Closed faser2k closed 2 months ago
I was able to analyse the PPPoE encapsulated stuff. I opened a pull request for gopacket https://github.com/google/gopacket/pull/876
If this is merged into master you can add the PPPoE and PPP decoding layer
diff --git a/decoder/decoder.go b/decoder/decoder.go
index afd9825..c9580af 100644
--- a/decoder/decoder.go
+++ b/decoder/decoder.go
@@ -42,6 +42,8 @@ type Decoder struct {
udp layers.UDP
dns layers.DNS
sctp layers.SCTP
+ pppoe layers.PPPoE
+ ppp layers.PPP
payload gopacket.Payload
dedupCache *freecache.Cache
filter []string
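Review bot: The new `pppoe layers.PPPoE` and `ppp layers.PPP` fields in the Decoder struct are only usable with the decoding layer parser if both types implement gopacket's DecodingLayer interface, and the comment above says that depends on gopacket pull request 876 being merged. Bump the gopacket dependency in the same change and state the required version, since a build against a gopacket release without that pull request is not guaranteed to compile.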
@@ -106,6 +108,8 @@ func NewDecoder(datalink layers.LinkType) *Decoder {
dlp.SetDecodingLayerContainer(gopacket.DecodingLayerSparse(nil))
dlp.AddDecodingLayer(&d.sll)
dlp.AddDecodingLayer(&d.d1q)
+ dlp.AddDecodingLayer(&d.pppoe)
+ dlp.AddDecodingLayer(&d.ppp)
dlp.AddDecodingLayer(&d.gre)
dlp.AddDecodingLayer(&d.eth)
dlp.AddDecodingLayer(&d.vxl)
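Review bot: The two `dlp.AddDecodingLayer` calls for `&d.pppoe` and `&d.ppp` in NewDecoder arrive without a test; add one that runs a VLAN plus PPPoE capture through the decoder and asserts that the decoded layers go past Ethernet and Dot1Q. The capture filter is not touched in this hunk, so PPPoE traffic still has to pass the BPF before it reaches these layers; either extend the filter in the same change or document that a custom BPF is needed.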
I was playing around with the BPF but didn't get it working with "pppoes and vlan", as I got an error string and I wasn't able to find out which library is producing it.
ritical: SetBPFFilter '(tcp or sctp) and greater 42 and portrange 5060-5090 or (udp and greater 128 and portrange 5060-5090 or ip[6:2] & 0x1fff != 0 or ip6[6]=44) or (ip and ip[6] & 0x2 = 0 and ip[6:2] & 0x1fff = 0 and udp and udp[8] & 0xc0 = 0x80 and udp[9] >= 0xc8 && udp[9] <= 0xcc) or (vlan and ((tcp or sctp) and greater 42 and portrange 5060-5090 or (udp and greater 128 and portrange 5060-5090 or ip[6:2] & 0x1fff != 0 or ip6[6]=44) or (ip and ip[6] & 0x2 = 0 and ip[6:2] & 0x1fff = 0 and udp and udp[8] & 0xc0 = 0x80 and udp[9] >= 0xc8 && udp[9] <= 0xcc))) or (pppoes and ((tcp or sctp) and greater 42 and portrange 5060-5090 or (udp and greater 128 and portrange 5060-5090 or ip[6:2] & 0x1fff != 0 or ip6[6]=44) or (ip and ip[6] & 0x2 = 0 and ip[6:2] & 0x1fff = 0 and udp and udp[8] & 0xc0 = 0x80 and udp[9] >= 0xc8 && udp[9] <= 0xcc) or (vlan and ((tcp or sctp) and greater 42 and portrange 5060-5090 or (udp and greater 128 and portrange 5060-5090 or ip[6:2] & 0x1fff != 0 or ip6[6]=44) or (ip and ip[6] & 0x2 = 0 and ip[6:2] & 0x1fff = 0 and udp and udp[8] & 0xc0 = 0x80 and udp[9] >= 0xc8 && udp[9] <= 0xcc)))))' for ReadFile pcap: no VLAN support for PPP
My workaround was using a custom BPF with " ", as my PCAP only contains SIP-related stuff anyway.
@faser2k Let's hope Google updates your PR for gopacket soon so we can do a PR for this. Thanks!
Hi, I have a PCAP with VLAN and PPPoE encapsulated SIP traffic which I want to analyse. Is this supported by heplify?
From what I see there is no filtering foreseen in the sniffer.bpf filter for PPPoE towards gopacket.PacketDataSource. Even when I set this to an empty string, d.decodedLayers in decoder.go:183 only contains []gopacket.LayerType=[Ethernet Dot1Q]. I guess afterwards there is no more processing.
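The encapsulation from the question above (Ethernet, 802.1Q, PPPoE session, PPP, IP), walked with bounds checks on the untrusted length fields. This is an added example, not part of the thread and not heplify or gopacket code; `walk` and `sample` are hypothetical names, the frame is constructed, and an uncompressed 2-byte PPP protocol field is assumed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// walk follows Ethernet -> 802.1Q -> PPPoE session -> PPP and returns the
// layers seen plus the offset of the inner IP header.
func walk(f []byte) ([]string, int, error) {
	layers, off := []string{"Ethernet"}, 12 // off = current EtherType field
	for {
		if len(f) < off+2 {
			return layers, 0, errors.New("truncated frame")
		}
		et := binary.BigEndian.Uint16(f[off:])
		off += 2
		switch et {
		case 0x8100: // 802.1Q: skip the 2-byte TCI, next EtherType follows
			layers, off = append(layers, "Dot1Q"), off+2
		case 0x8864: // PPPoE session: 6-byte header, then PPP protocol
			if len(f) < off+8 || f[off] != 0x11 || f[off+1] != 0x00 {
				return layers, 0, errors.New("bad PPPoE session header")
			}
			// PPPoE length covers PPP protocol + payload; reject overruns.
			n := int(binary.BigEndian.Uint16(f[off+4:]))
			if n < 2 || off+6+n > len(f) {
				return layers, 0, errors.New("PPPoE length out of bounds")
			}
			layers = append(layers, "PPPoE", "PPP")
			if p := binary.BigEndian.Uint16(f[off+6:]); p != 0x0021 && p != 0x0057 {
				return layers, 0, fmt.Errorf("PPP protocol 0x%04x is not IP", p)
			}
			return append(layers, "IP"), off + 8, nil
		case 0x0800, 0x86dd: // IPv4 / IPv6 directly after Ethernet or VLAN
			return append(layers, "IP"), off, nil
		default:
			return layers, 0, fmt.Errorf("unhandled EtherType 0x%04x", et)
		}
	}
}

// sample (constructed): zero MACs, VLAN 100, PPPoE session 1, PPP IPv4, 4 stub bytes.
var sample = append(make([]byte, 12), 0x81, 0, 0, 0x64, 0x88, 0x64,
	0x11, 0, 0, 1, 0, 6, 0, 0x21, 0x45, 0, 0, 0x14)

func main() { fmt.Println(walk(sample)) }
```

A walker that handles only the first two cases stops at the same point the question describes, with Ethernet and Dot1Q as the last decoded layers.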