In the previous chapter, you learned about building networking tools using the Go standard library. In this chapter, you will go further and investigate an open source library network library from Google called gopacket. The library source code can be found at https://github.com/google/gopacket and the library documentation can be found at https://pkg.go.dev/github.com/google/gopacket. The source branch that you will be looking at in this chapter is the master branch.
How gopacket works
How to use gopacket to write a network traffic sniffer
About network capture files
Source Code
The source code for this chapter is available from the https://github.com/Apress/Software-Development-Go repository.
gopacket
In this section, you will explore gopacket and learn about the main part of the library to understand how it works. This library provides the capability to write applications that need to capture and analyze network traffic. The library does the heavy lifting of communicating with the kernel to obtain all the network data and parse it and make it available to applications. gopacket uses a packet capture Linux library that has been part of the Linux toolbox for a long time called libpcap. More information can be found at www.tcpdump.org/index.html.
The libpcap library provides functionality to grab network packets from the network cards, which in turn are parsed and converted to the relevant protocols that are easily used by applications. gopacket provides two major types of data structures that applications can work with, namely Packet and Layer, which will be explored more in detail next.
Layer
LayerContents contains the bytes representing a particular layer. For example, if this is an Ethernet layer, then it will contain bytes that make up the Ethernet frame, while LayerPayload will contain the bytes representing the Ethernet protocol.
![](https://imgdetail.ebookreading.net/2023/10/9781484287316/9781484287316__9781484287316__files__images__527551_1_En_11_Chapter__527551_1_En_11_Fig1_HTML.jpg)
A screeshot represent different protocols using the layer interface in the layer directory.
Layer struct implementation
The source code inside the layers directory contains implementations of each protocol and how to read them from the raw bytes obtained from the kernel.
TCP Layer
Going through each of the protocol source files, you will see the implementation of the different protocols that are supported by the library.
Packet
The ApplicationLayer is an interface that holds the Layer type and the Payload() function that will return the original bytes relevant from the network capture for this particular layer. You will look at an example in the next section on how to use the different functions inside the Packet.
Using gopacket
In this section, you will look at examples of how to use gopacket. They will give you ideas of how to use the library and also show the library capabilities in reading network protocols.
pcap
Let’s take a moment to understand pcap. It stands for packet capture. Linux has tools that allow a developer or sysadmin to perform network troubleshooting, and one of those tools is a packet capture tool. The packet capture tools allow Linux root users to capture network traffic in the machine.
The traffic data can be saved into a file and later read to be analyzed. This kind of capability is super useful for performing auditing plus security and network troubleshooting in a cloud or local environment. In this chapter, you will capture and analyze the pcap file.
Installing libpcap
You will need to reboot your machine once it is successfully installed.
Networking Sniffer
IPv4 information
DNS information
TCP information
UDP information
Application layer protocol information
Code Walkthrough
The pcap.OpenLive function calls gopacket to open the network device and the true parameter sent indicates to the library that you want to open it in promiscuous mode.
As mentioned in the “Packet” section, the application interacts with the network data via the Packet type. In the sample code case, you create a new PacketSource that the app can use in a for .. range to extract all the incoming packets and process them inside the printPacketInfo(..) function. So far, you have successfully initialized and received the packet; now let’s dig further into how to use the information made available inside the Packet struct.
The code uses the ApplicationLayer() function that instructs gopacket to return a layer that corresponds to the application layer, which corresponds to Layer 7 of the OSI network model. Once obtained, it will check whether the layer data is an HTTP request by checking for an HTTP string.
This shows the powerful functionality the library can provide when accessing the different network layers that are made available via the Packet struct.
Analyzing pcap Manually
The sample code not only prints out the capture network layers; it also stores them inside a file called test.pcap. The file is generated in the directory where you run the sample code; in this example, it is stored inside the gopacket/sniffer directory.
This shows that the raw captured files are compatible with other raw network analyzers that are available.
Analyzing pcap Using WireShark
![](https://imgdetail.ebookreading.net/2023/10/9781484287316/9781484287316__9781484287316__files__images__527551_1_En_11_Chapter__527551_1_En_11_Fig2_HTML.jpg)
A screenshot of the user interface of Wireshark software represents tools named file, edit, view, go capture, analysis, statistics, and help. A popup window of welcome to Wireshark.
Wireshark UI
![](https://imgdetail.ebookreading.net/2023/10/9781484287316/9781484287316__9781484287316__files__images__527551_1_En_11_Chapter__527551_1_En_11_Fig3_HTML.png)
A user interface of Wireshark software represents tools named file, edit, view, go capture, analysis, statistics, and help. A popup window represents open capture file names.
Wireshark open file selection
![](https://imgdetail.ebookreading.net/2023/10/9781484287316/9781484287316__9781484287316__files__images__527551_1_En_11_Chapter__527551_1_En_11_Fig4_HTML.jpg)
A user interface of the test dot pcap represents tools named file, edit, view, go capture, analysis, statistics, and help.
test.pcap inside Wireshark
In this section, you proved that the network capture performed by gopacket can be successfully read using two different tools. In the next section, you will look at how to use BPF (Berkeley Packet Filter) to filter the network traffic that you are interested in.
Capturing With BPF
gopacket provides the ability to filter network traffic that applications are interested in, and this is possible by using BPF. BPF stands for Berkeley Packet Filter and it allows an application to attach a filter to allow or disallow certain types of data through a socket. More detail information can be found at www.kernel.org/doc/html/latest/networking/filter.html.
The filter variable contains a simple English-like filter rule, tcp and dst port 80, which means it is only interested in TCP traffic that is accessing port 80. Here is a link to more information about the different filters you can write: www.ibm.com/docs/en/qsip/7.4?topic=queries-berkeley-packet-filters.
Summary
In this chapter, you learned about capturing raw networks using the open source gopacket project. The library provides a lot of functionality made available through its simple public API. You learned how to write applications using the library and use the information provided in the different structures.
You looked at BPF (Berkeley Packet Filter) and learned to use it inside your code to filter network captures using gopacket. Using BPF allows an application to process only the network capture that it is interested in rather than spending time processing all incoming traffic. This makes it easier to develop apps targeted for specific traffic.