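/// nflog callback: print one tab-separated log line for the received packet
/// (timestamp, in/out interface index, payload length, optional prefix) and,
/// when a pcap dumper is configured, append the payload to the capture file
/// behind a synthetic Ethernet header.
///
/// @param nfa  libnetfilter_log message handle for one packet.
///
/// The synthetic Ethernet header encodes the interface indices in the MAC
/// fields (FA:CE:<outdev> as destination, FA:CE:<indev> as source) so they
/// survive into the pcap file.
void operator()(struct nflog_data *nfa) {
    //struct nfulnl_msg_packet_hdr *ph = nflog_get_msg_packet_hdr(nfa);
    char *prefix = nflog_get_prefix(nfa);
    char *payload = 0;
    int payload_len = nflog_get_payload(nfa, &payload);
    // nflog_get_payload() reports failure as a negative length. Normalise to
    // an unsigned "bytes available" count here so a negative value can never
    // reach the size computations or memcpy() below as a huge size_t.
    const size_t data_len =
        (payload_len > 0 && payload) ? static_cast<size_t>(payload_len) : 0;

    struct timeval tv;
    memset(&tv, 0, sizeof(tv));
    nflog_get_timestamp(nfa, &tv);

    std::cout << static_cast<unsigned>(tv.tv_sec) << "." << tv.tv_usec;
    std::cout << "\t" << nflog_get_indev(nfa);
    std::cout << "\t" << nflog_get_outdev(nfa);
    std::cout << "\t" << payload_len;
    if (data_len > 0)
        handle_packet(payload, payload_len);
    if (prefix && strlen(prefix)) {
        std::cout << "\t\"" << prefix << "\"";
    }
    std::cout << std::endl;

    // write a pcap file here if required
    if (pcap_writer) {
        const size_t pcap_len = data_len + sizeof(ether_header);
        pcap_pkthdr head;
        memset(&head, 0, sizeof(head));
        head.ts = tv;
        head.caplen = pcap_len;
        head.len = pcap_len;

        // Frame buffer: synthetic Ethernet header followed by the payload.
        // (Variable-length array -- a GNU extension the original also used.)
        unsigned char tbuf[pcap_len];
        ether_header *ehead = reinterpret_cast<ether_header *>(&tbuf[0]);
        // sizeof(*ehead): the header struct, not the pointer to it.
        memset(ehead, 0, sizeof(*ehead));
        ehead->ether_dhost[0] = 0xFA;
        ehead->ether_dhost[1] = 0xCE;
        ehead->ether_shost[0] = 0xFA;
        ehead->ether_shost[1] = 0xCE;
        // ether_*host[2..5] is not 4-byte aligned; copy the interface index
        // bytewise rather than storing through a reinterpret_cast'ed
        // u_int32_t*, which is an unaligned access.
        const u_int32_t outdev = nflog_get_outdev(nfa);
        const u_int32_t indev = nflog_get_indev(nfa);
        memcpy(&ehead->ether_dhost[2], &outdev, sizeof(outdev));
        memcpy(&ehead->ether_shost[2], &indev, sizeof(indev));
        ehead->ether_type = htons(ETHERTYPE_IP);

        // copy payload and dump
        if (data_len > 0)
            memcpy(tbuf + sizeof(ether_header), payload, data_len);
        pcap_dump(reinterpret_cast<u_char *>(pcap_writer), &head,
                  reinterpret_cast<const u_char *>(tbuf));
    }
}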
/// Thin accessor: hands the payload's nflog message handle to
/// nflog_get_prefix() and returns that result unchanged (as read-only).
///
/// @param self  log payload wrapping an nflog message (self->nfad).
/// @return whatever nflog_get_prefix() yields for that message.
const char * log_payload_get_prefix(struct log_payload *self) {
    struct nflog_data *const nfad = self->nfad;
    return nflog_get_prefix(nfad);
}
char macstr[18]; // 17 + nul void *protoh; struct tcphdr *tcph; struct udphdr *udph; struct icmphdr *icmph; char *payload; int payload_len; struct timeval tv; struct vrmr_log_record *log_record = data; char s[256]; union ipv4_adress ip; memset(log_record, 0, sizeof(struct vrmr_log_record)); /* Check first if this pkt comes from a vuurmuur logrule */ char *prefix = nflog_get_prefix(nfa); vrmr_log_record_parse_prefix(log_record, prefix); /* Copy hostname in log_rule struct, seems kind of silly to do this every * time */ if (gethostname(log_record->hostname, HOST_NAME_MAX) == -1) { vrmr_debug(NONE, "Error getting hostname"); return -1; } /* Alright, get the nflog packet header and determine what hw_protocol we're * dealing with */ if (!(ph = nflog_get_msg_packet_hdr(nfa))) { vrmr_error(-1, "Error", "Can't get packet header"); return -1; }