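/*
 * DLT_NULL handler (signature matches a pcap per-packet callback).
 *
 * user - opaque callback argument, unused here.
 * h    - pcap header; h->caplen is the number of bytes actually present at p,
 *        h->len the original frame length.
 * p    - start of the captured frame.
 *
 * Frames shorter than NULL_HDRLEN are dropped. Unless DLT_NULL_BROKEN is
 * defined, frames whose leading address-family word is neither AF_INET nor
 * AF_INET6 are dropped as well. Everything after the header is handed to
 * process_packet_info().
 */
void dl_null(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    const u_int caplen = h->caplen;
    const u_int length = h->len;

    if (length != caplen) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte null frame",
                  caplen, length);
    }

    /* Length check comes first: nothing at p may be read until we know the
     * header was captured. */
    if (caplen < NULL_HDRLEN) {
        DEBUG(6) ("warning: received incomplete null frame");
        return;
    }

    /* One of the symptoms of a broken DLT_NULL is that this value is
     * not set correctly, so we don't check for it -- instead, just
     * assume everything is IP.  --JE 20 April 1999
     */
#ifndef DLT_NULL_BROKEN
    /* make sure this is AF_INET or AF_INET6.
     * The word is read only after the caplen check above; the original read
     * it on function entry, before any bounds check.
     * It is compared as read, without a byte-order conversion.
     * NOTE(review): assumes NULL_HDRLEN >= sizeof(uint32_t) -- confirm. */
    const uint32_t family = *(const uint32_t *)p;
    if (family != AF_INET && family != AF_INET6) {
        DEBUG(6)("warning: received null frame with unknown type (type 0x%x) (AF_INET=%x; AF_INET6=%x)",
                 family,AF_INET,AF_INET6);
        return;
    }
#endif

    /* caplen >= NULL_HDRLEN here, so the unsigned subtraction cannot wrap. */
    packet_info pi(h->ts, p + NULL_HDRLEN, caplen - NULL_HDRLEN, flow::NO_VLAN);
    process_packet_info(pi);
}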
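/*
 * Ethernet handler (signature matches a pcap per-packet callback).
 *
 * user - opaque callback argument, unused here.
 * h    - pcap header; h->caplen bytes are present at p.
 * p    - start of the captured Ethernet frame.
 *
 * Skips one optional VLAN tag, then passes IPv4/IPv6 payloads to
 * process_packet_info(). ARP, loopback and reverse-ARP frames are ignored;
 * any other ether type is logged at debug level 6.
 */
void dl_ethernet(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    u_int caplen = h->caplen;
    const u_int length = h->len;

    if (length != caplen) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte ether frame",
                  caplen, length);
    }

    /* Validate the length before any header field is dereferenced. The
     * original tested caplen only after reading the ether type and after
     * subtracting the VLAN tag size, so a very short capture could be read
     * out of bounds and the unsigned caplen could wrap to a huge value. */
    if (caplen < sizeof(struct be13::ether_header)) {
        DEBUG(6) ("warning: received incomplete ethernet frame");
        return;
    }

    const struct be13::ether_header *eth_header = (const struct be13::ether_header *) p;

    /* Variables to support VLAN */
    const u_short *ether_type = &eth_header->ether_type; /* where the ether type is located */
    const u_char *ether_data = p+sizeof(struct be13::ether_header); /* where the data is located */

    /* Handle basic VLAN packets */
    if (ntohs(*ether_type) == ETHERTYPE_VLAN) {
        /* The 4-byte tag must be fully captured before stepping over it. */
        if (caplen < sizeof(struct be13::ether_header) + 4) {
            DEBUG(6) ("warning: received incomplete ethernet frame");
            return;
        }
        ether_type += 2;			/* skip past VLAN header (note it skips by 2s) */
        ether_data += 4;			/* skip past VLAN header */
        caplen     -= 4;
    }

    /* Create a packet_info structure with ip data and data length.
     * caplen >= sizeof(ether_header) is guaranteed by the checks above. */
    struct timeval tv;
    be13::packet_info pi(DLT_IEEE802,h,p,tvshift(tv,h->ts),
                         ether_data, caplen - sizeof(struct be13::ether_header));

    switch (ntohs(*ether_type)){
    case ETHERTYPE_IP:
    case ETHERTYPE_IPV6:
        process_packet_info(pi);
        break;

#ifdef ETHERTYPE_ARP
    case ETHERTYPE_ARP:
        /* What should we do for ARP? */
        break;
#endif
#ifdef ETHERTYPE_LOOPBACK
    case ETHERTYPE_LOOPBACK:
        /* What do do for loopback? */
        break;
#endif
#ifdef ETHERTYPE_REVARP
    case ETHERTYPE_REVARP:
        /* What to do for REVARP? */
        break;
#endif
    default:
        /* Unknown Ethernet Frame Type; logs the outer (pre-VLAN) type field */
        DEBUG(6) ("warning: received ethernet frame with unknown type 0x%x",
                  ntohs(eth_header->ether_type));
        break;
    }
}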
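/*
 * Ethernet handler (signature matches a pcap per-packet callback).
 *
 * user - opaque callback argument, unused here.
 * h    - pcap header; h->caplen bytes are present at p.
 * p    - start of the captured Ethernet frame.
 *
 * Skips one optional VLAN tag (recording its tag word), then passes
 * IPv4/IPv6 payloads to process_packet_info(). ARP, loopback and reverse-ARP
 * frames are silently ignored; any other ether type is logged at debug
 * level 6.
 */
void dl_ethernet(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    u_int caplen = h->caplen;
    const u_int length = h->len;

    if (length != caplen) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte ether frame",
                  caplen, length);
    }

    /* Validate the length before any header field is dereferenced. The
     * original tested caplen only after reading the ether type and the VLAN
     * word and after subtracting the tag size, so a very short capture could
     * be read out of bounds and the unsigned caplen could wrap. */
    if (caplen < sizeof(struct ether_header)) {
        DEBUG(6) ("warning: received incomplete ethernet frame");
        return;
    }

    const struct ether_header *eth_header = (const struct ether_header *) p;

    /* Variables to support VLAN */
    int32_t vlan = flow::NO_VLAN;			       /* default is no vlan */
    const u_short *ether_type = &eth_header->ether_type; /* where the ether type is located */
    const u_char *ether_data = p+sizeof(struct ether_header); /* where the data is located */

    /* Handle basic VLAN packets */
    if (ntohs(*ether_type) == ETHERTYPE_VLAN) {
        /* The 4-byte tag must be fully captured before it is read. */
        if (caplen < sizeof(struct ether_header) + 4) {
            DEBUG(6) ("warning: received incomplete ethernet frame");
            return;
        }
        /* Stores the whole 16-bit word that follows the ether header,
         * unmasked. NOTE(review): confirm consumers expect the full tag word
         * rather than only the VLAN id bits. */
        vlan = ntohs(*(const u_short *)(p+sizeof(struct ether_header)));
        ether_type += 2;			/* skip past VLAN header (note it skips by 2s) */
        ether_data += 4;			/* skip past VLAN header */
        caplen     -= 4;
    }

    /* switch on ether type */
    switch (ntohs(*ether_type)){
    case ETHERTYPE_IP:
    case ETHERTYPE_IPV6:
        {
            /* caplen >= sizeof(ether_header) is guaranteed by the checks above */
            packet_info pi(h->ts,ether_data, caplen - sizeof(struct ether_header),vlan);
            process_packet_info(pi);
            return;
        }

#ifdef ETHERTYPE_ARP
    case ETHERTYPE_ARP:
#endif
#ifdef ETHERTYPE_LOOPBACK
    case ETHERTYPE_LOOPBACK:
#endif
#ifdef ETHERTYPE_REVARP
    case ETHERTYPE_REVARP:
#endif
        return;
    default:
        break;
    }

    /* Unknown Ethernet Frame Type; logs the outer (pre-VLAN) type field */
    DEBUG(6) ("warning: received ethernet frame with unknown type 0x%x",
              ntohs(eth_header->ether_type));
}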
/* DLT_RAW: just a raw IP packet, no encapsulation or link-layer
 * headers.  Used for PPP connections under some OSs including Linux
 * and IRIX.
 *
 * user - opaque callback argument, unused here.
 * h    - pcap header; h->caplen bytes are present at p.
 * p    - start of the captured packet, passed on unchanged as the payload.
 *
 * No header is stripped, so there is no minimum-length check here; the
 * payload length handed on is exactly h->caplen.
 */
void dl_raw(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    const bool truncated = (h->caplen != h->len);
    if (truncated) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte raw frame",
                  h->caplen, h->len);
    }

    /* Scratch timeval that tvshift() is given alongside the capture time. */
    struct timeval shifted;
    be13::packet_info pi(DLT_RAW, h, p, tvshift(shifted, h->ts), p, h->caplen);
    process_packet_info(pi);
}
/*
 * 802.11 data frame travelling towards the access point.
 *
 * t    - capture timestamp.
 * hdr  - parsed 802.11 data header (only used for debug output here).
 * rest - bytes following the 802.11 header.
 * len  - number of bytes at rest; signed, and not validated in this function.
 *
 * The frame is dropped when checksum enforcement is enabled and fcs_ok is
 * false. Otherwise the payload is wrapped in a packet_info with a null pcap
 * header and a null frame pointer and handed to process_packet_info().
 * NOTE(review): anything downstream that dereferences those two pointers must
 * cope with null -- not visible from here.
 */
void Handle80211DataToAP(const struct timeval& t, const data_hdr_t *hdr, const u_char *rest, int len)
{
    const bool drop_bad_fcs = opt_enforce_80211_frame_checksum && !fcs_ok;
    if (drop_bad_fcs) {
        return;
    }

#ifdef DEBUG_WIFI
    cout << " " << "802.11 data to AP:\t"
         << hdr->sa
         << " -> "
         << hdr->da
         << "\t" << len << endl;
#endif

    /* TK1: Does the pcap header make sense? */
    /* TK2: How do we get and preserve the the three MAC addresses? */
    const pcap_pkthdr *no_pcap_hdr = (const pcap_pkthdr *)0;
    const u_char *no_frame = (const u_char *)0;

    struct timeval shifted;
    be13::packet_info pi(DLT_IEEE802_11, no_pcap_hdr, no_frame, tvshift(shifted, t), rest, len);
    process_packet_info(pi);
}
/* DLT_RAW: just a raw IP packet, no encapsulation or link-layer
 * headers.  Used for PPP connections under some OSs including Linux
 * and IRIX.
 *
 * user - opaque callback argument, unused here.
 * h    - pcap header; h->caplen bytes are present at p.
 * p    - start of the captured packet, passed on unchanged as the payload.
 *
 * No header is stripped, so no minimum-length check is made; the payload
 * length handed on is exactly h->caplen, tagged with flow::NO_VLAN.
 */
void dl_raw(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    const u_int captured = h->caplen;
    const u_int on_wire  = h->len;

    if (captured != on_wire) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte raw frame",
                  captured, on_wire);
    }

    packet_info pi(h->ts, p, captured, flow::NO_VLAN);
    process_packet_info(pi);
}
/*
 * Linux cooked-capture handler (signature matches a pcap per-packet callback).
 *
 * user - opaque callback argument, unused here.
 * h    - pcap header; h->caplen bytes are present at p.
 * p    - start of the captured frame.
 *
 * Frames shorter than SLL_HDR_LEN are dropped; otherwise the bytes after the
 * cooked header are handed to process_packet_info() with flow::NO_VLAN.
 */
void dl_linux_sll(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    const u_int captured = h->caplen;
    const u_int on_wire  = h->len;

    if (captured != on_wire) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte Linux cooked frame",
                  captured, on_wire);
    }

    if (captured < SLL_HDR_LEN) {
        DEBUG(6) ("warning: received incomplete Linux cooked frame");
        return;
    }

    /* The bound was checked just above, so the unsigned subtraction below
     * cannot wrap. */
    const u_char *payload = p + SLL_HDR_LEN;
    packet_info pi(h->ts, payload, captured - SLL_HDR_LEN, flow::NO_VLAN);
    process_packet_info(pi);
}
/*
 * Linux cooked-capture handler (signature matches a pcap per-packet callback).
 *
 * user - opaque callback argument, unused here.
 * h    - pcap header; h->caplen bytes are present at p.
 * p    - start of the captured frame.
 *
 * Frames shorter than SLL_HDR_LEN are dropped; otherwise the bytes after the
 * cooked header are wrapped in a be13::packet_info and handed to
 * process_packet_info().
 */
void dl_linux_sll(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    const u_int captured = h->caplen;
    const u_int on_wire  = h->len;

    if (captured != on_wire) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte Linux cooked frame",
                  captured, on_wire);
    }

    if (captured < SLL_HDR_LEN) {
        DEBUG(6) ("warning: received incomplete Linux cooked frame");
        return;
    }

    /* The bound was checked just above, so the unsigned subtraction below
     * cannot wrap. */
    const u_char *payload = p + SLL_HDR_LEN;
    struct timeval shifted;
    be13::packet_info pi(DLT_LINUX_SLL, h, p, tvshift(shifted, h->ts),
                         payload, captured - SLL_HDR_LEN);
    process_packet_info(pi);
}
/*
 * PPP handler (signature matches a pcap per-packet callback).
 *
 * user - opaque callback argument, unused here.
 * h    - pcap header; h->caplen bytes are present at p.
 * p    - start of the captured frame.
 *
 * Frames shorter than PPP_HDRLEN are dropped; otherwise the bytes after the
 * PPP header are wrapped in a be13::packet_info and handed to
 * process_packet_info().
 */
void dl_ppp(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    const u_int captured = h->caplen;
    const u_int on_wire  = h->len;

    if (captured != on_wire) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte PPP frame",
                  captured, on_wire);
    }

    if (captured < PPP_HDRLEN) {
        DEBUG(6) ("warning: received incomplete PPP frame");
        return;
    }

    /* The bound was checked just above, so the unsigned subtraction below
     * cannot wrap. */
    const u_char *payload = p + PPP_HDRLEN;
    struct timeval shifted;
    be13::packet_info pi(DLT_PPP, h, p, tvshift(shifted, h->ts),
                         payload, captured - PPP_HDRLEN);
    process_packet_info(pi);
}
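/*
 * Linux cooked-capture handler with MPLS unwinding (signature matches a pcap
 * per-packet callback).
 *
 * user - opaque callback argument, unused here.
 * h    - pcap header; h->caplen bytes are present at p.
 * p    - start of the captured frame.
 *
 * Frames shorter than SLL_HDR_LEN are dropped. When the cooked header's
 * protocol field is ETHERTYPE_MPLS, 4-byte label entries are skipped until
 * one has the low bit of its third byte set; a stack that runs past the
 * captured bytes drops the frame. What follows is handed to
 * process_packet_info().
 */
void dl_linux_sll(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    const u_int caplen = h->caplen;
    const u_int length = h->len;

    if (length != caplen) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte Linux cooked frame",
                  caplen, length);
    }

    if (caplen < SLL_HDR_LEN) {
        DEBUG(6) ("warning: received incomplete Linux cooked frame");
        return;
    }

    /* Local view of the cooked header, used only to reach sll_protocol. */
    struct _sll_header {
        u_int16_t	sll_pkttype;	/* packet type */
        u_int16_t	sll_hatype;	/* link-layer address type */
        u_int16_t	sll_halen;	/* link-layer address length */
        u_int8_t	sll_addr[SLL_ADDRLEN];	/* link-layer address */
        u_int16_t	sll_protocol;	/* protocol */
    };

    const _sll_header *sllp = (const _sll_header *)p;
    u_int mpls_sz = 0;
    if (ntohs(sllp->sll_protocol) == ETHERTYPE_MPLS) {
        /* unwind MPLS stack.
         * Invariant: caplen >= SLL_HDR_LEN + mpls_sz, so the subtraction in
         * the test cannot wrap. The original both grew mpls_sz and shrank
         * caplen on every pass and compared the two, counting each label
         * twice; that never read out of bounds but rejected valid frames
         * whose payload after a multi-label stack was short. */
        do {
            if (caplen - SLL_HDR_LEN - mpls_sz < 4) {
                DEBUG(6) ("warning: MPLS stack overrun");
                return;
            }
            mpls_sz += 4;
            /* third byte of the entry just skipped; low bit ends the stack */
        } while ((p[SLL_HDR_LEN + mpls_sz - 2] & 1) == 0);
    }

    /* Payload length is what remains after the cooked header and the labels;
     * same value the original computed for frames it accepted. */
    struct timeval tv;
    be13::packet_info pi(DLT_LINUX_SLL,h,p,tvshift(tv,h->ts),
                         p + SLL_HDR_LEN + mpls_sz, caplen - SLL_HDR_LEN - mpls_sz);
    process_packet_info(pi);
}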
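/*
 * 802.11 data frame travelling away from the access point.
 *
 * t    - capture timestamp.
 * hdr  - parsed 802.11 data header (only used for debug output here).
 * rest - bytes following the 802.11 header.
 * len  - number of bytes at rest (signed).
 *
 * The frame is dropped when checksum enforcement is enabled and fcs_ok is
 * false, or when fewer than 10 bytes remain. Otherwise 10 bytes are skipped
 * and the remainder is wrapped in a packet_info with a null pcap header and
 * a null frame pointer and handed to process_packet_info().
 */
void Handle80211DataFromAP(const struct timeval& t, const data_hdr_t *hdr, const u_char *rest, int len)
{
    if (opt_enforce_80211_frame_checksum && !fcs_ok) return;

#ifdef DEBUG_WIFI
    cout << hdr->sa;
    cout << " " << "802.11 data from AP:\t"
         << hdr->sa
         << " -> "
         << hdr->da
         << "\t" << len << endl;
#endif

    /* Number of bytes stepped over before the payload.
     * NOTE(review): the original author's question stands -- where does 10
     * come from? */
    const int skip = 10;

    /* Without this guard a short (or negative) len made `len -= 10` negative
     * and moved rest past the end of the buffer; the negative length was then
     * handed to sbuf_t and packet_info. */
    if (len < skip) return;

    struct timeval tv;
    /* TK1: Does the pcap header make sense? */
    /* TK2: How do we get and preserve the the three MAC addresses? */

    /* NOTE(review): the printf/hex_dump calls below run for every accepted
     * frame and look like leftover debugging output -- consider gating them
     * behind DEBUG_WIFI. */
    printf("DATA_HDRLEN=%d DATA_WDS_HDRLEN=%d\n",DATA_HDRLEN,DATA_WDS_HDRLEN);

    sbuf_t sb(pos0_t(),rest,len,len,0);
    sb.hex_dump(std::cout);

    rest += skip;
    len  -= skip;

    be13::packet_info pi(DLT_IEEE802_11,(const pcap_pkthdr *)0,(const u_char *)0,tvshift(tv,t),rest,len);
    printf("pi.ip_version=%d\n",pi.ip_version());
    process_packet_info(pi);
}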