NTP检测使用golang,负载为空。

huangapple go评论86阅读模式
英文:

NTP detection using golang, payload coming up empty

问题

我正在使用golang和gopacket包来检测NTP。我正在使用从wireshark下载的pcap文件。我有以下代码来打开和处理PCAP文件:

func (d *DPI) readPCAP(pcapFile string) (*pcap.Handle, error) {
    // 打开文件而不是设备
    handle, err := pcap.OpenOffline(pcapFile)
    if err != nil {
        return nil, err
    }
    return handle, nil
}

这是我编写的用于执行实际检测的代码:

func TestNTP(t *testing.T) {
    dpi := newDPI()
    handle, _ := dpi.readPCAP("data/pcap/NTP_sync.pcap")

    var filter = "udp and port 123"
    dpi.setFilter(handle, filter)
    ntpPackets := 0

    for packet := range dpi.getPacketChan(handle) {
        fmt.Println("stuff: ", packet.ApplicationLayer().Payload())
        if dpi.detectNTP(packet) == 1 {
            ntpPackets++
        } else {
            fmt.Println(" Output : ", dpi.detectNTP(packet))
        }
    }
    fmt.Println(" Total ntp packets ", ntpPackets)
}

ApplicationLayer中的Payload内容为空,我无法弄清楚为什么会这样。

当我打印出ApplicationLayer本身时的示例截图:

https://i.gyazo.com/6257f298a09e7403bbc0be5b8ac84ccc.png

当我打印出Payload时的示例截图:

https://i.gyazo.com/7f4abd449025f5d65160fdbecffa8181.png

希望能帮助我找出问题所在。谢谢!

英文:

I'm working on detecting NTP using golang and the gopacket package. I'm using a pcap I downloaded from wireshark. I've got the following code for opening PCAPs and handling them :

func (d *DPI) readPCAP(pcapFile string) (*pcap.Handle, error) {
	// Open file instead of device
	handle, err := pcap.OpenOffline(pcapFile)
	if err != nil {
		return nil, err
	}
	return handle, nil
}

And this is the code I'm writing to perform the actual detection

func TestNTP(t *testing.T) {



	dpi := newDPI()
	handle, _ := dpi.readPCAP("data/pcap/NTP_sync.pcap")

	var filter = "udp and port 123"
	dpi.setFilter(handle,filter)
	ntpPackets := 0

	for packet := range dpi.getPacketChan(handle) {
		fmt.Println("stuff: ",packet.ApplicationLayer().Payload())
		if dpi.detectNTP(packet) == 1 {
			ntpPackets++
		} else {
			fmt.Println(" Output : ", dpi.detectNTP(packet))
		}
	}
	fmt.Println(" Total ntp packets ", ntpPackets)

	
}

The Payload content in the ApplicationLayer is coming up empty and I'm unable to figure out why this is happening.

Example screenshot when I print out the ApplicationLayer itself :

https://i.gyazo.com/6257f298a09e7403bbc0be5b8ac84ccc.png

Example screenshot when I print out the Payload :
https://i.gyazo.com/7f4abd449025f5d65160fdbecffa8181.png

Could use some help figuring out what I'm doing wrong.
Thanks!

答案1

得分: 1

阅读了golang源代码后,我发现了这段代码:

// NTP数据包不携带任何数据负载,因此返回一个空的字节切片。
// 在Go语言中,一个nil切片在功能上与一个空切片是相同的,所以我们
// 返回nil以避免堆分配。
func (d *NTP) Payload() []byte {
    return nil
}

所以,显然它不应该携带负载。我已经成功使用层进行了检测。

英文:

Reading through the golang soure code, I came across this :

// NTP packets do not carry any data payload, so the empty byte slice is retured.
// In Go, a nil slice is functionally identical to an empty slice, so we
// return nil to avoid a heap allocation.
func (d *NTP) Payload() []byte {
    return nil
}

So, apparently it's not supposed to carry a Payload. I've managed to perform the detection using layers.

huangapple
  • 本文由 发表于 2017年3月15日 14:56:33
  • 转载请务必保留本文链接:https://go.coder-hub.com/42802969.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定