void
ip_demux(const struct timeval& t, WifipcapCallbacks *cbs, ip4_hdr_t *hdr, struct ip_print_demux_state *ipds, int len)
{
//struct protoent *proto;
//again:
switch (ipds->nh) {
case IPPROTO_TCP:
/* pass on the MF bit plus the offset to detect fragments */
handle_tcp(t, cbs, ipds->cp, ipds->len, hdr, NULL,
ipds->off & (IP_MF|IP_OFFMASK));
break;
case IPPROTO_UDP:
/* pass on the MF bit plus the offset to detect fragments */
handle_udp(t, cbs, ipds->cp, ipds->len, hdr, NULL,
ipds->off & (IP_MF|IP_OFFMASK));
break;
case IPPROTO_ICMP:
/* pass on the MF bit plus the offset to detect fragments */
handle_icmp(t, cbs, ipds->cp, ipds->len, hdr, NULL,
ipds->off & (IP_MF|IP_OFFMASK));
break;
case IPPROTO_IPV4:
/* DVMRP multicast tunnel (ip-in-ip encapsulation) */
//handle_ip(t, cbs, ipds->cp, ipds->len);
//break;
case IPPROTO_IPV6:
/* ip6-in-ip encapsulation */
//handle_ip6(t, cbs, ipds->cp, ipds->len);
//break;
///// Jeff: XXX Some day handle these maybe (see tcpdump code)
case IPPROTO_AH:
/*
ipds->nh = *ipds->cp;
ipds->advance = ah_print(ipds->cp);
if (ipds->advance <= 0)
break;
ipds->cp += ipds->advance;
ipds->len -= ipds->advance;
goto again;
*/
case IPPROTO_ESP:
{
/*
int enh, padlen;
ipds->advance = esp_print(ndo, ipds->cp, ipds->len,
(const u_char *)ipds->ip,
&enh, &padlen);
if (ipds->advance <= 0)
break;
ipds->cp += ipds->advance;
ipds->len -= ipds->advance + padlen;
ipds->nh = enh & 0xff;
goto again;
*/
}
case IPPROTO_IPCOMP:
{
/*
int enh;
ipds->advance = ipcomp_print(ipds->cp, &enh);
if (ipds->advance <= 0)
break;
ipds->cp += ipds->advance;
ipds->len -= ipds->advance;
ipds->nh = enh & 0xff;
goto again;
*/
}
case IPPROTO_SCTP:
/*
sctp_print(ipds->cp, (const u_char *)ipds->ip, ipds->len);
break;
*/
case IPPROTO_DCCP:
/*
dccp_print(ipds->cp, (const u_char *)ipds->ip, ipds->len);
break;
*/
case IPPROTO_PIGP:
/*
* XXX - the current IANA protocol number assignments
* page lists 9 as "any private interior gateway
* (used by Cisco for their IGRP)" and 88 as
* "EIGRP" from Cisco.
*
* Recent BSD <netinet/in.h> headers define
* IP_PROTO_PIGP as 9 and IP_PROTO_IGRP as 88.
* We define IP_PROTO_PIGP as 9 and
* IP_PROTO_EIGRP as 88; those names better
* match was the current protocol number
* assignments say.
*/
/*
igrp_print(ipds->cp, ipds->len, (const u_char *)ipds->ip);
break;
*/
case IPPROTO_EIGRP:
/*
eigrp_print(ipds->cp, ipds->len);
break;
*/
case IPPROTO_ND:
/*
ND_PRINT((ndo, " nd %d", ipds->len));
break;
*/
case IPPROTO_EGP:
/*
egp_print(ipds->cp, ipds->len);
break;
*/
case IPPROTO_OSPF:
/*
ospf_print(ipds->cp, ipds->len, (const u_char *)ipds->ip);
break;
*/
case IPPROTO_IGMP:
/*
igmp_print(ipds->cp, ipds->len);
break;
*/
case IPPROTO_RSVP:
/*
rsvp_print(ipds->cp, ipds->len);
break;
*/
case IPPROTO_GRE:
/* do it */
/*
gre_print(ipds->cp, ipds->len);
break;
*/
case IPPROTO_MOBILE:
/*
mobile_print(ipds->cp, ipds->len);
break;
*/
case IPPROTO_PIM:
/*
pim_print(ipds->cp, ipds->len);
break;
*/
case IPPROTO_VRRP:
/*
vrrp_print(ipds->cp, ipds->len, ipds->ip->ip_ttl);
break;
*/
case IPPROTO_PGM:
/*
pgm_print(ipds->cp, ipds->len, (const u_char *)ipds->ip);
break;
*/
default:
/*
if ((proto = getprotobynumber(ipds->nh)) != NULL)
ND_PRINT((ndo, " %s", proto->p_name));
else
ND_PRINT((ndo, " ip-proto-%d", ipds->nh));
ND_PRINT((ndo, " %d", ipds->len));
*/
cbs->HandleL3Unknown(t, hdr, NULL, ipds->cp, ipds->len);
break;
}
}
void handle_ip(const struct arguments *args,
const uint8_t *pkt, const size_t length,
const int epoll_fd,
int sessions, int maxsessions) {
uint8_t protocol;
void *saddr;
void *daddr;
char source[INET6_ADDRSTRLEN + 1];
char dest[INET6_ADDRSTRLEN + 1];
char flags[10];
int flen = 0;
uint8_t *payload;
// Get protocol, addresses & payload
uint8_t version = (*pkt) >> 4;
if (version == 4) {
if (length < sizeof(struct iphdr)) {
log_android(ANDROID_LOG_WARN, "IP4 packet too short length %d", length);
return;
}
struct iphdr *ip4hdr = (struct iphdr *) pkt;
protocol = ip4hdr->protocol;
saddr = &ip4hdr->saddr;
daddr = &ip4hdr->daddr;
if (ip4hdr->frag_off & IP_MF) {
log_android(ANDROID_LOG_ERROR, "IP fragment offset %u",
(ip4hdr->frag_off & IP_OFFMASK) * 8);
return;
}
uint8_t ipoptlen = (uint8_t) ((ip4hdr->ihl - 5) * 4);
payload = (uint8_t *) (pkt + sizeof(struct iphdr) + ipoptlen);
if (ntohs(ip4hdr->tot_len) != length) {
log_android(ANDROID_LOG_ERROR, "Invalid length %u header length %u",
length, ntohs(ip4hdr->tot_len));
return;
}
if (loglevel < ANDROID_LOG_WARN) {
if (!calc_checksum(0, (uint8_t *) ip4hdr, sizeof(struct iphdr))) {
log_android(ANDROID_LOG_ERROR, "Invalid IP checksum");
return;
}
}
}
else if (version == 6) {
if (length < sizeof(struct ip6_hdr)) {
log_android(ANDROID_LOG_WARN, "IP6 packet too short length %d", length);
return;
}
struct ip6_hdr *ip6hdr = (struct ip6_hdr *) pkt;
// Skip extension headers
uint16_t off = 0;
protocol = ip6hdr->ip6_nxt;
if (!is_upper_layer(protocol)) {
log_android(ANDROID_LOG_WARN, "IP6 extension %d", protocol);
off = sizeof(struct ip6_hdr);
struct ip6_ext *ext = (struct ip6_ext *) (pkt + off);
while (is_lower_layer(ext->ip6e_nxt) && !is_upper_layer(protocol)) {
protocol = ext->ip6e_nxt;
log_android(ANDROID_LOG_WARN, "IP6 extension %d", protocol);
off += (8 + ext->ip6e_len);
ext = (struct ip6_ext *) (pkt + off);
}
if (!is_upper_layer(protocol)) {
off = 0;
protocol = ip6hdr->ip6_nxt;
log_android(ANDROID_LOG_WARN, "IP6 final extension %d", protocol);
}
}
saddr = &ip6hdr->ip6_src;
daddr = &ip6hdr->ip6_dst;
payload = (uint8_t *) (pkt + sizeof(struct ip6_hdr) + off);
// TODO checksum
}
else {
log_android(ANDROID_LOG_ERROR, "Unknown version %d", version);
return;
}
inet_ntop(version == 4 ? AF_INET : AF_INET6, saddr, source, sizeof(source));
inet_ntop(version == 4 ? AF_INET : AF_INET6, daddr, dest, sizeof(dest));
// Get ports & flags
int syn = 0;
uint16_t sport = 0;
uint16_t dport = 0;
if (protocol == IPPROTO_ICMP || protocol == IPPROTO_ICMPV6) {
if (length - (payload - pkt) < sizeof(struct icmp)) {
log_android(ANDROID_LOG_WARN, "ICMP packet too short");
return;
}
struct icmp *icmp = (struct icmp *) payload;
// http://lwn.net/Articles/443051/
sport = ntohs(icmp->icmp_id);
dport = ntohs(icmp->icmp_id);
} else if (protocol == IPPROTO_UDP) {
if (length - (payload - pkt) < sizeof(struct udphdr)) {
log_android(ANDROID_LOG_WARN, "UDP packet too short");
return;
}
struct udphdr *udp = (struct udphdr *) payload;
sport = ntohs(udp->source);
dport = ntohs(udp->dest);
// TODO checksum (IPv6)
}
else if (protocol == IPPROTO_TCP) {
if (length - (payload - pkt) < sizeof(struct tcphdr)) {
log_android(ANDROID_LOG_WARN, "TCP packet too short");
return;
}
struct tcphdr *tcp = (struct tcphdr *) payload;
sport = ntohs(tcp->source);
dport = ntohs(tcp->dest);
if (tcp->syn) {
syn = 1;
flags[flen++] = 'S';
}
if (tcp->ack)
flags[flen++] = 'A';
if (tcp->psh)
flags[flen++] = 'P';
if (tcp->fin)
flags[flen++] = 'F';
if (tcp->rst)
flags[flen++] = 'R';
// TODO checksum
}
else if (protocol != IPPROTO_HOPOPTS && protocol != IPPROTO_IGMP && protocol != IPPROTO_ESP)
report_error(args, 1, "Unknown protocol %d", protocol);
flags[flen] = 0;
// Limit number of sessions
if (sessions >= maxsessions) {
if ((protocol == IPPROTO_ICMP || protocol == IPPROTO_ICMPV6) ||
(protocol == IPPROTO_UDP && !has_udp_session(args, pkt, payload)) ||
(protocol == IPPROTO_TCP && syn)) {
log_android(ANDROID_LOG_ERROR,
"%d of max %d sessions, dropping version %d protocol %d",
sessions, maxsessions, protocol, version);
return;
}
}
// Get uid
jint uid = -1;
if (protocol == IPPROTO_ICMP || protocol == IPPROTO_ICMPV6 ||
(protocol == IPPROTO_UDP && !has_udp_session(args, pkt, payload)) ||
(protocol == IPPROTO_TCP && syn))
uid = get_uid_retry(version, protocol, saddr, sport);
log_android(ANDROID_LOG_DEBUG,
"Packet v%d %s/%u > %s/%u proto %d flags %s uid %d",
version, source, sport, dest, dport, protocol, flags, uid);
// Check if allowed
int allowed = 0;
struct allowed *redirect = NULL;
if (protocol == IPPROTO_UDP && has_udp_session(args, pkt, payload))
allowed = 1; // could be a lingering/blocked session
else if (protocol == IPPROTO_TCP && !syn)
allowed = 1; // assume existing session
else {
jobject objPacket = create_packet(
args, version, protocol, flags, source, sport, dest, dport, "", uid, 0);
redirect = is_address_allowed(args, objPacket);
allowed = (redirect != NULL);
if (redirect != NULL && (*redirect->raddr == 0 || redirect->rport == 0))
redirect = NULL;
}
// Handle allowed traffic
if (allowed) {
if (protocol == IPPROTO_ICMP || protocol == IPPROTO_ICMPV6)
handle_icmp(args, pkt, length, payload, uid, epoll_fd);
else if (protocol == IPPROTO_UDP)
handle_udp(args, pkt, length, payload, uid, redirect, epoll_fd);
else if (protocol == IPPROTO_TCP)
handle_tcp(args, pkt, length, payload, uid, redirect, epoll_fd);
}
else {
if (protocol == IPPROTO_UDP)
block_udp(args, pkt, length, payload, uid);
log_android(ANDROID_LOG_WARN, "Address v%d p%d %s/%u syn %d not allowed",
version, protocol, dest, dport, syn);
}
}
/***************************************************************************
*
* Asynchronous receive thread
*
* The transmit and receive threads run independently of each other. There
* is no record what was transmitted. Instead, the transmit thread sets a
* "SYN-cookie" in transmitted packets, which the receive thread will then
* use to match up requests with responses.
***************************************************************************/
static void
receive_thread(void *v)
{
struct ThreadPair *parms = (struct ThreadPair *)v;
const struct Masscan *masscan = parms->masscan;
struct Output *out;
struct DedupTable *dedup;
struct PcapFile *pcapfile = NULL;
struct TCP_ConnectionTable *tcpcon = 0;
LOG(1, "recv: start receive thread #%u\n", parms->nic_index);
/* Lock this thread to a CPU. Transmit threads are on even CPUs,
* receive threads on odd CPUs */
if (pixie_cpu_get_count() > 1) {
unsigned cpu_count = pixie_cpu_get_count();
unsigned cpu = parms->nic_index * 2 + 1;
while (cpu >= cpu_count) {
cpu -= cpu_count;
cpu++;
}
pixie_cpu_set_affinity(cpu);
}
/*
* If configured, open a --pcap file for saving raw packets. This is
* so that we can debug scans, but also so that we can look at the
* strange things people send us. Note that we don't record transmitted
* packets, just the packets we've received.
*/
/*if (masscan->pcap_filename[0])
pcapfile = pcapfile_openwrite(masscan->pcap_filename, 1);*/
/*
* Open output. This is where results are reported when saving
* the --output-format to the --output-filename
*/
out = output_create(masscan);
/*
* Create deduplication table. This is so when somebody sends us
* multiple responses, we only record the first one.
*/
dedup = dedup_create();
/*
* Create a TCP connection table for interacting with live
* connections when doing --banners
*/
if (masscan->is_banners) {
tcpcon = tcpcon_create_table(
(size_t)((masscan->max_rate/5) / masscan->nic_count),
parms->transmit_queue,
parms->packet_buffers,
&parms->tmplset->pkts[Proto_TCP],
output_report_banner,
out,
masscan->tcb.timeout
);
}
if (masscan->is_offline) {
while (!control_c_pressed_again)
pixie_usleep(10000);
parms->done_receiving = 1;
return;
}
/*
* Receive packets. This is where we catch any responses and print
* them to the terminal.
*/
LOG(1, "begin receive thread\n");
while (!control_c_pressed_again) {
int status;
unsigned length;
unsigned secs;
unsigned usecs;
const unsigned char *px;
int err;
unsigned x;
struct PreprocessedInfo parsed;
unsigned ip_me;
unsigned ip_them;
unsigned seqno_them;
unsigned seqno_me;
/*
* RECIEVE
*
* This is the boring part of actually receiving a packet
*/
err = rawsock_recv_packet(
parms->adapter,
&length,
&secs,
&usecs,
&px);
if (err != 0)
continue;
/*
* Do any TCP event timeouts based on the current timestamp from
* the packet. For example, if the connection has been open for
* around 10 seconds, we'll close the connection. (--banners)
*/
if (tcpcon) {
tcpcon_timeouts(tcpcon, secs, usecs);
}
if (length > 1514)
continue;
/*
* "Preprocess" the response packet. This means to go through and
* figure out where the TCP/IP headers are and the locations of
* some fields, like IP address and port numbers.
*/
x = preprocess_frame(px, length, 1, &parsed);
if (!x)
continue; /* corrupt packet */
ip_me = parsed.ip_dst[0]<<24 | parsed.ip_dst[1]<<16
| parsed.ip_dst[2]<< 8 | parsed.ip_dst[3]<<0;
ip_them = parsed.ip_src[0]<<24 | parsed.ip_src[1]<<16
| parsed.ip_src[2]<< 8 | parsed.ip_src[3]<<0;
seqno_them = TCP_SEQNO(px, parsed.transport_offset);
seqno_me = TCP_ACKNO(px, parsed.transport_offset);
/* verify: my IP address */
if (parms->adapter_ip != ip_me)
continue;
/*
* Handle non-TCP protocols
*/
switch (parsed.found) {
case FOUND_ARP:
/* OOPS: handle arp instead. Since we may completely bypass the TCP/IP
* stack, we may have to handle ARPs ourself, or the router will
* lose track of us. */
LOGip(2, ip_them, 0, "-> ARP [%u] \n", px[parsed.found_offset]);
arp_response( parms->adapter_ip,
parms->adapter_mac,
px, length,
parms->packet_buffers,
parms->transmit_queue);
continue;
case FOUND_UDP:
case FOUND_DNS:
if (!is_my_port(masscan, parsed.port_dst))
continue;
handle_udp(out, px, length, &parsed);
continue;
case FOUND_ICMP:
handle_icmp(out, px, length, &parsed);
continue;
case FOUND_TCP:
/* fall down to below */
break;
default:
continue;
}
/* verify: my port number */
if (parms->adapter_port != parsed.port_dst)
continue;
/* Save raw packet in --pcap file */
if (pcapfile) {
pcapfile_writeframe(
pcapfile,
px,
length,
length,
secs,
usecs);
}
{
char buf[64];
LOGip(5, ip_them, parsed.port_src, "-> TCP ackno=0x%08x flags=0x%02x(%s)\n",
seqno_me,
TCP_FLAGS(px, parsed.transport_offset),
reason_string(TCP_FLAGS(px, parsed.transport_offset), buf, sizeof(buf)));
}
/* If recording --banners, create a new "TCP Control Block (TCB)" */
if (tcpcon) {
struct TCP_Control_Block *tcb;
/* does a TCB already exist for this connection? */
tcb = tcpcon_lookup_tcb(tcpcon,
ip_me, ip_them,
parsed.port_dst, parsed.port_src);
if (TCP_IS_SYNACK(px, parsed.transport_offset)) {
if (syn_hash(ip_them, parsed.port_src) != seqno_me - 1) {
LOG(2, "%u.%u.%u.%u - bad cookie: ackno=0x%08x expected=0x%08x\n",
(ip_them>>24)&0xff, (ip_them>>16)&0xff, (ip_them>>8)&0xff, (ip_them>>0)&0xff,
seqno_me-1, syn_hash(ip_them, parsed.port_src));
continue;
}
if (tcb == NULL) {
tcb = tcpcon_create_tcb(tcpcon,
ip_me, ip_them,
parsed.port_dst,
parsed.port_src,
seqno_me, seqno_them+1);
}
tcpcon_handle(tcpcon, tcb, TCP_WHAT_SYNACK,
0, 0, secs, usecs, seqno_them+1);
} else if (tcb) {
/* If this is an ACK, then handle that first */
if (TCP_IS_ACK(px, parsed.transport_offset)) {
tcpcon_handle(tcpcon, tcb, TCP_WHAT_ACK,
0, seqno_me, secs, usecs, seqno_them);
}
/* If this contains payload, handle that */
if (parsed.app_length) {
tcpcon_handle(tcpcon, tcb, TCP_WHAT_DATA,
px + parsed.app_offset, parsed.app_length,
secs, usecs, seqno_them);
}
/* If this is a FIN, handle that. Note that ACK +
* payload + FIN can come together */
if (TCP_IS_FIN(px, parsed.transport_offset)
&& !TCP_IS_RST(px, parsed.transport_offset)) {
tcpcon_handle(tcpcon, tcb, TCP_WHAT_FIN,
0, 0, secs, usecs, seqno_them);
}
/* If this is a RST, then we'll be closing the connection */
if (TCP_IS_RST(px, parsed.transport_offset)) {
tcpcon_handle(tcpcon, tcb, TCP_WHAT_RST,
0, 0, secs, usecs, seqno_them);
}
} else if (TCP_IS_FIN(px, parsed.transport_offset)) {
/*
* NO TCB!
* This happens when we've sent a FIN, deleted our connection,
* but the other side didn't get the packet.
*/
if (!TCP_IS_RST(px, parsed.transport_offset))
tcpcon_send_FIN(
tcpcon,
ip_me, ip_them,
parsed.port_dst, parsed.port_src,
seqno_them, seqno_me);
}
}
