I'm working on detecting NTP using golang and the gopacket package. I'm using a pcap I downloaded from wireshark. I've got the following code for opening PCAPs and handling them :
func (d *DPI) readPCAP(pcapFile string) (*pcap.Handle, error) {
// Open file instead of device
handle, err := pcap.OpenOffline(pcapFile)
if err != nil {
return nil, err
}
return handle, nil
}
And this is the code I'm writing to perform the actual detection
func TestNTP(t *testing.T) {
dpi := newDPI()
handle, _ := dpi.readPCAP("data/pcap/NTP_sync.pcap")
var filter = "udp and port 123"
dpi.setFilter(handle,filter)
ntpPackets := 0
for packet := range dpi.getPacketChan(handle) {
fmt.Println("stuff: ",packet.ApplicationLayer().Payload())
if dpi.detectNTP(packet) == 1 {
ntpPackets++
} else {
fmt.Println(" Output : ", dpi.detectNTP(packet))
}
}
fmt.Println(" Total ntp packets ", ntpPackets)
}
The Payload content in the ApplicationLayer is coming up empty and I'm unable to figure out why this is happening.
Example screenshot when I print out the ApplicationLayer itself :
https://i.gyazo.com/6257f298a09e7403bbc0be5b8ac84ccc.png
Example screenshot when I print out the Payload : https://i.gyazo.com/7f4abd449025f5d65160fdbecffa8181.png
Could use some help figuring out what I'm doing wrong. Thanks!
