Skip to content

feat: Support in-place GZIP reads for PCAPNG files #55

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 10, 2024
Merged

feat: Support in-place GZIP reads for PCAPNG files #55

merged 1 commit into from
Apr 10, 2024

Conversation

wolveix
Copy link
Contributor

@wolveix wolveix commented Apr 4, 2024

Hey!

This adds support for GZIP-compressed PCAPNG files. This borrows heavily from @bramp's PCAP implementation (google/gopacket#213)

@mosajjal
Copy link
Contributor

mosajjal commented Apr 4, 2024

what does this add to the current method of leveraging io.reader() on the user's code?

@wolveix
Copy link
Contributor Author

wolveix commented Apr 4, 2024

@mosajjal Sorry, I'm not sure I follow what you mean. NgReader uses *bufio.Reader instead of the io.Reader used by Reader. I haven't modified any existing field types, I've just copied how GZIP decompression is handled from the Reader for use within the NgReader

@mosajjal
Copy link
Contributor

mosajjal commented Apr 6, 2024

what I mean is, since NewNgReader supports io.reader, something like this works, correct?

func main() {
        // open the gzip file as a io.reader
        f, err := os.Open("./test.pcapng.gz")
        if err != nil {
                log.Fatal(err)
        }
        defer f.Close()

        zipReader, err := gzip.NewReader(f)
        if err != nil {
                log.Fatal(err)
        }
        defer zipReader.Close()

        // read the file
        pcap, err := pcapgo.NewNgReader(zipReader, pcapgo.DefaultNgReaderOptions)
        if err != nil {
                log.Fatal(err)
        }

        // read the packets
        for {
                data, ci, err := pcap.ReadPacketData()
                if err != nil {
                        break
                }
                log.Println(ci.Timestamp, len(data))
        }

}

what does your PR add that above code doesn't provide?

@bramp
Copy link
Contributor

bramp commented Apr 6, 2024

Fly-by comment but it allows this:

func main() {
        // open the gzip file as a io.reader
        f, err := os.Open("./test.pcapng.gz")
        if err != nil {
                log.Fatal(err)
        }
        defer f.Close()

        // read the file
        pcap, err := pcapgo.NewNgReader(f, pcapgo.DefaultNgReaderOptions)
        if err != nil {
                log.Fatal(err)
        }

It transparency decompresses the pcap if it is gzip compressed. Thus behaving the same way as wireshark's wiretap library.

@wolveix
Copy link
Contributor Author

wolveix commented Apr 6, 2024

@mosajjal ah I see. Well, for one, gopacket already does this for .pcap files. If it supports it for those, it makes sense that it should also support it for .pcapng files.

Thanks @bramp!

@wolveix
Copy link
Contributor Author

wolveix commented Apr 10, 2024

Hey @mosajjal! I'm sure you're busy, but is there any chance we could get this merged? Or is there anything I can do to help? I really appreciate the work you've put into maintaining this fork!

@mosajjal mosajjal merged commit c4dd161 into gopacket:master Apr 10, 2024
@wolveix
Copy link
Contributor Author

wolveix commented Apr 10, 2024

Thank you!

@wolveix wolveix deleted the ng_gzip branch April 10, 2024 21:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@wolveix @mosajjal @bramp