kbandla / dpkt

fast, simple packet creation / parsing, with definitions for the basic TCP/IP protocols

JMirror encapsulation #504

Open brightpinefield opened 3 years ago

brightpinefield commented 3 years ago

Is it possible for dpkt to read JMirror encapsulated packets, given the known JMirror UDP port? For example, in Wireshark, if I don't specify the JMirror port as UDP port 6502 this is what I see:

[Screenshot: Screen Shot 2020-12-14 at 11 17 50 AM]

When I decode UDP port 6502 as JMirror, I get this:

[Screenshot: Screen Shot 2020-12-14 at 11 17 19 AM]

I've attached a sample pcap if it helps... Thank you! jmirror_ip.pcap.zip

obormot commented 3 years ago

It's possible to decode the encapsulated IP layer (in this case) by manually applying it to the underlying UDP data, and skipping the 8 bytes of JMirror header. E.g. for the 1st packet of this pcap:

>>> dpkt.ip.IP(dpkt.ethernet.Ethernet(buf).ip.udp.data[8:])

IP(len=60, id=22676, ttl=126, p=1, sum=48995, src=b'E\x9e\xc0N', dst=b'CF\xdb\x96', opts=b'',
   data=ICMP(sum=55054, data=Echo(id=512, seq=29773, data=b'abcdefghijklmnopqrstuvwabcdefghi')))

brightpinefield commented 3 years ago

@obormot thank you for this! will try it out.. so that will work for the IP layer... is there a way to get to the application layer as well?

obormot commented 3 years ago

@brightpinefield dpkt will auto-decode layers if they are linked (in this example IP -> ICMP -> ICMP Echo were auto-decoded). For application layer usually one would need to specify the decoder to apply.

(Leaving the issue open since dpkt doesn't support JMirror encapsulation).
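Added example, not from the thread and not dpkt's own code: a standard-library-only version of the unwrapping obormot describes, so it runs without dpkt installed. The 8-byte header skip, port 6502 and the inner IP field values are taken from the thread; the JMirror header layout is treated as opaque, and the sample frame, outer addresses and UDP source port are constructed.

```python
import socket
import struct

JMIRROR_PORT = 6502     # UDP port the thread decodes as JMirror
JMIRROR_HDR_LEN = 8     # bytes obormot skips; header layout is treated as opaque here


def parse_ipv4(buf):
    """Parse a minimal IPv4 header; return the fields a dispatcher needs plus the payload."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, tlen, ident, _fo, ttl, proto, _sum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl or tlen < ihl:
        raise ValueError("not a sane IPv4 header")
    return {"id": ident, "ttl": ttl, "p": proto, "len": tlen, "hlen": ihl,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "data": buf[ihl:tlen]}


def decode_jmirror(udp_payload):
    """Skip the JMirror header and decode the mirrored IPv4 packet, as in the thread."""
    if len(udp_payload) < JMIRROR_HDR_LEN + 20:
        raise ValueError("payload too short for a JMirror header plus an IPv4 header")
    return parse_ipv4(udp_payload[JMIRROR_HDR_LEN:])


def unwrap_frame(frame):
    """Ethernet -> IPv4 -> UDP; return the inner IPv4 dict when dst port is 6502, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return None
    outer = parse_ipv4(frame[14:])
    if outer["p"] != 17 or len(outer["data"]) < 8:       # not UDP, or truncated UDP header
        return None
    _sport, dport, ulen, _ucsum = struct.unpack("!HHHH", outer["data"][:8])
    if dport != JMIRROR_PORT:
        return None
    return decode_jmirror(outer["data"][8:ulen])


def build_sample_frame():
    """Constructed sample: ICMP echo mirrored inside JMirror over UDP/6502, reusing the
    inner-IP field values quoted in obormot's reply (checksums are not validated here)."""
    echo = struct.pack("!BBHHH", 8, 0, 0, 512, 29773) + b"abcdefghijklmnopqrstuvwabcdefghi"
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(echo), 22676, 0, 126, 1, 48995,
                           b"E\x9e\xc0N", b"CF\xdb\x96") + echo
    jmirror = b"\x00" * JMIRROR_HDR_LEN + inner_ip          # opaque placeholder JMirror header
    udp = struct.pack("!HHHH", 40000, JMIRROR_PORT, 8 + len(jmirror), 0) + jmirror
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                           socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20")) + udp
    return b"\x00" * 12 + b"\x08\x00" + outer_ip            # zeroed MACs, EtherType IPv4
```

The inner dict carries the same len, id, ttl and protocol values the thread's dpkt output shows, and `data` holds the ICMP bytes that a protocol-specific decoder would be applied to next.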