Overview
Package collector provides a mechanism to collect network packets from a network interface on macOS, Linux and Windows.
Index
- Variables
- func IsPcap(file string) (bool, error)
- func OpenPCAP(file string) (*pcapgo.Reader, *os.File, error)
- func ResetHeaderPrinted()
- type BatchInfo
- type Collector
- func (c *Collector) CloseFileHandleOnShutdown(f *os.File)
- func (c *Collector) CollectBPF(path, bpf string) error
- func (c *Collector) CollectLive(i string, bpf string, ctx context.Context) error
- func (c *Collector) CollectPcap(path string) error
- func (c *Collector) CollectPcapNG(path string) error
- func (c *Collector) FlushAssemblers()
- func (c *Collector) GetNumPackets() int64
- func (c *Collector) GetTotalAuditRecords() int64
- func (c *Collector) GetTotalBytesWritten() int64
- func (c *Collector) Init() (err error)
- func (c *Collector) InitBatching(bpf string, in string) ([]BatchInfo, *pcap.Handle, error)
- func (c *Collector) PrintConfiguration()
- func (c *Collector) RenderPacketsPerSecond(inputFile string, out string)
- func (c *Collector) Stop()
- type Config
Constants
This section is empty.
Variables
var DefaultConfig = Config{
	Workers:             1000,
	PacketBufferSize:    100,
	WriteUnknownPackets: false,
	Promisc:             false,
	SnapLen:             defaults.SnapLen,
	DPI:                 false,
	BaseLayer:           utils.GetBaseLayer("ethernet"),
	DecodeOptions:       utils.GetDecodeOptions("datagrams"),
	DecoderConfig:       config.DefaultConfig,
	ResolverConfig:      resolvers.DefaultConfig,
	Timeout:             pcap.BlockForever,
	LogErrors:           false,
}
DefaultConfig is a sane example configuration.
var DefaultConfigDPI = Config{
	Workers:             1000,
	PacketBufferSize:    100,
	WriteUnknownPackets: false,
	Promisc:             false,
	SnapLen:             defaults.SnapLen,
	DPI:                 true,
	BaseLayer:           utils.GetBaseLayer("ethernet"),
	DecodeOptions:       utils.GetDecodeOptions("datagrams"),
	DecoderConfig:       config.DefaultConfig,
	ResolverConfig:      resolvers.DefaultConfig,
	LogErrors:           false,
}
DefaultConfigDPI is a sane example configuration for use with Deep Packet Inspection.
Functions
func ResetHeaderPrinted (added in v0.7.5)
func ResetHeaderPrinted()
ResetHeaderPrinted resets the flag that tracks whether the netcap header has been printed. This is useful when starting a new batch of processing or in testing scenarios.
Types
type Collector
type Collector struct {
	InputFile string
	PrintTime bool
	Bpf       string
	Epochs    int
	// contains filtered or unexported fields
}
Collector provides an interface to collect data from PCAP or a network interface. This structure has an optimized field order to avoid excessive padding.
func (*Collector) CloseFileHandleOnShutdown (added in v0.6.6)
CloseFileHandleOnShutdown registers file handles that are to be closed on shutdown.
func (*Collector) CollectBPF
CollectBPF opens the named PCAP file and sets the specified BPF filter.
func (*Collector) CollectLive
CollectLive starts collection of data from the given interface. Optionally a BPF filter can be supplied. This is the Linux version, which uses the pure Go implementation from pcapgo to fetch packets live.
func (*Collector) CollectPcap
CollectPcap implements parallel decoding of incoming packets.
func (*Collector) CollectPcapNG
CollectPcapNG implements parallel decoding of incoming packets.
func (*Collector) FlushAssemblers (added in v0.7.6)
func (c *Collector) FlushAssemblers()
FlushAssemblers flushes all TCP assemblers to release their page caches. This is critical for multi-file processing to prevent unbounded memory growth: page caches grow to handle traffic and never shrink, causing memory leaks.
func (*Collector) GetNumPackets (added in v0.4.0)
GetNumPackets returns the current number of processed packets.
func (*Collector) GetTotalAuditRecords (added in v0.7.6)
GetTotalAuditRecords returns the total number of audit records generated.
func (*Collector) GetTotalBytesWritten (added in v0.7.6)
GetTotalBytesWritten returns the total number of bytes written to disk.
func (*Collector) Init
Init sets up the collector and starts the configured number of workers. It must be called before the collector instance is used.
func (*Collector) InitBatching
InitBatching initializes batching mode and returns a slice of BatchInfo values together with the pcap handle. Closing the handle is the caller's responsibility.
func (*Collector) PrintConfiguration (added in v0.4.5)
func (c *Collector) PrintConfiguration()
PrintConfiguration dumps the current collector config to stdout.
func (*Collector) RenderPacketsPerSecond (added in v0.6.6)
RenderPacketsPerSecond renders an HTML chart of the collector's packet ingestion rate over time. Do not call it while the collector is running: access to the pps map is not synchronized. If you need runtime metrics, use Prometheus.
type Config
type Config struct {
	// Decoder configuration
	DecoderConfig *config.Config
	// Base layer to start decoding from
	BaseLayer gopacket.LayerType
	// Number of workers to use
	Workers int
	// Size of the input buffer channels for the workers
	PacketBufferSize int
	// Ethernet frame snaplength for live capture
	SnapLen int
	// Can be used to periodically free OS memory
	FreeOSMem int
	// Permissions for output directory
	OutDirPermission os.FileMode
	// Attach in promiscuous mode for live capture
	Promisc bool
	// Controls whether packets that had an unknown layer will get written into a separate file
	WriteUnknownPackets bool
	// Resolver configuration
	ResolverConfig resolvers.Config
	// Decoding options for gopacket
	DecodeOptions gopacket.DecodeOptions
	// Enable deep packet inspection
	DPI bool
	// DPI modules to use (comma-separated: lpi, ndpi, go)
	// If empty and DPI is enabled, all modules will be used
	DPIModules string
	// Use TCP reassembly
	ReassembleConnections bool
	// LogErrors will log verbose packet decoding errors into the errors.log file
	LogErrors bool
	// NoPrompt will disable all human interaction prompts
	NoPrompt bool
	// HTTPShutdownEndpoint will run an HTTP service on localhost:60589
	// sending a GET request there can be used to trigger teardown and audit record flushing
	// which can be used as an alternative to using OS signals
	HTTPShutdownEndpoint bool
	// Timeout for live capture
	// if you set this to 0, the pcap.BlockForever option will be used
	// From the macOS docs on libpcap:
	// The read timeout is used to arrange that the read not necessarily return
	// immediately when a packet is seen, but that it wait for some amount of time
	// to allow more packets to arrive and to read multiple packets from the OS
	// kernel in one operation.
	Timeout time.Duration
	// Labels is a filesystem path to the labels file on disk
	// that contains the attack mappings
	Labels string
	// Generate scatter chart for the applied labels during labeling.
	Scatter bool
	// ScatterDuration is the interval for data used in the scatter plot.
	ScatterDuration time.Duration
}
Config contains configuration parameters for the Collector instance. This structure has an optimized field order to avoid excessive padding.
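The HTTPShutdownEndpoint option above describes an unauthenticated GET endpoint on localhost:60589 that triggers teardown and audit record flushing. The stand-alone Go program below is an added example, not the collector's implementation; it shows the two properties worth verifying in any such endpoint: the listener binds only to localhost or a loopback IP (the endpoint carries no authentication, so it must not be reachable from other hosts), and the handler accepts only GET and triggers teardown exactly once no matter how many requests arrive. ShutdownHandler, CheckLoopback and Serve are this example's own names; the collector's internal wiring is not visible on this page and is not reproduced here.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"sync"
	"time"
)

// ErrNotLoopback is returned when the endpoint would be reachable from other hosts.
var ErrNotLoopback = errors.New("shutdown endpoint must bind to a loopback address")

// ShutdownHandler cancels a context exactly once when it receives a GET. It is
// this example's own illustration of the HTTPShutdownEndpoint option, not the
// collector's implementation.
type ShutdownHandler struct {
	once   sync.Once
	cancel context.CancelFunc
}

func NewShutdownHandler(cancel context.CancelFunc) *ShutdownHandler {
	return &ShutdownHandler{cancel: cancel}
}

// ServeHTTP accepts only GET, as the option's documentation describes, and
// makes repeated requests harmless: teardown is triggered once.
func (h *ShutdownHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		w.Header().Set("Allow", http.MethodGet)
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	h.once.Do(h.cancel)
	fmt.Fprintln(w, "teardown triggered")
}

// CheckLoopback rejects any bind address other than localhost or a loopback
// IP (an empty host, meaning all interfaces, is rejected too).
func CheckLoopback(addr string) error {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return err
	}
	if host == "localhost" {
		return nil
	}
	if ip := net.ParseIP(host); ip == nil || !ip.IsLoopback() {
		return ErrNotLoopback
	}
	return nil
}

// Serve binds addr after the loopback check and serves h until stop is called.
// It returns the bound address so callers can pass port 0 for an ephemeral port.
func Serve(addr string, h http.Handler) (bound string, stop func() error, err error) {
	if err := CheckLoopback(addr); err != nil {
		return "", nil, err
	}
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return "", nil, err
	}
	srv := &http.Server{Handler: h, ReadHeaderTimeout: 5 * time.Second}
	go srv.Serve(ln) // returns http.ErrServerClosed once stop runs
	return ln.Addr().String(), srv.Close, nil
}

func main() {
	ctx, cancel := context.WithCancel(context.Background())
	// 127.0.0.1:60589 would mirror the documented endpoint; port 0 picks a free port for the demo.
	bound, stop, err := Serve("127.0.0.1:0", NewShutdownHandler(cancel))
	if err != nil {
		panic(err)
	}
	defer stop()
	resp, err := http.Get("http://" + bound + "/") // what an operator's script would send
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	<-ctx.Done() // a collector run loop would flush its audit records here
	fmt.Println(resp.StatusCode, ctx.Err())
}
```

The run loop that owns the collector selects on ctx.Done() alongside its packet source, so the GET has the same effect as an OS signal: the loop exits, flushes and closes its writers, and the process ends cleanly.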