hub / github.com/dreadl0ck/netcap / ProcessPacket

Method ProcessPacket

injection/engine.go:138–225

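ProcessPacket evaluates all rules against a packet and returns actions to perform. The listing below stops at line 195 of the method's 138–225 range, so the end of the loop and the return path are not shown. In the visible part, rules that are disabled, not compiled, or whose type fails to parse are skipped silently, as are rules for which no audit record can be created. Expression-evaluation and action-execution failures only increment the error counter, and action errors are printed only when Verbose is set, so none of these failures reaches the caller as a returned error in the code shown.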

(pkt gopacket.Packet, iface string)


136
137// ProcessPacket evaluates all rules against a packet and returns actions to perform.
138func (e *Engine) ProcessPacket(pkt gopacket.Packet, iface string) ([]*ActionResult, error) {
139 e.mu.RLock()
140 defer e.mu.RUnlock()
141
142 // Update stats (atomic - no lock needed)
143 e.stats.PacketsProcessed.Add(1)
144
145 // Create injection context
146 ctx := NewInjectionContext(pkt, iface)
147
148 var results []*ActionResult
149
150 // Evaluate each rule
151 for _, rule := range e.config.Rules {
152 if !rule.Enabled || !rule.IsCompiled() {
153 continue
154 }
155
156 // Determine record type for this rule
157 recordType, err := parseRecordType(rule.Type)
158 if err != nil {
159 continue // Skip rules with invalid types
160 }
161
162 // Create audit record for expression evaluation
163 record := e.createAuditRecord(ctx, recordType)
164 if record == nil {
165 continue
166 }
167
168 // Evaluate expression
169 match, err := filter.EvaluateExpression(rule.GetCompiled(), record)
170 if err != nil {
171 e.stats.Errors.Add(1)
172 continue
173 }
174
175 if !match {
176 continue
177 }
178
179 // Rule matched (atomic for counter, mutex for map)
180 e.stats.PacketsMatched.Add(1)
181 e.stats.mu.Lock()
182 e.stats.RuleMatches[rule.Name]++
183 e.stats.mu.Unlock()
184
185 ctx.MatchedRules = append(ctx.MatchedRules, rule.Name)
186
187 // Execute action
188 result, err := e.executeAction(ctx, rule)
189 if err != nil {
190 e.stats.Errors.Add(1)
191
192 if e.eConfig.Verbose {
193 fmt.Printf("Error executing action for rule %s: %v\n", rule.Name, err)
194 }
195 continue

Callers 1

handlePacketMethod · 0.80

Calls 8

createAuditRecordMethod · 0.95
executeActionMethod · 0.95
logActionMethod · 0.95
EvaluateExpressionFunction · 0.92
NewInjectionContextFunction · 0.85
IsCompiledMethod · 0.80
GetCompiledMethod · 0.80
parseRecordTypeFunction · 0.70

Tested by

no test coverage detected