core


Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ConversationInfo

type ConversationInfo struct {
	// Data holds the data fragments exchanged in this conversation
	// (see DataFragments, which sorts them by timestamp).
	Data DataFragments
	// Ident identifies the conversation. Its exact format is not shown
	// here — presumably a flow/stream identifier; confirm against the
	// code that constructs ConversationInfo.
	Ident string
	// FirstClientPacket and FirstServerPacket hold the timestamps of the
	// first packet observed from each side of the conversation (as the
	// names indicate; confirm against the constructing code).
	FirstClientPacket time.Time
	FirstServerPacket time.Time

	// Endpoint addresses and ports of the two sides of the conversation.
	// NOTE(review): the ports are int32, wider than the 16-bit port
	// space, so consumers should not assume the values have been
	// range-checked here.
	ClientIP   string
	ServerIP   string
	ClientPort int32
	ServerPort int32

	// CommunityID is the Corelight Community ID v1 for this stream.
	// This provides a standardized flow identifier compatible with
	// Zeek, Suricata, and other network monitoring tools.
	// See: https://github.com/corelight/community-id-spec
	CommunityID string
}

ConversationInfo is a wrapper structure for traffic sent over a transport protocol; it allows transport-agnostic decoding of data streams.

type DataFragments

// DataFragments is an ordered collection of dataFragment values. It implements
// sort.Interface (Len, Less, Swap) so fragments can be sorted by timestamp.
type DataFragments []dataFragment

DataFragments implements sort.Interface to sort data fragments based on their timestamps.

func (DataFragments) First

func (d DataFragments) First() []byte

First returns the first fragment.

func (DataFragments) Len

func (d DataFragments) Len() int

Len returns the number of fragments.

func (DataFragments) Less

func (d DataFragments) Less(i, j int) bool

Less reports whether the fragment at index i is less than the fragment at index j.

func (DataFragments) Size

func (d DataFragments) Size() int

Size returns the total data size of all fragments.

func (DataFragments) SourceIP added in v0.9.0

func (d DataFragments) SourceIP() string

SourceIP returns the source IP address from the first fragment's network layer. It returns an empty string if no fragments are available.

func (DataFragments) Swap

func (d DataFragments) Swap(i, j int)

Swap exchanges the fragments at indices i and j.

type DecoderAPI

type DecoderAPI interface {

	// PostInitFunc is called after the decoder has been initialized.
	PostInitFunc() error

	// DeInitFunc is called prior to teardown.
	DeInitFunc() error

	// GetName returns the name of the decoder.
	GetName() string

	// SetWriter sets the netcap writer to use for the decoder.
	// Note: io here is the netcap io package, not the standard library
	// (the standard library io package has no AuditRecordWriter).
	SetWriter(io.AuditRecordWriter)

	// GetWriter returns the current writer.
	GetWriter() io.AuditRecordWriter

	// GetType returns the netcap type of the decoder.
	GetType() types.Type

	// GetDescription returns the description of the decoder.
	GetDescription() string

	// GetChan returns a channel to receive serialized audit records from the decoder.
	// NOTE(review): the record encoding and which side closes the channel are
	// not specified here — confirm against implementations before ranging over it.
	GetChan() <-chan []byte

	// Destroy initiates teardown. The meaning of the returned string and
	// int64 is not documented here — TODO confirm against implementations.
	Destroy() (string, int64)

	// NumRecords returns the number of processed audit records.
	NumRecords() int64

	// FlushCurrentState writes the current state of accumulating records to disk
	// without clearing the in-memory state. This is used during live capture
	// to periodically make data visible while continuing to track state.
	// Returns the number of records flushed.
	FlushCurrentState() int64
}

DecoderAPI describes functionality of a decoder.

type StreamData

type StreamData struct {
	// raw binary data as received from the network; treat as untrusted
	// input and check lengths before indexing.
	RawData []byte

	// tcp specific fields
	AssemblerContext reassembly.AssemblerContext
	Dir              reassembly.TCPFlowDirection

	// udp specific fields
	// NOTE(review): the struct carries both a TCP- and a UDP-specific group;
	// presumably only the group matching the transport is populated for a
	// given fragment — confirm against the constructing code.
	CaptureInformation gopacket.CaptureInfo
	Net                gopacket.Flow
	Trans              gopacket.Flow
}

StreamData is a payload fragment received from a streamReader. It contains the raw bytes as well as an assembler context with timestamp information.

func (*StreamData) CaptureInfo

func (s *StreamData) CaptureInfo() gopacket.CaptureInfo

CaptureInfo returns the capture information from gopacket.

func (*StreamData) Context

func (s *StreamData) Context() reassembly.AssemblerContext

Context returns the assembler context.

func (*StreamData) Direction

func (s *StreamData) Direction() reassembly.TCPFlowDirection

Direction returns the direction of the flow.

func (*StreamData) Network

func (s *StreamData) Network() gopacket.Flow

Network returns the network layer flow.

func (*StreamData) Raw

func (s *StreamData) Raw() []byte

Raw returns the raw byte slice that makes up the data fragment.

func (*StreamData) SetDirection

func (s *StreamData) SetDirection(d reassembly.TCPFlowDirection)

SetDirection will update the flow direction.

func (*StreamData) Transport

func (s *StreamData) Transport() gopacket.Flow

Transport returns the transport layer flow.

type StreamDecoderAPI

type StreamDecoderAPI interface {
	DecoderAPI

	// CanDecodeStream determines if this decoder can understand the protocol used.
	// client and server carry bytes observed in each direction of the stream;
	// they originate from the network, so implementations should check lengths
	// before indexing (how many bytes are passed is not specified here).
	CanDecodeStream(client []byte, server []byte) bool

	// GetReaderFactory returns a factory for processing streams of the current decoder.
	GetReaderFactory() StreamDecoderFactory

	// Transport reports which transport protocol(s) the decoder handles
	// (TCP, UDP, or All; see TransportProtocol).
	Transport() TransportProtocol
}

StreamDecoderAPI describes the interface that all stream decoders must implement. It allows a decoder to supply a custom structure and maintain state for advanced protocol analysis.

type StreamDecoderFactory

type StreamDecoderFactory interface {

	// New creates a StreamDecoderInterface for the given conversation.
	New(conversation *ConversationInfo) StreamDecoderInterface
}

StreamDecoderFactory produces stream decoder instances.

type StreamDecoderInterface

type StreamDecoderInterface interface {

	// Decode parses the stream according to the identified protocol.
	// It takes no arguments; presumably the stream comes from the
	// ConversationInfo handed to StreamDecoderFactory.New — confirm
	// against implementations.
	Decode()
}

StreamDecoderInterface is the interface for processing a bi-directional network connection.

type TransportProtocol

// TransportProtocol is a layer 4 protocol from the OSI model.
type TransportProtocol int

TransportProtocol is a layer 4 (transport layer) protocol from the OSI model.

const (
	// TCP protocol. As the first iota value it is also the zero value of
	// TransportProtocol, so an uninitialized TransportProtocol reads as TCP.
	TCP TransportProtocol = iota
	// UDP protocol
	UDP
	// All will invoke decoder for all transport protocols
	All
)
