Adding support for UDP Based Protocols


(Andrew Kroh) #1

In order to add support for application-layer protocols that operate over UDP, packetbeat first needs to add support for UDP. Is anyone currently working on adding UDP support? Let’s discuss the changes necessary to add UDP support.

I will float some ideas to start the discussion.

Currently the ProtocolPlugin interface is specific to TCP and will require changes to support UDP. It seems to me that it would be good to separate the methods for parsing UDP and TCP into separate interfaces. Plugins can then implement one or both of the interfaces depending on their needs. This also gives a path forward if other transport protocols need to be supported in the future. For example, I was thinking something like this . . .

type ProtocolPlugin interface {
    Init(…)
    GetPorts(…)
}   

type TcpProtocolPlugin interface {
    ProtocolPlugin
    ParseTcp(…) // renamed from Parse()
    ReceivedFin(…)
    GapInStream(…)
}   

type UdpProtocolPlugin interface {
    ProtocolPlugin
    ParseUdp(…)
} 

The packet decoder used in the SnifferSetup is provided by the TCP protocol plugin. I’m thinking most of the decoder logic should be separated from the TCP protocol plugin so that support for UDP (and possibly other transports) can be added.


(Tudor Golubenco) #2

Hi,

Thanks for opening the discussion. This interface proposal looks clean to me; we'd maybe just need a way to tell whether the protocol is TCP or UDP without having to use reflection.

From the implementation POV, yes, we need to take the decoder stuff out of the tcp package; it could go in the upper protos package, for example. We can rely on the gopacket library to do the UDP header decoding, so the udp layer will almost be a no-op.

Just curious, what UDP-based protocol are you looking at?


(Andrew Kroh) #3

I agree we will need a way to determine whether the plugin supports TCP or UDP or both without using reflection. Currently I have it pieced together with reflection (knowing it would need to change). I’ll look at moving the decoder logic over to the protos package; that sounds like the right place.

DNS is the protocol. I plan on using gopacket within the PluginProtocol implementation to do the low-level packet parsing.

Thanks for the direction.
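One way to decide TCP versus UDP support without the reflect package, as discussed in posts #2 and #3, is a type assertion at registration time. This is an added example, not code from the thread or from Packetbeat. The method parameters, `Register`, the two port maps and `dnsPlugin` are all assumptions, since the thread elides every signature.

```go
package main

import "fmt"

// Parameter lists are assumptions; the thread elides them.
type ProtocolPlugin interface{ GetPorts() []int }

type TcpProtocolPlugin interface {
	ProtocolPlugin
	ParseTcp(payload []byte) error
}

type UdpProtocolPlugin interface {
	ProtocolPlugin
	ParseUdp(payload []byte) error
}

// Hypothetical per-transport port tables, filled once at registration.
var tcpPorts = map[int]TcpProtocolPlugin{}
var udpPorts = map[int]UdpProtocolPlugin{}

// Register files p under each transport it implements, using type
// assertions on the split interfaces instead of package reflect.
func Register(p ProtocolPlugin) {
	for _, port := range p.GetPorts() {
		if t, ok := p.(TcpProtocolPlugin); ok {
			tcpPorts[port] = t
		}
		if u, ok := p.(UdpProtocolPlugin); ok {
			udpPorts[port] = u
		}
	}
}

// dnsPlugin is a stand-in UDP-only plugin; it has no ParseTcp method.
type dnsPlugin struct{}

func (dnsPlugin) GetPorts() []int { return []int{53} }

func (dnsPlugin) ParseUdp(b []byte) error {
	if len(b) < 12 { // fixed DNS header; reject truncated datagrams
		return fmt.Errorf("dns: short datagram (%d bytes)", len(b))
	}
	return nil
}

func main() {
	Register(dnsPlugin{})
	fmt.Println(len(tcpPorts), len(udpPorts)) // 0 1
}
```

A plugin that implements both `ParseTcp` and `ParseUdp` lands in both tables, so the sniffer can look up the handler by transport and port alone.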

