search

virtalabs / tapirx

Free and open-source medical device discovery and identification
GNU General Public License v3.0
28 stars 8 forks source link

DICOM parser fails to emit IP address information #4

Open ransford opened 5 years ago

ransford commented 5 years ago

Describe the bug IP address information should be included in DICOM message summaries.

$ tapirx -pcap testdata/dicom_arq_4_get_bogus_local.pcap -verbose | jq
{
  "ipv4_address": "",
  "ipv6_address": "",
  "open_port_tcp": "",
  "connect_port_tcp": "",
  "mac_address": "40:00:00:00:40:00",
  "identifier": "testclient",
  "provenance": "DICOM",
  "last_seen": "2019-02-13T12:55:40.737102-08:00",
  "client_id": ""
}

... should look similar to

$ tapirx -pcap testdata/HL7-ADT-UDI-OBX.pcap -verbose | jq
{
  "ipv4_address": "10.0.0.155",
  "ipv6_address": "",
  "open_port_tcp": "",
  "connect_port_tcp": "",
  "mac_address": "00:03:b1:b5:b6:48",
  "identifier": "Hospira Plum A+",
  "provenance": "HL7 OBX-18",
  "last_seen": "2019-02-13T12:56:04.895568-08:00",
  "client_id": ""
}

Platform (please complete the following information):

ransford commented 5 years ago

This specific problem is tickled only on loopback traffic, which doesn't use Ethernet framing. That's why it fails on the testdata data. The gopacket decoding stack we're using (see packet.go) pukes when it doesn't understand a layer, so after encountering the loopback layer, it doesn't find the IP or TCP layers.

It's easy to make a decoding stack that includes a loopback decoder below other layers, but less easy to set up a decoding stack that is alive to Ethernet and loopback packets at once, since we currently hard-code the decoding stack's first layer to Ethernet.

Options to fix this include:

How we'll know when we're done: we can correctly extract IP address information for localhost from testdata/*dicom*.pcap, and also from other pcap files that include DICOM traffic not to/from localhost.