1 // Copyright 2012 Google, Inc. All rights reserved.
3 // Use of this source code is governed by a BSD-style license
4 // that can be found in the LICENSE file in the root of the source
22 // CaptureInfo provides standardized information about a packet captured off
23 // the wire or read from a file.
24 type CaptureInfo struct {
25 // Timestamp is the time the packet was captured, if that is known.
27 // CaptureLength is the total number of bytes read off of the wire.
29 // Length is the size of the original packet. Should always be >=
36 // PacketMetadata contains metadata for a packet.
37 type PacketMetadata struct {
39 // Truncated is true if packet decoding logic detects that there are fewer
40 // bytes in the packet than are detailed in various headers (for example, if
41 // the number of bytes in the IPv4 contents/payload is less than IPv4.Length).
42 // This is also set automatically for packets captured off the wire if
43 // CaptureInfo.CaptureLength < CaptureInfo.Length.
47 // Packet is the primary object used by gopacket. Packets are created by a
48 // Decoder's Decode call. A packet is made up of a set of Data, which
49 // is broken into a number of Layers as it is decoded.
50 type Packet interface {
51 //// Functions for outputting the packet as a human-readable string:
52 //// ------------------------------------------------------------------
53 // String returns a human-readable string representation of the packet.
54 // It uses LayerString on each layer to output the layer.
56 // Dump returns a verbose human-readable string representation of the packet,
57 // including a hex dump of all layers. It uses LayerDump on each layer to
61 //// Functions for accessing arbitrary packet layers:
62 //// ------------------------------------------------------------------
63 // Layers returns all layers in this packet, computing them as necessary
65 // Layer returns the first layer in this packet of the given type, or nil
66 Layer(LayerType) Layer
67 // LayerClass returns the first layer in this packet of the given class,
69 LayerClass(LayerClass) Layer
71 //// Functions for accessing specific types of packet layers. These functions
72 //// return the first layer of each type found within the packet.
73 //// ------------------------------------------------------------------
74 // LinkLayer returns the first link layer in the packet
76 // NetworkLayer returns the first network layer in the packet
77 NetworkLayer() NetworkLayer
78 // TransportLayer returns the first transport layer in the packet
79 TransportLayer() TransportLayer
80 // ApplicationLayer returns the first application layer in the packet
81 ApplicationLayer() ApplicationLayer
82 // ErrorLayer is particularly useful, since it returns nil if the packet
83 // was fully decoded successfully, and non-nil if an error was encountered
84 // in decoding and the packet was only partially decoded. Thus, its output
85 // can be used to determine if the entire packet was able to be decoded.
86 ErrorLayer() ErrorLayer
88 //// Functions for accessing data specific to the packet:
89 //// ------------------------------------------------------------------
90 // Data returns the set of bytes that make up this entire packet.
92 // Metadata returns packet metadata associated with this packet.
93 Metadata() *PacketMetadata
96 // packet contains all the information we need to fulfill the Packet interface,
97 // and its two "subclasses" (yes, no such thing in Go, bear with me),
98 // eagerPacket and lazyPacket, provide eager and lazy decoding logic around the
99 // various functions needed to access this information.
101 // data contains the entire packet data for a packet
103 // initialLayers is space for an initial set of layers already created inside
105 initialLayers [6]Layer
106 // layers contains each layer we've already decoded
108 // last is the last layer added to the packet
110 // metadata is the PacketMetadata for this packet
111 metadata PacketMetadata
113 decodeOptions DecodeOptions
115 // Pointers to the various important layers
118 transport TransportLayer
119 application ApplicationLayer
123 func (p *packet) SetTruncated() {
124 p.metadata.Truncated = true
127 func (p *packet) SetLinkLayer(l LinkLayer) {
133 func (p *packet) SetNetworkLayer(l NetworkLayer) {
134 if p.network == nil {
139 func (p *packet) SetTransportLayer(l TransportLayer) {
140 if p.transport == nil {
145 func (p *packet) SetApplicationLayer(l ApplicationLayer) {
146 if p.application == nil {
151 func (p *packet) SetErrorLayer(l ErrorLayer) {
152 if p.failure == nil {
157 func (p *packet) AddLayer(l Layer) {
158 p.layers = append(p.layers, l)
162 func (p *packet) DumpPacketData() {
163 fmt.Fprint(os.Stderr, p.packetDump())
167 func (p *packet) Metadata() *PacketMetadata {
171 func (p *packet) Data() []byte {
175 func (p *packet) DecodeOptions() *DecodeOptions {
176 return &p.decodeOptions
179 func (p *packet) addFinalDecodeError(err error, stack []byte) {
180 fail := &DecodeFailure{err: err, stack: stack}
184 fail.data = p.last.LayerPayload()
187 p.SetErrorLayer(fail)
190 func (p *packet) recoverDecodeError() {
191 if !p.decodeOptions.SkipDecodeRecovery {
192 if r := recover(); r != nil {
193 p.addFinalDecodeError(fmt.Errorf("%v", r), debug.Stack())
198 // LayerString outputs an individual layer as a string. The layer is output
199 // in a single line, with no trailing newline. This function is specifically
200 // designed to do the right thing for most layers... it follows the following
202 // * If the Layer has a String function, just output that.
203 // * Otherwise, output all exported fields in the layer, recursing into
204 // exported slices and structs.
205 // NOTE: This is NOT THE SAME AS fmt's "%#v". %#v will output both exported
206 // and unexported fields... many times packet layers contain unexported stuff
207 // that would just mess up the output of the layer, see for example the
208 // Payload layer and it's internal 'data' field, which contains a large byte
209 // array that would really mess up formatting.
210 func LayerString(l Layer) string {
211 return fmt.Sprintf("%v\t%s", l.LayerType(), layerString(reflect.ValueOf(l), false, false))
214 // Dumper dumps verbose information on a value. If a layer type implements
215 // Dumper, then its LayerDump() string will include the results in its output.
216 type Dumper interface {
220 // LayerDump outputs a very verbose string representation of a layer. Its
221 // output is a concatenation of LayerString(l) and hex.Dump(l.LayerContents()).
222 // It contains newlines and ends with a newline.
223 func LayerDump(l Layer) string {
225 b.WriteString(LayerString(l))
227 if d, ok := l.(Dumper); ok {
231 if dump[len(dump)-1] != '\n' {
236 b.WriteString(hex.Dump(l.LayerContents()))
240 // layerString outputs, recursively, a layer in a "smart" way. See docs for
241 // LayerString for more details.
244 // i - value to write out
245 // anonymous: if we're currently recursing an anonymous member of a struct
246 // writeSpace: if we've already written a value in a struct, and need to
247 // write a space before writing more. This happens when we write various
248 // anonymous values, and need to keep writing more.
249 func layerString(v reflect.Value, anonymous bool, writeSpace bool) string {
250 // Let String() functions take precedence.
251 if v.CanInterface() {
252 if s, ok := v.Interface().(fmt.Stringer); ok {
256 // Reflect, and spit out all the exported fields as key=value.
257 switch v.Type().Kind() {
258 case reflect.Interface, reflect.Ptr:
263 return layerString(r, anonymous, writeSpace)
270 for i := 0; i < v.NumField(); i++ {
271 // Check if this is upper-case.
272 ftype := typ.Field(i)
275 anonStr := layerString(f, true, writeSpace)
276 writeSpace = writeSpace || anonStr != ""
277 b.WriteString(anonStr)
278 } else if ftype.PkgPath == "" { // exported
283 fmt.Fprintf(&b, "%s=%s", typ.Field(i).Name, layerString(f, false, writeSpace))
294 fmt.Fprintf(&b, "..%d..", v.Len())
296 for j := 0; j < v.Len(); j++ {
300 b.WriteString(layerString(v.Index(j), false, false))
306 return fmt.Sprintf("%v", v.Interface())
310 longBytesLength = 128
313 // LongBytesGoString returns a string representation of the byte slice shortened
314 // using the format '<type>{<truncated slice> ... (<n> bytes)}' if it
315 // exceeds a predetermined length. Can be used to avoid filling the display with
316 // very long byte strings.
317 func LongBytesGoString(buf []byte) string {
318 if len(buf) < longBytesLength {
319 return fmt.Sprintf("%#v", buf)
321 s := fmt.Sprintf("%#v", buf[:longBytesLength-1])
322 s = strings.TrimSuffix(s, "}")
323 return fmt.Sprintf("%s ... (%d bytes)}", s, len(buf))
326 func baseLayerString(value reflect.Value) string {
328 content := value.Field(0)
329 c := make([]byte, content.Len())
331 c[i] = byte(content.Index(i).Uint())
333 payload := value.Field(1)
334 p := make([]byte, payload.Len())
336 p[i] = byte(payload.Index(i).Uint())
338 return fmt.Sprintf("%s{Contents:%s, Payload:%s}", t.String(),
339 LongBytesGoString(c),
340 LongBytesGoString(p))
343 func layerGoString(i interface{}, b *bytes.Buffer) {
344 if s, ok := i.(fmt.GoStringer); ok {
345 b.WriteString(s.GoString())
351 if v, ok = i.(reflect.Value); !ok {
352 v = reflect.ValueOf(i)
355 case reflect.Ptr, reflect.Interface:
356 if v.Kind() == reflect.Ptr {
359 layerGoString(v.Elem().Interface(), b)
362 b.WriteString(t.String())
364 for i := 0; i < v.NumField(); i++ {
368 if t.Field(i).Name == "BaseLayer" {
369 fmt.Fprintf(b, "BaseLayer:%s", baseLayerString(v.Field(i)))
370 } else if v.Field(i).Kind() == reflect.Struct {
371 fmt.Fprintf(b, "%s:", t.Field(i).Name)
372 layerGoString(v.Field(i), b)
373 } else if v.Field(i).Kind() == reflect.Ptr {
375 layerGoString(v.Field(i), b)
377 fmt.Fprintf(b, "%s:%#v", t.Field(i).Name, v.Field(i))
382 fmt.Fprintf(b, "%#v", i)
386 // LayerGoString returns a representation of the layer in Go syntax,
387 // taking care to shorten "very long" BaseLayer byte slices
388 func LayerGoString(l Layer) string {
389 b := new(bytes.Buffer)
394 func (p *packet) packetString() string {
396 fmt.Fprintf(&b, "PACKET: %d bytes", len(p.Data()))
397 if p.metadata.Truncated {
398 b.WriteString(", truncated")
400 if p.metadata.Length > 0 {
401 fmt.Fprintf(&b, ", wire length %d cap length %d", p.metadata.Length, p.metadata.CaptureLength)
403 if !p.metadata.Timestamp.IsZero() {
404 fmt.Fprintf(&b, " @ %v", p.metadata.Timestamp)
407 for i, l := range p.layers {
408 fmt.Fprintf(&b, "- Layer %d (%02d bytes) = %s\n", i+1, len(l.LayerContents()), LayerString(l))
413 func (p *packet) packetDump() string {
415 fmt.Fprintf(&b, "-- FULL PACKET DATA (%d bytes) ------------------------------------\n%s", len(p.data), hex.Dump(p.data))
416 for i, l := range p.layers {
417 fmt.Fprintf(&b, "--- Layer %d ---\n%s", i+1, LayerDump(l))
422 // eagerPacket is a packet implementation that does eager decoding. Upon
423 // initial construction, it decodes all the layers it can from packet data.
424 // eagerPacket implements Packet and PacketBuilder.
425 type eagerPacket struct {
429 var errNilDecoder = errors.New("NextDecoder passed nil decoder, probably an unsupported decode type")
431 func (p *eagerPacket) NextDecoder(next Decoder) error {
436 return errors.New("NextDecoder called, but no layers added yet")
438 d := p.last.LayerPayload()
442 // Since we're eager, immediately call the next decoder.
443 return next.Decode(d, p)
445 func (p *eagerPacket) initialDecode(dec Decoder) {
446 defer p.recoverDecodeError()
447 err := dec.Decode(p.data, p)
449 p.addFinalDecodeError(err, nil)
452 func (p *eagerPacket) LinkLayer() LinkLayer {
455 func (p *eagerPacket) NetworkLayer() NetworkLayer {
458 func (p *eagerPacket) TransportLayer() TransportLayer {
461 func (p *eagerPacket) ApplicationLayer() ApplicationLayer {
464 func (p *eagerPacket) ErrorLayer() ErrorLayer {
467 func (p *eagerPacket) Layers() []Layer {
470 func (p *eagerPacket) Layer(t LayerType) Layer {
471 for _, l := range p.layers {
472 if l.LayerType() == t {
478 func (p *eagerPacket) LayerClass(lc LayerClass) Layer {
479 for _, l := range p.layers {
480 if lc.Contains(l.LayerType()) {
486 func (p *eagerPacket) String() string { return p.packetString() }
487 func (p *eagerPacket) Dump() string { return p.packetDump() }
489 // lazyPacket does lazy decoding on its packet data. On construction it does
490 // no initial decoding. For each function call, it decodes only as many layers
491 // as are necessary to compute the return value for that function.
492 // lazyPacket implements Packet and PacketBuilder.
493 type lazyPacket struct {
498 func (p *lazyPacket) NextDecoder(next Decoder) error {
505 func (p *lazyPacket) decodeNextLayer() {
511 d = p.last.LayerPayload()
515 // We've just set p.next to nil, so if we see we have no data, this should be
516 // the final call we get to decodeNextLayer if we return here.
520 defer p.recoverDecodeError()
521 err := next.Decode(d, p)
523 p.addFinalDecodeError(err, nil)
526 func (p *lazyPacket) LinkLayer() LinkLayer {
527 for p.link == nil && p.next != nil {
532 func (p *lazyPacket) NetworkLayer() NetworkLayer {
533 for p.network == nil && p.next != nil {
538 func (p *lazyPacket) TransportLayer() TransportLayer {
539 for p.transport == nil && p.next != nil {
544 func (p *lazyPacket) ApplicationLayer() ApplicationLayer {
545 for p.application == nil && p.next != nil {
550 func (p *lazyPacket) ErrorLayer() ErrorLayer {
551 for p.failure == nil && p.next != nil {
556 func (p *lazyPacket) Layers() []Layer {
562 func (p *lazyPacket) Layer(t LayerType) Layer {
563 for _, l := range p.layers {
564 if l.LayerType() == t {
568 numLayers := len(p.layers)
571 for _, l := range p.layers[numLayers:] {
572 if l.LayerType() == t {
576 numLayers = len(p.layers)
580 func (p *lazyPacket) LayerClass(lc LayerClass) Layer {
581 for _, l := range p.layers {
582 if lc.Contains(l.LayerType()) {
586 numLayers := len(p.layers)
589 for _, l := range p.layers[numLayers:] {
590 if lc.Contains(l.LayerType()) {
594 numLayers = len(p.layers)
598 func (p *lazyPacket) String() string { p.Layers(); return p.packetString() }
599 func (p *lazyPacket) Dump() string { p.Layers(); return p.packetDump() }
601 // DecodeOptions tells gopacket how to decode a packet.
602 type DecodeOptions struct {
603 // Lazy decoding decodes the minimum number of layers needed to return data
604 // for a packet at each function call. Be careful using this with concurrent
605 // packet processors, as each call to packet.* could mutate the packet, and
606 // two concurrent function calls could interact poorly.
608 // NoCopy decoding doesn't copy its input buffer into storage that's owned by
609 // the packet. If you can guarantee that the bytes underlying the slice
610 // passed into NewPacket aren't going to be modified, this can be faster. If
611 // there's any chance that those bytes WILL be changed, this will invalidate
614 // SkipDecodeRecovery skips over panic recovery during packet decoding.
615 // Normally, when packets decode, if a panic occurs, that panic is captured
616 // by a recover(), and a DecodeFailure layer is added to the packet detailing
617 // the issue. If this flag is set, panics are instead allowed to continue up
619 SkipDecodeRecovery bool
620 // DecodeStreamsAsDatagrams enables routing of application-level layers in the TCP
621 // decoder. If true, we should try to decode layers after TCP in single packets.
622 // This is disabled by default because the reassembly package drives the decoding
623 // of TCP payload data after reassembly.
624 DecodeStreamsAsDatagrams bool
627 // Default decoding provides the safest (but slowest) method for decoding
628 // packets. It eagerly processes all layers (so it's concurrency-safe) and it
629 // copies its input buffer upon creation of the packet (so the packet remains
630 // valid if the underlying slice is modified. Both of these take time,
631 // though, so beware. If you can guarantee that the packet will only be used
632 // by one goroutine at a time, set Lazy decoding. If you can guarantee that
633 // the underlying slice won't change, set NoCopy decoding.
634 var Default = DecodeOptions{}
636 // Lazy is a DecodeOptions with just Lazy set.
637 var Lazy = DecodeOptions{Lazy: true}
639 // NoCopy is a DecodeOptions with just NoCopy set.
640 var NoCopy = DecodeOptions{NoCopy: true}
642 // DecodeStreamsAsDatagrams is a DecodeOptions with just DecodeStreamsAsDatagrams set.
643 var DecodeStreamsAsDatagrams = DecodeOptions{DecodeStreamsAsDatagrams: true}
645 // NewPacket creates a new Packet object from a set of bytes. The
646 // firstLayerDecoder tells it how to interpret the first layer from the bytes,
647 // future layers will be generated from that first layer automatically.
648 func NewPacket(data []byte, firstLayerDecoder Decoder, options DecodeOptions) Packet {
650 dataCopy := make([]byte, len(data))
656 packet: packet{data: data, decodeOptions: options},
657 next: firstLayerDecoder,
659 p.layers = p.initialLayers[:0]
661 // If the following return statemet is REMOVED, and Lazy is FALSE, then
662 // eager packet processing becomes 17% FASTER. No, there is no logical
663 // explanation for this. However, it's such a hacky micro-optimization that
664 // we really can't rely on it. It appears to have to do with the size the
665 // compiler guesses for this function's stack space, since one symptom is
666 // that with the return statement in place, we more than double calls to
667 // runtime.morestack/runtime.lessstack. We'll hope the compiler gets better
668 // over time and we get this optimization for free. Until then, we'll have
669 // to live with slower packet processing.
673 packet: packet{data: data, decodeOptions: options},
675 p.layers = p.initialLayers[:0]
676 p.initialDecode(firstLayerDecoder)
680 // PacketDataSource is an interface for some source of packet data. Users may
681 // create their own implementations, or use the existing implementations in
682 // gopacket/pcap (libpcap, allows reading from live interfaces or from
683 // pcap files) or gopacket/pfring (PF_RING, allows reading from live
685 type PacketDataSource interface {
686 // ReadPacketData returns the next packet available from this data source.
688 // data: The bytes of an individual packet.
689 // ci: Metadata about the capture
690 // err: An error encountered while reading packet data. If err != nil,
691 // then data/ci will be ignored.
692 ReadPacketData() (data []byte, ci CaptureInfo, err error)
695 // ConcatFinitePacketDataSources returns a PacketDataSource that wraps a set
696 // of internal PacketDataSources, each of which will stop with io.EOF after
697 // reading a finite number of packets. The returned PacketDataSource will
698 // return all packets from the first finite source, followed by all packets from
699 // the second, etc. Once all finite sources have returned io.EOF, the returned
700 // source will as well.
701 func ConcatFinitePacketDataSources(pds ...PacketDataSource) PacketDataSource {
706 type concat []PacketDataSource
708 func (c *concat) ReadPacketData() (data []byte, ci CaptureInfo, err error) {
710 data, ci, err = (*c)[0].ReadPacketData()
717 return nil, CaptureInfo{}, io.EOF
720 // ZeroCopyPacketDataSource is an interface to pull packet data from sources
721 // that allow data to be returned without copying to a user-controlled buffer.
722 // It's very similar to PacketDataSource, except that the caller must be more
723 // careful in how the returned buffer is handled.
724 type ZeroCopyPacketDataSource interface {
725 // ZeroCopyReadPacketData returns the next packet available from this data source.
727 // data: The bytes of an individual packet. Unlike with
728 // PacketDataSource's ReadPacketData, the slice returned here points
729 // to a buffer owned by the data source. In particular, the bytes in
730 // this buffer may be changed by future calls to
731 // ZeroCopyReadPacketData. Do not use the returned buffer after
732 // subsequent ZeroCopyReadPacketData calls.
733 // ci: Metadata about the capture
734 // err: An error encountered while reading packet data. If err != nil,
735 // then data/ci will be ignored.
736 ZeroCopyReadPacketData() (data []byte, ci CaptureInfo, err error)
739 // PacketSource reads in packets from a PacketDataSource, decodes them, and
742 // There are currently two different methods for reading packets in through
745 // Reading With Packets Function
747 // This method is the most convenient and easiest to code, but lacks
748 // flexibility. Packets returns a 'chan Packet', then asynchronously writes
749 // packets into that channel. Packets uses a blocking channel, and closes
750 // it if an io.EOF is returned by the underlying PacketDataSource. All other
751 // PacketDataSource errors are ignored and discarded.
752 // for packet := range packetSource.Packets() {
756 // Reading With NextPacket Function
758 // This method is the most flexible, and exposes errors that may be
759 // encountered by the underlying PacketDataSource. It's also the fastest
760 // in a tight loop, since it doesn't have the overhead of a channel
761 // read/write. However, it requires the user to handle errors, most
762 // importantly the io.EOF error in cases where packets are being read from
765 // packet, err := packetSource.NextPacket()
766 // if err == io.EOF {
768 // } else if err != nil {
769 // log.Println("Error:", err)
772 // handlePacket(packet) // Do something with each packet.
774 type PacketSource struct {
775 source PacketDataSource
777 // DecodeOptions is the set of options to use for decoding each piece
778 // of packet data. This can/should be changed by the user to reflect the
779 // way packets should be decoded.
784 // NewPacketSource creates a packet data source.
785 func NewPacketSource(source PacketDataSource, decoder Decoder) *PacketSource {
786 return &PacketSource{
792 // NextPacket returns the next decoded packet from the PacketSource. On error,
793 // it returns a nil packet and a non-nil error.
794 func (p *PacketSource) NextPacket() (Packet, error) {
795 data, ci, err := p.source.ReadPacketData()
799 packet := NewPacket(data, p.decoder, p.DecodeOptions)
800 m := packet.Metadata()
802 m.Truncated = m.Truncated || ci.CaptureLength < ci.Length
806 // packetsToChannel reads in all packets from the packet source and sends them
807 // to the given channel. When it receives an error, it ignores it. When it
808 // receives an io.EOF, it closes the channel.
809 func (p *PacketSource) packetsToChannel() {
812 packet, err := p.NextPacket()
815 } else if err == nil {
821 // Packets returns a channel of packets, allowing easy iterating over
822 // packets. Packets will be asynchronously read in from the underlying
823 // PacketDataSource and written to the returned channel. If the underlying
824 // PacketDataSource returns an io.EOF error, the channel will be closed.
825 // If any other error is encountered, it is ignored.
827 // for packet := range packetSource.Packets() {
828 // handlePacket(packet) // Do something with each packet.
831 // If called more than once, returns the same channel.
832 func (p *PacketSource) Packets() chan Packet {
834 p.c = make(chan Packet, 1000)
835 go p.packetsToChannel()