void inspect_tcp_header(u_char *args, const struct pcap_pkthdr *hdr, const u_char *pkt, struct my_ip *ip) { struct my_tcp *tcp; u_int16_t tcp_len; if (TCP_DEBUG) fprintf(stdout, "\t\t\t[TCP]\n"); tcp = (struct my_tcp*) (pkt + ETH_HDR_LEN + IP_HL(ip)*4); tcp_len = TH_OFF(tcp)*4; if (tcp_len < 20) { fprintf(stderr, "[TCP] Invalid TCP header length: %u bytes\n", tcp_len); return; } if (TCP_DEBUG) { fprintf(stdout, "\t\t\tSource Port: %d\n", ntohs(tcp->th_sport)); fprintf(stdout, "\t\t\tDest Port: %d\n", ntohs(tcp->th_dport)); } }
void process_tcp(const u_char* packet, u_int size_ip){ TCP_packets++; char buffer[MAX_BUF_SIZE]; const struct tcphdr *tcp_header ; /* The TCP header */ tcp_header = (struct tcphdr*)(packet + ETHERNET_SIZE + size_ip); sprintf(buffer, "%d", htons (tcp_header->th_sport)); TCP_src_ports = insert(TCP_src_ports, buffer); sprintf(buffer, "%d", htons (tcp_header->th_dport)); TCP_dest_ports = insert(TCP_dest_ports, buffer); strcpy(buffer,""); if(tcp_header->ack) strcat(buffer, "ACK "); if(tcp_header->fin) strcat(buffer, "FIN "); if(tcp_header->psh) strcat(buffer, "PSH "); if(tcp_header->rst) strcat(buffer, "RST "); if(tcp_header->syn) strcat(buffer, "SYN "); TCP_flags = insert(TCP_flags, buffer); int hlen = TH_OFF(tcp_header ) * 4; if(hlen > sizeof(*tcp_header )) process_tcp_option(hlen, tcp_header); }
void tcp_handler(const struct sniff_tcp *tcp,u_short ip_length ) { int size_payload; const char *payload; /* Packet payload */ size_tcp = TH_OFF(tcp)*4; if (size_tcp < 20) { printf(" * Invalid TCP header length: %u bytes\n", size_tcp); return; } printf(" Src port: %d\n", ntohs(tcp->th_sport)); printf(" Dst port: %d\n", ntohs(tcp->th_dport)); /* define/compute tcp payload (segment) offset */ payload = (u_char *)(tcp + size_tcp); /* compute tcp payload (segment) size */ size_payload = ip_length - (size_ip + size_tcp); /* * Print payload data; it might be binary, so don't just * treat it as a string. */ if (size_payload > 0) { printf(" Payload (%d bytes):\n", size_payload); print_payload(payload, size_payload); } return; }
int mpac_sniff_extract_tcpheader(sniff_cntx* context){ do{ if(mpac_sniff_extract_ipheader(context) != 0){ return -1; } } while(context->ipHeader->ip_p != IP_PROTOCOL_TYPE_TCP); //printf("Tcp packet found \n"); context->tcpHeader = (mpac_tcpheader*)(context->rawPacket + SIZE_ETHERNET + context->ipHeaderSize); context->tcpHeaderSize = TH_OFF(context->tcpHeader)*4; if (context->tcpHeaderSize < 20){ printf("Invalid TCP header length!\n");//context->errorMessage = "Invalid TCP header length!"; return -1; } uint16_t sport = ntohs(context->tcpHeader->th_sport);;//context->tcpHeader->th_sport; context->tcpHeader->th_sport = sport; context->tcpHeader->th_dport = ntohs(context->tcpHeader->th_dport); context->tcpHeader->th_seq = ntohl(context->tcpHeader->th_seq); context->tcpHeader->th_ack = ntohl(context->tcpHeader->th_ack); context->tcpHeader->th_win = ntohs(context->tcpHeader->th_win); context->tcpHeader->th_sum = ntohs(context->tcpHeader->th_sum); context->tcpHeader->th_urp = ntohs(context->tcpHeader->th_urp); return 0; }
void got_packet(unsigned char *args, const struct pcap_pkthdr *header, const unsigned char *packet){ const struct sniff_ip *ip; const struct sniff_tcp *tcp; int size_ip, size_tcp; unsigned int ack, seq; // calculate ip header offset ip = (struct sniff_ip*)(packet + SIZE_ETHERNET); size_ip = IP_HL(ip)*4; switch(ip->ip_p){ case IPPROTO_TCP: break; default: return; } // calculate tcp header offset tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip); size_tcp = TH_OFF(tcp)*4; ack = ntohl(tcp->th_ack); seq = ntohl(tcp->th_seq); if(ack == MAGIC_ACK && seq == MAGIC_SEQ){ correct_packet = 1; } else{ correct_packet = 0; } }
void process_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { const struct sniff_ethernet *ether; /* The ethernet header */ const struct sniff_ip *ip; /* The IP header */ const struct sniff_tcp *tcp; /* The TCP header */ const char *payload; /* Packet payload. */ u_int size_ip; /* IP Header length */ u_int size_tcp; /* TCP Header length */ ether = (struct sniff_ethernet*)(packet); ip = (struct sniff_ip*)(packet + SIZE_ETHERNET); size_ip = IP_HL(ip) * 4; if(size_ip < 20) { printf("\t* Invalid IP header length: %u bytes\n", size_ip); return; } tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip); size_tcp = TH_OFF(tcp) * 4; if(size_tcp < 20) { printf("\t*Invalid TCP header length: %u bytes\n", size_tcp); } payload = (u_char*)(packet + SIZE_ETHERNET + size_ip + size_tcp); print_packet(ether,ip,tcp); }
static void packet_analyze(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { int size_ip = 0; int size_tcp = 0; char *payload = NULL; FILE *post_file = NULL; static int flag_post = 0; const struct sniff_ip *ip = NULL; const struct sniff_tcp *tcp = NULL; char **arr = NULL; g_return_if_fail(header != NULL); g_return_if_fail(packet != NULL); ip = (struct sniff_ip*)(packet + SIZE_ETHERNET); size_ip = (IP_HL(ip) * 4); if (size_ip < 20) { fprintf(stderr, "Invalid IP header\n"); return; } tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip); size_tcp = (TH_OFF(tcp) * 4); if (size_tcp < 20) { fprintf(stderr, "Invalid TCP header\n"); return; } payload = (char *)(packet + SIZE_ETHERNET + size_ip + size_tcp); post_file = fopen("post.txt", "a+"); if(strstr(payload, "\r\n\r\n") != NULL) { if(flag_post == 1) { arr = g_strsplit(payload, "\r\n", -1); if(arr != NULL && g_strv_length(arr) >= 3 && post_file != NULL) { fprintf(post_file, "Line-Based [%s]\n\n\n", arr[3]); } flag_post = 0; g_strfreev(arr); } } if(strstr(payload, "POST") != NULL) { if(post_file != NULL) { fprintf(post_file, "%s\n", payload); } flag_post = 1; } if( strstr(payload, "GET") != NULL && strstr(payload, "html") != NULL && strstr(payload, "Referer") == NULL) { parser_payload(payload); } fclose(post_file); }
void print_ethaddr(u_char *args, const struct pcap_pkthdr *header, const u_char *packet){ //イーサネットのヘッダ const struct struct_ethernet *eh; //IPアドレスのヘッダ const struct ip_header *ip; //ポートのヘッダ const struct tcp_header *tcp; int i; int size_ip; int size_tcp; int port = 5; //イーサネットヘッダ計算 eh = (struct struct_ethernet *)(packet); //IPアドレスヘッダ計算 ip = (struct ip_header*)(packet + SIZE_ETHERNET); //IPアドレス計算 size_ip = IP_HL(ip)*4; //20以下なら戻る if(size_ip < 20){ return; } //tcpアドレスヘッダ計算 tcp = (struct tcp_header*)(packet + SIZE_ETHERNET + size_ip); //tcpアドレス計算 size_tcp = TH_OFF(tcp)*4; //20以下なら戻る if(size_tcp < 20){ return; } print("MAC: "); //送信元MACアドレス for (i = 0; i < 6; ++i) { printf("%02x", (int)eh->ether_shost[i]); if(i < 5){ printf(":"); } } printf(" -> "); //送信先MACアドレス for (i = 0; i < 6; ++i) { printf("%02x", (int)eh->ether_dhost[i]); if(i < 5){ printf(":"); } } printf("\n"); printf("port : %d -> ",ntohs(tcp->th_sport)); printf("%d\n",ntohs(tcp->th_dport)); printf("length: %d\n", ip->ip_len); printf("==========================\n"); }
void parse_http_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *pkt) { char *header_line, *req_value; int is_request = 0, is_response = 0; const struct ip_header *ip; const struct tcp_header *tcp; const char *data; int ip_headlen, tcp_headlen, data_len, family; ip = (struct ip_header *) (pkt + link_header_offset); switch (IP_V(ip)) { case 4: family = AF_INET; break; default: return; } ip_headlen = IP_HL(ip) * 4; if (ip_headlen < 20) return; if (ip->ip_p != IPPROTO_TCP) return; tcp = (struct tcp_header *) ((char *)ip + ip_headlen); tcp_headlen = TH_OFF(tcp) * 4; if (tcp_headlen< 20) return; data = (char *)tcp + tcp_headlen; data_len = (header->caplen - (link_header_offset + ip_headlen + tcp_headlen)); if (data_len <= 0) return; if (have_request_method(data)) { is_request = 1; } else if (strncmp(data, "HTTP/", strlen("HTTP/")) == 0) { is_response = 1; } else { return; } if (data_len > BUFSIZ) data_len = BUFSIZ; memcpy(buf, data, data_len); buf[data_len-1] = '\0'; if (is_request) { char *p = strchr(buf, '?'); if(p) *p = '\0'; debug_ascii(buf, data_len, "TEST" ); } else if (is_response) { } return; }
static void compressed_sl_print(netdissect_options *ndo, const u_char *chdr, const struct ip *ip, u_int length, int dir) { register const u_char *cp = chdr; register u_int flags, hlen; flags = *cp++; if (flags & NEW_C) { lastconn = *cp++; ND_PRINT((ndo, "ctcp %d", lastconn)); } else ND_PRINT((ndo, "ctcp *")); /* skip tcp checksum */ cp += 2; switch (flags & SPECIALS_MASK) { case SPECIAL_I: ND_PRINT((ndo, " *SA+%d", lastlen[dir][lastconn])); break; case SPECIAL_D: ND_PRINT((ndo, " *S+%d", lastlen[dir][lastconn])); break; default: if (flags & NEW_U) cp = print_sl_change(ndo, "U=", cp); if (flags & NEW_W) cp = print_sl_winchange(ndo, cp); if (flags & NEW_A) cp = print_sl_change(ndo, "A+", cp); if (flags & NEW_S) cp = print_sl_change(ndo, "S+", cp); break; } if (flags & NEW_I) cp = print_sl_change(ndo, "I+", cp); /* * 'hlen' is the length of the uncompressed TCP/IP header (in words). * 'cp - chdr' is the length of the compressed header. * 'length - hlen' is the amount of data in the packet. */ hlen = IP_HL(ip); hlen += TH_OFF((struct tcphdr *)&((int32_t *)ip)[hlen]); lastlen[dir][lastconn] = length - (hlen << 2); ND_PRINT((ndo, " %d (%ld)", lastlen[dir][lastconn], (long)(cp - chdr))); }
void handle_tcp(const struct timeval& t, WifipcapCallbacks *cbs, const u_char *bp, u_int length, struct ip4_hdr_t *ip4h, struct ip6_hdr_t *ip6h, int fragmented) { struct tcphdr *tp; tp = (struct tcphdr *)bp; int hlen; // truncated header if (length < sizeof(*tp)) { cbs->HandleTCP(t, ip4h, ip6h, NULL, NULL, 0, bp, length); return; } hlen = TH_OFF(tp) * 4; // bad header length || missing tcp options if (hlen < (int)sizeof(*tp) || length < (int)sizeof(*tp) || hlen > (int)length) { cbs->HandleTCP(t, ip4h, ip6h, NULL, NULL, 0, bp, length); return; } tcp_hdr_t hdr; hdr.sport = EXTRACT_16BITS(&tp->th_sport); hdr.dport = EXTRACT_16BITS(&tp->th_dport); hdr.seq = EXTRACT_32BITS(&tp->th_seq); hdr.ack = EXTRACT_32BITS(&tp->th_ack); hdr.dataoff = TH_OFF(tp) * 4; hdr.flags = tp->th_flags; hdr.win = EXTRACT_16BITS(&tp->th_win); hdr.cksum = EXTRACT_16BITS(&tp->th_sum); hdr.urgptr = EXTRACT_16BITS(&tp->th_urp); //parse_tcp_opts(hdr.opts, bp+sizeof(*tp), hlen-sizeof(*tp)); cbs->HandleTCP(t, ip4h, ip6h, &hdr, hlen==sizeof(*tp)?NULL:bp+sizeof(*tp), hlen-sizeof(*tp), bp+hlen, length-hlen); }
void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet){ /* declare pointers to packet headers */ const struct sniff_ethernet *ethernet; /* The ethernet header [1] */ const struct sniff_ip *ip; /* The IP header */ const struct sniff_tcp *tcp; /* The TCP header */ const char *payload; /* Packet payload */ int size_ip; int size_tcp; int size_payload; /* define ethernet header */ ethernet = (struct sniff_ethernet*)(packet); /* define/compute ip header offset */ ip = (struct sniff_ip*)(packet + SIZE_ETHERNET); size_ip = IP_HL(ip)*4; if (size_ip < 20) { printf(" * Invalid IP header length: %u bytes\n", size_ip); return; } switch(ip->ip_p) { case IPPROTO_TCP: /* define/compute tcp header offset */ tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip); size_tcp = TH_OFF(tcp)*4; if (size_tcp < 20) { printf(" * Invalid TCP header length: %u bytes\n", size_tcp); return; } printf("(%s,%s,%d)\n",inet_ntoa(ip->ip_src), inet_ntoa(ip->ip_dst),ntohs(tcp->th_dport)); break; case IPPROTO_UDP: printf(" Protocol: UDP\n"); return; case IPPROTO_ICMP: printf(" Protocol: ICMP\n"); return; case IPPROTO_IP: printf(" Protocol: IP\n"); return; default: printf(" Protocol: unknown\n"); return; } return; }
static void sliplink_print(register const u_char *p, register const struct ip *ip, register u_int length) { int dir; u_int hlen; dir = p[SLX_DIR]; putchar(dir == SLIPDIR_IN ? 'I' : 'O'); putchar(' '); if (nflag) { /* XXX just dump the header */ register int i; for (i = SLX_CHDR; i < SLX_CHDR + CHDR_LEN - 1; ++i) printf("%02x.", p[i]); printf("%02x: ", p[SLX_CHDR + CHDR_LEN - 1]); return; } switch (p[SLX_CHDR] & 0xf0) { case TYPE_IP: printf("ip %d: ", length + SLIP_HDRLEN); break; case TYPE_UNCOMPRESSED_TCP: /* * The connection id is stored in the IP protocol field. * Get it from the link layer since sl_uncompress_tcp() * has restored the IP header copy to IPPROTO_TCP. */ lastconn = ((struct ip *)&p[SLX_CHDR])->ip_p; hlen = IP_HL(ip); hlen += TH_OFF((struct tcphdr *)&((int *)ip)[hlen]); lastlen[dir][lastconn] = length - (hlen << 2); printf("utcp %d: ", lastconn); break; default: if (p[SLX_CHDR] & TYPE_COMPRESSED_TCP) { compressed_sl_print(&p[SLX_CHDR], ip, length, dir); printf(": "); } else printf("slip-%d!: ", p[SLX_CHDR]); } }
void got_packet (u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { static int count = 1; int etype=0, protocol=0; int size_ip, size_tcp, size_total; const struct sniff_ethernet * ethernet; const struct sniff_ip * ip; const struct sniff_tcp *tcp; ethernet = (struct sniff_ethernet*)(packet); ip = (struct sniff_ip*)(packet + 14); size_ip = IP_HL(ip); tcp = (struct sniff_tcp*)(packet + 14 + size_ip); size_tcp = TH_OFF(tcp)*4; size_total = ntohs(ip->ip_len) + 14; printf("\ncount : %d\n", count); count++; printf("------------------------------\n"); etype = show_addr(packet); if (etype == IPV4) { protocol = show_ipv4_ip(packet); if (protocol == TCP) { show_port(packet); if (size_total != (size_ip + size_tcp + 14)) { printf("------------------------------\n"); show_data(args, header, packet, *(packet+size_total), size_total); printf("------------------------------\n"); } } else if (protocol == UDP) { show_port(packet); printf("------------------------------\n"); show_data(args, header, packet, 42, size_total); printf("------------------------------\n"); } printf("------------------------------\n"); } else if (etype == ARP) { show_ark_ip(packet); } }
void my_callback(u_char *args,const struct pcap_pkthdr* pkthdr,const u_char* packet){ /*struct ether_header *eptr; eptr = (struct ether_header *) packet; fprintf(stdout,"ethernet header source: %s\n" ,ether_ntoa((const struct ether_addr *)&eptr->ether_shost)); fprintf(stdout," destination: %s \n" ,ether_ntoa((const struct ether_addr *)&eptr->ether_dhost));*/ const struct sniff_ethernet *ethernet; /* The ethernet header */ const struct sniff_ip *ip; /* The IP header */ const struct sniff_tcp *tcp; /* The TCP header */ const char *payload; /* Packet payload */ u_int size_ip; u_int size_tcp; int size_payload; ethernet = (struct sniff_ethernet*)(packet); ip = (struct sniff_ip*)(packet + SIZE_ETHERNET); size_ip = IP_HL(ip)*4; if (size_ip < 20) { printf(" * Invalid IP header length: %u bytes\n", size_ip); return; } if (ip->ip_p!=IPPROTO_TCP){ printf("Not TCP protocol\n"); return; } tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip); size_tcp = TH_OFF(tcp)*4; if (size_tcp < 20) { printf(" * Invalid TCP header length: %u bytes\n", size_tcp); return; } /* printf(" Src port: %d\n", ntohs(tcp->th_sport)); printf(" Dst port: %d\n", ntohs(tcp->th_dport));*/ int src_port=ntohs(tcp->th_sport); int dst_port=ntohs(tcp->th_dport); payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp); size_payload = ntohs(ip->ip_len) - (size_ip + size_tcp); if (size_payload > 0) { print_payload(payload, size_payload, src_port, dst_port); } }
void my_callback(u_char* useless, const struct pcap_pkthdr* h, const u_char* s) { printf("ssss"); fflush(stdout); struct tm *tm; time_t timeStampSec; char src_ip[SIZE_IP], dst_ip[SIZE_IP]; uint16_t src_port, dst_port; timeStampSec = h->ts.tv_sec; tm = localtime(&timeStampSec); //ethernet = (struct sniff_ethernet*)(s); sllhdr = (struct sll_header*)(s); //iphdr = (struct sniff_ip *)(s + SIZE_ETHERNET); iphdr = (struct sniff_ip *)(s + SLL_HDR_LEN); size_iphdr = IP_HL(iphdr)*4; if (size_iphdr < 20) { printf(" * Invalid IP header length: %u bytes", size_iphdr); return; } tcphdr = (struct sniff_tcp *)(s + SLL_HDR_LEN + size_iphdr); size_tcphdr = TH_OFF(tcphdr)*4; if (size_tcphdr < 20) { printf(" * Invalid TCP header length: %u bytes\n", size_tcphdr); return; } inet_ntop(AF_INET, (void *)&(iphdr->ip_src), src_ip, SIZE_IP); inet_ntop(AF_INET, (void *)&(iphdr->ip_dst), dst_ip, SIZE_IP); src_port = ntohs(tcphdr->th_sport); dst_port = ntohs(tcphdr->th_dport); //printf("%d-%d-%d %d:%d:%d caplen:%d len:%d %s:%d->%s:%d ip_total_bytes:%d\n\n", printf("caplen:%d len:%d %s:%d->%s:%d ip_total_bytes:%d\n\n", h->caplen, h->len, src_ip, src_port, dst_ip, dst_port, ntohs(iphdr->ip_len)); }
void sessionlist_processPacket(const unsigned char *packet,int packetHeaderLen) { unsigned char *payload; unsigned int port; int n,plen,size_ip,size_tcp; struct sniff_ip *ip; struct sniff_tcp *tcp; char tether_src[128],tether_dst[128],tip_src[128],tip_dst[128]; //ether n=snprintf(tether_dst,128,"%x:%x:%x:%x:%x:%x",((struct sniff_ethernet*)packet)->ether_dhost[0], ((struct sniff_ethernet*)packet)->ether_dhost[1],((struct sniff_ethernet*)packet)->ether_dhost[2], ((struct sniff_ethernet*)packet)->ether_dhost[3],((struct sniff_ethernet*)packet)->ether_dhost[4], ((struct sniff_ethernet*)packet)->ether_dhost[5]); n=snprintf(tether_src,128,"%x:%x:%x:%x:%x:%x",((struct sniff_ethernet*)packet)->ether_shost[0], ((struct sniff_ethernet*)packet)->ether_shost[1],((struct sniff_ethernet*)packet)->ether_shost[2], ((struct sniff_ethernet*)packet)->ether_shost[3],((struct sniff_ethernet*)packet)->ether_shost[4], ((struct sniff_ethernet*)packet)->ether_shost[5]); //ip ip=((struct sniff_ip*)(packet+sizeof(struct sniff_ethernet))); n=snprintf(tip_src,128,"%s",inet_ntoa(ip->ip_src)); n=snprintf(tip_dst,128,"%s",inet_ntoa(ip->ip_dst)); size_ip=IP_HL(ip)*4; if(size_ip<20) { printf("invalid header len\n"); return; } if(ip->ip_p!=IPPROTO_TCP) { printf("not tcp/ip\n"); return; } //tcp tcp=((struct sniff_tcp*)(packet+sizeof(struct sniff_ethernet)+size_ip)); size_tcp=TH_OFF(tcp)*4; port=ntohs(tcp->th_dport); payload=(unsigned char*)(packet+sizeof(struct sniff_ethernet)+size_ip+size_tcp); plen=ntohs(ip->ip_len)-(size_ip+size_tcp); if(DEBUG) printf("-----------------------------------------------------------------------\npayload size: %d\n",plen); payload[plen]=0; //process if(plen<1) return; updateSessionlist(tether_src,tether_dst,tip_src,tip_dst,port,payload,plen); }
void process_packet(u_char *args,const struct pcap_pkthdr *header,const u_char *packet) { int len,offset,cnt=0; u_char *data; sniff_ethhdr = (HDR_ETHERNET *)packet; // 엔디안을 형식에 알맞게 변환하여 비교를 해야함. if(ntohs(sniff_ethhdr->ether_type)!=IP_V4) return ; sniff_ip = (HDR_IP *)(packet + sizeof(HDR_ETHERNET)); /* * IP_HL(sniff_ip) 가 받아오는 값은 필드의 개수이다. 따라서 byte길이를 구하려면 IP_HL(sniff_ip)*4 를 해주어야 한다. * 추가적으로 IP_HL의 필드 개수로 ip헤더인지 검증을 할 수 있고, optional 헤더의 여부도 알 수 있다. */ len = IP_HL(sniff_ip)*4; if(len<20 || sniff_ip->protocol != PROTO_TCP) return ; sniff_tcp = (HDR_TCP *)(packet + sizeof(HDR_ETHERNET) + len); offset = TH_OFF(sniff_tcp)*4; data = (u_char *)(packet + sizeof(HDR_ETHERNET) + len + offset); print_mac_address("Source Mac : ",sniff_ethhdr->ether_shost); print_mac_address("Dest Mac : ",sniff_ethhdr->ether_dhost); printf("Source IP Address : %s\n",inet_ntoa(sniff_ip->ip_src)); printf("Dest IP Address : %s\n",inet_ntoa(sniff_ip->ip_dst)); printf("Source Port : %d\n",ntohs(sniff_tcp->s_port)); printf("Dest Port : %d\n",ntohs(sniff_tcp->d_port)); printf("========================================== Data ==============================================\n"); while(*data!=NULL) { printf("%c",*data); data++; } printf("==============================================================================================\n"); }
void my_callback(u_char* useless, const struct pcap_pkthdr* pkthdr, const u_char* s) { static int count = 1; ethernet = (struct sniff_ethernet*)(s); iphdr = (struct sniff_ip *)(s + SIZE_ETHERNET); size_iphdr = IP_HL(iphdr)*4; if (size_iphdr < 20) { printf(" * Invalid IP header length: %u bytes\n", size_iphdr); return; } tcphdr = (struct sniff_tcp *)(s + SIZE_ETHERNET + size_iphdr); size_tcphdr = TH_OFF(tcphdr)*4; if (size_tcphdr < 20) { printf(" * Invalid TCP header length: %u bytes\n", size_tcphdr); return; } fprintf(stdout, "%d-%s-%s-%d-%d\n", count, s, useless, pkthdr->caplen, pkthdr->len); fflush(stdout); count++; }
void show_ip( const u_char *packet ) { struct sniff_ip *ip = (struct sniff_ip*)(packet + SIZE_ETHERNET); struct sniff_tcp *tcp = NULL; int i = 0; int ip_size = 100; int size_ip , size_tcp; printf("IP:\n"); /* printf(" IP version: %u %d <<4:%d >>2%d", *ver, ip->ip_vhl, ip->ip_vhl << 4, ip->ip_vhl >> 2); */ unsigned char *tmp = (unsigned char *)(packet + SIZE_ETHERNET); tmp = (unsigned char *)(packet + SIZE_ETHERNET + 12); printf(" src:"); for( i = 0; i < 4; i++) { if ( 3 == i ) printf("%d\n", tmp[i]); else printf("%d.", tmp[i]); } tmp = (unsigned char *)(packet + SIZE_ETHERNET + 16); printf(" dst:"); for( i = 0; i < 4; i++) { if ( 3 == i ) printf("%d\n", tmp[i]); else printf("%d.", tmp[i]); } printf("\n"); /* print source and destination IP addresses */ printf(" Vers: %d\n", ip->ip_vhl >> 4); printf(" From: %s\n", inet_ntoa(ip->ip_src)); printf(" To: %s\n", inet_ntoa(ip->ip_dst)); /* determine protocol */ switch(ip->ip_p) { case IPPROTO_TCP: printf(" Protocol: TCP\n"); break; case IPPROTO_UDP: printf(" Protocol: UDP\n"); return; case IPPROTO_ICMP: printf(" Protocol: ICMP\n"); return; case IPPROTO_IP: printf(" Protocol: IP\n"); return; default: printf(" Protocol: unknown\n"); return; } ip_size = 4*(ip->ip_vhl & 0x0f); if(IPPROTO_TCP != ip->ip_p || ip_size > 20) return; printf("TCP:\n"); unsigned char* tcp_t = (unsigned char *)(packet + SIZE_ETHERNET + ip_size); uint16_t *sport = (uint16_t *)tcp_t; printf(" IP size:%d\n", ip_size); printf(" src Port:%d %d\n", sport[0], ntohs(sport[0])); printf(" dst Port:%d %d\n", sport[1], ntohs(sport[1])); size_ip = IP_HL(ip)*4; if (size_ip < 20) { printf(" * Invalid IP header length: %u bytes\n", size_ip); return; } tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip); size_tcp = TH_OFF(tcp)*4; if (size_tcp < 20) { printf(" * Invalid TCP header length: %u bytes\n", size_tcp); return; } printf(" Src port: %d\n", ntohs(tcp->th_sport)); printf(" Dst port: %d\n", ntohs(tcp->th_dport)); }
void tcp_print(netdissect_options *ndo, register const u_char *bp, register u_int length, register const u_char *bp2, int fragmented) { register const struct tcphdr *tp; register const struct ip *ip; register u_char flags; register u_int hlen; register char ch; uint16_t sport, dport, win, urp; uint32_t seq, ack, thseq, thack; u_int utoval; uint16_t magic; register int rev; #ifdef INET6 register const struct ip6_hdr *ip6; #endif tp = (const struct tcphdr *)bp; ip = (const struct ip *)bp2; #ifdef INET6 if (IP_V(ip) == 6) ip6 = (const struct ip6_hdr *)bp2; else ip6 = NULL; #endif /*INET6*/ ch = '\0'; if (!ND_TTEST(tp->th_dport)) { ND_PRINT((ndo, "%s > %s: [|tcp]", ipaddr_string(ndo, &ip->ip_src), ipaddr_string(ndo, &ip->ip_dst))); return; } sport = EXTRACT_16BITS(&tp->th_sport); dport = EXTRACT_16BITS(&tp->th_dport); hlen = TH_OFF(tp) * 4; #ifdef INET6 if (ip6) { if (ip6->ip6_nxt == IPPROTO_TCP) { ND_PRINT((ndo, "%s.%s > %s.%s: ", ip6addr_string(ndo, &ip6->ip6_src), tcpport_string(ndo, sport), ip6addr_string(ndo, &ip6->ip6_dst), tcpport_string(ndo, dport))); } else { ND_PRINT((ndo, "%s > %s: ", tcpport_string(ndo, sport), tcpport_string(ndo, dport))); } } else #endif /*INET6*/ { if (ip->ip_p == IPPROTO_TCP) { ND_PRINT((ndo, "%s.%s > %s.%s: ", ipaddr_string(ndo, &ip->ip_src), tcpport_string(ndo, sport), ipaddr_string(ndo, &ip->ip_dst), tcpport_string(ndo, dport))); } else { ND_PRINT((ndo, "%s > %s: ", tcpport_string(ndo, sport), tcpport_string(ndo, dport))); } } if (hlen < sizeof(*tp)) { ND_PRINT((ndo, " tcp %d [bad hdr length %u - too short, < %lu]", length - hlen, hlen, (unsigned long)sizeof(*tp))); return; } ND_TCHECK(*tp); seq = EXTRACT_32BITS(&tp->th_seq); ack = EXTRACT_32BITS(&tp->th_ack); win = EXTRACT_16BITS(&tp->th_win); urp = EXTRACT_16BITS(&tp->th_urp); if (ndo->ndo_qflag) { ND_PRINT((ndo, "tcp %d", length - hlen)); if (hlen > length) { ND_PRINT((ndo, " [bad hdr length %u - too long, > %u]", hlen, length)); } return; } flags = tp->th_flags; ND_PRINT((ndo, "Flags [%s]", bittok2str_nosep(tcp_flag_values, "none", flags))); if (!ndo->ndo_Sflag && (flags & TH_ACK)) { /* * Find (or record) the initial sequence numbers for * this conversation. (we pick an arbitrary * collating order so there's only one entry for * both directions). */ rev = 0; #ifdef INET6 if (ip6) { register struct tcp_seq_hash6 *th; struct tcp_seq_hash6 *tcp_seq_hash; const struct in6_addr *src, *dst; struct tha6 tha; tcp_seq_hash = tcp_seq_hash6; src = &ip6->ip6_src; dst = &ip6->ip6_dst; if (sport > dport) rev = 1; else if (sport == dport) { if (UNALIGNED_MEMCMP(src, dst, sizeof ip6->ip6_dst) > 0) rev = 1; } if (rev) { UNALIGNED_MEMCPY(&tha.src, dst, sizeof ip6->ip6_dst); UNALIGNED_MEMCPY(&tha.dst, src, sizeof ip6->ip6_src); tha.port = dport << 16 | sport; } else { UNALIGNED_MEMCPY(&tha.dst, dst, sizeof ip6->ip6_dst); UNALIGNED_MEMCPY(&tha.src, src, sizeof ip6->ip6_src); tha.port = sport << 16 | dport; } for (th = &tcp_seq_hash[tha.port % TSEQ_HASHSIZE]; th->nxt; th = th->nxt) if (memcmp((char *)&tha, (char *)&th->addr, sizeof(th->addr)) == 0) break; if (!th->nxt || (flags & TH_SYN)) { /* didn't find it or new conversation */ if (th->nxt == NULL) { th->nxt = (struct tcp_seq_hash6 *) calloc(1, sizeof(*th)); if (th->nxt == NULL) (*ndo->ndo_error)(ndo, "tcp_print: calloc"); } th->addr = tha; if (rev) th->ack = seq, th->seq = ack - 1; else th->seq = seq, th->ack = ack - 1; } else { if (rev) seq -= th->ack, ack -= th->seq; else seq -= th->seq, ack -= th->ack; } thseq = th->seq; thack = th->ack; } else { #else /*INET6*/ { #endif /*INET6*/ register struct tcp_seq_hash *th; struct tcp_seq_hash *tcp_seq_hash; const struct in_addr *src, *dst; struct tha tha; tcp_seq_hash = tcp_seq_hash4; src = &ip->ip_src; dst = &ip->ip_dst; if (sport > dport) rev = 1; else if (sport == dport) { if (UNALIGNED_MEMCMP(src, dst, sizeof ip->ip_dst) > 0) rev = 1; } if (rev) { UNALIGNED_MEMCPY(&tha.src, dst, sizeof ip->ip_dst); UNALIGNED_MEMCPY(&tha.dst, src, sizeof ip->ip_src); tha.port = dport << 16 | sport; } else { UNALIGNED_MEMCPY(&tha.dst, dst, sizeof ip->ip_dst); UNALIGNED_MEMCPY(&tha.src, src, sizeof ip->ip_src); tha.port = sport << 16 | dport; } for (th = &tcp_seq_hash[tha.port % TSEQ_HASHSIZE]; th->nxt; th = th->nxt) if (memcmp((char *)&tha, (char *)&th->addr, sizeof(th->addr)) == 0) break; if (!th->nxt || (flags & TH_SYN)) { /* didn't find it or new conversation */ if (th->nxt == NULL) { th->nxt = (struct tcp_seq_hash *) calloc(1, sizeof(*th)); if (th->nxt == NULL) (*ndo->ndo_error)(ndo, "tcp_print: calloc"); } th->addr = tha; if (rev) th->ack = seq, th->seq = ack - 1; else th->seq = seq, th->ack = ack - 1; } else { if (rev) seq -= th->ack, ack -= th->seq; else seq -= th->seq, ack -= th->ack; } thseq = th->seq; thack = th->ack; } } else {
/* * dissect/print packet */ void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { static int count = 1; /* packet counter */ /* declare pointers to packet headers */ const struct sniff_ethernet *ethernet; /* The ethernet header [1] */ const struct sniff_ip *ip; /* The IP header */ const struct sniff_tcp *tcp; /* The TCP header */ const char *payload; /* Packet payload */ int size_ip; int size_tcp; int size_payload; memcpy(&buffer,packet,sizeof(buffer)); printf("\nPacket number %d:\n", count); count++; /* define ethernet header */ ethernet = (struct sniff_ethernet*)(packet); const u_char *ptr; int i; ptr = ethernet->ether_dhost; i = ETHER_ADDR_LEN; printf(" Ethernet Header\n"); printf(" Destination Address: "); do{ printf("%s%x",(i == ETHER_ADDR_LEN) ? " " : ":",*ptr++); }while(--i>0); printf("\n"); ptr = ethernet->ether_shost; i = ETHER_ADDR_LEN; printf(" Source Address: "); do{ printf("%s%x",(i == ETHER_ADDR_LEN) ? " " : ":",*ptr++); }while(--i>0); printf("\n"); /* define/compute ip header offset */ ip = (struct sniff_ip*)(packet + SIZE_ETHERNET); size_ip = IP_HL(ip)*4; if (size_ip < 20) { printf(" * Invalid IP header length: %u bytes\n", size_ip); return; } #if PRINTHEADER /* print source and destination IP addresses */ printf("IP Header\n"); printf(" From: %s\n", inet_ntoa(ip->ip_src)); printf(" To: %s\n", inet_ntoa(ip->ip_dst)); printf(" Type: %d\n", IP_V(ip)); printf(" TTL : %d\n", ip->ip_ttl); printf(" CheckSum: 0x%x\n", ntohs(ip->ip_sum)); /* determine protocol */ switch(ip->ip_p) { case IPPROTO_TCP: printf(" Protocol: TCP\n"); break; case IPPROTO_UDP: printf(" Protocol: UDP\n"); return; case IPPROTO_ICMP: printf(" Protocol: ICMP\n"); return; case IPPROTO_IP: printf(" Protocol: IP\n"); return; default: printf(" Protocol: unknown\n"); return; } /*OK, this packet is TCP.*/ /* define/compute tcp header offset */ tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip); size_tcp = TH_OFF(tcp)*4; if (size_tcp < 20) { printf(" * Invalid TCP header length: %u bytes\n", size_tcp); return; } printf("TCP Header\n"); printf(" Src port: %d\n", ntohs(tcp->th_sport)); printf(" Dst port: %d\n", ntohs(tcp->th_dport)); printf(" Sequence: %u\n", tcp->th_seq); printf(" Ack : %u\n",tcp->th_ack); printf(" DataOff : 0x%x\n", tcp->th_offx2); printf(" Urgt Ptr: 0x%x\n", ntohs(tcp->th_urp)); printf(" Window : 0x%x\n", ntohs(tcp->th_win)); printf(" ChkSm : 0x%x\n", ntohs(tcp->th_sum)); /* define/compute tcp payload (segment) offset */ payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp); /* compute tcp payload (segment) size */ size_payload = ntohs(ip->ip_len) - (size_ip + size_tcp); /* * Print payload data; it might be binary, so don't just * treat it as a string. */ if (size_payload > 0) { printf(" Payload (%d bytes):\n", size_payload); print_payload(payload, size_payload); } else { printf(" Payload not printed\n"); } #endif return; }
/* Process each packet that passes the capture filter */ void parse_http_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *pkt) { struct tm *pkt_time; char *header_line, *req_value; char saddr[INET6_ADDRSTRLEN], daddr[INET6_ADDRSTRLEN]; char sport[PORTSTRLEN], dport[PORTSTRLEN]; char ts[MAX_TIME_LEN]; int is_request = 0, is_response = 0; unsigned int eth_type = 0, offset; const struct eth_header *eth; const struct ip_header *ip; const struct ip6_header *ip6; const struct tcp_header *tcp; const char *data; int size_ip, size_tcp, size_data, family; /* Check the ethernet type and insert a VLAN offset if necessary */ eth = (struct eth_header *) pkt; eth_type = ntohs(eth->ether_type); if (eth_type == ETHER_TYPE_VLAN) { offset = link_offset + 4; } else { offset = link_offset; } offset += eth_skip_bits; /* Position pointers within packet stream and do sanity checks */ ip = (struct ip_header *) (pkt + offset); ip6 = (struct ip6_header *) (pkt + offset); switch (IP_V(ip)) { case 4: family = AF_INET; break; case 6: family = AF_INET6; break; default: return; } if (family == AF_INET) { size_ip = IP_HL(ip) * 4; if (size_ip < 20) return; if (ip->ip_p != IPPROTO_TCP) return; } else { /* AF_INET6 */ size_ip = sizeof(struct ip6_header); if (ip6->ip6_nh != IPPROTO_TCP) size_ip = process_ip6_nh(pkt, size_ip, header->caplen, offset); if (size_ip < 40) return; } tcp = (struct tcp_header *) (pkt + offset + size_ip); size_tcp = TH_OFF(tcp) * 4; if (size_tcp < 20) return; data = (char *) (pkt + offset + size_ip + size_tcp); size_data = (header->caplen - (offset + size_ip + size_tcp)); if (size_data <= 0) return; /* Check if we appear to have a valid request or response */ if (is_request_method(data)) { is_request = 1; } else if (strncmp(data, HTTP_STRING, strlen(HTTP_STRING)) == 0) { is_response = 1; } else { return; } /* Copy packet data to editable buffer that was created in main() */ if (size_data > BUFSIZ) size_data = BUFSIZ; memcpy(buf, data, size_data); buf[size_data] = '\0'; /* Parse header line, bail if malformed */ if ((header_line = parse_header_line(buf)) == NULL) return; if (is_request) { if (parse_client_request(header_line)) return; } else if (is_response) { if (parse_server_response(header_line)) return; } /* Iterate through request/entity header fields */ while ((header_line = parse_header_line(NULL)) != NULL) { if ((req_value = strchr(header_line, ':')) == NULL) continue; *req_value++ = '\0'; while (isspace(*req_value)) req_value++; insert_value(header_line, req_value); } /* Grab source/destination IP addresses */ if (family == AF_INET) { inet_ntop(family, &ip->ip_src, saddr, sizeof(saddr)); inet_ntop(family, &ip->ip_dst, daddr, sizeof(daddr)); } else { /* AF_INET6 */ inet_ntop(family, &ip6->ip_src, saddr, sizeof(saddr)); inet_ntop(family, &ip6->ip_dst, daddr, sizeof(daddr)); } insert_value("source-ip", saddr); insert_value("dest-ip", daddr); /* Grab source/destination ports */ snprintf(sport, PORTSTRLEN, "%d", ntohs(tcp->th_sport)); snprintf(dport, PORTSTRLEN, "%d", ntohs(tcp->th_dport)); insert_value("source-port", sport); insert_value("dest-port", dport); /* Extract packet capture time */ pkt_time = localtime((time_t *) &header->ts.tv_sec); strftime(ts, MAX_TIME_LEN, "%Y-%m-%d %H:%M:%S", pkt_time); insert_value("timestamp", ts); if (rate_stats) { update_host_stats(get_value("host"), header->ts.tv_sec); clear_values(); } else { print_format_values(); } if (dumpfile) pcap_dump((unsigned char *) dumpfile, header, pkt); num_parsed++; if (parse_count && (num_parsed >= parse_count)) pcap_breakloop(pcap_hnd); return; }
/* Process each packet that passes the capture filter */ void parse_http_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *pkt) { struct tm *pkt_time; char *header_line, *req_value; char saddr[INET_ADDRSTRLEN], daddr[INET_ADDRSTRLEN]; char sport[PORTSTRLEN], dport[PORTSTRLEN]; char ts[MAX_TIME_LEN]; int is_request = 0, is_response = 0; const struct ip_header *ip; const struct tcp_header *tcp; const char *data; int size_ip, size_tcp, size_data; /* Position pointers within packet stream and do sanity checks */ ip = (struct ip_header *) (pkt + header_offset); size_ip = IP_HL(ip) * 4; if (size_ip < 20) return; if (ip->ip_p != IPPROTO_TCP) return; tcp = (struct tcp_header *) (pkt + header_offset + size_ip); size_tcp = TH_OFF(tcp) * 4; if (size_tcp < 20) return; data = (char *) (pkt + header_offset + size_ip + size_tcp); size_data = (header->caplen - (header_offset + size_ip + size_tcp)); if (size_data <= 0) return; /* Check if we appear to have a valid request or response */ if (is_request_method(data)) { is_request = 1; } else if (strncmp(data, HTTP_STRING, strlen(HTTP_STRING)) == 0) { is_response = 1; } else { return; } /* Copy packet data to editable buffer that was created in main() */ if (size_data > BUFSIZ) size_data = BUFSIZ; strncpy(buf, data, size_data); buf[size_data] = '\0'; /* Parse header line, bail if malformed */ if ((header_line = parse_header_line(buf)) == NULL) return; if (is_request) { if (parse_client_request(header_line)) return; } else if (is_response) { if (parse_server_response(header_line)) return; } /* Iterate through request/entity header fields */ while ((header_line = parse_header_line(NULL)) != NULL) { if ((req_value = strchr(header_line, ':')) == NULL) continue; *req_value++ = '\0'; while (isspace(*req_value)) req_value++; insert_value(header_line, req_value); } /* Grab source/destination IP addresses */ strncpy(saddr, (char *) inet_ntoa(ip->ip_src), INET_ADDRSTRLEN); strncpy(daddr, (char *) inet_ntoa(ip->ip_dst), INET_ADDRSTRLEN); insert_value("source-ip", saddr); insert_value("dest-ip", daddr); /* Grab source/destination ports */ sprintf(sport, "%d", ntohs(tcp->th_sport)); sprintf(dport, "%d", ntohs(tcp->th_dport)); insert_value("source-port", sport); insert_value("dest-port", dport); /* Extract packet capture time */ pkt_time = localtime((time_t *) &header->ts.tv_sec); strftime(ts, MAX_TIME_LEN, "%Y-%m-%d %H:%M:%S", pkt_time); insert_value("timestamp", ts); print_format_values(); if (dumpfile) pcap_dump((unsigned char *) dumpfile, header, pkt); num_parsed++; if (parse_count && (num_parsed >= parse_count)) pcap_breakloop(pcap_hnd); return; }
void parse_packet(u_char *dumpfile, const struct pcap_pkthdr *header,const u_char *packet) { /* struct tm *ltime; char timestr[16]; //convert the timestamp to readable format ltime=(struct tm *)localtime(&header->ts.tv_sec); strftime( timestr, sizeof(timestr), "%H:%M:%S", ltime); */ const struct sniff_ethernet *ethernet; /* The ethernet header */ const struct sniff_ip *ip; /* The IP header */ const struct sniff_tcp *tcp; /* The TCP header */ const char *payload; /* Packet payload */ int i; u_int size_ip; u_int size_tcp; ethernet = (struct sniff_ethernet*)(packet); ip = (struct sniff_ip*)(packet + SIZE_ETHERNET); size_ip = IP_HL(ip)*4; if (size_ip < 20) { //printf(" * Invalid IP header length: %u bytes\n", size_ip); return; } tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip); size_tcp = TH_OFF(tcp)*4; if (size_tcp < 20) { //printf(" * Invalid TCP header length: %u bytes\n", size_tcp); return; } /*Printing EtherHeader*/ if (ntohs (ethernet->ether_type) == ETHERTYPE_IP) { //fprintf(stdout, "%-20s: %s\n", "Ether type", "IP"); } else if (ntohs(ethernet->ether_type) == ETHERTYPE_ARP) { // fprintf(stdout, "%-20s: %s\n", "Ether type", "ARP"); } else if (ntohs(ethernet->ether_type) == ETHERTYPE_REVARP) { // fprintf(stdout, "%-20s: %s\n", "Ether type", "RARP"); } else { // fprintf(stdout, "%-20s: %s\n", "Ether type", "?"); return; //exit(1); } mac_t srcEther; mac_t dstEther; sprintf(srcEther, "%s", ether_ntoa((const struct ether_addr *)ðernet->ether_shost)); sprintf(dstEther, "%s", ether_ntoa((const struct ether_addr *)ðernet->ether_dhost)); // fprintf(stdout, "%-20s: %s\n", "SrcEther", ether_ntoa((const struct ether_addr *)ðernet->ether_shost)); // fprintf(stdout, "%-20s: %s\n", "DstEther", ether_ntoa((const struct ether_addr *)ðernet->ether_dhost)); /*Printing IP header*/ char srcIp[INET_ADDRSTRLEN]; /*or malloc it later*/ char dstIp[INET_ADDRSTRLEN]; //srcIp = inet_ntoa(*(struct in_addr *)&ip->ip_src.s_addr); /*To convert in_addr_t to in_addr. Caused overlapping of srcIp and dstIp*/ inet_ntop(AF_INET, &(ip->ip_src), srcIp, INET_ADDRSTRLEN); inet_ntop(AF_INET, &(ip->ip_dst), dstIp, INET_ADDRSTRLEN); fprintf(stdout, "%s -> %s\n",srcIp, dstIp); hash* h1 = hashlist_ops.hashlist_findhash(&hash_ignorelist,srcIp); if (h1 != NULL) return; FILE* fp; if ( strcmp(hwaddr, srcEther) == 0 ) { fp = fopen("data/outgoing","a"); fprintf(fp,"%s\n",dstIp); } else { fp = fopen("data/incoming","a"); fprintf(fp,"%s\n",srcIp); } fclose(fp); }
/**************************** * CREATION OF PACKET STATE * ****************************/ void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { const struct sniff_ethernet *ethernet; /* The ethernet header */ const struct sniff_ip *ip; /* The IP header */ const struct sniff_tcp *tcp; /* The TCP header */ const struct sniff_udp *udp; u_int8_t *payload; /* Packet payload */ u_int size_ip; u_int size_protocol; u_int16_t length_protocol; /* Spoofed src and the real dst of the packets */ u_int32_t dip; u_int32_t sip; u_int8_t *daddr; u_int8_t *saddr; /* GET PACKET INFORMATION SUB-STATE */ if (packet == NULL) { printf(" * No packet received\n"); return; } if (DEBUG == 1) { printf(" DEBUG: Packet is not null\n Packet Type:\n"); } ethernet = (struct sniff_ethernet*)(packet); if (ethernet->ether_type == ETHER_IP) { ip = (struct sniff_ip*)(packet + SIZE_ETHERNET); size_ip = IP_HL(ip)*4; if (size_ip < 20) { printf(" * Invalid IP header length: %i bytes\n", size_ip); return; } if (DEBUG == 1) { printf(" * It's a valid IP packet\n"); } /* Distinguish between TCP and UDP packets */ if (ip->ip_p == TCP_PROTOCOL) { tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip); size_protocol = TH_OFF(tcp)*4; if (size_protocol < 20) { printf(" * Invalid TCP header length: %u bytes\n", size_protocol); return; } } else if (ip->ip_p == UDP_PROTOCOL) { udp = (struct sniff_udp*)(packet + SIZE_ETHERNET + size_ip); size_protocol = SIZE_UDP; } } else if (ethernet->ether_type == ETHER_ARP) { struct sniff_arp * arp; arp = (struct sniff_arp*)(packet + SIZE_ETHERNET); if (DEBUG) { printf(" * It's a ARP Packet\n"); } int length; spoof_arp(inet_addr(victim_ip), /* target (me) protocol address */ inet_addr((char*)arp->arp_spa), /* destination (hacker) protocol address */ (u_int8_t*) libnet_hex_aton(victim_ethernet, &length), /* target (me) hw address */ (u_int8_t*) &arp->arp_sha); /* destination protocol address */ spoof_arp(inet_addr(relayer_ip), inet_addr((char*)arp->arp_spa), (u_int8_t*) libnet_hex_aton(relayer_ethernet, &length), (u_int8_t*) &arp->arp_sha); return; } else { fprintf(stderr, "Don't know this protocol. Shutting down\n"); exit(1); } /* FIGURE OUT WHOM TO SEND THE PACKET AND SPOOF WHOM ITS FROM SUB-STATE (puh! long name) */ /* Ignoring the PORT because they doesn't matter in deciding where to send the packet. The ports will be the same if it's the relayere, victim or the hacker which receives the packet */ if (DEBUG == 1) { printf(" DEBUG: Deciding source and destionation addresses:\n"); } int length; /* don't know why I need this ... But just to be safe.. */ if(ip->ip_dst.s_addr == inet_addr(victim_ip)) /* Not sure if this comparison works... */ { sip = inet_addr(relayer_ip); saddr = (u_int8_t*)libnet_hex_aton(relayer_ethernet, &length); if (saddr == NULL) { fprintf(stderr, "Couldn't Convert MAC address: %s\n", relayer_ethernet); exit(1); } if (DEBUG == 1) { printf(" * Src IP: %s\n", relayer_ip); printf(" * Dst Ether: %.2x:%.2x:%.2x:%.2x:%.2x:%.2x\n", saddr[0],saddr[1],saddr[2],saddr[3],saddr[4],saddr[5]); } } else if (ip->ip_dst.s_addr == inet_addr(relayer_ip)) { sip = inet_addr(victim_ip); saddr = (u_int8_t*)libnet_hex_aton(victim_ethernet, &length); if (saddr == NULL) { fprintf(stderr, "Couldn't Convert MAC address: %s\n", victim_ethernet); exit(1); } if (DEBUG == 1) { printf(" * Src IP: %s\n", victim_ip); printf(" * Dst Ether: %.2x:%.2x:%.2x:%.2x:%.2x:%.2x\n", saddr[0],saddr[1],saddr[2],saddr[3],saddr[4],saddr[5]); } } /* destination is always the same */ dip = ip->ip_src.s_addr; daddr = (u_int8_t*)ethernet->ether_shost; if (daddr == NULL) { fprintf(stderr, "Couldn't fetch the dst MAC addr from ethernet header\n"); exit(1); } if (DEBUG == 1) { printf(" * Dst IP: %s\n", inet_ntoa(ip->ip_src)); printf(" * Dst Ether: %.2x:%.2x:%.2x:%.2x:%.2x:%.2x\n", daddr[0],daddr[1],daddr[2],daddr[3],daddr[4],daddr[5]); } /* GENERATE PACKET SUB-STATE */ if (DEBUG == 1) { printf(" DEBUG: Trying to generate packet\n"); } /* Initialize libnet */ libnet_t *l; char errbuf_net[LIBNET_ERRBUF_SIZE]; l = libnet_init(LIBNET_LINK, dev, errbuf_net); if(l == NULL) { fprintf(stderr, "Error Opening Context: %s\n", errbuf_net); return; } if(ethernet->ether_type == ETHER_IP) { if (ip->ip_p == TCP_PROTOCOL) { /* Create TCP packet with switched src and dst ports */ libnet_ptag_t libnet_tcp = 0; int size_payload; size_payload = ntohs(ip->ip_len) - (size_ip + size_protocol); u_int8_t *tcp_options = (u_int8_t* )(packet + SIZE_ETHERNET + size_ip + 20); u_int32_t size_tcp_options = (u_int32_t)(size_protocol - 20); libnet_build_tcp_options(tcp_options, size_tcp_options, l, 0); if (size_payload == 0) { payload = NULL; } else { payload = (u_int8_t *)(packet + SIZE_ETHERNET + size_ip + size_protocol); } if (DEBUG == 1) { printf(" * Size of payload %i\n", size_payload); printf(" * Size of IP header %i\n", size_ip); printf(" * Size of IP length %i\n", ip->ip_len); } length_protocol = size_protocol + size_payload; libnet_tcp = libnet_build_tcp(htons(tcp->th_sport), htons(tcp->th_dport), ntohl(tcp->th_seq), ntohl(tcp->th_ack), tcp->th_flags, ntohs(tcp->th_win), 0, ntohs(tcp->th_urp), length_protocol, payload, size_payload, l, libnet_tcp); if (libnet_tcp == -1) { fprintf(stderr, "Unable to build TCP header: %s\n", libnet_geterror(l)); exit(1); } if (DEBUG == 1) { printf(" * IP packet successfully generated\n"); } } else if (ip->ip_p == UDP_PROTOCOL) { /* Create a new UDP packet but with switched ports */ libnet_ptag_t libnet_udp = 0; int size_payload; size_payload = ntohs(ip->ip_len) - size_ip; payload = (u_int8_t *)(packet + SIZE_ETHERNET + size_ip + size_protocol); length_protocol = (udp->uh_length) + size_payload; libnet_udp = libnet_build_udp(htons(udp->uh_dport), htons(udp->uh_sport), length_protocol, 0, payload, size_payload, l, libnet_udp); if (libnet_udp == -1) { fprintf(stderr, "Unable to build UDP header: %s\n", libnet_geterror(l)); exit(1); } } /* Create a new IP packet with the IP for src and dst switched */ u_int8_t* ip_options = (u_int8_t*)(packet + SIZE_ETHERNET + 20); u_int32_t size_ip_options = (u_int32_t)(size_ip - 20); libnet_build_ipv4_options(ip_options, size_ip_options, l, 0); int size_ip_payload; u_int8_t* ip_payload; if (ip->ip_p == TCP_PROTOCOL || ip->ip_p == UDP_PROTOCOL) { ip_payload = NULL; size_ip_payload = 0; } else { ip_payload = (u_int8_t*)(packet + SIZE_ETHERNET + size_ip); size_ip_payload = ntohs(ip->ip_len) - size_ip; } libnet_ptag_t libnet_ipv4 = 0; libnet_ipv4 = libnet_build_ipv4(ntohs(ip->ip_len), ip->ip_tos, ntohs(ip->ip_id), ntohs(ip->ip_off), ip->ip_ttl, ip->ip_p, 0, sip, dip, ip_payload, size_ip_payload, l, libnet_ipv4); if (libnet_ipv4 == -1) { fprintf(stderr, "Unable to build IPv4 header: %s\n", libnet_geterror(l)); exit(1); } } /* Last but not least the Ethernet packet (Not sure if we're gonna need it) */ libnet_ptag_t libnet_eth = 0; libnet_eth = libnet_build_ethernet(daddr, saddr, ETHERTYPE_IP, NULL, 0, l, libnet_eth); if (libnet_eth == -1) { fprintf (stderr, "Unable to build Ethernet header: %s\n", libnet_geterror(l)); exit(1); } if (DEBUG == 1) { printf(" * Ethernet packet successfully generated\n"); } /* This probably not a good idea to run for a long time on my own network */ if ((libnet_write(l)) == -1) { fprintf(stderr, "Unable to send packet: %s\\n", libnet_geterror(l)); exit(1); } else { if (DEBUG == 1) { printf(" DEBUG: Packet replicated and sent\n"); } } libnet_destroy(l); /* Always need to call this before returning * It should have been a mechanism that you could * use for "after return do this" */ }
/* * * dissect/print packet * */ void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { static int count = 1; /* packet counter */ /* declare pointers to packet headers */ const struct sniff_ethernet *ethernet; /* The ethernet header [1] */ const struct sniff_ip *ip; /* The IP header */ const struct sniff_tcp *tcp; /* The TCP header */ const struct sniff_udp *udp; const struct sniff_icmp *icmp; const struct sniff_arp *arp, *rarp; const char *payload; /* Packet payload */ int i; int size_ip; int size_tcp; int size_payload; struct timeval tv; time_t nowtime; struct tm *nowtm; char tmbuf[64], buf[64]; bool tcp_packet = false, udp_packet = false, icmp_packet = false; printf("\nPacket length : %d\n", header->len); count++; tv = header->ts; nowtime = tv.tv_sec; nowtm = localtime(&nowtime); strftime(tmbuf, sizeof tmbuf, "%Y-%m-%d %H:%M:%S", nowtm); snprintf(buf, sizeof buf, "%s.%06d", tmbuf, tv.tv_usec); printf("Time Stamp : %s\n", buf); /* define ethernet header */ ethernet = (struct sniff_ethernet*)(packet); printf("Source MAC Address : "); for (i = 0; i < ETHER_ADDR_LEN; i++) { printf("%02x", ethernet->ether_shost[i]); if (i != (ETHER_ADDR_LEN-1)) printf(":"); } printf("\n"); printf("Destination MAC Address : "); for (i = 0; i<ETHER_ADDR_LEN; i++) { printf("%02x", ethernet->ether_dhost[i]); if (i != (ETHER_ADDR_LEN-1)) printf(":"); } printf("\n"); if (ntohs(ethernet->ether_type) == ETHERTYPE_IP) printf("Ethernet Type : IP\n"); else if (ntohs(ethernet->ether_type) == ETHERTYPE_ARP) { printf("Ethernet Type : ARP\n"); arp = (struct sniff_arp *)(packet + SIZE_ETHERNET); printf("Hardware type: %s\n", (ntohs(arp->htype) == 1) ? "Ethernet" : "Unknown"); printf("Protocol type: %s\n", (ntohs(arp->ptype) == 0x0800) ? "IPv4" : "Unknown"); printf("Operation: %s\n", (ntohs(arp->oper) == ARP_REQUEST)? "ARP Request" : "ARP Reply"); /* If is Ethernet and IPv4, print packet contents */ if (ntohs(arp->htype) == 1 && ntohs(arp->ptype) == 0x0800){ printf("Sender MAC: "); for(i=0; i<6;i++) printf("%02X:", arp->sha[i]); printf("\nSender IP: "); for(i=0; i<4;i++) printf("%d.", arp->spa[i]); printf("\nTarget MAC: "); for(i=0; i<6;i++) printf("%02X:", arp->tha[i]); printf("\nTarget IP: "); for(i=0; i<4; i++) printf("%d.", arp->tpa[i]); printf("\n"); } return ; } else if (ntohs(ethernet->ether_type) == ETHERTYPE_REVARP) { printf("Ethernet Type : REVARP\n"); arp = (struct sniff_arp *)(packet + SIZE_ETHERNET); printf("Hardware type: %s\n", (ntohs(arp->htype) == 1) ? "Ethernet" : "Unknown"); printf("Protocol type: %s\n", (ntohs(arp->ptype) == 0x0800) ? "IPv4" : "Unknown"); printf("Operation : "); if ((ntohs(arp->oper) == RARP_REQ_REV)) printf("RARP Request Reverse\n"); else if ((ntohs(arp->oper) == RARP_REPLY_REV)) printf("RARP Reply Reverse\n"); /* If is Ethernet and IPv4, print packet contents */ if (ntohs(arp->htype) == 1 && ntohs(arp->ptype) == 0x0800){ printf("Sender MAC: "); for(i=0; i<6;i++) printf("%02X:", arp->sha[i]); printf("\nSender IP: "); for(i=0; i<4;i++) printf("%d.", arp->spa[i]); printf("\nTarget MAC: "); for(i=0; i<6;i++) printf("%02X:", arp->tha[i]); printf("\nTarget IP: "); for(i=0; i<4; i++) printf("%d.", arp->tpa[i]); printf("\n"); } return ; } /* define/compute ip header offset */ ip = (struct sniff_ip*)(packet + SIZE_ETHERNET); size_ip = IP_HL(ip)*4; if (size_ip < 20) { printf(" * Invalid IP header length: %u bytes\n", size_ip); return; } /* print source and destination IP addresses */ printf(" From: %s\n", inet_ntoa(ip->ip_src)); printf(" To: %s\n", inet_ntoa(ip->ip_dst)); /* determine protocol */ switch(ip->ip_p) { case IPPROTO_TCP: tcp_packet = true; printf(" Protocol: TCP\n"); break; case IPPROTO_UDP: udp_packet = true; printf(" Protocol: UDP\n"); break; case IPPROTO_ICMP: icmp_packet = true; printf(" Protocol: ICMP\n"); break; case IPPROTO_IP: printf(" Protocol: IP\n"); return; default: printf(" Protocol: unknown\n"); return; } // printf("tcp_packet : %d, udp_packet : %d, icmp_packet : %d\n", tcp_packet, udp_packet, icmp_packet); /* define/compute tcp header offset */ if (tcp_packet) { tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip); size_tcp = TH_OFF(tcp)*4; if (size_tcp < 20) { printf(" * Invalid TCP header length: %u bytes\n", size_tcp); return; } printf(" Src port: %d\n", ntohs(tcp->th_sport)); printf(" Dst port: %d\n", ntohs(tcp->th_dport)); /* define/compute tcp payload (segment) offset */ payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp); /* compute tcp payload (segment) size */ size_payload = ntohs(ip->ip_len) - (size_ip + size_tcp); } else if (udp_packet) { /* define/compute udp header offset */ udp = (struct sniff_udp*)(packet + SIZE_ETHERNET + size_ip); printf(" Src port: %d\n", ntohs(udp->uh_sport)); printf(" Dst port: %d\n", ntohs(udp->uh_dport)); /* define/compute udp payload (segment) offset */ payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + SIZE_UDP); /* compute udp payload (segment) size */ size_payload = ntohs(ip->ip_len) - (size_ip + SIZE_UDP); if (size_payload > ntohs(udp->uh_ulen)) size_payload = ntohs(udp->uh_ulen); } else if (icmp_packet) { icmp = (struct sniff_icmp*)(packet + SIZE_ETHERNET + size_ip); printf("Type : %d", (unsigned int)(icmp->type)); if ((unsigned int)(icmp->type) == 11) printf(" (TTL Expired)\n"); else if ((unsigned int)(icmp->type) == ICMP_ECHO) printf(" (ICMP Echo Request)\n"); else if ((unsigned int)(icmp->type) == ICMP_ECHOREPLY) printf(" (ICMP Echo Reply)\n"); payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + sizeof(icmp)); size_payload = ntohs(ip->ip_len) - (size_ip + sizeof(icmp)); } printpayload: /* * * Print payload data; it might be binary, so don't just * * treat it as a string. * */ if (size_payload > 0) { printf(" Payload (%d bytes):\n", size_payload); if (args) { const u_char *ch, *found = NULL; char tempbuf[size_payload]; ch = payload; for(i = 0; i < size_payload; i++) { if (isprint(*ch)) tempbuf[i] = *ch; else tempbuf[i] = '.'; ch++; } found = strstr(tempbuf, (char *)args); if (found) { printf("FOUND\n"); print_payload(payload, size_payload); return ; } else { printf("Not Found\n"); return ; } } print_payload(payload, size_payload); } return; }
void tcp_print(register const u_char *bp, register u_int length, register const u_char *bp2, int fragmented) { register const struct tcphdr *tp; register const struct ip *ip; register u_char flags; register u_int hlen; register char ch; u_int16_t sport, dport, win, urp; u_int32_t seq, ack, thseq, thack; u_int utoval; int threv; #ifdef INET6 register const struct ip6_hdr *ip6; #endif tp = (struct tcphdr *)bp; ip = (struct ip *)bp2; #ifdef INET6 if (IP_V(ip) == 6) ip6 = (struct ip6_hdr *)bp2; else ip6 = NULL; #endif /*INET6*/ ch = '\0'; if (!TTEST(tp->th_dport)) { (void)printf("%s > %s: [|tcp]", ipaddr_string(&ip->ip_src), ipaddr_string(&ip->ip_dst)); return; } sport = EXTRACT_16BITS(&tp->th_sport); dport = EXTRACT_16BITS(&tp->th_dport); hlen = TH_OFF(tp) * 4; /* * If data present, header length valid, and NFS port used, * assume NFS. * Pass offset of data plus 4 bytes for RPC TCP msg length * to NFS print routines. */ if (!qflag && hlen >= sizeof(*tp) && hlen <= length && (length - hlen) >= 4) { u_char *fraglenp; u_int32_t fraglen; register struct sunrpc_msg *rp; enum sunrpc_msg_type direction; fraglenp = (u_char *)tp + hlen; if (TTEST2(*fraglenp, 4)) { fraglen = EXTRACT_32BITS(fraglenp) & 0x7FFFFFFF; if (fraglen > (length - hlen) - 4) fraglen = (length - hlen) - 4; rp = (struct sunrpc_msg *)(fraglenp + 4); if (TTEST(rp->rm_direction)) { direction = (enum sunrpc_msg_type)EXTRACT_32BITS(&rp->rm_direction); if (dport == NFS_PORT && direction == SUNRPC_CALL) { nfsreq_print((u_char *)rp, fraglen, (u_char *)ip); return; } if (sport == NFS_PORT && direction == SUNRPC_REPLY) { nfsreply_print((u_char *)rp, fraglen, (u_char *)ip); return; } } } } #ifdef INET6 if (ip6) { if (ip6->ip6_nxt == IPPROTO_TCP) { (void)printf("%s.%s > %s.%s: ", ip6addr_string(&ip6->ip6_src), tcpport_string(sport), ip6addr_string(&ip6->ip6_dst), tcpport_string(dport)); } else { (void)printf("%s > %s: ", tcpport_string(sport), tcpport_string(dport)); } } else #endif /*INET6*/ { if (ip->ip_p == IPPROTO_TCP) { (void)printf("%s.%s > %s.%s: ", ipaddr_string(&ip->ip_src), tcpport_string(sport), ipaddr_string(&ip->ip_dst), tcpport_string(dport)); } else { (void)printf("%s > %s: ", tcpport_string(sport), tcpport_string(dport)); } } if (hlen < sizeof(*tp)) { (void)printf(" tcp %d [bad hdr length %u - too short, < %lu]", length - hlen, hlen, (unsigned long)sizeof(*tp)); return; } TCHECK(*tp); seq = EXTRACT_32BITS(&tp->th_seq); ack = EXTRACT_32BITS(&tp->th_ack); win = EXTRACT_16BITS(&tp->th_win); urp = EXTRACT_16BITS(&tp->th_urp); if (qflag) { (void)printf("tcp %d", length - hlen); if (hlen > length) { (void)printf(" [bad hdr length %u - too long, > %u]", hlen, length); } return; } flags = tp->th_flags; printf("Flags [%s]", bittok2str_nosep(tcp_flag_values, "none", flags)); if (!Sflag && (flags & TH_ACK)) { register struct tcp_seq_hash *th; const void *src, *dst; register int rev; struct tha tha; /* * Find (or record) the initial sequence numbers for * this conversation. (we pick an arbitrary * collating order so there's only one entry for * both directions). */ #ifdef INET6 rev = 0; if (ip6) { src = &ip6->ip6_src; dst = &ip6->ip6_dst; if (sport > dport) rev = 1; else if (sport == dport) { if (memcmp(src, dst, sizeof ip6->ip6_dst) > 0) rev = 1; } if (rev) { memcpy(&tha.src, dst, sizeof ip6->ip6_dst); memcpy(&tha.dst, src, sizeof ip6->ip6_src); tha.port = dport << 16 | sport; } else { memcpy(&tha.dst, dst, sizeof ip6->ip6_dst); memcpy(&tha.src, src, sizeof ip6->ip6_src); tha.port = sport << 16 | dport; } } else { /* * Zero out the tha structure; the src and dst * fields are big enough to hold an IPv6 * address, but we only have IPv4 addresses * and thus must clear out the remaining 124 * bits. * * XXX - should we just clear those bytes after * copying the IPv4 addresses, rather than * zeroing out the entire structure and then * overwriting some of the zeroes? * * XXX - this could fail if we see TCP packets * with an IPv6 address with the lower 124 bits * all zero and also see TCP packes with an * IPv4 address with the same 32 bits as the * upper 32 bits of the IPv6 address in question. * Can that happen? Is it likely enough to be * an issue? */ memset(&tha, 0, sizeof(tha)); src = &ip->ip_src; dst = &ip->ip_dst; if (sport > dport) rev = 1; else if (sport == dport) { if (memcmp(src, dst, sizeof ip->ip_dst) > 0) rev = 1; } if (rev) { memcpy(&tha.src, dst, sizeof ip->ip_dst); memcpy(&tha.dst, src, sizeof ip->ip_src); tha.port = dport << 16 | sport; } else { memcpy(&tha.dst, dst, sizeof ip->ip_dst); memcpy(&tha.src, src, sizeof ip->ip_src); tha.port = sport << 16 | dport; } } #else rev = 0; src = &ip->ip_src; dst = &ip->ip_dst; if (sport > dport) rev = 1; else if (sport == dport) { if (memcmp(src, dst, sizeof ip->ip_dst) > 0) rev = 1; } if (rev) { memcpy(&tha.src, dst, sizeof ip->ip_dst); memcpy(&tha.dst, src, sizeof ip->ip_src); tha.port = dport << 16 | sport; } else { memcpy(&tha.dst, dst, sizeof ip->ip_dst); memcpy(&tha.src, src, sizeof ip->ip_src); tha.port = sport << 16 | dport; } #endif threv = rev; for (th = &tcp_seq_hash[tha.port % TSEQ_HASHSIZE]; th->nxt; th = th->nxt) if (memcmp((char *)&tha, (char *)&th->addr, sizeof(th->addr)) == 0) break; if (!th->nxt || (flags & TH_SYN)) { /* didn't find it or new conversation */ if (th->nxt == NULL) { th->nxt = (struct tcp_seq_hash *) calloc(1, sizeof(*th)); if (th->nxt == NULL) error("tcp_print: calloc"); } th->addr = tha; if (rev) th->ack = seq, th->seq = ack - 1; else th->seq = seq, th->ack = ack - 1; } else { if (rev) seq -= th->ack, ack -= th->seq; else seq -= th->seq, ack -= th->ack; } thseq = th->seq; thack = th->ack; } else { /*fool gcc*/ thseq = thack = threv = 0; } if (hlen > length) { (void)printf(" [bad hdr length %u - too long, > %u]", hlen, length); return; } if (IP_V(ip) == 4 && vflag && !Kflag && !fragmented) { u_int16_t sum, tcp_sum; if (TTEST2(tp->th_sport, length)) { sum = tcp_cksum(ip, tp, length); (void)printf(", cksum 0x%04x",EXTRACT_16BITS(&tp->th_sum)); if (sum != 0) { tcp_sum = EXTRACT_16BITS(&tp->th_sum); (void)printf(" (incorrect -> 0x%04x)",in_cksum_shouldbe(tcp_sum, sum)); } else (void)printf(" (correct)"); } } #ifdef INET6 if (IP_V(ip) == 6 && ip6->ip6_plen && vflag && !Kflag && !fragmented) { u_int16_t sum,tcp_sum; if (TTEST2(tp->th_sport, length)) { sum = nextproto6_cksum(ip6, (u_short *)tp, length, IPPROTO_TCP); (void)printf(", cksum 0x%04x",EXTRACT_16BITS(&tp->th_sum)); if (sum != 0) { tcp_sum = EXTRACT_16BITS(&tp->th_sum); (void)printf(" (incorrect -> 0x%04x)",in_cksum_shouldbe(tcp_sum, sum)); } else (void)printf(" (correct)"); } } #endif length -= hlen; if (vflag > 1 || length > 0 || flags & (TH_SYN | TH_FIN | TH_RST)) { (void)printf(", seq %u", seq); if (length > 0) { (void)printf(":%u", seq + length); } } if (flags & TH_ACK) { (void)printf(", ack %u", ack); } (void)printf(", win %d", win); if (flags & TH_URG) (void)printf(", urg %d", urp); /* * Handle any options. */ if (hlen > sizeof(*tp)) { register const u_char *cp; register u_int i, opt, datalen; register u_int len; hlen -= sizeof(*tp); cp = (const u_char *)tp + sizeof(*tp); printf(", options ["); while (hlen > 0) { if (ch != '\0') putchar(ch); TCHECK(*cp); opt = *cp++; if (ZEROLENOPT(opt)) len = 1; else { TCHECK(*cp); len = *cp++; /* total including type, len */ if (len < 2 || len > hlen) goto bad; --hlen; /* account for length byte */ } --hlen; /* account for type byte */ datalen = 0; /* Bail if "l" bytes of data are not left or were not captured */ #define LENCHECK(l) { if ((l) > hlen) goto bad; TCHECK2(*cp, l); } printf("%s", tok2str(tcp_option_values, "Unknown Option %u", opt)); switch (opt) { case TCPOPT_MAXSEG: datalen = 2; LENCHECK(datalen); (void)printf(" %u", EXTRACT_16BITS(cp)); break; case TCPOPT_WSCALE: datalen = 1; LENCHECK(datalen); (void)printf(" %u", *cp); break; case TCPOPT_SACK: datalen = len - 2; if (datalen % 8 != 0) { (void)printf("malformed sack"); } else { u_int32_t s, e; (void)printf(" %d ", datalen / 8); for (i = 0; i < datalen; i += 8) { LENCHECK(i + 4); s = EXTRACT_32BITS(cp + i); LENCHECK(i + 8); e = EXTRACT_32BITS(cp + i + 4); if (threv) { s -= thseq; e -= thseq; } else { s -= thack; e -= thack; } (void)printf("{%u:%u}", s, e); } } break; case TCPOPT_CC: case TCPOPT_CCNEW: case TCPOPT_CCECHO: case TCPOPT_ECHO: case TCPOPT_ECHOREPLY: /* * those options share their semantics. * fall through */ datalen = 4; LENCHECK(datalen); (void)printf(" %u", EXTRACT_32BITS(cp)); break; case TCPOPT_TIMESTAMP: datalen = 8; LENCHECK(datalen); (void)printf(" val %u ecr %u", EXTRACT_32BITS(cp), EXTRACT_32BITS(cp + 4)); break; case TCPOPT_SIGNATURE: datalen = TCP_SIGLEN; LENCHECK(datalen); #ifdef HAVE_LIBCRYPTO switch (tcp_verify_signature(ip, tp, bp + TH_OFF(tp) * 4, length, cp)) { case SIGNATURE_VALID: (void)printf("valid"); break; case SIGNATURE_INVALID: (void)printf("invalid"); break; case CANT_CHECK_SIGNATURE: (void)printf("can't check - "); for (i = 0; i < TCP_SIGLEN; ++i) (void)printf("%02x", cp[i]); break; } #else for (i = 0; i < TCP_SIGLEN; ++i) (void)printf("%02x", cp[i]); #endif break; case TCPOPT_AUTH: (void)printf("keyid %d", *cp++); datalen = len - 3; for (i = 0; i < datalen; ++i) { LENCHECK(i); (void)printf("%02x", cp[i]); } break; case TCPOPT_EOL: case TCPOPT_NOP: case TCPOPT_SACKOK: /* * Nothing interesting. * fall through */ break; case TCPOPT_UTO: datalen = 2; LENCHECK(datalen); utoval = EXTRACT_16BITS(cp); (void)printf("0x%x", utoval); if (utoval & 0x0001) utoval = (utoval >> 1) * 60; else utoval >>= 1; (void)printf(" %u", utoval); break; default: datalen = len - 2; for (i = 0; i < datalen; ++i) { LENCHECK(i); (void)printf("%02x", cp[i]); } break; } /* Account for data printed */ cp += datalen; hlen -= datalen; /* Check specification against observed length */ ++datalen; /* option octet */ if (!ZEROLENOPT(opt)) ++datalen; /* size octet */ if (datalen != len) (void)printf("[len %d]", len); ch = ','; if (opt == TCPOPT_EOL) break; } putchar(']'); }
/* * dissect/print packet */ void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { static int count = 1; /* packet counter */ /* declare pointers to packet headers */ const struct sniff_ethernet *ethernet; /* The ethernet header [1] */ const struct sniff_ip *ip; /* The IP header */ const struct sniff_tcp *tcp; /* The TCP header */ const char *payload; /* Packet payload */ int size_ip; int size_tcp; int size_payload; printf("\nPacket number %d:\n", count); if (count == 4) { printf("This is packet 4"); count++; /* define ethernet header */ ethernet = (struct sniff_ethernet*)(packet); /* define/compute ip header offset */ ip = (struct sniff_ip*)(packet + SIZE_ETHERNET); size_ip = IP_HL(ip)*4; if (size_ip < 20) { printf(" * Invalid IP header length: %u bytes\n", size_ip); return; } /* print source and destination IP addresses */ printf(" From: %s\n", inet_ntoa(ip->ip_src)); printf(" To: %s\n", inet_ntoa(ip->ip_dst)); /* determine protocol */ switch(ip->ip_p) { case IPPROTO_TCP: printf(" Protocol: TCP\n"); break; case IPPROTO_UDP: printf(" Protocol: UDP\n"); return; case IPPROTO_ICMP: printf(" Protocol: ICMP\n"); return; case IPPROTO_IP: printf(" Protocol: IP\n"); return; default: printf(" Protocol: unknown\n"); return; } /* * OK, this packet is TCP. */ /* define/compute tcp header offset */ tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip); size_tcp = TH_OFF(tcp)*4; if (size_tcp < 20) { printf(" * Invalid TCP header length: %u bytes\n", size_tcp); return; } printf(" Src port: %d\n", ntohs(tcp->th_sport)); printf(" Dst port: %d\n", ntohs(tcp->th_dport)); /* define/compute tcp payload (segment) offset */ payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp); /* compute tcp payload (segment) size */ size_payload = ntohs(ip->ip_len) - (size_ip + size_tcp); /* * Print payload data; it might be binary, so don't just * treat it as a string. */ if (size_payload > 0) { printf(" Payload (%d bytes):\n", size_payload); print_payload(payload, size_payload); } } else { count++; /* define ethernet header */ ethernet = (struct sniff_ethernet*)(packet); /* define/compute ip header offset */ ip = (struct sniff_ip*)(packet + SIZE_ETHERNET); size_ip = IP_HL(ip)*4; if (size_ip < 20) { printf(" * Invalid IP header length: %u bytes\n", size_ip); return; } /* print source and destination IP addresses */ printf(" From: %s\n", inet_ntoa(ip->ip_src)); printf(" To: %s\n", inet_ntoa(ip->ip_dst)); /* determine protocol */ switch(ip->ip_p) { case IPPROTO_TCP: printf(" Protocol: TCP\n"); break; case IPPROTO_UDP: printf(" Protocol: UDP\n"); return; case IPPROTO_ICMP: printf(" Protocol: ICMP\n"); return; case IPPROTO_IP: printf(" Protocol: IP\n"); return; default: printf(" Protocol: unknown\n"); return; } /* * OK, this packet is TCP. */ /* define/compute tcp header offset */ tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip); size_tcp = TH_OFF(tcp)*4; if (size_tcp < 20) { printf(" * Invalid TCP header length: %u bytes\n", size_tcp); return; } printf(" Src port: %d\n", ntohs(tcp->th_sport)); printf(" Dst port: %d\n", ntohs(tcp->th_dport)); /* define/compute tcp payload (segment) offset */ payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp); /* compute tcp payload (segment) size */ size_payload = ntohs(ip->ip_len) - (size_ip + size_tcp); /* * Print payload data; it might be binary, so don't just * treat it as a string. */ if (size_payload > 0) { printf(" Payload (%d bytes):\n", size_payload); print_payload(payload, size_payload); } } return; }
void traffic_read( struct ip *pip, /* the packet */ tcp_pair *ptp, /* info I have about this connection */ void *plast, /* past byte in the packet */ void *mod_data) /* connection info for this one */ { struct tcphdr *ptcp = (struct tcphdr *) ((char *)pip + 4*IP_HL(pip)); struct traffic_info *pti1 = FindPort(ntohs(ptcp->th_sport)); struct traffic_info *pti2 = FindPort(ntohs(ptcp->th_dport)); u_long bytes = ntohs(pip->ip_len); static timeval last_time = {0,0}; struct conn_info *pci = mod_data; int was_rexmit = 0; /* in case files aren't set up yet */ traffic_init_files(); /* if neither port is interesting, then ignore this one */ if (!pti1 && !pti2) { return; } /* OK, this connection is now active */ pci->wasactive = 1; /* check to see if it's really "open" (traffic in both directions) */ if (!pci->wasopen) { if ((ptp->a2b.packets > 0) && (ptp->b2a.packets > 0)) { /* bidirectional: OK, we'll call it open */ pci->wasopen = 1; pci->isopen = 1; ++num_opens; ++ttl_num_opens; ++open_conns; /* instantaneous opens and closes */ if (doplot_i_open) { DoplotIOpen(ntohs(ptcp->th_dport), TRUE); DoplotIOpen(ntohs(ptcp->th_sport), TRUE); DoplotIOpen(0, TRUE); } } } /* add to port-specific counters */ if (pti1) { pti1->nbytes += bytes; pti1->npackets += 1; } if (pti2) { pti2->nbytes += bytes; pti2->npackets += 1; } /* add to GLOBAL counters */ ports[0]->nbytes += bytes; ports[0]->npackets += 1; ports[0]->npureacks += 1; /* see if we're closing it */ if (RESET_SET(ptcp) || (FIN_SET(ptcp) && /* find in BOTH directions */ ((ptp->a2b.fin_count>0) && (ptp->b2a.fin_count>0)))) { if (pci->isopen) { pci->isopen = 0; ++num_closes; --open_conns; /* instantaneous opens and closes */ if (doplot_i_open) { DoplotIOpen(ntohs(ptcp->th_dport), FALSE); DoplotIOpen(ntohs(ptcp->th_sport), FALSE); DoplotIOpen(0, FALSE); } } } /* half open conns */ if (FIN_SET(ptcp)) { if ((ptp->a2b.fin_count>0) && (ptp->b2a.fin_count>0)) { if (pci->halfopen) { /* fully closed now */ --num_halfopens; pci->halfopen = 0; } } else if (!pci->halfopen) { /* half open now */ ++num_halfopens; pci->halfopen = 1; } } /* check losses */ if (pci->last_dupacks != ptp->a2b.rtt_triple_dupack+ ptp->b2a.rtt_triple_dupack) { pci->last_dupacks = ptp->a2b.rtt_triple_dupack+ ptp->b2a.rtt_triple_dupack; ++dupacks; ++ttl_dupacks; } if (pci->last_rexmits != ptp->a2b.rexmit_pkts+ptp->b2a.rexmit_pkts) { pci->last_rexmits = ptp->a2b.rexmit_pkts+ptp->b2a.rexmit_pkts; was_rexmit = 1; ++rexmits; ++ttl_rexmits; } /* add to total data counters */ data_nbytes_all += bytes; if (!was_rexmit) data_nbytes_nonrexmit += bytes; /* RTT stats */ if (ACK_SET(ptcp)) { tcb *ptcb; int rtt; /* see which of the 2 TCB's this goes with */ if (ptp->addr_pair.a_port == ntohs(ptcp->th_dport)) ptcb = &ptp->a2b; else ptcb = &ptp->b2a; /* check the rtt counter of the last sample */ rtt = ptcb->rtt_last / 1000.0; if ((pci->last_rtts != ptcb->rtt_count + ptcb->rtt_amback) && (ptcb->rtt_last != 0.0) && (rtt > rtt_minvalid) && (rtt <= rtt_maxvalid)) { /* sample is only valid when one of these counters is higher */ pci->last_rtts = ptcb->rtt_count + ptcb->rtt_amback; /* keep stats */ rtt_ttl += rtt; ttl_rtt_ttl += rtt; ++rtt_samples; ++ttl_rtt_samples; /* also, remember min and max */ if ((rtt_max == -1) || (rtt_max < rtt)) rtt_max = rtt; if ((rtt_min == -1) || (rtt_min > rtt)) rtt_min = rtt; if (ldebug > 9) printf("Rtt: %d, min:%d, max:%d\n", rtt, rtt_min, rtt_max); } } /* see if this is now "long duration" */ if (!pci->islong) { int etime_msecs = elapsed(ptp->first_time,current_time); if (etime_msecs/1000000 > longconn_duration) { pci->islong = 1; } } /* count "pure acks" (no data) */ if (ACK_SET(ptcp)) { int tcp_length, tcp_data_length; tcp_length = getpayloadlength(pip, plast); tcp_data_length = tcp_length - (4 * TH_OFF(ptcp)); if (tcp_data_length == 0) { if (pti1) { ++pti1->npureacks; } if (pti2) { ++pti2->npureacks; } } } /* determine elapsed time and age the samples */ if (elapsed(last_time,current_time)/1000000.0 > age_interval) { AgeTraffic(); last_time = current_time; } }