
Commit 6151571

Log the type of parsed network traffic (#105)
Latest experiment indicates that pcap is not the issue: packets are getting non-zero timestamps. The question then becomes: how is it possible to observe parsed network traffic where both the first packet and last packet timestamps are zero if we can definitely see that pcap timestamped each packet correctly? I think this indicates that the zero timestamp issue must be coming from within the assembler or within the `stream.go` file. The following change will confirm which of the two. Either: - The assembler does indeed manipulate the timestamps, somehow setting them to zero. - The parsed network traffic we observe with zero timestamps is actually `DroppedBytes`.
1 parent 757f348 commit 6151571

1 file changed

+14
-2
lines changed


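--- a/pcap/stream.go
+++ b/pcap/stream.go
@@ -230,9 +230,21 @@ func (f *tcpFlow) reassemblyComplete() {
 func (f *tcpFlow) toPNT(firstPacketTime time.Time, lastPacketTime time.Time,
 c akinet.ParsedNetworkContent,
 ) akinet.ParsedNetworkTraffic {
+pncType := func() string {
+switch c.(type) {
+case akinet.HTTPRequest:
+return "request"
+case akinet.HTTPResponse:
+return "response"
+case akinet.DroppedBytes:
+return "dropped_bytes"
+default:
+return "unknown"
+}
+}
 if firstPacketTime.IsZero() || lastPacketTime.IsZero() {
 now := f.clock.Now()
-printer.V(6).Infof("ParsedNetworkTraffic with zero value packet timestamps. first: %v last: %v now: %v", firstPacketTime, lastPacketTime, now)
+printer.V(6).Infof("ParsedNetworkTraffic with zero value packet timestamps. type: %v first: %v last: %v now: %v", pncType(), firstPacketTime, lastPacketTime, now)
 atomic.AddUint64(&CountZeroValuePacketTimestamp, 1)
 
 if firstPacketTime.IsZero() {
@@ -243,7 +255,7 @@ func (f *tcpFlow) toPNT(firstPacketTime time.Time, lastPacketTime time.Time,
 }
 }
 if lastPacketTime.Before(firstPacketTime) {
-printer.V(6).Infof("ParsedNetworkTraffic with last packet before first packet. first: %v last: %v", firstPacketTime, lastPacketTime)
+printer.V(6).Infof("ParsedNetworkTraffic with last packet before first packet. type: %v first: %v last: %v", pncType(), firstPacketTime, lastPacketTime)
 atomic.AddUint64(&CountLastPacketBeforeFirstPacket, 1)
 
 lastPacketTime = firstPacketTime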
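Review bot: The `default` branch of `pncType` reports every content type other than the three listed as "unknown", and a pointer-typed value such as `*akinet.HTTPRequest` (if any caller passes one, which is not visible here) would land there too, so the experiment described in the commit message could still come back inconclusive. Passing the value to the `%T` verb in both log calls, e.g. `"... type: %T first: %v last: %v now: %v", c, firstPacketTime, lastPacketTime, now`, would name the concrete type and make the closure unnecessary, assuming `Infof` formats like `fmt.Sprintf`. Either way, keep logging only the type and never `c` itself with `%v`, since it carries captured traffic that should stay out of the logs. `toPNT` continues outside both hunks, so the rest of its handling is not reviewed here.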
