int main(int argc, char **argv) {
pcap_t *handle;
char errbuf[PCAP_ERRBUF_SIZE];
struct pcap_pkthdr header;
const uint8_t *packet;
handle = pcap_open_offline(FILENAME, errbuf);
if (handle == NULL) {
printf("Could not open file %s: %s\n", FILENAME, errbuf);
exit(-1);
}
while(packet = pcap_next(handle, &header)) {
printf("got one packet\n");
}
pcap_close(handle);
return 0;
}
void read_from_pcapfile(char *filename) {
struct pcap_pkthdr header; // The header that pcap gives us
u_char *packet; // The actual packet
//open the pcap file
pcap_t *handle;
char errbuf[PCAP_ERRBUF_SIZE]; //not sure what to do with this, oh well
handle = pcap_open_offline(filename, errbuf); //call pcap library function
if (handle == NULL) {
fprintf(stderr,"Couldn't open pcap file %s: %s\n", filename, errbuf);
exit(1);
}
while ((packet = (u_char *)pcap_next(handle,&header))) {
uint8_t size;
// header contains information about the packet (e.g. timestamp)
u_char *pkt_ptr;
/* check if packet looks like USB comms to watch */
/* USBPcap in windows captures 91 byte packets,
* must check Linux */
if (header.caplen == 91 &&
// usbpcap magic bytes
packet[0] == 0x1b &&
packet[1] == 0x00 &&
// watch i/o endpoints:
(packet[21] == 0x05 || packet[21] == 0x84)) {
pkt_ptr = &packet[27]; // start of usb data
size = packet[28] + 2;
print_packet(pkt_ptr, size);
}
}
pcap_close(handle); //close the pcap file
}
int handle_pcap_file(char* filename){
initialize_default_interface();
struct pcap_pkthdr* header = (struct pcap_pkthdr*)malloc(sizeof(struct pcap_pkthdr));
const u_char *packet; // The actual packet
pcap_t *handle;
char errbuf[PCAP_ERRBUF_SIZE];
handle = pcap_open_offline(filename, errbuf); //call pcap library function
if (handle == NULL) {
printf("Couldn't open pcap file %s: \n", filename);
return 0;
}
struct network_interface* interface =
get_network_interface("wlan0","6c:71:d9:6a:74:45");
struct pcap_handler_argument arg;
arg.source = interface;
arg.dest = NULL;
arg.is_pcap = 1; //setting pcap mode on
char* ofilename = (char*)malloc(256);
strcpy(ofilename, "outdump");
//pcap_t* pd = pcap_open_dead(DLT_EN10MB, 65535);
if (ofilename != NULL){
dumpfile=pcap_dump_open(handle, ofilename);
if(dumpfile==NULL){
printf("\nError opening output file\n");
return 0;
}
}
while (packet = pcap_next(handle,header)) {
disassemble_packet((u_char*)&arg, header, packet);
}
pcap_close(handle);
return 1;
}
int main(int argc, char *argv[])
{
pcap_t *pcap;
const u_char *packet;
struct pcap_pkthdr header;
struct bpf_program fp;
bpf_u_int32 devnet=0, devmask;
signal(SIGINT, intHandler);
parse_options(argc, argv);
if (live_pcap) {
if (pcap_lookupnet(capdev, &devnet, &devmask, errbuf) == -1) {
fprintf(stderr, "WARNING: Can't get netmask for device %s\n", capdev);
devnet = 0;
devmask = 0;
}
pcap = pcap_open_live(capdev, BUFSIZ, 1, 1000, errbuf);
} else {
pcap = pcap_open_offline(capfile, errbuf);
}
if (has_expression) {
if (pcap_compile(pcap, &fp, capture_expression, 0, devnet) == -1) error(pcap_geterr(pcap));
if (pcap_setfilter(pcap, &fp) == -1) error(pcap_geterr(pcap));
}
if (pcap == NULL) error(errbuf);
pcap_loop(pcap, -1, &process_packet, NULL);
pcap_close(pcap);
print_stat();
exit(0);
}
char* determine_server_ip() {
int count = 0;
pcap_t *handle;
handle = pcap_open_offline(file, errbuff);
const u_char *packet;
struct pcap_pkthdr header;
const struct ip *ip; /* The IP header */
while(count<3){
packet = pcap_next(handle, &header);
ip = (struct ip*)(packet + SIZE_ETHERNET);
if(ip->ip_p==IPPROTO_TCP) {
return inet_ntoa(ip->ip_dst);
}
count++;
}
return 0;
}
int main(int argc, char *argv[]) {
char *dev;
char errbuf[PCAP_ERRBUF_SIZE];
bpf_u_int32 net;
bpf_u_int32 netmask;
struct in_addr net_addr, mask_addr;
pcap_t *pd;
if(!(dev = pcap_lookupdev(errbuf))) {
perror(errbuf);
exit(1);
}
if(pcap_lookupnet(dev, &net, &netmask, errbuf) < 0) {
perror(errbuf);
exit(1);
}
net_addr.s_addr = net;
mask_addr.s_addr = netmask;
printf("Device : %s\n", dev);
printf("Net Address : %s\n", inet_ntoa(net_addr));
printf("Netmask : %s\n", inet_ntoa(mask_addr));
if((pd = pcap_open_offline("icmp2.pcap", errbuf)) == NULL) {
perror(errbuf);
exit(1);
}
if(pcap_loop(pd, PCAP_CNT_MAX, packet_view, 0) < 0) {
perror(pcap_geterr(pd));
exit(1);
}
pcap_close(pd);
return 1;
}
int
tc_offline_init(tc_event_loop_t *event_loop, char *pcap_file)
{
#if (!TCPCOPY_PCAP_SEND)
int fd;
#endif
char ebuf[PCAP_ERRBUF_SIZE];
#if (!TCPCOPY_PCAP_SEND)
/* init the raw socket to send */
if ((fd = tc_raw_socket_out_init()) == TC_INVALID_SOCKET) {
return TC_ERROR;
} else {
tc_raw_socket_out = fd;
}
#else
tc_pcap_send_init(clt_settings.output_if_name, clt_settings.mtu);
#endif
if (pcap_file == NULL) {
return TC_ERROR;
}
if ((clt_settings.pcap = pcap_open_offline(pcap_file, ebuf)) == NULL) {
tc_log_info(LOG_ERR, 0, "open %s" , ebuf);
fprintf(stderr, "open %s\n", ebuf);
return TC_ERROR;
}
gettimeofday(&base_time, NULL);
tc_log_info(LOG_NOTICE, 0, "open pcap success:%s", pcap_file);
tc_log_info(LOG_NOTICE, 0, "send the first packets here");
send_packets_from_pcap(1);
/* register a timer for offline */
tc_event_timer_add(event_loop, 0, tc_process_offline_packet);
return TC_OK;
}
unsigned int* read_rtp_seq(const char *fpcap, int dport, int n)
{
pcap_t *fp;
char errbuf[PCAP_ERRBUF_SIZE];
struct pcap_pkthdr *header;
const u_char *pkt_data;
unsigned int seq;
int res, i = 0;
ip_header *ih;
udp_header *uh;
u_int ip_len;
unsigned int* tseq = (unsigned int*)malloc(n*sizeof(unsigned int));
fp = pcap_open_offline(fpcap, errbuf);
/* Retrieve the packets from the file */
while((res = pcap_next_ex(fp, &header, &pkt_data)) >= 0)
{
/* retireve the position of the ip header */
ih = (ip_header *) (pkt_data + 14); //length of ethernet header
/* retireve the position of the udp header */
ip_len = (ih->ver_ihl & 0xf) * 4;
uh = (udp_header *) ((u_char*)ih + ip_len);
if( ntohs(uh->dport) == dport) {
memcpy (&seq, pkt_data + 44, 2);
tseq[i] = ntohs(seq);
i++;
}
}
pcap_close(fp);
return tseq;
}
int
epcap_open(EPCAP_STATE *ep)
{
char errbuf[PCAP_ERRBUF_SIZE];
if (ep->file) {
PCAP_ERRBUF(ep->p = pcap_open_offline(ep->file, errbuf));
} else {
if (ep->dev == NULL)
PCAP_ERRBUF(ep->dev = pcap_lookupdev(errbuf));
PCAP_ERRBUF(ep->p = pcap_open_live(ep->dev, ep->snaplen, ep->promisc, ep->timeout, errbuf));
/* monitor mode */
#ifdef PCAP_ERROR_RFMON_NOTSUP
if (pcap_can_set_rfmon(ep->p) == 1)
(void)pcap_set_rfmon(ep->p, ep->rfmon);
#endif
}
return (0);
}
static void openPcapFileOrDevice(void)
{
u_int snaplen = 1514;
int promisc = 1;
char errbuf[PCAP_ERRBUF_SIZE];
if((_pcap_handle = pcap_open_live(_pcap_file, snaplen, promisc, 500, errbuf)) == NULL) {
_pcap_handle = pcap_open_offline(_pcap_file, _pcap_error_buffer);
capture_until = 0;
if (_pcap_handle == NULL) {
printf("ERROR: could not open pcap file: %s\n", _pcap_error_buffer);
exit(-1);
} else
printf("Reading packets from pcap file %s...\n", _pcap_file);
} else
printf("Capturing live traffic from device %s...\n", _pcap_file);
_pcap_datalink_type = pcap_datalink(_pcap_handle);
if(_bpf_filter != NULL) {
struct bpf_program fcode;
if(pcap_compile(_pcap_handle, &fcode, _bpf_filter, 1, 0xFFFFFF00) < 0) {
printf("pcap_compile error: '%s'\n", pcap_geterr(_pcap_handle));
} else {
if(pcap_setfilter(_pcap_handle, &fcode) < 0) {
printf("pcap_setfilter error: '%s'\n", pcap_geterr(_pcap_handle));
} else
printf("Succesfully set BPF filter to '%s'\n", _bpf_filter);
}
}
if(capture_until > 0) {
printf("Capturing traffic up to %u seconds\n", (unsigned int)capture_until);
capture_until += time(NULL);
}
}
TmEcode InitPcapFile(PcapFileFileVars *pfv)
{
char errbuf[PCAP_ERRBUF_SIZE] = "";
if(unlikely(pfv->filename == NULL)) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "Filename was null");
SCReturnInt(TM_ECODE_FAILED);
}
pfv->pcap_handle = pcap_open_offline(pfv->filename, errbuf);
if (pfv->pcap_handle == NULL) {
SCLogError(SC_ERR_FOPEN, "%s", errbuf);
SCReturnInt(TM_ECODE_FAILED);
}
if (pfv->shared != NULL && pfv->shared->bpf_string != NULL) {
SCLogInfo("using bpf-filter \"%s\"", pfv->shared->bpf_string);
if (pcap_compile(pfv->pcap_handle, &pfv->filter, pfv->shared->bpf_string, 1, 0) < 0) {
SCLogError(SC_ERR_BPF, "bpf compilation error %s for %s",
pcap_geterr(pfv->pcap_handle), pfv->filename);
SCReturnInt(TM_ECODE_FAILED);
}
if (pcap_setfilter(pfv->pcap_handle, &pfv->filter) < 0) {
SCLogError(SC_ERR_BPF,"could not set bpf filter %s for %s",
pcap_geterr(pfv->pcap_handle), pfv->filename);
SCReturnInt(TM_ECODE_FAILED);
}
}
pfv->datalink = pcap_datalink(pfv->pcap_handle);
SCLogDebug("datalink %" PRId32 "", pfv->datalink);
Decoder temp;
TmEcode validated = ValidateLinkType(pfv->datalink, &temp);
SCReturnInt(validated);
}
int main(int argc, char **argv)
{
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *pcap_src = NULL;
opt_register_table(opts, NULL);
if (!opt_parse(&argc, argv, opt_log_stderr))
return 1;
if (!g_ifc_name && !g_file_name)
return err_ret("No packet source specified\n");
if (g_ifc_name && g_file_name)
return err_ret("Both file and interface source specified\n");
if (g_ifc_name)
pcap_src = pcap_open_live(g_ifc_name, PCAP_SNAPLEN_ALL,
1, -1, errbuf);
else if (g_file_name)
pcap_src = pcap_open_offline(g_file_name, errbuf);
if (!pcap_src) {
fprintf(stderr, "Couldn't open packet source: %s\n", errbuf);
return 1;
}
pcap_loop(pcap_src, PCAP_CNT_INF, packet_cb, NULL);
pcap_close(pcap_src);
if (g_dump)
dist_dump(dist1, dist2, dist_min);
if (g_hm)
hm_dump();
return 0;
}
int main(int argc, char *argv[])
{
char *f;
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *pc;
FILE *out = stdout;
while(--argc>0) {
f = *++argv;
pc = pcap_open_offline(f, errbuf);
if(pc == NULL) {
fprintf(stderr, "pcap_open_offline(%s): %s\n",
f, errbuf);
exit(10);
}
pcap_dispatch(pc, -1, pcap_skbuff, (u_char *)out);
pcap_close(pc);
}
exit(0);
}
/*
* Class: disy_jnipcap_Pcap
* Method: openOffline
* Signature: (Ljava/lang/String;Ljava/lang/StringBuilder;)J
*/
JNIEXPORT jlong JNICALL
Java_disy_jnipcap_Pcap_openOffline (JNIEnv *env, jclass jcls, jstring jfname, jobject jerrbuf)
{
if (jfname == NULL || jerrbuf == NULL) {
throwException (env, "Ljava/lang/NullPointerException;", NULL);
return (jlong) NULL;
}
char errbuf[PCAP_ERRBUF_SIZE];
errbuf[0] = '\0';
const char *fname = (*env)->GetStringUTFChars (env, jfname, 0);
pcap_t *p = pcap_open_offline(fname, errbuf);
(*env)->ReleaseStringUTFChars (env, jfname, fname);
buildString (env, jerrbuf, 0, errbuf);
if (p == NULL) return (jlong) NULL;
if (mid_Pcap_init == NULL) {
pcap_close (p);
return (jlong) NULL;
}
return (jlong) p;
}
/*-----------------------------------------------------------------------------------*/
void
pcapif_init(struct netif *netif)
{
struct pcapif *p;
p = malloc(sizeof(struct pcapif));
netif->state = p;
netif->name[0] = 'p';
netif->name[1] = 'c';
netif->output = pcapif_output;
p->pd = pcap_open_offline("pcapdump", errbuf);
if(p->pd == NULL) {
printf("pcapif_init: failed %s\n", errbuf);
return;
}
p->sem = sys_sem_new(0);
p->p = NULL;
p->lasttime = 0;
sys_thread_new(pcapif_thread, netif);
}
static captureObject *
newcaptureObjectFile(char *filename)
{
char errbuf[PCAP_ERRBUF_SIZE];
captureObject *self;
self = PyObject_New(captureObject, &capture_Type);
if (self == NULL)
return NULL;
self->device = NULL;
self->filename = PyMem_New(char, strlen(filename));
strcpy(self->filename, filename);
self->pcap = pcap_open_offline(filename, errbuf);
if (! self->pcap)
{
PyMem_Free(self->device);
PyErr_SetString(ErrorObject, errbuf);
return NULL;
}
return self;
}
int
capture_offline(const char *infile, const char *outfile)
{
// Error text (in case of file open error)
char errbuf[PCAP_ERRBUF_SIZE];
// Set capture mode
capinfo.status = CAPTURE_OFFLINE_LOADING;
// Set capture input file
capinfo.infile = infile;
// Open PCAP file
if ((capinfo.handle = pcap_open_offline(infile, errbuf)) == NULL) {
fprintf(stderr, "Couldn't open pcap file %s: %s\n", infile, errbuf);
return 1;
}
// If requested store packets in a dump file
if (outfile) {
if ((capinfo.pd = dump_open(outfile)) == NULL) {
fprintf(stderr, "Couldn't open output dump file %s: %s\n", outfile,
pcap_geterr(capinfo.handle));
return 2;
}
}
// Get datalink to parse packets correctly
capinfo.link = pcap_datalink(capinfo.handle);
// Check linktypes sngrep knowns before start parsing packets
if ((capinfo.link_hl = datalink_size(capinfo.link)) == -1) {
fprintf(stderr, "Unable to handle linktype %d\n", capinfo.link);
return 3;
}
return 0;
}
int main(int argc, char **argv)
{
pcap_t *pcap;
const unsigned char *packet;
char errbuf[PCAP_ERRBUF_SIZE];
struct pcap_pkthdr header;
int i=0;
logfile=fopen("log.txt","w");
if(logfile==NULL)
{
printf("Unable to create file.");
}
if(argc>=2){
for(i=1;i<argc;i++){
pcap = pcap_open_offline(argv[i], errbuf);
if (pcap == NULL)
{
fprintf(stderr, "error reading pcap file: %s\n", errbuf);
exit(EXIT_FAILURE);
}
while ((packet = pcap_next(pcap, &header)) != NULL)
{ process_packet(NULL,&header,packet);
//dump_packet(packet, header.ts, header.caplen);
//appIdSearch(packet);
}
printf("\nCapture complete.\n");
}
}
return 0;
}
int main(int argc, char **argv)
{
char errbuf[PCAP_ERRBUF_SIZE+1];
char *pcap_fname, *db_fname;
pcap_t *pc;
int rc;
if (argc < 3) {
fprintf(stderr, "You need to specify PCAP and database file\n");
exit(2);
}
pcap_fname = argv[1];
db_fname = argv[2];
pc = pcap_open_offline(pcap_fname, errbuf);
if (!pc) {
fprintf(stderr, "Cannot open %s: %s\n", pcap_fname, errbuf);
exit(1);
}
db = meas_db_open(NULL, db_fname);
if (!db)
exit(0);
rc = meas_db_begin(db);
if (rc < 0) {
fprintf(stderr, "Error during BEGIN\n");
exit(1);
}
pcap_loop(pc, 0 , pcap_cb, NULL);
meas_db_commit(db);
exit(0);
}
int main(int argc, char *argv[])
{
pcap_t *pcap;
const unsigned char *packet;
char errbuf[PCAP_ERRBUF_SIZE];
struct pcap_pkthdr header;
struct tcphdr *tcp;
/* Skip over the program name. */
++argv; --argc;
/* We expect exactly one argument, the name of the file to dump. */
if ( argc != 1 )
{
fprintf(stderr, "program requires one argument, the trace file to dump\n");
exit(1);
}
pcap = pcap_open_offline(argv[0], errbuf);
if (pcap == NULL)
{
fprintf(stderr, "error reading pcap file: %s\n", errbuf);
exit(1);
}
/* Now just loop through extracting packets as long as we have
* some to read.
*/
while ((packet = pcap_next(pcap, &header)) != NULL)
{
//dump_UDP_packet(packet, header.ts, header.caplen);
dump_TCP_packet(packet, header.ts, header.caplen);
}
// terminate
return 0;
}
int main(int argc, char** argv)
{
char *dev, *error_openoffline, *fname, *gen_error;
pcap_t *desc;//declaring the decsriptor
pcap_dumper_t *pd;
struct pcap_pkthdr *header;//declaring packet header
u_char *sp;//packet data written to savefile
dev="eth1";//setting the device as eth1
fname=argv[1];
desc=pcap_open_offline( fname, error_openoffline );
if( desc == NULL )
{
printf("The session could not open as %s", error_openoffline );
exit(1);
}
pd=pcap_dump_open( desc, fname );
if( pd == NULL )
{ gen_error=pcap_geterr( desc );
printf( "\nThe dump could not be opened as %s", gen_error );
exit(1);
}
pcap_dump( (u_char *) pd, header, sp);
printf("\nThe data is %h", sp );
printf("\nThe data is %s", sp );
pcap_dump_close( pd );
pcap_close( desc );
return 0;
}
int main(int argc, char **argv)
{
pcap_t *fp;
char errbuf[PCAP_ERRBUF_SIZE];
#ifdef WIN32
/* Load Npcap and its functions. */
if (!LoadNpcapDlls())
{
fprintf(stderr, "Couldn't load Npcap\n");
exit(1);
}
#endif
if(argc != 2)
{
printf("usage: %s filename", argv[0]);
return -1;
}
/* Open the capture file */
if ((fp = pcap_open_offline(argv[1], // name of the device
errbuf // error buffer
)) == NULL)
{
fprintf(stderr,"\nUnable to open the file %s.\n", argv[1]);
return -1;
}
/* read and dispatch packets until EOF is reached */
pcap_loop(fp, 0, dispatcher_handler, NULL);
pcap_close(fp);
return 0;
}
int
epcap_open(EPCAP_STATE *ep)
{
char errbuf[PCAP_ERRBUF_SIZE];
if (ep->file) {
PCAP_ERRBUF(ep->p = pcap_open_offline(ep->file, errbuf));
} else {
if (ep->dev == NULL)
PCAP_ERRBUF(ep->dev = pcap_lookupdev(errbuf));
PCAP_ERRBUF(ep->p = pcap_open_live(ep->dev, ep->snaplen, ep->promisc, ep->timeout, errbuf));
/* monitor mode */
if (pcap_can_set_rfmon(ep->p) == 1)
(void)pcap_set_rfmon(ep->p, ep->rfmon);
}
if (ep->filter_in) {
pcap_setdirection(ep->p, PCAP_D_IN);
}
return (0);
}
static PyObject*
open_offline(PyObject *self, PyObject *args)
{
char errbuff[PCAP_ERRBUF_SIZE];
char * filename;
if(!PyArg_ParseTuple(args,"s",&filename))
return NULL;
pcap_t* pt;
pt = pcap_open_offline(filename, errbuff);
if(!pt)
{
PyErr_SetString(PcapError, errbuff);
return NULL;
}
#ifdef WIN32
pcap_setmintocopy(pt, 0);
#endif
return new_pcapobject( pt, /*net=*/0, /*mask=*/0 );
}
/* Initializes pcap capture settings and returns a pcap handle on success, NULL on error */
pcap_t *capture_init(char *capture_source)
{
pcap_t *handle = NULL;
char errbuf[PCAP_ERRBUF_SIZE] = { 0 };
#ifdef __APPLE__
// must disassociate from any current AP. This is the only way.
pid_t pid = fork();
if (!pid) {
char* argv[] = {"/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport", "-z", NULL};
execve("/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport", argv, NULL);
}
int status;
waitpid(pid,&status,0);
handle = pcap_create(capture_source,errbuf);
if (handle) {
pcap_set_snaplen(handle, BUFSIZ);
pcap_set_timeout(handle, 50);
pcap_set_rfmon(handle, 1);
pcap_set_promisc(handle, 1);
int status = pcap_activate(handle);
if (status)
cprintf(CRITICAL, "pcap_activate status %d\n", status);
}
#else
handle = pcap_open_live(capture_source, BUFSIZ, 1, 0, errbuf);
#endif
if(!handle)
{
handle = pcap_open_offline(capture_source, errbuf);
}
return handle;
}
int main(int argc,char **argv) {
pcap_t *pcap;
char pcapErr[PCAP_ERRBUF_SIZE], line[80] ;
char* title;
int datalink;
char timeDuration[MAX_BUF_SIZE];
char file_name[MAX_BUF_SIZE];
if (argc != 2) {
printf("Usage: ./wiretap file.pcap\n");
printf(" ./wiretap file.pcap > output.txt\n");
exit(1);
}
strcpy(file_name, argv[1]);
pcap = pcap_open_offline(file_name, pcapErr);
if (pcap == NULL) {
fprintf(stderr, "pcap_open_offline failed: %s\n", pcapErr);
exit(EXIT_FAILURE);
}
datalink = pcap_datalink(pcap);
if(datalink != Ethernet) {
printf("not Ethernet!\n");
exit(EXIT_FAILURE);
}
pcap_loop(pcap,-1,my_callback,NULL);
getTimeDiff(timeDuration);
print_summary(timebuffer, start_time, timeDuration);
printf("=== Link layer ===\n\n");
print("Source ethernet addresses", eth_src_addr, packets);
free_nodes(eth_src_addr);
print("Destination ethernet addresses", eth_dest_addr, packets);
free_nodes(eth_dest_addr);
printf("=== Network Layer ===\n\n");
print("Network layer protocols", net_layer, packets);
free_nodes(net_layer);
print("Source IP addresses", IP_src_addr, ip_packets);
free_nodes(IP_src_addr);
print("Destination IP addresses", IP_dest_addr, ip_packets);
free_nodes(IP_dest_addr);
print("TTLs",TTL_list, ip_packets);
free_nodes(TTL_list);
print_arp(arp_participants);
free_arp_nodes(arp_participants);
printf("=== Transport Layer ===\n\n");
print("Transport Layer protocols", transLayer, ip_packets);
free_nodes(transLayer);
printf("=== Transport Layer: TCP ===\n\n");
print("Source TCP ports", TCP_src_ports, TCP_packets);
free_nodes(TCP_src_ports);
print("Destination TCP ports", TCP_dest_ports, TCP_packets);
free_nodes(TCP_dest_ports);
print("TCP flags", TCP_flags, TCP_packets);
free_nodes(TCP_flags);
print("TCP options", TCP_options, TCP_packets);
free_nodes(TCP_options);
printf("=== Transport Layer: UDP ===\n\n");
print("Source UDP ports", UDP_src_ports, UDP_packets);
free_nodes(UDP_src_ports);
print("Destination UDP ports", UDP_dest_ports, UDP_packets);
free_nodes(UDP_dest_ports);
printf("=== Transport Layer: ICMP ===\n\n");
print("Source IPs for ICMP", ICMP_src_IP, ICMP_packets);
free_nodes(ICMP_src_IP);
print("Destination IPs for ICMP", ICMP_dest_IP, ICMP_packets);
free_nodes(ICMP_dest_IP);
print("ICMP types", ICMP_TYPE, ICMP_packets);
free_nodes(ICMP_TYPE);
print("ICMP codes", ICMP_CODE, ICMP_packets);
free_nodes(ICMP_CODE);
print("ICMP responses", ICMP_RESPONSE, ICMP_packets);
free_nodes(ICMP_RESPONSE);
pcap_close(pcap);
}
//-------------------------------------------------------------------
int main(int argc, char **argv)
{
unsigned int pkt_counter=0; // packet counter
unsigned long byte_counter=0; //total bytes seen in entire trace
unsigned long cur_counter=0; //counter for current 1-second interval
unsigned long max_volume = 0; //max value of bytes in one-second interval
unsigned long current_ts=0; //current timestamp
//temporary packet buffers
struct pcap_pkthdr header; // The header that pcap gives us
const u_char *packet; // The actual packet
//check command line arguments
if (argc < 2) {
fprintf(stderr, "Usage: %s [input pcaps]\n", argv[0]);
exit(1);
}
//-------- Begin Main Packet Processing Loop -------------------
//loop through each pcap file in command line args
for (int fnum=1; fnum < argc; fnum++) {
//-----------------
//open the pcap file
pcap_t *handle;
char errbuf[PCAP_ERRBUF_SIZE]; //not sure what to do with this, oh well
handle = pcap_open_offline(argv[fnum], errbuf); //call pcap library function
if (handle == NULL) {
fprintf(stderr,"Couldn't open pcap file %s: %s\n", argv[fnum], errbuf);
return(2);
}
//-----------------
//begin processing the packets in this particular file, one at a time
while (packet = pcap_next(handle,&header)) {
// header contains information about the packet (e.g. timestamp)
u_char *pkt_ptr = (u_char *)packet; //cast a pointer to the packet data
//parse the first (ethernet) header, grabbing the type field
int ether_type = ((int)(pkt_ptr[12]) << 8) | (int)pkt_ptr[13];
int ether_offset = 0;
if (ether_type == ETHER_TYPE_IP) //most common
ether_offset = 14;
else if (ether_type == ETHER_TYPE_8021Q) //my traces have this
ether_offset = 18;
else
fprintf(stderr, "Unknown ethernet type, %04X, skipping...\n", ether_type);
//parse the IP header
pkt_ptr += ether_offset; //skip past the Ethernet II header
struct ip *ip_hdr = (struct ip *)pkt_ptr; //point to an IP header structure
int packet_length = ntohs(ip_hdr->ip_len);
//check to see if the next second has started, for statistics purposes
if (current_ts == 0) { //this takes care of the very first packet seen
current_ts = header.ts.tv_sec;
} else if (header.ts.tv_sec > current_ts) {
printf("%d KBps\n", cur_counter/1000); //print
cur_counter = 0; //reset counters
current_ts = header.ts.tv_sec; //update time interval
}
cur_counter += packet_length;
byte_counter += packet_length; //byte counter update
pkt_counter++; //increment number of packets seen
} //end internal loop for reading packets (all in one file)
pcap_close(handle); //close the pcap file
} //end for loop through each command line argument
//---------- Done with Main Packet Processing Loop --------------
//output some statistics about the whole trace
byte_counter /= 1e6; //convert to MB to make easier to read
printf("Processed %d packets and %u MBytes, in %d files\n", pkt_counter, byte_counter, argc-1);
return 0; //done
} //end of main() function
Test::TestResult ConnectionFilterTestSuite::execTest()
{
std::cout << "running tests on ConnectionFilter" << std::endl;
msg_init();
msg_setlevel(100);
captureDevice = pcap_open_offline("data/connectionfiltertest.pcap", errorBuffer);
if (!captureDevice) {
ERROR(errorBuffer);
}
Packet* p;
ConnectionFilter connFilter(5, 100, 10, 1000);
// first packet is a udp packet
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false);
// process six packets that come from a connection that did not have any syn packet
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false);
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false);
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false);
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false);
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false);
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false);
// process a valid short 5 packets connection
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false); // SYN
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false); // SYN
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == true);
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false); // FIN
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false); // RST
// process a valid connection
// ignore the first syn packet
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false); // SYN
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false); // SYN
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == true);
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == true);
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == true);
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false); // passed export limit
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false);
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false); // FIN
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false); // FIN
p = getNextPacket(captureDevice);
REQUIRE(connFilter.processPacket(p) == false); // ACK
pcap_close(captureDevice);
std::cout << "All tests on ConnectionFilter passed" << std::endl;
return PASSED;
}
//http://articles.sysprogs.org/kdvmware/kdcom.shtml
//http://j00ru.vexillium.org/?p=405
//http://visi.kenshoto.com/static/apidocs/vstruct.defs.kdcom-module.html
//https://code.google.com/p/reactos-mirror/source/browse/trunk/reactos/include/reactos/windbgkd.h
int main(int argc, char* argv[]){
//printKD_PACKET((KD_PACKET_HEADER*)(unciphered_go+8));
//exit(0);
//TODO: move this !
initCallBack();
int i;
#if DEBUG
printf("controlKey :\n");
for(i=0; i<32; i++){
printf("%02x ", controlKey[i]);
}
printf("\n");
#endif
//Expand controlKey
aes_key_setup(controlKey, controlW, 256);
#if DEBUG
printf("hmacKey :\n");
for(i=0; i<32; i++){
printf("%02x ", hmacKey[i]);
}
printf("\n");
#endif
//Generate hmacKey from controlKey
for(i=0; i<32; i++){
hmacKey[i] = controlKey[i]^0xFF;
}
if(argc == 2){
kd_server();
}
//
//
//All my tests !
//---------------------
printf("\nPoke :\n");
//KDNET_PACKET_HEADER* poke_pkt = (KDNET_PACKET_HEADER*)poke;
//printKDNET_PACKET(poke_pkt);
BYTE* tmp = cbc_decrypt(poke+6, 0x160, controlW, poke+sizeof(poke)-16);
uint8_t arf[2096];
memset(arf, 0, 2096);
for(i=0; i<6; i++){
arf[i] = poke[i];
};
for(i=0; i<0x160-16; i++){
arf[i+6] = tmp[i];
}
printf("\n\n");
for(i=0; i<0x166; i++){
printf("%02x ", arf[i]);
if(i%16 == 15){
printf("\n");
}
}
printf("\n");
BYTE tmpSHA[32];
hmacSHA256Context myHmacSHA256Context;
hmacSHA256Init(&myHmacSHA256Context, hmacKey, 32);
hmacSHA256Update(&myHmacSHA256Context, arf, 0x166);
hmacSHA256Final(&myHmacSHA256Context, tmpSHA);
printf("\nChecksum:\n");
for(i=0; i<16; i++){
printf("%02x ", tmpSHA[i]);
}
printf("\n\n");
printf("\nPoke response :\n");
BYTE* unciphered_poke_resp = cbc_decrypt(poke_resp+6, sizeof(poke_resp)-6-16, controlW, poke_resp+sizeof(poke_resp)-16);
BYTE dataKey[32];
SHA256Context mySHA256Context;
SHA256Init(&mySHA256Context);
SHA256Update(&mySHA256Context, controlKey, 32);
SHA256Update(&mySHA256Context, unciphered_poke_resp+8, 322);
SHA256Final(&mySHA256Context, dataKey);
aes_key_setup(dataKey, dataW, 256);
printf("\ndataKey :\n");
for(i=0; i<32; i++){
printf("%02x ", dataKey[i]);
}
printf("\n");
pcap_t *handle;
char errbuf[PCAP_ERRBUF_SIZE]; //not sure what to do with this, oh well
handle = pcap_open_offline("/home/arfarf/git/samples/debug_trace.pcap", errbuf); //call pcap library function
const u_char *packet; // The actual packet
struct pcap_pkthdr header; // The header that pcap gives us
int pkt_num = 1;
while ((packet = pcap_next(handle,&header))) {
u_char *debug_pkt = (u_char *)packet+42; //cast a pointer to the packet data
int debug_pkt_len = header.caplen-42;
if(debug_pkt[5] == 0){//Only Data Packet
BYTE *unciphered_debug_pkt = cbc_decrypt(debug_pkt+6, debug_pkt_len-6-16, dataW, debug_pkt+debug_pkt_len-16);
KD_PACKET_HEADER* tmp = (KD_PACKET_HEADER*)(unciphered_debug_pkt+8);
//if(tmp->ApiNumber == DbgKdContinueApi2){
if(pkt_num == 680 || pkt_num == 681){
printf("%d.\n", pkt_num);
printHexData(unciphered_debug_pkt, debug_pkt_len-6-16);
printKD_PACKET(tmp);
printf("\n");
}
}
pkt_num++;
}
exit(0);
printf("\nConnection Check :\n");
cbc_decrypt(conncheck+6, sizeof(conncheck)-6-16, dataW, conncheck+sizeof(conncheck)-16);
printf("\nConnection Check response:\n");
cbc_decrypt(conncheck_resp+6, sizeof(conncheck_resp)-6-16, dataW, conncheck_resp+sizeof(conncheck_resp)-16);
//...
printf("\nPOKE (repeat):\n");
cbc_decrypt(poke_repeat+6, 0x160, controlW, poke_repeat+sizeof(poke_repeat)-16);
//...
printf("\n[!] Break :\n");
BYTE *unciphered_break = cbc_decrypt(break_data+6, sizeof(break_data)-6-16, dataW, break_data+sizeof(break_data)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_break+8));
printf("\n[!] Wait State :\n");
BYTE *unciphered_wait_state = cbc_decrypt(wait_state+6, sizeof(wait_state)-6-16, dataW, wait_state+sizeof(wait_state)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_wait_state+8));
printf("\n[!] Reset:\n");
BYTE *unciphered_reset = cbc_decrypt(reset+6, sizeof(reset)-6-16, dataW, reset+sizeof(reset)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_reset+8));
printf("\n[!] Reset ACK:\n");
BYTE *unciphered_reset_ack = cbc_decrypt(reset_ack+6, sizeof(reset_ack)-6-16, dataW, reset_ack+sizeof(reset_ack)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_reset_ack+8));
printf("\n[!] Wait State 2:\n");
BYTE *unciphered_wait_state2 = cbc_decrypt(wait_state2+6, sizeof(wait_state2)-6-16, dataW, wait_state2+sizeof(wait_state2)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_wait_state2+8));
printf("\n[!] Get Version API REQ :\n");
BYTE *unciphered_get_version_api_req = cbc_decrypt(get_version_api_req+6, sizeof(get_version_api_req)-6-16, dataW, get_version_api_req+sizeof(get_version_api_req)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_get_version_api_req+8));
printf("\n[!] Get Version API RESP :\n");
BYTE *unciphered_get_version_api_resp = cbc_decrypt(get_version_api_resp+6, sizeof(get_version_api_resp)-6-16, dataW, get_version_api_resp+sizeof(get_version_api_resp)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_get_version_api_resp+8));
exit(0);
printf("\n[!] Read Virtual Memory API REQ\n");
BYTE *unciphered_read_virtual_memory_api_req = cbc_decrypt(read_virtual_memory_api_req+6, sizeof(read_virtual_memory_api_req)-6-16, dataW, read_virtual_memory_api_req+sizeof(read_virtual_memory_api_req)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_read_virtual_memory_api_req+8));
printf("\n[!] Read Virtual Memory API REQ ACK\n");
BYTE *unciphered_read_virtual_memory_api_req_ack = cbc_decrypt(read_virtual_memory_api_req_ack+6, sizeof(read_virtual_memory_api_req_ack)-6-16, dataW, read_virtual_memory_api_req_ack+sizeof(read_virtual_memory_api_req_ack)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_read_virtual_memory_api_req_ack+8));
printf("\n[!] Read Virtual Memory API RESP\n");
BYTE *unciphered_read_virtual_memory_api_resp = cbc_decrypt(read_virtual_memory_api_resp+6, sizeof(read_virtual_memory_api_resp)-6-16, dataW, read_virtual_memory_api_resp+sizeof(read_virtual_memory_api_resp)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_read_virtual_memory_api_resp+8));
uint32_t tmp_checksum = checksumKD_PACKET((KD_PACKET_HEADER*)(unciphered_read_virtual_memory_api_resp+8), sizeof(read_virtual_memory_api_resp)-6-16);
printf("Checksum test : 00001ce3 %08x\n", tmp_checksum);
printf("\n[!] Read Virtual Memory API RESP ACK\n");
BYTE *unciphered_read_virtual_memory_api_resp_ack = cbc_decrypt(read_virtual_memory_api_resp_ack+6, sizeof(read_virtual_memory_api_resp_ack)-6-16, dataW, read_virtual_memory_api_resp_ack+sizeof(read_virtual_memory_api_resp_ack)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_read_virtual_memory_api_resp_ack+8));
printf("\n[!] Next\n");
BYTE *unciphered_next = cbc_decrypt(next+6, sizeof(next)-6-16, dataW, next+sizeof(next)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_next+8));
exit(0);
printf("Get Register RESP\n");
BYTE* unciphered_get_register_resp = cbc_decrypt(get_register_resp+6, sizeof(get_register_resp)-6-16, dataW, get_register_resp+sizeof(get_register_resp)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_get_register_resp+8));
//unciphered_break_ack = cbc_decrypt(cmd_data+6, sizeof(cmd_data)-6-16, dataW, cmd_data+sizeof(cmd_data)-16);
//printKD_PACKET((KD_PACKET_HEADER*)(unciphered_break_ack+8));
return 0;
}
int setup_firewall(firewall_t* fwall, char* in, char* out, char* errbuf) {
FILE *settings;
settings = fopen("settings.config", "r");
if (settings == NULL) {
return 0;
}
int read = 0;
char buff[1024];
while (fgets(buff, 1024, settings) != NULL) {
int str_tam = strlen(buff);
if (read == 0) {
str_to_mac(buff, fwall->virtual_mac);
} else if (read == 1) {
str_to_mac(buff, fwall->firewall_mac);
} else if (read == 2) {
str_to_mac(buff, fwall->switch_mac);
} else if (read == 3) {
str_to_mac(buff, fwall->router_mac);
} else if (read == 4) {
fwall->virtual_ip_str = (char*) malloc(str_tam+1);
memcpy(fwall->virtual_ip_str, buff, str_tam);
fwall->virtual_ip_str[str_tam] = 0;
str_to_ip(fwall->virtual_ip_str, fwall->virtual_ip_bin);
} else if (read == 5) {
fwall->firewall_ip_str = (char*) malloc(str_tam+1);
memcpy(fwall->firewall_ip_str, buff, str_tam);
fwall->firewall_ip_str[str_tam] = 0;
str_to_ip(fwall->firewall_ip_str, fwall->firewall_ip_bin);
} else if (read == 6) {
fwall->switch_ip_str = (char*) malloc(str_tam+1);
memcpy(fwall->switch_ip_str, buff, str_tam);
fwall->switch_ip_str[str_tam] = 0;
str_to_ip(fwall->switch_ip_str, fwall->switch_ip_bin);
}
read++;
if (read == MAX_INPUT_LINES)
break;
}
if (read != MAX_INPUT_LINES) {
fclose(settings);
return 0;
}
int sz = strlen(in);
fwall->dev_name_in = (char*) malloc(sz);
memcpy(fwall->dev_name_in, in, sz);
sz = strlen(out);
fwall->dev_name_out = (char*) malloc(sz);
memcpy(fwall->dev_name_out, out, sz);
fwall->pcap_in_timeout = IN_TIMEOUT;
fwall->pcap_out_timeout = OUT_TIMEOUT;
NEXT_TCP_PORT = HIGH_PORT;
NEXT_UDP_PORT = HIGH_PORT;
ONLINE = 1;
int i;
for (i=0;i<strlen(fwall->dev_name_in);i++)
if (fwall->dev_name_in[i] == '.') ONLINE = 0;
if (ONLINE) {
if (device_not_found(in, errbuf)) {
printf("Device %s not found!\n",in);
return 0;
}
if (device_not_found(out, errbuf)) {
printf("Device %s not found!\n",out);
return 0;
}
fwall->pcap_in = pcap_open_live(fwall->dev_name_in, BUFSIZ, 0, fwall->pcap_in_timeout, errbuf);
if (fwall->pcap_in == NULL) {
printf("Error pcap in: %s\n", errbuf);
return 0;
}
if (pcap_datalink(fwall->pcap_in) != 1) {
printf("Not ethernet data-link pcap in!\n");
return 0;
}
fwall->pcap_out = pcap_open_live(fwall->dev_name_out, BUFSIZ, 0, fwall->pcap_out_timeout, errbuf);
if (fwall->pcap_out == NULL) {
printf("Error pcap out: %s\n", errbuf);
return 0;
}
if (pcap_datalink(fwall->pcap_out) != 1) {
printf("Not ethernet data-link pcap out!\n");
return 0;
}
} else {
fwall->pcap_in = pcap_open_offline(fwall->dev_name_in, errbuf);
if (fwall->pcap_in == NULL) {
printf("Error pcap in: %s\n", errbuf);
return 0;
}
if (pcap_datalink(fwall->pcap_in) != 1) {
printf("Not ethernet data-link pcap in!\n");
return 0;
}
fwall->pcap_out = pcap_open_offline(fwall->dev_name_out, errbuf);
if (fwall->pcap_out == NULL) {
printf("Error pcap out: %s\n", errbuf);
return 0;
}
if (pcap_datalink(fwall->pcap_out) != 1) {
printf("Not ethernet data-link pcap out!\n");
return 0;
}
}
fclose(settings);
return 1;
}