6 versions

Version | Date
---|---
0.1.5 | 28 September 2021
0.1.4 | 2 September 2021
wirestripper
Introduction
The `wirestripper` command-line tool (and associated library) in this crate parses and validates Ethernet packets (that is, the Hilscher netANALYZER transparent-mode PCAP link type, raw Ethernet at the PHY level). It can extract the Ethernet frames from such files and write them to normal PCAP (Ethernet link type) files.
802.3 packets
In the IEEE 802.3 specification, a "frame" is what systems and network people usually think of as an Ethernet frame (the layer-2 payload), with a 4-byte CRC32 checksum appended at the end (the FCS, frame check sequence). But this is only an incomplete picture of Ethernet.
The exact on-the-wire representation of Ethernet depends on the medium and speed, and is shaped by the various encoders and decoders that turn the Ethernet bitstream into something suitable for the physical link. In an Ethernet switch or network interface, the PHY (facing the MAC) provides the lowest-level standardised view of Ethernet traffic, and that view includes a 7-byte preamble and a 1-byte start frame delimiter (SFD).
The diagram below shows this layout (adapted from section 3.1.1 of the 802.3 specification):
```
                +---------------------------+ <-
      7 OCTETS  | PREAMBLE                  |  |
                +---------------------------+  |
       1 OCTET  | SFD                       |  |
                +---------------------------+  |   <-  <-
      6 OCTETS  | DESTINATION ADDRESS       |  |   |   |
                +---------------------------+  |   |   |
      6 OCTETS  | SOURCE ADDRESS            |  |   |   |
                +---------------------------+  |   |   |
      2 OCTETS  | LENGTH/TYPE               |  |   |   |
                +---------------------------+  |   |   |
48 to N OCTETS  | MAC CLIENT DATA + PADDING |  |   |   |
                +---------------------------+  |   |   <-
      4 OCTETS  | FRAME CHECK SEQUENCE      |  |   |   |
                +---------------------------+ <-  <-  |
                                               |   |   +-- "Layer-2, as you know and love it."
                                               |   |
                                               |   +-- FRAME
                                               |
                                               +-- PACKET
```
Note the terminology:
- FRAME corresponds to an Ethernet frame (including the FCS)
- PACKET is the complete/raw message as received from the PHY
I have been told that "packet" refers to layer 3 and "frame" to layer 2, but this is clearly wrong! To avoid confusion, `wirestripper` uses the terminology above, and additionally uses the term "record" for an entry in a PCAP file.
So the minimum packet length is 72 bytes (7+1+6+6+2+46+4), and the minimum frame length is 64.
netANALYZER PCAP link type
PCAP Ethernet link-type records contain strictly 802.3 "frames", optionally including the FCS. The only way (that I know of) to represent Ethernet "packets" in a PCAP file is via the netANALYZER link type. `wirestripper` decodes and manipulates such PCAP files.
Rationale
`wirestripper` started out as a tool for extracting Ethernet frames from netANALYZER PCAP files and writing them to ordinary Ethernet PCAP files. Wireshark in particular does not dissect the frames embedded in transparent-mode netANALYZER PCAP files. The non-transparent netANALYZER mode is not interesting (because those records are equivalent to Ethernet link-layer records that include the FCS).
Although it is simple to do this job with the `editcap` tool by specifying a fixed offset (4 bytes), that approach does not work for packets with short or long preambles, and those packets may be exactly the interesting ones (otherwise, why bother with the physical-layer/"packet" representation at all?).
Instead, `wirestripper` decodes the netANALYZER header, sanity-checks it, and then searches for the SFD to find the start of the frame.
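The procedure just described, together with the 802.3 layout above, as an added example in Rust (not the wirestripper crate's own code): decode the header, check its length against the record, search for the SFD instead of assuming a fixed offset, and recompute the FCS. The only header field it decodes is the frame length, assumed to be a little-endian u16 at bytes 2-3; that assumption agrees with the sample record shown in the `check` output further down (header `00 46 44 00` gives 68) but was not taken from the crate.

```rust
// Added example, not the crate's code: parse one netANALYZER transparent-mode record.
const SFD: u8 = 0xD5;            // start frame delimiter, ends the preamble
const PREAMBLE_OCTET: u8 = 0x55; // value of every preamble octet
const MIN_FRAME_LEN: usize = 64; // minimum 802.3 frame length including FCS

pub struct Parsed {
    pub frame_length: u16,   // header field: bytes that follow the 4-byte header
    pub preamble_len: usize, // 0x55 octets found before the SFD (normally 7)
    pub frame: Vec<u8>,      // "Layer-2 as you know it" plus the 4-byte FCS
    pub fcs_ok: bool,        // CRC-32 recomputed over the frame matches its FCS
}

/// The Ethernet FCS is a standard CRC-32 (reflected polynomial 0xEDB88320).
pub fn crc32(data: &[u8]) -> u32 {
    let mut crc = 0xFFFF_FFFFu32;
    for &b in data {
        crc ^= u32::from(b);
        for _ in 0..8 {
            crc = if crc & 1 != 0 { (crc >> 1) ^ 0xEDB8_8320 } else { crc >> 1 };
        }
    }
    !crc
}

pub fn parse_record(rec: &[u8]) -> Result<Parsed, String> {
    if rec.len() < 4 {
        return Err("record shorter than the 4-byte netANALYZER header".into());
    }
    // Assumption: frame_length is a little-endian u16 at bytes 2..4. That agrees with
    // the dump shown on this page (header 00 46 44 00 -> 68) but is not the crate's code.
    let frame_length = u16::from_le_bytes([rec[2], rec[3]]);
    let body = &rec[4..];
    if body.len() != usize::from(frame_length) {
        return Err(format!("header says {frame_length} bytes, record carries {}", body.len()));
    }
    // Search for the SFD instead of assuming a fixed offset, so short and long
    // preambles still work; everything before the SFD must be a preamble octet.
    let sfd = body.iter().position(|&b| b == SFD).ok_or("SFD not found")?;
    if body[..sfd].iter().any(|&b| b != PREAMBLE_OCTET) {
        return Err("non-preamble octet before SFD".into());
    }
    let frame = body[sfd + 1..].to_vec();
    if frame.len() < MIN_FRAME_LEN {
        return Err(format!("frame too short: {} bytes (minimum {MIN_FRAME_LEN})", frame.len()));
    }
    // The FCS is carried least-significant byte first.
    let (payload, fcs) = frame.split_at(frame.len() - 4);
    let fcs_ok = crc32(payload) == u32::from_le_bytes([fcs[0], fcs[1], fcs[2], fcs[3]]);
    Ok(Parsed { frame_length, preamble_len: sfd, frame, fcs_ok })
}
```

A caller reproducing the `check` behaviour compares `preamble_len` against 7 and the header's error flags; this example leaves the flag byte undecoded.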
Building
To install the latest release of `wirestripper`, make sure you have a Rust toolchain installed and run
cargo install wirestripper
Alternatively, build from source (the binary ends up at `target/release/wirestripper`):
cargo build --release
Usage
`wirestripper` has two modes/subcommands:
- `strip` extracts the Ethernet frames into a new PCAP file (optionally skipping those with invalid headers)
- `check` validates the netANALYZER headers (and optionally lists the errors flagged for each packet)
For details, run `wirestripper --help`.
Here are some sample runs using the sample input file (included as `sample_pcap/full.pcap`):
$ tshark -r sample_pcap/full.pcap
1 0.000000 → netANALYZER 76 Frame captured in transparent mode
2 0.006093 → netANALYZER 72 Frame captured in transparent mode
3 0.006191 → netANALYZER 114 Frame captured in transparent mode
4 0.012506 → netANALYZER 110 Frame captured in transparent mode
5 0.201069 → netANALYZER 55 Frame captured in transparent mode
6 1.001812 → netANALYZER 114 Frame captured in transparent mode
7 1.004180 → netANALYZER 110 Frame captured in transparent mode
8 1.795137 → netANALYZER 55 Frame captured in transparent mode
9 2.003375 → netANALYZER 114 Frame captured in transparent mode
10 2.005742 → netANALYZER 110 Frame captured in transparent mode
$ wirestripper --input-file sample_pcap/full.pcap strip --output-file /tmp/demo.pcap
Processed 10 records with 0 errors.
$ tshark -r /tmp/demo.pcap
1 0.000000000 0e:2b:7c:ff:d4:b2 → Broadcast ARP 64 Who has 192.168.7.4? Tell 192.168.7.1
2 0.006093000 12:55:55:00:01:2d → 0e:2b:7c:ff:d4:b2 ARP 64 192.168.7.4 is at 12:55:55:00:01:2d
3 0.006191000 192.168.7.1 → 192.168.7.4 ICMP 102 Echo (ping) request id=0x0816, seq=7/1792, ttl=64
4 0.012506000 192.168.7.4 → 192.168.7.1 ICMP 102 Echo (ping) reply id=0x0816, seq=7/1792, ttl=32 (request in 3)
5 0.201069000 7a:4d:94:fa:87:61 → Broadcast ARP 46 Who has 192.168.7.1? Tell 192.168.7.13
6 1.001812000 192.168.7.1 → 192.168.7.4 ICMP 102 Echo (ping) request id=0x0816, seq=8/2048, ttl=64
7 1.004180000 192.168.7.4 → 192.168.7.1 ICMP 102 Echo (ping) reply id=0x0816, seq=8/2048, ttl=32 (request in 6)
8 1.795137000 7a:4d:94:fa:87:61 → Broadcast ARP 46 Who has 192.168.7.1? Tell 192.168.7.13
9 2.003375000 192.168.7.1 → 192.168.7.4 ICMP 102 Echo (ping) request id=0x0816, seq=9/2304, ttl=64
10 2.005742000 192.168.7.4 → 192.168.7.1 ICMP 102 Echo (ping) reply id=0x0816, seq=9/2304, ttl=32 (request in 9)
$ wirestripper --input-file sample_pcap/full.pcap strip --output-file /tmp/demo.pcap --strict
Record 1 is OK, will strip it normally.
Skipping record 2 due to netANALYZER record header validation error, re-run with "check" subcommand for details.
Record 3 is OK, will strip it normally.
Skipping record 4 due to netANALYZER record header validation error, re-run with "check" subcommand for details.
Skipping record 5 due to netANALYZER record header validation error, re-run with "check" subcommand for details.
Record 6 is OK, will strip it normally.
Skipping record 7 due to netANALYZER record header validation error, re-run with "check" subcommand for details.
Skipping record 8 due to netANALYZER record header validation error, re-run with "check" subcommand for details.
Record 9 is OK, will strip it normally.
Skipping record 10 due to netANALYZER record header validation error, re-run with "check" subcommand for details.
Processed 10 records with 6 errors.
$ tshark -r /tmp/demo.pcap
1 0.000000000 0e:2b:7c:ff:d4:b2 → Broadcast ARP 64 Who has 192.168.7.4? Tell 192.168.7.1
2 0.006191000 192.168.7.1 → 192.168.7.4 ICMP 102 Echo (ping) request id=0x0816, seq=7/1792, ttl=64
3 1.001812000 192.168.7.1 → 192.168.7.4 ICMP 102 Echo (ping) request id=0x0816, seq=8/2048, ttl=64
4 2.003375000 192.168.7.1 → 192.168.7.4 ICMP 102 Echo (ping) request id=0x0816, seq=9/2304, ttl=64
$ wirestripper --input-file sample_pcap/full.pcap check
Record 2 is invalid, here are the issues:
- Header preamble-too-short error flag is false, but preamble is 3 bytes long (normal is 7 bytes)
Header: Header {
    reserved: 0,
    frame_length: 68,
    port_number: 1,
    header_version: 1,
    transparent_mode: true,
    port_type: Ethernet,
    errors: ErrorFlags {
        preamble_too_long: false,
        preamble_too_short: false,
        frame_too_short: false,
        sfd_not_found: false,
        frame_too_long: false,
        fcs_incorrect: false,
        alignment_problem: false,
        mii_receive_error: false,
    },
}
PCAP record contents:
Length: 72 (0x48) bytes
0000: 00 46 44 00 55 55 55 d5 0e 2b 7c ff d4 b2 12 55 .FD.UUU..+|....U
0010: 55 00 01 2d 08 06 00 01 08 00 06 04 00 02 12 55 U..-...........U
0020: 55 00 01 2d c0 a8 07 04 0e 2b 7c ff d4 b2 c0 a8 U..-.....+|.....
0030: 07 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 e6 0b 7d 1e ......}.
<snip>
Processed 10 records with 6 errors.
If we create a record (a copy of record 1 above, included as `sample_pcap/record1.pcap`) but corrupt the FCS and set the FCS error flag, the `check` command finds the record to be valid:
$ wirestripper --input-file sample_pcap/record1.pcap check
Processed 1 records with 0 errors.
To actually list the errors the header indicates, we can pass the `--verbose` flag to `check`:
$ wirestripper --input-file sample_pcap/record1.pcap check --verbose
Record 1 is valid.
Here are known errors in the packet:
- fcs incorrect
Processed 1 records with 0 errors.
Finally, if we `strip` this record, `tshark` agrees that the FCS is incorrect:
$ wirestripper --input-file sample_pcap/record1.pcap strip --output-file /tmp/demo1.pcap
Processed 1 records with 0 errors.
$ tshark -r /tmp/demo1.pcap
1 0.000000000 0e:2b:7c:ff:d4:b2 → Broadcast ARP 64 Who has 192.168.7.4? Tell 192.168.7.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
Limitations
`wirestripper` does not support:
- netANALYZER non-transparent mode
- netANALYZER version 2 headers
- netANALYZER GPIO capture mode
The PCAP samples, and all inputs used for testing and development, were generated with a (currently unpublished) C++ program. I do not have access to Hilscher netANALYZER hardware or software. If you use `wirestripper` with an actual netANALYZER, let me know how it goes!
I happily accept PRs, as well as PCAP traces or hardware 😏
License and attribution
`wirestripper` is licensed under the Mozilla Public License 2.0. See `LICENSE` for details.
The wire stripper image is copyright Tiia Monto and is reproduced here under that license.