default log level info, better tls handshake bpf

sipcapture · Sep 17, 2017 · bf79336 · bf79336
1 parent cfc8665
commit bf79336
Show file tree

Hide file tree

Showing 6 changed files with 67 additions and 63 deletions.
diff --git a/decoder/decoder.go b/decoder/decoder.go
@@ -1,7 +1,6 @@
 package decoder
 
 import (
-	"encoding/json"
 	"hash"
 	"os"
 
@@ -13,9 +12,6 @@ import (
 	"github.com/negbie/heplify/ip4defrag"
 	"github.com/negbie/heplify/logp"
 	"github.com/negbie/heplify/protos"
-	"github.com/negbie/tlsx"
-	//"github.com/negbie/sippar"
-	//"github.com/negbie/siprocket"
 )
 
 type Decoder struct {
@@ -36,9 +32,6 @@ type Packet struct {
 	Dport         uint16
 	CorrelationID []byte
 	Payload       []byte
-	//sipMsg        *sipparser.SipMsg
-	//SipMsg        siprocket.SipMsg
-	//SipHeader map[string][]string
 }
 
 func NewDecoder() *Decoder {
@@ -64,12 +57,6 @@ func (d *Decoder) Process(data []byte, ci *gopacket.CaptureInfo) (*Packet, error
 		Tmsec: uint32(ci.Timestamp.Nanosecond() / 1000),
 	}
 
-	/* 	if config.Cfg.Mode == "SIP" {
-		pkt.SipMsg = siprocket.Parse(data)
-		pkt.sipMsg = sipparser.ParseMsg(string(data))
-		return pkt, nil
-	} */
-
 	packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.DecodeOptions{Lazy: true, NoCopy: true})
 	logp.Debug("decoder", "Captured packet layers:\n%v\n", packet)
 
@@ -109,9 +96,9 @@ func (d *Decoder) Process(data []byte, ci *gopacket.CaptureInfo) (*Packet, error
 			d.mfc++
 
 			if d.mfc%128 == 0 {
-				logp.Warn("Defragmentated packet counter: %d", d.mfc)
+				logp.Info("Defragmentated packet counter: %d", d.mfc)
 			}
-			logp.Info("Decoding fragmented packet layers:\n%v\nFragmented packet payload:\n%v\nRe-assembled packet payload:\n%v\nRe-assembled packet length:\n%v\n\n",
+			logp.Debug("decoder", "Decoding fragmented packet layers:\n%v\nFragmented packet payload:\n%v\nRe-assembled packet payload:\n%v\nRe-assembled packet length:\n%v\n\n",
 				packet, string(packet.ApplicationLayer().Payload()), string(ip4New.Payload[8:]), ip4New.Length,
 			)
 
@@ -131,16 +118,6 @@ func (d *Decoder) Process(data []byte, ci *gopacket.CaptureInfo) (*Packet, error
 		}
 	}
 
-	if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
-		tcp, ok := tcpLayer.(*layers.TCP)
-		if !ok {
-			return nil, nil
-		}
-		pkt.Sport = uint16(tcp.SrcPort)
-		pkt.Dport = uint16(tcp.DstPort)
-		pkt.Payload = tcp.Payload
-	}
-
 	if udpLayer := packet.Layer(layers.LayerTypeUDP); udpLayer != nil {
 		udp, ok := udpLayer.(*layers.UDP)
 		if !ok {
@@ -149,51 +126,33 @@ func (d *Decoder) Process(data []byte, ci *gopacket.CaptureInfo) (*Packet, error
 		pkt.Sport = uint16(udp.SrcPort)
 		pkt.Dport = uint16(udp.DstPort)
 		pkt.Payload = udp.Payload
+
+	} else if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
+		tcp, ok := tcpLayer.(*layers.TCP)
+		if !ok {
+			return nil, nil
+		}
+		pkt.Sport = uint16(tcp.SrcPort)
+		pkt.Dport = uint16(tcp.DstPort)
+		pkt.Payload = tcp.Payload
 	}
 
 	if dnsLayer := packet.Layer(layers.LayerTypeDNS); dnsLayer != nil {
 		dns, ok := dnsLayer.(*layers.DNS)
 		if !ok {
 			return nil, nil
 		}
-
-		jsonDNS, err := json.Marshal(protos.NewDNS(dns))
-		if err != nil {
-			logp.Warn("jsonDNS marshal", err)
-			return nil, err
-		}
-		pkt.Payload = jsonDNS
+		pkt.Payload = protos.NewDNS(dns)
 	}
 
 	// TODO: add more layers like DHCP, NTP
-	if appLayer := packet.ApplicationLayer(); appLayer != nil {
-		logp.Debug("decoder", "Captured payload:\n%v\n", string(appLayer.Payload()))
 
-		// TODO: move this to protos tls
+	if appLayer := packet.ApplicationLayer(); appLayer != nil {
 		if config.Cfg.Mode == "TLS" {
-			if pkt.Dport == 443 || pkt.Sport == 443 {
-				var hello = tlsx.ClientHello{}
-				err := hello.Unmarshall(appLayer.Payload())
-
-				switch err {
-				case nil:
-					logp.Debug("Captured payload:\n %v\n", hello.String())
-					pkt.Payload = []byte(hello.String())
-				case tlsx.ErrHandshakeWrongType:
-					return nil, nil
-				default:
-					return nil, nil
-				}
-			}
+			pkt.Payload = protos.NewTLS(appLayer.Payload())
+		} else {
+			logp.Debug("decoder", "Captured payload:\n%v\n", string(appLayer.Payload()))
 		}
-
-		/* 	if config.Cfg.Mode == "SIP" {
-			sipl := gopacket.NewPacket(appLayer.Payload(), ownlayers.LayerTypeSIP, gopacket.DecodeOptions{Lazy: true, NoCopy: true})
-			_, ok := sipl.Layers()[0].(*ownlayers.SIP)
-			if !ok {
-				return nil, nil
-			}
-		} */
 	}
 
 	if pkt.Payload != nil {

diff --git a/main.go b/main.go
@@ -33,7 +33,7 @@ func flagParse() {
 	flag.IntVar(&ifaceConfig.Snaplen, "s", 32767, "Snap length")
 	flag.IntVar(&ifaceConfig.BufferSizeMb, "b", 64, "Interface buffersize (MB)")
 	flag.IntVar(&keepLogFiles, "kl", 4, "Rotate the number of log files")
-	flag.StringVar(&logging.Level, "l", "warning", "Log level [debug, info, warning, error]")
+	flag.StringVar(&logging.Level, "l", "info", "Log level [debug, info, warning, error]")
 	flag.BoolVar(&ifaceConfig.OneAtATime, "o", false, "Read packet for packet")
 	flag.StringVar(&fileRotator.Path, "p", "./", "Log filepath")
 	flag.StringVar(&fileRotator.Name, "n", "heplify.log", "Log filename")

diff --git a/protos/dns.go b/protos/dns.go
@@ -1,9 +1,11 @@
 package protos
 
 import (
+	"encoding/json"
 	"net"
 
 	"github.com/google/gopacket/layers"
+	"github.com/negbie/heplify/logp"
 )
 
 type DNS struct {
@@ -44,7 +46,7 @@ type DNSResourceRecord struct {
 	CNAME string `json:"cname,omitempty"`
 }
 
-func NewDNS(dns *layers.DNS) (d *DNS) {
+func toDNS(dns *layers.DNS) (d *DNS) {
 	d = &DNS{}
 
 	d.ID = dns.ID
@@ -87,3 +89,12 @@ func NewDNS(dns *layers.DNS) (d *DNS) {
 
 	return d
 }
+
+func NewDNS(d *layers.DNS) []byte {
+	nd, err := json.Marshal(toDNS(d))
+	if err != nil {
+		logp.Warn("NewDNS marshal", err)
+		return nil
+	}
+	return nd
+}
diff --git a/protos/sip.go b/protos/sip.go
@@ -0,0 +1,23 @@
+package protos
+
+import (
+	"github.com/google/gopacket"
+	"github.com/negbie/heplify/ownlayers"
+	//"github.com/negbie/sippar"
+	//"github.com/negbie/siprocket"
+)
+
+type SIP struct {
+	//sipMsg        *sipparser.SipMsg
+	//SipMsg        siprocket.SipMsg
+	SipHeader map[string][]string
+}
+
+func NewSIP(raw []byte) []byte {
+	sipl := gopacket.NewPacket(raw, ownlayers.LayerTypeSIP, gopacket.DecodeOptions{Lazy: true, NoCopy: true})
+	sip, ok := sipl.Layers()[0].(*ownlayers.SIP)
+	if !ok {
+		return nil
+	}
+	return sip.Contents
+}
diff --git a/protos/tls.go b/protos/tls.go
@@ -1,6 +1,7 @@
 package protos
 
 import (
+	"github.com/negbie/heplify/logp"
 	"github.com/negbie/tlsx"
 )
 
@@ -26,7 +27,17 @@ type TLSHandshake struct {
 }
 
 // TODO: complete this
-func NewTLS(tls *tlsx.ClientHello) (t *TLSHandshake) {
-	t = &TLSHandshake{}
-	return t
+func NewTLS(raw []byte) []byte {
+	var hello = tlsx.ClientHello{}
+	err := hello.Unmarshall(raw)
+
+	switch err {
+	case nil:
+		logp.Info("Captured TLS handshake:\n%v\n", hello.String())
+		return []byte(hello.String())
+	case tlsx.ErrHandshakeWrongType:
+		return nil
+	default:
+		return nil
+	}
 }
diff --git a/sniffer/sniffer.go b/sniffer/sniffer.go
@@ -98,7 +98,7 @@ func (sniffer *SnifferSetup) setFromConfig(cfg *config.InterfacesConfig) error {
 	case "DNS":
 		sniffer.filter = "greater 50 and ip and dst port 53"
 	case "TLS":
-		sniffer.filter = "greater 100 and tcp and port 443"
+		sniffer.filter = "tcp and port 443 and tcp[(((tcp[12:1] & 0xf0) >> 2)):1] = 0x16 and ((tcp[(((tcp[12:1] & 0xf0) >> 2)+5):1] = 0x01) or (tcp[(((tcp[12:1] & 0xf0) >> 2)+5):1] = 0x02))"
 	default:
 		sniffer.mode = "SIP"
 		sniffer.filter = "(greater 300 and portrange 5060-5090 or ip[6:2] & 0x1fff != 0) or (vlan and (greater 300 and portrange 5060-5090 or ip[6:2] & 0x1fff != 0))"