net_parser_rs/lib.rs
1///! net-parser-rs
2///!
3///! Network packet parser, also capable of parsing packet capture files (e.g. libpcap) and the
4///! associated records.
5///!
6pub mod common;
7pub mod file;
8pub mod flow;
9pub mod global_header;
10pub mod layer2;
11pub mod layer3;
12pub mod layer4;
13pub mod errors;
14pub mod record;
15
16///
17/// Primary utility for parsing packet captures, either from file, bytes, or interfaces.
18///
19/// ```text
20/// use net_parser_rs;
21/// use std::*;
22///
23/// //Parse a file with global header and packet records
24/// let file_bytes = include_bytes!("capture.pcap");
25/// let records = net_parser_rs::parse(file_bytes).expect("Could not parse");
26///
27/// //Parse a sequence of one or more packet records
28/// let records = net_parser_rs::PcapRecords::parse(record_bytes).expect("Could not parse");
29///
30/// //Parse a single packet
31/// let packet = net_parser_rs::PcapRecord::parse(packet_bytes).expect("Could not parse");
32///
33/// //Convert a packet into stream information
34/// use net_parser_rs::flow::*;
35///
36/// let stream = Flow::try_from(packet).expect("Could not convert packet");
37///```
38///
39pub use errors::Error as Error;
40pub use file::CaptureFile as CaptureFile;
41pub use global_header::GlobalHeader as GlobalHeader;
42pub use record::{PcapRecord as PcapRecord, PcapRecords as PcapRecords};
43
44pub fn parse<'a>(data: &'a [u8]) -> Result<(&'a [u8], CaptureFile<'a>), Error> {
45 CaptureFile::parse(data)
46}
47
48#[cfg(test)]
49pub mod tests {
50 use crate::{flow::FlowExtraction, CaptureFile};
51 use nom::Endianness;
52 use std::io::prelude::*;
53 use std::path::PathBuf;
54
55
56 pub mod util {
57 use regex::Regex;
58
59 #[test]
60 fn test_hex_dump() {
61 let bytes = parse_hex_dump(r"
62 # Comment line
63 0090 34 35 36 37 4567
64 ").expect("Failed to parse bytes");
65 assert_eq!(bytes.len(), 4)
66 }
67
68 /// Parses a "Hex + ASCII Dump" from Wireshark to extract the payload bits.
69 /// Example:
70 /// ```rust
71 /// let bytes = parse_hex_dump(r##"
72 /// # Frame 3: 148 bytes on wire (1184 bits), 148 bytes captured (1184 bits) on interface 0
73 /// # Ethernet II, Src: CadmusCo_ae:4d:62 (08:00:27:ae:4d:62), Dst: CadmusCo_f2:1d:8c (08:00:27:f2:1d:8c)
74 /// # Internet Protocol Version 4, Src: 192.168.56.11, Dst: 192.168.56.12
75 /// # User Datagram Protocol, Src Port: 48134 (48134), Dst Port: 4789 (4789)
76 /// # Virtual eXtensible Local Area Network
77 /// # Ethernet II, Src: ba:09:2b:6e:f8:be (ba:09:2b:6e:f8:be), Dst: 4a:7f:01:3b:a2:71 (4a:7f:01:3b:a2:71)
78 /// # Internet Protocol Version 4, Src: 10.0.0.1, Dst: 10.0.0.2
79 /// # Internet Control Message Protocol
80 /// 0000 08 00 27 f2 1d 8c 08 00 27 ae 4d 62 08 00 45 00 ..'.....'.Mb..E.
81 /// 0010 00 86 d9 99 40 00 40 11 6f 65 c0 a8 38 0b c0 a8 ....@.@.oe..8...
82 /// 0020 38 0c bc 06 12 b5 00 72 00 00 08 00 00 00 00 00 8......r........
83 /// 0030 7b 00 4a 7f 01 3b a2 71 ba 09 2b 6e f8 be 08 00 {.J..;.q..+n....
84 /// 0040 45 00 00 54 2f 4f 40 00 40 01 f7 57 0a 00 00 01 E..T/O@.@..W....
85 /// 0050 0a 00 00 02 08 00 4c 8a 0d 3d 00 01 a3 8c 7c 57 ......L..=....|W
86 /// 0060 00 00 00 00 b5 80 0a 00 00 00 00 00 10 11 12 13 ................
87 /// 0070 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 ............ !"#
88 /// 0080 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 $%&'()*+,-./0123
89 /// 0090 34 35 36 37 4567
90 /// "##).unwrap();
91 /// assert_eq!(bytes.len(), 148);
92 /// ```
93 pub fn parse_hex_dump(input: &str) -> Result<Vec<u8>, hex::FromHexError> {
94 let hex_reg: Regex = Regex::new(r"(?m)^\s*[0-9a-fA-F]{3,}\s+((?:[0-9a-fA-F]{2}\s){1,16}).*?$").unwrap();
95
96 let mut response = vec!();
97 for cap in hex_reg.captures_iter(input) {
98 let c = Vec::from(cap[1].replace(" ", ""));
99
100 let mut decode = hex::decode(c)?;
101 response.append(&mut decode);
102 }
103 Ok(response)
104 }
105 }
106
107 const RAW_DATA: &'static [u8] = &[
108 0x4du8, 0x3c, 0x2b, 0x1au8, //magic number
109 0x00u8, 0x04u8, //version major, 4
110 0x00u8, 0x02u8, //version minor, 2
111 0x00u8, 0x00u8, 0x00u8, 0x00u8, //zone, 0
112 0x00u8, 0x00u8, 0x00u8, 0x04u8, //sig figs, 4
113 0x00u8, 0x00u8, 0x06u8, 0x13u8, //snap length, 1555
114 0x00u8, 0x00u8, 0x00u8, 0x02u8, //network, 2
115 //record
116 0x5Bu8, 0x11u8, 0x6Du8, 0xE3u8, //seconds, 1527868899
117 0x00u8, 0x02u8, 0x51u8, 0xF5u8, //microseconds, 152053
118 0x00u8, 0x00u8, 0x00u8,
119 0x56u8, //actual length, 86: 14 (ethernet) + 20 (ipv4 header) + 20 (tcp header) + 32 (tcp payload)
120 0x00u8, 0x00u8, 0x04u8, 0xD0u8, //original length, 1232
121 //ethernet
122 0x01u8, 0x02u8, 0x03u8, 0x04u8, 0x05u8, 0x06u8, //dst mac 01:02:03:04:05:06
123 0xFFu8, 0xFEu8, 0xFDu8, 0xFCu8, 0xFBu8, 0xFAu8, //src mac FF:FE:FD:FC:FB:FA
124 0x08u8, 0x00u8, //ipv4
125 //ipv4
126 0x45u8, //version and header length
127 0x00u8, //tos
128 0x00u8, 0x48u8, //length, 20 bytes for header, 52 bytes for ethernet
129 0x00u8, 0x00u8, //id
130 0x00u8, 0x00u8, //flags
131 0x64u8, //ttl
132 0x06u8, //protocol, tcp
133 0x00u8, 0x00u8, //checksum
134 0x01u8, 0x02u8, 0x03u8, 0x04u8, //src ip 1.2.3.4
135 0x0Au8, 0x0Bu8, 0x0Cu8, 0x0Du8, //dst ip 10.11.12.13
136 //tcp
137 0xC6u8, 0xB7u8, //src port, 50871
138 0x00u8, 0x50u8, //dst port, 80
139 0x00u8, 0x00u8, 0x00u8, 0x01u8, //sequence number, 1
140 0x00u8, 0x00u8, 0x00u8, 0x02u8, //acknowledgement number, 2
141 0x50u8, 0x00u8, //header and flags, 0
142 0x00u8, 0x00u8, //window
143 0x00u8, 0x00u8, //check
144 0x00u8, 0x00u8, //urgent
145 //no options
146 //payload
147 0x01u8, 0x02u8, 0x03u8, 0x04u8, 0x00u8, 0x00u8, 0x00u8, 0x00u8, 0x00u8, 0x00u8, 0x00u8,
148 0x00u8, 0x00u8, 0x00u8, 0x00u8, 0x00u8, 0x00u8, 0x00u8, 0x00u8, 0x00u8, 0x00u8, 0x00u8,
149 0x00u8, 0x00u8, 0x00u8, 0x00u8, 0x00u8, 0x00u8, 0xfcu8, 0xfdu8, 0xfeu8,
150 0xffu8, //payload, 8 words
151 ];
152
153 #[test]
154 fn file_bytes_parse() {
155 let _ = env_logger::try_init();
156
157 let (rem, f) =
158 CaptureFile::parse(RAW_DATA).expect("Failed to parse");
159
160 assert!(rem.is_empty());
161
162 assert_eq!(f.global_header.endianness, Endianness::Big);
163 assert_eq!(f.records.len(), 1);
164 }
165
166 #[test]
167 fn convert_packet() {
168 let _ = env_logger::try_init();
169
170 let (rem, f) =
171 CaptureFile::parse(RAW_DATA).expect("Failed to parse");
172
173 assert!(rem.is_empty());
174
175 let record = f.records.into_inner().pop().unwrap();
176 let flow = record.extract_flow().expect("Failed to extract flow");
177
178 assert_eq!(flow.source.port, 50871);
179 assert_eq!(flow.destination.port, 80);
180 }
181
182 #[test]
183 fn file_parse() {
184 let _ = env_logger::try_init();
185
186 let pcap_path = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
187 .join("resources")
188 .join("4SICS-GeekLounge-151020.pcap");
189
190 let pcap_reader = std::fs::File::open(pcap_path.clone())
191 .expect(&format!("Failed to open pcap path {:?}", pcap_path));
192
193 let bytes = pcap_reader
194 .bytes()
195 .map(|b| b.unwrap())
196 .collect::<std::vec::Vec<u8>>();
197
198 let (_, f) = CaptureFile::parse(&bytes).expect("Failed to parse");
199
200 assert_eq!(f.global_header.endianness, Endianness::Little);
201 assert_eq!(f.records.len(), 246137);
202 }
203}