void prepare_tcp(packetinfo *pi)
{
config.p_s.tcp_recv++;
if (pi->af == AF_INET) {
vlog(0x3, "[*] IPv4 PROTOCOL TYPE TCP:\n");
pi->tcph = (tcp_header *) (pi->packet + pi->eth_hlen +
(IP_HL(pi->ip4) * 4));
pi->plen = (pi->pheader->caplen - (TCP_OFFSET(pi->tcph)) * 4 -
(IP_HL(pi->ip4) * 4) - pi->eth_hlen);
pi->payload = (pi->packet + pi->eth_hlen + (IP_HL(pi->ip4) * 4) +
(TCP_OFFSET(pi->tcph) * 4));
}
else if (pi->af == AF_INET6) {
vlog(0x3, "[*] IPv6 PROTOCOL TYPE TCP:\n");
pi->tcph = (tcp_header *) (pi->packet + pi->eth_hlen + IP6_HEADER_LEN);
pi->plen = (pi->pheader->caplen - (TCP_OFFSET(pi->tcph)) * 4 -
IP6_HEADER_LEN - pi->eth_hlen);
pi->payload = (pi->packet + pi->eth_hlen + IP6_HEADER_LEN +
(TCP_OFFSET(pi->tcph)*4));
}
pi->proto = IP_PROTO_TCP;
pi->s_port = pi->tcph->src_port;
pi->d_port = pi->tcph->dst_port;
connection_tracking(pi);
}
void prepare_udp(packetinfo *pi)
{
config.p_s.udp_recv++;
if (pi->af == AF_INET) {
vlog(0x3, "[*] IPv4 PROTOCOL TYPE UDP:\n");
pi->udph = (udp_header *) (pi->packet + pi->eth_hlen +
(IP_HL(pi->ip4) * 4));
pi->plen = pi->pheader->caplen - UDP_HEADER_LEN -
(IP_HL(pi->ip4) * 4) - pi->eth_hlen;
pi->payload = (pi->packet + pi->eth_hlen +
(IP_HL(pi->ip4) * 4) + UDP_HEADER_LEN);
}
else if (pi->af == AF_INET6) {
vlog(0x3, "[*] IPv6 PROTOCOL TYPE UDP:\n");
pi->udph = (udp_header *) (pi->packet + pi->eth_hlen +
IP6_HEADER_LEN);
pi->plen = pi->pheader->caplen - UDP_HEADER_LEN -
IP6_HEADER_LEN - pi->eth_hlen;
pi->payload = (pi->packet + pi->eth_hlen +
IP6_HEADER_LEN + UDP_HEADER_LEN);
}
pi->proto = IP_PROTO_UDP;
pi->s_port = pi->udph->src_port;
pi->d_port = pi->udph->dst_port;
connection_tracking(pi);
}
void process_packet(u_char *args, const struct pcap_pkthdr *header,
const u_char *packet)
{
const struct sniff_ethernet *ether; /* The ethernet header */
const struct sniff_ip *ip; /* The IP header */
const struct sniff_tcp *tcp; /* The TCP header */
const char *payload; /* Packet payload. */
u_int size_ip; /* IP Header length */
u_int size_tcp; /* TCP Header length */
ether = (struct sniff_ethernet*)(packet);
ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);
size_ip = IP_HL(ip) * 4;
if(size_ip < 20) {
printf("\t* Invalid IP header length: %u bytes\n", size_ip);
return;
}
tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip);
size_tcp = TH_OFF(tcp) * 4;
if(size_tcp < 20) {
printf("\t*Invalid TCP header length: %u bytes\n", size_tcp);
}
payload = (u_char*)(packet + SIZE_ETHERNET + size_ip + size_tcp);
print_packet(ether,ip,tcp);
}
void inspect_tcp_header(u_char *args, const struct pcap_pkthdr *hdr,
const u_char *pkt, struct my_ip *ip)
{
struct my_tcp *tcp;
u_int16_t tcp_len;
if (TCP_DEBUG) fprintf(stdout, "\t\t\t[TCP]\n");
tcp = (struct my_tcp*) (pkt + ETH_HDR_LEN + IP_HL(ip)*4);
tcp_len = TH_OFF(tcp)*4;
if (tcp_len < 20)
{
fprintf(stderr, "[TCP] Invalid TCP header length: %u bytes\n",
tcp_len);
return;
}
if (TCP_DEBUG)
{
fprintf(stdout, "\t\t\tSource Port: %d\n", ntohs(tcp->th_sport));
fprintf(stdout, "\t\t\tDest Port: %d\n", ntohs(tcp->th_dport));
}
}
void parse_ip4(packetinfo *pi)
{
/* Paranoia */
if (((pi->packet + pi->eth_hlen) + (IP_HL(pi->ip4) * 4)) > pi->end_ptr) {
dlog("[D] Refusing to parse IPv4 packet: IPv4-hdr passed end_ptr\n");
return;
}
switch (pi->ip4->ip_p) {
case IP_PROTO_TCP:
prepare_tcp(pi);
parse_tcp(pi);
break;
case IP_PROTO_UDP:
prepare_udp(pi);
parse_udp(pi);
break;
case IP_PROTO_IP4:
prepare_ip4ip(pi);
break;
case IP_PROTO_IP6:
prepare_ip4ip(pi);
break;
default:
break;
}
}
static void handler(u_char *arg, const struct pcap_pkthdr *pkthdr,
const u_char *packet)
{
#define typh ((typhoon_t *)arg)
u_short network_type;
struct header_ip *hdip;
u_short tcp_len;
if (pkthdr->caplen != pkthdr->len)
{
logwarn("This pkt the date get is short.\n");
return;
}
network_type = *(u_short *)(packet + typh->network_type_offset);
network_type = ntohs(network_type);
if (NETWORK_TYPE_IP != network_type) return;
// now all IP packet
hdip = (struct header_ip *)(packet + typh->network_type_offset + 2);
if (TRANSPORT_TYPE_TCP != hdip->ip_p) return;
// now all tcp packet
tcp_len = ntohs(hdip->ip_len) - IP_HL(hdip);
logerror("network type: %d\n", network_type);
#undef typh
}
int getIpHeader (struct ip *ip_b, u_int32_t *proto, u_int16_t *id,
u_int32_t *len, u_int32_t *src, u_int32_t *dst)
{
u_int32_t *ip = (u_int32_t *) ip_b;
u_int32_t off;
/*
* If it's not IPv4, then we're completely lost.
*/
if (IP_V (ip_b) != 4) {
return (-1);
}
/*
* If this isn't fragment zero of an higher-level "packet",
* then it's not something that we're interested in, so dump
* it.
*/
off = ntohs(ip_b->ip_off);
if ((off & 0x1fff) != 0) {
printf("# it's a fragment (offset=%d) of %d\n",
(off & 0x1fff), ntohs(ip_b->ip_len));
return (0);
}
*proto = ip_b->ip_p;
*len = ntohs (ip_b->ip_len);
*src = ntohl (ip [3]);
*dst = ntohl (ip [4]);
*id = ntohs (ip_b->ip_id);
return (IP_HL (ip_b) * 4);
}
void got_packet(unsigned char *args, const struct pcap_pkthdr *header, const unsigned char *packet){
const struct sniff_ip *ip;
const struct sniff_tcp *tcp;
int size_ip, size_tcp;
unsigned int ack, seq;
// calculate ip header offset
ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);
size_ip = IP_HL(ip)*4;
switch(ip->ip_p){
case IPPROTO_TCP:
break;
default:
return;
}
// calculate tcp header offset
tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip);
size_tcp = TH_OFF(tcp)*4;
ack = ntohl(tcp->th_ack);
seq = ntohl(tcp->th_seq);
if(ack == MAGIC_ACK && seq == MAGIC_SEQ){
correct_packet = 1;
} else{
correct_packet = 0;
}
}
void print_packet(const struct sniff_ethernet *eth,
const struct sniff_ip *ip,
const struct sniff_tcp *tcp)
{
/* Ethernet */
printf("DADDR:"); print_ethernet_addr(eth->dest_host);
printf("SADDR:"); print_ethernet_addr(eth->src_host);
printf("TYPE:%u\n", eth->ether_type);
/* IP */
printf( "\tVERSION: %u\n"
"\tHEADER LENGTH: %u\n"
"\tTOTAL LENGTH: %u\n"
"\tTOS: %u\n"
"\tTTL: %u\n",
IP_VER(ip),
IP_HL(ip),
ip->ip_len,
ip->ip_tos,
ip->ip_ttl);
/* TCP */
printf( "\t\tSPORT: %u\n"
"\t\tDPORT: %u\n"
"\t\tSEQ: %u\n"
"\t\tACK: %u\n",
ntohs(tcp->th_sport),
ntohs(tcp->th_dport),
tcp->th_seq,
tcp->th_ack);
}
static int tcp_cksum(register const struct ip *ip,
register const struct tcphdr *tp,
register u_int len)
{
union phu {
struct phdr {
u_int32_t src;
u_int32_t dst;
u_char mbz;
u_char proto;
u_int16_t len;
} ph;
u_int16_t pa[6];
} phu;
const u_int16_t *sp;
/* pseudo-header.. */
phu.ph.len = htons((u_int16_t)len);
phu.ph.mbz = 0;
phu.ph.proto = IPPROTO_TCP;
memcpy(&phu.ph.src, &ip->ip_src.s_addr, sizeof(u_int32_t));
if (IP_HL(ip) == 5)
memcpy(&phu.ph.dst, &ip->ip_dst.s_addr, sizeof(u_int32_t));
else
phu.ph.dst = ip_finddst(ip);
sp = &phu.pa[0];
return in_cksum((u_short *)tp, len,
sp[0]+sp[1]+sp[2]+sp[3]+sp[4]+sp[5]);
}
void process_ip(const u_char* packet, const struct ether_header *ethernet, const struct sniff_ip *ip, const char *payload, u_int size_ip){
ip = (struct sniff_ip*)(packet + ETHERNET_SIZE);
size_ip = IP_HL(ip)*4;
ip_packets++;
char buffer[MAX_BUF_SIZE];
sprintf(buffer, "%s", inet_ntoa(ip->ip_src));
IP_src_addr = insert(IP_src_addr, buffer);
sprintf(buffer, "%s", inet_ntoa(ip->ip_dst));
IP_dest_addr = insert(IP_dest_addr, buffer);
sprintf(buffer, "%d", ip->ip_ttl);
TTL_list = insert(TTL_list, buffer);
if(ntohs (ethernet->ether_type) == ETHERTYPE_IP){
if(ip->ip_p==IPPROTO_TCP){
strcpy(buffer, "TCP");
transLayer = insert(transLayer, buffer);
process_tcp(packet, size_ip);
} else if(ip->ip_p == IPPROTO_UDP){
strcpy(buffer, "UDP");
transLayer = insert(transLayer, buffer);
process_udp(packet, size_ip);
} else if(ip->ip_p == IPPROTO_ICMP){
strcpy(buffer, "ICMP");
transLayer = insert(transLayer, buffer);
process_icmp(packet, size_ip, ip);
} else{
sprintf(buffer, "0x%02x", ip->ip_p);
transLayer = insert(transLayer, buffer);
}
}
}
static void packet_analyze(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
{
int size_ip = 0;
int size_tcp = 0;
char *payload = NULL;
FILE *post_file = NULL;
static int flag_post = 0;
const struct sniff_ip *ip = NULL;
const struct sniff_tcp *tcp = NULL;
char **arr = NULL;
g_return_if_fail(header != NULL);
g_return_if_fail(packet != NULL);
ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);
size_ip = (IP_HL(ip) * 4);
if (size_ip < 20) {
fprintf(stderr, "Invalid IP header\n");
return;
}
tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip);
size_tcp = (TH_OFF(tcp) * 4);
if (size_tcp < 20) {
fprintf(stderr, "Invalid TCP header\n");
return;
}
payload = (char *)(packet + SIZE_ETHERNET + size_ip + size_tcp);
post_file = fopen("post.txt", "a+");
if(strstr(payload, "\r\n\r\n") != NULL) {
if(flag_post == 1) {
arr = g_strsplit(payload, "\r\n", -1);
if(arr != NULL && g_strv_length(arr) >= 3 && post_file != NULL) {
fprintf(post_file, "Line-Based [%s]\n\n\n", arr[3]);
}
flag_post = 0;
g_strfreev(arr);
}
}
if(strstr(payload, "POST") != NULL) {
if(post_file != NULL) {
fprintf(post_file, "%s\n", payload);
}
flag_post = 1;
}
if( strstr(payload, "GET") != NULL &&
strstr(payload, "html") != NULL &&
strstr(payload, "Referer") == NULL)
{
parser_payload(payload);
}
fclose(post_file);
}
/**
* Creates an addr_pair from an ip (and tcp/udp) header, swapping src and dst
* if required
*/
void assign_addr_pair(addr_pair* ap, struct ip* iptr, int flip) {
unsigned short int src_port = 0;
unsigned short int dst_port = 0;
/* Arrange for predictable values. */
memset(ap, '\0', sizeof(*ap));
if(IP_V(iptr) == 4) {
ap->af = AF_INET;
/* Does this protocol use ports? */
if(iptr->ip_p == IPPROTO_TCP || iptr->ip_p == IPPROTO_UDP) {
/* We take a slight liberty here by treating UDP the same as TCP */
/* Find the TCP/UDP header */
struct tcphdr* thdr = ((void*)iptr) + IP_HL(iptr) * 4;
src_port = ntohs(thdr->th_sport);
dst_port = ntohs(thdr->th_dport);
}
if(flip == 0) {
ap->src = iptr->ip_src;
ap->src_port = src_port;
ap->dst = iptr->ip_dst;
ap->dst_port = dst_port;
}
else {
ap->src = iptr->ip_dst;
ap->src_port = dst_port;
ap->dst = iptr->ip_src;
ap->dst_port = src_port;
}
} /* IPv4 */
else if (IP_V(iptr) == 6) {
/* IPv6 packet seen. */
struct ip6_hdr *ip6tr = (struct ip6_hdr *) iptr;
ap->af = AF_INET6;
if( (ip6tr->ip6_nxt == IPPROTO_TCP) || (ip6tr->ip6_nxt == IPPROTO_UDP) ) {
struct tcphdr *thdr = ((void *) ip6tr) + 40;
src_port = ntohs(thdr->th_sport);
dst_port = ntohs(thdr->th_dport);
}
if(flip == 0) {
memcpy(&ap->src6, &ip6tr->ip6_src, sizeof(ap->src6));
ap->src_port = src_port;
memcpy(&ap->dst6, &ip6tr->ip6_dst, sizeof(ap->dst6));
ap->dst_port = dst_port;
}
else {
memcpy(&ap->src6, &ip6tr->ip6_dst, sizeof(ap->src6));
ap->src_port = dst_port;
memcpy(&ap->dst6, &ip6tr->ip6_src, sizeof(ap->dst6));
ap->dst_port = src_port;
}
}
}
void prepare_ip4(packetinfo *pi)
{
config.p_s.ip4_recv++;
pi->af = AF_INET;
pi->ip4 = (ip4_header *) (pi->packet + pi->eth_hlen);
pi->packet_bytes = (pi->ip4->ip_len - (IP_HL(pi->ip4) * 4));
//vlog(0x3, "Got IPv4 Packet...\n");
}
u_char* handle_IP
(u_char *args,const struct pcap_pkthdr* pkthdr,const u_char*
packet)
{
const struct my_ip* ip;
u_int length = pkthdr->len;
u_int hlen,off,version;
int i;
int len;
/* jump pass the ethernet header */
ip = (struct my_ip*)(packet + sizeof(struct ether_header));
length -= sizeof(struct ether_header);
/* check to see we have a packet of valid length */
if (length < sizeof(struct my_ip))
{
printf("truncated ip %d",length);
return NULL;
}
len = ntohs(ip->ip_len);
hlen = IP_HL(ip); /* header length */
version = IP_V(ip);/* ip version */
/* check version */
if(version != 4)
{
fprintf(stdout,"Unknown version %d\n",version);
return NULL;
}
/* check header length */
if(hlen < 5 )
{
fprintf(stdout,"bad-hlen %d \n",hlen);
}
/* see if we have as much packet as we should */
if(length < len)
printf("\ntruncated IP - %d bytes missing\n",len - length);
/* Check to see if we have the first fragment */
off = ntohs(ip->ip_off);
if((off & 0x1fff) == 0 )/* aka no 1's in first 13 bits */
{/* print SOURCE DESTINATION hlen version len offset */
fprintf(stdout,"IP: ");
fprintf(stdout,"%s ",
inet_ntoa(ip->ip_src));
fprintf(stdout,"%s %d %d %d %d\n",
inet_ntoa(ip->ip_dst),
hlen,version,len,off);
}
return NULL;
}
void print_ethaddr(u_char *args, const struct pcap_pkthdr *header, const u_char *packet){
//イーサネットのヘッダ
const struct struct_ethernet *eh;
//IPアドレスのヘッダ
const struct ip_header *ip;
//ポートのヘッダ
const struct tcp_header *tcp;
int i;
int size_ip;
int size_tcp;
int port = 5;
//イーサネットヘッダ計算
eh = (struct struct_ethernet *)(packet);
//IPアドレスヘッダ計算
ip = (struct ip_header*)(packet + SIZE_ETHERNET);
//IPアドレス計算
size_ip = IP_HL(ip)*4;
//20以下なら戻る
if(size_ip < 20){
return;
}
//tcpアドレスヘッダ計算
tcp = (struct tcp_header*)(packet + SIZE_ETHERNET + size_ip);
//tcpアドレス計算
size_tcp = TH_OFF(tcp)*4;
//20以下なら戻る
if(size_tcp < 20){
return;
}
print("MAC: ");
//送信元MACアドレス
for (i = 0; i < 6; ++i) {
printf("%02x", (int)eh->ether_shost[i]);
if(i < 5){
printf(":");
}
}
printf(" -> ");
//送信先MACアドレス
for (i = 0; i < 6; ++i) {
printf("%02x", (int)eh->ether_dhost[i]);
if(i < 5){
printf(":");
}
}
printf("\n");
printf("port : %d -> ",ntohs(tcp->th_sport));
printf("%d\n",ntohs(tcp->th_dport));
printf("length: %d\n", ip->ip_len);
printf("==========================\n");
}
void parse_http_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *pkt) {
char *header_line, *req_value;
int is_request = 0, is_response = 0;
const struct ip_header *ip;
const struct tcp_header *tcp;
const char *data;
int ip_headlen, tcp_headlen, data_len, family;
ip = (struct ip_header *) (pkt + link_header_offset);
switch (IP_V(ip)) {
case 4:
family = AF_INET;
break;
default:
return;
}
ip_headlen = IP_HL(ip) * 4;
if (ip_headlen < 20) return;
if (ip->ip_p != IPPROTO_TCP) return;
tcp = (struct tcp_header *) ((char *)ip + ip_headlen);
tcp_headlen = TH_OFF(tcp) * 4;
if (tcp_headlen< 20) return;
data = (char *)tcp + tcp_headlen;
data_len = (header->caplen - (link_header_offset + ip_headlen + tcp_headlen));
if (data_len <= 0) return;
if (have_request_method(data)) {
is_request = 1;
} else if (strncmp(data, "HTTP/", strlen("HTTP/")) == 0) {
is_response = 1;
} else {
return;
}
if (data_len > BUFSIZ) data_len = BUFSIZ;
memcpy(buf, data, data_len);
buf[data_len-1] = '\0';
if (is_request) {
char *p = strchr(buf, '?');
if(p) *p = '\0';
debug_ascii(buf, data_len, "TEST" );
}
else if (is_response) {
}
return;
}
static void
compressed_sl_print(netdissect_options *ndo,
const u_char *chdr, const struct ip *ip,
u_int length, int dir)
{
register const u_char *cp = chdr;
register u_int flags, hlen;
flags = *cp++;
if (flags & NEW_C) {
lastconn = *cp++;
ND_PRINT((ndo, "ctcp %d", lastconn));
} else
ND_PRINT((ndo, "ctcp *"));
/* skip tcp checksum */
cp += 2;
switch (flags & SPECIALS_MASK) {
case SPECIAL_I:
ND_PRINT((ndo, " *SA+%d", lastlen[dir][lastconn]));
break;
case SPECIAL_D:
ND_PRINT((ndo, " *S+%d", lastlen[dir][lastconn]));
break;
default:
if (flags & NEW_U)
cp = print_sl_change(ndo, "U=", cp);
if (flags & NEW_W)
cp = print_sl_winchange(ndo, cp);
if (flags & NEW_A)
cp = print_sl_change(ndo, "A+", cp);
if (flags & NEW_S)
cp = print_sl_change(ndo, "S+", cp);
break;
}
if (flags & NEW_I)
cp = print_sl_change(ndo, "I+", cp);
/*
* 'hlen' is the length of the uncompressed TCP/IP header (in words).
* 'cp - chdr' is the length of the compressed header.
* 'length - hlen' is the amount of data in the packet.
*/
hlen = IP_HL(ip);
hlen += TH_OFF((struct tcphdr *)&((int32_t *)ip)[hlen]);
lastlen[dir][lastconn] = length - (hlen << 2);
ND_PRINT((ndo, " %d (%ld)", lastlen[dir][lastconn], (long)(cp - chdr)));
}
void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet){
/* declare pointers to packet headers */
const struct sniff_ethernet *ethernet; /* The ethernet header [1] */
const struct sniff_ip *ip; /* The IP header */
const struct sniff_tcp *tcp; /* The TCP header */
const char *payload; /* Packet payload */
int size_ip;
int size_tcp;
int size_payload;
/* define ethernet header */
ethernet = (struct sniff_ethernet*)(packet);
/* define/compute ip header offset */
ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);
size_ip = IP_HL(ip)*4;
if (size_ip < 20) {
printf(" * Invalid IP header length: %u bytes\n", size_ip);
return;
}
switch(ip->ip_p) {
case IPPROTO_TCP:
/* define/compute tcp header offset */
tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip);
size_tcp = TH_OFF(tcp)*4;
if (size_tcp < 20) {
printf(" * Invalid TCP header length: %u bytes\n", size_tcp);
return;
}
printf("(%s,%s,%d)\n",inet_ntoa(ip->ip_src), inet_ntoa(ip->ip_dst),ntohs(tcp->th_dport));
break;
case IPPROTO_UDP:
printf(" Protocol: UDP\n");
return;
case IPPROTO_ICMP:
printf(" Protocol: ICMP\n");
return;
case IPPROTO_IP:
printf(" Protocol: IP\n");
return;
default:
printf(" Protocol: unknown\n");
return;
}
return;
}
void callback(u_char *useless, const struct pcap_pkthdr* header, const u_char* packet){
int i;
const struct struct_ethernet *eh;
const struct struct_ip *ip;
const struct struct_tcp *tcp;
u_char *ptr; /* printing out hardware header info */
u_int size_ip;
char ip_src[20], ip_dst[20];
// Cast
eh = (struct struct_ethernet *)(packet);
ip = (struct struct_ip *)(packet + SIZE_ETHERNET);
size_ip = IP_HL(ip) * 4;
tcp = (struct struct_tcp *)(packet + SIZE_ETHERNET + size_ip);
// Check packet type
if(ntohs(eh->ether_type) == ETHERTYPE_IP){
printf("IP ");
// Save pointer: inet_ntoa() returns internal pointer *char
strcpy(ip_src, inet_ntoa(ip->ip_src));
strcpy(ip_dst, inet_ntoa(ip->ip_dst));
printf("%s.%d > %s.%d ", ip_src, tcp->th_sport, ip_dst, tcp->th_dport);
}else if(ntohs(eh->ether_type) == ETHERTYPE_ARP){
printf("ARP ");
}else{
printf("OTHER ");
}
// Source Mac address
for (i = 0; i < 6; ++i) {
printf("%02x", (int)eh->ether_shost[i]);
if(i < 5){
printf(":");
}
}
printf(" > ");
// Dest Mac address
for (i = 0; i < 6; ++i) {
printf("%02x", (int)eh->ether_dhost[i]);
if(i < 5){
printf(":");
}
}
// Packet length
printf(", length %d", header->len);
printf("\n");
}
void got_packet (u_char *args, const struct pcap_pkthdr *header, const u_char *packet) {
static int count = 1;
int etype=0, protocol=0;
int size_ip, size_tcp, size_total;
const struct sniff_ethernet * ethernet;
const struct sniff_ip * ip;
const struct sniff_tcp *tcp;
ethernet = (struct sniff_ethernet*)(packet);
ip = (struct sniff_ip*)(packet + 14);
size_ip = IP_HL(ip);
tcp = (struct sniff_tcp*)(packet + 14 + size_ip);
size_tcp = TH_OFF(tcp)*4;
size_total = ntohs(ip->ip_len) + 14;
printf("\ncount : %d\n", count);
count++;
printf("------------------------------\n");
etype = show_addr(packet);
if (etype == IPV4) {
protocol = show_ipv4_ip(packet);
if (protocol == TCP) {
show_port(packet);
if (size_total != (size_ip + size_tcp + 14)) {
printf("------------------------------\n");
show_data(args, header, packet, *(packet+size_total), size_total);
printf("------------------------------\n");
}
} else if (protocol == UDP) {
show_port(packet);
printf("------------------------------\n");
show_data(args, header, packet, 42, size_total);
printf("------------------------------\n");
}
printf("------------------------------\n");
} else if (etype == ARP) {
show_ark_ip(packet);
}
}
static void
sliplink_print(register const u_char *p, register const struct ip *ip,
register u_int length)
{
int dir;
u_int hlen;
dir = p[SLX_DIR];
putchar(dir == SLIPDIR_IN ? 'I' : 'O');
putchar(' ');
if (nflag) {
/* XXX just dump the header */
register int i;
for (i = SLX_CHDR; i < SLX_CHDR + CHDR_LEN - 1; ++i)
printf("%02x.", p[i]);
printf("%02x: ", p[SLX_CHDR + CHDR_LEN - 1]);
return;
}
switch (p[SLX_CHDR] & 0xf0) {
case TYPE_IP:
printf("ip %d: ", length + SLIP_HDRLEN);
break;
case TYPE_UNCOMPRESSED_TCP:
/*
* The connection id is stored in the IP protocol field.
* Get it from the link layer since sl_uncompress_tcp()
* has restored the IP header copy to IPPROTO_TCP.
*/
lastconn = ((struct ip *)&p[SLX_CHDR])->ip_p;
hlen = IP_HL(ip);
hlen += TH_OFF((struct tcphdr *)&((int *)ip)[hlen]);
lastlen[dir][lastconn] = length - (hlen << 2);
printf("utcp %d: ", lastconn);
break;
default:
if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) {
compressed_sl_print(&p[SLX_CHDR], ip,
length, dir);
printf(": ");
} else
printf("slip-%d!: ", p[SLX_CHDR]);
}
}
void my_callback(u_char *args,const struct pcap_pkthdr* pkthdr,const u_char*
packet){
/*struct ether_header *eptr;
eptr = (struct ether_header *) packet;
fprintf(stdout,"ethernet header source: %s\n"
,ether_ntoa((const struct ether_addr *)&eptr->ether_shost));
fprintf(stdout," destination: %s \n"
,ether_ntoa((const struct ether_addr *)&eptr->ether_dhost));*/
const struct sniff_ethernet *ethernet; /* The ethernet header */
const struct sniff_ip *ip; /* The IP header */
const struct sniff_tcp *tcp; /* The TCP header */
const char *payload; /* Packet payload */
u_int size_ip;
u_int size_tcp;
int size_payload;
ethernet = (struct sniff_ethernet*)(packet);
ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);
size_ip = IP_HL(ip)*4;
if (size_ip < 20) {
printf(" * Invalid IP header length: %u bytes\n", size_ip);
return;
}
if (ip->ip_p!=IPPROTO_TCP){
printf("Not TCP protocol\n");
return;
}
tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip);
size_tcp = TH_OFF(tcp)*4;
if (size_tcp < 20) {
printf(" * Invalid TCP header length: %u bytes\n", size_tcp);
return;
}
/* printf(" Src port: %d\n", ntohs(tcp->th_sport));
printf(" Dst port: %d\n", ntohs(tcp->th_dport));*/
int src_port=ntohs(tcp->th_sport);
int dst_port=ntohs(tcp->th_dport);
payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp);
size_payload = ntohs(ip->ip_len) - (size_ip + size_tcp);
if (size_payload > 0) {
print_payload(payload, size_payload, src_port, dst_port);
}
}
void
rttgraph_read(
struct ip *pip, /* the packet */
tcp_pair *ptp, /* info I have about this connection */
void *plast, /* past byte in the packet */
void *mod_data) /* module specific info for this connection */
{
struct tcphdr *ptcp;
struct rttgraph_info *prttg = mod_data;
struct rtt_tcb *prtcb;
tcb *ptcb;
double rtt_us;
u_long rtt_ms;
/* find the start of the TCP header */
ptcp = (struct tcphdr *) ((char *)pip + 4*IP_HL(pip));
/* make sure there we could have a RTT sample */
if (!ACK_SET(ptcp))
return; /* no RTT info */
/* see which direction it is, if we don't know yet */
ptcb = ptp2ptcb(ptp,pip,ptcp);
if (ptcb == prttg->a2b.ptcb)
prtcb = &prttg->a2b;
else if (ptcb == prttg->b2a.ptcb)
prtcb = &prttg->b2a;
else {
fprintf(stderr,
"rttgraph_read: INTERNAL error (can't kind tcb)!!\n");
exit(1);
}
/* grab the RTT */
rtt_us = prtcb->ptcb->rtt_last;
if (rtt_us == 0.0)
return; /* not a valid sample */
/* convert to ms buckets */
rtt_ms = (u_long) (rtt_us / 1000.0);
if (debug && (rtt_ms == 0))
printf("rtt_ms is 0, rtt_us was %f\n", rtt_us);
/* add in the sample RTT */
AddSample(&prtcb->samples, rtt_ms);
}
void prepare_ip4ip(packetinfo *pi)
{
packetinfo pipi;
memset(&pipi, 0, sizeof(packetinfo));
config.p_s.ip4ip_recv++;
pipi.pheader = pi->pheader;
pipi.packet = (pi->packet + pi->eth_hlen + (IP_HL(pi->ip4) * 4));
pipi.end_ptr = pi->end_ptr;
if (pi->ip4->ip_p == IP_PROTO_IP4) {
prepare_ip4(&pipi);
parse_ip4(&pipi);
}
else {
prepare_ip6(&pipi);
parse_ip6(&pipi);
}
}
void sessionlist_processPacket(const unsigned char *packet,int packetHeaderLen)
{
unsigned char *payload;
unsigned int port;
int n,plen,size_ip,size_tcp;
struct sniff_ip *ip;
struct sniff_tcp *tcp;
char tether_src[128],tether_dst[128],tip_src[128],tip_dst[128];
//ether
n=snprintf(tether_dst,128,"%x:%x:%x:%x:%x:%x",((struct sniff_ethernet*)packet)->ether_dhost[0],
((struct sniff_ethernet*)packet)->ether_dhost[1],((struct sniff_ethernet*)packet)->ether_dhost[2],
((struct sniff_ethernet*)packet)->ether_dhost[3],((struct sniff_ethernet*)packet)->ether_dhost[4],
((struct sniff_ethernet*)packet)->ether_dhost[5]);
n=snprintf(tether_src,128,"%x:%x:%x:%x:%x:%x",((struct sniff_ethernet*)packet)->ether_shost[0],
((struct sniff_ethernet*)packet)->ether_shost[1],((struct sniff_ethernet*)packet)->ether_shost[2],
((struct sniff_ethernet*)packet)->ether_shost[3],((struct sniff_ethernet*)packet)->ether_shost[4],
((struct sniff_ethernet*)packet)->ether_shost[5]);
//ip
ip=((struct sniff_ip*)(packet+sizeof(struct sniff_ethernet)));
n=snprintf(tip_src,128,"%s",inet_ntoa(ip->ip_src));
n=snprintf(tip_dst,128,"%s",inet_ntoa(ip->ip_dst));
size_ip=IP_HL(ip)*4;
if(size_ip<20) { printf("invalid header len\n"); return; }
if(ip->ip_p!=IPPROTO_TCP) { printf("not tcp/ip\n"); return; }
//tcp
tcp=((struct sniff_tcp*)(packet+sizeof(struct sniff_ethernet)+size_ip));
size_tcp=TH_OFF(tcp)*4;
port=ntohs(tcp->th_dport);
payload=(unsigned char*)(packet+sizeof(struct sniff_ethernet)+size_ip+size_tcp);
plen=ntohs(ip->ip_len)-(size_ip+size_tcp);
if(DEBUG) printf("-----------------------------------------------------------------------\npayload size: %d\n",plen);
payload[plen]=0;
//process
if(plen<1) return;
updateSessionlist(tether_src,tether_dst,tip_src,tip_dst,port,payload,plen);
}
void my_callback(u_char* useless, const struct pcap_pkthdr* h,
const u_char* s) {
printf("ssss");
fflush(stdout);
struct tm *tm;
time_t timeStampSec;
char src_ip[SIZE_IP], dst_ip[SIZE_IP];
uint16_t src_port, dst_port;
timeStampSec = h->ts.tv_sec;
tm = localtime(&timeStampSec);
//ethernet = (struct sniff_ethernet*)(s);
sllhdr = (struct sll_header*)(s);
//iphdr = (struct sniff_ip *)(s + SIZE_ETHERNET);
iphdr = (struct sniff_ip *)(s + SLL_HDR_LEN);
size_iphdr = IP_HL(iphdr)*4;
if (size_iphdr < 20) {
printf(" * Invalid IP header length: %u bytes", size_iphdr);
return;
}
tcphdr = (struct sniff_tcp *)(s + SLL_HDR_LEN + size_iphdr);
size_tcphdr = TH_OFF(tcphdr)*4;
if (size_tcphdr < 20) {
printf(" * Invalid TCP header length: %u bytes\n", size_tcphdr);
return;
}
inet_ntop(AF_INET, (void *)&(iphdr->ip_src), src_ip, SIZE_IP);
inet_ntop(AF_INET, (void *)&(iphdr->ip_dst), dst_ip, SIZE_IP);
src_port = ntohs(tcphdr->th_sport);
dst_port = ntohs(tcphdr->th_dport);
//printf("%d-%d-%d %d:%d:%d caplen:%d len:%d %s:%d->%s:%d ip_total_bytes:%d\n\n",
printf("caplen:%d len:%d %s:%d->%s:%d ip_total_bytes:%d\n\n",
h->caplen, h->len,
src_ip, src_port, dst_ip, dst_port,
ntohs(iphdr->ip_len));
}
void process_packet(u_char *args,const struct pcap_pkthdr *header,const u_char *packet)
{
int len,offset,cnt=0;
u_char *data;
sniff_ethhdr = (HDR_ETHERNET *)packet;
// 엔디안을 형식에 알맞게 변환하여 비교를 해야함.
if(ntohs(sniff_ethhdr->ether_type)!=IP_V4)
return ;
sniff_ip = (HDR_IP *)(packet + sizeof(HDR_ETHERNET));
/*
* IP_HL(sniff_ip) 가 받아오는 값은 필드의 개수이다. 따라서 byte길이를 구하려면 IP_HL(sniff_ip)*4 를 해주어야 한다.
* 추가적으로 IP_HL의 필드 개수로 ip헤더인지 검증을 할 수 있고, optional 헤더의 여부도 알 수 있다.
*/
len = IP_HL(sniff_ip)*4;
if(len<20 || sniff_ip->protocol != PROTO_TCP)
return ;
sniff_tcp = (HDR_TCP *)(packet + sizeof(HDR_ETHERNET) + len);
offset = TH_OFF(sniff_tcp)*4;
data = (u_char *)(packet + sizeof(HDR_ETHERNET) + len + offset);
print_mac_address("Source Mac : ",sniff_ethhdr->ether_shost);
print_mac_address("Dest Mac : ",sniff_ethhdr->ether_dhost);
printf("Source IP Address : %s\n",inet_ntoa(sniff_ip->ip_src));
printf("Dest IP Address : %s\n",inet_ntoa(sniff_ip->ip_dst));
printf("Source Port : %d\n",ntohs(sniff_tcp->s_port));
printf("Dest Port : %d\n",ntohs(sniff_tcp->d_port));
printf("========================================== Data ==============================================\n");
while(*data!=NULL)
{
printf("%c",*data);
data++;
}
printf("==============================================================================================\n");
}
uint16_t handle_IP (u_char *args,const struct pcap_pkthdr* hdr,
const u_char *packet){
const struct my_ip *ip;
u_int length =hdr->len;
u_int hlen, off, version;
int len;
ip =(struct my_ip*)(packet+sizeof(struct ether_header));
length-=sizeof(struct ether_header);
// if IP hdr is smaller than the normal
if(length < sizeof(struct my_ip)){
printf("truncated ip %d",length);
return -1;
}
len =ntohs(ip->ip_len);
hlen =IP_HL(ip);
version =IP_V(ip);
if(version != 4){
printf("Unknown version\n");
return -1;
}
if(hlen < 5){
printf("error in IHL\n");
return -1;
}
if(length < len)
printf("\ntruncated IP - %d bytes missing\n", len-length);
off =ntohs(ip->ip_off);
printf("IP: ");
printf("%s ",inet_ntoa(ip->ip_src));
printf("%s %d %d %d %d\n",inet_ntoa(ip->ip_dst),hlen,version,
len,off);
return (uint16_t)ip->ip_p;
}
struct webscan_result *webscan_analyze_packet(const u_char *pcap_packet,
bool verbose) {
struct webscan_result *result = malloc(sizeof(struct webscan_result));
const struct sniff_ip *ip;
const struct sniff_tcp *tcp;
unsigned int size_ip;
int ttl, window;
time_t timestamp;
bool df;
vprint("Starting analysis\n");
bzero(result, sizeof(struct webscan_result));
// The magic is described here: http://www.tcpdump.org/pcap.htm
ip = (const struct sniff_ip*) (pcap_packet + SIZE_ETHERNET);
size_ip = IP_HL(ip) * 4;
// This one is pretty obvious. The TCP part starts right after the IP stuff.
tcp = (const struct sniff_tcp*) (pcap_packet + SIZE_ETHERNET + size_ip);
ttl = ip->ip_ttl;
window = ntohs(tcp->th_win);
if (size_ip < 20) {
fprintf(stderr, "ERROR: Invalid IP header length: %u bytes!\n", size_ip);
return NULL;
}
df = packet_is_dont_fragment(ip);
vprint("From:\t\t\t%s\n", inet_ntoa(ip->ip_src));
vprint("TTL:\t\t\t%d\n", ttl);
vprint("IP ID:\t\t\t%d\n", ntohs(ip->ip_id));
vprint("Don't Fragment Bit:\t%d\n", df);
vprint("Initial Window size:\t%d\n", window);
if (extract_timestamp_from_tcp(tcp, ×tamp) == 1) {
vprint("Raw Timestamp:\t\t%ld\n", timestamp);
result->uptime = time(NULL) - (timestamp / 100);
}
return result;
}
