Network Packet Logging Hooks?

devanl
Posts: 11
Joined: Sat Jan 04, 2020 5:26 pm

Network Packet Logging Hooks?

Postby devanl » Tue Jan 07, 2020 8:09 pm

Hi,

Are there any official APIs I can use to hook into the network stack to log both transmitted and received packets at the IP layer?

My use case is that I want to record network traffic from the ESP32's point-of-view for debugging its communication behavior. Normally I would do an external packet capture, but since my application uses TLS (and I only control the device side, not the server), I need to dump the session keys in order to decode the traffic. I could create some ad-hoc means of dumping the session keys (every time the ESP32 establishes a new TLS session) and storing that into a file so that I can use it with Wireshark, but it involves a lot of moving parts.

My preferred approach, which I've implemented by adding hooks myself, is to have the ESP32 generate a PCAPNG file where it embeds the session keys into the file directly. Then I can either stream the file via semihosting/app-trace/what-have-you or dump it afterwards and I don't have to worry about figuring out which set of session keys belong with which packet capture.

From my first look over the IDF, I don't see a good place to get both received and transmitted packets:
  • LWIP has its LWIP_HOOK_IP4_INPUT mechanism, but that would only cover received packets, which would be missing half of the conversation that I'm trying to debug. Also, I'm not sure if I can actually provide a hook without modifying the LWIP component, since it operates by adding a new header file include to the LWIP stack.
  • There's also the promiscuous rx callback, which I haven't tried. It's a little lower level than I would like and I assume it has the same issue of only letting me capture received packets, not transmitted packets.
  • When I first looked at the netif API, I thought I would be able to create a wrapper netif that would let me log the packets before passing them through to the real LWIP netif implementation. I wasn't able to make any progress without modifying the LWIP component since the LWIP netif structures/functions are all hidden behind a private implementation such that I can't find a way to make a wrapper without duplicating the LWIP netif definitions entirely.
I ended up adding my own hooks to wlanif_input() and low_level_output() to get access to the packets with ethernet encapsulation.
While it works great for me as a one-off debugging test, the long-term maintainability is iffy, since I will have to reapply patches whenever the LWIP component is updated.

Does anybody know of any APIs that I could hook into to do this without modifying any of the ESP-IDF components, or if there are any plans to add any APIs in the future?
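Added example, not code from the original post or from ESP-IDF: a minimal pcapng writer in C that produces the file layout the post describes, a capture that carries its own TLS session keys. It writes a Section Header Block, an Interface Description Block (Ethernet link type, matching the Ethernet-encapsulated frames the wlanif/low_level_output hooks see), a Decryption Secrets Block holding an NSS-format key log line, and one Enhanced Packet Block. Everything is assumption or constructed sample data: the key log line is a placeholder of the right shape (on device it would have to come from the TLS library's key export callback, which on ESP-IDF means mbedTLS), the Ethernet/IPv4/UDP frame is hand-built with the IPv4 checksum left at zero, and the output goes to a memory buffer the caller flushes however suits them (file, semihosting, app-trace).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Block type codes and constants from the pcapng specification. */
#define PCAPNG_BT_SHB             0x0A0D0D0Au /* Section Header Block */
#define PCAPNG_BT_IDB             0x00000001u /* Interface Description Block */
#define PCAPNG_BT_EPB             0x00000006u /* Enhanced Packet Block */
#define PCAPNG_BT_DSB             0x0000000Au /* Decryption Secrets Block */
#define PCAPNG_BYTE_ORDER_MAGIC   0x1A2B3C4Du
#define PCAPNG_SECRETS_TLS_KEYLOG 0x544C534Bu /* "TLSK": NSS key log format */
#define LINKTYPE_ETHERNET         1u

/* Caller-provided output buffer; how it is flushed off the device is up to the caller. */
typedef struct { uint8_t *buf; size_t cap; size_t len; } pcapng_out_t;

static size_t pad4(size_t n) { return (n + 3u) & ~(size_t)3u; }

/* All fields are written little-endian; the byte-order magic in the SHB tells the reader. */
static int put_u16(pcapng_out_t *o, uint16_t v) {
    if (o->len + 2 > o->cap) return -1;
    o->buf[o->len++] = (uint8_t)(v & 0xFFu);
    o->buf[o->len++] = (uint8_t)(v >> 8);
    return 0;
}
static int put_u32(pcapng_out_t *o, uint32_t v) {
    if (o->len + 4 > o->cap) return -1;
    for (int i = 0; i < 4; i++) o->buf[o->len++] = (uint8_t)(v >> (8 * i));
    return 0;
}
/* Raw bytes followed by zero padding to the 4-byte boundary pcapng requires. */
static int put_padded(pcapng_out_t *o, const void *data, size_t n) {
    size_t total = pad4(n);
    if (o->len + total > o->cap) return -1;
    memcpy(o->buf + o->len, data, n);
    memset(o->buf + o->len + n, 0, total - n);
    o->len += total;
    return 0;
}

/* Each writer returns the block's total length, or 0 (buffer untouched) if it does not fit. */
size_t pcapng_write_shb(pcapng_out_t *o) {
    size_t start = o->len;
    uint32_t total = 4 + 4 + 4 + 2 + 2 + 8 + 4;          /* no options */
    if (put_u32(o, PCAPNG_BT_SHB) || put_u32(o, total) || put_u32(o, PCAPNG_BYTE_ORDER_MAGIC) ||
        put_u16(o, 1) || put_u16(o, 0) ||                  /* pcapng version 1.0 */
        put_u32(o, 0xFFFFFFFFu) || put_u32(o, 0xFFFFFFFFu) || /* section length -1: unknown */
        put_u32(o, total)) { o->len = start; return 0; }
    return total;
}
size_t pcapng_write_idb(pcapng_out_t *o, uint16_t linktype, uint32_t snaplen) {
    size_t start = o->len;
    uint32_t total = 4 + 4 + 2 + 2 + 4 + 4;              /* no options: timestamps in microseconds */
    if (put_u32(o, PCAPNG_BT_IDB) || put_u32(o, total) || put_u16(o, linktype) || put_u16(o, 0) ||
        put_u32(o, snaplen) || put_u32(o, total)) { o->len = start; return 0; }
    return total;
}
/* DSB carrying NSS key log text; Wireshark reads it without any external key file. */
size_t pcapng_write_tls_keylog(pcapng_out_t *o, const char *keylog, size_t n) {
    size_t start = o->len;
    uint32_t total = (uint32_t)(4 + 4 + 4 + 4 + pad4(n) + 4);
    if (put_u32(o, PCAPNG_BT_DSB) || put_u32(o, total) || put_u32(o, PCAPNG_SECRETS_TLS_KEYLOG) ||
        put_u32(o, (uint32_t)n) || put_padded(o, keylog, n) || put_u32(o, total)) { o->len = start; return 0; }
    return total;
}
/* EPB for one frame; ts_us is microseconds since the epoch (or since boot, if that is all you have). */
size_t pcapng_write_packet(pcapng_out_t *o, uint32_t iface, uint64_t ts_us, const uint8_t *frame, size_t n) {
    size_t start = o->len;
    uint32_t total = (uint32_t)(4 + 4 + 4 + 4 + 4 + 4 + 4 + pad4(n) + 4);
    if (put_u32(o, PCAPNG_BT_EPB) || put_u32(o, total) || put_u32(o, iface) ||
        put_u32(o, (uint32_t)(ts_us >> 32)) || put_u32(o, (uint32_t)ts_us) ||
        put_u32(o, (uint32_t)n) || put_u32(o, (uint32_t)n) ||     /* captured == original length */
        put_padded(o, frame, n) || put_u32(o, total)) { o->len = start; return 0; }
    return total;
}

/* Constructed placeholder with the shape of an NSS key log line:
 * "CLIENT_RANDOM <32-byte hex> <48-byte hex>\n". Not real key material. Returns 176. */
static size_t make_placeholder_keylog(char *out, size_t cap) {
    if (cap < 14 + 64 + 1 + 96 + 1) return 0;
    size_t n = 0;
    memcpy(out, "CLIENT_RANDOM ", 14); n += 14;
    memset(out + n, '0', 64); n += 64;   /* placeholder client random */
    out[n++] = ' ';
    memset(out + n, '1', 96); n += 96;   /* placeholder master secret */
    out[n++] = '\n';
    return n;
}

/* Constructed 42-byte frame: Ethernet + IPv4 (checksum left zero) + empty UDP to port 443. */
static const uint8_t sample_frame[] = {
    0x02,0x00,0x00,0x00,0x00,0x02, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00, 10,0,0,1, 10,0,0,2,
    0x30,0x39, 0x01,0xbb, 0x00,0x08, 0x00,0x00
};

/* Builds a complete capture into buf; returns its size in bytes, or 0 if it did not fit. */
size_t build_sample_capture(uint8_t *buf, size_t cap) {
    pcapng_out_t o = { buf, cap, 0 };
    char keylog[200];
    size_t klen = make_placeholder_keylog(keylog, sizeof keylog);
    if (!klen || !pcapng_write_shb(&o) || !pcapng_write_idb(&o, LINKTYPE_ETHERNET, 65535) ||
        !pcapng_write_tls_keylog(&o, keylog, klen) ||
        !pcapng_write_packet(&o, 0, 1578441600000000ull, sample_frame, sizeof sample_frame)) return 0;
    return o.len;
}

int main(void) {
    uint8_t buf[1024];
    size_t n = build_sample_capture(buf, sizeof buf);
    FILE *f = fopen("sample.pcapng", "wb");
    if (!f || fwrite(buf, 1, n, f) != n) return 1;
    fclose(f);
    return 0;
}
```

On a real device the DSB would be written each time a new key line is exported, before the packets it decrypts, and the packet writer would be called from the rx/tx hooks with the Ethernet frame and a timestamp. Because the file embeds the session secrets, treat it with the same care as the plaintext traffic it decodes: it should not be left on the device or sent to a host over an unprotected channel.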

ESP_Sprite
Posts: 4003
Joined: Thu Nov 26, 2015 4:08 am

Re: Network Packet Logging Hooks?

Postby ESP_Sprite » Wed Jan 08, 2020 2:24 am

Not what you're looking for, but you may be better off with some man-in-the-middle approach, as you don't need to change the ESP32 code for that (smaller chance of Heisenbugs). Something like mitmproxy would be well-suited for this.

devanl
Posts: 11
Joined: Sat Jan 04, 2020 5:26 pm

Re: Network Packet Logging Hooks?

Postby devanl » Wed Jan 08, 2020 5:54 pm

Thanks, mitmproxy does look like it would work well for development.

I would still really like to be able to record packet captures on the ESP32 for field troubleshooting purposes, but I think I can get by with mitmproxy for development.
