英文:
NTP detection using golang, payload coming up empty
问题
我正在使用golang和gopacket包来检测NTP。我正在使用从wireshark下载的pcap文件。我有以下代码来打开和处理PCAP文件:
func (d *DPI) readPCAP(pcapFile string) (*pcap.Handle, error) {
// 打开文件而不是设备
handle, err := pcap.OpenOffline(pcapFile)
if err != nil {
return nil, err
}
return handle, nil
}
这是我编写的用于执行实际检测的代码:
func TestNTP(t *testing.T) {
dpi := newDPI()
handle, _ := dpi.readPCAP("data/pcap/NTP_sync.pcap")
var filter = "udp and port 123"
dpi.setFilter(handle, filter)
ntpPackets := 0
for packet := range dpi.getPacketChan(handle) {
fmt.Println("stuff: ", packet.ApplicationLayer().Payload())
if dpi.detectNTP(packet) == 1 {
ntpPackets++
} else {
fmt.Println(" Output : ", dpi.detectNTP(packet))
}
}
fmt.Println(" Total ntp packets ", ntpPackets)
}
ApplicationLayer中的Payload内容为空,我无法弄清楚为什么会这样。
当我打印出ApplicationLayer本身时的示例截图:
https://i.gyazo.com/6257f298a09e7403bbc0be5b8ac84ccc.png
当我打印出Payload时的示例截图:
https://i.gyazo.com/7f4abd449025f5d65160fdbecffa8181.png
希望能帮助我找出问题所在。谢谢!
英文:
I'm working on detecting NTP using golang and the gopacket package. I'm using a pcap I downloaded from wireshark. I've got the following code for opening PCAPs and handling them :
func (d *DPI) readPCAP(pcapFile string) (*pcap.Handle, error) {
// Open file instead of device
handle, err := pcap.OpenOffline(pcapFile)
if err != nil {
return nil, err
}
return handle, nil
}
And this is the code I'm writing to perform the actual detection
func TestNTP(t *testing.T) {
dpi := newDPI()
handle, _ := dpi.readPCAP("data/pcap/NTP_sync.pcap")
var filter = "udp and port 123"
dpi.setFilter(handle,filter)
ntpPackets := 0
for packet := range dpi.getPacketChan(handle) {
fmt.Println("stuff: ",packet.ApplicationLayer().Payload())
if dpi.detectNTP(packet) == 1 {
ntpPackets++
} else {
fmt.Println(" Output : ", dpi.detectNTP(packet))
}
}
fmt.Println(" Total ntp packets ", ntpPackets)
}
The Payload content in the ApplicationLayer is coming up empty and I'm unable to figure out why this is happening.
Example screenshot when I print out the ApplicationLayer itself :
https://i.gyazo.com/6257f298a09e7403bbc0be5b8ac84ccc.png
Example screenshot when I print out the Payload :
https://i.gyazo.com/7f4abd449025f5d65160fdbecffa8181.png
Could use some help figuring out what I'm doing wrong.
Thanks!
答案1
得分: 1
阅读了golang源代码后,我发现了这段代码:
// NTP数据包不携带任何数据负载,因此返回一个空的字节切片。
// 在Go语言中,一个nil切片在功能上与一个空切片是相同的,所以我们
// 返回nil以避免堆分配。
func (d *NTP) Payload() []byte {
return nil
}
所以,显然它不应该携带负载。我已经成功使用层进行了检测。
英文:
Reading through the golang soure code, I came across this :
// NTP packets do not carry any data payload, so the empty byte slice is retured.
// In Go, a nil slice is functionally identical to an empty slice, so we
// return nil to avoid a heap allocation.
func (d *NTP) Payload() []byte {
return nil
}
So, apparently it's not supposed to carry a Payload. I've managed to perform the detection using layers.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论