2024年最新gopacket源码分析_gopacket中tcpassembly源码解读(1)，Activity的6大难点你会几个

本文链接：https://blog.csdn.net/2401_84931693/article/details/138897855

网上学习资料一大堆，但如果学到的知识不成体系，遇到问题时只是浅尝辄止，不再深入研究，那么很难做到真正的技术提升。

一个人可以走的很快，但一群人才能走的更远！不论你是正从事IT行业的老鸟或是对IT行业感兴趣的新人，都欢迎加入我们的的圈子（技术交流、学习资源、职场吐槽、大厂内推、面试辅导），让我们一起学习成长！

}


### handle.LinkType


handle.LinkType()是源的链路层类型，一般是 LinkType 对应枚举 LinkTypeEthernet

func (p *Handle) LinkType() layers.LinkType {
return p.pcapDatalink()
}
func (p *Handle) pcapDatalink() layers.LinkType {
ret, _, _ := syscall.Syscall(pcapDatalinkPtr, 1, uintptr(p.cptr), 0, 0)
return layers.LinkType(ret)
}


LinkType

type LinkType uint8
func (a LinkType) Decode(data []byte, p gopacket.PacketBuilder) error {
return LinkTypeMetadata[a].DecodeWith.Decode(data, p)
}


那么 LinkTypeMetadata 数据是从那里呢？我们可以借助 IDE 的全局查找功能进行查找


[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-WESNx1yE-1659280486701)(assets/image-20220729111733-0mflbru.png)]


查找后我们可以在 layers.enums.go 大约 368 行看到 LinkTypeEthernet 的注册信息

LinkTypeMetadata[LinkTypeEthernet] = EnumMetadata{DecodeWith: gopacket.DecodeFunc(decodeEthernet), Name: “Ethernet”}


然后反推其调用链为 init->initActualTypeData

func init() {
initUnknownTypesForLinkType()
initUnknownTypesForEthernetType()
initUnknownTypesForPPPType()
initUnknownTypesForIPProtocol()
initUnknownTypesForSCTPChunkType()
initUnknownTypesForPPPoECode()
initUnknownTypesForFDDIFrameControl()
initUnknownTypesForEAPOLType()
initUnknownTypesForProtocolFamily()
initUnknownTypesForDot11Type()
initUnknownTypesForUSBTransportType()
initActualTypeData()
}

func initActualTypeData() {
…
LinkTypeMetadata[LinkTypeEthernet] = EnumMetadata{DecodeWith: gopacket.DecodeFunc(decodeEthernet), Name: “Ethernet”}
…
}


#### decodeEthernet

func decodeEthernet(data []byte, p gopacket.PacketBuilder) error {
eth := &Ethernet{}
err := eth.DecodeFromBytes(data, p)
if err != nil {
return err
}
p.AddLayer(eth)
p.SetLinkLayer(eth)
return p.NextDecoder(eth.EthernetType)
}


然后我们可以看到 ether 的解析过程

func (eth *Ethernet) DecodeFromBytes(data []byte, df gopacket.DecodeFeedback) error {
if len(data) < 14 {
return errors.New(“Ethernet packet too small”)
}
eth.DstMAC = net.HardwareAddr(data[0:6])
eth.SrcMAC = net.HardwareAddr(data[6:12])
eth.EthernetType = EthernetType(binary.BigEndian.Uint16(data[12:14]))
eth.BaseLayer = BaseLayer{data[:14], data[14:]}
eth.Length = 0
if eth.EthernetType < 0x0600 {
eth.Length = uint16(eth.EthernetType)
eth.EthernetType = EthernetTypeLLC
if cmp := len(eth.Payload) - int(eth.Length); cmp < 0 {
df.SetTruncated()
} else if cmp > 0 {
// Strip off bytes at the end, since we have too many bytes
eth.Payload = eth.Payload[:len(eth.Payload)-cmp]
}
// fmt.Println(eth)
}
return nil
}


## NextPacket

func (p *PacketSource) NextPacket() (Packet, error) {
data, ci, err := p.source.ReadPacketData()
if err != nil {
return nil, err
}
packet := NewPacket(data, p.decoder, p.DecodeOptions)
m := packet.Metadata()
m.CaptureInfo = ci
m.Truncated = m.Truncated || ci.CaptureLength < ci.Length
return packet, nil
}


### NewPacket

func NewPacket(data []byte, firstLayerDecoder Decoder, options DecodeOptions) Packet {
if !options.NoCopy {
dataCopy := make([]byte, len(data))
copy(dataCopy, data)
data = dataCopy
}
if options.Lazy {
p := &lazyPacket{
packet: packet{data: data, decodeOptions: options},
next: firstLayerDecoder,
}
p.layers = p.initialLayers[:0]
// Crazy craziness:
// If the following return statemet is REMOVED, and Lazy is FALSE, then
// eager packet processing becomes 17% FASTER. No, there is no logical
// explanation for this. However, it’s such a hacky micro-optimization that
// we really can’t rely on it. It appears to have to do with the size the
// compiler guesses for this function’s stack space, since one symptom is
// that with the return statement in place, we more than double calls to
// runtime.morestack/runtime.lessstack. We’ll hope the compiler gets better
// over time and we get this optimization for free. Until then, we’ll have
// to live with slower packet processing.
return p
}
p := &eagerPacket{
packet: packet{data: data, decodeOptions: options},