static void decode_packet(unsigned char *buf, int len)
{
struct ether_header *eh = (void *) buf;
char src[18], dst[18];
uint16_t type;
snprintf(dst, sizeof(dst), "%02x:%02x:%02x:%02x:%02x:%02x",
eh->ether_dhost[0], eh->ether_dhost[1],
eh->ether_dhost[2], eh->ether_dhost[3],
eh->ether_dhost[4], eh->ether_dhost[5]);
snprintf(src, sizeof(src), "%02x:%02x:%02x:%02x:%02x:%02x",
eh->ether_shost[0], eh->ether_shost[1],
eh->ether_shost[2], eh->ether_shost[3],
eh->ether_shost[4], eh->ether_shost[5]);
type = ntohs(eh->ether_type);
printf("> type 0x%04x src %s dst %s <\n", type, src, dst);
switch (type) {
case ETHERTYPE_IP:
decode_ip(buf + 14, len - 14);
break;
case ETHERTYPE_LOOPBACK:
dump_packet(buf, len);
break;
}
}
// 包处理回调函数,对于每个嗅探到的数据包
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
ip_header *ih;
u_int ip_len;
// 返回IP首部的位置
ih = (ip_header *) (pkt_data +
14); //以太网的首部长度是14
// IP首部长度
ip_len = (ih->ver_ihl & 0xf) * 4;
printf("%s ",check_protocol(ih->proto));
// 输出源地址IP和目的地址IP
printf("%d.%d.%d.%d -> %d.%d.%d.%d ",
ih->saddr.byte1,
ih->saddr.byte2,
ih->saddr.byte3,
ih->saddr.byte4,
ih->daddr.byte1,
ih->daddr.byte2,
ih->daddr.byte3,
ih->daddr.byte4
);
decode_ip((char*)(pkt_data+14+ip_len),ih->proto);
printf("\n");
}
static void m_nick( char *origin, char **argv, int argc, int srv )
{
if( !srv )
{
if( ircd_srv.protocol & PROTOCOL_NICKv2 )
{
if( ircd_srv.protocol & PROTOCOL_NICKIP )
{
char ip[25];
ircsnprintf( ip, 25, "%d", ntohl( decode_ip( argv[9] ) ) );
do_nick( argv[0], argv[1], argv[2], argv[3], argv[4], argv[5],
ip, argv[6], argv[7], argv[8], argv[10], NULL, NULL );
}
else
{
do_nick( argv[0], argv[1], argv[2], argv[3], argv[4], argv[5],
NULL, argv[6], argv[7], argv[8], argv[9], NULL, NULL );
}
}
else
{
do_nick( argv[0], argv[1], argv[2], argv[3], argv[4], argv[5],
NULL, argv[6], NULL, NULL, argv[9], NULL, NULL );
}
}
else
{
do_nickchange( origin, argv[0], NULL );
}
}
static void decode_icmp(const uint8_t *packet, size_t pk_len, int pk_layer) {
union {
const struct myicmphdr *i;
const uint8_t *d;
} ic_u; /* ;] */
uint8_t type=0, code=0;
uint16_t chksum=0;
ic_u.d=packet;
if (pk_len < 4) {
ERR("short icmp header");
return;
}
type=ic_u.i->type;
code=ic_u.i->code;
chksum=ntohs(ic_u.i->checksum);
if (ISDBG(M_PKT) || GET_SNIFF()) {
INF("ICMP: type %u code %u chksum %04x%s", type, code, chksum, "[?]");
}
if (type == 3 || type == 5 || type == 11) {
/*
* dest unreachable, the packet that generated this error should be after the icmpheader
* redirect message, same as with unreachable
* time exceeded, same as with above
*/
if (pk_len > sizeof(struct myicmphdr)) { /* there _could_ be data there, try to process it */
const uint8_t *newpacket=NULL;
size_t newpk_len=0;
newpacket=packet + sizeof(struct myicmphdr);
newpk_len=pk_len - sizeof(struct myicmphdr);
decode_ip(newpacket, newpk_len, (pk_layer + 1));
}
}
else if (type == 0 || type == 8) {
/* pings ignore */
DBG(M_PKT, "Ignoring ping request or response");
}
if (pk_layer == 2) {
r_u.i.type=type;
r_u.i.subtype=code;
report_push();
}
return;
}
void caught_packet(u_char *user_args, const struct pcap_pkthdr *cap_header, const u_char *packet) {
int tcp_header_length, total_header_size, pkt_data_len;
u_char *pkt_data;
int total_header_size2;
//structs of the packet (different protocol headers)
struct ether_header *ETHERheader;
struct ip *IPheader;
struct tcphdr *TCPheader;
//copy of the packet
char * packet_copy;
packet_copy = malloc(cap_header->len);
if (packet_copy <= 0 )
exit(-1);
memcpy(packet_copy,packet,cap_header->len);
printf("==== Got a %d byte packet ====\n", cap_header->len);
decode_ethernet(packet,ETHERheader,packet_copy);
decode_ip(packet+ETHER_HDR_LEN,IPheader,packet_copy+ETHER_HDR_LEN);
tcp_header_length = decode_tcp(packet+ETHER_HDR_LEN+sizeof(struct ip_hdr),TCPheader, packet_copy+ETHER_HDR_LEN+sizeof(struct ip));
total_header_size = ETHER_HDR_LEN+sizeof(struct ip_hdr)+tcp_header_length;
total_header_size2 = ETHER_HDR_LEN+sizeof(struct ip)+tcp_header_length;
printf("total_header_size:%d \n total_header_size2:%d \n",total_header_size,total_header_size2);
pkt_data = (u_char *)packet + total_header_size; // pkt_data points to the data portion
pkt_data_len = cap_header->len - total_header_size;
if(pkt_data_len > 0) {
printf("\t\t\t%u bytes of packet data\n", pkt_data_len);
//dump(pkt_data, pkt_data_len);
dump(packet, cap_header->len);
} else {
printf("\t\t\tNo Packet Data\n");
dump(packet, cap_header->len);
}
printf("before ipspoof3\n");
//ipspoof3( inet_ntoa(IPheader->ip_src), inet_ntoa(IPheader->ip_dst), "0022433967e9",ETHERheader,IPheader,TCPheader,(u_char *)packet_copy + total_header_size, pkt_data_len);
ipspoof4( "", "192.168.1.13", "701a04d83403", (char *)packet, cap_header->len);
printf(" after ipspoof3 \n");
free(packet_copy);
}
void parse_packet(uint8_t *notused, const struct pcap_pkthdr *phdr, const uint8_t *packet) {
size_t pk_len=0;
int pk_layer=0;
extern pcap_dumper_t *pdump;
if (packet == NULL || phdr == NULL) {
ERR("%s is null", packet == NULL ? "packet" : "pcap header");
return;
}
/* when you forget to put this here, it makes for really dull pcap log files */
if (s->pcap_dumpfile) {
pcap_dump((uint8_t *)pdump, phdr, packet);
}
pk_len=phdr->caplen;
if (pk_len <= s->ss->header_len) {
ERR("this packet is too short " STFMT ", header length is %u", pk_len, s->ss->header_len);
return;
}
if (ISDBG(M_PKT) || GET_SNIFF()) {
INF("got packet with length %u (cap %u) with header length at %u", phdr->len, phdr->caplen, s->ss->header_len);
}
pk_len -= s->ss->header_len;
packet += s->ss->header_len;
pk_layer++;
switch (s->ss->mode) {
case MODE_ARPSCAN:
report_init(REPORT_TYPE_ARP, &phdr->ts);
packet_init(packet, pk_len);
decode_arp(packet, pk_len, pk_layer); /* the pcap filter should be arp only */
break;
case MODE_TCPSCAN:
case MODE_UDPSCAN:
case MODE_ICMPSCAN:
case MODE_IPSCAN:
report_init(REPORT_TYPE_IP, &phdr->ts);
packet_init(packet, pk_len);
decode_ip(packet, pk_len, pk_layer); /* the pcap filter should be ip only */
break;
}
return;
}
static void slice_icmp(const uint8_t *packet, size_t pk_len, packetlayers_t *plz, int pk_layer) {
union {
const struct myicmphdr *i;
const uint8_t *d;
} ic_u; /* ;] */
uint8_t type=0, code=0;
uint16_t chksum=0;
assert(plz != NULL);
assert(packet != NULL);
ic_u.d=packet;
if (pk_len < 4) {
return;
}
type=ic_u.i->type;
code=ic_u.i->code;
chksum=ntohs(ic_u.i->checksum);
if (type == 3 || type == 5 || type == 11) {
/* dest unreachable, the packet that generated this error should be after the icmpheader */
/* redirect message, same as with unreachable */
/* time exceeded, same as with above */
if (pk_len > sizeof(struct myicmphdr)) { /* there _could_ be data there, try to process it */
const uint8_t *newpacket=NULL;
size_t newpk_len=0;
newpacket=packet + sizeof(struct myicmphdr);
newpk_len=pk_len - sizeof(struct myicmphdr);
decode_ip(newpacket, newpk_len, (pk_layer + 1));
}
}
else if (type == 0 || type == 8) {
/* pings ignore */
}
if (pk_layer == 2) {
r_u.i.type=type;
r_u.i.subtype=code;
report_push();
}
return;
}
static inline int
bind_dlt_raw(int proto, const unsigned char *pkt, unsigned len,
Packet *packet)
{
int ret = -1;
switch (proto) {
case DLT_RAW_IP4:
ret = decode_ip(pkt, len, packet);
break;
case DLT_RAW_IP6:
ret = decode_ip6(pkt, len, packet);
break;
}
return ret;
}
static int cmd_syslog(const char *args[])
{
char b1[32], b2[32];
if (args[0] && !strcmp(args[0], "off")) {
syslog_addr.daddr = 0;
return 0;
}
if (!args[1]) {
pp_printf("use: syslog <ipaddr> <macaddr> (or just \"off\"\n");
return -1;
}
decode_ip(args[0], (void *)&syslog_addr.daddr);
decode_mac(args[1], syslog_mac);
pp_printf("Syslog parameters: %s, %s\n",
format_ip(b1, (void *)&syslog_addr.daddr),
format_mac(b2, syslog_mac));
tics = 0; /* send the first frame immediately to the new host */
return 0;
}
void caught_packet(u_char *user_args, const struct pcap_pkthdr *cap_header, const u_char *packet) {
int tcp_header_length, total_header_size, pkt_data_len;
u_char *pkt_data;
printf("==== %d バイトのパケットを取得しました ====\n", cap_header->len);
decode_ethernet(packet);
decode_ip(packet+ETHER_HDR_LEN);
tcp_header_length = decode_tcp(packet+ETHER_HDR_LEN+sizeof(struct ip_hdr));
total_header_size = ETHER_HDR_LEN+sizeof(struct ip_hdr)+tcp_header_length;
pkt_data = (u_char *)packet + total_header_size; // pkt_dataはデータ部分を指す
pkt_data_len = cap_header->len - total_header_size;
if(pkt_data_len > 0) {
printf("\t\t\t%u バイトのパケットデータ\n", pkt_data_len);
dump(pkt_data, pkt_data_len);
} else
printf("\t\t\tパケットデータがありません\n");
}
/* main processing function */
void proc_packet(const u_char *data, u_int size)
{
struct ip_stat istat;
u_int data_offs;
u_int tcp_hdr_sz;
u_int udp_hdr_sz;
/* print captured bytes */
printf("\n\nBytes Captured = [ %d ]\n", size);
/* print L2 information */
decode_ethernet(data);
/* obtain IP protocol number for further decoding */
decode_ip(data + ETHER_HDR_LEN, &istat);
switch(istat.ip_prot) {
case 1:
decode_icmp(data + ETHER_HDR_LEN + istat.ip_len);
data_offs = ETHER_HDR_LEN + istat.ip_len;
break;
case 6:
tcp_hdr_sz = decode_tcp(data + ETHER_HDR_LEN + istat.ip_len);
data_offs = ETHER_HDR_LEN + istat.ip_len + tcp_hdr_sz;
break;
case 17:
udp_hdr_sz = decode_udp(data + ETHER_HDR_LEN + istat.ip_len);
data_offs = ETHER_HDR_LEN + istat.ip_len + udp_hdr_sz;
break;
default:
break;
}
/* print raw encapsulated data */
praw(data + data_offs, size);
}
