support direct sniffing on gre interface (#884)

dmachard · Nov 29, 2024 · 466760d · 466760d
1 parent f2e3c77
commit 466760d
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 8 deletions.
diff --git a/Makefile b/Makefile
@@ -8,7 +8,7 @@ GO_DNSTAP_PROTOBUF := 1.2.0
 GO_FRAMESTREAM := 1.0.1
 GO_CLIENTSYSLOG := 1.0.1
 GO_TOPMAP := 1.0.2
-GO_NETUTILS := 1.3.0
+GO_NETUTILS := 1.5.0
 
 BUILD_TIME := $(shell LANG=en_US date +"%F_%T_%z")
 COMMIT := $(shell git rev-parse --short HEAD)

diff --git a/docs/collectors/collector_afpacket.md b/docs/collectors/collector_afpacket.md
@@ -21,6 +21,9 @@ Options:
 * `device` (str)
   > Interface name to sniff. If value is empty, bind on all interfaces.
 
+* `enable-rawip` (bool)
+  > Enable the decoding of raw IP traffic (without ethernet layer), enable this option to sniff gre interface
+
 * `enable-gre` (bool)
   > Enable GRE decoding protocol support
 
@@ -31,14 +34,36 @@ Options:
   > Specifies the maximum number of packets that can be buffered before discard additional packets.
   > Set to zero to use the default global value.
 
-Defaults:
+Defaults values:
 
 ```yaml
 - name: sniffer
   afpacket-sniffer:
     port: 53
     device: wlp2s0
+    enable-rawip: false
     enable-gre: false
     enable-defrag-ip: true
     chan-buffer-size: 0
 ```
+
+This configuration is designed to enable traffic capture on a GRE interface (e.g., gre1) in Raw IP mode, 
+meaning Ethernet headers will not be present.
+
+```yaml
+- name: sniffer_gre
+  afpacket-sniffer:
+    port: 53
+    device: gre1
+    enable-rawip: true
+```
+
+This configuration is used to capture and decode GRE traffic passing through a physical interface:
+
+```yaml
+- name: sniffer_gre
+  afpacket-sniffer:
+    port: 53
+    device: wlp2s0
+    enable-gre: true
+```
diff --git a/go.mod b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/dmachard/go-dnstap-protobuf v1.2.0
 	github.com/dmachard/go-framestream v1.0.1
 	github.com/dmachard/go-logger v1.1.1
-	github.com/dmachard/go-netutils v1.3.0
+	github.com/dmachard/go-netutils v1.5.0
 	github.com/dmachard/go-powerdns-protobuf v1.3.0
 	github.com/dmachard/go-topmap v1.0.2
 	github.com/farsightsec/golang-framestream v0.3.0

diff --git a/go.sum b/go.sum
@@ -109,8 +109,8 @@ github.com/dmachard/go-framestream v1.0.1 h1:/v93w0No5g+CTdwhlbiLbopvnKUdc9kDscK
 github.com/dmachard/go-framestream v1.0.1/go.mod h1:p0gyuQSA4IfiyyhSy2grFc1oR8Tk5ewNvTMcQHzcnGs=
 github.com/dmachard/go-logger v1.1.1 h1:H4mQAAyhZ6u1E8kFezz7o6PsDqhsdFbO5pZGnoNuRYI=
 github.com/dmachard/go-logger v1.1.1/go.mod h1:vg6cMQBmx+SgH45XsqEyqScXp9eJhS6yuvvJZOgBbvU=
-github.com/dmachard/go-netutils v1.3.0 h1:KA6NRYvJ0wqqFWvWFsO7+I1I+GHFX4MJD00GIPOS0Bs=
-github.com/dmachard/go-netutils v1.3.0/go.mod h1:q7HROzGkcEONODNNAtxOtrUxVY/MACLAVzsvmyYAAMo=
+github.com/dmachard/go-netutils v1.5.0 h1:JVDz3g0JhTGMf7iTrMQh0CcMI/sJK88JSWT2KnXBAdw=
+github.com/dmachard/go-netutils v1.5.0/go.mod h1:q7HROzGkcEONODNNAtxOtrUxVY/MACLAVzsvmyYAAMo=
 github.com/dmachard/go-powerdns-protobuf v1.3.0 h1:NlCNXNUukZjklzpvihRLMY40fDmLtYOsAkg48ozYOA0=
 github.com/dmachard/go-powerdns-protobuf v1.3.0/go.mod h1:KAQfdV6BE2gI19aRv3HNBQzzGGCnNFwgCWMg1o6TpH8=
 github.com/dmachard/go-topmap v1.0.2 h1:ph4qBu2qoiA6l5hrYjkyYFTFGHO/8/NE49IHME2u068=

diff --git a/pkgconfig/collectors.go b/pkgconfig/collectors.go
@@ -57,6 +57,7 @@ type ConfigCollectors struct {
 		ChannelBufferSize int    `yaml:"chan-buffer-size" default:"0"`
 		FragmentSupport   bool   `yaml:"enable-defrag-ip" default:"true"`
 		GreSupport        bool   `yaml:"enable-gre" default:"false"`
+		RawIPSupport      bool   `yaml:"enable-rawip" default:"false"`
 	} `yaml:"afpacket-sniffer"`
 	XdpLiveCapture struct {
 		Enable            bool   `yaml:"enable" default:"false"`

diff --git a/workers/sniffer_afpacket_linux.go b/workers/sniffer_afpacket_linux.go
@@ -68,10 +68,14 @@ func (w *AfpacketSniffer) Listen() error {
 	}
 
 	var filter []bpf.Instruction
+	isEthernet := true
+	if w.GetConfig().Collectors.AfpacketLiveCapture.RawIPSupport {
+		isEthernet = false
+	}
+	filter, err = netutils.GetBpfDnsFilterPort(w.GetConfig().Collectors.AfpacketLiveCapture.Port, isEthernet)
+
 	if w.GetConfig().Collectors.AfpacketLiveCapture.GreSupport {
 		filter, err = netutils.GetBpfGreDnsFilterPort(w.GetConfig().Collectors.AfpacketLiveCapture.Port)
-	} else {
-		filter, err = netutils.GetBpfDnsFilterPort(w.GetConfig().Collectors.AfpacketLiveCapture.Port)
 	}
 	if err != nil {
 		return err
@@ -113,7 +117,12 @@ func (w *AfpacketSniffer) StartCollect() {
 	fragIP4Chan := make(chan gopacket.Packet)
 	fragIP6Chan := make(chan gopacket.Packet)
 
-	netDecoder := &netutils.NetDecoder{}
+	var netDecoder netutils.PacketDecoder
+	if w.GetConfig().Collectors.AfpacketLiveCapture.RawIPSupport {
+		netDecoder = &netutils.RawIPDecoder{}
+	} else {
+		netDecoder = &netutils.NetDecoder{}
+	}
 
 	// defrag ipv4
 	go netutils.IPDefragger(fragIP4Chan, udpChan, tcpChan, w.GetConfig().Collectors.AfpacketLiveCapture.Port)