rusticata / pcap-parser

PCAP/PCAPNG file format parser written in pure Rust. Fast, zero-copy, safe.

Support nanosecond-resolution PCAP file parsing #8

Closed robber-m closed 4 years ago

robber-m commented 4 years ago

Hello, I'm just getting started with one of my first Rust projects and I'm hoping to make use of your crate!

In using your LegacyPcapReader, I ran into some trouble. The PCAP recordings I am working with are all Legacy PCAPs recorded with nanosecond-resolution timestamps, so they use a not-yet-supported magic number.

These excerpts from the Wireshark wiki cover the key information for interpreting nanosecond-resolution PCAPs:

The reading application will read either 0xa1b2c3d4 (identical) or 0xd4c3b2a1 (swapped). If the reading application reads the swapped 0xd4c3b2a1 value, it knows that all the following fields will have to be swapped too. For nanosecond-resolution files, the writing application writes 0xa1b23c4d, with the two nibbles of the two lower-order bytes swapped, and the reading application will read either 0xa1b23c4d (identical) or 0x4d3cb2a1 (swapped).

ts_usec: in regular pcap files, the microseconds when this packet was captured, as an offset to ts_sec. In nanosecond-resolution files, this is, instead, the nanoseconds when the packet was captured, as an offset to ts_sec

Source: https://gitlab.com/wireshark/wireshark/-/wikis/Development/LibpcapFileFormat

I took a first pass at supporting this new magic number myself, but I'm very new to Rust (and nom as well), so please let me know if I did something ugly, unidiomatic, or different from the way you think this should be implemented. I'll be happy to rework my PR to incorporate your feedback!

Thanks for writing an awesome crate! I tried writing a similar-style pcap iterator using nom a few months ago and really struggled!
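The two Wireshark wiki excerpts above describe everything a reader needs to handle both legacy magic numbers: detect byte order and precision from the first four bytes, then interpret the record header's second field as microseconds or nanoseconds accordingly. The following is an added example that is not part of this PR or of the pcap-parser crate; the names (`Magic`, `detect_magic`, `parse_record_header`, `timestamp_ns`, `parse_first_record`) and the two sample files are constructed here for illustration. It rejects fractional-second values that are out of range for the declared precision, which is the check a parser wants so that a mis-detected or malformed file cannot yield overlapping or nonsensical timestamps.

```rust
// Added example (not pcap-parser code): detect the four legacy pcap magic
// numbers and normalise a record timestamp to nanoseconds.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Endian { Big, Little }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Precision { Micro, Nano }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Magic { pub endian: Endian, pub precision: Precision }

/// Microsecond magic as the writer stores it in native byte order.
pub const MAGIC_USEC: u32 = 0xa1b2_c3d4;
/// Nanosecond magic: the two nibbles of the two low-order bytes are swapped.
pub const MAGIC_NSEC: u32 = 0xa1b2_3c4d;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct RecordHeader {
    pub ts_sec: u32,
    /// The on-disk `ts_usec` field: microseconds or nanoseconds depending on the magic.
    pub ts_frac: u32,
    pub incl_len: u32,
    pub orig_len: u32,
}

/// Read the magic as big-endian: a big-endian writer yields the "identical"
/// value, a little-endian writer yields its byte-swapped form.
pub fn detect_magic(bytes: &[u8]) -> Option<Magic> {
    if bytes.len() < 4 { return None; }
    let raw = u32::from_be_bytes([bytes[0], bytes[1], bytes[2], bytes[3]]);
    let magic = match raw {
        MAGIC_USEC => Magic { endian: Endian::Big, precision: Precision::Micro },
        x if x == MAGIC_USEC.swap_bytes() => Magic { endian: Endian::Little, precision: Precision::Micro },
        MAGIC_NSEC => Magic { endian: Endian::Big, precision: Precision::Nano },
        x if x == MAGIC_NSEC.swap_bytes() => Magic { endian: Endian::Little, precision: Precision::Nano },
        _ => return None,
    };
    Some(magic)
}

fn read_u32(endian: Endian, b: &[u8]) -> u32 {
    let arr = [b[0], b[1], b[2], b[3]];
    match endian {
        Endian::Big => u32::from_be_bytes(arr),
        Endian::Little => u32::from_le_bytes(arr),
    }
}

/// Parse a 16-byte record header using the byte order found in the magic, and
/// reject a fractional part that the declared precision cannot represent.
pub fn parse_record_header(magic: Magic, bytes: &[u8]) -> Option<RecordHeader> {
    if bytes.len() < 16 { return None; }
    let hdr = RecordHeader {
        ts_sec: read_u32(magic.endian, &bytes[0..4]),
        ts_frac: read_u32(magic.endian, &bytes[4..8]),
        incl_len: read_u32(magic.endian, &bytes[8..12]),
        orig_len: read_u32(magic.endian, &bytes[12..16]),
    };
    let max_frac = match magic.precision {
        Precision::Micro => 1_000_000,
        Precision::Nano => 1_000_000_000,
    };
    if hdr.ts_frac >= max_frac { return None; }
    Some(hdr)
}

/// Absolute nanoseconds since the Unix epoch, independent of file precision.
/// u64 is wide enough: u32::MAX seconds * 1e9 fits comfortably below 2^64.
pub fn timestamp_ns(magic: Magic, hdr: &RecordHeader) -> u64 {
    let frac_ns = match magic.precision {
        Precision::Micro => u64::from(hdr.ts_frac) * 1_000,
        Precision::Nano => u64::from(hdr.ts_frac),
    };
    u64::from(hdr.ts_sec) * 1_000_000_000 + frac_ns
}

/// Skip the 24-byte global header and parse the first record.
pub fn parse_first_record(file: &[u8]) -> Option<(Magic, RecordHeader, u64)> {
    let magic = detect_magic(file)?;
    let hdr = parse_record_header(magic, file.get(24..)?)?;
    let ns = timestamp_ns(magic, &hdr);
    Some((magic, hdr, ns))
}

// Constructed sample: little-endian nanosecond file, one 4-byte record at
// ts_sec = 1_600_000_000, ts_frac = 123_456_789 ns.
pub const SAMPLE_NSEC_LE: [u8; 44] = [
    0x4d, 0x3c, 0xb2, 0xa1, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x10, 0x5e, 0x5f, 0x15, 0xcd, 0x5b, 0x07, 0x04, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef,
];

// Constructed sample: big-endian microsecond file, same second, ts_frac = 123_456 us.
pub const SAMPLE_USEC_BE: [u8; 44] = [
    0xa1, 0xb2, 0xc3, 0xd4, 0x00, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01,
    0x5f, 0x5e, 0x10, 0x00, 0x00, 0x01, 0xe2, 0x40, 0x00, 0x00, 0x00, 0x04,
    0x00, 0x00, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef,
];

fn main() {
    for (name, sample) in [("nsec LE", &SAMPLE_NSEC_LE[..]), ("usec BE", &SAMPLE_USEC_BE[..])] {
        match parse_first_record(sample) {
            Some((m, h, ns)) => println!("{name}: {m:?} ts_sec={} ts_frac={} -> {ns} ns", h.ts_sec, h.ts_frac),
            None => println!("{name}: not a recognised legacy pcap"),
        }
    }
}
```

Both samples decode to the same absolute second; only the scaling of the second header field differs. This is the per-format decision chifflier raises below: once the precision is known from the magic, the crate (or its user) can expose a single normalised timestamp rather than leaving every caller to remember which unit `ts_usec` is in.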

chifflier commented 4 years ago

Hi, Thanks for the PR and the explanation. Your patch looks correct, I'm reviewing and running some tests, but I think there are no problems and that it will be merged soon.

Just to be sure of one thing: it is up to the crate user to check the precision, and use microseconds/nanoseconds depending on the header? There are similar problems (even more complex) with pcap-ng, so I added a function to extract the timestamp. Maybe this should be abstracted for both formats.

chifflier commented 4 years ago

Merged (with some changes), thanks!

robber-m commented 4 years ago

Thanks so much! Sorry I missed your earlier comments! I had my Github email notification settings misconfigured. Really, thanks again!

robber-m commented 4 years ago

> Hi, Thanks for the PR and the explanation. Your patch looks correct, I'm reviewing and running some tests, but I think there are no problems and that it will be merged soon.
>
> Just to be sure of one thing: it is up to the crate user to check the precision, and use microseconds/nanoseconds depending on the header? There are similar problems (even more complex) with pcap-ng, so I added a function to extract the timestamp. Maybe this should be abstracted for both formats.

A function to extract the timestamp feels to me like it would be a nice addition here. Because I have so little Rust experience, I thought I would try to incorporate my changes in a way that had minimal impact on the library to avoid doing something unidiomatic.