static void decode_packet(unsigned char *buf, int len) { struct ether_header *eh = (void *) buf; char src[18], dst[18]; uint16_t type; snprintf(dst, sizeof(dst), "%02x:%02x:%02x:%02x:%02x:%02x", eh->ether_dhost[0], eh->ether_dhost[1], eh->ether_dhost[2], eh->ether_dhost[3], eh->ether_dhost[4], eh->ether_dhost[5]); snprintf(src, sizeof(src), "%02x:%02x:%02x:%02x:%02x:%02x", eh->ether_shost[0], eh->ether_shost[1], eh->ether_shost[2], eh->ether_shost[3], eh->ether_shost[4], eh->ether_shost[5]); type = ntohs(eh->ether_type); printf("> type 0x%04x src %s dst %s <\n", type, src, dst); switch (type) { case ETHERTYPE_IP: decode_ip(buf + 14, len - 14); break; case ETHERTYPE_LOOPBACK: dump_packet(buf, len); break; } }
// 包处理回调函数,对于每个嗅探到的数据包 void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data) { ip_header *ih; u_int ip_len; // 返回IP首部的位置 ih = (ip_header *) (pkt_data + 14); //以太网的首部长度是14 // IP首部长度 ip_len = (ih->ver_ihl & 0xf) * 4; printf("%s ",check_protocol(ih->proto)); // 输出源地址IP和目的地址IP printf("%d.%d.%d.%d -> %d.%d.%d.%d ", ih->saddr.byte1, ih->saddr.byte2, ih->saddr.byte3, ih->saddr.byte4, ih->daddr.byte1, ih->daddr.byte2, ih->daddr.byte3, ih->daddr.byte4 ); decode_ip((char*)(pkt_data+14+ip_len),ih->proto); printf("\n"); }
static void m_nick( char *origin, char **argv, int argc, int srv ) { if( !srv ) { if( ircd_srv.protocol & PROTOCOL_NICKv2 ) { if( ircd_srv.protocol & PROTOCOL_NICKIP ) { char ip[25]; ircsnprintf( ip, 25, "%d", ntohl( decode_ip( argv[9] ) ) ); do_nick( argv[0], argv[1], argv[2], argv[3], argv[4], argv[5], ip, argv[6], argv[7], argv[8], argv[10], NULL, NULL ); } else { do_nick( argv[0], argv[1], argv[2], argv[3], argv[4], argv[5], NULL, argv[6], argv[7], argv[8], argv[9], NULL, NULL ); } } else { do_nick( argv[0], argv[1], argv[2], argv[3], argv[4], argv[5], NULL, argv[6], NULL, NULL, argv[9], NULL, NULL ); } } else { do_nickchange( origin, argv[0], NULL ); } }
static void decode_icmp(const uint8_t *packet, size_t pk_len, int pk_layer) { union { const struct myicmphdr *i; const uint8_t *d; } ic_u; /* ;] */ uint8_t type=0, code=0; uint16_t chksum=0; ic_u.d=packet; if (pk_len < 4) { ERR("short icmp header"); return; } type=ic_u.i->type; code=ic_u.i->code; chksum=ntohs(ic_u.i->checksum); if (ISDBG(M_PKT) || GET_SNIFF()) { INF("ICMP: type %u code %u chksum %04x%s", type, code, chksum, "[?]"); } if (type == 3 || type == 5 || type == 11) { /* * dest unreachable, the packet that generated this error should be after the icmpheader * redirect message, same as with unreachable * time exceeded, same as with above */ if (pk_len > sizeof(struct myicmphdr)) { /* there _could_ be data there, try to process it */ const uint8_t *newpacket=NULL; size_t newpk_len=0; newpacket=packet + sizeof(struct myicmphdr); newpk_len=pk_len - sizeof(struct myicmphdr); decode_ip(newpacket, newpk_len, (pk_layer + 1)); } } else if (type == 0 || type == 8) { /* pings ignore */ DBG(M_PKT, "Ignoring ping request or response"); } if (pk_layer == 2) { r_u.i.type=type; r_u.i.subtype=code; report_push(); } return; }
void caught_packet(u_char *user_args, const struct pcap_pkthdr *cap_header, const u_char *packet) { int tcp_header_length, total_header_size, pkt_data_len; u_char *pkt_data; int total_header_size2; //structs of the packet (different protocol headers) struct ether_header *ETHERheader; struct ip *IPheader; struct tcphdr *TCPheader; //copy of the packet char * packet_copy; packet_copy = malloc(cap_header->len); if (packet_copy <= 0 ) exit(-1); memcpy(packet_copy,packet,cap_header->len); printf("==== Got a %d byte packet ====\n", cap_header->len); decode_ethernet(packet,ETHERheader,packet_copy); decode_ip(packet+ETHER_HDR_LEN,IPheader,packet_copy+ETHER_HDR_LEN); tcp_header_length = decode_tcp(packet+ETHER_HDR_LEN+sizeof(struct ip_hdr),TCPheader, packet_copy+ETHER_HDR_LEN+sizeof(struct ip)); total_header_size = ETHER_HDR_LEN+sizeof(struct ip_hdr)+tcp_header_length; total_header_size2 = ETHER_HDR_LEN+sizeof(struct ip)+tcp_header_length; printf("total_header_size:%d \n total_header_size2:%d \n",total_header_size,total_header_size2); pkt_data = (u_char *)packet + total_header_size; // pkt_data points to the data portion pkt_data_len = cap_header->len - total_header_size; if(pkt_data_len > 0) { printf("\t\t\t%u bytes of packet data\n", pkt_data_len); //dump(pkt_data, pkt_data_len); dump(packet, cap_header->len); } else { printf("\t\t\tNo Packet Data\n"); dump(packet, cap_header->len); } printf("before ipspoof3\n"); //ipspoof3( inet_ntoa(IPheader->ip_src), inet_ntoa(IPheader->ip_dst), "0022433967e9",ETHERheader,IPheader,TCPheader,(u_char *)packet_copy + total_header_size, pkt_data_len); ipspoof4( "", "192.168.1.13", "701a04d83403", (char *)packet, cap_header->len); printf(" after ipspoof3 \n"); free(packet_copy); }
void parse_packet(uint8_t *notused, const struct pcap_pkthdr *phdr, const uint8_t *packet) { size_t pk_len=0; int pk_layer=0; extern pcap_dumper_t *pdump; if (packet == NULL || phdr == NULL) { ERR("%s is null", packet == NULL ? "packet" : "pcap header"); return; } /* when you forget to put this here, it makes for really dull pcap log files */ if (s->pcap_dumpfile) { pcap_dump((uint8_t *)pdump, phdr, packet); } pk_len=phdr->caplen; if (pk_len <= s->ss->header_len) { ERR("this packet is too short " STFMT ", header length is %u", pk_len, s->ss->header_len); return; } if (ISDBG(M_PKT) || GET_SNIFF()) { INF("got packet with length %u (cap %u) with header length at %u", phdr->len, phdr->caplen, s->ss->header_len); } pk_len -= s->ss->header_len; packet += s->ss->header_len; pk_layer++; switch (s->ss->mode) { case MODE_ARPSCAN: report_init(REPORT_TYPE_ARP, &phdr->ts); packet_init(packet, pk_len); decode_arp(packet, pk_len, pk_layer); /* the pcap filter should be arp only */ break; case MODE_TCPSCAN: case MODE_UDPSCAN: case MODE_ICMPSCAN: case MODE_IPSCAN: report_init(REPORT_TYPE_IP, &phdr->ts); packet_init(packet, pk_len); decode_ip(packet, pk_len, pk_layer); /* the pcap filter should be ip only */ break; } return; }
static void slice_icmp(const uint8_t *packet, size_t pk_len, packetlayers_t *plz, int pk_layer) { union { const struct myicmphdr *i; const uint8_t *d; } ic_u; /* ;] */ uint8_t type=0, code=0; uint16_t chksum=0; assert(plz != NULL); assert(packet != NULL); ic_u.d=packet; if (pk_len < 4) { return; } type=ic_u.i->type; code=ic_u.i->code; chksum=ntohs(ic_u.i->checksum); if (type == 3 || type == 5 || type == 11) { /* dest unreachable, the packet that generated this error should be after the icmpheader */ /* redirect message, same as with unreachable */ /* time exceeded, same as with above */ if (pk_len > sizeof(struct myicmphdr)) { /* there _could_ be data there, try to process it */ const uint8_t *newpacket=NULL; size_t newpk_len=0; newpacket=packet + sizeof(struct myicmphdr); newpk_len=pk_len - sizeof(struct myicmphdr); decode_ip(newpacket, newpk_len, (pk_layer + 1)); } } else if (type == 0 || type == 8) { /* pings ignore */ } if (pk_layer == 2) { r_u.i.type=type; r_u.i.subtype=code; report_push(); } return; }
static inline int bind_dlt_raw(int proto, const unsigned char *pkt, unsigned len, Packet *packet) { int ret = -1; switch (proto) { case DLT_RAW_IP4: ret = decode_ip(pkt, len, packet); break; case DLT_RAW_IP6: ret = decode_ip6(pkt, len, packet); break; } return ret; }
static int cmd_syslog(const char *args[]) { char b1[32], b2[32]; if (args[0] && !strcmp(args[0], "off")) { syslog_addr.daddr = 0; return 0; } if (!args[1]) { pp_printf("use: syslog <ipaddr> <macaddr> (or just \"off\"\n"); return -1; } decode_ip(args[0], (void *)&syslog_addr.daddr); decode_mac(args[1], syslog_mac); pp_printf("Syslog parameters: %s, %s\n", format_ip(b1, (void *)&syslog_addr.daddr), format_mac(b2, syslog_mac)); tics = 0; /* send the first frame immediately to the new host */ return 0; }
void caught_packet(u_char *user_args, const struct pcap_pkthdr *cap_header, const u_char *packet) { int tcp_header_length, total_header_size, pkt_data_len; u_char *pkt_data; printf("==== %d バイトのパケットを取得しました ====\n", cap_header->len); decode_ethernet(packet); decode_ip(packet+ETHER_HDR_LEN); tcp_header_length = decode_tcp(packet+ETHER_HDR_LEN+sizeof(struct ip_hdr)); total_header_size = ETHER_HDR_LEN+sizeof(struct ip_hdr)+tcp_header_length; pkt_data = (u_char *)packet + total_header_size; // pkt_dataはデータ部分を指す pkt_data_len = cap_header->len - total_header_size; if(pkt_data_len > 0) { printf("\t\t\t%u バイトのパケットデータ\n", pkt_data_len); dump(pkt_data, pkt_data_len); } else printf("\t\t\tパケットデータがありません\n"); }
/* main processing function */ void proc_packet(const u_char *data, u_int size) { struct ip_stat istat; u_int data_offs; u_int tcp_hdr_sz; u_int udp_hdr_sz; /* print captured bytes */ printf("\n\nBytes Captured = [ %d ]\n", size); /* print L2 information */ decode_ethernet(data); /* obtain IP protocol number for further decoding */ decode_ip(data + ETHER_HDR_LEN, &istat); switch(istat.ip_prot) { case 1: decode_icmp(data + ETHER_HDR_LEN + istat.ip_len); data_offs = ETHER_HDR_LEN + istat.ip_len; break; case 6: tcp_hdr_sz = decode_tcp(data + ETHER_HDR_LEN + istat.ip_len); data_offs = ETHER_HDR_LEN + istat.ip_len + tcp_hdr_sz; break; case 17: udp_hdr_sz = decode_udp(data + ETHER_HDR_LEN + istat.ip_len); data_offs = ETHER_HDR_LEN + istat.ip_len + udp_hdr_sz; break; default: break; } /* print raw encapsulated data */ praw(data + data_offs, size); }