(packet.data).unwrap(), + Linktype(1) => me = QryData::encap_en10mb(packet.data).unwrap(), // EN10MB + Linktype(101) => me = QryData::encap_raw(packet.data).unwrap(), // RAW _ => (), }; @@ -210,8 +204,8 @@ pub fn parse_device(parse_device: &str, filter_str: &str, insert_max: &usize, re let re = Regex::new(regex_filter).unwrap(); 'parse: while let Ok(packet) = cap.next() { match linktype { - Linktype(1) => me = QryData::encap_ether(packet.data).unwrap(), - Linktype(101) => me = QryData::encap_rawip(packet.data).unwrap(), + Linktype(1) => me = QryData::encap_en10mb(packet.data).unwrap(), + Linktype(101) => me = QryData::encap_raw(packet.data).unwrap(), _ => (), } diff --git a/src/parser/packet_handler.rs b/src/parser/packet_handler.rs index b721b06..46b884a 100644 --- a/src/parser/packet_handler.rs +++ b/src/parser/packet_handler.rs @@ -29,8 +29,8 @@ pub fn ethernet_handler(packet_data: &[u8]) -> Option { let mut _ether_shost: [u8; ETH_ALEN] = [0; ETH_ALEN]; let mut _ether_type: u16 = 0; - _ether_dhost.clone_from_slice(&packet_data[0..ETH_ALEN]); - _ether_shost.clone_from_slice(&packet_data[ETH_ALEN..ETH_ALEN * 2]); + _ether_dhost.copy_from_slice(&packet_data[0..ETH_ALEN]); + _ether_shost.copy_from_slice(&packet_data[ETH_ALEN..ETH_ALEN * 2]); _ether_type = LittleEndian::read_u16(&packet_data[ETH_ALEN * 2..(ETH_ALEN * 2) + ETH_TLEN]); Some(EtherHeader { @@ -239,8 +239,8 @@ pub fn arp_handler(packet_data: &[u8]) -> Option { let mut _sha: [u8; 6] = [0; 6]; let mut _tha: [u8; 6] = [0; 6]; - _sha.clone_from_slice(&raw_hdr[8..14]); - _tha.clone_from_slice(&raw_hdr[18..24]); + _sha.copy_from_slice(&raw_hdr[8..14]); + _tha.copy_from_slice(&raw_hdr[18..24]); Some(ArpHeader{ htype: BigEndian::read_u16(&raw_hdr[0..2]),