Added support for multiple listen ports

Author: sandersaares

README.md

@@ -22,7 +22,7 @@ MikroTik RouterOS has [built-in support for TZSP packet capture](https://wiki.mi
 # Quick start
 
 1. Set up a TZSP packet stream to the server this app will be running on. Pick an arbitrary port number for the stream, for example 1234.
-1. Execute the app as `tzsp_packetstream_exporter --interface eth0 --port 1234` (see `--help` for more info).
+1. Execute the app as `tzsp_packetstream_exporter --interface eth0 --listen-port 1234` (see `--help` for more info).
 1. Navigate to http://hostname:9184/metrics to explore the available metrics.
 1. Register `hostname:9184` in your Prometheus configuration as a scrape target.
 1. If using Grafana, [install the template dashboard](https://grafana.com/grafana/dashboards/11609).
@@ -44,9 +44,7 @@ Only TCP and UDP are analyzed - other transport-level protocols are simply "unkn
 
 # How do I analyze multiple parallel packet streams?
 
-You could simply direct them at the same analyzer but this will lead to the results being merged.
-
-If you want the results separated in Prometheus, run a separate instance of the analyzer, accepting packets and publishing results on individual ports (`--listen-port` and `--publish-port`, respectively).
+You can direct multiple TZSP streams to the same analyzer, either on the same port or separate ports (using multiple `--listen-port` options). The output metrics carry a label indicating the listen port the data arrived on.
 
 # (Linux) On startup, I see "Failed to create directory ..." - what's wrong?
 

TzspPacketStreamExporter/ExporterLogic.cs

@@ -1,6 +1,7 @@
 using Axinom.Toolkit;
 using Prometheus;
 using System;
+using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Net;
@@ -13,11 +14,13 @@ namespace TzspPacketStreamExporter
     sealed class ExporterLogic
     {
         public string ListenInterface { get; set; } = "";
-        public int ListenPort { get; set; }
+        public List<int> ListenPorts { get; set; } = new List<int>();
         public int PublishPort { get; set; } = Constants.DefaultPublishPort;
 
         private MetricServer? _metricServer;
 
+        private string MakeTsharkFilterString() => $"(dst port {string.Join(" or dst port ", ListenPorts)}) and udp";
+
         public async Task RunAsync(CancellationToken cancel)
         {
             await VerifyTshark(cancel);
@@ -46,6 +49,9 @@ void ConsumeStandardOutput(Stream stdout)
                 // 1. Hex string of packet bytes (starting with either outer UDP header or inner TZSP header)
                 // 2. A space character.
                 // 3. Type of the data ("eth:ethertype:ip:data" - UDP header, "eth:ethertype:ip:udp:data" - TZSP header)
+                // 4. A space character.
+                // 5. The destination UDP port of the TZSP protocol ("udp.dstport") but ONLY if type of data is TZSP header.
+                //    If type of data is UDP header, we need to parse the port ourselves.
 
                 try
                 {
@@ -64,8 +70,8 @@ void ConsumeStandardOutput(Stream stdout)
                         string packetType;
 
                         var parts = line.Split(' ');
-                        if (parts.Length != 2)
-                            throw new NotSupportedException("Output line did not have expected 2 components.");
+                        if (parts.Length != 3)
+                            throw new NotSupportedException("Output line did not have expected number of components.");
 
                         // On some systems there are colons. On others there are not!
                         // Language/version differences? Whatever, get rid of them.
@@ -82,7 +88,8 @@ void ConsumeStandardOutput(Stream stdout)
                             }
                             else if (packetType == "eth:ethertype:ip:udp:data")
                             {
-                                ProcessTzspPacket(packetBytes);
+                                var listenPort = ushort.Parse(parts[2]);
+                                ProcessTzspPacket(packetBytes, listenPort);
                             }
                             else
                             {
@@ -149,7 +156,7 @@ void ConsumeStandardError(Stream stderr)
             {
                 ExecutablePath = Constants.TsharkExecutableName,
                 ResultHeuristics = ExternalToolResultHeuristics.Linux,
-                Arguments = @$"-i ""{ListenInterface}"" -f ""dst port {ListenPort} and udp"" -p -T fields -e data.data -e frame.protocols -Eseparator=/s -Q",
+                Arguments = @$"-i ""{ListenInterface}"" -f ""{MakeTsharkFilterString()}"" -p -T fields -e data.data -e frame.protocols -e udp.dstport -Eseparator=/s -Q",
                 StandardOutputConsumer = ConsumeStandardOutput,
                 StandardErrorConsumer = ConsumeStandardError
             };
@@ -218,27 +225,35 @@ private static string DetermineIPv4AddressType(IPAddress address)
         
         // Starts with UDP header because it is incomplete (did not fit in 1500 Ethernet frame).
         // Identified by "frame.protocols": "eth:ethertype:ip:data"
+        // Given that UDP header is not parsed due to incomplete packet, we do not get "udp.dstport" value for this type of packet.
         // Inside is UDP multicast packet.
         const string IncompleteUdpPacketHex = "1535153505f50000010000010101005e28500100155d04eb0e0800450005da457340001f1198cbc0a87802ef2850019595138905c61d71000001e55e27e764000e2d69323334350000000030313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334";
 
         // Seems to start with TZSP header because it is complete.
         // Identified by "frame.protocols": "eth:ethertype:ip:udp:data"
+        // We get "udp.dstport" value for this because TShark can parse the full packet.
         // Inside is TCP packet.
         const string CompleteTcpPacketHex = "010000010100155d04eb0a00155d04eb0e080045000274655e40003f0661d0c0a87802c0a87902eba01451cf757cdc16f4d46680100480223300000101080acae8ac2922f45e949d2efd0c894fdee47ecc96c750f49ad526016ad8ff12a3a218d5d86dd9445876725583fba461df222d75e97e6983538f84bd6783d00a25e8dffd55b941ad2fb302b2aea6138dc84102b1bf6b3412fab8cf623b9f6c61884c5edd05a08b34538de70234fa8ffc3b92aefafde20cf89bdc5ad67bc637031296e117366c4c89f9338b2d2d1b2a69add863aaba70a2554cfc2cc7c363cbd5f9aced2f1839b9116c443f995f69020c4166b7fbd6595122567de919e0b4eeda60db097814c28a8007c91a66321c7373822a6e5883bf7ad93c64f21d18e1f779bc00f1d1c37b51ca446b307688a3e90acd58635117dd2a54411d715afe68d3ba68c48b2b40ddf5844826fbd0c9e4db973c3ee8541b12a85d2f19b72d818ae8e94e73158e500a1399300e69faf244912f8279839e8b2bfbbb44b2e8c53cd0ae8a44c31994ce2c2dfe3a97f82cdb895b5e02defc8e09f7494da93112e502c16f468488da52b40851ee9f491b7ad376d8d555d4635ecbacac74debe59e07fc926045100560608a7f4a7f10f22c486fa99dbcffd399aa9e50f87a4686723318d27838e7e8996257d3e168d60da135a74ee297127c41a0dd3a2b13b09d46d97fcf0257a79bb9ff6f9b683599096b40484dd75aca190b974326ab03b3e1dd23a0df7b486b3547cac0a00069a96ba9f1b9714c739a480add6ea5d12287ae46387dc170d8f6b8a3b758a411020fbaf3b93c302cc6882793e6cd750955135f8d9110fe6a07b70dbf0fa1d001b18af56ab735977dbdbf11948c86add199fd5f2b0e4d9505f492b504448505f6100b5";
 
         */
 
         private static void ProcessTzspPacketWithUdpHeader(byte[] packet)
         {
+            using var stream = new MemoryStream(packet);
+            using var reader = new MultiEndianBinaryReader(stream, ByteOrder.BigEndian);
+
             // source port (2)
             // destination port (2)
             // length (2)
             // checksum (2)
 
-            ProcessTzspPacket(packet.Skip(8).ToArray());
+            stream.Position = 2;
+            var listenPort = reader.ReadUInt16();
+
+            ProcessTzspPacket(packet.Skip(8).ToArray(), listenPort);
         }
 
-        private static void ProcessTzspPacket(byte[] packet)
+        private static void ProcessTzspPacket(byte[] packet, ushort listenPort)
         {
             // TZSP header
             // version (1) == 1
@@ -341,8 +356,8 @@ private static void ProcessTzspPacket(byte[] packet)
                 _ => "unknown"
             };
 
-            BytesBase.WithLabels(sourceAddressString, sourceAddressType, destinationAddressString, destinationAddressType, protocolName).Inc(totalPacketLengthIncludingIpHeader);
-            PacketsBase.WithLabels(sourceAddressString, sourceAddressType, destinationAddressString, destinationAddressType, protocolName).Inc();
+            BytesBase.WithLabels(sourceAddressString, sourceAddressType, destinationAddressString, destinationAddressType, protocolName, listenPort.ToString()).Inc(totalPacketLengthIncludingIpHeader);
+            PacketsBase.WithLabels(sourceAddressString, sourceAddressType, destinationAddressString, destinationAddressType, protocolName, listenPort.ToString()).Inc();
         }
 
         private static readonly Counter BytesBase = Metrics.CreateCounter("tzsp_observed_bytes_total", "Total number of bytes that have been observed in the captured packet stream.", new CounterConfiguration
@@ -353,7 +368,8 @@ private static void ProcessTzspPacket(byte[] packet)
                 "from_type",
                 "to",
                 "to_type",
-                "protocol"
+                "protocol",
+                "listen_port"
             }
         });
 
@@ -365,7 +381,8 @@ private static void ProcessTzspPacket(byte[] packet)
                 "from_type",
                 "to",
                 "to_type",
-                "protocol"
+                "protocol",
+                "listen_port"
             }
         });
 

TzspPacketStreamExporter/Program.cs

@@ -3,6 +3,7 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
+using System.Linq;
 using System.Threading;
 
 namespace TzspPacketStreamExporter
@@ -70,11 +71,12 @@ private bool ParseArguments(string[] args)
             var options = new OptionSet
             {
                 GetVersionString(),
+                "Usage: --interface eth0 --listen-port 19345 --listen-port 19346",
                 "",
                 "General",
                 { "h|?|help", "Displays usage instructions.", val => showHelp = val != null },
                 { "interface=", "Name or number of the network interface (e.g. 1 or eth5 or \"Ethernet 3\"). Must match an entry in the 'tshark -D' list.", val => _logic.ListenInterface = val?.Trim('"') ?? "" },
-                { "listen-port|port=", "UDP port to listen on for an incoming TZSP packet stream.", (ushort val) => _logic.ListenPort = val },
+                { "listen-port|port=", "UDP port to listen on for an incoming TZSP packet stream. Use multiple times to listen on multiple ports.", (ushort val) => _logic.ListenPorts.Add(val) },
                 { "publish-port|publish=", $"TCP port to publish Prometheus metrics on. Defaults to {_logic.PublishPort}.", (ushort val) => _logic.PublishPort = val },
 
                 "",
@@ -101,6 +103,12 @@ private bool ParseArguments(string[] args)
                 if (_logic.ListenInterface.Contains('"'))
                     throw new OptionException("The network interface name must not contain the double quote character.", "interface");
 
+                if (_logic.ListenPorts.Count == 0)
+                    throw new OptionException("You must specify at least one port to listen on.", "listen-port");
+
+                if (_logic.ListenPorts.Count != _logic.ListenPorts.Distinct().Count())
+                    throw new OptionException("You have specified duplicate ports to listen on. Did you make a typo?", "listen-port");
+
                 if (string.IsNullOrWhiteSpace(_logic.ListenInterface))
                     throw new OptionException("The network interface name must be specified.", "interface");
             }
@@ -134,7 +142,9 @@ private Program()
             // We default to displaying Info or higher but allow this to be reconfiured later, if the user wishes.
             _filteringLogListener = new FilteringLogListener(new ConsoleLogListener())
             {
+#if !DEBUG
                 MinimumSeverity = LogEntrySeverity.Info
+#endif
             };
 
             Log.Default.RegisterListener(_filteringLogListener);

TzspPacketStreamExporter/Properties/launchSettings.json

@@ -2,7 +2,7 @@
   "profiles": {
     "TzspPacketStreamExporter": {
       "commandName": "Project",
-      "commandLineArgs": "--interface 1 --port 5429"
+      "commandLineArgs": "--interface 1 --port 5429 --port 5430"
     }
   }
 }