Extension
Implementing new audit records and features
To add support for a new protocol or custom abstraction, the following steps need to be performed.
First, a type definition of the new audit record must be added to the AuditRecord protocol buffer definitions, together with a new value in the Type enumeration that follows the naming convention with the NC prefix.
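As an added illustration (not taken from the NETCAP sources), this is the shape such a definition takes, using the ARP record whose generated Go struct is used by the encoder example further down. The proto3 syntax line, the package name, the field numbers and the enum value number are assumptions; the field names mirror the types.ARP fields used in the encoder:

```protobuf
// Hypothetical excerpt of the AuditRecord definitions (not NETCAP's actual file).
syntax = "proto3";
package netcap;

// Every audit record type needs an entry here; the NC prefix is the naming convention.
enum Type {
    NC_Unknown = 0;   // placeholder zero value, assumed
    NC_ARP     = 1;   // value number is an assumption
}

// The record itself: Timestamp is the first field by convention, the rest
// mirrors the ARP header fields the encoder copies out of the gopacket layer.
message ARP {
    string Timestamp       = 1;
    int32  AddrType        = 2;
    int32  Protocol        = 3;
    int32  HwAddressSize   = 4;
    int32  ProtAddressSize = 5;
    int32  Operation       = 6;
    bytes  SrcHwAddress    = 7;
    bytes  SrcProtAddress  = 8;
    bytes  DstHwAddress    = 9;
    bytes  DstProtAddress  = 10;
}
```

Recompiling the protocol buffers then yields types.Type_NC_ARP and the types.ARP struct that the encoder returns.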
Before recompiling, make sure the code generator plugin(s) that NETCAP uses to accelerate protocol buffer encoding and decoding are installed. Get the plugins with:
$ go get github.com/gogo/protobuf/...
The framework for this can be found here:
Recompile the protocol buffers with:
$ zeus gen-proto-dev
This will create the type definitions for your new audit record in the types package.
After recompiling the protocol buffers, a file for the new encoder, named after the protocol, must be created in the encoder package. The new file must contain a variable created with CreateLayerEncoder or CreateCustomEncoder, depending on the desired encoder type.
Let's take a brief look at a very simple LayerEncoder, for example the one for the ARP protocol:
package encoder

import (
    "github.com/dreadl0ck/gopacket"
    "github.com/dreadl0ck/gopacket/layers"
    "github.com/dreadl0ck/netcap/types"
    "github.com/golang/protobuf/proto"
)

// arpEncoder maps a decoded gopacket ARP layer onto the NC_ARP audit record.
var arpEncoder = CreateLayerEncoder(
    types.Type_NC_ARP,   // audit record type from the generated Type enum
    layers.LayerTypeARP, // gopacket layer this encoder handles
    func(layer gopacket.Layer, timestamp string) proto.Message {
        if arp, ok := layer.(*layers.ARP); ok {
            return &types.ARP{
                Timestamp:       timestamp,
                AddrType:        int32(arp.AddrType),
                Protocol:        int32(arp.Protocol),
                HwAddressSize:   int32(arp.HwAddressSize),
                ProtAddressSize: int32(arp.ProtAddressSize),
                Operation:       int32(arp.Operation),
                SrcHwAddress:    arp.SourceHwAddress,
                SrcProtAddress:  arp.SourceProtAddress,
                DstHwAddress:    arp.DstHwAddress,
                DstProtAddress:  arp.DstProtAddress,
            }
        }
        // not an ARP layer: emit no record
        return nil
    }, // trailing comma is required before the closing parenthesis on its own line
)