void process_ip(const u_char* packet, const struct ether_header *ethernet, const struct sniff_ip *ip, const char *payload, u_int size_ip){
ip = (struct sniff_ip*)(packet + ETHERNET_SIZE);
size_ip = IP_HL(ip)*4;
ip_packets++;
char buffer[MAX_BUF_SIZE];
sprintf(buffer, "%s", inet_ntoa(ip->ip_src));
IP_src_addr = insert(IP_src_addr, buffer);
sprintf(buffer, "%s", inet_ntoa(ip->ip_dst));
IP_dest_addr = insert(IP_dest_addr, buffer);
sprintf(buffer, "%d", ip->ip_ttl);
TTL_list = insert(TTL_list, buffer);
if(ntohs (ethernet->ether_type) == ETHERTYPE_IP){
if(ip->ip_p==IPPROTO_TCP){
strcpy(buffer, "TCP");
transLayer = insert(transLayer, buffer);
process_tcp(packet, size_ip);
} else if(ip->ip_p == IPPROTO_UDP){
strcpy(buffer, "UDP");
transLayer = insert(transLayer, buffer);
process_udp(packet, size_ip);
} else if(ip->ip_p == IPPROTO_ICMP){
strcpy(buffer, "ICMP");
transLayer = insert(transLayer, buffer);
process_icmp(packet, size_ip, ip);
} else{
sprintf(buffer, "0x%02x", ip->ip_p);
transLayer = insert(transLayer, buffer);
}
}
}
genErr_t process_l4(void *jobj_ref)
{
debug ("In function %s", __FUNCTION__);
struct json_object *jobj = (struct json_object *)jobj_ref;
void *tjobj = NULL;
tjobj=get_val_from_key(jobj, "udp", lObj);
if(tjobj)
{
process_udp(tjobj);
free_json_obj(tjobj);
}
else
{
debug ("%s", "udp not available");
}
tjobj=get_val_from_key(jobj, "tcp", lObj);
if(tjobj)
{
process_tcp(tjobj);
free_json_obj(tjobj);
}
else
{
debug ("%s", "tcp not available");
}
return (SUCCESS);
}
void tcpdemux::process_ip6(const struct timeval &ts,const u_char *data, const uint32_t caplen, const int32_t vlan)
{
const struct private_ip6_hdr *ip_header = (struct private_ip6_hdr *) data;
u_int16_t ip_payload_len;
/* make sure that the packet is at least as long as the IPv6 header */
if (caplen < sizeof(struct private_ip6_hdr)) {
DEBUG(6) ("received truncated IPv6 datagram!");
return;
}
/* for now we're only looking for TCP; throw away everything else */
if (ip_header->ip6_nxt != IPPROTO_TCP) {
DEBUG(50) ("got non-TCP frame -- IP proto %d", ip_header->ip6_nxt);
return;
}
ip_payload_len = ntohs(ip_header->ip6_plen);
/* make sure there's some data */
if (ip_payload_len == 0) {
DEBUG(6) ("received truncated IP datagram!");
return;
}
/* do TCP processing */
process_tcp(ts,
data + sizeof(struct private_ip6_hdr),
ip_payload_len,
ipaddr(ip_header->ip6_src.s6_addr),
ipaddr(ip_header->ip6_dst.s6_addr),
vlan,AF_INET6);
}
static int queue_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
struct nfqnl_msg_packet_hdr *ph;
struct skb_buf skb;
//get unique ID of packet in queue
ph = nfq_get_msg_packet_hdr(nfa);
if(!ph)
{
return -1;
}
skb.packet_id= ntohl(ph->packet_id);
//get payload
skb.pload_len = nfq_get_payload(nfa, &(skb.pload));
if(skb.pload_len <=0)
{
nfq_set_verdict(qh, skb.packet_id, NF_ACCEPT, skb.pload_len, skb.pload);
return -1;
}
skb.pload[skb.pload_len]='\0';
process_tcp(&skb ,tcp_stream_handle);
return 0;
}
int tcpdemux::process_ip4(const be13::packet_info &pi)
{
/* make sure that the packet is at least as long as the min IP header */
if (pi.ip_datalen < sizeof(struct be13::ip4)) {
DEBUG(6) ("received truncated IP datagram!");
return -1; // couldn't process
}
const struct be13::ip4 *ip_header = (struct be13::ip4 *) pi.ip_data;
DEBUG(100)("process_ip4. caplen=%d vlan=%d ip_p=%d",(int)pi.pcap_hdr->caplen,(int)pi.vlan(),(int)ip_header->ip_p);
if(debug>200){
sbuf_t sbuf(pos0_t(),(const uint8_t *)pi.ip_data,pi.ip_datalen,pi.ip_datalen,false);
sbuf.hex_dump(std::cerr);
}
/* for now we're only looking for TCP; throw away everything else */
if (ip_header->ip_p != IPPROTO_TCP) {
DEBUG(50) ("got non-TCP frame -- IP proto %d", ip_header->ip_p);
return -1; // couldn't process
}
/* check and see if we got everything. NOTE: we must use
* ip_total_len after this, because we may have captured bytes
* beyond the end of the packet (e.g. ethernet padding).
*/
size_t ip_len = ntohs(ip_header->ip_len);
if (pi.ip_datalen < ip_len) {
DEBUG(6) ("warning: captured only %ld bytes of %ld-byte IP datagram",
(long) pi.ip_datalen, (long) ip_len);
}
/* XXX - throw away everything but fragment 0; this version doesn't
* know how to do fragment reassembly.
*/
if (ntohs(ip_header->ip_off) & 0x1fff) {
DEBUG(2) ("warning: throwing away IP fragment from X to X");
return -1;
}
/* figure out where the IP header ends */
size_t ip_header_len = ip_header->ip_hl * 4;
/* make sure there's some data */
if (ip_header_len > ip_len) {
DEBUG(6) ("received truncated IP datagram!");
return -1;
}
/* do TCP processing, faking an ipv6 address */
uint16_t ip_payload_len = ip_len - ip_header_len;
ipaddr src(ip_header->ip_src.addr);
ipaddr dst(ip_header->ip_dst.addr);
return process_tcp(src, dst, AF_INET,
pi.ip_data + ip_header_len, ip_payload_len,
pi);
}
void tcpdemux::process_ip4(const struct timeval &ts,const u_char *data, uint32_t caplen,int32_t vlan)
{
const struct ip *ip_header = (struct ip *) data;
u_int ip_header_len;
u_int ip_total_len;
/* make sure that the packet is at least as long as the min IP header */
if (caplen < sizeof(struct ip)) {
DEBUG(6) ("received truncated IP datagram!");
return;
}
DEBUG(100)("process_ip4. caplen=%d vlan=%d ip_p=%d",(int)caplen,(int)vlan,(int)ip_header->ip_p);
/* for now we're only looking for TCP; throw away everything else */
if (ip_header->ip_p != IPPROTO_TCP) {
DEBUG(50) ("got non-TCP frame -- IP proto %d", ip_header->ip_p);
return;
}
/* check and see if we got everything. NOTE: we must use
* ip_total_len after this, because we may have captured bytes
* beyond the end of the packet (e.g. ethernet padding).
*/
ip_total_len = ntohs(ip_header->ip_len);
if (caplen < ip_total_len) {
DEBUG(6) ("warning: captured only %ld bytes of %ld-byte IP datagram",
(long) caplen, (long) ip_total_len);
}
/* XXX - throw away everything but fragment 0; this version doesn't
* know how to do fragment reassembly.
*/
if (ntohs(ip_header->ip_off) & 0x1fff) {
DEBUG(2) ("warning: throwing away IP fragment from X to X");
return;
}
/* figure out where the IP header ends */
ip_header_len = ip_header->ip_hl * 4;
/* make sure there's some data */
if (ip_header_len > ip_total_len) {
DEBUG(6) ("received truncated IP datagram!");
return;
}
/* do TCP processing, faking an ipv6 address */
process_tcp(ts,data + ip_header_len, ip_total_len - ip_header_len,
ipaddr(ip_header->ip_src.s_addr),
ipaddr(ip_header->ip_dst.s_addr),
vlan,AF_INET);
}
static void gen_ip_proc(u_char * data, int skblen, struct timeval* ts)
{
switch (((struct ip *) data)->ip_p) {
case IPPROTO_TCP:
process_tcp(data, skblen, ts);
break;
case IPPROTO_UDP:
process_udp(data, ts);
break;
case IPPROTO_ICMP:
if (nids_params.n_tcp_streams)
process_icmp(data, ts);
break;
default:
break;
}
}
static void gen_ip_proc(u_char * data, int skblen,int id)
{
switch (((struct ip *) data)->ip_p) {
case IPPROTO_TCP:
process_tcp(data, skblen,id);
break;
case IPPROTO_UDP:
process_udp((char *)data,id);
break;
case IPPROTO_ICMP:
if (nids_params.n_tcp_streams)
process_icmp(data,id);
break;
default:
//printf("other!\n");
break;
}
}
static void gen_ip_proc(u_char * data, int skblen)
{
switch (((struct ip *) data)->ip_p) {
case IPPROTO_TCP:
pthread_mutex_lock(&tcp_lost_mutex);
process_tcp(data, skblen);
pthread_mutex_unlock(&tcp_lost_mutex);
break;
case IPPROTO_UDP:
process_udp( (char*)data );
break;
case IPPROTO_ICMP:
if (nids_params.n_tcp_streams)
process_icmp(data);
break;
default:
break;
}
}
void
process_ip(void)
{
cur_pkt->ip_hdr = (ip_hdr_t *) (cur_pkt->buf + sizeof(eth_hdr_t));
cur_sock->src_ip = cur_pkt->ip_hdr->src_addr;
if (unlikely(cur_pkt->ip_hdr->version != 4)) {
log_debug1("this is not the packet you are looking for");
return;
}
if (unlikely(! is_this_card_ip((struct in_addr *) &cur_pkt->ip_hdr->dst_addr))) {
log_debug1("this is not the packet you are looking for");
return;
}
switch(cur_pkt->ip_hdr->proto) {
case IP_PROTO_TCP:
process_tcp(); break;
case IP_PROTO_ICMP:
process_icmp(); break;
}
}
int tcpdemux::process_ip6(const be13::packet_info &pi)
{
/* make sure that the packet is at least as long as the IPv6 header */
if (pi.ip_datalen < sizeof(struct be13::ip6_hdr)) {
DEBUG(6) ("received truncated IPv6 datagram!");
return -1;
}
const struct be13::ip6_hdr *ip_header = (struct be13::ip6_hdr *) pi.ip_data;
/* for now we're only looking for TCP; throw away everything else */
if (ip_header->ip6_ctlun.ip6_un1.ip6_un1_nxt != IPPROTO_TCP) {
DEBUG(50) ("got non-TCP frame -- IP proto %d", ip_header->ip6_ctlun.ip6_un1.ip6_un1_nxt);
return -1;
}
/* do TCP processing */
uint16_t ip_payload_len = ntohs(ip_header->ip6_ctlun.ip6_un1.ip6_un1_plen);
ipaddr src(ip_header->ip6_src.addr.addr8);
ipaddr dst(ip_header->ip6_dst.addr.addr8);
return process_tcp(src, dst ,AF_INET6,
pi.ip_data + sizeof(struct be13::ip6_hdr),ip_payload_len,pi);
}
void process_ip(char *ip_pkt)
{
struct in_addr s_in;
struct in_addr d_in;
pkt->ip_head = (struct iphdr *)ip_pkt;
s_in.s_addr = pkt->ip_head->saddr;
d_in.s_addr = pkt->ip_head->daddr;
printf("Packet source IP is: %s\n", inet_ntoa(s_in));
printf("Packet destination IP is: %s\n", inet_ntoa(d_in));
printf("Packet ip next layer is: %04x\n", pkt->ip_head->protocol);
tmp_pkt += sizeof(struct iphdr);
length -= sizeof(struct iphdr);
switch(pkt->ip_head->protocol){
case 0x0006:
process_tcp(tmp_pkt);
break;
default:
break;
}
}
void
process_packet(unsigned char *ignore, const struct pcap_pkthdr *header, const unsigned char *packet) {
// static int packet_count = 1;
struct flow_record *record;
unsigned char proto = 0;
/* declare pointers to packet headers */
const struct ip_hdr *ip;
unsigned int transport_len;
unsigned int ip_hdr_len;
const void *transport_start;
struct flow_key key;
flocap_stats_incr_num_packets();
if (output_level > none) {
fprintf(output, "\npacket number %lu:\n", flocap_stats_get_num_packets());
}
// packet_count++;
// ethernet = (struct ethernet_hdr*)(packet);
/* define/compute ip header offset */
ip = (struct ip_hdr*)(packet + ETHERNET_HDR_LEN);
ip_hdr_len = ip_hdr_length(ip);
if (ip_hdr_len < 20) {
if (output_level > none) {
fprintf(output, " * Invalid IP header length: %u bytes\n", ip_hdr_len);
}
return;
}
if (ntohs(ip->ip_len) < sizeof(struct ip_hdr) || ntohs(ip->ip_len) > header->caplen) {
/*
* IP packet is malformed (shorter than a complete IP header, or
* claims to be longer than it is), or not entirely captured by
* libpcap (which will depend on MTU and SNAPLEN; you can change
* the latter if need be).
*/
return ;
}
transport_len = ntohs(ip->ip_len) - ip_hdr_len;
/* print source and destination IP addresses */
if (output_level > none) {
fprintf(output, " from: %s\n", inet_ntoa(ip->ip_src));
fprintf(output, " to: %s\n", inet_ntoa(ip->ip_dst));
fprintf(output, " ip len: %u\n", ntohs(ip->ip_len));
fprintf(output, " ip hdr len: %u\n", ip_hdr_len);
}
if (ip_fragment_offset(ip) == 0) {
/* fill out IP-specific fields of flow key, plus proto selector */
key.sa = ip->ip_src;
key.da = ip->ip_dst;
proto = key.prot = ip->ip_prot;
} else {
// fprintf(info, "found IP fragment (offset: %02x)\n", ip_fragment_offset(ip));
/*
* select IP processing, since we don't have a TCP or UDP header
*/
key.sa = ip->ip_src;
key.da = ip->ip_dst;
proto = key.prot = IPPROTO_IP;
}
/* determine transport protocol and handle appropriately */
transport_start = (void *)ip + ip_hdr_len;
switch(proto) {
case IPPROTO_TCP:
record = process_tcp(header, transport_start, transport_len, &key);
break;
case IPPROTO_UDP:
record = process_udp(header, transport_start, transport_len, &key);
break;
case IPPROTO_ICMP:
record = process_icmp(header, transport_start, transport_len, &key);
break;
case IPPROTO_IP:
default:
record = process_ip(header, transport_start, transport_len, &key);
break;
}
/*
* if our packet is malformed TCP, UDP, or ICMP, then the process
* functions will return NULL; we deal with that case by treating it
* as just an IP packet
*/
if (record == NULL) {
#if 1
record = process_ip(header, transport_start, transport_len, &key);
if (record == NULL) {
fprintf(info, "warning: unable to process ip packet (improper length or otherwise malformed)\n");
return;
}
record->invalid++;
#else
/*
* if the processing of malformed packets causes trouble, choose
* this code path instead
*/
return;
#endif
}
/*
* set minimum ttl in flow record
*/
if (record->ttl > ip->ip_ttl) {
record->ttl = ip->ip_ttl;
}
/* increment packet count in flow record */
record->np++;
/* update flow record timestamps */
if (timerisset(&record->start)) {
record->end = header->ts;
} else {
record->start = record->end = header->ts;
}
/*
* copy initial data packet, if configured to report idp, and this
* is the first packet in the flow with nonzero data payload
*/
if ((report_idp) && record->op && (record->idp_len == 0)) {
record->idp_len = (ntohs(ip->ip_len) < report_idp ? ntohs(ip->ip_len) : report_idp);
record->idp = malloc(record->idp_len);
memcpy(record->idp, ip, record->idp_len);
if (output_level > none) {
fprintf(output, "stashed %u bytes of IDP\n", record->idp_len);
}
}
/* increment overall byte count */
flocap_stats_incr_num_bytes(transport_len);
return;
}
void process_hl_tcp (OS_FRAME *frame) {
/* Process tcp protocol frame */
process_tcp (frame);
}
