/** Prints packet timestaps regardless of format*/ int _tmain(int argc, _TCHAR* argv[]) { char errbuf[PCAP_ERRBUF_SIZE]; wchar_t cmd[1024]; wchar_t tshark_path[MAX_PATH]; wchar_t file_path[MAX_PATH]; if ( argc != 3 ) { wprintf(L"Prints packet timestaps regardless of format.\n"); wprintf(L"Usage:\n\t%ls <tshark path> <trace file>\n", argv[0]); return 1; } // conversion to short path name in case there are spaces if ( ! GetShortPathNameW(argv[1], tshark_path, MAX_PATH) || ! GetShortPathNameW(argv[2], file_path, MAX_PATH) ) { printf("Failed to convert paths to short form."); return 1; } // create tshark command, which will make the trace conversion and print in libpcap format to stdout if ( swprintf_s(cmd, 1024, L"%ls -r %ls -w - -F libpcap", tshark_path, file_path) < 0 ) { wprintf(L"Failed to create command\n"); return 1; } // start tshark FILE *tshark_out = _wpopen(cmd, L"rb"); if ( tshark_out == NULL ) { strerror_s(errbuf, PCAP_ERRBUF_SIZE, errno); printf("Failed run tshark: %s\n", errbuf); wprintf(L"Command: %ls", cmd); return 1; } // open stdout from tshark pcap_t *pcap = pcap_fopen_offline(tshark_out, errbuf); if ( pcap == NULL ) { printf("Error opening stream from tshark: %s\n", errbuf); return 1; } // print information about every packet int trace struct pcap_pkthdr hdr; while ( pcap_next(pcap, &hdr) ) { printf("packet: ts: %u.%06u, len: %4u, caplen: %4u\n", hdr.ts.tv_sec, hdr.ts.tv_usec, hdr.len, hdr.caplen); } // clean up pcap_close(pcap); _pclose(tshark_out); return 0; }
static ifreader_t interface_open(const char *target, int channel) { interface_handle_t *handle; char errbuf[PCAP_ERRBUF_SIZE]; handle = (interface_handle_t *) calloc(1, sizeof(interface_handle_t)); if(!handle) return NULL; handle->capture_packets = false; handle->pf = fopen(target, "r"); if(handle->pf == NULL) { fprintf(stderr, "Cannot open target %s: %s\n", target, strerror(errno)); free(handle); return NULL; } handle->pc = pcap_fopen_offline(handle->pf, errbuf); if(handle->pc == NULL) { fprintf(stderr, "Cannot read target %s: %s\n", target, errbuf); fclose(handle->pf); free(handle); return NULL; } ifreader_t instance = interfacemgr_create_handle(target); instance->interface_data = handle; if(pcap_datalink(handle->pc) == DLT_EN10MB) { instance->ethernet = true; } else if(pcap_datalink(handle->pc) == DLT_IEEE802_15_4 ) { instance->ethernet = false; instance->fcs = true; } else if ( pcap_datalink(handle->pc) == DLT_IEEE802_15_4_NOFCS) { instance->ethernet = false; instance->fcs = false; } else { fprintf(stderr, "This program only supports 802.15.4 and Ethernet encapsulated 802.15.4 sniffers (DLT: %d)\n", pcap_datalink(handle->pc)); free(handle); return NULL; } handle->first_offset = ftell(handle->pf); return instance; }
pcap_t * pcap_open_offline(const char *fname, char *errbuf) { pcap_t *p; FILE *fp; if (fname[0] == '-' && fname[1] == '\0') fp = stdin; else { fp = fopen(fname, "r"); if (fp == NULL) { snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", fname, pcap_strerror(errno)); return (NULL); } } p = pcap_fopen_offline(fp, errbuf); if (p == NULL) { if (fp != stdin) fclose(fp); } return (p); }
int main(int argc, char *argv[]) { const char *from_dev = NULL; /* Capture from device */ const char *from_file = NULL; /* Read from pcap file */ int from_stdin = 0; /* Read from stdin */ pcap_t *in; /* PCAP input handle */ int limit = -1; /* How many packets to sniff */ char errbuf[PCAP_ERRBUF_SIZE]; /* Error buffer */ char *to_file = NULL; /* PCAP output file */ char *pcap_filter = NULL; /* PCAP filter string */ char *radius_filter = NULL; int port = 1812; struct bpf_program fp; /* Holds compiled filter */ bpf_u_int32 ip_mask = PCAP_NETMASK_UNKNOWN; /* Device Subnet mask */ bpf_u_int32 ip_addr = 0; /* Device IP */ char buffer[1024]; int opt; FR_TOKEN parsecode; const char *radius_dir = RADIUS_DIR; fr_debug_flag = 2; log_dst = stdout; /* * Get options */ while ((opt = getopt(argc, argv, "c:d:Ff:hi:I:p:qr:s:Svw:xX")) != EOF) { switch (opt) { case 'c': limit = atoi(optarg); if (limit <= 0) { fprintf(stderr, "radsniff: Invalid number of packets \"%s\"\n", optarg); exit(1); } break; case 'd': radius_dir = optarg; break; case 'F': from_stdin = 1; to_stdout = 1; break; case 'f': pcap_filter = optarg; break; case 'h': usage(0); break; case 'i': from_dev = optarg; break; case 'I': from_file = optarg; break; case 'p': port = atoi(optarg); break; case 'q': if (fr_debug_flag > 0) { fr_debug_flag--; } break; case 'r': radius_filter = optarg; break; case 's': radius_secret = optarg; break; case 'S': do_sort = 1; break; case 'v': INFO(log_dst, "%s %s\n", radsniff_version, pcap_lib_version()); exit(0); break; case 'w': to_file = optarg; break; case 'x': case 'X': fr_debug_flag++; break; default: usage(64); } } /* What's the point in specifying -F ?! */ if (from_stdin && from_file && to_file) { usage(64); } /* Can't read from both... */ if (from_file && from_dev) { usage(64); } /* Reading from file overrides stdin */ if (from_stdin && (from_file || from_dev)) { from_stdin = 0; } /* Writing to file overrides stdout */ if (to_file && to_stdout) { to_stdout = 0; } /* * If were writing pcap data stdout we *really* don't want to send * logging there as well. */ log_dst = to_stdout ? stderr : stdout; #if !defined(HAVE_PCAP_FOPEN_OFFLINE) || !defined(HAVE_PCAP_DUMP_FOPEN) if (from_stdin || to_stdout) { fprintf(stderr, "radsniff: PCAP streams not supported.\n"); exit(64); } #endif if (!pcap_filter) { pcap_filter = buffer; snprintf(buffer, sizeof(buffer), "udp port %d or %d or %d", port, port + 1, 3799); } /* * There are times when we don't need the dictionaries. */ if (!to_stdout) { if (dict_init(radius_dir, RADIUS_DICTIONARY) < 0) { fr_perror("radsniff"); exit(64); } } if (radius_filter) { parsecode = userparse(radius_filter, &filter_vps); if (parsecode == T_OP_INVALID) { fprintf(stderr, "radsniff: Invalid RADIUS filter \"%s\" (%s)\n", radius_filter, fr_strerror()); exit(64); } if (!filter_vps) { fprintf(stderr, "radsniff: Empty RADIUS filter \"%s\"\n", radius_filter); exit(64); } filter_tree = rbtree_create((rbcmp) fr_packet_cmp, free, 0); if (!filter_tree) { fprintf(stderr, "radsniff: Failed creating filter tree\n"); exit(1); } } /* * Setup the request tree */ request_tree = rbtree_create((rbcmp) fr_packet_cmp, free, 0); if (!request_tree) { fprintf(stderr, "radsniff: Failed creating request tree\n"); exit(1); } /* * Allocate a null packet for decrypting attributes in CoA requests */ nullpacket = rad_alloc(NULL, 0); if (!nullpacket) { fprintf(stderr, "radsniff: Out of memory\n"); exit(1); } /* * Get the default capture device */ if (!from_stdin && !from_file && !from_dev) { from_dev = pcap_lookupdev(errbuf); if (!from_dev) { fprintf(stderr, "radsniff: Failed discovering default interface (%s)\n", errbuf); exit(1); } INFO(log_dst, "Capturing from interface \"%s\"\n", from_dev); } /* * Print captures values which will be used */ if (fr_debug_flag > 2) { DEBUG1(log_dst, "Sniffing with options:\n"); if (from_dev) DEBUG1(log_dst, " Device : [%s]\n", from_dev); if (limit > 0) DEBUG1(log_dst, " Capture limit (packets) : [%d]\n", limit); DEBUG1(log_dst, " PCAP filter : [%s]\n", pcap_filter); DEBUG1(log_dst, " RADIUS secret : [%s]\n", radius_secret); if (filter_vps){DEBUG1(log_dst, " RADIUS filter :\n"); vp_printlist(log_dst, filter_vps); } } /* * Figure out whether were doing a reading from a file, doing a live * capture or reading from stdin. */ if (from_file) { in = pcap_open_offline(from_file, errbuf); #ifdef HAVE_PCAP_FOPEN_OFFLINE } else if (from_stdin) { in = pcap_fopen_offline(stdin, errbuf); #endif } else if (from_dev) { pcap_lookupnet(from_dev, &ip_addr, &ip_mask, errbuf); in = pcap_open_live(from_dev, 65536, 1, 1, errbuf); } else { fprintf(stderr, "radsniff: No capture devices available\n"); } if (!in) { fprintf(stderr, "radsniff: Failed opening input (%s)\n", errbuf); exit(1); } if (to_file) { out = pcap_dump_open(in, to_file); if (!out) { fprintf(stderr, "radsniff: Failed opening output file (%s)\n", pcap_geterr(in)); exit(1); } #ifdef HAVE_PCAP_DUMP_FOPEN } else if (to_stdout) { out = pcap_dump_fopen(in, stdout); if (!out) { fprintf(stderr, "radsniff: Failed opening stdout (%s)\n", pcap_geterr(in)); exit(1); } #endif } /* * Apply the rules */ if (pcap_compile(in, &fp, pcap_filter, 0, ip_mask) < 0) { fprintf(stderr, "radsniff: Failed compiling PCAP filter (%s)\n", pcap_geterr(in)); exit(1); } if (pcap_setfilter(in, &fp) < 0) { fprintf(stderr, "radsniff: Failed applying PCAP filter (%s)\n", pcap_geterr(in)); exit(1); } /* * Enter the main capture loop... */ pcap_loop(in, limit, got_packet, NULL); /* * ...were done capturing. */ pcap_close(in); if (out) { pcap_dump_close(out); } if (filter_tree) { rbtree_free(filter_tree); } INFO(log_dst, "Done sniffing\n"); return 0; }
int main(int argc, char * argv[]) { char *ival = NULL; char *rval = NULL; char *sval = NULL; char *bpf = NULL; char errbuf[PCAP_ERRBUF_SIZE]; int index; int c; int rtn; bpf_u_int32 mask = 0; bpf_u_int32 net = 0; struct bpf_program fp; FILE *pcap_file = NULL; opterr = 0; while ((c = getopt (argc, argv, "i:r:s:")) != -1) { switch (c) { case 'h': print_help(stdout); exit(EXIT_SUCCESS); break; case 'i': ival = optarg; break; case 'r': rval = optarg; break; case 's': sval = optarg; break; case '?': if (optopt == 'c') fprintf (stderr, "Option -%c requires an argument.\n", optopt); else if (isprint (optopt)) fprintf (stderr, "Unknown option `-%c'.\n", optopt); else fprintf (stderr, "Unknown option character `\\x%x'.\n", optopt); print_help(stderr); return 1; default: abort (); } } printf ("i = %s, r = %s, s = %s\n", ival, rval, sval); for (index = optind; index < argc; index++) { bpf = argv[index]; if(index > optind) { fprintf(stderr, "Please put BPF in quotes\n"); exit(EXIT_FAILURE); } //printf ("Non-option argument %s\n", argv[index]); } if(rval != NULL) { pcap_file = fopen(rval, "r"); if(pcap_file == NULL) { perror(NULL); exit(EXIT_FAILURE); } handle = pcap_fopen_offline(pcap_file, errbuf); if (handle == NULL) { fprintf(stderr, "Could not open pcap file: %s\n", errbuf); return(2); } } else { if(ival == NULL) { ival = pcap_lookupdev(errbuf); if(ival == NULL) { fprintf(stderr, "Couldn't find default device: %s\n", errbuf); return(2); } else { printf("sniffing on: %s\n", ival); } } if (pcap_lookupnet(ival, &net, &mask, errbuf) == -1) { fprintf(stderr, "Couldn't get netmask for device %s: %s\n", ival, errbuf); net = 0; mask = 0; } handle = pcap_open_live(ival, BUFSIZ, 1, 1000, errbuf); if (handle == NULL) { fprintf(stderr, "Couldn't find default device: %s\n", errbuf); return(2); } } if(bpf != NULL) { if (pcap_compile(handle, &fp, bpf, 0, net) == -1) { fprintf(stderr, "Couldn't parse filter %s: %s\n", bpf, pcap_geterr(handle)); return(2); } if (pcap_setfilter(handle, &fp) == -1) { fprintf(stderr, "Couldn't install filter %s: %s\n", bpf, pcap_geterr(handle)); return(2); } } signal(SIGINT, int_handler); rtn = pcap_loop(handle, -1, got_packet, (u_char*)sval); if(rtn == -1) { fprintf(stderr, "%s\n", pcap_geterr(handle)); return EXIT_FAILURE; } pcap_close(handle); return EXIT_SUCCESS; }
/** Open a PCAP handle abstraction * * This opens interfaces for capture or injection, or files/streams for reading/writing. * @param pcap created with fr_pcap_init. * @return 0 on success, -1 on error. */ int fr_pcap_open(fr_pcap_t *pcap) { switch (pcap->type) { case PCAP_INTERFACE_OUT: case PCAP_INTERFACE_IN: { #if defined(HAVE_PCAP_CREATE) && defined(HAVE_PCAP_ACTIVATE) pcap->handle = pcap_create(pcap->name, pcap->errbuf); if (!pcap->handle) { fr_strerror_printf("%s", pcap->errbuf); return -1; } if (pcap_set_snaplen(pcap->handle, SNAPLEN) != 0) { create_error: fr_strerror_printf("%s", pcap_geterr(pcap->handle)); pcap_close(pcap->handle); pcap->handle = NULL; return -1; } if (pcap_set_timeout(pcap->handle, PCAP_NONBLOCK_TIMEOUT) != 0) { goto create_error; } if (pcap_set_promisc(pcap->handle, pcap->promiscuous) != 0) { goto create_error; } if (pcap_set_buffer_size(pcap->handle, SNAPLEN * (pcap->buffer_pkts ? pcap->buffer_pkts : PCAP_BUFFER_DEFAULT)) != 0) { goto create_error; } if (pcap_activate(pcap->handle) != 0) { goto create_error; } #else /* * Alternative functions for libpcap < 1.0 */ pcap->handle = pcap_open_live(pcap->name, SNAPLEN, pcap->promiscuous, PCAP_NONBLOCK_TIMEOUT, pcap->errbuf); if (!pcap->handle) { fr_strerror_printf("%s", pcap->errbuf); return -1; } #endif /* * Despite accepting an errbuff, pcap_setnonblock doesn't seem to write * error message there in newer versions. */ if (pcap_setnonblock(pcap->handle, true, pcap->errbuf) != 0) { fr_strerror_printf("%s", *pcap->errbuf != '\0' ? pcap->errbuf : pcap_geterr(pcap->handle)); pcap_close(pcap->handle); pcap->handle = NULL; return -1; } pcap->fd = pcap_get_selectable_fd(pcap->handle); pcap->link_layer = pcap_datalink(pcap->handle); #ifndef __linux__ { int value = 1; if (ioctl(pcap->fd, BIOCIMMEDIATE, &value) < 0) { fr_strerror_printf("Failed setting BIOCIMMEDIATE: %s", fr_syserror(errno)); } } #endif } break; case PCAP_FILE_IN: pcap->handle = pcap_open_offline(pcap->name, pcap->errbuf); if (!pcap->handle) { fr_strerror_printf("%s", pcap->errbuf); return -1; } pcap->fd = pcap_get_selectable_fd(pcap->handle); pcap->link_layer = pcap_datalink(pcap->handle); break; case PCAP_FILE_OUT: if (pcap->link_layer < 0) { pcap->link_layer = DLT_EN10MB; } pcap->handle = pcap_open_dead(pcap->link_layer, SNAPLEN); if (!pcap->handle) { fr_strerror_printf("Unknown error occurred opening dead PCAP handle"); return -1; } pcap->dumper = pcap_dump_open(pcap->handle, pcap->name); if (!pcap->dumper) { fr_strerror_printf("%s", pcap_geterr(pcap->handle)); return -1; } break; #ifdef HAVE_PCAP_FOPEN_OFFLINE case PCAP_STDIO_IN: pcap->handle = pcap_fopen_offline(stdin, pcap->errbuf); if (!pcap->handle) { fr_strerror_printf("%s", pcap->errbuf); return -1; } pcap->fd = pcap_get_selectable_fd(pcap->handle); pcap->link_layer = pcap_datalink(pcap->handle); break; #else case PCAP_STDIO_IN: fr_strerror_printf("This version of libpcap does not support reading pcap data from streams"); return -1; #endif #ifdef HAVE_PCAP_DUMP_FOPEN case PCAP_STDIO_OUT: pcap->handle = pcap_open_dead(DLT_EN10MB, SNAPLEN); pcap->dumper = pcap_dump_fopen(pcap->handle, stdout); if (!pcap->dumper) { fr_strerror_printf("%s", pcap_geterr(pcap->handle)); return -1; } break; #else case PCAP_STDIO_OUT: fr_strerror_printf("This version of libpcap does not support writing pcap data to streams"); return -1; #endif case PCAP_INVALID: default: fr_assert(0); fr_strerror_printf("Bad handle type (%i)", pcap->type); return -1; } return 0; }
int offline_capture(FILE *fcapture) { struct bpf_program bpf; char errbuf[PCAP_ERRBUF_SIZE]; char filter[300]; char ports_str[256]; char **ports; int r, n_ports; pcap = pcap_fopen_offline(fcapture, errbuf); if (!pcap) { LOGGER(ERROR, "pcap: %s\n", errbuf); return 1; } if(port) { int i, n = 0 ; ports = split_string(port, strlen(port), ",", 1, &n_ports); if(n_ports > 10) { LOGGER(ERROR, "it's unscientific to listen so many ports.\n", errbuf); return 1; } n = snprintf(ports_str, 256, "tcp port %s", ports[0]); for(i = 1; i < n_ports; i++) { n += snprintf(ports_str + n, 256, " or tcp port %s", ports[i]); } split_string_free(ports, n_ports); } // Capture only TCP if (global_options.server && n_ports) { sprintf(filter, "host %s and (%s)", global_options.server, ports_str); } else if (global_options.server && !n_ports) { sprintf(filter, "host %s", global_options.server); } else if (!global_options.server && n_ports) { sprintf(filter, "(%s)", ports_str); } else { sprintf(filter, "tcp"); } if (pcap_compile(pcap, &bpf, filter, 1, 0)) { LOGGER(ERROR, "pcap: %s\n", pcap_geterr(pcap)); return 1; } if (pcap_setfilter(pcap, &bpf)) { LOGGER(ERROR, "pcap: %s\n", pcap_geterr(pcap)); return 1; } // The -1 here stands for "infinity" r = pcap_loop(pcap, -1, process_packet, (unsigned char *) pcap); if (r == -1) { LOGGER(ERROR, "pcap: %s\n", pcap_geterr(pcap)); return 1; } return 1; }
PcapInterface::PcapInterface(const char *name) : NetworkInterface(name) { char pcap_error_buffer[PCAP_ERRBUF_SIZE]; struct stat buf; pcap_handle = NULL, pcap_list = NULL; if((stat(name, &buf) == 0) || (name[0] == '-')) { /* The file exists so we need to check if it's a text file or a pcap file */ if(strcmp(name, "-") == 0) { /* stdin */ pcap_handle = pcap_fopen_offline(stdin, pcap_error_buffer); pcap_datalink_type = DLT_EN10MB; } else if((pcap_handle = pcap_open_offline(ifname, pcap_error_buffer)) == NULL) { if((pcap_list = fopen(name, "r")) == NULL) { ntop->getTrace()->traceEvent(TRACE_ERROR, "Unable to open file %s", name); exit(0); } else read_pkts_from_pcap_dump = true; } else { char *slash = strrchr(ifname, '/'); if(slash) { char *old = ifname; ifname = strdup(&slash[1]); free(old); } ntop->getTrace()->traceEvent(TRACE_NORMAL, "Reading packets from pcap file %s...", ifname); read_pkts_from_pcap_dump = true, purge_idle_flows_hosts = false; pcap_datalink_type = pcap_datalink(pcap_handle); } } else { pcap_handle = pcap_open_live(ifname, ntop->getGlobals()->getSnaplen(), ntop->getPrefs()->use_promiscuous(), 500, pcap_error_buffer); if(pcap_handle) { char *bl = strrchr(ifname, #ifdef WIN32 '\\' #else '/' #endif ); if(bl != NULL) { char *tmp = ifname; ifname = strdup(&bl[1]); free(tmp); } ntop->getTrace()->traceEvent(TRACE_NORMAL, "Reading packets from interface %s...", ifname); read_pkts_from_pcap_dump = false; pcap_datalink_type = pcap_datalink(pcap_handle); } } if(ntop->getPrefs()->are_ixia_timestamps_enabled()) ntop->getTrace()->traceEvent(TRACE_WARNING, "Hardware timestamps are supported only on PF_RING capture interfaces"); }
static pcap_dev_t *setup_pcap_Ffile(FILE *fp, char *filter, int snaplen) { pcap_t *handle; pcap_dev_t *pcap_dev; char errbuf[PCAP_ERRBUF_SIZE]; uint32_t linkoffset, linktype; dbg_printf("Enter function: %s\n", __FUNCTION__); if ( !fp ) return NULL; handle = pcap_fopen_offline(fp, errbuf); if (handle == NULL) { LogError("Couldn't attach FILE handle %s", errbuf); return NULL; } if ( filter ) { struct bpf_program filter_code; bpf_u_int32 netmask = 0; // Compile and apply the filter if (pcap_compile(handle, &filter_code, filter, 0, netmask) == -1) { LogError("Couldn't parse filter %s: %s", filter, pcap_geterr(handle)); return NULL; } if (pcap_setfilter(handle, &filter_code) == -1) { LogError("Couldn't install filter %s: %s", filter, pcap_geterr(handle)); return NULL; } } linkoffset = 0; linktype = pcap_datalink(handle); switch ( linktype ) { case DLT_RAW: linkoffset = 0; break; case DLT_PPP: linkoffset = 2; break; case DLT_NULL: linkoffset = 4; break; case DLT_LOOP: linkoffset = 14; break; case DLT_EN10MB: linkoffset = 14; break; case DLT_LINUX_SLL: linkoffset = 16; break; case DLT_IEEE802_11: linkoffset = 22; break; default: LogError("Unsupported data link type %i", linktype); return NULL; } pcap_dev = (pcap_dev_t *)calloc(1, sizeof(pcap_dev_t)); if ( !pcap_dev ) { LogError("malloc() error in %s line %d: %s\n", __FILE__, __LINE__, strerror(errno) ); return NULL; } pcap_dev->handle = handle; pcap_dev->snaplen = snaplen; pcap_dev->linkoffset = linkoffset; pcap_dev->linktype = linktype; return pcap_dev; } // End of setup_pcap_file
/** Open a PCAP handle abstraction * * This opens interfaces for capture or injection, or files/streams for reading/writing. * @param pcap created with fr_pcap_init. * @return 0 on success, -1 on error. */ int fr_pcap_open(fr_pcap_t *pcap) { switch (pcap->type) { case PCAP_INTERFACE_OUT: case PCAP_INTERFACE_IN: pcap->handle = pcap_open_live(pcap->name, SNAPLEN, true, PCAP_NONBLOCK_TIMEOUT, pcap->errbuf); if (!pcap->handle) { fr_strerror_printf("%s", pcap->errbuf); return -1; } pcap->fd = pcap_get_selectable_fd(pcap->handle); #ifndef __linux__ { int value = 1; if (ioctl(pcap->fd, BIOCIMMEDIATE, &value) < 0) { fr_strerror_printf("Failed setting BIOCIMMEDIATE: %s", fr_syserror(errno)); } } #endif break; case PCAP_FILE_IN: pcap->handle = pcap_open_offline(pcap->name, pcap->errbuf); if (!pcap->handle) { fr_strerror_printf("%s", pcap->errbuf); return -1; } break; case PCAP_FILE_OUT: pcap->handle = pcap_open_dead(DLT_EN10MB, SNAPLEN); pcap->dumper = pcap_dump_open(pcap->handle, pcap->name); if (!pcap->dumper) { fr_strerror_printf("%s", pcap->errbuf); return -1; } break; #ifdef HAVE_PCAP_FOPEN_OFFLINE case PCAP_STDIO_IN: pcap->handle = pcap_fopen_offline(stdin, pcap->errbuf); if (!pcap->handle) { fr_strerror_printf("%s", pcap->errbuf); return -1; } break; #else case PCAP_STDIO_IN: fr_strerror_printf("This version of libpcap does not support reading pcap data from streams"); return -1; #endif #ifdef HAVE_PCAP_DUMP_FOPEN case PCAP_STDIO_OUT: pcap->handle = pcap_open_dead(DLT_EN10MB, SNAPLEN); pcap->dumper = pcap_dump_fopen(pcap->handle, stdout); if (!pcap->dumper) { fr_strerror_printf("%s", pcap_geterr(pcap->handle)); return -1; } break; #else case PCAP_STDIO_OUT: fr_strerror_printf("This version of libpcap does not support writing pcap data to streams"); return -1; #endif case PCAP_INVALID: default: fr_assert(0); return -1; } return 0; }
int main(int argc,char *argv[]) { char *dev,errbuf[PCAP_ERRBUF_SIZE]; pcap_t *handle; /* Session handle */ struct bpf_program fp; /* compiled filter expression */ char filter_exp[]="ether proto \\ip"; //"ip proto \\udp or \\tcp or \\icmp"; /* Filter expression */ bpf_u_int32 mask; /* netmask of sniffing device */ bpf_u_int32 net; /* IP address of const struct pcap_pkthdrsniffing device */ struct sigaction *act_alarm,*act_int; struct pcap_pkthdr header; const u_char *packet=NULL; act_alarm=(struct sigaction*)malloc(sizeof(struct sigaction)); act_int=(struct sigaction*)malloc(sizeof(struct sigaction)); memset(act_alarm,'\0',sizeof(act_alarm)); memset(act_int,'\0',sizeof(act_int)); act_alarm->sa_handler=alarm_printhandler; sigemptyset(&act_alarm->sa_mask); act_alarm->sa_flags=0; sigaction(SIGALRM,act_alarm,NULL); act_int->sa_handler=INT_handler; sigemptyset(&act_int->sa_mask); act_int->sa_flags=0; sigaction(SIGINT,act_int,NULL); if(gettimeofday(¤t_time,NULL) != 0) { fprintf(stderr,"Error in gettimeofday(): %s\n",strerror(errno)); exit(1); } /* Handle commandline here */ memset(interface,'\0',sizeof(interface)); memset(filename,'\0',sizeof(filename)); memset(my_ip,'\0',sizeof(my_ip)); handle_commandline(argc,argv); newvalue=(struct itimerval*)malloc(sizeof(struct itimerval)); newvalue->it_interval.tv_sec=epoch; newvalue->it_interval.tv_usec=0; newvalue->it_value.tv_sec=epoch; newvalue->it_value.tv_usec=0; setitimer(ITIMER_REAL,newvalue,NULL); /* fetch ip address */ getifaddrs(&addr); while(addr) { if(addr->ifa_addr && addr->ifa_addr->sa_family == AF_INET && strcmp(addr->ifa_name,interface)==0) { struct sockaddr_in *paddr = (struct sockaddr_in *)addr->ifa_addr; //fprintf(stdout,"%s %s\n",addr->ifa_name,inet_ntoa(paddr->sin_addr)); //project strcpy(filename,inet_ntoa(paddr->sin_addr)); strcpy(my_ip,inet_ntoa(paddr->sin_addr)); break; } addr = addr->ifa_next; } //printf("Filename: %s",filename); if(epoch == 0) { epoch=1; // default is 1 sec } if(interface[0] == '\0') { dev=" "; } else { dev=interface; } //fprintf(stdout,"Device is %s\n",dev); /* Lookup network */ if(pcap_lookupnet(dev,&net,&mask,errbuf) == -1) { //fprintf(stderr, "Can't get netmask for device %s\n", dev); net = 0; mask = 0; } //printf("IP: %d\n",net); //printf("Mask: %d\n",mask); /* Opening device for sniffing */ if(read_file == NULL) { if((handle=pcap_create(dev,errbuf)) == NULL) { fprintf(stderr,"Error in pcap_create: %s",errbuf); exit(1); } if(pcap_set_promisc(handle,5) == PCAP_ERROR_ACTIVATED || pcap_set_timeout(handle,epoch*1000) == PCAP_ERROR_ACTIVATED ) { fprintf(stderr,"Capture handle already activated"); exit(1); } pcap_activate(handle); } else { filer=fopen(read_file,"r"); /* block the alarm handler too */ sigaddset(&act_alarm->sa_mask,SIGALRM); sigprocmask(SIG_BLOCK,&act_alarm->sa_mask,NULL); if(filer == NULL) { perror("Error in fopen file"); exit(1); } handle=pcap_fopen_offline(filer,errbuf); if(handle == NULL) { fprintf(stderr,"Error in pcap_open_offline(): %s",errbuf); exit(1); } } if(write_file != NULL) { filew=fopen(write_file,"w"); } if(handle == NULL) { fprintf(stderr,"Couldn't open device %s: %s\n",dev,errbuf); exit(1); } /* Determine the type of link-headers the device provides */ if(pcap_datalink(handle) != DLT_EN10MB) { fprintf(stderr,"Usage: ./traffana -v [-r filename] [-i interface] [-T epoch] [-w filename]\n"); exit(1); } /* Complie filter */ if(pcap_compile(handle,&fp, filter_exp,0,net) == -1) { fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle)); exit(1); } /* Set filter */ if (pcap_setfilter(handle, &fp) == -1) { fprintf(stderr, "Couldn't install filter %s: %s\n", filter_exp, pcap_geterr(handle)); exit(1); } /* set the diection */ //pcap_setdirection(handle,PCAP_D_IN); /* Grab the packets */ if(read_file == NULL) { err_loop=pcap_loop(handle,-1,got_packet,(u_char *)filew); // count -1 or 0 for infinity packets AND pass argument the name // of th file if(err_loop == -1) { pcap_perror(handle,errbuf); fprintf(stderr,"Error in pcap_loop(): %s\n",errbuf); exit(1); } } if(read_file !=NULL) { while((packet = pcap_next(handle,&header))!=NULL) { got_packet(0,&header,packet); } } /* Close session */ if(read_file != NULL) { print_readfile_stats(sec1,usec1); /* to read the last epoch */ } pcap_freecode(&fp); pcap_close(handle); return 0; }
/** Prints packet timestaps regardless of format*/ int _tmain(int argc, _TCHAR* argv[]) { char errbuf[PCAP_ERRBUF_SIZE]; _TCHAR cmd[1024]; _TCHAR tshark_path[MAX_PATH]; _TCHAR file_path[MAX_PATH]; /* Load Npcap and its functions. */ if (!LoadNpcapDlls()) { fprintf(stderr, "Couldn't load Npcap\n"); exit(1); } if ( argc != 3 ) { _tprintf(_T("Prints packet timestaps regardless of format.\n")); _tprintf(_T("Usage:\n\t%s <tshark path> <trace file>\n"), argv[0]); return 1; } // conversion to short path name in case there are spaces if ( ! GetShortPathName(argv[1], tshark_path, MAX_PATH) || ! GetShortPathName(argv[2], file_path, MAX_PATH) ) { _tprintf(_T("Failed to convert paths to short form.")); return 1; } // create tshark command, which will make the trace conversion and print in libpcap format to stdout if ( _stprintf_s(cmd, 1024, _T("%s -r %s -w - -F libpcap"), tshark_path, file_path) < 0 ) { _tprintf(_T("Failed to create command\n")); return 1; } // start tshark FILE *tshark_out = _tpopen(cmd, _T("rb")); if ( tshark_out == NULL ) { strerror_s(errbuf, PCAP_ERRBUF_SIZE, errno); printf("Failed run tshark: %s\n", errbuf); _tprintf(_T("Command: %s"), cmd); return 1; } // open stdout from tshark pcap_t *pcap = pcap_fopen_offline(tshark_out, errbuf); if ( pcap == NULL ) { printf("Error opening stream from tshark: %s\n", errbuf); return 1; } // print information about every packet int trace struct pcap_pkthdr hdr; while ( pcap_next(pcap, &hdr) ) { printf("packet: ts: %u.%06u, len: %4u, caplen: %4u\n", hdr.ts.tv_sec, hdr.ts.tv_usec, hdr.len, hdr.caplen); } // clean up pcap_close(pcap); _pclose(tshark_out); return 0; }