feat: Support in-place GZIP reads for PCAPNG files by wolveix · Pull Request #55 · gopacket/gopacket

wolveix · 2024-04-04T13:25:33Z

Hey!

This adds support for GZIP-compressed PCAPNG files. This borrows heavily from @bramp's PCAP implementation (google/gopacket#213)

mosajjal · 2024-04-04T20:14:15Z

what does this add to the current method of leveraging io.reader() on the user's code?

wolveix · 2024-04-04T20:22:07Z

@mosajjal Sorry, I'm not sure I follow what you mean. NgReader uses *bufio.Reader instead of the io.Reader used by Reader. I haven't modified any existing field types, I've just copied how GZIP decompression is handled from the Reader for use within the NgReader

mosajjal · 2024-04-06T08:00:49Z

what I mean is, since NewNgReader supports io.reader, something like this works, correct?

func main() {
        // open the gzip file as a io.reader
        f, err := os.Open("./test.pcapng.gz")
        if err != nil {
                log.Fatal(err)
        }
        defer f.Close()

        zipReader, err := gzip.NewReader(f)
        if err != nil {
                log.Fatal(err)
        }
        defer zipReader.Close()

        // read the file
        pcap, err := pcapgo.NewNgReader(zipReader, pcapgo.DefaultNgReaderOptions)
        if err != nil {
                log.Fatal(err)
        }

        // read the packets
        for {
                data, ci, err := pcap.ReadPacketData()
                if err != nil {
                        break
                }
                log.Println(ci.Timestamp, len(data))
        }

}

what does your PR add that above code doesn't provide?

bramp · 2024-04-06T15:11:57Z

Fly-by comment but it allows this:

func main() {
        // open the gzip file as a io.reader
        f, err := os.Open("./test.pcapng.gz")
        if err != nil {
                log.Fatal(err)
        }
        defer f.Close()

        // read the file
        pcap, err := pcapgo.NewNgReader(f, pcapgo.DefaultNgReaderOptions)
        if err != nil {
                log.Fatal(err)
        }

It transparency decompresses the pcap if it is gzip compressed. Thus behaving the same way as wireshark's wiretap library.

wolveix · 2024-04-06T18:28:46Z

@mosajjal ah I see. Well, for one, gopacket already does this for .pcap files. If it supports it for those, it makes sense that it should also support it for .pcapng files.

Thanks @bramp!

wolveix · 2024-04-10T14:22:12Z

Hey @mosajjal! I'm sure you're busy, but is there any chance we could get this merged? Or is there anything I can do to help? I really appreciate the work you've put into maintaining this fork!

wolveix · 2024-04-10T21:42:35Z

Thank you!

Support in-place GZIP reads for PCAPNG files

c49794a

mosajjal merged commit c4dd161 into gopacket:master Apr 10, 2024

wolveix deleted the ng_gzip branch April 10, 2024 21:42

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: Support in-place GZIP reads for PCAPNG files#55

feat: Support in-place GZIP reads for PCAPNG files#55
mosajjal merged 1 commit intogopacket:masterfrom
globalcyberalliance:ng_gzip

wolveix commented Apr 4, 2024

Uh oh!

mosajjal commented Apr 4, 2024

Uh oh!

wolveix commented Apr 4, 2024

Uh oh!

mosajjal commented Apr 6, 2024

Uh oh!

bramp commented Apr 6, 2024

Uh oh!

wolveix commented Apr 6, 2024

Uh oh!

wolveix commented Apr 10, 2024

Uh oh!

wolveix commented Apr 10, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

wolveix commented Apr 4, 2024

Uh oh!

mosajjal commented Apr 4, 2024

Uh oh!

wolveix commented Apr 4, 2024

Uh oh!

mosajjal commented Apr 6, 2024

Uh oh!

bramp commented Apr 6, 2024

Uh oh!

wolveix commented Apr 6, 2024

Uh oh!

wolveix commented Apr 10, 2024

Uh oh!

wolveix commented Apr 10, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants