From f0b5ab140e78ff0ee9001660e280473eeb250978 Mon Sep 17 00:00:00 2001 From: maride Date: Mon, 9 Dec 2019 12:14:01 +0100 Subject: [PATCH] Get rid of LinkType-style branching: different LinkTypes may use the same Protocol modules. --- ethernet/ethernet.go => analyze/analyzer.go | 38 ++++------- analyzer.go | 23 ------- ethernet/dhcpv4/request.go | 21 ------ main.go | 8 ++- {ethernet => protocol}/arp/arp.go | 31 +++++---- {ethernet => protocol}/arp/arpDevice.go | 0 {ethernet => protocol}/arp/arpStats.go | 0 {ethernet => protocol}/dhcpv4/dhcp.go | 39 +++++++---- {ethernet => protocol}/dhcpv4/dhcpResponse.go | 0 {ethernet => protocol}/dhcpv4/hostname.go | 0 {ethernet => protocol}/dhcpv4/hostnames.go | 30 ++++----- {ethernet => protocol}/dhcpv4/network.go | 66 +++++++++---------- protocol/dhcpv4/request.go | 17 +++++ {ethernet => protocol}/dhcpv4/response.go | 18 ++--- {ethernet => protocol}/dns/answer.go | 8 +-- {ethernet => protocol}/dns/common.go | 4 +- {ethernet => protocol}/dns/dns.go | 20 ++++-- {ethernet => protocol}/dns/question.go | 8 +-- protocol/index.go | 15 +++++ protocol/protocol.go | 9 +++ 20 files changed, 182 insertions(+), 173 deletions(-) rename ethernet/ethernet.go => analyze/analyzer.go (52%) delete mode 100644 analyzer.go delete mode 100644 ethernet/dhcpv4/request.go rename {ethernet => protocol}/arp/arp.go (80%) rename {ethernet => protocol}/arp/arpDevice.go (100%) rename {ethernet => protocol}/arp/arpStats.go (100%) rename {ethernet => protocol}/dhcpv4/dhcp.go (55%) rename {ethernet => protocol}/dhcpv4/dhcpResponse.go (100%) rename {ethernet => protocol}/dhcpv4/hostname.go (100%) rename {ethernet => protocol}/dhcpv4/hostnames.go (86%) rename {ethernet => protocol}/dhcpv4/network.go (78%) create mode 100644 protocol/dhcpv4/request.go rename {ethernet => protocol}/dhcpv4/response.go (82%) rename {ethernet => protocol}/dns/answer.go (91%) rename {ethernet => protocol}/dns/common.go (91%) rename {ethernet => protocol}/dns/dns.go (53%) rename {ethernet => protocol}/dns/question.go (89%) create mode 100644 protocol/index.go create mode 100644 protocol/protocol.go diff --git a/ethernet/ethernet.go b/analyze/analyzer.go similarity index 52% rename from ethernet/ethernet.go rename to analyze/analyzer.go index df4fa4c..0f7b0de 100644 --- a/ethernet/ethernet.go +++ b/analyze/analyzer.go @@ -1,11 +1,8 @@ -package ethernet +package analyze import ( - "git.darknebu.la/maride/pancap/ethernet/arp" - "git.darknebu.la/maride/pancap/ethernet/dhcpv4" - "git.darknebu.la/maride/pancap/ethernet/dns" + "git.darknebu.la/maride/pancap/protocol" "github.com/google/gopacket" - "github.com/google/gopacket/layers" "log" ) @@ -22,33 +19,23 @@ func Analyze(source *gopacket.PacketSource) error { continue } - if packet.Layer(layers.LayerTypeDNS) != nil { - // Handle DNS packet - handleErr(dns.ProcessDNSPacket(packet)) - } - - if packet.Layer(layers.LayerTypeARP) != nil { - // Handle ARP packet - handleErr(arp.ProcessARPPacket(packet)) - } - - if packet.Layer(layers.LayerTypeDHCPv4) != nil { - // Handle DHCP (v4) packet - handleErr(dhcpv4.HandleDHCPv4Packet(packet)) + // Iterate over all possible protocols + for _, p := range protocol.Protocols { + // Check if this protocol can handle this packet + if p.CanAnalyze(packet) { + handleErr(p.Analyze(packet)) + } } } - // After processing all packets, print summary - printSummary() - return nil } // Prints all the summaries. -func printSummary() { - arp.PrintARPSummary() - dns.PrintDNSSummary() - dhcpv4.PrintDHCPv4Summary() +func PrintSummary() { + for _, p := range protocol.Protocols { + p.PrintSummary() + } } // Handles an error, if err is not nil. @@ -58,3 +45,4 @@ func handleErr(err error) { log.Printf("Encountered error while examining packets, continuing anyway. Error: %s", err.Error()) } } + diff --git a/analyzer.go b/analyzer.go deleted file mode 100644 index 92abee8..0000000 --- a/analyzer.go +++ /dev/null @@ -1,23 +0,0 @@ -package main - -import ( - "errors" - "fmt" - "git.darknebu.la/maride/pancap/ethernet" - "github.com/google/gopacket" - "github.com/google/gopacket/layers" -) - -// Analyzes the given packet source -func analyzePCAP(source *gopacket.PacketSource, linkType layers.LinkType) error { - // Switch over link type to determine correct module to ask for analysis - switch linkType { - case layers.LinkTypeEthernet: - // Ethernet - return ethernet.Analyze(source) - } - - // if we reach this point, the given PCAP contains a link type we can't handle (yet). - errorMsg := fmt.Sprintf("Asked for link type %s (ID %d), but not supported by pancap. :( sorry!", linkType.String(), linkType) - return errors.New(errorMsg) -} diff --git a/ethernet/dhcpv4/request.go b/ethernet/dhcpv4/request.go deleted file mode 100644 index 85b5fb1..0000000 --- a/ethernet/dhcpv4/request.go +++ /dev/null @@ -1,21 +0,0 @@ -package dhcpv4 - -import ( - "fmt" - "git.darknebu.la/maride/pancap/common" - "github.com/google/gopacket/layers" -) - -var ( - requestMAC []string -) - -// Processes the DHCP request packet handed over -func processRequestPacket(dhcppacket layers.DHCPv4) { - requestMAC = common.AppendIfUnique(dhcppacket.ClientHWAddr.String(), requestMAC) -} - -// Generates the summary of all DHCP request packets -func generateRequestSummary() string { - return fmt.Sprintf("%d unique DHCP requests\n%s", len(requestMAC), common.GenerateTree(requestMAC)) -} diff --git a/main.go b/main.go index 6f789c2..9ebb4fb 100644 --- a/main.go +++ b/main.go @@ -3,6 +3,7 @@ package main import ( "flag" "fmt" + "git.darknebu.la/maride/pancap/analyze" "git.darknebu.la/maride/pancap/output" "log" "math/rand" @@ -19,19 +20,22 @@ func main() { flag.Parse() // Open the given PCAP - packetSource, linkType, fileErr := openPCAP() + packetSource, _, fileErr := openPCAP() if fileErr != nil { // Encountered problems with the PCAP - permission and/or existance error log.Fatalf("Error occured while opeining specified file: %s", fileErr.Error()) } // Start analyzing - analyzeErr := analyzePCAP(packetSource, linkType) + analyzeErr := analyze.Analyze(packetSource) if analyzeErr != nil { // Mh, encountered some problems while analyzing file log.Fatalf("Error occurred while analyzing: %s", analyzeErr.Error()) } + // Show user analysis + analyze.PrintSummary() + // Finalize output output.Finalize() } diff --git a/ethernet/arp/arp.go b/protocol/arp/arp.go similarity index 80% rename from ethernet/arp/arp.go rename to protocol/arp/arp.go index 9054aff..c4118cd 100644 --- a/ethernet/arp/arp.go +++ b/protocol/arp/arp.go @@ -15,8 +15,15 @@ var ( devices []arpDevice ) -// Called on every ARP packet -func ProcessARPPacket(packet gopacket.Packet) error { +type Protocol struct {} + +// Checks if the given packet is an ARP packet we can process +func (p *Protocol) CanAnalyze(packet gopacket.Packet) bool { + return packet.Layer(layers.LayerTypeARP) != nil +} + +// Analyzes the given ARP packet +func (p *Protocol) Analyze(packet gopacket.Packet) error { var arppacket layers.ARP // Decode raw packet into ARP @@ -28,7 +35,7 @@ func ProcessARPPacket(packet gopacket.Packet) error { // Convert MAC address byte array to string sourceAddr := net.HardwareAddr(arppacket.SourceHwAddress).String() - participant := getStatOrCreate(sourceAddr) + participant := p.getStatOrCreate(sourceAddr) // Raise stats if arppacket.Operation == layers.ARPRequest { @@ -37,27 +44,27 @@ func ProcessARPPacket(packet gopacket.Packet) error { participant.askedList = common.AppendIfUnique(net.IP(arppacket.DstProtAddress).String(), participant.askedList) // Add device entry - addDeviceEntry(sourceAddr, net.IP(arppacket.SourceProtAddress).String()) + p.addDeviceEntry(sourceAddr, net.IP(arppacket.SourceProtAddress).String()) } else { // Response packet participant.answered++ participant.answeredList = common.AppendIfUnique(net.IP(arppacket.SourceProtAddress).String(), participant.answeredList) // Add device entry - addDeviceEntry(sourceAddr, net.IP(arppacket.SourceProtAddress).String()) + p.addDeviceEntry(sourceAddr, net.IP(arppacket.SourceProtAddress).String()) } return nil } // Print a summary after all packets are processed -func PrintARPSummary() { - output.PrintBlock("ARP traffic summary", generateTrafficStats()) - output.PrintBlock("ARP LAN overview", generateLANOverview()) +func (p *Protocol) PrintSummary() { + output.PrintBlock("ARP traffic summary", p.generateTrafficStats()) + output.PrintBlock("ARP LAN overview", p.generateLANOverview()) } // Generates an answer regarding the ARP traffic -func generateTrafficStats() string { +func (p *Protocol) generateTrafficStats() string { var tmparr []string // Iterate over all participants @@ -83,7 +90,7 @@ func generateTrafficStats() string { } // Generates an overview over all connected devices in the LAN -func generateLANOverview() string { +func (p *Protocol) generateLANOverview() string { var tmparr []string // iterate over all devices @@ -96,7 +103,7 @@ func generateLANOverview() string { } // Returns the arpStats object for the given MAC address, or creates a new one -func getStatOrCreate(macaddr string) *arpStats { +func (p *Protocol) getStatOrCreate(macaddr string) *arpStats { // Try to find the given macaddr for i := 0; i < len(arpStatsList); i++ { if arpStatsList[i].macaddr == macaddr { @@ -115,7 +122,7 @@ func getStatOrCreate(macaddr string) *arpStats { } // Adds a new entry to the devices array, checking if there may be a collision (=ARP Spoofing) -func addDeviceEntry(macaddr string, ipaddr string) { +func (p *Protocol) addDeviceEntry(macaddr string, ipaddr string) { if ipaddr == "0.0.0.0" { // Possible ARP request if sender doesn't have an IP address yet. Ignore. return diff --git a/ethernet/arp/arpDevice.go b/protocol/arp/arpDevice.go similarity index 100% rename from ethernet/arp/arpDevice.go rename to protocol/arp/arpDevice.go diff --git a/ethernet/arp/arpStats.go b/protocol/arp/arpStats.go similarity index 100% rename from ethernet/arp/arpStats.go rename to protocol/arp/arpStats.go diff --git a/ethernet/dhcpv4/dhcp.go b/protocol/dhcpv4/dhcp.go similarity index 55% rename from ethernet/dhcpv4/dhcp.go rename to protocol/dhcpv4/dhcp.go index dc25349..b132b13 100644 --- a/ethernet/dhcpv4/dhcp.go +++ b/protocol/dhcpv4/dhcp.go @@ -6,11 +6,28 @@ import ( "github.com/google/gopacket/layers" ) -// Called on every DHCP (v4) packet -func HandleDHCPv4Packet(packet gopacket.Packet) error { +type Protocol struct { + hostnames []hostname + networkSetup map[layers.DHCPOpt][]byte + requestMAC []string + responses []dhcpResponse +} + +// Checks if the given packet is a DHCP packet we can process +func (p *Protocol) CanAnalyze(packet gopacket.Packet) bool { + return packet.Layer(layers.LayerTypeDHCPv4) != nil && packet.Layer(layers.LayerTypeEthernet) != nil && packet.Layers()[2].LayerPayload() != nil +} + +// Analyzes the given DHCP packet +func (p *Protocol) Analyze(packet gopacket.Packet) error { var dhcppacket layers.DHCPv4 var ethernetpacket layers.Ethernet + // Check if it's the first run - init networkSetup map then + if p.networkSetup == nil { + p.networkSetup = make(map[layers.DHCPOpt][]byte) + } + // For some reason I can't find an explanation for, // packet.Layer(layers.LayerTypeDHCPv4).LayerContents(), which effectively is // packet.Layers()[3].layerContents(), is empty, but @@ -35,23 +52,23 @@ func HandleDHCPv4Packet(packet gopacket.Packet) error { // Examine packet further if dhcppacket.Operation == layers.DHCPOpRequest { // Request packet - processRequestPacket(dhcppacket) + p.processRequestPacket(dhcppacket) } else { // Response/Offer packet - processResponsePacket(dhcppacket, ethernetpacket) + p.processResponsePacket(dhcppacket, ethernetpacket) } // Check for Hostname DHCP option (12) - checkForHostname(dhcppacket) - checkForNetworkInfos(dhcppacket) + p.checkForHostname(dhcppacket) + p.checkForNetworkInfos(dhcppacket) return nil } // Print summary after all packets are processed -func PrintDHCPv4Summary() { - output.PrintBlock("DHCP Network Overview", generateNetworkSummary()) - output.PrintBlock("DHCP Requests", generateRequestSummary()) - output.PrintBlock("DHCP Responses/Offers", generateResponseSummary()) - output.PrintBlock("DHCP Hostnames", generateHostnamesSummary()) +func (p *Protocol) PrintSummary() { + output.PrintBlock("DHCP Network Overview", p.generateNetworkSummary()) + output.PrintBlock("DHCP Requests", p.generateRequestSummary()) + output.PrintBlock("DHCP Responses/Offers", p.generateResponseSummary()) + output.PrintBlock("DHCP Hostnames", p.generateHostnamesSummary()) } diff --git a/ethernet/dhcpv4/dhcpResponse.go b/protocol/dhcpv4/dhcpResponse.go similarity index 100% rename from ethernet/dhcpv4/dhcpResponse.go rename to protocol/dhcpv4/dhcpResponse.go diff --git a/ethernet/dhcpv4/hostname.go b/protocol/dhcpv4/hostname.go similarity index 100% rename from ethernet/dhcpv4/hostname.go rename to protocol/dhcpv4/hostname.go diff --git a/ethernet/dhcpv4/hostnames.go b/protocol/dhcpv4/hostnames.go similarity index 86% rename from ethernet/dhcpv4/hostnames.go rename to protocol/dhcpv4/hostnames.go index 76793ea..3191055 100644 --- a/ethernet/dhcpv4/hostnames.go +++ b/protocol/dhcpv4/hostnames.go @@ -7,25 +7,21 @@ import ( "log" ) -var ( - hostnames []hostname -) - -func checkForHostname(dhcppacket layers.DHCPv4) { +func (p *Protocol) checkForHostname(dhcppacket layers.DHCPv4) { // Search for "Hostname" option (ID 12) in DHCP Packet Options for _, o := range dhcppacket.Options { if o.Type == layers.DHCPOptHostname { // found it. Let's see if it's a request or response if dhcppacket.Operation == layers.DHCPOpRequest { // request, not granted yet. - addHostname(hostname{ + p.addHostname(hostname{ hostname: string(o.Data), requestedByMAC: dhcppacket.ClientHWAddr.String(), granted: false, }) } else { // Response, DHCP issued this hostname - addHostname(hostname{ + p.addHostname(hostname{ hostname: string(o.Data), requestedByMAC: "", granted: true, @@ -40,11 +36,11 @@ func checkForHostname(dhcppacket layers.DHCPv4) { } // Generates the list of all hostnames encountered. -func generateHostnamesSummary() string { +func (p *Protocol) generateHostnamesSummary() string { var tmparr []string // Construct meaningful text - for _, h := range hostnames { + for _, h := range p.hostnames { answer := "" // check what kind of answer we need to construct @@ -76,11 +72,11 @@ func generateHostnamesSummary() string { } // Adds the given hostname to the hostname array, or patches an existing entry if found -func addHostname(tmph hostname) { +func (p *Protocol) addHostname(tmph hostname) { // see if we have an existing entry for this hostname - for i := 0; i < len(hostnames); i++ { + for i := 0; i < len(p.hostnames); i++ { // get ith hostname in the list - h := hostnames[i] + h := p.hostnames[i] // ... and check if it's the one requested if h.hostname == tmph.hostname { @@ -97,13 +93,13 @@ func addHostname(tmph hostname) { // Received a response for this hostname, check if it was granted if h.hostname == tmph.hostname { // granted, everything is fine. - hostnames[i].granted = true + p.hostnames[i].granted = true } else { // Received a different hostname than the one requested by the MAC. Report that. log.Printf("Client %s asked for hostname '%s' but was given '%s' by DHCP server", h.requestedByMAC, tmph.hostname, h.hostname) - hostnames[i].deniedHostname = hostnames[i].hostname - hostnames[i].hostname = tmph.hostname - hostnames[i].granted = false + p.hostnames[i].deniedHostname = p.hostnames[i].hostname + p.hostnames[i].hostname = tmph.hostname + p.hostnames[i].granted = false } // in either case, it's a response by the DHCP server - hostname is granted in this context @@ -114,5 +110,5 @@ func addHostname(tmph hostname) { } // We didn't find the desired hostname, append given object to the list - hostnames = append(hostnames, tmph) + p.hostnames = append(p.hostnames, tmph) } diff --git a/ethernet/dhcpv4/network.go b/protocol/dhcpv4/network.go similarity index 78% rename from ethernet/dhcpv4/network.go rename to protocol/dhcpv4/network.go index 907c597..6a3ed2a 100644 --- a/ethernet/dhcpv4/network.go +++ b/protocol/dhcpv4/network.go @@ -11,7 +11,6 @@ import ( ) var ( - networkSetup = make(map[layers.DHCPOpt][]byte) watchedOpts = []layers.DHCPOpt{ layers.DHCPOptSubnetMask, // Option 1 layers.DHCPOptRouter, // Option 3 @@ -23,6 +22,19 @@ var ( } ) +// Generates the summary of relevant DHCP options +func (p *Protocol) generateNetworkSummary() string { + // It's also possible to use strings.Builder here, but it produces code which is longer than this solution :shrug: + summary := fmt.Sprintf("Subnet Mask: %s\n", formatIP(p.networkSetup[layers.DHCPOptSubnetMask])) + summary = fmt.Sprintf("%sBroadcast: %s\n", summary, formatIP(p.networkSetup[layers.DHCPOptBroadcastAddr])) + summary = fmt.Sprintf("%sRouter: %s\n", summary, formatIP(p.networkSetup[layers.DHCPOptRouter])) + summary = fmt.Sprintf("%sDNS Server: %s\n", summary, formatIP(p.networkSetup[layers.DHCPOptDNS])) + summary = fmt.Sprintf("%sNTP Server: %s\n", summary, formatIP(p.networkSetup[layers.DHCPOptNTPServers])) + summary = fmt.Sprintf( "%sLease Time: %s\n", summary, formatDate(p.networkSetup[layers.DHCPOptLeaseTime])) + summary = fmt.Sprintf("%sRenewal Time: %s\n", summary, formatDate(p.networkSetup[layers.DHCPOptT1])) + return summary +} + // Looks for information specifying the setup of the network. This includes // - Option 1: Subnet Mask // - Option 3: Router address @@ -31,7 +43,7 @@ var ( // - Option 42: NTP Server address // - Option 51: IP Address Lease time // - Option 58: IP Renewal time -func checkForNetworkInfos(dhcppacket layers.DHCPv4) { +func (p *Protocol) checkForNetworkInfos(dhcppacket layers.DHCPv4) { // Check if it is a DHCP request if dhcppacket.Operation == layers.DHCPOpRequest { // We can ignore requests, they won't help us here @@ -42,12 +54,29 @@ func checkForNetworkInfos(dhcppacket layers.DHCPv4) { for _, o := range dhcppacket.Options { if isRelevantOption(o) { // Found DHCP option to be watched, let's watch it - saveOption(o) + p.saveOption(o) } } } +// Saves the given option in the networkSetup map, and informs the user if the value changes +func (p *Protocol) saveOption(opt layers.DHCPOption) { + // check if we already stored this value + if p.networkSetup[opt.Type] != nil { + // We already stored a value, let's check if it's the same as the new one + if !bytes.Equal(p.networkSetup[opt.Type], opt.Data) { + // Already stored a value and it's different from our new value - inform user and overwrite value later + log.Printf("Received different values for DHCP Option %s (ID %d). (Old: %s, New. %s)", opt.Type.String(), opt.Type, p.networkSetup[opt.Type], opt.Data) + } else { + // Exactly this value was already stored, no need to overwrite it + return + } + } + + p.networkSetup[opt.Type] = opt.Data +} + // Checks if the given DHCPOption is part of the watchlist func isRelevantOption(opt layers.DHCPOption) bool { // Iterate over all DHCP options in our watchlist @@ -62,23 +91,6 @@ func isRelevantOption(opt layers.DHCPOption) bool { return false } -// Saves the given option in the networkSetup map, and informs the user if the value changes -func saveOption(opt layers.DHCPOption) { - // check if we already stored this value - if networkSetup[opt.Type] != nil { - // We already stored a value, let's check if it's the same as the new one - if !bytes.Equal(networkSetup[opt.Type], opt.Data) { - // Already stored a value and it's different from our new value - inform user and overwrite value later - log.Printf("Received different values for DHCP Option %s (ID %d). (Old: %s, New. %s)", opt.Type.String(), opt.Type, networkSetup[opt.Type], opt.Data) - } else { - // Exactly this value was already stored, no need to overwrite it - return - } - } - - networkSetup[opt.Type] = opt.Data -} - // Formats the given byte array as string representing the IP address, or returns an error (as string) func formatIP(rawIP []byte) string { // Check if we even have an IP @@ -139,17 +151,3 @@ func formatDate(rawDate []byte) string { return formattedDate } - -// Generates the summary of relevant DHCP options -func generateNetworkSummary() string { - // It's also possible to use strings.Builder here, but it produces code which is longer than this solution :shrug: - summary := fmt.Sprintf("Subnet Mask: %s\n", formatIP(networkSetup[layers.DHCPOptSubnetMask])) - summary = fmt.Sprintf("%sBroadcast: %s\n", summary, formatIP(networkSetup[layers.DHCPOptBroadcastAddr])) - summary = fmt.Sprintf("%sRouter: %s\n", summary, formatIP(networkSetup[layers.DHCPOptRouter])) - summary = fmt.Sprintf("%sDNS Server: %s\n", summary, formatIP(networkSetup[layers.DHCPOptDNS])) - summary = fmt.Sprintf("%sNTP Server: %s\n", summary, formatIP(networkSetup[layers.DHCPOptNTPServers])) - summary = fmt.Sprintf("%sLease Time: %s\n", summary, formatDate(networkSetup[layers.DHCPOptLeaseTime])) - summary = fmt.Sprintf("%sRenewal Time: %s\n", summary, formatDate(networkSetup[layers.DHCPOptT1])) - return summary -} - diff --git a/protocol/dhcpv4/request.go b/protocol/dhcpv4/request.go new file mode 100644 index 0000000..981af1e --- /dev/null +++ b/protocol/dhcpv4/request.go @@ -0,0 +1,17 @@ +package dhcpv4 + +import ( + "fmt" + "git.darknebu.la/maride/pancap/common" + "github.com/google/gopacket/layers" +) + +// Processes the DHCP request packet handed over +func (p *Protocol) processRequestPacket(dhcppacket layers.DHCPv4) { + p.requestMAC = common.AppendIfUnique(dhcppacket.ClientHWAddr.String(), p.requestMAC) +} + +// Generates the summary of all DHCP request packets +func (p *Protocol) generateRequestSummary() string { + return fmt.Sprintf("%d unique DHCP requests\n%s", len(p.requestMAC), common.GenerateTree(p.requestMAC)) +} diff --git a/ethernet/dhcpv4/response.go b/protocol/dhcpv4/response.go similarity index 82% rename from ethernet/dhcpv4/response.go rename to protocol/dhcpv4/response.go index fa80637..5ae746c 100644 --- a/ethernet/dhcpv4/response.go +++ b/protocol/dhcpv4/response.go @@ -7,20 +7,16 @@ import ( "log" ) -var ( - responses []dhcpResponse -) - -func processResponsePacket(dhcppacket layers.DHCPv4, ethernetpacket layers.Ethernet) { - addResponseEntry(dhcppacket.ClientIP.String(), dhcppacket.YourClientIP.String(), dhcppacket.ClientHWAddr.String(), ethernetpacket.SrcMAC.String()) +func (p *Protocol) processResponsePacket(dhcppacket layers.DHCPv4, ethernetpacket layers.Ethernet) { + p.addResponseEntry(dhcppacket.ClientIP.String(), dhcppacket.YourClientIP.String(), dhcppacket.ClientHWAddr.String(), ethernetpacket.SrcMAC.String()) } // Generates the summary of all DHCP offer packets -func generateResponseSummary() string { +func (p *Protocol) generateResponseSummary() string { var tmpaddr []string // Iterate over all responses - for _, r := range responses { + for _, r := range p.responses { addition := "" if r.askedFor { @@ -35,7 +31,7 @@ func generateResponseSummary() string { } // Adds a new response entry. If an IP address was already issued or a MAC asks multiple times for DNS, the case is examined further -func addResponseEntry(newIP string, yourIP string, destMAC string, serverMAC string) { +func (p *Protocol) addResponseEntry(newIP string, yourIP string, destMAC string, serverMAC string) { // Check if client asked for a specific address (which was granted by the DHCP server) askedFor := false if newIP == "0.0.0.0" { @@ -44,7 +40,7 @@ func addResponseEntry(newIP string, yourIP string, destMAC string, serverMAC str askedFor = true } - for _, r := range responses { + for _, r := range p.responses { // Check for interesting cases if r.destMACAddr == destMAC { // The same client device received multiple IP addresses, let's examine further @@ -71,7 +67,7 @@ func addResponseEntry(newIP string, yourIP string, destMAC string, serverMAC str } // Add a response entry - even if we found some "strange" behavior before. - responses = append(responses, dhcpResponse{ + p.responses = append(p.responses, dhcpResponse{ destMACAddr: destMAC, newIPAddr: newIP, serverMACAddr: serverMAC, diff --git a/ethernet/dns/answer.go b/protocol/dns/answer.go similarity index 91% rename from ethernet/dns/answer.go rename to protocol/dns/answer.go index ab99d51..2479289 100644 --- a/ethernet/dns/answer.go +++ b/protocol/dns/answer.go @@ -19,7 +19,7 @@ var ( ) // Called on every DNS packet to process response(s) -func processDNSAnswer(answers []layers.DNSResourceRecord) { +func (p *Protocol) processDNSAnswer(answers []layers.DNSResourceRecord) { for _, answer := range answers { // Raise stats numAnswers++ @@ -35,7 +35,7 @@ func processDNSAnswer(answers []layers.DNSResourceRecord) { } // Process type answers - processType(answerType, answer.Type) + p.processType(answerType, answer.Type) // Append full domain and base domain answerDomains = common.AppendIfUnique(name, answerDomains) @@ -63,12 +63,12 @@ func processDNSAnswer(answers []layers.DNSResourceRecord) { } // Generates a summary of all DNS answers -func generateDNSAnswerSummary() string { +func (p *Protocol) generateDNSAnswerSummary() string { summary := "" // Overall question stats summary = fmt.Sprintf("%s%d DNS answers in total\n", summary, numAnswers) - summary = fmt.Sprintf("%s%s records\n", summary, generateDNSTypeSummary(answerType)) + summary = fmt.Sprintf("%s%s records\n", summary, p.generateDNSTypeSummary(answerType)) summary = fmt.Sprintf("%s%d unique domains of %d base domains, of which are %d private (non-ICANN) TLDs.\n", summary, len(answerDomains), len(answerBaseDomains), len(answerPrivateDomains)) // Output base domains answered with diff --git a/ethernet/dns/common.go b/protocol/dns/common.go similarity index 91% rename from ethernet/dns/common.go rename to protocol/dns/common.go index 707409c..21fb960 100644 --- a/ethernet/dns/common.go +++ b/protocol/dns/common.go @@ -17,7 +17,7 @@ var ( ) // Processes the given dnstype and raises its stats in the given array -func processType(typearr map[layers.DNSType]int, dnstype layers.DNSType) { +func (p *Protocol) processType(typearr map[layers.DNSType]int, dnstype layers.DNSType) { typearr[dnstype]++ } @@ -36,7 +36,7 @@ func ipIsPrivate(ip net.IP) bool { } // Generates a summary string for DNS types in the given array -func generateDNSTypeSummary(typearr map[layers.DNSType]int) string { +func (p *Protocol) generateDNSTypeSummary(typearr map[layers.DNSType]int) string { var answerarr []string // Iterate over all possible DNS types diff --git a/ethernet/dns/dns.go b/protocol/dns/dns.go similarity index 53% rename from ethernet/dns/dns.go rename to protocol/dns/dns.go index f4ba6af..03e5ac7 100644 --- a/ethernet/dns/dns.go +++ b/protocol/dns/dns.go @@ -6,8 +6,14 @@ import ( "github.com/google/gopacket/layers" ) -// Called on every DNS packet -func ProcessDNSPacket(packet gopacket.Packet) error { +type Protocol struct {} + +func (p *Protocol) CanAnalyze(packet gopacket.Packet) bool { + return packet.Layer(layers.LayerTypeDNS) != nil +} + +// Analyzes the given DHCP packet +func (p *Protocol) Analyze(packet gopacket.Packet) error { var dnspacket layers.DNS // Decode raw packet into DNS @@ -18,15 +24,15 @@ func ProcessDNSPacket(packet gopacket.Packet) error { } // Further process the packet - processDNSQuestion(dnspacket.Questions) - processDNSAnswer(dnspacket.Answers) + p.processDNSQuestion(dnspacket.Questions) + p.processDNSAnswer(dnspacket.Answers) // No error encountered, return clean return nil } // Print a summary after all DNS packets were processed -func PrintDNSSummary() { - output.PrintBlock("DNS Request Summary", generateDNSQuestionSummary()) - output.PrintBlock("DNS Response Summary", generateDNSAnswerSummary()) +func (p *Protocol) PrintSummary() { + output.PrintBlock("DNS Request Summary", p.generateDNSQuestionSummary()) + output.PrintBlock("DNS Response Summary", p.generateDNSAnswerSummary()) } diff --git a/ethernet/dns/question.go b/protocol/dns/question.go similarity index 89% rename from ethernet/dns/question.go rename to protocol/dns/question.go index 04d5f70..9698cfe 100644 --- a/ethernet/dns/question.go +++ b/protocol/dns/question.go @@ -17,7 +17,7 @@ var ( ) // Called on every DNS packet to process questions -func processDNSQuestion(questions []layers.DNSQuestion) { +func (p *Protocol) processDNSQuestion(questions []layers.DNSQuestion) { // Iterate over all questions for _, question := range questions { // Raise stats @@ -34,7 +34,7 @@ func processDNSQuestion(questions []layers.DNSQuestion) { } // Process type questions - processType(questionType, question.Type) + p.processType(questionType, question.Type) // Append full domain and base domain questionDomains = common.AppendIfUnique(name, questionDomains) @@ -52,12 +52,12 @@ func processDNSQuestion(questions []layers.DNSQuestion) { } // Generates a summary of all DNS questions -func generateDNSQuestionSummary() string { +func (p *Protocol) generateDNSQuestionSummary() string { summary := "" // Overall question stats summary = fmt.Sprintf("%s%d DNS questions in total\n", summary, numQuestions) - summary = fmt.Sprintf("%s%s records\n", summary, generateDNSTypeSummary(questionType)) + summary = fmt.Sprintf("%s%s records\n", summary, p.generateDNSTypeSummary(questionType)) summary = fmt.Sprintf("%s%d unique domains of %d base domains, of which are %d private (non-ICANN) TLDs.\n", summary, len(questionDomains), len(questionBaseDomains), len(questionPrivateDomains)) // Output base domains asked for diff --git a/protocol/index.go b/protocol/index.go new file mode 100644 index 0000000..239d70b --- /dev/null +++ b/protocol/index.go @@ -0,0 +1,15 @@ +package protocol + +import ( + "git.darknebu.la/maride/pancap/protocol/arp" + "git.darknebu.la/maride/pancap/protocol/dhcpv4" + "git.darknebu.la/maride/pancap/protocol/dns" +) + +var ( + Protocols = []Protocol{ + &arp.Protocol{}, + &dhcpv4.Protocol{}, + &dns.Protocol{}, + } +) diff --git a/protocol/protocol.go b/protocol/protocol.go new file mode 100644 index 0000000..924c885 --- /dev/null +++ b/protocol/protocol.go @@ -0,0 +1,9 @@ +package protocol + +import "github.com/google/gopacket" + +type Protocol interface { + CanAnalyze(gopacket.Packet) bool + Analyze(gopacket.Packet) error + PrintSummary() +}