search

njh / node-red-contrib-pcap

Network packet capture for Node-RED
http://flows.nodered.org/node/node-red-contrib-pcap
Apache License 2.0
8 stars 7 forks source link

sflow packets not entirely decoded #3

Closed ki4rbc closed 7 years ago

ki4rbc commented 7 years ago

Greetings,

I'm working out how to pull sflow data from an openvswitch bridge sflow agent in order to send flow information to a message buss (rabbitMQ, Kafka, etc)

I am able to decode a packet partly but not the entirely. So I'm wondering if I am doing or not doing something that may result in this behavior.

my node setup

[{"id":"69d45db6.b00d94","type":"debug","z":"abe93a93.3f0958","name":"Standard Output","active":true,"console":"true","complete":"true","x":410,"y":260,"wires":[]},{"id":"bb03c17a.c4b1e","type":"pcap","z":"abe93a93.3f0958","name":"sflow","ifname":"lo","output":"object","filter":"udp port 6343","path":"","x":130,"y":260,"wires":[["69d45db6.b00d94"]]}]

an example output

{ payload: PcapPacket { link_type: 'LINKTYPE_ETHERNET', pcap_header: PcapHeader { tv_sec: 1504215419, tv_usec: 716635, caplen: 226, len: 226 }, payload: EthernetPacket { emitter: undefined, dhost: EthernetAddr { addr: [ 0, 0, 0, 0, 0, 0 ] }, shost: EthernetAddr { addr: [ 0, 0, 0, 0, 0, 0 ] }, ethertype: 2048, vlan: null, payload: IPv4 { emitter: undefined, version: 4, headerLength: 20, diffserv: 0, length: 212, identification: 6659, flags: IPFlags { emitter: undefined, reserved: false, doNotFragment: true, moreFragments: false }, fragmentOffset: 0, ttl: 64, protocol: 17, headerChecksum: 8724, saddr: IPv4Addr { addr: [ 127, 0, 0, 1 ] }, daddr: IPv4Addr { addr: [ 127, 0, 0, 1 ] }, protocolName: undefined, payload: UDP { emitter: undefined, sport: 42504, dport: 6343, length: 192, checksum: 65235, data: <Buffer 00 00 00 05 00 00 00 01 0a 00 00 67 00 00 00 00 00 05 ee 30 0f 55 e7 40 00 00 00 01 00 00 00 02 00 00 00 94 00 00 64 81 00 00 00 05 00 00 00 03 00 00 ... > } } }, emitter: undefined }, topic: 'lo', _msgid: '5d5703d5.30f54c' }

dot cap fill attached test.zip

ki4rbc commented 7 years ago

With further testing using nodejs pcap directly, I am finding this same behavior.

here is the test script var pcap = require('/usr/lib/node_modules/pcap'), pcap_session = pcap.createSession("lo", "udp");

console.log("Listening on " + pcap_session.device_name);

pcap_session.on('packet', function (raw_packet) { var packet = pcap.decode.packet(raw_packet); console.log(packet.payload); });

resulting output

EthernetPacket { emitter: undefined, dhost: EthernetAddr { addr: [ 0, 0, 0, 0, 0, 0 ] }, shost: EthernetAddr { addr: [ 0, 0, 0, 0, 0, 0 ] }, ethertype: 2048, vlan: null, payload: IPv4 { emitter: undefined, version: 4, headerLength: 20, diffserv: 0, length: 212, identification: 15488, flags: IPFlags { emitter: undefined, reserved: false, doNotFragment: true, moreFragments: false }, fragmentOffset: 0, ttl: 64, protocol: 17, headerChecksum: 65430, saddr: IPv4Addr { addr: [Object] }, daddr: IPv4Addr { addr: [Object] }, protocolName: undefined, payload: UDP { emitter: undefined, sport: 42504, dport: 6343, length: 192, checksum: 65235, data: <Buffer 00 00 00 05 00 00 00 01 0a 00 00 67 00 00 00 00 00 06 54 b0 13 3e e1 40 00 00 00 01 00 00 00 02 00 00 00 94 00 00 7e 21 00 00 00 05 00 00 00 03 00 00 ... > } } }

ki4rbc commented 7 years ago

I will open this on https://github.com/node-pcap/node_pcap/issues

btw. I am a bit of a noob on js.

njh commented 7 years ago

Yes, node_pcap does all the hard work. This module just hooks it up to Node-RED.

Given that so many people are having issues with node_pcap, I am thinking about writing a new node that uses libwireshark instead.

It seems to have much better packet parsing / JSON generation and will hopefully be more reliable.

$ sudo tshark -i eth0 -T json "icmp6"
[
Capturing on 'eth0'
  {
    "_index": "packets-2017-09-01",
    "_type": "pcap_file",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.interface_id": "0",
          "frame.encap_type": "1",
          "frame.time": "Sep  1, 2017 22:55:26.648727044 BST",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1504302926.648727044",
          "frame.time_delta": "0.000000000",
          "frame.time_delta_displayed": "0.000000000",
          "frame.time_relative": "0.000000000",
          "frame.number": "1",
          "frame.len": "86",
          "frame.cap_len": "86",
          "frame.marked": "0",
          "frame.ignored": "0",
          "frame.protocols": "eth:ethertype:ipv6:icmpv6"
        },
        "eth": {
          "eth.dst": "fe:ff:00:00:54:7b",
          "eth.dst_tree": {
            "eth.dst_resolved": "fe:ff:00:00:54:7b",
            "eth.addr": "fe:ff:00:00:54:7b",
            "eth.addr_resolved": "fe:ff:00:00:54:7b",
            "eth.lg": "1",
            "eth.ig": "0"
          },
          "eth.src": "c8:4c:75:e9:1f:3f",
          "eth.src_tree": {
            "eth.src_resolved": "Cisco_e9:1f:3f",
            "eth.addr": "c8:4c:75:e9:1f:3f",
            "eth.addr_resolved": "Cisco_e9:1f:3f",
            "eth.lg": "0",
            "eth.ig": "0"
          },
          "eth.type": "0x000086dd"
        },
        "ipv6": {
          "ipv6.version": "6",
          "ip.version": "6",
          "ipv6.tclass": "0x000000e0",
          "ipv6.tclass_tree": {
            "ipv6.tclass.dscp": "56",
            "ipv6.tclass.ecn": "0"
          },
          "ipv6.flow": "0x00000000",
          "ipv6.plen": "32",
          "ipv6.nxt": "58",
          "ipv6.hlim": "255",
          "ipv6.src": "fe80::ca4c:75ff:fee9:1f3f",
          "ipv6.addr": "fe80::ca4c:75ff:fee9:1f3f",
          "ipv6.src_host": "fe80::ca4c:75ff:fee9:1f3f",
          "ipv6.host": "fe80::ca4c:75ff:fee9:1f3f",
          "ipv6.src_sa_mac": "c8:4c:75:e9:1f:3f",
          "ipv6.sa_mac": "c8:4c:75:e9:1f:3f",
          "ipv6.dst": "2001:41c8:51:7cf::207",
          "ipv6.addr": "2001:41c8:51:7cf::207",
          "ipv6.dst_host": "2001:41c8:51:7cf::207",
          "ipv6.host": "2001:41c8:51:7cf::207",
          "Source GeoIP: Unknown": "",
          "Destination GeoIP: United Kingdom": {
            "ipv6.geoip.dst_country": "United Kingdom",
            "ipv6.geoip.country": "United Kingdom"
          }
        },
        "icmpv6": {
          "icmpv6.type": "135",
          "icmpv6.code": "0",
          "icmpv6.checksum": "0x0000e557",
          "icmpv6.checksum.status": "1",
          "icmpv6.reserved": "00:00:00:00",
          "icmpv6.nd.ns.target_address": "2001:41c8:51:7cf::207",
          "icmpv6.opt": {
            "icmpv6.opt.type": "1",
            "icmpv6.opt.length": "1",
            "icmpv6.opt.linkaddr": "c8:4c:75:e9:1f:3f",
            "icmpv6.opt.src_linkaddr": "c8:4c:75:e9:1f:3f"
          }
        }
      }
    }
  }
ki4rbc commented 7 years ago

Thanks @njh I ended up running sflow-rt and ingesting flow data via its REST APIs thereby pushing the heavy lift to work already done by inMon.

I look forward to seeing your efforts porting over to tshark.