Ejemplo n.º 1
0
/**
 * Install filter for hijacked connection
 *
 */
static int hijack_install_filter ( struct hijack *hijack,
                                   char *filter ) {
    struct bpf_program program;

    /* Compile filter */
    if ( pcap_compile ( hijack->pcap, &program, filter, 1, 0 ) < 0 ) {
        logmsg ( LOG_ERR, "could not compile filter \"%s\": %s\n",
                 filter, pcap_geterr ( hijack->pcap ) );
        goto err_nofree;
    }

    /* Install filter */
    if ( pcap_setfilter ( hijack->pcap, &program ) < 0 ) {
        logmsg ( LOG_ERR, "could not install filter \"%s\": %s\n",
                 filter, pcap_geterr ( hijack->pcap ) );
        goto err;
    }

    logmsg ( LOG_INFO, "using filter \"%s\"\n", filter );

    pcap_freecode ( &program );
    return 0;

err:
    pcap_freecode ( &program );
err_nofree:
    return -1;
}
Ejemplo n.º 2
0
PyObject *
captureObject_filter(captureObject *self, PyObject *args)
{
    char *filter = NULL;
    int optimize = 0;
    unsigned int netmask = 0xffffffff;
    struct bpf_program prog;
    
    if (! PyArg_ParseTuple(args, "s|i:filter", &filter, &optimize))
        return NULL;

    if (pcap_compile(self->pcap, &prog, filter, optimize, netmask))
    {
        PyErr_SetString(ErrorObject, pcap_geterr(self->pcap));
        return NULL;
    }
    if (pcap_setfilter(self->pcap, &prog))
    {
        pcap_freecode(&prog);
        PyErr_SetString(ErrorObject, pcap_geterr(self->pcap));
        return NULL;
    }
    pcap_freecode(&prog);
    return Py_BuildValue("");
}
Ejemplo n.º 3
0
int
tc_pcap_socket_in_init(pcap_t **pd, char *device, 
        int snap_len, int buf_size, char *pcap_filter)
{
    int         fd;
    char        ebuf[PCAP_ERRBUF_SIZE]; 
    struct      bpf_program fp;
    bpf_u_int32 net, netmask;      

    if (device == NULL) {
        return TC_INVALID_SOCK;
    }

    tc_log_info(LOG_NOTICE, 0, "pcap open,device:%s", device);

    *ebuf = '\0';

    if (tc_pcap_open(pd, device, snap_len, buf_size) == TC_ERR) {
        return TC_INVALID_SOCK;
    }

    if (pcap_lookupnet(device, &net, &netmask, ebuf) < 0) {
        net = 0;
        netmask = 0;
        tc_log_info(LOG_WARN, 0, "lookupnet:%s", ebuf);
        return TC_INVALID_SOCK;
    }

    if (pcap_compile(*pd, &fp, pcap_filter, 0, netmask) == -1) {
        tc_log_info(LOG_ERR, 0, "couldn't parse filter %s: %s", 
                pcap_filter, pcap_geterr(*pd));
        return TC_INVALID_SOCK;
    }

    if (pcap_setfilter(*pd, &fp) == -1) {
        tc_log_info(LOG_ERR, 0, "couldn't install filter %s: %s",
                pcap_filter, pcap_geterr(*pd));
        pcap_freecode(&fp);
        return TC_INVALID_SOCK;
    }

    pcap_freecode(&fp);

    if (pcap_get_selectable_fd(*pd) == -1) {
        tc_log_info(LOG_ERR, 0, "pcap_get_selectable_fd fails"); 
        return TC_INVALID_SOCK;
    }

    if (pcap_setnonblock(*pd, 1, ebuf) == -1) {
        tc_log_info(LOG_ERR, 0, "pcap_setnonblock failed: %s", ebuf);
        return TC_INVALID_SOCK;
    }

    fd = pcap_get_selectable_fd(*pd);

    return fd;
}
Ejemplo n.º 4
0
/*
 * privileged part of priv_pcap_setfilter, compile the filter
 * expression, and return it to the parent. Note that we fake an hpcap
 * and use it to capture the error messages, and pass the error back
 * to client.
 */
int
setfilter(int bpfd, int sock, char *filter)
{
	struct bpf_program fcode;
	int oflag, snap, link;
	u_int32_t netmask;
	pcap_t hpcap;

	must_read(sock, &oflag, sizeof(oflag));
	must_read(sock, &netmask, sizeof(netmask));
	must_read(sock, &snap, sizeof(snap));
	must_read(sock, &link, sizeof(link));

	if (snap < 0) {
		snprintf(hpcap.errbuf, PCAP_ERRBUF_SIZE, "invalid snaplen");
		goto err;
	}

	/* fake hpcap, it only needs errbuf, snaplen, and linktype to
	 * compile a filter expression */
	/* XXX messing with pcap internals */
	hpcap.snapshot = snap;
	hpcap.linktype = link;
	if (pcap_compile(&hpcap, &fcode, filter, oflag, netmask))
		goto err;

	/* if bpf descriptor is open, set the filter XXX check oflag? */
	if (bpfd >= 0 && ioctl(bpfd, BIOCSETF, &fcode)) {
		snprintf(hpcap.errbuf, PCAP_ERRBUF_SIZE,
		    "ioctl: BIOCSETF: %s", strerror(errno));
		pcap_freecode(&fcode);
		goto err;
	}
	if (fcode.bf_len > 0) {
		/* write the filter */
		must_write(sock, &fcode.bf_len, sizeof(fcode.bf_len));
		must_write(sock, fcode.bf_insns,
		    fcode.bf_len * sizeof(struct bpf_insn));
	} else {
		snprintf(hpcap.errbuf, PCAP_ERRBUF_SIZE, "Invalid filter size");
		pcap_freecode(&fcode);
		goto err;
	}


	pcap_freecode(&fcode);
	return (0);

 err:
	fcode.bf_len = 0;
	must_write(sock, &fcode.bf_len, sizeof(fcode.bf_len));

	/* write back the error string */
	write_string(sock, hpcap.errbuf);
	return (1);
}
Ejemplo n.º 5
0
void startSniffer(char *filter)
{
	struct in_addr in;

	if (dev == NULL)
		if ((dev = pcap_lookupdev(errbuf)) == NULL) {
			fprintf(stderr, "startSniffer: couldn't find a device to sniff: %s\n", errbuf);
			exit(1);
		}

	printf("\n\n%s starting: listening on device: %s\n", VERSION, dev);

	if ((pd = pcap_open_live(dev, SNAPLEN, promisc, readtimeout, errbuf)) == NULL) {
		fprintf(stderr, "startSniffer: pcap_open_live failed: %s\n", errbuf);
		exit(1);
	}


	pcap_lookupnet(dev, &netp, &maskp, errbuf);
	in.s_addr = netp;
	printf("%s (%s/", dev, inet_ntoa(in));
	in.s_addr = maskp;
	printf("%s) opened successfully in %spromiscuous mode\n", inet_ntoa(in), (promisc ? "" : "non-"));

	if (filter != NULL) {
		pcap_compile(pd, &fprog, filter, 0, netp);
		if ((pcap_setfilter(pd, &fprog)) == -1) {
			fprintf(stderr, "startSniffer: pcap_setfilter: cannot set filter\n");
			exit(1);
		}
		pcap_freecode(&fprog);
	}
}
Ejemplo n.º 6
0
Archivo: rules.c Proyecto: aihua/moloch 
/* Called at the start on main thread or each time a new file is open on single thread */
void moloch_rules_recompile()
{
    int t, r;

    if (deadPcap)
        pcap_close(deadPcap);

    deadPcap = pcap_open_dead(pcapFileHeader.linktype, pcapFileHeader.snaplen);
    MolochRule_t *rule;
    for (t = 0; t < MOLOCH_RULE_TYPE_NUM; t++) {
        for (r = 0; (rule = current.rules[t][r]); r++) {
            if (!rule->bpf)
                continue;

            pcap_freecode(&rule->bpfp);
            if (pcapFileHeader.linktype != 239) {
                if (pcap_compile(deadPcap, &rule->bpfp, rule->bpf, 1, PCAP_NETMASK_UNKNOWN) == -1) {
                    LOGEXIT("ERROR - Couldn't compile filter %s: '%s' with %s", rule->filename, rule->bpf, pcap_geterr(deadPcap));
                }
            } else {
                rule->bpfp.bf_len = 0;
            }
        }
    }
}
Ejemplo n.º 7
0
int set_raw_filter(unsigned int loc_idx, char *filter) {

        struct bpf_program raw_filter;
        //uint16_t snaplen = 65535;
        int linktype;
        //struct pcap_t *aa;
        int fd = -1;
                
        LERR("APPLY FILTER [%d]\n", loc_idx);        
        if(loc_idx >= MAX_SOCKETS || sniffer_proto[loc_idx] == NULL) return 0;         

        fd = pcap_get_selectable_fd(sniffer_proto[loc_idx]);

        linktype  = profile_socket[loc_idx].link_type ? profile_socket[loc_idx].link_type : DLT_EN10MB;

        if (pcap_compile_nopcap(profile_socket[loc_idx].snap_len ? profile_socket[loc_idx].snap_len : 0xffff, linktype, &raw_filter, filter, 1, 0) == -1) {
                LERR("Failed to compile filter '%s'", filter);
                return -1;
        }

#if ( defined (OS_LINUX) || defined (OS_SOLARIS) )
        if(setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &raw_filter, sizeof(raw_filter)) < 0 ) {
                LERR(" setsockopt filter: [%s] [%d]", strerror(errno), errno);
                return -1;
        }
#endif

        //free(BPF_code);
        pcap_freecode( (struct bpf_program *) &raw_filter);

        return 1;

}
Ejemplo n.º 8
0
static int l2_packet_init_libpcap(struct l2_packet_data *l2,
                                  unsigned short protocol)
{
        bpf_u_int32 pcap_maskp, pcap_netp;
        char pcap_filter[200], pcap_err[PCAP_ERRBUF_SIZE];
        struct bpf_program pcap_fp;

        pcap_lookupnet(l2->ifname, &pcap_netp, &pcap_maskp, pcap_err);
        l2->pcap = pcap_open_live(l2->ifname, 2500, 0, 1, pcap_err);
        if (l2->pcap == NULL) {
                fprintf(stderr, "pcap_open_live: %s\n", pcap_err);
                fprintf(stderr, "ifname='%s'\n", l2->ifname);
                return -1;
        }
        os_snprintf(pcap_filter, sizeof(pcap_filter),
                    "not ether src " MACSTR " and "
                    "( ether dst " MACSTR " or ether dst " MACSTR " ) and "
                    "ether proto 0x%x",
                    MAC2STR(l2->own_addr), /* do not receive own packets */
                    MAC2STR(l2->own_addr), MAC2STR(pae_group_addr),
                    protocol);
        if (pcap_compile(l2->pcap, &pcap_fp, pcap_filter, 1, pcap_netp) < 0) {
                fprintf(stderr, "pcap_compile: %s\n", pcap_geterr(l2->pcap));
                return -1;
        }

        if (pcap_setfilter(l2->pcap, &pcap_fp) < 0) {
                fprintf(stderr, "pcap_setfilter: %s\n", pcap_geterr(l2->pcap));
                return -1;
        }

        pcap_freecode(&pcap_fp);

        return 0;
}
Ejemplo n.º 9
0
/*-
-- cap = cap:set_filter(filter, nooptimize)

- filter is the filter string, see tcpdump or pcap-filter man page.
- nooptimize can be true if you don't want the filter optimized during compile
  (the default is to optimize).
*/
static int lpcap_set_filter(lua_State* L)
{
    pcap_t* cap = checkpcap(L);
    const char* filter = luaL_checkstring(L, 2);
    int optimize = !lua_toboolean(L, 3);
    bpf_u_int32 netmask = PCAP_NETMASK_UNKNOWN; /* TODO get device from registry, and call pcap_lookup_net()*/
    int ret = 0;
    struct bpf_program program = { 0 };

    ret = pcap_compile(cap, &program, filter, optimize, netmask);

    if(ret < 0) {
        return pusherr(L, cap);
    }

    ret = pcap_setfilter(cap, &program);

    pcap_freecode(&program);

    if(ret < 0) {
        return pusherr(L, cap);
    }

    lua_settop(L, 1);

    return 1;
}
Ejemplo n.º 10
0
Archivo: main.c Proyecto: almorel/lab 
void init_pcap(void){
	pcap_t 	* handle;		//Handle de capture
	struct bpf_program fp;
	char	* device;		//Périphérique pour sniffer
	struct devInfo myDevInfo;
	char errbuf[PCAP_ERRBUF_SIZE];
	int num_packets = 10;

	getDevice(&myDevInfo);
#ifdef DEBUG
	displayInformationDevice(&myDevInfo); // affiche ip/mask/peripherique
#endif
	DEBUGMSG(1)("Ouverture interface"); 
	 handle = pcap_open_live(myDevInfo.dev, BUFSIZ, 1, 1000, errbuf);
	 if (handle == NULL) {
		 fprintf(stderr, "Couldn't open device %s: %s\n", "eth0", errbuf);
		 exit(EXIT_FAILURE);
	 }
	DEBUGMSG(1)("compilation du filtre"); 
	if (pcap_compile(handle, &fp, FILTRE, 0, myDevInfo.net) == -1){
		fprintf(stderr, "Couldn't parse filter %s: %s\n", FILTRE, pcap_geterr(handle));
		exit(EXIT_FAILURE);
	}
	DEBUGMSG(1)("Activation du filtre"); 
	if (pcap_setfilter(handle, &fp) == -1) {
		fprintf(stderr, "Couldn't install filter %s: %s\n", FILTRE, pcap_geterr(handle));
		exit(EXIT_FAILURE);
	}
	DEBUGMSG(1)("Sniffing ... listen packets"); 
	pcap_loop(handle, num_packets, got_packet, NULL);
	DEBUGMSG(1)("cleaning and stopping... bye"); 
	pcap_freecode(&fp);
	pcap_close(handle);

}
Ejemplo n.º 11
0
void reader_pfring_start() {
    int dlt_to_linktype(int dlt);

    pcapFileHeader.linktype = 1;
    pcapFileHeader.snaplen = MOLOCH_SNAPLEN;


    pcap_t *pcap = pcap_open_dead(pcapFileHeader.linktype, pcapFileHeader.snaplen);
    if (config.dontSaveBPFs) {
        int i;
        if (bpf_programs) {
            for (i = 0; i < config.dontSaveBPFsNum; i++) {
                pcap_freecode(&bpf_programs[i]);
            }
        } else {
            bpf_programs = malloc(config.dontSaveBPFsNum*sizeof(struct bpf_program));
        }
        for (i = 0; i < config.dontSaveBPFsNum; i++) {
            if (pcap_compile(pcap, &bpf_programs[i], config.dontSaveBPFs[i], 0, PCAP_NETMASK_UNKNOWN) == -1) {
                LOG("ERROR - Couldn't compile filter: '%s' with %s", config.dontSaveBPFs[i], pcap_geterr(pcap));
                exit(1);
            }
        }
        moloch_reader_should_filter = reader_pfring_should_filter;
    }
    pcap_close(pcap);

    int i;
    for (i = 0; i < MAX_INTERFACES && config.interface[i]; i++) {
        char name[100];
        snprintf(name, sizeof(name), "moloch-pfring%d", i);
        g_thread_new(name, &reader_pfring_thread, rings[i]);
    }
}
Ejemplo n.º 12
0
bool us_rawnet_join_multicast( us_rawnet_context_t *self, const uint8_t multicast_mac[6] )
{
    bool r = false;
    struct bpf_program fcode;
    pcap_t *p = (pcap_t *)self->m_pcap;
    char filter[1024];
    /* TODO: add multicast address to pcap filter here if multicast_mac is not null*/
    (void)multicast_mac;
    sprintf( filter, "ether proto 0x%04x", self->m_ethertype );

    if ( pcap_compile( p, &fcode, filter, 1, 0xffffffff ) < 0 )
    {
        pcap_close( p );
        us_log_error( "Unable to pcap_compile: '%s'", filter );
    }
    else
    {
        if ( pcap_setfilter( p, &fcode ) < 0 )
        {
            pcap_close( p );
            us_log_error( "Unable to pcap_setfilter" );
        }
        else
        {
            r = true;
        }
        pcap_freecode( &fcode );
    }
    return r;
}
Ejemplo n.º 13
0
 void apply_bpf_filters()
{
	struct bpf_program bpf_filter;
	char *str = "(src host 139.91.70.42 or src host 1.1.1.2) " 
		    "and (dst host 139.91.70.43 or dst host 1.1.1.3) "
		    "and (dst port 22 or dst port 23)";
	
	printf("Constructing filter : %s\n",str);
	
	if(pcap_compile(p,&bpf_filter,str,1,0xFFFFFF00))
	{
		pcap_perror(p,"pcap_compile");
		
		exit(1);
	}

	if(pcap_setfilter(p,&bpf_filter))
	{
		pcap_perror(p,"pcap_setfilter");
		
		exit(1);
	}
	
	pcap_freecode(&bpf_filter);
}
Ejemplo n.º 14
0
void reader_snf_start() {
    pcapFileHeader.linktype = DLT_EN10MB;
    pcapFileHeader.snaplen = MOLOCH_SNAPLEN;
    pcap_t *dpcap = pcap_open_dead(pcapFileHeader.linktype, pcapFileHeader.snaplen);
    int t;
    for (t = 0; t < MOLOCH_FILTER_MAX; t++) {
        if (config.bpfsNum[t]) {
            int i;
            if (bpf_programs[t]) {
                for (i = 0; i < config.bpfsNum[t]; i++) {
                    pcap_freecode(&bpf_programs[t][i]);
                }
            } else {
                bpf_programs[t] = malloc(config.bpfsNum[t]*sizeof(struct bpf_program));
            }
            for (i = 0; i < config.bpfsNum[t]; i++) {
                if (pcap_compile(dpcap, &bpf_programs[t][i], config.bpfs[t][i], 1, PCAP_NETMASK_UNKNOWN) == -1) {
                    LOG("ERROR - Couldn't compile filter: '%s' with %s", config.bpfs[t][i], pcap_geterr(dpcap));
                    exit(1);
                }
            }
            moloch_reader_should_filter = reader_snf_should_filter;
        }
    }

    int i, r;
    for (i = 0; i < MAX_INTERFACES && config.interface[i]; i++) {
        for (r = 0; r < snfNumRings; r++) {
            char name[100];
            snprintf(name, sizeof(name), "moloch-snf%d-%d", i, r);
            g_thread_new(name, &reader_snf_thread, rings[i][r]);
        }
        snf_start(handles[i]);
    }
}
Ejemplo n.º 15
0
/* Find and prepare ethernet device for capturing */
pcap_t *prepare_capture(char *interface, int promisc, char *capfilter) {
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *pcap_hnd;
    char *dev = NULL;
    bpf_u_int32 net, mask;
    struct bpf_program filter;


    /* Starting live capture, so find and open network device */
    if (!interface) {
        dev = pcap_lookupdev(errbuf);
        if (dev == NULL)
            LOG_DIE("Cannot find a valid capture device: %s", errbuf);
    } else {
        dev = interface;
    }

    if (pcap_lookupnet(dev, &net, &mask, errbuf) == -1) net = 0;

    pcap_hnd = pcap_open_live(dev, BUFSIZ, promisc, 0, errbuf);
    if (pcap_hnd == NULL)
        LOG_DIE("Cannot open live capture on '%s': %s", dev, errbuf);

    set_link_header_offset(pcap_datalink(pcap_hnd));

    /* Compile capture filter and apply to handle */
    if (pcap_compile(pcap_hnd, &filter, capfilter, 0, net) == -1)
        LOG_DIE("Cannot compile capture filter '%s': %s", capfilter, pcap_geterr(pcap_hnd));

    if (pcap_setfilter(pcap_hnd, &filter) == -1)
        LOG_DIE("Cannot apply capture filter: %s", pcap_geterr(pcap_hnd));

    pcap_freecode(&filter);
    return pcap_hnd;
}
Ejemplo n.º 16
0
bool Pcap::setBPF(const std::string &filter, std::string *error)
{
    std::lock_guard<std::mutex> lock(d->mutex);
    if (d->active)
        return false;

    char err[PCAP_ERRBUF_SIZE] = {'\0'};
    pcap_t *pcap = pcap_open_live(d->interface.c_str(), d->snaplen, d->promisc, 500, err);
    if (!pcap) {
        if (error)
            error->assign(err);
        return false;
    }

    pcap_freecode(&d->bpf);
    d->bpf.bf_len = 0;
    d->bpf.bf_insns = nullptr;

    if (pcap_compile(pcap, &d->bpf, filter.c_str(), true, PCAP_NETMASK_UNKNOWN) < 0) {
        if (error)
            error->assign(pcap_geterr(pcap));
        pcap_close(pcap);
        return false;
    }

    pcap_close(pcap);
    return true;
}
Ejemplo n.º 17
0
static int openPcap()
{
	char buf[PCAP_ERRBUF_SIZE], *fmt;
	struct bpf_program fcode;
	if ((hPcap = pcap_open_live(nic, 2048, 1, 1000, buf)) == NULL)
	{
//		printf("!! 打开网卡%s失败: %s\n", nic, buf);
		return -1;
	}
	fmt = formatHex(localMAC, 6);
#ifndef NO_ARP
	sprintf(buf, "((ether proto 0x888e and (ether dst %s or ether dst 01:80:c2:00:00:03)) "
			"or ether proto 0x0806) and not ether src %s", fmt, fmt);
#else
	sprintf(buf, "ether proto 0x888e and (ether dst %s or ether dst 01:80:c2:00:00:03) "
			"and not ether src %s", fmt, fmt);
#endif
	if (pcap_compile(hPcap, &fcode, buf, 0, 0xffffffff) == -1
			|| pcap_setfilter(hPcap, &fcode) == -1)
	{
//		printf("!! 设置pcap过滤器失败: %s\n", pcap_geterr(hPcap));
		return -1;
	}
	pcap_freecode(&fcode);
	return 0;
}
Ejemplo n.º 18
0
static int l2_packet_init_libpcap(struct l2_packet_data *l2,
				  unsigned short protocol)
{
	bpf_u_int32 pcap_maskp, pcap_netp;
	char pcap_filter[200], pcap_err[PCAP_ERRBUF_SIZE];
	struct bpf_program pcap_fp;

	pcap_lookupnet(l2->ifname, &pcap_netp, &pcap_maskp, pcap_err);
	l2->pcap = pcap_open_live(l2->ifname, 2500, 0, 10, pcap_err);
	if (l2->pcap == NULL) {
		fprintf(stderr, "pcap_open_live: %s\n", pcap_err);
		fprintf(stderr, "ifname='%s'\n", l2->ifname);
		return -1;
	}
	if (pcap_datalink(l2->pcap) != DLT_EN10MB &&
	    pcap_set_datalink(l2->pcap, DLT_EN10MB) < 0) {
		fprintf(stderr, "pcap_set_datalink(DLT_EN10MB): %s\n",
			pcap_geterr(l2->pcap));
		return -1;
	}
	os_snprintf(pcap_filter, sizeof(pcap_filter),
		    "not ether src " MACSTR " and "
		    "( ether dst " MACSTR " or ether dst " MACSTR " ) and "
		    "ether proto 0x%x",
		    MAC2STR(l2->own_addr), /* do not receive own packets */
		    MAC2STR(l2->own_addr), MAC2STR(pae_group_addr),
		    protocol);
	if (pcap_compile(l2->pcap, &pcap_fp, pcap_filter, 1, pcap_netp) < 0) {
		fprintf(stderr, "pcap_compile: %s\n", pcap_geterr(l2->pcap));
		return -1;
	}

	if (pcap_setfilter(l2->pcap, &pcap_fp) < 0) {
		fprintf(stderr, "pcap_setfilter: %s\n", pcap_geterr(l2->pcap));
		return -1;
	}

	pcap_freecode(&pcap_fp);
#ifndef __sun__
	/*
	 * When libpcap uses BPF we must enable "immediate mode" to
	 * receive frames right away; otherwise the system may
	 * buffer them for us.
	 */
	{
		unsigned int on = 1;
		if (ioctl(pcap_fileno(l2->pcap), BIOCIMMEDIATE, &on) < 0) {
			fprintf(stderr, "%s: cannot enable immediate mode on "
				"interface %s: %s\n",
				__func__, l2->ifname, strerror(errno));
			/* XXX should we fail? */
		}
	}
#endif /* __sun__ */

	eloop_register_read_sock(pcap_get_selectable_fd(l2->pcap),
				 l2_packet_receive, l2, l2->pcap);

	return 0;
}
Ejemplo n.º 19
0
struct iface_config *del_iface(struct iface_config *ifc)
{
	struct iface_config	*next;
	int	i;

	next = ifc->next;

#if HAVE_LIBEVENT2
	event_free(ifc->event);
#endif
	pcap_freecode(&ifc->pcap_filter);
	pcap_close(ifc->pcap_handle);

	log_msg(LOG_DEBUG, "Closed interface %s", ifc->name);

	if (ifc->cache) {
		for (i = 0; i < cfg.hashsize; i++)
			if (*(ifc->cache + i))
				cache_prune(*(ifc->cache+i), ifc->cache+i);
		free(ifc->cache);
	}

	free(ifc);
	
	return next;

}
Ejemplo n.º 20
0
void bsf_destroy(bsf_t *bsf_desc)
{
	pcap_freecode(bsf_desc->bpf_prog);
	free(bsf_desc->bpf_prog);
	free(bsf_desc);
	return;
}
Ejemplo n.º 21
0
NetworkInterface::~NetworkInterface()
{
  if(m_pFilter)
    pcap_freecode(m_pFilter);
  if(m_pHandler)
    pcap_close(m_pHandler);
}
Ejemplo n.º 22
0
/*
 * Make a copy of a BPF program and put it in the "fcode" member of
 * a "pcap_t".
 *
 * If we fail to allocate memory for the copy, fill in the "errbuf"
 * member of the "pcap_t" with an error message, and return -1;
 * otherwise, return 0.
 */
int
install_bpf_program(pcap_t *p, struct bpf_program *fp)
{
	size_t prog_size;

	/*
	 * Validate the program.
	 */
	if (!bpf_validate(fp->bf_insns, fp->bf_len)) {
		snprintf(p->errbuf, sizeof(p->errbuf),
			"BPF program is not valid");
		return (-1);
	}

	/*
	 * Free up any already installed program.
	 */
	pcap_freecode(&p->fcode);

	prog_size = sizeof(*fp->bf_insns) * fp->bf_len;
	p->fcode.bf_len = fp->bf_len;
	p->fcode.bf_insns = (struct bpf_insn *)malloc(prog_size);
	if (p->fcode.bf_insns == NULL) {
		snprintf(p->errbuf, sizeof(p->errbuf),
			 "malloc: %s", pcap_strerror(errno));
		return (-1);
	}
	memcpy(p->fcode.bf_insns, fp->bf_insns, prog_size);
	return (0);
}
Ejemplo n.º 23
0
static void apply_bpf_filters()
{
	struct bpf_program bpf_filters[PORTS_NR];
	char str[50];
	int i;
	
	for( i = 0 ; i < PORTS_NR ; i++)
	{
		sprintf(str,"port %u",monitored_ports[i]);
		
		printf("Constructing filter : %s\n",str);
		
		if(pcap_compile(p[i],&bpf_filters[i],str,1,0xFFFFFF00))
		{
			pcap_perror(p[i],"pcap_compile");
			
			exit(1);
		}
	}

	for( i = 0 ; i < PORTS_NR ; i++)
	{
		if(pcap_setfilter(p[i],&bpf_filters[i]))
		{
			pcap_perror(p[i],"pcap_setfilter");
			
			exit(1);
		}
	}
	
	for( i = 0 ; i < PORTS_NR ; i++)
	{
		pcap_freecode(&bpf_filters[i]);
	}
}
Ejemplo n.º 24
0
int
pcap_setfilter(pcap_t *p, struct bpf_program *fp)
{
	size_t buflen;
	/*
	 * It looks that BPF code generated by gen_protochain() is not
	 * compatible with some of kernel BPF code (for example BSD/OS 3.1).
	 * Take a safer side for now.
	 */
	if (no_optimize || (p->sf.rfile != NULL)){
		if (p->fcode.bf_insns != NULL)
			pcap_freecode(&p->fcode);
		buflen = sizeof(*fp->bf_insns) * fp->bf_len;
		p->fcode.bf_len = fp->bf_len;
		p->fcode.bf_insns = malloc(buflen);
		if (p->fcode.bf_insns == NULL) {
			snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "malloc: %s",
			    pcap_strerror(errno));
			return (-1);
		}
		memcpy(p->fcode.bf_insns, fp->bf_insns, buflen);
	} else if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) {
		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s",
		    pcap_strerror(errno));
		return (-1);
	}
	return (0);
}
Ejemplo n.º 25
0
void bpf_try_compile(const char *rulefile, struct sock_fprog *bpf, uint32_t link_type)
{
	int i, ret;
	const struct bpf_insn *ins;
	struct sock_filter *out;
	struct bpf_program _bpf;

	ret = pcap_compile_nopcap(65535, link_type, &_bpf, rulefile, 1, 0xffffffff);
	if (ret < 0)
		panic("Cannot compile filter %s\n", rulefile);

	bpf->len = _bpf.bf_len;
	bpf->filter = xrealloc(bpf->filter, 1, bpf->len * sizeof(*out));

	for (i = 0, ins = _bpf.bf_insns, out = bpf->filter; i < bpf->len; ++i, ++ins, ++out) {

		out->code = ins->code;
		out->jt = ins->jt;
		out->jf = ins->jf;
		out->k = ins->k;

		if (out->code == 0x06 && out->k > 0)
			out->k = 0xFFFFFFFF;
	}

	pcap_freecode(&_bpf);

	if (__bpf_validate(bpf) == 0)
		panic("This is not a valid BPF program!\n");
}
Ejemplo n.º 26
0
void
parse_bpf(ipfw_insn **cmd, int *ac, char **av[])
{
	struct bpf_program program;
	ipfw_insn_bpf *bpf;
	int avlen;

	NEXT_ARG1;
	(*cmd)->opcode = O_LAYER4_BPF;
	(*cmd)->module = MODULE_LAYER4_ID;

	avlen = strlen(**av);
	if (avlen > 256)
		errx(EX_DATAERR, "bpf \"%s\" too long (max 256)", **av);
	bpf = (ipfw_insn_bpf *)(*cmd);
	strcpy(bpf->bf_str, **av);
	if (pcap_compile_nopcap(65535, DLT_RAW, &program, **av, 1,
			PCAP_NETMASK_UNKNOWN))
		errx(EX_DATAERR, "bpf \"%s\" compilation error", **av);
	bpf->bf_len = program.bf_len;

	memcpy(&bpf->bf_insn, program.bf_insns,
			sizeof(struct bpf_insn) * program.bf_len);
	(*cmd)->len |= (sizeof(ipfw_insn_bpf) +
			sizeof(struct bpf_insn) * (bpf->bf_len - 1)) /
			sizeof(uint32_t);

	pcap_freecode(&program);
	NEXT_ARG1;
}
Ejemplo n.º 27
0
bool BaseSniffer::set_filter(const std::string &filter) {
    bpf_program prog;
    if(pcap_compile(handle, &prog, filter.c_str(), 0, mask) == -1)
        return false;
    bool result = pcap_setfilter(handle, &prog) != -1;
    pcap_freecode(&prog);
    return result;
}
Ejemplo n.º 28
0
void stop_capture(int sig)
{
    printf("send SIGINT signal to terminate packet capture\n");
    //free resources
    pcap_freecode(&fp);
    pcap_close(handle);
    exit(0);
}
Ejemplo n.º 29
0
void cleanup(void)
{
   pcap_freecode(&fp);
   pcap_close(handle);

   if(buff_frag) free(buff_frag);
   free_tags();
}
Ejemplo n.º 30
0
static void ulink_recv_close(ulink_recv_t *t)
{
    pcap_freecode(&t->bpf);
    pcap_close(t->pcap_handle);
    LOG_("ulink_recv_close: %p", t);
    free(t);
    return;
}