dpkt
JMirror encapsulation
Is it possible for dpkt to read JMirror encapsulated packets, given the known JMirror UDP port? For example, in Wireshark, if I don't specify the JMirror port as UDP port 6502, this is what I see:
[Screenshot: Screen Shot 2020-12-14 at 11 17 50 AM]
When I decode UDP port 6502 as JMirror, I get this:
[Screenshot: Screen Shot 2020-12-14 at 11 17 19 AM]
I've attached a sample pcap if it helps... Thank you! jmirror_ip.pcap.zip
It's possible to decode the encapsulated IP layer (in this case) by manually applying it to the underlying UDP data, and skipping the 8 bytes of JMirror header. E.g. for the 1st packet of this pcap:
```python
>>> dpkt.ip.IP(dpkt.ethernet.Ethernet(buf).ip.udp.data[8:])
IP(len=60, id=22676, ttl=126, p=1, sum=48995, src=b'E\x9e\xc0N', dst=b'CF\xdb\x96', opts=b'',
data=ICMP(sum=55054, data=Echo(id=512, seq=29773, data=b'abcdefghijklmnopqrstuvwabcdefghi')))
```
@obormot thank you for this! Will try it out... so that will work for the IP layer... is there a way to get to the application layer as well?
@brightpinefield dpkt will auto-decode layers if they are linked (in this example IP -> ICMP -> ICMP Echo were auto-decoded). For application layer usually one would need to specify the decoder to apply.
(Leaving the issue open since dpkt doesn't support JMirror encapsulation).