(feat/webrtc-sniffer): use secret key for DTLS

vlad9486 · vlad9486 · commit ace1bf5d61d0 · 2025-02-20T13:27:55.000+01:00
diff --git a/tools/webrtc-sniffer/Cargo.toml b/tools/webrtc-sniffer/Cargo.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 edition = "2021"
 
 [dependencies]
-clap = { version = "4.5", features = ["derive"] }
+clap = { version = "4.5", features = ["derive", "env"] }
 env_logger = { version = "0.11.6" }
 log = { version = "0.4.25" }
 pcap = { version = "2.2" }
@@ -13,3 +13,5 @@ sudo = { version = "0.6.0" }
 hex = { version = "0.4.3" }
 etherparse = { version = "0.17.0" }
 thiserror = { version = "2.0" }
+
+p2p = { path = "../../p2p" }
diff --git a/tools/webrtc-sniffer/src/bin/sniffer.rs b/tools/webrtc-sniffer/src/bin/sniffer.rs
@@ -3,7 +3,9 @@ use std::path::PathBuf;
 use clap::Parser;
 use pcap::{Capture, ConnectionStatus, Device, IfFlags};
 
-// cargo run --release --bin sniffer -- --interface auto --port 443 --path target/test.pcap
+use p2p::identity::SecretKey;
+
+// cargo run --release --bin sniffer -- --interface auto --path target/test.pcap
 
 #[derive(Parser)]
 struct Cli {
@@ -12,14 +14,26 @@ struct Cli {
         help = "name of the interface, use `auto` to determine automatically"
     )]
     interface: Option<String>,
-    #[arg(long, help = "filter by the port")]
-    port: u16,
     #[arg(
         long,
         help = "if `interface` is set, the packets will be written to the `pcap` file, \
                 otherwise the file will be a source of packets"
     )]
     path: PathBuf,
+
+    /// Peer secret key
+    #[arg(long, short = 's', env = "OPENMINA_P2P_SEC_KEY")]
+    pub p2p_secret_key: Option<SecretKey>,
+
+    // warning, this overrides `OPENMINA_P2P_SEC_KEY`
+    /// Compatibility with OCaml Mina node
+    #[arg(long)]
+    pub libp2p_keypair: Option<String>,
+
+    // warning, this overrides `OPENMINA_P2P_SEC_KEY`
+    /// Compatibility with OCaml Mina node
+    #[arg(env = "MINA_LIBP2P_PASS")]
+    pub libp2p_password: Option<String>,
 }
 
 fn init_logger_std() -> Box<dyn log::Log> {
@@ -36,9 +50,30 @@ fn main() {
 
     let Cli {
         interface,
-        port,
         path,
+        p2p_secret_key,
+        libp2p_keypair,
+        libp2p_password,
     } = Cli::parse();
+
+    let secret_key = if let Some(v) = p2p_secret_key {
+        v
+    } else {
+        let (Some(libp2p_keypair), Some(libp2p_password)) = (libp2p_keypair, libp2p_password)
+        else {
+            log::error!("no secret key specified");
+            return;
+        };
+
+        match SecretKey::from_encrypted_file(libp2p_keypair, &libp2p_password) {
+            Ok(v) => v,
+            Err(err) => {
+                log::error!("cannot read secret key {err}");
+                return;
+            }
+        }
+    };
+
     if let Some(name) = interface {
         sudo::escalate_if_needed().unwrap();
 
@@ -70,13 +105,12 @@ fn main() {
             log::info!("will use: {device:?}");
             let res = Ok(()).and_then(|()| {
                 let mut capture = Capture::from_device(device)?.open()?;
-                let filter = format!("udp port {port}");
                 capture
-                    .filter(&filter, true)
+                    .filter("udp and not port 443", true)
                     .expect("Failed to apply filter");
                 let savefile = capture.savefile(&path)?;
 
-                webrtc_sniffer::run(capture, Some(savefile))
+                webrtc_sniffer::run(capture, Some(savefile), secret_key)
             });
             if let Err(err) = res {
                 log::error!("{err}");
@@ -88,7 +122,7 @@ fn main() {
         log::info!("use file");
         let res = Ok(()).and_then(|()| {
             let capture = Capture::from_file(&path)?;
-            webrtc_sniffer::run(capture, None)
+            webrtc_sniffer::run(capture, None, secret_key)
         });
         if let Err(err) = res {
             log::error!("{err}");
diff --git a/tools/webrtc-sniffer/src/lib.rs b/tools/webrtc-sniffer/src/lib.rs
@@ -1,11 +1,16 @@
 mod net;
 
+use p2p::identity::SecretKey;
+
 use pcap::{Activated, Capture, Savefile};
 
 pub fn run<T: Activated + ?Sized>(
     capture: Capture<T>,
     file: Option<Savefile>,
+    secret_key: SecretKey,
 ) -> Result<(), net::DissectError> {
+    let _ = secret_key;
+
     for item in net::UdpIter::new(capture, file) {
         let (src, dst, data) = item?;
         log::info!(
@@ -17,3 +22,39 @@ pub fn run<T: Activated + ?Sized>(
 
     Ok(())
 }
+
+pub fn handle(packet: pcap::Packet) {
+    use std::net::{IpAddr, SocketAddr};
+
+    use etherparse::{NetSlice, SlicedPacket, TransportSlice};
+
+    let eth = SlicedPacket::from_ethernet(packet.data).unwrap();
+    if let (Some(net), Some(transport)) = (eth.net, eth.transport) {
+        let (src_ip, dst_ip) = match net {
+            NetSlice::Ipv4(ip) => (
+                IpAddr::V4(ip.header().source().into()),
+                IpAddr::V4(ip.header().destination().into()),
+            ),
+            NetSlice::Ipv6(ip) => (
+                IpAddr::V6(ip.header().source().into()),
+                IpAddr::V6(ip.header().destination().into()),
+            ),
+            NetSlice::Arp(_) => return,
+        };
+        let (src_port, dst_port, slice) = match transport {
+            TransportSlice::Udp(udp) => (udp.source_port(), udp.destination_port(), udp.payload()),
+            _ => return,
+        };
+
+        let (src, dst, data) = (
+            SocketAddr::new(src_ip, src_port),
+            SocketAddr::new(dst_ip, dst_port),
+            slice,
+        );
+        log::info!(
+            "{src} -> {dst}: {} {}",
+            data.len(),
+            hex::encode(&data[..data.len().min(12)])
+        );
+    }
+}
diff --git a/tools/webrtc-sniffer/src/net.rs b/tools/webrtc-sniffer/src/net.rs
@@ -28,11 +28,18 @@ impl<S: Activated + ?Sized> Iterator for UdpIter<S> {
     type Item = Result<(SocketAddr, SocketAddr, Box<[u8]>), DissectError>;
 
     fn next(&mut self) -> Option<Self::Item> {
-        self.inner
-            .next()?
-            .map_err(DissectError::Cap)
-            .and_then(|x| x)
-            .transpose()
+        loop {
+            match self
+                .inner
+                .next()?
+                .map_err(DissectError::Cap)
+                .and_then(|x| x)
+                .transpose()
+            {
+                Some(v) => break Some(v),
+                None => continue,
+            }
+        }
     }
 }
 
