sipcapture / heplify

Portable and Lightweight HEP Capture Agent for HOMER
https://sipcapture.org
GNU Affero General Public License v3.0

PPPoE and VLAN encapsulated SIP traffic #211

Closed faser2k closed 2 months ago

faser2k commented 3 years ago

Hi, I have a PCAP with VLAN and PPPoE encapsulated SIP traffic which I want to analyse. Is this supported by heplify?

From what I see there is no filtering foreseen in the sniffer.bpf filter for PPPoE towards gopacket.PacketDataSource. Even when I set this to an empty string, d.decodedLayers in decoder.do:183 only contains []gopacket.LayerType=[Ethernet Dot1Q]. I guess afterwards there is no more processing.

faser2k commented 3 years ago

pppoe_vlan_sip.pcap.gz

faser2k commented 3 years ago

I was able to analyse the PPPoE encapsulated stuff. I opened a pull request for gopacket https://github.com/google/gopacket/pull/876

If this is merged into master you can add the PPPoE and PPP decoding layer


diff --git a/decoder/decoder.go b/decoder/decoder.go
index afd9825..c9580af 100644
--- a/decoder/decoder.go
+++ b/decoder/decoder.go
@@ -42,6 +42,8 @@ type Decoder struct {
        udp           layers.UDP
        dns           layers.DNS
        sctp          layers.SCTP
+       pppoe         layers.PPPoE
+       ppp           layers.PPP
        payload       gopacket.Payload
        dedupCache    *freecache.Cache
        filter        []string
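Review bot: The new pppoe and ppp fields sit after sctp, between the transport and application layer fields and payload, although PPPoE and PPP are encapsulation layers below IP. Moving them next to the other encapsulation fields the decoder registers (sll, d1q, gre, eth, vxl) would keep the struct grouped by layer, and a one-line comment saying these two fields depend on the gopacket pull request referenced in this comment would tell a later reader why the gopacket version matters here.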
@@ -106,6 +108,8 @@ func NewDecoder(datalink layers.LinkType) *Decoder {
        dlp.SetDecodingLayerContainer(gopacket.DecodingLayerSparse(nil))
        dlp.AddDecodingLayer(&d.sll)
        dlp.AddDecodingLayer(&d.d1q)
+       dlp.AddDecodingLayer(&d.pppoe)
+       dlp.AddDecodingLayer(&d.ppp)
        dlp.AddDecodingLayer(&d.gre)
        dlp.AddDecodingLayer(&d.eth)
        dlp.AddDecodingLayer(&d.vxl)
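Review bot: Nothing accompanies the two AddDecodingLayer calls for &d.pppoe and &d.ppp to show they are ever exercised: the patch adds no test and leaves the capture filter untouched, and the issue text says sniffer.bpf has no PPPoE handling. Suggest adding a decoder test over a VLAN plus PPPoE capture (the attached pppoe_vlan_sip.pcap.gz would do) that asserts the decoded layers continue past Dot1Q, and documenting that a custom BPF is needed for such traffic until the default filter covers it.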

faser2k commented 3 years ago

I was playing around with the bpf but didn't get it working with "pppoes and vlan" as I got an error string which I wasn't able to find out which library is doing that.

ritical: SetBPFFilter '(tcp or sctp) and greater 42 and portrange 5060-5090 or (udp and greater 128 and portrange 5060-5090 or ip[6:2] & 0x1fff != 0 or ip6[6]=44) or (ip and ip[6] & 0x2 = 0 and ip[6:2] & 0x1fff = 0 and udp and udp[8] & 0xc0 = 0x80 and udp[9] >= 0xc8 && udp[9] <= 0xcc) or (vlan and ((tcp or sctp) and greater 42 and portrange 5060-5090 or (udp and greater 128 and portrange 5060-5090 or ip[6:2] & 0x1fff != 0 or ip6[6]=44) or (ip and ip[6] & 0x2 = 0 and ip[6:2] & 0x1fff = 0 and udp and udp[8] & 0xc0 = 0x80 and udp[9] >= 0xc8 && udp[9] <= 0xcc))) or (pppoes and ((tcp or sctp) and greater 42 and portrange 5060-5090 or (udp and greater 128 and portrange 5060-5090 or ip[6:2] & 0x1fff != 0 or ip6[6]=44) or (ip and ip[6] & 0x2 = 0 and ip[6:2] & 0x1fff = 0 and udp and udp[8] & 0xc0 = 0x80 and udp[9] >= 0xc8 && udp[9] <= 0xcc) or (vlan and ((tcp or sctp) and greater 42 and portrange 5060-5090 or (udp and greater 128 and portrange 5060-5090 or ip[6:2] & 0x1fff != 0 or ip6[6]=44) or (ip and ip[6] & 0x2 = 0 and ip[6:2] & 0x1fff = 0 and udp and udp[8] & 0xc0 = 0x80 and udp[9] >= 0xc8 && udp[9] <= 0xcc)))))' for ReadFile pcap: no VLAN support for PPP

My workaround was using a custom bpf with " " as my PCAP only contains SIP related stuff anyways.

kYroL01 commented 1 year ago

@faser2k Let's hope Google updates your PR for gopacket soon so we can do a PR for this. Thanks!
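
The header chain this thread is about (Ethernet, 802.1Q, PPPoE session, PPP, then IPv4/UDP carrying SIP), as an added example that is not heplify or gopacket code: a standard-library Go walk over those headers that checks each length field before indexing. `SIPPayload`, `SampleFrame` and the frame bytes are constructed for illustration; it assumes an uncompressed 2-byte PPP protocol field and unfragmented IPv4.

```go
package main

import "fmt"

// SIPPayload walks Ethernet, VLAN tag(s), PPPoE session, PPP, IPv4 and UDP; returns the UDP payload.
func SIPPayload(f []byte) (string, error) {
	be := func(b []byte) int { return int(b[0])<<8 | int(b[1]) } // big-endian uint16
	off := 12
	for ; len(f) >= off+6 && (be(f[off:]) == 0x8100 || be(f[off:]) == 0x88a8); off += 4 {
	} // each pass skips one complete 802.1Q / 802.1ad tag
	if len(f) < off+2 {
		return "", fmt.Errorf("truncated Ethernet header")
	}
	et, off := be(f[off:]), off+2
	if et == 0x8864 { // PPPoE session: ver/type, code, session id, length, PPP protocol
		if len(f) < off+8 || f[off] != 0x11 || f[off+1] != 0 || be(f[off+6:]) != 0x0021 {
			return "", fmt.Errorf("not a PPPoE session frame carrying IPv4")
		}
		end := off + 6 + be(f[off+4:])
		if end < off+8 || end > len(f) {
			return "", fmt.Errorf("PPPoE length field does not fit the frame")
		}
		f, et, off = f[:end], 0x0800, off+8 // drop padding, continue at the IPv4 header
	}
	ip := f[off:]
	if et != 0x0800 || len(ip) < 20 || ip[0]>>4 != 4 || ip[9] != 17 {
		return "", fmt.Errorf("not IPv4/UDP")
	}
	ihl, total := int(ip[0]&0x0f)*4, be(ip[2:])
	if ihl < 20 || total < ihl+8 || total > len(ip) {
		return "", fmt.Errorf("inconsistent IPv4 lengths")
	}
	if n := be(ip[ihl+4:]); n >= 8 && ihl+n <= total {
		return string(ip[ihl+8 : ihl+n]), nil
	}
	return "", fmt.Errorf("inconsistent UDP length")
}

// SampleFrame is a constructed VLAN 100 + PPPoE session frame with one SIP request line.
func SampleFrame() []byte {
	sip := "OPTIONS sip:example.invalid SIP/2.0\r\n\r\n"
	f := append(make([]byte, 12), 0x81, 0, 0, 100, 0x88, 0x64)  // zero MACs, VLAN 100
	f = append(f, 0x11, 0, 0, 1, 0, byte(30+len(sip)), 0, 0x21) // PPPoE session 1, PPP IPv4
	f = append(f, 0x45, 0, 0, byte(28+len(sip)), 0, 0, 0, 0, 64, 17, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2)
	f = append(f, 0x13, 0xc4, 0x13, 0xc4, 0, byte(8+len(sip)), 0, 0) // UDP 5060 -> 5060
	return append(f, sip...)
}

func main() { fmt.Println(SIPPayload(SampleFrame())) }
```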