Merge pull request #31 from negbie/master

Decode erspan

Author: negbie

config/config.go

@@ -29,6 +29,7 @@ type InterfacesConfig struct {
 	RotationTime int    `config:"rotation_time"`
 	PortRange    string `config:"port_range"`
 	WithVlan     bool   `config:"with_vlan"`
+	WithErspan   bool   `config:"with_erspan"`
 	Snaplen      int    `config:"snaplen"`
 	BufferSizeMb int    `config:"buffer_size_mb"`
 	ReadSpeed    bool   `config:"top_speed"`

decoder/decoder.go

@@ -131,6 +131,20 @@ func (d *Decoder) Process(data []byte, ci *gopacket.CaptureInfo) (*Packet, error
 	packet := gopacket.NewPacket(data, d.LayerType, gopacket.DecodeOptions{Lazy: true, NoCopy: true})
 	logp.Debug("layer", "\n%v", packet)
 
+	if greLayer := packet.Layer(layers.LayerTypeGRE); greLayer != nil {
+		gre, ok := greLayer.(*layers.GRE)
+		if !ok {
+			return nil, nil
+		}
+
+		if config.Cfg.Iface.WithErspan {
+			packet = gopacket.NewPacket(gre.Payload[8:], d.LayerType, gopacket.DecodeOptions{Lazy: true, NoCopy: true})
+		} else {
+			packet = gopacket.NewPacket(gre.Payload, d.LayerType, gopacket.DecodeOptions{Lazy: true, NoCopy: true})
+		}
+		logp.Debug("layer", "\nlayer inside GRE\n%v", packet)
+	}
+
 	if dot1qLayer := packet.Layer(layers.LayerTypeDot1Q); dot1qLayer != nil {
 		dot1q, ok := dot1qLayer.(*layers.Dot1Q)
 		if !ok {
@@ -205,7 +219,9 @@ func (d *Decoder) Process(data []byte, ci *gopacket.CaptureInfo) (*Packet, error
 			return nil, nil
 		}
 
-		pkt.ProtoType = 1
+		if bytes.Contains(udp.Payload, []byte("sip")) {
+			pkt.ProtoType = 1
+		}
 		pkt.SrcPort = uint16(udp.SrcPort)
 		pkt.DstPort = uint16(udp.DstPort)
 		pkt.Payload = udp.Payload
@@ -254,7 +270,9 @@ func (d *Decoder) Process(data []byte, ci *gopacket.CaptureInfo) (*Packet, error
 			return nil, nil
 		}
 
-		pkt.ProtoType = 1
+		if bytes.Contains(tcp.Payload, []byte("sip")) {
+			pkt.ProtoType = 1
+		}
 		pkt.SrcPort = uint16(tcp.SrcPort)
 		pkt.DstPort = uint16(tcp.DstPort)
 		pkt.Payload = tcp.Payload

main.go

@@ -36,7 +36,8 @@ func parseFlags() {
 	flag.BoolVar(&ifaceConfig.ReadSpeed, "rs", false, "Maximum pcap read speed. Doesn't use packet timestamps")
 	flag.IntVar(&ifaceConfig.Snaplen, "s", 16384, "Snaplength")
 	flag.StringVar(&ifaceConfig.PortRange, "pr", "5060-5090", "Portrange to capture SIP")
-	flag.BoolVar(&ifaceConfig.WithVlan, "vl", false, "Vlan")
+	flag.BoolVar(&ifaceConfig.WithVlan, "vlan", false, "vlan")
+	flag.BoolVar(&ifaceConfig.WithErspan, "erspan", false, "erspan")
 	flag.IntVar(&ifaceConfig.BufferSizeMb, "b", 32, "Interface buffersize (MB)")
 	flag.StringVar(&logging.Level, "l", "info", "Log level [debug, info, warning, error]")
 	flag.BoolVar(&ifaceConfig.OneAtATime, "o", false, "Read packet for packet")

sniffer/sniffer.go

@@ -109,6 +109,9 @@ func (sniffer *SnifferSetup) setFromConfig() error {
 	if sniffer.config.WithVlan {
 		sniffer.filter = fmt.Sprintf("%s or (vlan and (%s))", sniffer.filter, sniffer.filter)
 	}
+	if sniffer.config.WithErspan {
+		sniffer.filter = fmt.Sprintf("%s or proto GRE", sniffer.filter)
+	}
 
 	logp.Info("Sniffer [type:%s, device:%s, mode:%s] OS [type:%s, arch:%s]",
 		sniffer.config.Type, sniffer.config.Device, sniffer.mode, runtime.GOOS, runtime.GOARCH)