Closed ki4rbc closed 7 years ago
With further testing using nodejs pcap directly, I am finding this same behavior.
here is the test script var pcap = require('/usr/lib/node_modules/pcap'), pcap_session = pcap.createSession("lo", "udp");
console.log("Listening on " + pcap_session.device_name);
pcap_session.on('packet', function (raw_packet) { var packet = pcap.decode.packet(raw_packet); console.log(packet.payload); });
resulting output
EthernetPacket { emitter: undefined, dhost: EthernetAddr { addr: [ 0, 0, 0, 0, 0, 0 ] }, shost: EthernetAddr { addr: [ 0, 0, 0, 0, 0, 0 ] }, ethertype: 2048, vlan: null, payload: IPv4 { emitter: undefined, version: 4, headerLength: 20, diffserv: 0, length: 212, identification: 15488, flags: IPFlags { emitter: undefined, reserved: false, doNotFragment: true, moreFragments: false }, fragmentOffset: 0, ttl: 64, protocol: 17, headerChecksum: 65430, saddr: IPv4Addr { addr: [Object] }, daddr: IPv4Addr { addr: [Object] }, protocolName: undefined, payload: UDP { emitter: undefined, sport: 42504, dport: 6343, length: 192, checksum: 65235, data: <Buffer 00 00 00 05 00 00 00 01 0a 00 00 67 00 00 00 00 00 06 54 b0 13 3e e1 40 00 00 00 01 00 00 00 02 00 00 00 94 00 00 7e 21 00 00 00 05 00 00 00 03 00 00 ... > } } }
I will open this on https://github.com/node-pcap/node_pcap/issues
btw. I am a bit of a noob on js.
Yes, node_pcap does all the hard work. This module just hooks it up to Node-RED.
Given that so many people are having issues with node_pcap, I am thinking about writing a new node that uses libwireshark instead.
It seems to have much better packet parsing / JSON generation and will hopefully be more reliable.
$ sudo tshark -i eth0 -T json "icmp6"
[
Capturing on 'eth0'
{
"_index": "packets-2017-09-01",
"_type": "pcap_file",
"_score": null,
"_source": {
"layers": {
"frame": {
"frame.interface_id": "0",
"frame.encap_type": "1",
"frame.time": "Sep 1, 2017 22:55:26.648727044 BST",
"frame.offset_shift": "0.000000000",
"frame.time_epoch": "1504302926.648727044",
"frame.time_delta": "0.000000000",
"frame.time_delta_displayed": "0.000000000",
"frame.time_relative": "0.000000000",
"frame.number": "1",
"frame.len": "86",
"frame.cap_len": "86",
"frame.marked": "0",
"frame.ignored": "0",
"frame.protocols": "eth:ethertype:ipv6:icmpv6"
},
"eth": {
"eth.dst": "fe:ff:00:00:54:7b",
"eth.dst_tree": {
"eth.dst_resolved": "fe:ff:00:00:54:7b",
"eth.addr": "fe:ff:00:00:54:7b",
"eth.addr_resolved": "fe:ff:00:00:54:7b",
"eth.lg": "1",
"eth.ig": "0"
},
"eth.src": "c8:4c:75:e9:1f:3f",
"eth.src_tree": {
"eth.src_resolved": "Cisco_e9:1f:3f",
"eth.addr": "c8:4c:75:e9:1f:3f",
"eth.addr_resolved": "Cisco_e9:1f:3f",
"eth.lg": "0",
"eth.ig": "0"
},
"eth.type": "0x000086dd"
},
"ipv6": {
"ipv6.version": "6",
"ip.version": "6",
"ipv6.tclass": "0x000000e0",
"ipv6.tclass_tree": {
"ipv6.tclass.dscp": "56",
"ipv6.tclass.ecn": "0"
},
"ipv6.flow": "0x00000000",
"ipv6.plen": "32",
"ipv6.nxt": "58",
"ipv6.hlim": "255",
"ipv6.src": "fe80::ca4c:75ff:fee9:1f3f",
"ipv6.addr": "fe80::ca4c:75ff:fee9:1f3f",
"ipv6.src_host": "fe80::ca4c:75ff:fee9:1f3f",
"ipv6.host": "fe80::ca4c:75ff:fee9:1f3f",
"ipv6.src_sa_mac": "c8:4c:75:e9:1f:3f",
"ipv6.sa_mac": "c8:4c:75:e9:1f:3f",
"ipv6.dst": "2001:41c8:51:7cf::207",
"ipv6.addr": "2001:41c8:51:7cf::207",
"ipv6.dst_host": "2001:41c8:51:7cf::207",
"ipv6.host": "2001:41c8:51:7cf::207",
"Source GeoIP: Unknown": "",
"Destination GeoIP: United Kingdom": {
"ipv6.geoip.dst_country": "United Kingdom",
"ipv6.geoip.country": "United Kingdom"
}
},
"icmpv6": {
"icmpv6.type": "135",
"icmpv6.code": "0",
"icmpv6.checksum": "0x0000e557",
"icmpv6.checksum.status": "1",
"icmpv6.reserved": "00:00:00:00",
"icmpv6.nd.ns.target_address": "2001:41c8:51:7cf::207",
"icmpv6.opt": {
"icmpv6.opt.type": "1",
"icmpv6.opt.length": "1",
"icmpv6.opt.linkaddr": "c8:4c:75:e9:1f:3f",
"icmpv6.opt.src_linkaddr": "c8:4c:75:e9:1f:3f"
}
}
}
}
}
Greetings,
I'm working out how to pull sflow data from an openvswitch bridge sflow agent in order to send flow information to a message buss (rabbitMQ, Kafka, etc)
I am able to decode a packet partly but not the entirely. So I'm wondering if I am doing or not doing something that may result in this behavior.
my node setup
[{"id":"69d45db6.b00d94","type":"debug","z":"abe93a93.3f0958","name":"Standard Output","active":true,"console":"true","complete":"true","x":410,"y":260,"wires":[]},{"id":"bb03c17a.c4b1e","type":"pcap","z":"abe93a93.3f0958","name":"sflow","ifname":"lo","output":"object","filter":"udp port 6343","path":"","x":130,"y":260,"wires":[["69d45db6.b00d94"]]}]
an example output
{ payload: PcapPacket { link_type: 'LINKTYPE_ETHERNET', pcap_header: PcapHeader { tv_sec: 1504215419, tv_usec: 716635, caplen: 226, len: 226 }, payload: EthernetPacket { emitter: undefined, dhost: EthernetAddr { addr: [ 0, 0, 0, 0, 0, 0 ] }, shost: EthernetAddr { addr: [ 0, 0, 0, 0, 0, 0 ] }, ethertype: 2048, vlan: null, payload: IPv4 { emitter: undefined, version: 4, headerLength: 20, diffserv: 0, length: 212, identification: 6659, flags: IPFlags { emitter: undefined, reserved: false, doNotFragment: true, moreFragments: false }, fragmentOffset: 0, ttl: 64, protocol: 17, headerChecksum: 8724, saddr: IPv4Addr { addr: [ 127, 0, 0, 1 ] }, daddr: IPv4Addr { addr: [ 127, 0, 0, 1 ] }, protocolName: undefined, payload: UDP { emitter: undefined, sport: 42504, dport: 6343, length: 192, checksum: 65235, data: <Buffer 00 00 00 05 00 00 00 01 0a 00 00 67 00 00 00 00 00 05 ee 30 0f 55 e7 40 00 00 00 01 00 00 00 02 00 00 00 94 00 00 64 81 00 00 00 05 00 00 00 03 00 00 ... > } } }, emitter: undefined }, topic: 'lo', _msgid: '5d5703d5.30f54c' }
dot cap fill attached test.zip