/* dump_UDP_packet() * * This routine parses a packet, expecting Ethernet, IP, and UDP headers. * It extracts the UDP source and destination port numbers along with the UDP * packet length by casting structs over a pointer that we move through * the packet. We can do this sort of casting safely because libpcap * guarantees that the pointer will be aligned. * * The "ts" argument is the timestamp associated with the packet. * * Note that "capture_len" is the length of the packet *as captured by the * tracing program*, and thus might be less than the full length of the * packet. However, the packet pointer only holds that much data, so * we have to be careful not to read beyond it. */ void dump_UDP_packet(const unsigned char *packet, struct timeval ts, unsigned int capture_len) { struct ip *ip; struct UDP_hdr *udp; unsigned int IP_header_length; /* For simplicity, we assume Ethernet encapsulation. */ if (capture_len < sizeof(struct ether_header)) { /* We didn't even capture a full Ethernet header, so we * can't analyze this any further. */ too_short(ts, "Ethernet header"); return; } /* Skip over the Ethernet header. */ packet += sizeof(struct ether_header); capture_len -= sizeof(struct ether_header); if (capture_len < sizeof(struct ip)) { /* Didn't capture a full IP header */ too_short(ts, "IP header"); return; } ip = (struct ip*) packet; IP_header_length = ip->ip_hl * 4; /* ip_hl is in 4-byte words */ if (capture_len < IP_header_length) { /* didn't capture the full IP header including options */ too_short(ts, "IP header with options"); return; } if (ip->ip_p != IPPROTO_UDP) { problem_pkt(ts, "non-UDP packet"); return; } /* Skip over the IP header to get to the UDP header. */ packet += IP_header_length; capture_len -= IP_header_length; if (capture_len < sizeof(struct UDP_hdr)) { too_short(ts, "UDP header"); return; } udp = (struct UDP_hdr*) packet; printf("%s UDP src_port=%d dst_port=%d length=%d\n", timestamp_string(ts), ntohs(udp->uh_sport), ntohs(udp->uh_dport), ntohs(udp->uh_ulen)); }
int get_packet_meta(const unsigned char *packet, struct timeval ts, unsigned int capture_len, struct packet_meta *out) { /* For simplicity, we assume Ethernet encapsulation. */ if (capture_len < sizeof(struct ether_header)) { /* We didn't even capture a full Ethernet header, so we * can't analyze this any further. */ too_short(ts, "Ethernet header"); return 0; } /* Skip over the Ethernet header. */ packet += sizeof(struct ether_header); capture_len -= sizeof(struct ether_header); if (capture_len < sizeof(struct ip)) { /* Didn't capture a full IP header */ too_short(ts, "IP header"); return 0; } struct ip *ip = (struct ip*) packet; unsigned int IP_header_length = ip->ip_hl * 4; /* ip_hl is in 4-byte words */ if (capture_len < IP_header_length) { /* didn't capture the full IP header including options */ too_short(ts, "IP header with options"); return 0; } out->ipv4_src = ip->ip_src.s_addr; out->ipv4_dst = ip->ip_src.s_addr; /* Skip over the IP header to get to next layer. */ packet += IP_header_length; capture_len -= IP_header_length; if (ip->ip_p == IPPROTO_TCP) { // out->protocol = IPPROTO_TCP; if (capture_len < sizeof(struct tcphdr)) { too_short(ts, "TCP header"); return 0; } struct tcphdr *tcp = (struct tcphdr *) packet; out->dst_port = ntohs(tcp->th_dport); out->src_port = ntohs(tcp->th_sport); return 1; } else if (ip->ip_p == IPPROTO_UDP) { // out->protocol = IPPROTO_UDP; if (capture_len < sizeof(struct UDP_hdr)) { too_short(ts, "UDP header"); return 0; } struct UDP_hdr *udp = (struct UDP_hdr*) packet; out->dst_port = ntohs(udp->uh_dport); out->src_port = ntohs(udp->uh_sport); return 1; } else { puts("not UDP nor TCP, skip unknown protocol"); return 0; } }
void dump_TCP_packet(const unsigned char *packet, struct timeval ts, unsigned int capture_len) { struct ip *ip; struct TCP_hdr *tcp; unsigned int IP_header_length; unsigned int TCP_hdr_len = sizeof(struct TCP_hdr); /* For simplicity, we assume Ethernet encapsulation. */ if (capture_len < sizeof(struct ether_header)) { /* We didn't even capture a full Ethernet header, so we * can't analyze this any further. */ too_short(ts, "Ethernet header"); return; } /* Skip over the Ethernet header. */ packet += sizeof(struct ether_header); capture_len -= sizeof(struct ether_header); if (capture_len < sizeof(struct ip)) { /* Didn't capture a full IP header */ too_short(ts, "IP header"); return; } ip = (struct ip*) packet; IP_header_length = ip->ip_hl * 4; /* ip_hl is in 4-byte words */ if (capture_len < IP_header_length) { /* didn't capture the full IP header including options */ too_short(ts, "IP header with options"); return; } if (ip->ip_p != IPPROTO_TCP) { problem_pkt(ts, "non-TCP packet"); return; } /* Skip over the IP header to get to the UDP header.*/ packet += IP_header_length; capture_len -= IP_header_length; if (capture_len < sizeof(struct TCP_hdr)) { too_short(ts, "TCP header"); return; } tcp = (struct TCP_hdr*) packet; printf("%s UDP src_port=%d dst_port=%d length=%d\n", timestamp_string(ts), ntohs(tcp->th_sport), ntohs(tcp->th_dport), ntohs(tcp->th_seqnum)); switch(ntohs(udp->uh_sport)) { case TELNET: //Source port telnet packet += TCP_hdr_len; capture_len -= t TCP_hdr; process_telnet(packet, capture_len); break; case HTTP: break; default: //Unknown source port break; } switch(ntohs(udp->uh_dport)) { case TELNET: //Dest port telnet break; case HTTP: break; default: //Unknown dest port break; } }