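/*
 * Open a live capture and install a BPF filter on it.
 *
 * interface   device to capture on; NULL is logged as "all interfaces"
 * filterexpr  pcap filter expression, compiled with optimisation enabled
 * promisc     non-zero requests promiscuous mode
 *
 * On success the handle is stored in `pc` and `datalink_info` is refreshed
 * from it. Every failure is logged and handed to unexpected_exit(-1), so a
 * filter that fails to compile or install never leaves an unfiltered capture
 * running (assuming unexpected_exit() does not return -- TODO confirm).
 *
 * NOTE(review): the getuid() hint reflects that live capture usually needs
 * elevated privileges. Nothing in this function drops them afterwards;
 * confirm the caller does so before packet contents are parsed.
 */
void packetcapture_open_live(char* interface, char* filterexpr, int promisc)
{
    char ebuf[PCAP_ERRBUF_SIZE];
    struct bpf_program filter;
    int set_rc;

    /*
     * pcap_open_live() can succeed and still leave a warning in ebuf (for
     * example about promiscuous mode). Start with an empty buffer so that
     * such a warning can be told apart from stale stack contents.
     */
    ebuf[0] = '\0';

    /* 1000 is the read timeout in milliseconds. */
    pc = pcap_open_live(interface, SNAPLEN, promisc, 1000, ebuf);
    if (!pc) {
        log_msg(LOG_ERROR, "pcap_open_live: %s", ebuf);
        if (getuid() != 0)
            log_msg(LOG_ERROR, "perhaps you need to be root?");
        else if (!interface)
            log_msg(LOG_ERROR, "perhaps try selecting an interface with the -i option?");
        unexpected_exit (-1);
    } else if (ebuf[0] != '\0') {
        /* Opened, but libpcap had something to say: surface it to the operator. */
        log_msg(LOG_INFO, "pcap_open_live warning: %s", ebuf);
    }

    /* Only apply a filter to live packets. Is this right? */
    if (pcap_compile(pc, &filter, filterexpr, 1, 0) == -1) {
        log_msg(LOG_ERROR, "pcap_compile: %s", pcap_geterr(pc));
        unexpected_exit (-1);
    }

    /*
     * pcap_setfilter() installs its own copy of the program, so the compiled
     * form is released right away instead of being leaked on every call.
     */
    set_rc = pcap_setfilter(pc, &filter);
    pcap_freecode(&filter);
    if (set_rc == -1) {
        log_msg(LOG_ERROR, "pcap_setfilter: %s", pcap_geterr(pc));
        unexpected_exit (-1);
    }

    log_msg(LOG_INFO, "listening on %s%s",
            interface ? interface : "all interfaces",
            promisc ? " in promiscuous mode" : "");

    datalink_info = get_datalink_info(pc);
}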
/*
 * Open a capture savefile for reading.
 *
 * dumpfile  path handed to pcap_open_offline()
 *
 * On success the handle is stored in `pc` and `datalink_info` is refreshed
 * from it. On failure the libpcap error text is logged and
 * unexpected_exit(-1) is called.
 *
 * No filter is installed on this path; every record in the file is delivered.
 *
 * NOTE(review): a savefile may come from an untrusted source, so the code
 * that consumes these packets should bound every access by the captured
 * length -- confirm in the packet handlers.
 */
void packetcapture_open_offline(char* dumpfile)
{
    char ebuf[PCAP_ERRBUF_SIZE];

    pc = pcap_open_offline(dumpfile, ebuf);
    if (pc == NULL) {
        log_msg(LOG_ERROR, "pcap_open_offline: %s", ebuf);
        unexpected_exit (-1);
    }

    log_msg(LOG_INFO, "reading packets from %s", dumpfile);

    datalink_info = get_datalink_info(pc);
}
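/*
 * Program entry point.
 *
 * Loads the configuration and command-line options, optionally daemonises
 * (non-Windows only), opens a pcap handle, installs the fixed "ip and tcp"
 * filter and passes every packet to process_packet().
 *
 * WIN32 builds open the adapter selected by number. Other builds read the
 * savefile named by input_file; the live-capture call is commented out.
 * NOTE(review): those builds still require devname and run pcap_lookupnet()
 * on it although the packets come from a file -- confirm that is intended.
 *
 * Returns 0 once the packet source is exhausted and -1 on a read error or a
 * configuration/parameter failure; the remaining setup failures call exit().
 */
int main (int argc, char *argv[])
{
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *dh;
    struct bpf_program filter;
    char filter_app[] = "ip and tcp";
    bpf_u_int32 mask;
    bpf_u_int32 net;
    struct pcap_pkthdr *header;
    const u_char *packet;
    int rc;

    if (parse_config (argv[0]))
    {
        printf ("Failed to parse config file, leaving\n");
        return -1;
    }
    if (process_parms (argc,argv))
    {
        printf ("Bad parameters, leaving\n");
        return -1;
    }
    if (devname==NULL)
    {
#ifdef WIN32
        printf ("A device number is required. Run with -list to get a list.\n");
#else
        printf ("A device name (such as eth0) is required\n");
#endif
        exit (-1);
    }
    /* A daemon has no terminal, so it needs a debug log directory. */
    if (daemonize && debuglogdir[0]==0)
    {
        printf ("In daemon mode at least a debug log directory (-dd) must be used\n");
        exit (-1);
    }

#ifndef WIN32
    if (daemonize)
    {
        switch (go_daemon())
        {
            case -1:
                daemonize=0;
                log_debug (0, "Failed to become a daemon!");
                exit (-1);
            case 1:
                // We are the parent. Exit and let the child on its own
                exit (0);
            case 0:
                log_debug (3, "Successfully became a daemon.");
                break;
            default:
                daemonize=0;
                log_debug (0, "This is a bug!");
                exit (-1);
        }
    }
#endif

#ifdef WIN32
    /* On Windows devname holds a 1-based index into the adapter list. */
    pcap_if_t *alldevs;
    int inum = atoi (devname);

    if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1)
    {
        fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
        exit(1);
    }

    int devnum=0;
    pcap_if_t *d;
    for(d=alldevs; d; d=d->next)
    {
        devnum++;
        printf("%d. %s", devnum, d->name);
        if (d->description)
            printf(" (%s)\n", d->description);
        else
            printf(" (No description available)\n");
    }

    if(devnum==0)
    {
        printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
        return -1;
    }

    /* The range check also rejects non-numeric input, for which atoi() yields 0. */
    if(inum < 1 || inum > devnum)
    {
        printf("\nInterface number out of range.\n");
        /* Free the device list */
        pcap_freealldevs(alldevs);
        return -1;
    }

    /* Jump to the selected adapter */
    for(d=alldevs, devnum=0; devnum< inum-1 ;d=d->next, devnum++) {;}
    strcpymalloc ( (u_char **) &devname, (u_char *) d->name);
#endif

    log_debug (3, "Getting address and mask for device %s...",devname);
    if (pcap_lookupnet(devname, &net, &mask, errbuf)==-1)
    {
        log_debug (0, "error [%s]",errbuf);
        exit (-1);
    }
    log_debug (3, "OK");

    log_debug (3, "Opening device...");
#ifdef WIN32
    /* At this point, we don't need any more the device list. Free it */
    dh = pcap_open (devname, 65535, promisc?PCAP_OPENFLAG_PROMISCUOUS:0, 1000, NULL, errbuf);
    pcap_freealldevs(alldevs);
#else
    // dh = pcap_open_live (devname, 65535, promisc, 1000, errbuf);
    dh = pcap_open_offline(input_file, errbuf);
#endif
    if (dh==NULL)
    {
        log_debug (0, "error [%s]",errbuf);
        exit (-1);
    }
    log_debug (3, "OK");

    if (data_offset == -1) /* User didn't force an offset, try to find out */
    {
        char *dln;
        log_debug (3, "Checking datalink type...");
        if (get_datalink_info (dh, &dln, &data_offset))
        {
            log_debug (0, "not supported. Please play with the -offset option (see docs)");
            exit (-1);
        }
        log_debug (3, "OK, %s, offset = %d", dln, data_offset);
    }
    else
    {
        /*
         * NOTE(review): a forced offset is taken on trust here; confirm that
         * process_packet() checks it against each packet's captured length.
         */
        log_debug (1, "Using an user defined offset [%d], for datalink type [%d], good luck!", data_offset, get_datalink_type(dh));
    }

    log_debug (3, "Compiling filter [%s]...",filter_app);
    /*
     * The last argument of pcap_compile() is the netmask, so pass `mask`
     * rather than the network number. Compile and set-filter errors are kept
     * on the handle; errbuf is not written by them and may never have been
     * initialised at this point, so read the text with pcap_geterr().
     */
    if (pcap_compile(dh, &filter, filter_app, 0, mask)==-1)
    {
        log_debug (0, "error [%s]",pcap_geterr(dh));
        exit (-1);
    }
    log_debug (3, "OK");

    log_debug (3, "Setting filter...");
    if (pcap_setfilter(dh, &filter)==-1)
    {
        log_debug (0, "error [%s]",pcap_geterr(dh));
        exit (-1);
    }
    /* The installed filter is a copy; release the compiled program. */
    pcap_freecode (&filter);
    log_debug (3, "OK");

    log_debug (3, "Entering capture loop...");
    /*
     * The mkdir() results are ignored. A directory that already exists keeps
     * its current owner and mode, so 0700 is only guaranteed for directories
     * created here. NOTE(review): reconstructed conversations are presumably
     * written below chatlogdir -- consider verifying ownership and mode.
     */
    if (chatlogdir[0]!=0)
#ifdef WIN32
        mkdir (chatlogdir);
#else
        mkdir (chatlogdir,0700);
#endif
    if (debuglogdir[0]!=0)
#ifdef WIN32
        mkdir (debuglogdir);
#else
        mkdir (debuglogdir,0700);
#endif

    long packet_count = 0;
    /*
     * pcap_next() returns NULL for timeout, error and end of savefile alike,
     * which made the old loop spin forever once a savefile was exhausted.
     * pcap_next_ex() tells these cases apart: 1 = packet, 0 = timeout,
     * -1 = error, -2 = no more packets in the savefile.
     */
    for (;;)
    {
        rc = pcap_next_ex(dh, &header, &packet);
        if (rc == 0)
        {
            log_debug (5, "No packet received");
            continue;
        }
        if (rc < 0)
            break;
        process_packet (++packet_count, header, packet);
    }

    if (rc != -2)
        log_debug (0, "error [%s]",pcap_geterr(dh));
    pcap_close (dh);
    return (rc == -2) ? 0 : -1;
}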
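/*
 * Program entry point.
 *
 * Loads the configuration and command-line options, optionally daemonises,
 * opens a live capture on devname, installs the filter held in filter_app
 * and passes every packet to process_packet().
 *
 * Returns -1 on a configuration or parameter failure or when the capture
 * fails, and 0 if the capture loop is ended without an error; the remaining
 * setup failures call exit().
 *
 * NOTE(review): live capture usually needs elevated privileges and nothing
 * visible here drops them before packets are parsed -- confirm whether
 * go_daemon() or process_packet() handles that.
 */
int main (int argc, char *argv[])
{
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *dh;
    struct bpf_program filter;
    bpf_u_int32 mask;
    bpf_u_int32 net;
    struct pcap_pkthdr *header;
    const u_char *packet;
    int rc;

    if (parse_config (argv[0]))
    {
        printf ("Failed to parse config file, leaving\n");
        return -1;
    }
    if (process_parms (argc,argv))
    {
        printf ("Bad parameters, leaving\n");
        return -1;
    }
    if (devname==NULL)
    {
        printf ("A device name (such as eth0) is required\n");
        exit (-1);
    }

    if (daemonize)
    {
        switch (go_daemon())
        {
            case -1:
                daemonize=0;
                log_debug (0, "Failed to become a daemon!");
                exit (-1);
            case 1:
                // We are the parent. Exit and let the child on its own
                exit (0);
            case 0:
                log_debug (3, "Successfully became a daemon.");
                break;
            default:
                daemonize=0;
                log_debug (0, "This is a bug!");
                exit (-1);
        }
    }
    else
        /* Outside daemon mode the debug log directory setting is cleared. */
        strcpy (debuglogdir,"");

    log_debug (3, "Getting address and mask for device %s...",devname);
    if (pcap_lookupnet(devname, &net, &mask, errbuf)==-1)
    {
        log_debug (0, "error [%s]",errbuf);
        exit (-1);
    }
    log_debug (3, "OK");

    log_debug (3, "Opening device...");
    /* Snapshot length 65535, read timeout 1000 ms. */
    dh = pcap_open_live (devname, 65535, promisc, 1000, errbuf);
    if (dh==NULL)
    {
        log_debug (0, "error [%s]",errbuf);
        exit (-1);
    }
    log_debug (3, "OK");

    if (data_offset == -1) /* User didn't force an offset, try to find out */
    {
        char *dln;
        log_debug (3, "Checking datalink type...");
        if (get_datalink_info (dh, &dln, &data_offset))
        {
            log_debug (0, "not supported. Please play with the -offset option (see docs)");
            exit (-1);
        }
        log_debug (3, "OK, %s, offset = %d", dln, data_offset);
    }
    else
    {
        /*
         * NOTE(review): a forced offset is taken on trust here; confirm that
         * process_packet() checks it against each packet's captured length.
         */
        log_debug (1, "Using an user defined offset [%d], for datalink type [%d], good luck!", data_offset, get_datalink_type(dh));
    }

    log_debug (3, "Compiling filter [%s]...",filter_app);
    /* The last argument of pcap_compile() is the netmask, so pass `mask`. */
    if (pcap_compile(dh, &filter, filter_app, 0, mask)==-1)
    {
        log_debug (0, "error: Couldn't parse filter %s", filter_app);
        exit (-1);
    }
    log_debug (3, "OK");

    log_debug (3, "Setting filter...");
    if (pcap_setfilter(dh, &filter)==-1)
    {
        /*
         * pcap_setfilter() records its error on the handle; errbuf is not
         * written by it and may never have been initialised at this point.
         */
        log_debug (0, "error [%s]",pcap_geterr(dh));
        exit (-1);
    }
    /* The installed filter is a copy; release the compiled program. */
    pcap_freecode (&filter);
    log_debug (3, "OK");

    log_debug (3, "Entering capture loop...");
    /*
     * The mkdir() results are ignored. A directory that already exists keeps
     * its current owner and mode, so 0700 is only guaranteed for directories
     * created here. NOTE(review): reconstructed conversations are presumably
     * written below chatlogdir -- consider verifying ownership and mode.
     */
    if (chatlogdir[0]!=0)
        mkdir (chatlogdir,0700);
    if (debuglogdir[0]!=0)
        mkdir (debuglogdir,0700);

    long packet_count = 0;
    /*
     * pcap_next() returns NULL both for a read timeout and for a capture
     * error, so the old loop kept spinning after the capture had failed.
     * pcap_next_ex() separates the cases: 1 = packet, 0 = timeout,
     * negative = error or loop broken.
     */
    for (;;)
    {
        rc = pcap_next_ex(dh, &header, &packet);
        if (rc == 0)
        {
            log_debug (5, "No packet received");
            continue;
        }
        if (rc < 0)
            break;
        process_packet (++packet_count, header, packet);
    }

    /* -2 means the loop was ended on request; anything else is a failure. */
    if (rc != -2)
        log_debug (0, "error [%s]",pcap_geterr(dh));
    pcap_close (dh);
    return (rc == -2) ? 0 : -1;
}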