Open brightpinefield opened 3 years ago
It's possible to decode the encapsulated IP layer (in this case) by manually applying it to the underlying UDP data, and skipping the 8 bytes of JMirror header. E.g. for the 1st packet of this pcap:
```python
>>> dpkt.ip.IP(dpkt.ethernet.Ethernet(buf).ip.udp.data[8:])
IP(len=60, id=22676, ttl=126, p=1, sum=48995, src=b'E\x9e\xc0N', dst=b'CF\xdb\x96', opts=b'',
data=ICMP(sum=55054, data=Echo(id=512, seq=29773, data=b'abcdefghijklmnopqrstuvwabcdefghi')))
```
@obormot thank you for this! Will try it out. So that will work for the IP layer... is there a way to get to the application layer as well?
@brightpinefield dpkt will auto-decode layers if they are linked (in this example IP -> ICMP -> ICMP Echo were auto-decoded). For application layer usually one would need to specify the decoder to apply.
(Leaving the issue open since dpkt doesn't support JMirror encapsulation).
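The decapsulation described in the two replies above (skip the 8 bytes of JMirror header that follow the UDP header, parse the rest as IPv4, then pick the decoder for the next layer yourself), written out as a stand-alone example. This is added here and is not dpkt project code; it uses plain `struct` parsing so it runs without dpkt installed, and the `dpkt.ip.IP(...udp.data[8:])` call from the thread is the equivalent one-liner. UDP port 6502 and the 8-byte header size come from the thread; the frame bytes are constructed in `build_sample_frame` and are not taken from the attached pcap, and the zeroed JMirror header is a placeholder since the thread does not describe its fields.

```python
"""Decapsulate JMirror-in-UDP and decode the inner IPv4/ICMP packet.

Added example, not from the dpkt project. Sample packet bytes are constructed.
"""
import struct

JMIRROR_UDP_PORT = 6502   # port named in the thread
JMIRROR_HDR_LEN = 8       # header size named in the thread (contents not modelled)


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, used to build a valid sample header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, ident: int = 1, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def build_sample_frame() -> bytes:
    """Constructed Ethernet/IPv4/UDP(dport 6502)/JMirror/IPv4/ICMP echo frame."""
    echo_payload = b"abcdefghijklmnopqrstuvwabcdefghi"
    icmp = struct.pack("!BBHHH", 8, 0, 0, 512, 29773) + echo_payload  # echo request
    inner_ip = _ipv4(b"\x45\x9e\xc0\x4e", b"\x43\x46\xdb\x96", 1, icmp, ident=22676, ttl=126)
    jmirror = b"\x00" * JMIRROR_HDR_LEN  # placeholder 8-byte JMirror header
    udp_payload = jmirror + inner_ip
    udp = struct.pack("!HHHH", 40000, JMIRROR_UDP_PORT, 8 + len(udp_payload), 0) + udp_payload
    outer_ip = _ipv4(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 17, udp)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + outer_ip


def parse_ipv4(buf: bytes) -> dict:
    """Parse an IPv4 header and return its key fields plus the L4 payload."""
    vihl, _tos, total_len, ident, _frag, ttl, proto, _sum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    return {"src": src, "dst": dst, "proto": proto, "ttl": ttl, "id": ident,
            "len": total_len, "payload": buf[ihl:total_len]}


def decode_jmirror_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP; on the JMirror port, decode the encapsulated IPv4.

    Raises ValueError when the frame is not JMirror-encapsulated, so callers can
    fall back to normal decoding instead of misreading the UDP payload.
    """
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    outer = parse_ipv4(frame[14:])
    if outer["proto"] != 17:
        raise ValueError("outer packet is not UDP")
    udp = outer["payload"]
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if JMIRROR_UDP_PORT not in (sport, dport):
        raise ValueError("UDP ports %d/%d are not the JMirror port" % (sport, dport))
    udp_data = udp[8:ulen]
    # Same step as dpkt.ip.IP(...udp.data[8:]) in the thread: skip the JMirror header.
    inner = parse_ipv4(udp_data[JMIRROR_HDR_LEN:])
    result = {"src": inner["src"], "dst": inner["dst"], "proto": inner["proto"],
              "len": inner["len"], "id": inner["id"], "ttl": inner["ttl"]}
    # Next layer: the caller chooses the decoder from the inner protocol number,
    # which is what the thread means by specifying the application-layer decoder.
    if inner["proto"] == 1:  # ICMP
        itype, _code, _csum, echo_id, echo_seq = struct.unpack("!BBHHH", inner["payload"][:8])
        result.update({"icmp_type": itype, "echo_id": echo_id, "echo_seq": echo_seq,
                       "echo_data": inner["payload"][8:]})
    return result


if __name__ == "__main__":
    print(decode_jmirror_frame(build_sample_frame()))
```

The port check accepts 6502 as either source or destination port because a mirror session can appear in either direction; a frame on any other port raises rather than being silently parsed as inner IP, which is the failure mode you get when the 8-byte skip is applied to ordinary UDP traffic.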
Is it possible for dpkt to read JMirror encapsulated packets, given the known JMirror UDP port? For example, in Wireshark, if I don't specify the JMirror port as UDP port 6502 this is what I see:
When I decode the UDP port 6502 as JMirror, I get this:
I've attached a sample pcap if it helps... Thank you! jmirror_ip.pcap.zip