stefan
/
tpcpr
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

modularized linktypes, transport layer generic function call possible

This commit is contained in:
gurkenhabicht 2020-06-12 23:17:52 +02:00
parent faddf64307
commit 09c8a7438f
4 changed files with 66 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/main.rs
View File

@ -59,7 +59,7 @@ async fn main() -> Result<(), Error> {
false => for (_pcap_file, _pcap_info) in pcap_map.iter() {
println!("{:?}",&_pcap_file);
// TODO: Tuning vector capacity according to mean average & std dev of packet size
let v: Vec<parser::QryData> = parser::parse(&_pcap_file, &config.filter, &config.regex_filter, _pcap_info.encapsulation_type);
let v: Vec<parser::QryData> = parser::parse(&_pcap_file, &config.filter, &config.regex_filter);
//let mut v = Vec::<parser::QryData>::with_capacity(35536);
//v.extend(parser::parse(&_pcap_file, &config.filter));

2
src/parser.json
View File

@ -1,6 +1,6 @@
{
"insert_max": 20000,
"filter": "ip6 && tcp ",
"filter": "ip6 && tcp",
"regex_filter": "(?:http|https)[[::punct::]]//([[::word::]]+\\.)*",
"from_device": false,
"parse_device": "enp7s0",

120
src/parser/mod.rs
View File

@ -5,6 +5,7 @@ mod packet_handler;
use pcap::{Capture, Linktype};
use regex::bytes::Regex;
use std::str;
use std::convert::TryInto;
//use std::thread::{spawn, JoinHandle};
//use std::sync::mpsc::{channel, Receiver};
@ -22,6 +23,7 @@ const ETH_P_RARP: usize = 0x3580;
On the one hand, only the actual type of frame/packet/segment would be contained in the resulting struct.
So, increased benefit in serialization/cpu time, could result in less data to be serialized, depending on layout.
On the other hand, each datagram::type needs to implement traits which would need to be dynamically dispatched by returning any of these types per iso level from a single function each. The result would be a performance decrease.
See: https://doc.rust-lang.org/book/ch10-02-traits.html#returning-types-that-implement-traits
See: https://doc.rust-lang.org/book/ch17-02-trait-objects.html#trait-objects-perform-dynamic-dispatch
Then again, parser logic would be fewer lines + more unified using the latter method. Maybe better optimizable as well? Maybe this is a nice tradeoff?
TODO: Implement and benchmark dynamically dispatched packet data in conjunction with restructured QryData.
@ -56,6 +58,7 @@ fn init_qrydata( ) -> Result<QryData, core::fmt::Error> {
}
#[allow(dead_code)]
enum EncapsulationType { // pcap::Linktype::get_name() is unsafe.
EN10MB = 1, // See: https://docs.rs/pcap/0.7.0/src/pcap/lib.rs.html#247-261
RAW = 101, // Would this be an issue?
@ -64,57 +67,21 @@ enum EncapsulationType { // pcap::Linktype::get_name() is unsafe.
impl QryData {
// This is not cool!
// This will get modularized into subfunctions
fn encap_ether( packet_data: &[u8] ) -> Option<QryData> {
fn encap_en10mb( packet_data: &[u8] ) -> Option<QryData> {
let mut pkg: QryData = init_qrydata().unwrap();
pkg.ether_header = Some(packet_handler::ethernet_handler(packet_data)).unwrap();
match pkg.ether_header.unwrap().ether_type as usize {
ETH_P_IP => {
pkg.ipv4_header = Some(packet_handler::ip_handler(packet_data)).unwrap();
match pkg.ipv4_header.unwrap().ip_protocol as usize {
TCP => {
pkg.tcp_header = Some(packet_handler::tcp_handler(
pkg.ipv4_header.unwrap().ip_ihl,
packet_data,
))
.unwrap();
pkg.data = Some(packet_handler::payload_handler(
pkg.ipv4_header.unwrap().ip_ihl,
pkg.tcp_header.unwrap().data_offset,
packet_data,
)).unwrap();
}
UDP => {
pkg.udp_header = Some(packet_handler::udp_handler(
pkg.ipv4_header.unwrap().ip_ihl,
packet_data,
))
.unwrap();
pkg.data = Some(packet_handler::payload_handler(
pkg.ipv4_header.unwrap().ip_ihl,
7,
packet_data,
)).unwrap();
}
_ => println!("Transport layer protocol not implemented"),
}
let protocol_type = pkg.ipv4_header.unwrap().ip_protocol.clone() as usize;
let l3_header_length = pkg.ipv4_header.unwrap().ip_ihl;
pkg.transport_layer(packet_data, protocol_type, l3_header_length).unwrap();
}
ETH_P_IPV6 => {
pkg.ipv6_header = Some(packet_handler::ipv6_handler(packet_data)).unwrap();
match pkg.ipv6_header.unwrap().next_header as usize {
TCP => {
pkg.tcp_header = Some(packet_handler::tcp_handler(10, packet_data)).unwrap();
pkg.data = Some(packet_handler::payload_handler(
10,
pkg.tcp_header.unwrap().data_offset,
packet_data,
)).unwrap();
}
UDP => {
pkg.udp_header = Some(packet_handler::udp_handler(10, packet_data)).unwrap();
pkg.data = Some(packet_handler::payload_handler(10, 7, packet_data)).unwrap();
}
_ => println!("Transport layer protocol not implemented"),
}
let protocol_type = pkg.ipv6_header.unwrap().next_header.clone() as usize;
pkg.transport_layer(packet_data, protocol_type, 10).unwrap();
}
ETH_P_ARP | ETH_P_RARP => {
pkg.arp_header = Some(packet_handler::arp_handler(packet_data)).unwrap();
@ -124,41 +91,66 @@ impl QryData {
Some(pkg)
}
fn encap_rawip ( packet_data: &[u8] ) -> Option<QryData> {
fn encap_raw ( packet_data: &[u8] ) -> Option<QryData> {
let mut pkg: QryData = init_qrydata().unwrap();
let ip_version: usize = ((packet_data[0] & 0xf0) >> 4).try_into().unwrap();
match ip_version {
4 => {
pkg.ipv4_header = Some(packet_handler::ip_handler(packet_data)).unwrap();
match pkg.ipv4_header.unwrap().ip_protocol as usize {
let protocol_type = pkg.ipv4_header.unwrap().ip_protocol.clone() as usize;
let l3_header_length = pkg.ipv4_header.unwrap().ip_ihl;
pkg.transport_layer(packet_data, protocol_type, l3_header_length).unwrap();
}
6 => {
pkg.ipv6_header = Some(packet_handler::ipv6_handler(packet_data)).unwrap();
let protocol_type = pkg.ipv6_header.unwrap().next_header.clone() as usize;
pkg.transport_layer(packet_data, protocol_type, 10).unwrap();
}
_ => println!("Network Protocol not implemented")
}
Some(pkg)
}
// TODO: impl correct Err type and use in Result
fn transport_layer (&mut self, packet_data: &[u8], protocol_type: usize, l3_header_length: u32) -> Result<(), core::fmt::Error> {
match protocol_type {
TCP => {
pkg.tcp_header = Some(packet_handler::tcp_handler(
pkg.ipv4_header.unwrap().ip_ihl,
self.tcp_header = Some(packet_handler::tcp_handler(
l3_header_length,
packet_data,
))
.unwrap();
pkg.data = Some(packet_handler::payload_handler(
pkg.ipv4_header.unwrap().ip_ihl,
pkg.tcp_header.unwrap().data_offset,
self.data = Some(packet_handler::payload_handler(
l3_header_length,
self.tcp_header.unwrap().data_offset,
packet_data,
)).unwrap();
}
UDP => {
pkg.udp_header = Some(packet_handler::udp_handler(
pkg.ipv4_header.unwrap().ip_ihl,
self.udp_header = Some(packet_handler::udp_handler(
l3_header_length,
packet_data,
))
.unwrap();
pkg.data = Some(packet_handler::payload_handler(
pkg.ipv4_header.unwrap().ip_ihl,
self.data = Some(packet_handler::payload_handler(
l3_header_length,
7,
packet_data,
)).unwrap();
}
_ => println!("Transport layer protocol not implemented"),
}
Ok(())
}
}
Some(pkg)
}
}
/* Regex parse _complete_ package */
fn flag_carnage(re: &Regex, payload: &[u8]) -> Option<String> {
let mut flags: String = String::new();
@ -175,19 +167,21 @@ fn flag_carnage(re: &Regex, payload: &[u8]) -> Option<String> {
}
}
pub fn parse(parse_file: &std::path::Path, filter_str: &str, regex_filter: &str, encap: u16) -> Vec<QryData> {
pub fn parse(parse_file: &std::path::Path, filter_str: &str, regex_filter: &str) -> Vec<QryData> {
let mut me: QryData = init_qrydata().unwrap();
let mut v: Vec<QryData> = Vec::new();
let mut cap = Capture::from_file(parse_file).unwrap();
Capture::filter(&mut cap, &filter_str).unwrap();
let linktype = cap.get_datalink();
println!("{:?}", &linktype);
let re = Regex::new(regex_filter).unwrap();
while let Ok(packet) = cap.next() {
match encap {
match linktype {
// Syntax is clunky, but no num_derive + num_traits dependencies.
encap if encap == EncapsulationType::EN10MB as u16 => me = QryData::encap_ether(packet.data).unwrap(),
encap if encap == EncapsulationType::RAW as u16 => me = QryData::encap_rawip(packet.data).unwrap(),
Linktype(1) => me = QryData::encap_en10mb(packet.data).unwrap(), // EN10MB
Linktype(101) => me = QryData::encap_raw(packet.data).unwrap(), // RAW
_ => (),
};
@ -210,8 +204,8 @@ pub fn parse_device(parse_device: &str, filter_str: &str, insert_max: &usize, re
let re = Regex::new(regex_filter).unwrap();
'parse: while let Ok(packet) = cap.next() {
match linktype {
Linktype(1) => me = QryData::encap_ether(packet.data).unwrap(),
Linktype(101) => me = QryData::encap_rawip(packet.data).unwrap(),
Linktype(1) => me = QryData::encap_en10mb(packet.data).unwrap(),
Linktype(101) => me = QryData::encap_raw(packet.data).unwrap(),
_ => (),
}

8
src/parser/packet_handler.rs
View File

@ -29,8 +29,8 @@ pub fn ethernet_handler(packet_data: &[u8]) -> Option<EtherHeader> {
let mut _ether_shost: [u8; ETH_ALEN] = [0; ETH_ALEN];
let mut _ether_type: u16 = 0;
_ether_dhost.clone_from_slice(&packet_data[0..ETH_ALEN]);
_ether_shost.clone_from_slice(&packet_data[ETH_ALEN..ETH_ALEN * 2]);
_ether_dhost.copy_from_slice(&packet_data[0..ETH_ALEN]);
_ether_shost.copy_from_slice(&packet_data[ETH_ALEN..ETH_ALEN * 2]);
_ether_type = LittleEndian::read_u16(&packet_data[ETH_ALEN * 2..(ETH_ALEN * 2) + ETH_TLEN]);
Some(EtherHeader {
@ -239,8 +239,8 @@ pub fn arp_handler(packet_data: &[u8]) -> Option<ArpHeader> {
let mut _sha: [u8; 6] = [0; 6];
let mut _tha: [u8; 6] = [0; 6];
_sha.clone_from_slice(&raw_hdr[8..14]);
_tha.clone_from_slice(&raw_hdr[18..24]);
_sha.copy_from_slice(&raw_hdr[8..14]);
_tha.copy_from_slice(&raw_hdr[18..24]);
Some(ArpHeader{
htype: BigEndian::read_u16(&raw_hdr[0..2]),