dsct 0.2.8

LLM-friendly packet dissector CLI
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

use std::collections::HashMap;

use packet_dissector_core::packet::Packet;

use super::helpers::{field_u16, sorted_top_n};
use super::{CountEntry, ProtocolStatsCollector};
use serde::Serialize;

/// Aggregated SCTP statistics.
#[derive(Debug, Clone, Serialize)]
pub struct SctpStats {
    pub total_packets: u64,
    pub top_src_ports: Vec<CountEntry>,
    pub top_dst_ports: Vec<CountEntry>,
    pub top_port_pairs: Vec<CountEntry>,
}

/// Collects SCTP port statistics.
#[derive(Debug)]
pub struct SctpStatsCollector {
    src_ports: HashMap<String, u64>,
    dst_ports: HashMap<String, u64>,
    port_pairs: HashMap<String, u64>,
    total_packets: u64,
}

impl Default for SctpStatsCollector {
    fn default() -> Self {
        Self::new()
    }
}

impl SctpStatsCollector {
    pub fn new() -> Self {
        Self {
            src_ports: HashMap::new(),
            dst_ports: HashMap::new(),
            port_pairs: HashMap::new(),
            total_packets: 0,
        }
    }

    pub fn process_packet(&mut self, packet: &Packet, _timestamp: Option<f64>) {
        let Some(sctp) = packet.layer_by_name("SCTP") else {
            return;
        };
        let fields = packet.layer_fields(sctp);
        self.total_packets += 1;

        let src_port = field_u16(fields, "src_port");
        let dst_port = field_u16(fields, "dst_port");

        if let Some(sp) = src_port {
            *self.src_ports.entry(sp.to_string()).or_insert(0) += 1;
        }
        if let Some(dp) = dst_port {
            *self.dst_ports.entry(dp.to_string()).or_insert(0) += 1;
        }
        if let (Some(sp), Some(dp)) = (src_port, dst_port) {
            *self.port_pairs.entry(format!("{sp}:{dp}")).or_insert(0) += 1;
        }
    }

    pub(super) fn finalize_stats(self, top_n: usize) -> SctpStats {
        SctpStats {
            total_packets: self.total_packets,
            top_src_ports: sorted_top_n(self.src_ports.into_iter(), top_n),
            top_dst_ports: sorted_top_n(self.dst_ports.into_iter(), top_n),
            top_port_pairs: sorted_top_n(self.port_pairs.into_iter(), top_n),
        }
    }
}

super::impl_protocol_stats_collector!(SctpStatsCollector, "sctp", SctpStats);

#[cfg(test)]
mod tests {
    use super::super::test_helpers::pkt;
    use super::*;
    use packet_dissector_core::field::FieldValue;
    use packet_dissector_core::packet::DissectBuffer;
    use packet_dissector_test_alloc::test_desc;

    fn build_sctp_buf(src_port: u16, dst_port: u16) -> DissectBuffer<'static> {
        let mut buf = DissectBuffer::new();
        buf.begin_layer("SCTP", None, &[], 0..12);
        buf.push_field(
            test_desc("src_port", "Source Port"),
            FieldValue::U16(src_port),
            0..2,
        );
        buf.push_field(
            test_desc("dst_port", "Destination Port"),
            FieldValue::U16(dst_port),
            2..4,
        );
        buf.end_layer();
        buf
    }

    fn build_dns_query_buf() -> DissectBuffer<'static> {
        let mut buf = DissectBuffer::new();
        buf.begin_layer("DNS", None, &[], 0..20);
        buf.push_field(test_desc("id", "Transaction ID"), FieldValue::U16(1), 0..2);
        buf.push_field(test_desc("qr", "QR"), FieldValue::U8(0), 2..3);
        buf.end_layer();
        buf
    }

    #[test]
    fn sctp_basic_counts() {
        let mut c = SctpStatsCollector::new();
        let b1 = build_sctp_buf(3868, 3868);
        c.process_packet(&pkt(&b1), Some(1.0));
        let b2 = build_sctp_buf(3868, 3868);
        c.process_packet(&pkt(&b2), Some(2.0));
        let b3 = build_sctp_buf(2905, 3868);
        c.process_packet(&pkt(&b3), Some(3.0));

        let stats = c.finalize_stats(10);
        assert_eq!(stats.total_packets, 3);
        assert_eq!(stats.top_src_ports[0].name, "3868");
        assert_eq!(stats.top_src_ports[0].count, 2);
        assert_eq!(stats.top_dst_ports[0].name, "3868");
        assert_eq!(stats.top_dst_ports[0].count, 3);
        assert_eq!(stats.top_port_pairs[0].name, "3868:3868");
        assert_eq!(stats.top_port_pairs[0].count, 2);
        assert_eq!(stats.top_port_pairs[1].name, "2905:3868");
        assert_eq!(stats.top_port_pairs[1].count, 1);
    }

    #[test]
    fn sctp_ignores_non_sctp_packets() {
        let mut c = SctpStatsCollector::new();
        let b = build_dns_query_buf();
        c.process_packet(&pkt(&b), Some(1.0));

        let stats = c.finalize_stats(10);
        assert_eq!(stats.total_packets, 0);
        assert!(stats.top_src_ports.is_empty());
    }

    #[test]
    fn sctp_protocol_stats_collector_key() {
        let c = SctpStatsCollector::new();
        let boxed: Box<dyn ProtocolStatsCollector> = Box::new(c);
        assert_eq!(boxed.key(), "sctp");
    }
}