I have developed a new protocol in packetbeat.
But in the packetbeat.yml file,I found we must set the ports[] item? cause,plugin interface has a function named GetPorts().
every packet requires lookup based on port-number. The lookup table is pre-computed on startup based on GetPorts().
so,I can't listen all ports? But,some protocols don't have stabled ports,so I can't set the item in the packetbeat.yml file.
currently GetPorts() requires you to return an array of ports to listen on. The plugin is totally free to return a huge array with some very big port-range.
e.g.
define port-range in your config
type PortRange [2]uint16
type Config struct {
...
Ports PortRange
}
And use PortRange to return a complete range via GetPorts:
func (p *plugin) GetPorts() []uint16 {
range := p.Config.PortRange
first := range[0]
last := range[1]
ports := make([]uint16, 0, last - first + 1)
for i := first; i <= last; i++ {
ports = append(ports, i)
}
return ports
}
When configuring your plugin, make sure the config does not overlap ports with other protocols, as packetbeat TCP layer can not tell where to route packets to if similar ports are used between multiple protocol plugins.
One can even extend the ports config idea like:
type PortsConfig struct {
Range *PortRangeConfig `config:"range"`
List *[]uint16 `config:"list"`
}
type Config struct {
Ports PortsConfig `config:"ports"`
}
Using this structure to configure your ports one can configure a protocol like:
packetbeat.protocols.myproto:
ports.range: [1000, 2000]
packetbeat.protocols.another_proto:
ports.list: [1,2,3,4,5]
1 Like
Thx!
This topic was automatically closed after 21 days. New replies are no longer allowed.