Merge pull request #12 from hallelujah-shih/feature-dump-pkg-and-add-…

…bpf-filter

add dump pkg support & bpf filter support

cmd/main.go

@@ -23,20 +23,22 @@ import (
 )
 
 var (
-	flagJSON      = flag.Bool("json", true, "print as JSON array")
-	flagCSV       = flag.Bool("csv", false, "print as CSV")
-	flagTSV       = flag.Bool("tsv", false, "print as TAB separated values")
-	flagSeparator = flag.String("separator", ",", "set a custom separator")
-	flagInput     = flag.String("read", "", "read PCAP file")
-	flagDebug     = flag.Bool("debug", false, "toggle debug mode")
-	flagInterface = flag.String("iface", "", "specify network interface to read packets from")
-	flagJa3S      = flag.Bool("ja3s", true, "include ja3 server hashes (ja3s)")
-	flagOnlyJa3S  = flag.Bool("ja3s-only", false, "dump ja3s only")
-	flagSnaplen   = flag.Int("snaplen", 1514, "default snap length for ethernet frames")
-	flagPromisc   = flag.Bool("promisc", true, "capture in promiscuous mode (requires root)")
+	flagJSON        = flag.Bool("json", true, "print as JSON array")
+	flagCSV         = flag.Bool("csv", false, "print as CSV")
+	flagTSV         = flag.Bool("tsv", false, "print as TAB separated values")
+	flagSeparator   = flag.String("separator", ",", "set a custom separator")
+	flagInput       = flag.String("read", "", "read PCAP file")
+	flagDebug       = flag.Bool("debug", false, "toggle debug mode")
+	flagInterface   = flag.String("iface", "", "specify network interface to read packets from")
+	flagJa3S        = flag.Bool("ja3s", true, "include ja3 server hashes (ja3s)")
+	flagOnlyJa3S    = flag.Bool("ja3s-only", false, "dump ja3s only")
+	flagSnaplen     = flag.Int("snaplen", 1514, "default snap length for ethernet frames")
+	flagPromisc     = flag.Bool("promisc", true, "capture in promiscuous mode (requires root)")
+	flagFilter      = flag.String("bpf", "(tcp[((tcp[12] & 0xf0) >>2)] = 0x16) && ((tcp[((tcp[12] & 0xf0) >>2)+5] = 0x01) || (tcp[((tcp[12] & 0xf0) >>2)+5] = 0x02))", "BPF filter for pcap, only support on live")
+	flagDumpPackets = flag.String("dump", "", "dump pcap file name, only support on live")
 	// https://godoc.org/github.com/google/gopacket/pcap#hdr-PCAP_Timeouts
-	flagTimeout   = flag.Duration("timeout", pcap.BlockForever, "timeout for collecting packet batches")
-	flagVersion   = flag.Bool("version", false, "display version and exit")
+	flagTimeout = flag.Duration("timeout", pcap.BlockForever, "timeout for collecting packet batches")
+	flagVersion = flag.Bool("version", false, "display version and exit")
 )
 
 const version = "v1.0.2"
@@ -53,7 +55,7 @@ func main() {
 	ja3.Debug = *flagDebug
 
 	if *flagInterface != "" {
-		ja3.ReadInterface(*flagInterface, os.Stdout, *flagSeparator, *flagJa3S, *flagJSON, *flagSnaplen, *flagPromisc, *flagTimeout)
+		ja3.ReadInterface(*flagInterface, *flagFilter, *flagDumpPackets, os.Stdout, *flagSeparator, *flagJa3S, *flagJSON, *flagSnaplen, *flagPromisc, *flagTimeout)
 		return
 	}
 

gopacket.go

@@ -19,9 +19,9 @@ import (
 	"encoding/hex"
 	"fmt"
 
+	"github.com/dreadl0ck/tlsx"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
-	"github.com/dreadl0ck/tlsx"
 )
 
 // DigestPacket returns the Ja3 digest

ja3_test.go

@@ -20,9 +20,9 @@ import (
 	"io/ioutil"
 	"testing"
 
+	"github.com/dreadl0ck/tlsx"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
-	"github.com/dreadl0ck/tlsx"
 )
 
 var tlsPacket = []byte{

live.go

@@ -4,7 +4,9 @@ import (
 	"encoding/binary"
 	"encoding/json"
 	"fmt"
+	"github.com/google/gopacket/pcapgo"
 	"io"
+	"os"
 	"strings"
 	"time"
 
@@ -16,14 +18,31 @@ import (
 // ReadInterface reads packets from the named interface
 // if asJSON is true the results will be dumped as newline separated JSON objects
 // otherwise CSV will be printed to the supplied io.Writer.
-func ReadInterface(iface string, out io.Writer, separator string, ja3s bool, asJSON bool, snaplen int, promisc bool, timeout time.Duration) {
-
+func ReadInterface(iface, bpfFilter, dumpPkg string, out io.Writer, separator string, ja3s bool, asJSON bool, snaplen int, promisc bool, timeout time.Duration) {
 	h, err := pcap.OpenLive(iface, int32(snaplen), promisc, timeout)
 	if err != nil {
 		panic(err)
 	}
 	defer h.Close()
 
+	if strings.TrimSpace(bpfFilter) != "" {
+		if err := h.SetBPFFilter(bpfFilter); err != nil {
+			panic(err)
+		}
+	}
+
+	var dumpFileHandle *os.File
+	var pcapWriter *pcapgo.Writer
+	if dumpPkg != "" {
+		dumpFileHandle, err = os.OpenFile(dumpPkg, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0644)
+		if err != nil {
+			panic(err)
+		}
+		defer dumpFileHandle.Close()
+		pcapWriter = pcapgo.NewWriter(dumpFileHandle)
+		pcapWriter.WriteFileHeader(uint32(snaplen), h.LinkType())
+	}
+
 	if !asJSON {
 		columns := []string{"timestamp", "source_ip", "source_port", "destination_ip", "destination_port", "ja3_digest"}
 
@@ -60,9 +79,12 @@ func ReadInterface(iface string, out io.Writer, separator string, ja3s bool, asJ
 
 		// check if we got a result
 		if len(bare) > 0 {
-
 			count++
 
+			if pcapWriter != nil {
+				pcapWriter.WritePacket(ci, data)
+			}
+
 			var (
 				b  strings.Builder
 				nl = p.NetworkLayer()

utils.go

@@ -23,8 +23,8 @@ func openPcap(file string) (PacketSource, *os.File, layers.LinkType, error) {
 	}
 
 	var (
-		reader       PacketSource
-		linkType     layers.LinkType
+		reader   PacketSource
+		linkType layers.LinkType
 	)
 
 	// try to create pcap reader