使用gopacket作为入门学习Golang

我最近(一月)开始学习高郎。我正试图在Go中重现我们内部使用Python编写的工具。

所以我有一个完全适用于DNS UDP解码的工具，然而我已经挣扎了一周，试图获得基于TCP的DNS解码。我的目标是记录每一个到达我们DNS服务器的数据包的DNS源、目的地、查询和答案。然而，与dnstap的做法类似，我们目前有一个内部解决方案，使用Python来适应我们内部的自定义日志记录和事件关联系统。

func Listen(h *pcap.Handle, c *Config, logger chan<- *dnslog) {
qType := decodeQuery()
OpCode := decodeOpCode()
parser := gopacket.NewDecodingLayerParser(
layers.LayerTypeEthernet,
&eth,
&ip4,
&ip6,
&tcp,
&udp,
&dns,
)
decoded := make([]gopacket.LayerType, 0, 10)
for {
data, _, err := h.ZeroCopyReadPacketData()
if err != nil {
log.Println("Error reading packet data ", err)
continue
}
dnslog := &dnslog{}
err = parser.DecodeLayers(data, &decoded)
for _, layer := range decoded {
switch layer {
case layers.LayerTypeIPv4:
dnslog.Dst = ip4.DstIP.String()
dnslog.Src = ip4.SrcIP.String()
case layers.LayerTypeIPv6:
dnslog.Dst = ip6.DstIP.String()
dnslog.Src = ip6.SrcIP.String()
case layers.LayerTypeTCP:
dnslog.Srcport = fmt.Sprintf("%d", tcp.SrcPort)
dnslog.Dstport = fmt.Sprintf("%d", tcp.DstPort)
case layers.LayerTypeUDP:
dnslog.Srcport = fmt.Sprintf("%d", udp.SrcPort)
dnslog.Dstport = fmt.Sprintf("%d", udp.DstPort)
case layers.LayerTypeDNS:
dnslog.Truncated = dns.TC
for _, q := range dns.Questions {
dnslog.OpCode = OpCode[uint8(dns.OpCode)]
dnslog.QueryCount = dns.QDCount
dnslog.AnswerCount = dns.ANCount
}
}
}
logger <- dnslog
}

我试图强制layers/tcp.中的NextLayerType转到DNS Layertype等，试图找到我缺少的内容。到目前为止没有运气。任何建议都是一流的。UDP的输出如下。(pprint-json编码输出)

[{ "src": "172.10.56.23", "src_port": "52464", "dst": "172.10.16.120", "dst_port": "53", "bytes": 63, "transport": "UDP", "reply_code": "Query", "query_count": 1, "answer_count": 0, "question": ["helposx.apple.com"], "query_type": "A", "answer": null, "truncated": false }, { "src": "172.10.16.120", "src_port": "53", "dst": "172.10.56.23", "dst_port": "52464", "bytes": 156, "transport": "UDP", "reply_code": "Query", "query_count": 1, "answer_count": 3, "question": ["helposx.apple.com"], "query_type": "A", "answer": [{ "response-name": "helposx.apple.com", "response-query_type": "CNAME", "response-ttl": 4607, "response-bytes": 31, "response-cname": "helposx.apple.com.edgekey.net", "response-soa": {}, "response-srv": {}, "response-mx": {} }, { "response-name": "helposx.apple.com.edgekey.net", "response-query_type": "CNAME", "response-ttl": 33, "response-bytes": 22, "response-cname": "e3167.e9.akamaiedge.net", "response-soa": {}, "response-srv": {}, "response-mx": {} }, { "response-name": "e3167.e9.akamaiedge.net", "response-query_type": "A", "response-ttl": 13, "response-bytes": 4, "response-ip": "104.98.20.77", "response-soa": {}, "response-srv": {}, "response-mx": {} }], "truncated": false }]

如果我现在使用dig+tcp(强制tcp)执行完全相同的查询，我会得到以下输出。

[{ "src": "172.10.56.23", "src_port": "57188", "dst": "172.10.16.120", "dst_port": "53", "bytes": 64, "transport": "TCP", "reply_code": "", "query_count": 0, "answer_count": 0, "question": null, "query_type": "", "answer": null, "truncated": false }, { "src": "172.10.16.120", "src_port": "53", "dst": "172.10.56.23", "dst_port": "57188", "bytes": 60, "transport": "TCP", "reply_code": "", "query_count": 0, "answer_count": 0, "question": null, "query_type": "", "answer": null, "truncated": false }, { "src": "172.10.56.23", "src_port": "57188", "dst": "172.10.16.120", "dst_port": "53", "bytes": 52, "transport": "TCP", "reply_code": "", "query_count": 0, "answer_count": 0, "question": null, "query_type": "", "answer": null, "truncated": false }, { "src": "172.10.56.23", "src_port": "57188", "dst": "172.10.16.120", "dst_port": "53", "bytes": 86, "transport": "TCP", "reply_code": "", "query_count": 0, "answer_count": 0, "question": null, "query_type": "", "answer": null, "truncated": false }, { "src": "172.10.16.120", "src_port": "53", "dst": "172.10.56.23", "dst_port": "57188", "bytes": 102, "transport": "TCP", "reply_code": "", "query_count": 0, "answer_count": 0, "question": null, "query_type": "", "answer": null, "truncated": false }, { "src": "172.10.56.23", "src_port": "57188", "dst": "172.10.16.120", "dst_port": "53", "bytes": 52, "transport": "TCP", "reply_code": "", "query_count": 0, "answer_count": 0, "question": null, "query_type": "", "answer": null, "truncated": false }] 通过查看wireshark中的相同数据包，我可以看到这些不同的数据包是TCP握手，然后是响应。未解码。

当我添加fmt时。Println(layer)后的for _，layer:=范围解码行我得到如下。

以太网IPv4TCP<lt；JSON输出。

与

以太网IPv4UDPDNS

正如您所看到的，基于TCP的DNS永远不会有下一个解码器。它只是在TCP上停止。我不确定解决方案是什么。阅读上游图书馆看起来应该有效。然而，事实并非如此，我对自己应该去哪里寻找感到困惑。作为Go的新手，它让我陷入了困境。