void process_ip(const u_char* packet, const struct ether_header *ethernet, const struct sniff_ip *ip, const char *payload, u_int size_ip){ ip = (struct sniff_ip*)(packet + ETHERNET_SIZE); size_ip = IP_HL(ip)*4; ip_packets++; char buffer[MAX_BUF_SIZE]; sprintf(buffer, "%s", inet_ntoa(ip->ip_src)); IP_src_addr = insert(IP_src_addr, buffer); sprintf(buffer, "%s", inet_ntoa(ip->ip_dst)); IP_dest_addr = insert(IP_dest_addr, buffer); sprintf(buffer, "%d", ip->ip_ttl); TTL_list = insert(TTL_list, buffer); if(ntohs (ethernet->ether_type) == ETHERTYPE_IP){ if(ip->ip_p==IPPROTO_TCP){ strcpy(buffer, "TCP"); transLayer = insert(transLayer, buffer); process_tcp(packet, size_ip); } else if(ip->ip_p == IPPROTO_UDP){ strcpy(buffer, "UDP"); transLayer = insert(transLayer, buffer); process_udp(packet, size_ip); } else if(ip->ip_p == IPPROTO_ICMP){ strcpy(buffer, "ICMP"); transLayer = insert(transLayer, buffer); process_icmp(packet, size_ip, ip); } else{ sprintf(buffer, "0x%02x", ip->ip_p); transLayer = insert(transLayer, buffer); } } }
genErr_t process_l4(void *jobj_ref) { debug ("In function %s", __FUNCTION__); struct json_object *jobj = (struct json_object *)jobj_ref; void *tjobj = NULL; tjobj=get_val_from_key(jobj, "udp", lObj); if(tjobj) { process_udp(tjobj); free_json_obj(tjobj); } else { debug ("%s", "udp not available"); } tjobj=get_val_from_key(jobj, "tcp", lObj); if(tjobj) { process_tcp(tjobj); free_json_obj(tjobj); } else { debug ("%s", "tcp not available"); } return (SUCCESS); }
void tcpdemux::process_ip6(const struct timeval &ts,const u_char *data, const uint32_t caplen, const int32_t vlan) { const struct private_ip6_hdr *ip_header = (struct private_ip6_hdr *) data; u_int16_t ip_payload_len; /* make sure that the packet is at least as long as the IPv6 header */ if (caplen < sizeof(struct private_ip6_hdr)) { DEBUG(6) ("received truncated IPv6 datagram!"); return; } /* for now we're only looking for TCP; throw away everything else */ if (ip_header->ip6_nxt != IPPROTO_TCP) { DEBUG(50) ("got non-TCP frame -- IP proto %d", ip_header->ip6_nxt); return; } ip_payload_len = ntohs(ip_header->ip6_plen); /* make sure there's some data */ if (ip_payload_len == 0) { DEBUG(6) ("received truncated IP datagram!"); return; } /* do TCP processing */ process_tcp(ts, data + sizeof(struct private_ip6_hdr), ip_payload_len, ipaddr(ip_header->ip6_src.s6_addr), ipaddr(ip_header->ip6_dst.s6_addr), vlan,AF_INET6); }
static int queue_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; struct skb_buf skb; //get unique ID of packet in queue ph = nfq_get_msg_packet_hdr(nfa); if(!ph) { return -1; } skb.packet_id= ntohl(ph->packet_id); //get payload skb.pload_len = nfq_get_payload(nfa, &(skb.pload)); if(skb.pload_len <=0) { nfq_set_verdict(qh, skb.packet_id, NF_ACCEPT, skb.pload_len, skb.pload); return -1; } skb.pload[skb.pload_len]='\0'; process_tcp(&skb ,tcp_stream_handle); return 0; }
int tcpdemux::process_ip4(const be13::packet_info &pi) { /* make sure that the packet is at least as long as the min IP header */ if (pi.ip_datalen < sizeof(struct be13::ip4)) { DEBUG(6) ("received truncated IP datagram!"); return -1; // couldn't process } const struct be13::ip4 *ip_header = (struct be13::ip4 *) pi.ip_data; DEBUG(100)("process_ip4. caplen=%d vlan=%d ip_p=%d",(int)pi.pcap_hdr->caplen,(int)pi.vlan(),(int)ip_header->ip_p); if(debug>200){ sbuf_t sbuf(pos0_t(),(const uint8_t *)pi.ip_data,pi.ip_datalen,pi.ip_datalen,false); sbuf.hex_dump(std::cerr); } /* for now we're only looking for TCP; throw away everything else */ if (ip_header->ip_p != IPPROTO_TCP) { DEBUG(50) ("got non-TCP frame -- IP proto %d", ip_header->ip_p); return -1; // couldn't process } /* check and see if we got everything. NOTE: we must use * ip_total_len after this, because we may have captured bytes * beyond the end of the packet (e.g. ethernet padding). */ size_t ip_len = ntohs(ip_header->ip_len); if (pi.ip_datalen < ip_len) { DEBUG(6) ("warning: captured only %ld bytes of %ld-byte IP datagram", (long) pi.ip_datalen, (long) ip_len); } /* XXX - throw away everything but fragment 0; this version doesn't * know how to do fragment reassembly. */ if (ntohs(ip_header->ip_off) & 0x1fff) { DEBUG(2) ("warning: throwing away IP fragment from X to X"); return -1; } /* figure out where the IP header ends */ size_t ip_header_len = ip_header->ip_hl * 4; /* make sure there's some data */ if (ip_header_len > ip_len) { DEBUG(6) ("received truncated IP datagram!"); return -1; } /* do TCP processing, faking an ipv6 address */ uint16_t ip_payload_len = ip_len - ip_header_len; ipaddr src(ip_header->ip_src.addr); ipaddr dst(ip_header->ip_dst.addr); return process_tcp(src, dst, AF_INET, pi.ip_data + ip_header_len, ip_payload_len, pi); }
void tcpdemux::process_ip4(const struct timeval &ts,const u_char *data, uint32_t caplen,int32_t vlan) { const struct ip *ip_header = (struct ip *) data; u_int ip_header_len; u_int ip_total_len; /* make sure that the packet is at least as long as the min IP header */ if (caplen < sizeof(struct ip)) { DEBUG(6) ("received truncated IP datagram!"); return; } DEBUG(100)("process_ip4. caplen=%d vlan=%d ip_p=%d",(int)caplen,(int)vlan,(int)ip_header->ip_p); /* for now we're only looking for TCP; throw away everything else */ if (ip_header->ip_p != IPPROTO_TCP) { DEBUG(50) ("got non-TCP frame -- IP proto %d", ip_header->ip_p); return; } /* check and see if we got everything. NOTE: we must use * ip_total_len after this, because we may have captured bytes * beyond the end of the packet (e.g. ethernet padding). */ ip_total_len = ntohs(ip_header->ip_len); if (caplen < ip_total_len) { DEBUG(6) ("warning: captured only %ld bytes of %ld-byte IP datagram", (long) caplen, (long) ip_total_len); } /* XXX - throw away everything but fragment 0; this version doesn't * know how to do fragment reassembly. */ if (ntohs(ip_header->ip_off) & 0x1fff) { DEBUG(2) ("warning: throwing away IP fragment from X to X"); return; } /* figure out where the IP header ends */ ip_header_len = ip_header->ip_hl * 4; /* make sure there's some data */ if (ip_header_len > ip_total_len) { DEBUG(6) ("received truncated IP datagram!"); return; } /* do TCP processing, faking an ipv6 address */ process_tcp(ts,data + ip_header_len, ip_total_len - ip_header_len, ipaddr(ip_header->ip_src.s_addr), ipaddr(ip_header->ip_dst.s_addr), vlan,AF_INET); }
static void gen_ip_proc(u_char * data, int skblen, struct timeval* ts) { switch (((struct ip *) data)->ip_p) { case IPPROTO_TCP: process_tcp(data, skblen, ts); break; case IPPROTO_UDP: process_udp(data, ts); break; case IPPROTO_ICMP: if (nids_params.n_tcp_streams) process_icmp(data, ts); break; default: break; } }
static void gen_ip_proc(u_char * data, int skblen,int id) { switch (((struct ip *) data)->ip_p) { case IPPROTO_TCP: process_tcp(data, skblen,id); break; case IPPROTO_UDP: process_udp((char *)data,id); break; case IPPROTO_ICMP: if (nids_params.n_tcp_streams) process_icmp(data,id); break; default: //printf("other!\n"); break; } }
static void gen_ip_proc(u_char * data, int skblen) { switch (((struct ip *) data)->ip_p) { case IPPROTO_TCP: pthread_mutex_lock(&tcp_lost_mutex); process_tcp(data, skblen); pthread_mutex_unlock(&tcp_lost_mutex); break; case IPPROTO_UDP: process_udp( (char*)data ); break; case IPPROTO_ICMP: if (nids_params.n_tcp_streams) process_icmp(data); break; default: break; } }
void process_ip(void) { cur_pkt->ip_hdr = (ip_hdr_t *) (cur_pkt->buf + sizeof(eth_hdr_t)); cur_sock->src_ip = cur_pkt->ip_hdr->src_addr; if (unlikely(cur_pkt->ip_hdr->version != 4)) { log_debug1("this is not the packet you are looking for"); return; } if (unlikely(! is_this_card_ip((struct in_addr *) &cur_pkt->ip_hdr->dst_addr))) { log_debug1("this is not the packet you are looking for"); return; } switch(cur_pkt->ip_hdr->proto) { case IP_PROTO_TCP: process_tcp(); break; case IP_PROTO_ICMP: process_icmp(); break; } }
int tcpdemux::process_ip6(const be13::packet_info &pi) { /* make sure that the packet is at least as long as the IPv6 header */ if (pi.ip_datalen < sizeof(struct be13::ip6_hdr)) { DEBUG(6) ("received truncated IPv6 datagram!"); return -1; } const struct be13::ip6_hdr *ip_header = (struct be13::ip6_hdr *) pi.ip_data; /* for now we're only looking for TCP; throw away everything else */ if (ip_header->ip6_ctlun.ip6_un1.ip6_un1_nxt != IPPROTO_TCP) { DEBUG(50) ("got non-TCP frame -- IP proto %d", ip_header->ip6_ctlun.ip6_un1.ip6_un1_nxt); return -1; } /* do TCP processing */ uint16_t ip_payload_len = ntohs(ip_header->ip6_ctlun.ip6_un1.ip6_un1_plen); ipaddr src(ip_header->ip6_src.addr.addr8); ipaddr dst(ip_header->ip6_dst.addr.addr8); return process_tcp(src, dst ,AF_INET6, pi.ip_data + sizeof(struct be13::ip6_hdr),ip_payload_len,pi); }
void process_ip(char *ip_pkt) { struct in_addr s_in; struct in_addr d_in; pkt->ip_head = (struct iphdr *)ip_pkt; s_in.s_addr = pkt->ip_head->saddr; d_in.s_addr = pkt->ip_head->daddr; printf("Packet source IP is: %s\n", inet_ntoa(s_in)); printf("Packet destination IP is: %s\n", inet_ntoa(d_in)); printf("Packet ip next layer is: %04x\n", pkt->ip_head->protocol); tmp_pkt += sizeof(struct iphdr); length -= sizeof(struct iphdr); switch(pkt->ip_head->protocol){ case 0x0006: process_tcp(tmp_pkt); break; default: break; } }
void process_packet(unsigned char *ignore, const struct pcap_pkthdr *header, const unsigned char *packet) { // static int packet_count = 1; struct flow_record *record; unsigned char proto = 0; /* declare pointers to packet headers */ const struct ip_hdr *ip; unsigned int transport_len; unsigned int ip_hdr_len; const void *transport_start; struct flow_key key; flocap_stats_incr_num_packets(); if (output_level > none) { fprintf(output, "\npacket number %lu:\n", flocap_stats_get_num_packets()); } // packet_count++; // ethernet = (struct ethernet_hdr*)(packet); /* define/compute ip header offset */ ip = (struct ip_hdr*)(packet + ETHERNET_HDR_LEN); ip_hdr_len = ip_hdr_length(ip); if (ip_hdr_len < 20) { if (output_level > none) { fprintf(output, " * Invalid IP header length: %u bytes\n", ip_hdr_len); } return; } if (ntohs(ip->ip_len) < sizeof(struct ip_hdr) || ntohs(ip->ip_len) > header->caplen) { /* * IP packet is malformed (shorter than a complete IP header, or * claims to be longer than it is), or not entirely captured by * libpcap (which will depend on MTU and SNAPLEN; you can change * the latter if need be). */ return ; } transport_len = ntohs(ip->ip_len) - ip_hdr_len; /* print source and destination IP addresses */ if (output_level > none) { fprintf(output, " from: %s\n", inet_ntoa(ip->ip_src)); fprintf(output, " to: %s\n", inet_ntoa(ip->ip_dst)); fprintf(output, " ip len: %u\n", ntohs(ip->ip_len)); fprintf(output, " ip hdr len: %u\n", ip_hdr_len); } if (ip_fragment_offset(ip) == 0) { /* fill out IP-specific fields of flow key, plus proto selector */ key.sa = ip->ip_src; key.da = ip->ip_dst; proto = key.prot = ip->ip_prot; } else { // fprintf(info, "found IP fragment (offset: %02x)\n", ip_fragment_offset(ip)); /* * select IP processing, since we don't have a TCP or UDP header */ key.sa = ip->ip_src; key.da = ip->ip_dst; proto = key.prot = IPPROTO_IP; } /* determine transport protocol and handle appropriately */ transport_start = (void *)ip + ip_hdr_len; switch(proto) { case IPPROTO_TCP: record = process_tcp(header, transport_start, transport_len, &key); break; case IPPROTO_UDP: record = process_udp(header, transport_start, transport_len, &key); break; case IPPROTO_ICMP: record = process_icmp(header, transport_start, transport_len, &key); break; case IPPROTO_IP: default: record = process_ip(header, transport_start, transport_len, &key); break; } /* * if our packet is malformed TCP, UDP, or ICMP, then the process * functions will return NULL; we deal with that case by treating it * as just an IP packet */ if (record == NULL) { #if 1 record = process_ip(header, transport_start, transport_len, &key); if (record == NULL) { fprintf(info, "warning: unable to process ip packet (improper length or otherwise malformed)\n"); return; } record->invalid++; #else /* * if the processing of malformed packets causes trouble, choose * this code path instead */ return; #endif } /* * set minimum ttl in flow record */ if (record->ttl > ip->ip_ttl) { record->ttl = ip->ip_ttl; } /* increment packet count in flow record */ record->np++; /* update flow record timestamps */ if (timerisset(&record->start)) { record->end = header->ts; } else { record->start = record->end = header->ts; } /* * copy initial data packet, if configured to report idp, and this * is the first packet in the flow with nonzero data payload */ if ((report_idp) && record->op && (record->idp_len == 0)) { record->idp_len = (ntohs(ip->ip_len) < report_idp ? ntohs(ip->ip_len) : report_idp); record->idp = malloc(record->idp_len); memcpy(record->idp, ip, record->idp_len); if (output_level > none) { fprintf(output, "stashed %u bytes of IDP\n", record->idp_len); } } /* increment overall byte count */ flocap_stats_incr_num_bytes(transport_len); return; }
void process_hl_tcp (OS_FRAME *frame) { /* Process tcp protocol frame */ process_tcp (frame); }