/**
* post AutoGen argument processing
*/
void
post_args(_U_ int argc, _U_ char *argv[])
{
char ebuf[PCAP_ERRBUF_SIZE];
#ifdef DEBUG
if (HAVE_OPT(DBUG))
debug = OPT_VALUE_DBUG;
#else
if (HAVE_OPT(DBUG))
warn("not configured with --enable-debug. Debugging disabled.");
#endif
#ifdef ENABLE_VERBOSE
if (HAVE_OPT(VERBOSE))
options.verbose = 1;
if (HAVE_OPT(DECODE))
tcpdump.args = safe_strdup(OPT_ARG(DECODE));
#endif
#ifdef ENABLE_FRAGROUTE
if (HAVE_OPT(FRAGROUTE))
options.fragroute_args = safe_strdup(OPT_ARG(FRAGROUTE));
options.fragroute_dir = FRAGROUTE_DIR_BOTH;
if (HAVE_OPT(FRAGDIR)) {
if (strcmp(OPT_ARG(FRAGDIR), "c2s") == 0) {
options.fragroute_dir = FRAGROUTE_DIR_C2S;
} else if (strcmp(OPT_ARG(FRAGDIR), "s2c") == 0) {
options.fragroute_dir = FRAGROUTE_DIR_S2C;
} else if (strcmp(OPT_ARG(FRAGDIR), "both") == 0) {
options.fragroute_dir = FRAGROUTE_DIR_BOTH;
} else {
errx(-1, "Unknown --fragdir value: %s", OPT_ARG(FRAGDIR));
}
}
#endif
/* open up the input file */
options.infile = safe_strdup(OPT_ARG(INFILE));
if ((options.pin = pcap_open_offline(options.infile, ebuf)) == NULL)
errx(-1, "Unable to open input pcap file: %s", ebuf);
#ifdef HAVE_PCAP_SNAPSHOT
if (pcap_snapshot(options.pin) < 65535)
warnx("%s was captured using a snaplen of %d bytes. This may mean you have truncated packets.",
options.infile, pcap_snapshot(options.pin));
#endif
}
pcap_parser_file *
pcap_file_open(char *filename)
{
char errbuf[PCAP_ERRBUF_SIZE];
pcap_parser_file *thefile;
struct stat result;
thefile = malloc(sizeof(pcap_parser_file));
thefile->packetnum = 0;
thefile->dnspacketnum = 0;
if (stat(filename, &result) != 0) {
fatal("File %s does not exist or is not accessible: %s", filename, strerror(errno));
}
thefile->size = result.st_size;
thefile->creation = result.st_ctime;
thefile->firstpacket.tv_sec = 0;
thefile->firstpacket.tv_usec = 0;
thefile->lastpacket.tv_sec = 0;
thefile->lastpacket.tv_usec = 0;
thefile->handle = pcap_open_offline(filename, errbuf);
if (thefile->handle == NULL) {
fatal("Couldn't open file %s: %s\n", filename, errbuf);
}
thefile->datalink = pcap_datalink(thefile->handle);
thefile->snaplen = pcap_snapshot(thefile->handle);
if (verbose) {
fprintf(stdout,
"Analyzing %s, version %i.%i, type %s, max packet size %u bytes...\n",
filename, pcap_major_version(thefile->handle),
pcap_minor_version(thefile->handle),
pcap_datalink_val_to_description(thefile->datalink),
thefile->snaplen);
}
return thefile;
}
int main (int argc, char** argv)
{
char ebuf[PCAP_ERRBUF_SIZE];
pcap_t* plik=NULL;
int snaplen=-1;
if (argc!=2)
{
printf( "Zla liczba argumentow\n" );
printf( "Podaj nazwe pliku zrzutu\n" );
exit(0);
}
if (!(plik=pcap_open_offline(argv[1], ebuf)))
{
perror(ebuf);
exit(1);
}
printf( "Wersja pcap, z ktora zapisano plik: %d.%d\n",
pcap_major_version(plik),
pcap_minor_version(plik));
if (pcap_is_swapped(plik))
printf( "Plik ma odwrocony porzadek bajtow\n" );
else
printf( "Plik ma porzadek bajtow taki jak w komputerze\n" );
snaplen = pcap_snapshot(plik);
printf( "Maksymalna dlugosc zapisywanych danych pakietu: %d\n",
snaplen);
pcap_close(plik);
return 0;
}
int
init_pcap(void)
{
hpcap = pcap_open_live(interface, snaplen, 1, PCAP_TO_MS, errbuf);
if (hpcap == NULL) {
logmsg(LOG_ERR, "Failed to initialize: %s", errbuf);
return (-1);
}
if (pcap_datalink(hpcap) != DLT_PFLOG) {
logmsg(LOG_ERR, "Invalid datalink type");
pcap_close(hpcap);
hpcap = NULL;
return (-1);
}
set_pcap_filter();
cur_snaplen = snaplen = pcap_snapshot(hpcap);
/* lock */
if (ioctl(pcap_fileno(hpcap), BIOCLOCK) < 0) {
logmsg(LOG_ERR, "BIOCLOCK: %s", strerror(errno));
return (-1);
}
return (0);
}
/*
* Class: disy_jnipcap_Pcap
* Method: snapshot
* Signature: (J)I
*/
JNIEXPORT jint JNICALL
Java_disy_jnipcap_Pcap_snapshot (JNIEnv *env, jclass jcls, jlong jptr)
{
pcap_t *p = (pcap_t *) jptr;
if (p == NULL) return -1;
return (jint) pcap_snapshot (p);
}
int
main (int argc, char *argv[])
{
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *descriptor;
int snaplen;
if (argc < 2)
{
printf ("Uzyj: %s plik_zrzutu\n", argv[0]);
return 0;
}
descriptor = pcap_open_offline (argv[1], errbuf);
if (descriptor == NULL)
{
fprintf (stderr, "%s\n", errbuf);
exit (EXIT_FAILURE);
}
printf ("Wersja pcap, z ktora zapisano plik: %d.%d\n",
pcap_major_version (descriptor), pcap_minor_version (descriptor));
if (pcap_is_swapped (descriptor))
printf ("Plik ma odwrocony porzadek bajtow.\n");
else
printf ("Plik ma porzadek bajtow taki jak w komputerze.\n");
snaplen = pcap_snapshot (descriptor);
printf ("Maksymalna dlugosc zapisywanych danych pakietu: %d\n", snaplen);
pcap_close (descriptor);
return 0;
}
void reader_libpcapfile_opened()
{
int dlt_to_linktype(int dlt);
pcapFileHeader.linktype = dlt_to_linktype(pcap_datalink(pcap)) | pcap_datalink_ext(pcap);
pcapFileHeader.snaplen = pcap_snapshot(pcap);
offlineFile = pcap_file(pcap);
if (config.bpf) {
struct bpf_program bpf;
if (pcap_compile(pcap, &bpf, config.bpf, 1, PCAP_NETMASK_UNKNOWN) == -1) {
LOG("ERROR - Couldn't compile filter: '%s' with %s", config.bpf, pcap_geterr(pcap));
exit(1);
}
if (pcap_setfilter(pcap, &bpf) == -1) {
LOG("ERROR - Couldn't set filter: '%s' with %s", config.bpf, pcap_geterr(pcap));
exit(1);
}
}
int t;
for (t = 0; t < MOLOCH_FILTER_MAX; t++) {
if (config.bpfsNum[t]) {
int i;
if (bpf_programs[t]) {
for (i = 0; i < config.bpfsNum[t]; i++) {
pcap_freecode(&bpf_programs[t][i]);
}
} else {
bpf_programs[t] = malloc(config.bpfsNum[t]*sizeof(struct bpf_program));
}
for (i = 0; i < config.bpfsNum[t]; i++) {
if (pcap_compile(pcap, &bpf_programs[t][i], config.bpfs[t][i], 1, PCAP_NETMASK_UNKNOWN) == -1) {
LOG("ERROR - Couldn't compile filter: '%s' with %s", config.bpfs[t][i], pcap_geterr(pcap));
exit(1);
}
}
moloch_reader_should_filter = reader_libpcapfile_should_filter;
}
}
if (config.flushBetween)
moloch_session_flush();
offlinePcapName = strdup(offlinePcapFilename);
int fd = pcap_fileno(pcap);
if (fd == -1) {
g_timeout_add(0, reader_libpcapfile_read, NULL);
} else {
moloch_watch_fd(fd, MOLOCH_GIO_READ_COND, reader_libpcapfile_read, NULL);
}
}
/*
* filter is compiled and set in the privileged process.
* get the compiled output and set it locally for filtering dumps etc.
*/
struct bpf_program *
priv_pcap_setfilter(pcap_t *hpcap, int oflag, u_int32_t netmask)
{
struct bpf_program *fcode = NULL;
int snap, link;
char *ebuf;
if (priv_fd < 0)
errx(1, "%s: called from privileged portion", __func__);
ebuf = pcap_geterr(hpcap);
snap = pcap_snapshot(hpcap);
link = pcap_datalink(hpcap);
fcode = calloc(1, sizeof(*fcode));
if (fcode == NULL) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "out of memory");
return (NULL);
}
write_command(priv_fd, PRIV_SETFILTER);
/* send oflag, netmask, snaplen and linktype */
must_write(priv_fd, &oflag, sizeof(oflag));
must_write(priv_fd, &netmask, sizeof(netmask));
must_write(priv_fd, &snap, sizeof(snap));
must_write(priv_fd, &link, sizeof(link));
/* receive compiled filter */
must_read(priv_fd, &fcode->bf_len, sizeof(fcode->bf_len));
if (fcode->bf_len <= 0) {
int len;
len = read_string(priv_fd, ebuf, PCAP_ERRBUF_SIZE, __func__);
if (len == 0)
snprintf(ebuf, PCAP_ERRBUF_SIZE, "pcap compile error");
goto err;
}
fcode->bf_insns = calloc(fcode->bf_len, sizeof(struct bpf_insn));
if (fcode->bf_insns == NULL) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "out of memory");
goto err;
}
must_read(priv_fd, fcode->bf_insns,
fcode->bf_len * sizeof(struct bpf_insn));
pcap_setfilter(hpcap, fcode);
return (fcode);
err:
free(fcode);
return (NULL);
}
static int pcaprr_daq_get_snaplen(void *handle)
{
Pcaprr_Context_t *context = (Pcaprr_Context_t *) handle;
/* rationale: we want the same snaplen across all of the interfaces */
if (context->handle && context->handle_count)
return pcap_snapshot(context->handle[0]);
return context->snaplen;
}
void reader_libpcap_start() {
int dlt_to_linktype(int dlt);
//ALW - Bug: assumes all linktypes are the same
pcapFileHeader.linktype = dlt_to_linktype(pcap_datalink(pcaps[0])) | pcap_datalink_ext(pcaps[0]);
pcapFileHeader.snaplen = pcap_snapshot(pcaps[0]);
pcap_t *dpcap = pcap_open_dead(pcapFileHeader.linktype, pcapFileHeader.snaplen);
int t;
for (t = 0; t < MOLOCH_FILTER_MAX; t++) {
if (config.bpfsNum[t]) {
int i;
if (bpf_programs[t]) {
for (i = 0; i < config.bpfsNum[t]; i++) {
pcap_freecode(&bpf_programs[t][i]);
}
} else {
bpf_programs[t] = malloc(config.bpfsNum[t]*sizeof(struct bpf_program));
}
for (i = 0; i < config.bpfsNum[t]; i++) {
if (pcap_compile(dpcap, &bpf_programs[t][i], config.bpfs[t][i], 1, PCAP_NETMASK_UNKNOWN) == -1) {
LOG("ERROR - Couldn't compile filter: '%s' with %s", config.bpfs[t][i], pcap_geterr(dpcap));
exit(1);
}
}
moloch_reader_should_filter = reader_libpcap_should_filter;
}
}
int i;
for (i = 0; i < MAX_INTERFACES && config.interface[i]; i++) {
if (config.bpf) {
struct bpf_program bpf;
if (pcap_compile(pcaps[i], &bpf, config.bpf, 1, PCAP_NETMASK_UNKNOWN) == -1) {
LOG("ERROR - Couldn't compile filter: '%s' with %s", config.bpf, pcap_geterr(pcaps[i]));
exit(1);
}
if (pcap_setfilter(pcaps[i], &bpf) == -1) {
LOG("ERROR - Couldn't set filter: '%s' with %s", config.bpf, pcap_geterr(pcaps[i]));
exit(1);
}
}
char name[100];
snprintf(name, sizeof(name), "moloch-pcap%d", i);
g_thread_new(name, &reader_libpcap_thread, (gpointer)pcaps[i]);
}
}
static void
tcpeek_init_pcap(void) {
char *ifname, errmsg[PCAP_ERRBUF_SIZE], expression[] = "tcp or icmp";
struct bpf_program bpf;
if(strisempty(g.option.ifname)) {
ifname = pcap_lookupdev(errmsg);
if(!ifname) {
error_abort("%s", errmsg);
}
strncpy(g.option.ifname, ifname, sizeof(g.option.ifname) - 1);
}
g.pcap.pcap = pcap_create(g.option.ifname, errmsg);
if(!g.pcap.pcap) {
error_abort("%s", errmsg);
}
if(pcap_set_buffer_size(g.pcap.pcap, g.option.buffer * 1024 * 1024) != 0) {
error_abort("%s", "can not set buffer size");
}
if(pcap_set_snaplen(g.pcap.pcap, DEFAULT_PCAP_SNAPLEN) != 0) {
error_abort("%s", "can not set snaplen");
}
if(pcap_set_promisc(g.pcap.pcap, g.option.promisc) != 0) {
error_abort("%s", "can not set promiscuous mode");
}
if(pcap_set_timeout(g.pcap.pcap, 1) != 0) {
error_abort("%s", "can not set timeout");
}
if(pcap_activate(g.pcap.pcap) != 0) {
error_abort("%s", pcap_geterr(g.pcap.pcap));
}
if(pcap_compile(g.pcap.pcap, &bpf, expression, 0, 0) == -1) {
error_abort("%s '%s'", pcap_geterr(g.pcap.pcap), expression);
}
if(pcap_setfilter(g.pcap.pcap, &bpf) == -1){
error_abort("%s", pcap_geterr(g.pcap.pcap));
}
pcap_freecode(&bpf);
g.pcap.snapshot = pcap_snapshot(g.pcap.pcap);
g.pcap.datalink = pcap_datalink(g.pcap.pcap);
if(g.pcap.datalink != DLT_EN10MB && g.pcap.datalink != DLT_LINUX_SLL) {
error_abort("not support datalink %s (%s)",
pcap_datalink_val_to_name(g.pcap.datalink),
pcap_datalink_val_to_description(g.pcap.datalink)
);
}
}
static void pcap_duplicate(struct Options *opts)
{
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t *in_pcap;
pcap_t *out_pcap;
pcap_dumper_t *dumper;
int datalink;
in_pcap = pcap_open_offline(opts->in_file, errbuf);
if (in_pcap == NULL) {
printf("Error opening %s: %s\n", opts->in_file, errbuf);
return;
}
datalink = pcap_datalink(in_pcap);
out_pcap = pcap_open_dead(datalink, pcap_snapshot(in_pcap));
if (out_pcap == NULL) {
pcap_close(in_pcap);
puts("Error calling pcap_open_dead())");
return;
}
dumper = pcap_dump_open(out_pcap, opts->out_file);
if (dumper == NULL) {
printf("Error opening output %s: %s\n", opts->out_file, pcap_geterr(out_pcap));
pcap_close(in_pcap);
pcap_close(out_pcap);
return;
}
struct pcap_pkthdr hdr;
const unsigned char *packet;
while ((packet = pcap_next(in_pcap, &hdr)) != NULL) {
int i;
for (i = 0; i < opts->count_n; i++) {
if (opts->change_ip && datalink == DLT_EN10MB) {
change_ethpacket(&hdr, (unsigned char *)packet); //cast a way const ok.
}
pcap_dump((u_char*)dumper, &hdr, packet);
}
}
pcap_dump_close(dumper);
pcap_close(in_pcap);
pcap_close(out_pcap);
}
/* Packet handler: write packets to a file in CAP format */
static int pf_capture_pkt_handler(netio_desc_t *nio,void *pkt,size_t len,
void *opt)
{
struct netio_filter_capture *c = opt;
struct pcap_pkthdr pkt_hdr;
if (c != NULL) {
gettimeofday(&pkt_hdr.ts,0);
pkt_hdr.caplen = m_min(len, (u_int)pcap_snapshot(c->desc));
pkt_hdr.len = len;
/* thread safe dump */
pthread_mutex_lock(&c->lock);
pcap_dump((u_char *)c->dumper,&pkt_hdr,pkt);
pcap_dump_flush(c->dumper);
pthread_mutex_unlock(&c->lock);
}
return(NETIO_FILTER_ACTION_PASS);
}
void capture_init(void)
{
pcap_t *pd;
pcap_t *pb = NULL; /* for the bridge */
pcap_dumper_t *pdump;
bpf_u_int32 net, mask;
struct bpf_program bpf;
char pcap_errbuf[PCAP_ERRBUF_SIZE];
/*
* if the user didn't specified the interface,
* we have to found one...
*/
if (!GBL_OPTIONS->read && GBL_OPTIONS->iface == NULL) {
char *ifa = pcap_lookupdev(pcap_errbuf);
ON_ERROR(ifa, NULL, "No suitable interface found...");
GBL_OPTIONS->iface = iface_name(ifa);
}
if (GBL_OPTIONS->iface)
DEBUG_MSG("capture_init %s", GBL_OPTIONS->iface);
else
DEBUG_MSG("capture_init (no interface)");
if (GBL_SNIFF->type == SM_BRIDGED) {
if (!strcmp(GBL_OPTIONS->iface, GBL_OPTIONS->iface_bridge))
FATAL_ERROR("Bridging iface must be different from %s", GBL_OPTIONS->iface);
USER_MSG("Bridging %s and %s...\n\n", GBL_OPTIONS->iface, GBL_OPTIONS->iface_bridge);
} else if (GBL_OPTIONS->read) {
USER_MSG("Reading from %s... ", GBL_OPTIONS->pcapfile_in);
} else
USER_MSG("Listening on %s... ", GBL_OPTIONS->iface);
/* set the snaplen to maximum */
GBL_PCAP->snaplen = UINT16_MAX;
/* open the interface from GBL_OPTIONS (user specified) */
if (GBL_OPTIONS->read)
pd = pcap_open_offline(GBL_OPTIONS->pcapfile_in, pcap_errbuf);
else
pd = pcap_open_live(GBL_OPTIONS->iface, GBL_PCAP->snaplen, GBL_PCAP->promisc,
PCAP_TIMEOUT, pcap_errbuf);
ON_ERROR(pd, NULL, "pcap_open: %s", pcap_errbuf);
/*
* update to the reap assigned snapshot.
* this may be different reading from files
*/
DEBUG_MSG("requested snapshot: %d assigned: %d", GBL_PCAP->snaplen, pcap_snapshot(pd));
GBL_PCAP->snaplen = pcap_snapshot(pd);
/* get the file size */
if (GBL_OPTIONS->read) {
struct stat st;
fstat(fileno(pcap_file(pd)), &st);
GBL_PCAP->dump_size = st.st_size;
}
/* set the pcap filters */
if (GBL_PCAP->filter != NULL && strcmp(GBL_PCAP->filter, "")) {
DEBUG_MSG("pcap_filter: %s", GBL_PCAP->filter);
if (pcap_lookupnet(GBL_OPTIONS->iface, &net, &mask, pcap_errbuf) == -1)
ERROR_MSG("%s", pcap_errbuf);
if (pcap_compile(pd, &bpf, GBL_PCAP->filter, 1, mask) < 0)
ERROR_MSG("%s", pcap_errbuf);
if (pcap_setfilter(pd, &bpf) == -1)
ERROR_MSG("pcap_setfilter");
pcap_freecode(&bpf);
}
/* if in bridged sniffing, we have to open even the other iface */
if (GBL_SNIFF->type == SM_BRIDGED) {
pb = pcap_open_live(GBL_OPTIONS->iface_bridge, GBL_PCAP->snaplen, GBL_PCAP->promisc,
PCAP_TIMEOUT, pcap_errbuf);
ON_ERROR(pb, NULL, "%s", pcap_errbuf);
/* set the pcap filters */
if (GBL_PCAP->filter != NULL) {
if (pcap_lookupnet(GBL_OPTIONS->iface_bridge, &net, &mask, pcap_errbuf) == -1)
ERROR_MSG("%s", pcap_errbuf);
if (pcap_compile(pb, &bpf, GBL_PCAP->filter, 1, mask) < 0)
ERROR_MSG("%s", pcap_errbuf);
if (pcap_setfilter(pb, &bpf) == -1)
ERROR_MSG("pcap_setfilter");
pcap_freecode(&bpf);
}
}
/* open the dump file */
if (GBL_OPTIONS->write) {
DEBUG_MSG("pcapfile_out: %s", GBL_OPTIONS->pcapfile_out);
pdump = pcap_dump_open(pd, GBL_OPTIONS->pcapfile_out);
ON_ERROR(pdump, NULL, "%s", pcap_geterr(pd));
GBL_PCAP->dump = pdump;
}
/* set the right dlt type for the iface */
GBL_PCAP->dlt = pcap_datalink(pd);
DEBUG_MSG("capture_init: %s [%d]", pcap_datalink_val_to_description(GBL_PCAP->dlt), GBL_PCAP->dlt);
USER_MSG("(%s)\n\n", pcap_datalink_val_to_description(GBL_PCAP->dlt));
/* check that the bridge type is the same as the main iface */
if (GBL_SNIFF->type == SM_BRIDGED && pcap_datalink(pb) != GBL_PCAP->dlt)
FATAL_ERROR("You can NOT bridge two different type of interfaces !");
/* check if we support this media */
if (get_decoder(LINK_LAYER, GBL_PCAP->dlt) == NULL) {
if (GBL_OPTIONS->read)
FATAL_ERROR("Dump file not supported (%s)", pcap_datalink_val_to_description(GBL_PCAP->dlt));
else
FATAL_ERROR("Inteface \"%s\" not supported (%s)", GBL_OPTIONS->iface, pcap_datalink_val_to_description(GBL_PCAP->dlt));
}
/* set the alignment for the buffer */
set_alignment(GBL_PCAP->dlt);
/* allocate the buffer for the packets (UINT16_MAX) */
SAFE_CALLOC(GBL_PCAP->buffer, UINT16_MAX + GBL_PCAP->align, sizeof(char));
/* set the global descriptor for both the iface and the bridge */
GBL_PCAP->pcap = pd;
if (GBL_SNIFF->type == SM_BRIDGED)
GBL_PCAP->pcap_bridge = pb;
/* on exit clean up the structures */
atexit(capture_close);
}
/**
* \brief replay two pcap files out two interfaces
*
* Internal to tcpreplay, does the heavy lifting for --dualfile
*/
static int
replay_two_files(tcpreplay_t *ctx, int idx1, int idx2)
{
char *path1, *path2;
pcap_t *pcap1 = NULL, *pcap2 = NULL;
char ebuf[PCAP_ERRBUF_SIZE];
int rcode = 0;
assert(ctx);
assert(ctx->options->sources[idx1].type = source_filename);
assert(ctx->options->sources[idx2].type = source_filename);
path1 = ctx->options->sources[idx1].filename;
path2 = ctx->options->sources[idx2].filename;
/* can't use stdin in dualfile mode */
if ((strncmp(path1, "-", strlen(path1)) == 0) ||
(strncmp(path2, "-", strlen(path2)) == 0)) {
tcpreplay_seterr(ctx, "%s", "Invalid use of STDIN '-' in dual file mode");
return -1;
}
/* read from first pcap file if we haven't cached things yet */
if (!ctx->options->preload_pcap) {
if ((pcap1 = pcap_open_offline(path1, ebuf)) == NULL) {
tcpreplay_seterr(ctx, "Error opening pcap file: %s", ebuf);
return -1;
}
ctx->options->file_cache[idx1].dlt = pcap_datalink(pcap1);
if ((pcap2 = pcap_open_offline(path2, ebuf)) == NULL) {
tcpreplay_seterr(ctx, "Error opening pcap file: %s", ebuf);
return -1;
}
ctx->options->file_cache[idx2].dlt = pcap_datalink(pcap2);
} else {
if (!ctx->options->file_cache[idx1].cached) {
if ((pcap1 = pcap_open_offline(path1, ebuf)) == NULL) {
tcpreplay_seterr(ctx, "Error opening pcap file: %s", ebuf);
return -1;
}
ctx->options->file_cache[idx1].dlt = pcap_datalink(pcap1);
}
if (!ctx->options->file_cache[idx2].cached) {
if ((pcap2 = pcap_open_offline(path2, ebuf)) == NULL) {
tcpreplay_seterr(ctx, "Error opening pcap file: %s", ebuf);
return -1;
}
ctx->options->file_cache[idx2].dlt = pcap_datalink(pcap2);
}
}
if (pcap1 != NULL) {
#ifdef HAVE_PCAP_SNAPSHOT
if (pcap_snapshot(pcap1) < 65535) {
tcpreplay_setwarn(ctx, "%s was captured using a snaplen of %d bytes. This may mean you have truncated packets.",
path1, pcap_snapshot(pcap1));
rcode = -2;
}
if (pcap_snapshot(pcap2) < 65535) {
tcpreplay_setwarn(ctx, "%s was captured using a snaplen of %d bytes. This may mean you have truncated packets.",
path2, pcap_snapshot(pcap2));
rcode = -2;
}
#endif
if (ctx->intf1dlt == -1)
ctx->intf1dlt = sendpacket_get_dlt(ctx->intf1);
if ((ctx->intf1dlt >= 0) && (ctx->intf1dlt != pcap_datalink(pcap1))) {
tcpreplay_setwarn(ctx, "%s DLT (%s) does not match that of the outbound interface: %s (%s)",
path1, pcap_datalink_val_to_name(pcap_datalink(pcap1)),
ctx->intf1->device, pcap_datalink_val_to_name(ctx->intf1dlt));
rcode = -2;
}
if (ctx->intf2dlt == -1)
ctx->intf2dlt = sendpacket_get_dlt(ctx->intf2);
if ((ctx->intf2dlt >= 0) && (ctx->intf2dlt != pcap_datalink(pcap2))) {
tcpreplay_setwarn(ctx, "%s DLT (%s) does not match that of the outbound interface: %s (%s)",
path2, pcap_datalink_val_to_name(pcap_datalink(pcap2)),
ctx->intf2->device, pcap_datalink_val_to_name(ctx->intf2dlt));
rcode = -2;
}
if (ctx->intf1dlt != ctx->intf2dlt) {
tcpreplay_seterr(ctx, "DLT mismatch for %s (%d) and %s (%d)",
path1, ctx->intf1dlt, path2, ctx->intf2dlt);
return -1;
}
}
#ifdef ENABLE_VERBOSE
if (ctx->options->verbose) {
/* in cache mode, we may not have opened the file */
if (pcap1 == NULL) {
if ((pcap1 = pcap_open_offline(path1, ebuf)) == NULL) {
tcpreplay_seterr(ctx, "Error opening pcap file: %s", ebuf);
return -1;
}
ctx->options->file_cache[idx1].dlt = pcap_datalink(pcap1);
}
/* init tcpdump */
tcpdump_open(ctx->options->tcpdump, pcap1);
}
#endif
send_dual_packets(ctx, pcap1, idx1, pcap2, idx2);
if (pcap1 != NULL)
pcap_close(pcap1);
if (pcap2 != NULL)
pcap_close(pcap2);
#ifdef ENABLE_VERBOSE
tcpdump_close(ctx->options->tcpdump);
#endif
return rcode;
}
/**
* \brief replay a pcap file out interface(s)
*
* Internal to tcpreplay. Does the heavy lifting.
*/
static int
replay_file(tcpreplay_t *ctx, int idx)
{
char *path;
pcap_t *pcap = NULL;
char ebuf[PCAP_ERRBUF_SIZE];
assert(ctx);
assert(ctx->options->sources[idx].type = source_filename);
path = ctx->options->sources[idx].filename;
/* close stdin if reading from it (needed for some OS's) */
if (strncmp(path, "-", 1) == 0)
close(1);
/* read from pcap file if we haven't cached things yet */
if (!ctx->options->preload_pcap) {
if ((pcap = pcap_open_offline(path, ebuf)) == NULL) {
tcpreplay_seterr(ctx, "Error opening pcap file: %s", ebuf);
return -1;
}
ctx->options->file_cache[idx].dlt = pcap_datalink(pcap);
#ifdef HAVE_PCAP_SNAPSHOT
if (pcap_snapshot(pcap) < 65535)
warnx("%s was captured using a snaplen of %d bytes. This may mean you have truncated packets.",
path, pcap_snapshot(pcap));
#endif
} else {
if (!ctx->options->file_cache[idx].cached) {
if ((pcap = pcap_open_offline(path, ebuf)) == NULL) {
tcpreplay_seterr(ctx, "Error opening pcap file: %s", ebuf);
return -1;
}
ctx->options->file_cache[idx].dlt = pcap_datalink(pcap);
}
}
#if 0
/*
* this API is broken right now. This needs to be handled via a pipe or
* something else so we can pass the output up to the calling programm
*/
#ifdef ENABLE_VERBOSE
if (ctx->options->verbose) {
/* in cache mode, we may not have opened the file */
if (pcap == NULL)
if ((pcap = pcap_open_offline(path, ebuf)) == NULL) {
tcpreplay_seterr("Error opening pcap file: %s", ebuf);
return -1;
}
ctx->options->file_cache[idx].dlt = pcap_datalink(pcap);
/* init tcpdump */
tcpdump_open(ctx->options->tcpdump, pcap);
}
#endif
#endif
if (pcap != NULL) {
if (ctx->intf1dlt == -1)
ctx->intf1dlt = sendpacket_get_dlt(ctx->intf1);
#if 0
if ((ctx->intf1dlt >= 0) && (ctx->intf1dlt != pcap_datalink(pcap)))
warnx("%s DLT (%s) does not match that of the outbound interface: %s (%s)",
path, pcap_datalink_val_to_name(pcap_datalink(pcap)),
ctx->options->intf1->device, pcap_datalink_val_to_name(ctx->intf1dlt));
#endif
if (ctx->intf1dlt != ctx->options->file_cache[idx].dlt)
tcpreplay_setwarn(ctx, "%s DLT (%s) does not match that of the outbound interface: %s (%s)",
path, pcap_datalink_val_to_name(pcap_datalink(pcap)),
ctx->intf1->device, pcap_datalink_val_to_name(ctx->intf1dlt));
}
ctx->stats.active_pcap = ctx->options->sources[idx].filename;
send_packets(ctx, pcap, idx);
if (pcap != NULL)
pcap_close(pcap);
#if 0
#ifdef ENABLE_VERBOSE
tcpdump_close(ctx->options->tcpdump);
#endif
#endif
return 0;
}
pread_f *is_tcpdump(char *filename)
{
char errbuf[100];
char *physname = "<unknown>";
int type;
#ifdef __WIN32
if ((pcap = pcap_open_offline(filename, errbuf)) == NULL) {
#else
if ((pcap = pcap_open_offline("-", errbuf)) == NULL) {
#endif /* __WIN32 */
if (debug > 2)
fprintf(stderr,"PCAP said: '%s'\n", errbuf);
rewind(stdin);
return(NULL);
}
if (debug) {
printf("Using 'pcap' version of tcpdump\n");
if (debug > 1) {
printf("\tversion_major: %d\n", pcap_major_version(pcap));
printf("\tversion_minor: %d\n", pcap_minor_version(pcap));
printf("\tsnaplen: %d\n", pcap_snapshot(pcap));
printf("\tlinktype: %d\n", pcap_datalink(pcap));
printf("\tswapped: %d\n", pcap_is_swapped(pcap));
}
}
/* check the phys type (pretend everything is ethernet) */
memset(ð_header,0,EH_SIZE);
switch (type = pcap_datalink(pcap)) {
case 100:
case PCAP_DLT_EN10MB:
/* OK, we understand this one */
physname = "Ethernet";
break;
case PCAP_DLT_IEEE802:
/* just pretend it's normal ethernet */
physname = "Ethernet";
break;
case PCAP_DLT_SLIP:
eth_header.ether_type = htons(ETHERTYPE_IP);
physname = "Slip";
break;
case PCAP_DLT_PPP:
eth_header.ether_type = htons(ETHERTYPE_IP);
physname = "PPP or HDLC PPP";
break;
case PCAP_DLT_FDDI:
eth_header.ether_type = htons(ETHERTYPE_IP);
physname = "FDDI";
break;
case PCAP_DLT_NULL:
eth_header.ether_type = htons(ETHERTYPE_IP);
physname = "NULL";
break;
case PCAP_DLT_ATM_RFC1483:
eth_header.ether_type = htons(ETHERTYPE_IP);
physname = "ATM, LLC/SNAP encapsulated";
break;
case PCAP_DLT_RAW:
eth_header.ether_type = htons(ETHERTYPE_IP);
physname = "RAW_IP";
break;
case PCAP_DLT_LINUX_SLL:
/* linux cooked socket type */
eth_header.ether_type = htons(ETHERTYPE_IP);
physname = "Linux Cooked Socket";
break;
case PCAP_DLT_IEEE802_11:
eth_header.ether_type = htons(ETHERTYPE_IP);
physname = "IEEE802_11";
break;
case PCAP_DLT_IEEE802_11_RADIO:
eth_header.ether_type = htons(ETHERTYPE_IP);
physname = "IEEE802_11_RADIO";
break;
case PCAP_DLT_PRISM2:
eth_header.ether_type = htons(ETHERTYPE_IP);
physname = "PRISM2";
break;
case PCAP_DLT_C_HDLC:
eth_header.ether_type = htons(ETHERTYPE_IP);
physname = "Cisco HDLC";
break;
default:
fprintf(stderr,"tcptrace did not understand link format (%d)!\n",type);
fprintf(stderr,
"\t If you can give us a capture file with this link format\n\
\t or even better, a patch to decipher this format, we shall add it in, \n\
\t in a future release.\n");
rewind(stdin);
return(NULL);
}
if (debug)
fprintf(stderr,"Tcpdump format, physical type is %d (%s)\n",
type, physname);
/* set up some stuff */
ip_buf = MallocZ(IP_MAXPACKET);
return(pread_tcpdump);
}
/* support for writing a new pcap file */
void
PcapSavePacket(
char *filename,
struct ip *pip,
void *plast)
{
static MFILE *f_savefile = NULL;
struct pcap_pkthdr phdr;
int wlen;
if (f_savefile == NULL) {
struct pcap_file_header fhdr;
/* try to open the file */
if ((f_savefile = Mfopen(filename, "w")) == NULL) {
perror(filename);
exit(-1);
}
/* make up the header info it wants */
/* this comes from version 2.4, no pcap routine handy :-( */
fhdr.magic = TCPDUMP_MAGIC;
fhdr.version_major = PCAP_VERSION_MAJOR;
fhdr.version_minor = PCAP_VERSION_MINOR;
fhdr.thiszone = 0; /* don't have this info, just make it up */
fhdr.snaplen = 1000000; /* don't have this info, just make it up */
fhdr.linktype = PCAP_DLT_EN10MB; /* always Ethernet (10Mb) */
fhdr.sigfigs = 0;
/* write the header */
Mfwrite((char *)&fhdr, sizeof(fhdr), 1, f_savefile);
if (debug)
fprintf(stderr,"Created pcap save file '%s'\n", filename);
}
/* create the packet header */
/* (copying time structure in 2 steps to avoid RedHat brain damage) */
phdr.ts.tv_sec = current_time.tv_sec;
phdr.ts.tv_usec = current_time.tv_usec;
phdr.caplen = (char *)plast - (char *)pip + 1;
phdr.caplen += EH_SIZE; /* add in the ether header */
phdr.len = EH_SIZE + ntohs(PIP_LEN(pip)); /* probably this */
/* write the packet header */
Mfwrite(&phdr, sizeof(phdr), 1, f_savefile);
/* write a (bogus) ethernet header */
memset(ð_header,0,EH_SIZE);
eth_header.ether_type = htons(ETHERTYPE_IP);
Mfwrite(ð_header, sizeof(eth_header), 1, f_savefile);
/* write the IP/TCP parts */
wlen = phdr.caplen - EH_SIZE; /* remove the ether header */
Mfwrite(pip, wlen, 1, f_savefile);
}
#else /* GROK_TCPDUMP */
void
PcapSavePacket(
char *filename,
struct ip *pip,
void *plast)
{
fprintf(stderr,"\
Sorry, packet writing only supported with the pcap library\n\
compiled into the program (See GROK_TCPDUMP)\n");
exit(-2);
}
int
nmsg_pcap_snapshot(nmsg_pcap_t pcap) {
return (pcap_snapshot(pcap->handle));
}
int main(int argc, char *argv[])
{
int opt = 0;
/*
signal(SIGABRT, sighandler);
signal(SIGHUP, sighandler);
signal(SIGINT, sighandler);
signal(SIGKILL, sighandler);
signal(SIGQUIT, sighandler);
signal(SIGSEGV, sighandler);
signal(SIGTERM, sighandler);
*/
/* parse command line arguments */
while ((opt = getopt(argc, argv, "i:")) != -1) {
switch (opt) {
case 'i':
dev = optarg;
break;
default:
fprintf(stderr, "Missing option: %c", opt);
break;
}
}
fprintf(stdout, "Device: %s\n", dev);
#if 0
pcap_object.savefile =
open("v300-new.pcap", O_WRONLY | O_TRUNC | O_CREAT, 0600);
if (pcap_object.savefile < 0) {
fprintf(stderr, "Error opening output file\n");
goto lzEXIT;
}
linktype = pcap_datalink(pcap_object.handler);
file_snaplen = pcap_snapshot(pcap_object.handler);
/* write capture file header */
pcap_write_header(pcap_object.savefile, linktype, file_snaplen);
#endif
pcap_object.exitflag = 0;
pcap_object.packets_captured = 0;
int inpkts = 0, inpkts_to_sync = 0;
time_t upd_time, cur_time;
int pkt_num = 0;
pthread_t threads[2];
int rc = 0;
int skfd = 0;
struct ifreq ifr;
CAPTURE_IOCTL capture_ioctl;
#if 1
/*
upd_time = time(NULL);
time_t end_time, begin_time;
begin_time = time(NULL);
*/
bzero(&capture_ioctl, sizeof(capture_ioctl));
bzero(&ifr, sizeof(ifr));
strncpy(ifr.ifr_name, "eth5", sizeof(ifr.ifr_name) - 1);
ifr.ifr_data = (char *)&capture_ioctl;
if ((skfd = socket(AF_INET, SOCK_DGRAM, 0)) == 0) {
fprintf(stderr, "create socket error!\n");
goto lzEXIT;
}
/* tell 10GE port start capture */
capture_ioctl.cmd = CAPTURE_CMD_START;
if (ioctl(skfd, SIOCETHTOOL, &ifr) == -1) {
fprintf(stderr, "ioctl: CAPTURE_CMD_START error!\n");
goto lzEXIT;
}
fprintf(stderr, "send CAPTURE_CMD_START to driver, start capture!\n");
#endif
pBuffer = (char *)calloc(1, ringsize + 1);
if (!pBuffer) {
fprintf(stderr, "Malloc failed, exiting\n");
goto lzEXIT;
}
pReadPtr = pBuffer;
pWritePtr = pBuffer;
fprintf(stderr, "Ring buffer size: %d\n", ringsize);
fp = fopen("/tmp/pcap000.pcap", "w");
if (fp == NULL) {
fprintf(stderr, "fopen error\n");
goto lzEXIT;
}
FILE *procf = NULL;
int rmem_def = 0;
procf = fopen(RMEM_DEF, "r");
if (procf) {
fscanf(procf, "%d", &rmem_def);
fclose(procf);
}
if (rmem_def != RECV_BUFF_SIZE) {
char cmd[64] = "";
sprintf(cmd, "echo \"%d\" > %s", RECV_BUFF_SIZE, RMEM_DEF);
system(cmd);
sprintf(cmd, "echo \"%d\" > %s", RECV_BUFF_SIZE, RMEM_MAX);
system(cmd);
}
fprintf(stderr, "%s: %d\n%s: %d\n", RMEM_DEF, RECV_BUFF_SIZE, RMEM_MAX,
RECV_BUFF_SIZE);
// Create the corresponding measurement thread
struct sched_param schParam;
pthread_attr_t ptaAttr;
schParam.sched_priority = THREAD_DEFAULT_PRIORITY + 10;
pthread_attr_init(&ptaAttr);
pthread_attr_setdetachstate(&ptaAttr, PTHREAD_CREATE_DETACHED);
pthread_attr_setschedpolicy(&ptaAttr, SCHED_FIFO);
pthread_attr_setschedparam(&ptaAttr, &schParam);
//pthread_attr_setstacksize(&ptaAttr, THREAD_DEFAULT_STACKSIZE*3);
if (0 != pthread_create(&threads[0], &ptaAttr, (void *(*)(void *))Reader, NULL))
{
fprintf(stderr, "pthread_create error\n");
goto lzEXIT;
}
schParam.sched_priority = THREAD_DEFAULT_PRIORITY;
pthread_attr_init(&ptaAttr);
pthread_attr_setdetachstate(&ptaAttr, PTHREAD_CREATE_DETACHED);
pthread_attr_setschedpolicy(&ptaAttr, SCHED_FIFO);
pthread_attr_setschedparam(&ptaAttr, &schParam);
//pthread_attr_setstacksize(&ptaAttr, THREAD_DEFAULT_STACKSIZE*3);
rc = pthread_create(&threads[1], &ptaAttr, (void *(*)(void *))Writer, NULL);
if (rc) {
fprintf(stderr, "pthread_create error\n");
goto lzEXIT;
}
while (!pcap_object.exitflag) {
usleep(500000);
fprintf(stderr, "Got %ld\n", pcap_object.packets_captured);
}
/*
if( 0 == (rc = pthread_cancel(threads[0])) )
{
pthread_join(threads[0], NULL);
}
if( 0 == (rc = pthread_cancel(threads[1])) )
{
pthread_join(threads[1], NULL);
}
*/
fprintf(stderr, "\n%ld packets captured\n",
pcap_object.packets_captured);
fprintf(stderr, "ring buffer use: %.1lf%% of %d MB\n",
100.0 * (float)pcap_object.packets_captured / (float)(ringsize),
ringsize / 1024 / 1024);
lzEXIT:
if (skfd != 0)
close(skfd);
skfd = 0;
if (pBuffer != NULL) {
free(pBuffer);
pBuffer = NULL;
}
if (fp != NULL)
fclose(fp);
fp = NULL;
if (pcap_object.savefile > 0) {
fsync(pcap_object.savefile);
close(pcap_object.savefile);
}
printf("Packet capture done.\n");
exit(0);
}
/*
* appSetup(argc, argv);
*
* Perform all the setup for this application include setting up
* required modules, parsing options, etc. This function should be
* passed the same arguments that were passed into main().
*
* Returns to the caller if all setup succeeds. If anything fails,
* this function will cause the application to exit with a FAILURE
* exit status.
*/
static void
appSetup(
int argc,
char **argv)
{
SILK_FEATURES_DEFINE_STRUCT(features);
char errbuf[PCAP_ERRBUF_SIZE];
int arg_index;
/* verify same number of options and help strings */
assert((sizeof(appHelp)/sizeof(char*)) ==
(sizeof(appOptions)/sizeof(struct option)));
/* register the application */
skAppRegister(argv[0]);
skAppVerifyFeatures(&features, NULL);
skOptionsSetUsageCallback(&appUsageLong);
/* register the options */
if (skOptionsRegister(appOptions, &appOptionsHandler, NULL))
{
skAppPrintErr("Unable to register options");
exit(EXIT_FAILURE);
}
/* register the teardown handler */
if (atexit(appTeardown) < 0) {
skAppPrintErr("Unable to register appTeardown() with atexit()");
appTeardown();
exit(EXIT_FAILURE);
}
/* parse options */
arg_index = skOptionsParse(argc, argv);
if (arg_index < 0) {
skAppUsage(); /* never returns */
}
/* verify input file */
if (arg_index >= argc) {
skAppPrintErr("No input packet file found");
skAppUsage(); /* never returns */
}
/* verify output is not a terminal */
if (FILEIsATty(stdout)) {
skAppPrintErr("stdout is connected to a terminal");
skAppUsage(); /* never returns */
}
/* open input file */
g_pkt_input = pcap_open_offline(argv[arg_index], errbuf);
if (g_pkt_input == NULL) {
skAppPrintErr("Unable to open input file %s: %s",
argv[arg_index], errbuf);
exit(EXIT_FAILURE);
}
/* open output file (tcpdump format packet file) */
g_output = pcap_open_dead(pcap_datalink(g_pkt_input),
pcap_snapshot(g_pkt_input));
if (g_output == NULL) {
skAppPrintErr("Error opening stdout: %s", errbuf);
exit(EXIT_FAILURE);
}
g_output_dumper = pcap_dump_open(g_output, "-");
if (g_output_dumper == NULL) {
skAppPrintErr("Error opening stdout: %s", pcap_geterr(g_output));
exit(EXIT_FAILURE);
}
return; /* OK */
}
int main(int argc, char *argv[])
{
struct bpf_program fcode;
pcap_handler printer;
char ebuf[PCAP_ERRBUF_SIZE];
int c,i,snaplen=512,size,packetcnt;
bpf_u_int32 myself, localnet, netmask;
unsigned char *pcap_userdata;
filter_rule = argv[1];
signal(SIGINT,sig_int);
opterr =0;
if(argc-1 <1)
{
usage();
exit(1);
}
while( (c=getopt(argc,argv,"i:c:pher")) != -1) {
switch(c) {
case 'i' :
device = optarg;
break;
case 'p' :
pflag = 1;
break;
case 'c':
cflag = 1;
packetcnt = atoi(optarg);
if(packetcnt <=0) {
fprintf(stderr, "invalid pacet number %s",optarg);
exit(1);
}
break;
case 'e':
eflag =1;
break;
case 'r':
rflag =1;
break;
case 'h':
usage();
exit(1);
}
}
if(device == NULL) {
if( (device = pcap_lookupdev(ebuf) ) ==NULL)
{
perror(ebuf);
exit(-1);
}
}
fprintf(stdout,"device = %s\n", device);
pd = pcap_open_live(device , snaplen, PROMISCOUS, 1000, ebuf);
if(pd == NULL) {
perror(ebuf);
exit(-1);
}
i = pcap_snapshot(pd);
if(snaplen <i) {
perror(ebuf);
exit(-1);
}
if(pcap_lookupnet(device, &localnet, &netmask, ebuf) <0) {
perror(ebuf);
exit(-1);
}
setuid(getuid());
if(pcap_compile(pd, &fcode, filter_rule , 0, netmask)<0) {
perror(ebuf);
exit(-1);
}
if(pcap_setfilter(pd, &fcode) <0) {
perror(ebuf);
exit(-1);
}
fflush(stderr);
printer = lookup_printer(pcap_datalink(pd));
pcap_userdata = 0;
if(pcap_loop(pd,packetcnt, printer, pcap_userdata) <0) {
perror("pcap_loop error");
exit(-1);
}
pcap_close(pd);
exit(0);
}
int
main(int argc, char **argv)
{
int cnt, op, i, done = 0;
bpf_u_int32 localnet, netmask;
char *cp, *cmdbuf, *device;
struct bpf_program fcode;
void (*oldhandler)(int);
u_char *pcap_userdata;
char ebuf[PCAP_ERRBUF_SIZE];
cnt = -1;
device = NULL;
if ((cp = strrchr(argv[0], '/')) != NULL)
program_name = cp + 1;
else
program_name = argv[0];
opterr = 0;
while ((i = getopt(argc, argv, "pa")) != -1)
{
switch (i)
{
case 'p':
pflag = 1;
break;
case 'a':
aflag = 1;
break;
case '?':
default:
done = 1;
break;
}
if (done) break;
}
if (argc > (optind)) cmdbuf = copy_argv(&argv[optind]);
else cmdbuf = "";
if (device == NULL) {
device = pcap_lookupdev(ebuf);
if (device == NULL)
error("%s", ebuf);
}
pd = pcap_open_live(device, snaplen, 1, 1000, ebuf);
if (pd == NULL)
error("%s", ebuf);
i = pcap_snapshot(pd);
if (snaplen < i) {
warning("snaplen raised from %d to %d", snaplen, i);
snaplen = i;
}
if (pcap_lookupnet(device, &localnet, &netmask, ebuf) < 0) {
localnet = 0;
netmask = 0;
warning("%s", ebuf);
}
/*
* Let user own process after socket has been opened.
*/
setuid(getuid());
if (pcap_compile(pd, &fcode, cmdbuf, 1, netmask) < 0)
error("%s", pcap_geterr(pd));
(void)setsignal(SIGTERM, program_ending);
(void)setsignal(SIGINT, program_ending);
/* Cooperate with nohup(1) */
if ((oldhandler = setsignal(SIGHUP, program_ending)) != SIG_DFL)
(void)setsignal(SIGHUP, oldhandler);
if (pcap_setfilter(pd, &fcode) < 0)
error("%s", pcap_geterr(pd));
pcap_userdata = 0;
(void)fprintf(stderr, "%s: listening on %s\n", program_name, device);
if (pcap_loop(pd, cnt, raw_print, pcap_userdata) < 0) {
(void)fprintf(stderr, "%s: pcap_loop: %s\n",
program_name, pcap_geterr(pd));
exit(1);
}
pcap_close(pd);
exit(0);
}
LOCAL void reader_libpcapfile_opened()
{
int dlt_to_linktype(int dlt);
if (config.flushBetween)
moloch_session_flush();
moloch_packet_set_linksnap(dlt_to_linktype(pcap_datalink(pcap)) | pcap_datalink_ext(pcap), pcap_snapshot(pcap));
offlineFile = pcap_file(pcap);
if (config.bpf && pcapFileHeader.linktype != 239) {
struct bpf_program bpf;
if (pcap_compile(pcap, &bpf, config.bpf, 1, PCAP_NETMASK_UNKNOWN) == -1) {
LOGEXIT("ERROR - Couldn't compile filter: '%s' with %s", config.bpf, pcap_geterr(pcap));
}
if (pcap_setfilter(pcap, &bpf) == -1) {
LOGEXIT("ERROR - Couldn't set filter: '%s' with %s", config.bpf, pcap_geterr(pcap));
}
}
readerPos++;
if (readerFileName[readerPos])
moloch_free_later(readerFileName[readerPos], g_free);
readerFileName[readerPos] = g_strdup(offlinePcapFilename);
int fd = pcap_fileno(pcap);
if (fd == -1) {
g_timeout_add(0, reader_libpcapfile_read, NULL);
} else {
moloch_watch_fd(fd, MOLOCH_GIO_READ_COND, reader_libpcapfile_read, NULL);
}
if (filenameOpsNum > 0) {
// Free any previously allocated
if (readerFieldOps[readerPos].size > 0)
moloch_field_ops_free(&readerFieldOps[readerPos]);
moloch_field_ops_init(&readerFieldOps[readerPos], filenameOpsNum, MOLOCH_FIELD_OPS_FLAGS_COPY);
// Go thru all the filename ops looking for matches and then expand the value string
int i;
for (i = 0; i < filenameOpsNum; i++) {
GMatchInfo *match_info = 0;
g_regex_match(filenameOps[i].regex, offlinePcapFilename, 0, &match_info);
if (g_match_info_matches(match_info)) {
GError *error = 0;
char *expand = g_match_info_expand_references(match_info, filenameOps[i].expand, &error);
if (error) {
LOG("Error expanding '%s' with '%s' - %s", offlinePcapFilename, filenameOps[i].expand, error->message);
g_error_free(error);
}
if (expand) {
moloch_field_ops_add(&readerFieldOps[readerPos], filenameOps[i].field, expand, -1);
g_free(expand);
}
}
g_match_info_free(match_info);
}
}
}
OfflinePacketFilter& OfflinePacketFilter::operator=(const OfflinePacketFilter& other) {
string_filter_ = other.string_filter_;
init(string_filter_, pcap_datalink(other.handle_), pcap_snapshot(other.handle_));
return* this;
}
int
main(int argc, char **argv)
{
register int cnt, op, i;
bpf_u_int32 localnet, netmask;
register char *cp, *infile, *cmdbuf, *device, *RFileName, *WFileName;
pcap_handler printer;
struct bpf_program fcode;
RETSIGTYPE (*oldhandler)(int);
u_char *pcap_userdata;
char ebuf[PCAP_ERRBUF_SIZE];
cnt = -1;
device = NULL;
infile = NULL;
RFileName = NULL;
WFileName = NULL;
if ((cp = strrchr(argv[0], '/')) != NULL)
program_name = cp + 1;
else
program_name = argv[0];
if (abort_on_misalignment(ebuf) < 0)
error("%s", ebuf);
opterr = 0;
while (
(op = getopt(argc, argv, "ac:defF:i:lnNOpqr:s:StT:vw:xY")) != EOF)
switch (op) {
case 'a':
++aflag;
break;
case 'c':
cnt = atoi(optarg);
if (cnt <= 0)
error("invalid packet count %s", optarg);
break;
case 'd':
++dflag;
break;
case 'e':
++eflag;
break;
case 'f':
++fflag;
break;
case 'F':
infile = optarg;
break;
case 'i':
device = optarg;
break;
case 'l':
#ifdef HAVE_SETLINEBUF
setlinebuf(stdout);
#else
setvbuf(stdout, NULL, _IOLBF, 0);
#endif
break;
case 'n':
++nflag;
break;
case 'N':
++Nflag;
break;
case 'O':
Oflag = 0;
break;
case 'p':
++pflag;
break;
case 'q':
++qflag;
break;
case 'r':
RFileName = optarg;
break;
case 's':
snaplen = atoi(optarg);
if (snaplen <= 0)
error("invalid snaplen %s", optarg);
break;
case 'S':
++Sflag;
break;
case 't':
--tflag;
break;
case 'T':
if (strcasecmp(optarg, "vat") == 0)
packettype = PT_VAT;
else if (strcasecmp(optarg, "wb") == 0)
packettype = PT_WB;
else if (strcasecmp(optarg, "rpc") == 0)
packettype = PT_RPC;
else if (strcasecmp(optarg, "rtp") == 0)
packettype = PT_RTP;
else if (strcasecmp(optarg, "rtcp") == 0)
packettype = PT_RTCP;
else
error("unknown packet type `%s'", optarg);
break;
case 'v':
++vflag;
break;
case 'w':
WFileName = optarg;
break;
#ifdef YYDEBUG
case 'Y':
{
/* Undocumented flag */
extern int yydebug;
yydebug = 1;
}
break;
#endif
case 'x':
++xflag;
break;
default:
usage();
/* NOTREACHED */
}
if (aflag && nflag)
error("-a and -n options are incompatible");
if (tflag > 0)
thiszone = gmt2local(0);
if (RFileName != NULL) {
/*
* We don't need network access, so set it back to the user id.
* Also, this prevents the user from reading anyone's
* trace file.
*/
setuid(getuid());
pd = pcap_open_offline(RFileName, ebuf);
if (pd == NULL)
error("%s", ebuf);
localnet = 0;
netmask = 0;
if (fflag != 0)
error("-f and -r options are incompatible");
} else {
if (device == NULL) {
device = pcap_lookupdev(ebuf);
if (device == NULL)
error("%s", ebuf);
}
pd = pcap_open_live(device, snaplen, !pflag, 1000, ebuf);
if (pd == NULL)
error("%s", ebuf);
i = pcap_snapshot(pd);
if (snaplen < i) {
warning("snaplen raised from %d to %d", snaplen, i);
snaplen = i;
}
if (pcap_lookupnet(device, &localnet, &netmask, ebuf) < 0) {
localnet = 0;
netmask = 0;
warning("%s", ebuf);
}
/*
* Let user own process after socket has been opened.
*/
setuid(getuid());
}
if (infile)
cmdbuf = read_infile(infile);
else
cmdbuf = copy_argv(&argv[optind]);
if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0)
error("%s", pcap_geterr(pd));
if (dflag) {
bpf_dump(&fcode, dflag);
exit(0);
}
init_addrtoname(localnet, netmask);
(void)setsignal(SIGTERM, cleanup);
(void)setsignal(SIGINT, cleanup);
/* Cooperate with nohup(1) */
if ((oldhandler = setsignal(SIGHUP, cleanup)) != SIG_DFL)
(void)setsignal(SIGHUP, oldhandler);
if (pcap_setfilter(pd, &fcode) < 0)
error("%s", pcap_geterr(pd));
if (WFileName) {
pcap_dumper_t *p = pcap_dump_open(pd, WFileName);
if (p == NULL)
error("%s", pcap_geterr(pd));
printer = pcap_dump;
pcap_userdata = (u_char *)p;
} else {
printer = lookup_printer(pcap_datalink(pd));
pcap_userdata = 0;
}
if (RFileName == NULL) {
(void)fprintf(stderr, "%s: listening on %s\n",
program_name, device);
(void)fflush(stderr);
}
if (pcap_loop(pd, cnt, printer, pcap_userdata) < 0) {
(void)fprintf(stderr, "%s: pcap_loop: %s\n",
program_name, pcap_geterr(pd));
exit(1);
}
pcap_close(pd);
exit(0);
}
/*-
-- snaplen = cap:snapshot()
The snapshot length.
For a live capture, snapshot is the maximum amount of the packet that will be
captured, for writing of captures, it is the maximum size of a packet that can
be written.
*/
static int lpcap_snapshot(lua_State* L)
{
pcap_t* cap = checkpcap(L);
lua_pushnumber(L, pcap_snapshot(cap));
return 1;
}