CaptureReader::CaptureReader(const Params& params) : BaseReader{params.interface}
{
char errbuf[PCAP_ERRBUF_SIZE]; // storage of error description
const char* device {source.c_str()};
handle = pcap_create(device, errbuf);
if(!handle)
{
throw PcapError("pcap_create", errbuf);
}
if(int status {pcap_set_snaplen(handle, params.snaplen)})
{
throw PcapError("pcap_set_snaplen", pcap_statustostr(status));
}
if(int status {pcap_set_promisc(handle, params.promisc ? 1 : 0)})
{
throw PcapError("pcap_set_promisc", pcap_statustostr(status));
}
if(int status {pcap_set_timeout(handle, params.timeout_ms)})
{
throw PcapError("pcap_set_timeout", pcap_statustostr(status));
}
if(int status {pcap_set_buffer_size(handle, params.buffer_size)})
{
throw PcapError("pcap_set_buffer_size", pcap_statustostr(status));
}
if(int status {pcap_activate(handle)})
{
throw PcapError("pcap_activate", pcap_statustostr(status));
}
pcap_direction_t direction {PCAP_D_INOUT};
switch(params.direction)
{
using Direction = CaptureReader::Direction;
case Direction::IN : direction = PCAP_D_IN; break;
case Direction::OUT : direction = PCAP_D_OUT; break;
case Direction::INOUT: direction = PCAP_D_INOUT; break;
}
if(int status {pcap_setdirection(handle, direction)})
{
throw PcapError("pcap_setdirection", pcap_statustostr(status));
}
bpf_u_int32 localnet, netmask;
if(pcap_lookupnet(device, &localnet, &netmask, errbuf) < 0)
{
throw PcapError("pcap_lookupnet", errbuf);
}
BPF bpf(handle, params.filter.c_str(), netmask);
if(pcap_setfilter(handle, bpf) < 0)
{
throw PcapError("pcap_setfiltration", pcap_geterr(handle));
}
}
static void
tcpeek_init_pcap(void) {
char *ifname, errmsg[PCAP_ERRBUF_SIZE], expression[] = "tcp or icmp";
struct bpf_program bpf;
if(strisempty(g.option.ifname)) {
ifname = pcap_lookupdev(errmsg);
if(!ifname) {
error_abort("%s", errmsg);
}
strncpy(g.option.ifname, ifname, sizeof(g.option.ifname) - 1);
}
g.pcap.pcap = pcap_create(g.option.ifname, errmsg);
if(!g.pcap.pcap) {
error_abort("%s", errmsg);
}
if(pcap_set_buffer_size(g.pcap.pcap, g.option.buffer * 1024 * 1024) != 0) {
error_abort("%s", "can not set buffer size");
}
if(pcap_set_snaplen(g.pcap.pcap, DEFAULT_PCAP_SNAPLEN) != 0) {
error_abort("%s", "can not set snaplen");
}
if(pcap_set_promisc(g.pcap.pcap, g.option.promisc) != 0) {
error_abort("%s", "can not set promiscuous mode");
}
if(pcap_set_timeout(g.pcap.pcap, 1) != 0) {
error_abort("%s", "can not set timeout");
}
if(pcap_activate(g.pcap.pcap) != 0) {
error_abort("%s", pcap_geterr(g.pcap.pcap));
}
if(pcap_compile(g.pcap.pcap, &bpf, expression, 0, 0) == -1) {
error_abort("%s '%s'", pcap_geterr(g.pcap.pcap), expression);
}
if(pcap_setfilter(g.pcap.pcap, &bpf) == -1){
error_abort("%s", pcap_geterr(g.pcap.pcap));
}
pcap_freecode(&bpf);
g.pcap.snapshot = pcap_snapshot(g.pcap.pcap);
g.pcap.datalink = pcap_datalink(g.pcap.pcap);
if(g.pcap.datalink != DLT_EN10MB && g.pcap.datalink != DLT_LINUX_SLL) {
error_abort("not support datalink %s (%s)",
pcap_datalink_val_to_name(g.pcap.datalink),
pcap_datalink_val_to_description(g.pcap.datalink)
);
}
}
static pcap_t *open_pcap(const char *iface, bpf_u_int32 *net, bpf_u_int32 *mask)
{
pcap_t *pcap = NULL;
char errbuf[PCAP_ERRBUF_SIZE];
char ipv4str[16], filter[128];
struct bpf_program bpf;
if (pcap_lookupnet(iface, net, mask, errbuf) != 0) {
fprintf(stderr, "pcap_lookupnet(): %s\n", errbuf);
goto fail;
}
if (inet_ntop(AF_INET, (const void *)net, ipv4str, sizeof ipv4str) == NULL) {
perror("inet_ntop()");
goto fail;
}
// snprintf(filter, sizeof filter, "ip dst %s and (tcp[tcpflags] & (tcp-syn | tcp-ack)) = (tcp-syn | tcp-ack)", ipv4str);
snprintf(filter, sizeof filter, "(tcp[tcpflags] & (tcp-syn | tcp-ack)) = (tcp-syn | tcp-ack)");
pcap = pcap_create(iface, errbuf);
if (pcap == NULL) {
fprintf(stderr, "pcap_create(): %s\n", errbuf);
goto fail;
}
(void)pcap_setdirection(pcap, PCAP_D_IN);
if (pcap_set_buffer_size(pcap, 131072) != 0) {
pcap_perror(pcap, "pcap_set_buffer_size()");
goto fail;
}
if (pcap_activate(pcap) != 0) {
pcap_perror(pcap, "pcap_activate()");
goto fail;
}
if (pcap_compile(pcap, &bpf, filter, 1, PCAP_NETMASK_UNKNOWN) != 0) {
pcap_perror(pcap, "pcap_compile()");
goto fail;
}
if (pcap_setfilter(pcap, &bpf) != 0) {
pcap_perror(pcap, "pcap_setfilter()");
goto fail;
}
pcap_freecode(&bpf);
return pcap;
fail:
if (pcap != NULL)
pcap_close(pcap);
return NULL;
}
pcap_t *
reader_libpcap_open_live(const char *source, int snaplen, int promisc, int to_ms, char *errbuf)
{
pcap_t *p;
int status;
p = pcap_create(source, errbuf);
if (p == NULL)
return (NULL);
status = pcap_set_snaplen(p, snaplen);
if (status < 0)
goto fail;
status = pcap_set_promisc(p, promisc);
if (status < 0)
goto fail;
status = pcap_set_timeout(p, to_ms);
if (status < 0)
goto fail;
status = pcap_set_buffer_size(p, config.pcapBufferSize);
if (status < 0)
goto fail;
status = pcap_activate(p);
if (status < 0)
goto fail;
status = pcap_setnonblock(p, TRUE, errbuf);
if (status < 0) {
pcap_close(p);
return (NULL);
}
return (p);
fail:
if (status == PCAP_ERROR)
snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", source,
pcap_geterr(p));
else if (status == PCAP_ERROR_NO_SUCH_DEVICE ||
status == PCAP_ERROR_PERM_DENIED)
snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s (%s)", source,
pcap_statustostr(status), pcap_geterr(p));
else
snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", source,
pcap_statustostr(status));
pcap_close(p);
return (NULL);
}
bool PcapActivity::openLive()
{
Poco::Buffer<char> errBuff(PCAP_ERRBUF_SIZE);
_pcap = pcap_create(_device.c_str(), errBuff.begin());
if (_pcap == nullptr) {
_logger.warning("Couldn't open device %s: %s", _device, std::string(errBuff.begin()));
return false;
}
int status = pcap_set_snaplen(_pcap, 1500);
if (status < 0) {
_logger.warning("Can't set pcap snaplen: %s", std::string(pcap_strerror(status)));
}
status = pcap_set_promisc(_pcap, 1);
if (status < 0) {
_logger.warning("Can't set pcap promiscuous mode: %s", std::string(pcap_strerror(status)));
}
status = pcap_set_timeout(_pcap, 2500);
if (status < 0) {
_logger.warning("Can't set pcap timeout: %s", std::string(pcap_strerror(status)));
}
#ifdef POCO_OS_FAMILY_UNIX
status = pcap_set_buffer_size(_pcap, 2097152); //2MB
#else
status = pcap_setbuff(_pcap, 2097152); //2MB
#endif
if (status < 0) {
_logger.warning("Can't set pcap buffer size: %s", std::string(pcap_strerror(status)));
}
status = pcap_activate(_pcap);
if (status < 0) {
_logger.warning("Couldn't activate device %s: %s", _device, std::string(pcap_strerror(status)));
return false;
}
return true;
}
static int input_pcap_interface_open(struct input *i) {
struct input_pcap_priv *p = i->priv;
char errbuf[PCAP_ERRBUF_SIZE + 1] = { 0 };
char *interface = PTYPE_STRING_GETVAL(p->tpriv.iface.p_interface);
p->p = pcap_create(interface, errbuf);
if (!p->p) {
pomlog(POMLOG_ERR "Error opening interface %s : %s", interface, errbuf);
return POM_ERR;
}
char *promisc = PTYPE_BOOL_GETVAL(p->tpriv.iface.p_promisc);
int err = pcap_set_promisc(p->p, *promisc);
if (err)
pomlog(POMLOG_WARN "Error while setting promisc mode : %s", pcap_statustostr(err));
uint32_t buff_size = *PTYPE_UINT32_GETVAL(p->tpriv.iface.p_buff_size);
err = pcap_set_buffer_size(p->p, buff_size);
if (err)
pomlog(POMLOG_WARN "Error while setting the pcap buffer size : %s", pcap_statustostr(err));
err = pcap_activate(p->p);
if (err < 0) {
pomlog(POMLOG_ERR "Error while activating pcap : %s", pcap_statustostr(err));
return POM_ERR;
} else if (err > 0) {
pomlog(POMLOG_WARN "Warning while activating pcap : %s", pcap_statustostr(err));
}
return input_pcap_common_open(i);
}
int
main(int argc, char **argv)
{
register int op;
register char *cp, *device;
int dorfmon, dopromisc, snaplen, useactivate, bufsize;
char ebuf[PCAP_ERRBUF_SIZE];
pcap_t *pd;
int status = 0;
device = NULL;
dorfmon = 0;
dopromisc = 0;
snaplen = MAXIMUM_SNAPLEN;
bufsize = 0;
useactivate = 0;
if ((cp = strrchr(argv[0], '/')) != NULL)
program_name = cp + 1;
else
program_name = argv[0];
opterr = 0;
while ((op = getopt(argc, argv, "i:Ips:aB:")) != -1) {
switch (op) {
case 'i':
device = optarg;
break;
case 'I':
dorfmon = 1;
useactivate = 1; /* required for rfmon */
break;
case 'p':
dopromisc = 1;
break;
case 's': {
char *end;
snaplen = strtol(optarg, &end, 0);
if (optarg == end || *end != '\0'
|| snaplen < 0 || snaplen > MAXIMUM_SNAPLEN)
error("invalid snaplen %s", optarg);
else if (snaplen == 0)
snaplen = MAXIMUM_SNAPLEN;
break;
}
case 'B':
bufsize = atoi(optarg)*1024;
if (bufsize <= 0)
error("invalid packet buffer size %s", optarg);
useactivate = 1; /* required for bufsize */
break;
case 'a':
useactivate = 1;
break;
default:
usage();
/* NOTREACHED */
}
}
if (useactivate) {
pd = pcap_create(device, ebuf);
if (pd == NULL)
error("%s", ebuf);
status = pcap_set_snaplen(pd, snaplen);
if (status != 0)
error("%s: pcap_set_snaplen failed: %s",
device, pcap_statustostr(status));
if (dopromisc) {
status = pcap_set_promisc(pd, 1);
if (status != 0)
error("%s: pcap_set_promisc failed: %s",
device, pcap_statustostr(status));
}
if (dorfmon) {
status = pcap_set_rfmon(pd, 1);
if (status != 0)
error("%s: pcap_set_rfmon failed: %s",
device, pcap_statustostr(status));
}
status = pcap_set_timeout(pd, 1000);
if (status != 0)
error("%s: pcap_set_timeout failed: %s",
device, pcap_statustostr(status));
if (bufsize != 0) {
status = pcap_set_buffer_size(pd, bufsize);
if (status != 0)
error("%s: pcap_set_buffer_size failed: %s",
device, pcap_statustostr(status));
}
status = pcap_activate(pd);
if (status < 0) {
/*
* pcap_activate() failed.
*/
error("%s: %s\n(%s)", device,
pcap_statustostr(status), pcap_geterr(pd));
} else if (status > 0) {
/*
* pcap_activate() succeeded, but it's warning us
* of a problem it had.
*/
warning("%s: %s\n(%s)", device,
pcap_statustostr(status), pcap_geterr(pd));
}
} else {
*ebuf = '\0';
pd = pcap_open_live(device, 65535, 0, 1000, ebuf);
if (pd == NULL)
error("%s", ebuf);
else if (*ebuf)
warning("%s", ebuf);
}
pcap_close(pd);
exit(status < 0 ? 1 : 0);
}
int main(int argc, char** argv)
{
int ret = 0;
int hadBadPacket = 0;
int inum;
int port;
int saveFile = 0;
int i = 0;
int frame = ETHER_IF_FRAME_LEN;
char err[PCAP_ERRBUF_SIZE];
char filter[32];
const char *server = NULL;
struct bpf_program fp;
pcap_if_t *d;
pcap_addr_t *a;
signal(SIGINT, sig_handler);
#ifndef _WIN32
ssl_InitSniffer(); /* dll load on Windows */
#endif
ssl_Trace("./tracefile.txt", err);
if (argc == 1) {
/* normal case, user chooses device and port */
if (pcap_findalldevs(&alldevs, err) == -1)
err_sys("Error in pcap_findalldevs");
for (d = alldevs; d; d=d->next) {
printf("%d. %s", ++i, d->name);
if (d->description)
printf(" (%s)\n", d->description);
else
printf(" (No description available)\n");
}
if (i == 0)
err_sys("No interfaces found! Make sure pcap or WinPcap is"
" installed correctly and you have sufficient permissions");
printf("Enter the interface number (1-%d): ", i);
ret = scanf("%d", &inum);
if (ret != 1)
printf("scanf port failed\n");
if (inum < 1 || inum > i)
err_sys("Interface number out of range");
/* Jump to the selected adapter */
for (d = alldevs, i = 0; i < inum - 1; d = d->next, i++);
pcap = pcap_create(d->name, err);
if (pcap == NULL) printf("pcap_create failed %s\n", err);
/* get an IPv4 address */
for (a = d->addresses; a; a = a->next) {
switch(a->addr->sa_family)
{
case AF_INET:
server =
iptos(((struct sockaddr_in *)a->addr)->sin_addr.s_addr);
printf("server = %s\n", server);
break;
default:
break;
}
}
if (server == NULL)
err_sys("Unable to get device IPv4 address");
ret = pcap_set_snaplen(pcap, 65536);
if (ret != 0) printf("pcap_set_snaplen failed %s\n", pcap_geterr(pcap));
ret = pcap_set_timeout(pcap, 1000);
if (ret != 0) printf("pcap_set_timeout failed %s\n", pcap_geterr(pcap));
ret = pcap_set_buffer_size(pcap, 1000000);
if (ret != 0)
printf("pcap_set_buffer_size failed %s\n", pcap_geterr(pcap));
ret = pcap_set_promisc(pcap, 1);
if (ret != 0) printf("pcap_set_promisc failed %s\n", pcap_geterr(pcap));
ret = pcap_activate(pcap);
if (ret != 0) printf("pcap_activate failed %s\n", pcap_geterr(pcap));
printf("Enter the port to scan: ");
ret = scanf("%d", &port);
if (ret != 1)
printf("scanf port failed\n");
SNPRINTF(filter, sizeof(filter), "tcp and port %d", port);
ret = pcap_compile(pcap, &fp, filter, 0, 0);
if (ret != 0) printf("pcap_compile failed %s\n", pcap_geterr(pcap));
ret = pcap_setfilter(pcap, &fp);
if (ret != 0) printf("pcap_setfilter failed %s\n", pcap_geterr(pcap));
ret = ssl_SetPrivateKey(server, port, "../../certs/server-key.pem",
FILETYPE_PEM, NULL, err);
if (ret != 0) {
printf("Please run directly from sslSniffer/sslSnifferTest dir\n");
}
#ifdef HAVE_SNI
{
char altName[128];
printf("Enter alternate SNI: ");
ret = scanf("%s", altName);
if (strnlen(altName, 128) > 0) {
ret = ssl_SetNamedPrivateKey(altName,
server, port, "../../certs/server-key.pem",
FILETYPE_PEM, NULL, err);
if (ret != 0) {
printf("Please run directly from "
"sslSniffer/sslSnifferTest dir\n");
}
}
}
#endif
}
else if (argc >= 3) {
saveFile = 1;
pcap = pcap_open_offline(argv[1], err);
if (pcap == NULL) {
printf("pcap_open_offline failed %s\n", err);
ret = -1;
}
else {
const char* passwd = NULL;
/* defaults for server and port */
port = 443;
server = "127.0.0.1";
if (argc >= 4)
server = argv[3];
if (argc >= 5)
port = atoi(argv[4]);
if (argc >= 6)
passwd = argv[5];
ret = ssl_SetPrivateKey(server, port, argv[2],
FILETYPE_PEM, passwd, err);
}
}
else {
/* usage error */
printf( "usage: ./snifftest or ./snifftest dump pemKey"
" [server] [port] [password]\n");
exit(EXIT_FAILURE);
}
if (ret != 0)
err_sys(err);
if (pcap_datalink(pcap) == DLT_NULL)
frame = NULL_IF_FRAME_LEN;
while (1) {
static int packetNumber = 0;
struct pcap_pkthdr header;
const unsigned char* packet = pcap_next(pcap, &header);
packetNumber++;
if (packet) {
byte data[65535+16384]; /* may have a partial 16k record cached */
if (header.caplen > 40) { /* min ip(20) + min tcp(20) */
packet += frame;
header.caplen -= frame;
}
else
continue;
ret = ssl_DecodePacket(packet, header.caplen, data, err);
if (ret < 0) {
printf("ssl_Decode ret = %d, %s\n", ret, err);
hadBadPacket = 1;
}
if (ret > 0) {
data[ret] = 0;
printf("SSL App Data(%d:%d):%s\n", packetNumber, ret, data);
}
}
else if (saveFile)
break; /* we're done reading file */
}
FreeAll();
return hadBadPacket ? EXIT_FAILURE : EXIT_SUCCESS;
}
static ERL_NIF_TERM
nif_pcap_open_live(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[])
{
ErlNifBinary device = {0};
int snaplen = 0;
int promisc = 0;
int to_ms = 0;
int buffer_size = 0;
int rfmon = 0;
char errbuf[PCAP_ERRBUF_SIZE] = {0};
EWPCAP_STATE *ep = NULL;
ERL_NIF_TERM res = {0};
ERL_NIF_TERM ref = {0};
if (!enif_inspect_iolist_as_binary(env, argv[0], &device))
return enif_make_badarg(env);
if (!enif_get_int(env, argv[1], &snaplen))
return enif_make_badarg(env);
if (!enif_get_int(env, argv[2], &promisc))
return enif_make_badarg(env);
if (!enif_get_int(env, argv[3], &to_ms))
return enif_make_badarg(env);
if (!enif_get_int(env, argv[4], &buffer_size))
return enif_make_badarg(env);
if (!enif_get_int(env, argv[5], &rfmon))
return enif_make_badarg(env);
/* NULL terminate the device name */
if (device.size > 0) {
if (!enif_realloc_binary(&device, device.size+1))
return enif_make_tuple2(env, atom_error, atom_enomem);
device.data[device.size-1] = '\0';
}
ep = enif_alloc_resource(EWPCAP_RESOURCE, sizeof(EWPCAP_STATE));
if (ep == NULL)
return enif_make_tuple2(env, atom_error, atom_enomem);
/* "any" is a Linux only virtual dev */
ep->p = pcap_create((device.size == 0 ? "any" : (char *)device.data),
errbuf);
if (ep->p == NULL)
return enif_make_tuple2(env,
atom_error,
enif_make_string(env, errbuf, ERL_NIF_LATIN1));
/* Set the snaplen */
(void)pcap_set_snaplen(ep->p, snaplen);
/* Set promiscuous mode */
(void)pcap_set_promisc(ep->p, promisc);
/* Set timeout */
(void)pcap_set_timeout(ep->p, to_ms);
/* Set buffer size */
if (buffer_size > 0)
(void)pcap_set_buffer_size(ep->p, buffer_size);
/* Set monitor mode */
if (pcap_can_set_rfmon(ep->p) == 1)
(void)pcap_set_rfmon(ep->p, rfmon);
/* Return failure on error and warnings */
if (pcap_activate(ep->p) != 0) {
pcap_close(ep->p);
return enif_make_tuple2(env,
atom_error,
enif_make_string(env, pcap_geterr(ep->p), ERL_NIF_LATIN1));
}
ep->datalink = pcap_datalink(ep->p);
(void)enif_self(env, &ep->pid);
ep->term_env = enif_alloc_env();
if (ep->term_env == NULL) {
pcap_close(ep->p);
return enif_make_tuple2(env, atom_error, atom_enomem);
}
ep->ref = enif_make_ref(ep->term_env);
ref = enif_make_copy(env, ep->ref);
res = enif_make_resource(env, ep);
enif_release_resource(ep);
return enif_make_tuple2(env,
atom_ok,
enif_make_tuple3(env,
atom_ewpcap_resource,
ref,
res));
}
/** Open a PCAP handle abstraction
*
* This opens interfaces for capture or injection, or files/streams for reading/writing.
* @param pcap created with fr_pcap_init.
* @return 0 on success, -1 on error.
*/
int fr_pcap_open(fr_pcap_t *pcap)
{
switch (pcap->type) {
case PCAP_INTERFACE_OUT:
case PCAP_INTERFACE_IN:
{
#if defined(HAVE_PCAP_CREATE) && defined(HAVE_PCAP_ACTIVATE)
pcap->handle = pcap_create(pcap->name, pcap->errbuf);
if (!pcap->handle) {
fr_strerror_printf("%s", pcap->errbuf);
return -1;
}
if (pcap_set_snaplen(pcap->handle, SNAPLEN) != 0) {
create_error:
fr_strerror_printf("%s", pcap_geterr(pcap->handle));
pcap_close(pcap->handle);
pcap->handle = NULL;
return -1;
}
if (pcap_set_timeout(pcap->handle, PCAP_NONBLOCK_TIMEOUT) != 0) {
goto create_error;
}
if (pcap_set_promisc(pcap->handle, pcap->promiscuous) != 0) {
goto create_error;
}
if (pcap_set_buffer_size(pcap->handle, SNAPLEN *
(pcap->buffer_pkts ? pcap->buffer_pkts : PCAP_BUFFER_DEFAULT)) != 0) {
goto create_error;
}
if (pcap_activate(pcap->handle) != 0) {
goto create_error;
}
#else
/*
* Alternative functions for libpcap < 1.0
*/
pcap->handle = pcap_open_live(pcap->name, SNAPLEN, pcap->promiscuous, PCAP_NONBLOCK_TIMEOUT,
pcap->errbuf);
if (!pcap->handle) {
fr_strerror_printf("%s", pcap->errbuf);
return -1;
}
#endif
/*
* Despite accepting an errbuff, pcap_setnonblock doesn't seem to write
* error message there in newer versions.
*/
if (pcap_setnonblock(pcap->handle, true, pcap->errbuf) != 0) {
fr_strerror_printf("%s", *pcap->errbuf != '\0' ?
pcap->errbuf : pcap_geterr(pcap->handle));
pcap_close(pcap->handle);
pcap->handle = NULL;
return -1;
}
pcap->fd = pcap_get_selectable_fd(pcap->handle);
pcap->link_layer = pcap_datalink(pcap->handle);
#ifndef __linux__
{
int value = 1;
if (ioctl(pcap->fd, BIOCIMMEDIATE, &value) < 0) {
fr_strerror_printf("Failed setting BIOCIMMEDIATE: %s", fr_syserror(errno));
}
}
#endif
}
break;
case PCAP_FILE_IN:
pcap->handle = pcap_open_offline(pcap->name, pcap->errbuf);
if (!pcap->handle) {
fr_strerror_printf("%s", pcap->errbuf);
return -1;
}
pcap->fd = pcap_get_selectable_fd(pcap->handle);
pcap->link_layer = pcap_datalink(pcap->handle);
break;
case PCAP_FILE_OUT:
if (pcap->link_layer < 0) {
pcap->link_layer = DLT_EN10MB;
}
pcap->handle = pcap_open_dead(pcap->link_layer, SNAPLEN);
if (!pcap->handle) {
fr_strerror_printf("Unknown error occurred opening dead PCAP handle");
return -1;
}
pcap->dumper = pcap_dump_open(pcap->handle, pcap->name);
if (!pcap->dumper) {
fr_strerror_printf("%s", pcap_geterr(pcap->handle));
return -1;
}
break;
#ifdef HAVE_PCAP_FOPEN_OFFLINE
case PCAP_STDIO_IN:
pcap->handle = pcap_fopen_offline(stdin, pcap->errbuf);
if (!pcap->handle) {
fr_strerror_printf("%s", pcap->errbuf);
return -1;
}
pcap->fd = pcap_get_selectable_fd(pcap->handle);
pcap->link_layer = pcap_datalink(pcap->handle);
break;
#else
case PCAP_STDIO_IN:
fr_strerror_printf("This version of libpcap does not support reading pcap data from streams");
return -1;
#endif
#ifdef HAVE_PCAP_DUMP_FOPEN
case PCAP_STDIO_OUT:
pcap->handle = pcap_open_dead(DLT_EN10MB, SNAPLEN);
pcap->dumper = pcap_dump_fopen(pcap->handle, stdout);
if (!pcap->dumper) {
fr_strerror_printf("%s", pcap_geterr(pcap->handle));
return -1;
}
break;
#else
case PCAP_STDIO_OUT:
fr_strerror_printf("This version of libpcap does not support writing pcap data to streams");
return -1;
#endif
case PCAP_INVALID:
default:
fr_assert(0);
fr_strerror_printf("Bad handle type (%i)", pcap->type);
return -1;
}
return 0;
}
static int pcaprr_daq_open(Pcaprr_Context_t *context)
{
uint32_t localnet, netmask;
uint32_t defaultnet = 0xFFFFFF00;
#ifndef PCAP_OLDSTYLE
int status;
#endif /* PCAP_OLDSTYLE */
char *dev_start = context->device, *dev_end = context->device;
char tmp;
int num_devs = 1;
if (context->handle)
return DAQ_SUCCESS;
if (context->device)
{
/* context->device = "dag0:4,dag1:4" */
fprintf(stderr, "DAQ device is %s\n", context->device);
for(dev_start = context->device ; *dev_start != '\0' ; dev_start++)
if (*dev_start == ',')
num_devs++;
context->handle = calloc(num_devs, sizeof(context->handle));
fprintf(stderr, "sizeof %lu num_devs %u\n", sizeof(context->handle), num_devs);
context->handle_count = num_devs;
dev_start = context->device;
num_devs = 0;
while(*dev_end != '\0')
{
while(*dev_end && *dev_end != ',') dev_end++;
tmp = *dev_end;
*dev_end = '\0';
fprintf(stderr, "opening dev %s\n", dev_start);
#ifndef PCAP_OLDSTYLE
context->handle[num_devs] = pcap_create(dev_start, context->errbuf);
if (!context->handle[num_devs])
return DAQ_ERROR;
if ((status = pcap_set_snaplen(context->handle[num_devs], context->snaplen)) < 0)
GOTOSRFAIL(context->handle[num_devs], dev_start);
if ((status = pcap_set_promisc(context->handle[num_devs], context->promisc_flag ? 1 : 0)) < 0)
GOTOSRFAIL(context->handle[num_devs], dev_start);
if ((status = pcap_set_timeout(context->handle[num_devs], context->timeout)) < 0)
GOTOSRFAIL(context->handle[num_devs], dev_start);
if ((status = pcap_set_buffer_size(context->handle[num_devs], context->buffer_size)) < 0)
GOTOSRFAIL(context->handle[num_devs], dev_start);
if ((status = pcap_activate(context->handle[num_devs])) < 0)
GOTOSRFAIL(context->handle[num_devs], dev_start);
#else
context->handle[num_devs] = pcap_open_live(dev_start, context->snaplen,
context->promisc_flag ? 1 : 0, context->timeout, context->errbuf);
if (!context->handle[num_devs])
return DAQ_ERROR;
#endif /* PCAP_OLDSTYLE */
if (pcap_lookupnet(dev_start, &localnet, &netmask, context->errbuf) < 0)
netmask = htonl(defaultnet);
if (tmp) {
*dev_end = tmp;
dev_start = ++dev_end;
}
num_devs++;
}
}
context->netmask = htonl(defaultnet);
return DAQ_SUCCESS;
}
void Sniffer::set_buffer_size(unsigned buffer_size) {
if (pcap_set_buffer_size(get_pcap_handle(), buffer_size)) {
throw pcap_error(pcap_geterr(get_pcap_handle()));
}
}
int init_socket(unsigned int loc_idx) {
struct bpf_program filter;
char errbuf[PCAP_ERRBUF_SIZE];
char filter_expr[FILTER_LEN];
int len=0, buffer_size = 0;
LDEBUG("Activating device: %s\n", profile_socket[loc_idx].device);
if (profile_socket[loc_idx].device) {
buffer_size = 1024 * 1024 * profile_socket[loc_idx].ring_buffer;
if ((sniffer_proto[loc_idx] = pcap_create((char *) profile_socket[loc_idx].device, errbuf)) == NULL) {
LERR("Failed to open packet sniffer on %s: pcap_create(): %s", (char * )profile_socket[loc_idx].device, errbuf);
return -1;
};
if (pcap_set_promisc(sniffer_proto[loc_idx], profile_socket[loc_idx].promisc) == -1) {
LERR("Failed to set promisc \"%s\": %s", (char *) profile_socket[loc_idx].device, pcap_geterr(sniffer_proto[loc_idx]));
return -1;
};
if (pcap_set_timeout(sniffer_proto[loc_idx], profile_socket[loc_idx].timeout) == -1) {
LERR("Failed to set timeout \"%s\": %s", (char *) profile_socket[loc_idx].device, pcap_geterr(sniffer_proto[loc_idx]));
return -1;
};
if (pcap_set_snaplen(sniffer_proto[loc_idx], profile_socket[loc_idx].snap_len) == -1) {
LERR("Failed to set snap_len [%d], \"%s\": %s", profile_socket[loc_idx].snap_len, (char *) profile_socket[loc_idx].device, pcap_geterr(sniffer_proto[loc_idx]));
return -1;
};
if (pcap_set_buffer_size(sniffer_proto[loc_idx], buffer_size) == -1) {
LERR("Failed to set buffer_size [%d] \"%s\": %s", buffer_size, (char *) profile_socket[loc_idx].device, pcap_geterr(sniffer_proto[loc_idx]));
return -1;
};
if (pcap_activate(sniffer_proto[loc_idx]) != 0) {
LERR("Failed to activate \"%s\": %s", (char *) profile_socket[loc_idx].device, pcap_geterr(sniffer_proto[loc_idx]));
return -1;
};
LDEBUG("Activated device: [%s]\n", profile_socket[loc_idx].device);
} else {
if ((sniffer_proto[loc_idx] = pcap_open_offline(usefile, errbuf)) == NULL) {
LERR("%s: Failed to open packet sniffer on %s: pcap_open_offline(): %s", module_name, usefile, errbuf);
return -1;
}
LNOTICE("Sending file: %s", usefile);
}
/* create filter string */
if(profile_socket[loc_idx].filter && strlen(profile_socket[loc_idx].filter) > 0)
{
len += snprintf(filter_expr+len, sizeof(filter_expr)-len, "(%s)", profile_socket[loc_idx].filter);
if(ipv4fragments || ipv6fragments)
{
if (ipv4fragments)
{
LDEBUG("Reassembling of IPv4 packets is enabled, adding '%s' to filter", BPF_DEFRAGMENTION_FILTER_IPV4);
len += snprintf(filter_expr+len, sizeof(filter_expr), " or %s", BPF_DEFRAGMENTION_FILTER_IPV4);
}
if (ipv6fragments)
{
LDEBUG("Reassembling of IPv6 packets is enabled, adding '%s' to filter", BPF_DEFRAGMENTION_FILTER_IPV6);
len += snprintf(filter_expr+len, sizeof(filter_expr), " or %s", BPF_DEFRAGMENTION_FILTER_IPV6);
}
}
}
if(profile_socket[loc_idx].capture_filter)
{
if(!strncmp(profile_socket[loc_idx].capture_filter, "rtcp", 4))
{
len += snprintf(filter_expr+len, sizeof(filter_expr), "%s %s", len ? " and" : "", RTCP_FILTER);
}
else if(!strncmp(profile_socket[loc_idx].capture_filter, "rtp", 3))
{
len += snprintf(filter_expr+len, sizeof(filter_expr), "%s %s", len ? " and" : "", RTP_FILTER);
}
}
LNOTICE("Using filter: %s", filter_expr);
/* compile filter expression (global constant, see above) */
if (pcap_compile(sniffer_proto[loc_idx], &filter, filter_expr, 1, 0) == -1) {
LERR("Failed to compile filter \"%s\": %s", filter_expr, pcap_geterr(sniffer_proto[loc_idx]));
return -1;
}
/* install filter on sniffer session */
if (pcap_setfilter(sniffer_proto[loc_idx], &filter)) {
LERR("Failed to install filter: %s", pcap_geterr(sniffer_proto[loc_idx]));
return -1;
}
//disabled temporaly
//pcap_freecode(&filter);
return 1;
}
static int
tc_pcap_open(pcap_t **pd, char *device, int snap_len, int buf_size)
{
int status;
char ebuf[PCAP_ERRBUF_SIZE];
*ebuf = '\0';
*pd = pcap_create(device, ebuf);
if (*pd == NULL) {
tc_log_info(LOG_ERR, 0, "pcap create error:%s", ebuf);
fprintf(stderr, "pcap create error:%s\n", ebuf);
return TC_ERR;
}
status = pcap_set_snaplen(*pd, snap_len);
if (status != 0) {
tc_log_info(LOG_ERR, 0, "pcap_set_snaplen error:%s",
pcap_statustostr(status));
return TC_ERR;
}
status = pcap_set_promisc(*pd, 1);
if (status != 0) {
tc_log_info(LOG_ERR, 0, "pcap_set_promisc error:%s",
pcap_statustostr(status));
}
status = pcap_set_timeout(*pd, 10);
if (status != 0) {
tc_log_info(LOG_ERR, 0, "pcap_set_timeout error:%s",
pcap_statustostr(status));
return TC_ERR;
}
status = pcap_set_buffer_size(*pd, buf_size);
if (status != 0) {
tc_log_info(LOG_ERR, 0, "pcap_set_buffer_size error:%s",
pcap_statustostr(status));
return TC_ERR;
}
tc_log_info(LOG_NOTICE, 0, "pcap_set_buffer_size:%d", buf_size);
#if (HAVE_SET_IMMEDIATE_MODE)
status = pcap_set_immediate_mode(*pd, 1);
if (status != 0) {
tc_log_info(LOG_ERR, 0, "pcap_set_immediate_mode error:%s",
pcap_statustostr(status));
return TC_ERR;
}
#endif
status = pcap_activate(*pd);
if (status < 0) {
tc_log_info(LOG_ERR, 0, "pcap_activate error:%s",
pcap_statustostr(status));
return TC_ERR;
} else if (status > 0) {
tc_log_info(LOG_WARN, 0, "pcap activate warn:%s",
pcap_statustostr(status));
}
return TC_OK;
}
inline void set_buffer_size(pcap_t *source, const int bytes) {
if (pcap_set_buffer_size(source, bytes) != 0) {
throw already_activated_error{source};
}
}
/*
* This thread reads stdin or the network and appends to the ring buffer
*/
void *Reader(void *arg)
{
#ifndef JUSTCOPY
char errbuf[PCAP_ERRBUF_SIZE]; /* error buffer */
struct bpf_program fp; /* compiled filter program */
bpf_u_int32 mask; /* subnet mask */
bpf_u_int32 net; /* ip */
int num_packets = -1; /* number of packets to capture */
#endif
#ifdef CPU_SET
int rtid = gettid(); /* reader thread id */
cpu_set_t csmask;
CPU_ZERO(&csmask);
CPU_SET(READER_CPU, &csmask);
if (my_sched_setaffinity(rtid, sizeof(cpu_set_t), &csmask) != 0) {
fprintf(stderr, "%s: Reader could not set cpu affinity: %s\n",
progname, strerror(errno));
}
if (setpriority(PRIO_PROCESS, rtid, READ_PRIO) != 0) {
fprintf(stderr, "%s: Reader could not set scheduling priority: %s\n",
progname, strerror(errno));
}
#else
replace with equivalent code for your OS or delete and run less optimally
#endif
#ifdef USE_SIGNAL
signal(SIGINT, cleanup);
signal(SIGPIPE, cleanup);
#else
struct sigaction sa;
sa.sa_handler = cleanup;
sigemptyset(&sa.sa_mask);
sa.sa_flags = 0; /* allow signal to abort pcap read */
sigaction(SIGINT, &sa, NULL);
sigaction(SIGPIPE, &sa, NULL);
#endif /* USE_SIGNAL */
if (just_copy) {
static char rbuf[MAXPKT];
int c;
reader_ready = 1;
while (!eof && (c = read(0, rbuf, MAXPKT)) != 0) {
if (c > 0) append(rbuf, c, 1);
}
}
#ifndef JUSTCOPY
else {
/*
* get network number and mask associated with capture device
* (needed to compile a bpf expression).
*/
if (strcmp(dev,"-") && pcap_lookupnet(dev, &net, &mask, errbuf) == -1) {
fprintf(stderr, "%s: Couldn't get netmask for dev %s: %s\n",
progname, dev, errbuf);
net = 0;
mask = 0;
}
/* open capture device */
if (!strcmp(dev, "-")) {
handle = pcap_open_offline(dev, errbuf);
#ifndef RHEL3
int sfd = -2;
if (handle) sfd = pcap_get_selectable_fd(handle);
if (sfd >= 0 && lseek(sfd, 0, SEEK_CUR) >= 0) {
warn_buf_full = 0; /* input is a file, don't warn */
}
#endif /* RHEL3 */
}
else
{
//handle = pcap_open_live(dev, d_snap_len, 1, 0, errbuf);
// handle = pcap_open_live(dev, d_snap_len, 1, 0, errbuf);
handle = pcap_create (dev, errbuf);
if (handle == NULL)
{
fprintf (stderr, "%s: Couldn't open device %s: %s\n",
progname, dev, errbuf);
exit (EXIT_FAILURE);
}
if (pcap_set_buffer_size (handle, 200 * 1024 * 1024) != 0)
{
fprintf (stderr, " Couldn't set buffer\n");
exit (EXIT_FAILURE);
}
if (pcap_set_snaplen (handle, d_snap_len) < 0)
{
fprintf (stderr, "Couldn't set snap len\n");
exit (EXIT_FAILURE);
}
if (pcap_set_promisc (handle, 1) < 0)
{
fprintf (stderr, "Couldn't set promisc \n");
exit (EXIT_FAILURE);
}
if (pcap_set_timeout (handle, 0) < 0)
{
fprintf (stderr, "Couldn't set timeout\n");
exit (EXIT_FAILURE);
}
if (pcap_activate (handle) < 0)
{
fprintf (stderr, "Couldn't activate\n");
exit (EXIT_FAILURE);
}
}
if (handle == NULL) {
fprintf(stderr, "%s: Couldn't open device %s: %s\n",
progname, dev, errbuf);
exit(EXIT_FAILURE);
}
reader_ready = 1;
/* make sure we're capturing on an Ethernet device */
if (pcap_datalink(handle) != DLT_EN10MB) {
fprintf(stderr, "%s: %s is not an Ethernet\n", progname, dev);
exit(EXIT_FAILURE);
}
/* compile the filter expression */
if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) {
fprintf(stderr, "%s: Couldn't parse filter %s: %s\n",
progname, filter_exp, pcap_geterr(handle));
exit(EXIT_FAILURE);
}
/* apply the compiled filter */
if (pcap_setfilter(handle, &fp) == -1) {
fprintf(stderr, "%s: Couldn't install filter %s: %s\n",
progname, filter_exp, pcap_geterr(handle));
exit(EXIT_FAILURE);
}
/*
* emit pcap file header
*/
#ifndef RHEL3
char tmpstr[] = "/tmp/gulp_hdr.XXXXXX";
int tmpfd = mkstemp(tmpstr);
if (tmpfd >= 0) {
pcap_dumper_t *dump = pcap_dump_fopen(handle, fdopen(tmpfd,"w"));
if (dump) pcap_dump_close(dump);
tmpfd = open(tmpstr, O_RDONLY); /* get pcap to create a header */
if (tmpfd >= 0) read(tmpfd, (char *)&fh, sizeof(fh));
if (tmpfd >= 0) close(tmpfd);
unlink(tmpstr);
fh.snaplen = snap_len; /* snaplen after any decapsulation */
}
#endif /* RHEL3 */
if (fh.magic != 0xa1b2c3d4) { /* if the above failed, do this */
fprintf(stderr, "%s: using canned pcap header\n", progname);
fh.magic = 0xa1b2c3d4;
fh.version_major = 2;
fh.version_minor = 4;
fh.thiszone = 0;
fh.sigfigs = 0;
fh.snaplen = snap_len;
fh.linktype = 1;
}
append((char *)&fh, sizeof(fh), 0);
/* now we can set our callback function */
pcap_loop(handle, num_packets, got_packet, NULL);
fprintf(stderr, "\n%d packets captured\n", captured);
if (ignored > 0) {
fprintf(stderr, "%d packets ignored (too small to decapsulate)\n",
ignored);
}
if (got_stats) {
(void)fprintf(stderr, "%d packets received by filter\n", pcs.ps_recv);
(void)fprintf(stderr, "%d packets dropped by kernel\n", pcs.ps_drop);
/*
* if packets dropped, check/warn if pcap socket buffer is too small
*/
if (pcs.ps_drop > 0) {
procf = fopen(RMEM_DEF, "r");
if (procf) {fscanf(procf, "%d", &rmem_def); fclose(procf);}
procf = fopen(RMEM_MAX, "r");
if (procf) {fscanf(procf, "%d", &rmem_max); fclose(procf);}
if (rmem_def < RMEM_SUG || rmem_max < RMEM_SUG) {
fprintf(stderr, "\nNote %s may drop fewer packets "
"if you increase:\n %s and\n %s\nto %d or more\n\n",
progname, RMEM_MAX, RMEM_DEF, RMEM_SUG);
}
}
}
if (check_block) {
if (would_block)
fprintf(stderr, "select reports writes would have blocked\n");
else
fprintf(stderr, "select reports writes would not have blocked\n");
}
/* cleanup */
pcap_freecode(&fp);
#ifndef RHEL3
pcap_close(handle);
#endif /* RHEL3 */
}
#endif /* JUSTCOPY */
fprintf(stderr, "ring buffer use: %.1lf%% of %d MB\n",
100.0*(double)maxbuffered/(double)(ringsize), ringsize/1024/1024);
eof = 1;
fflush(stderr);
pthread_exit(NULL);
}
int main(int argc, char** argv)
{
int ret;
int inum;
int port;
int i = 0;
char err[PCAP_ERRBUF_SIZE];
char filter[32];
char loopback = 0;
char *server = NULL;
struct bpf_program fp;
pcap_if_t *d;
pcap_addr_t *a;
signal(SIGINT, sig_handler);
#ifndef _WIN32
ssl_InitSniffer();
#endif
ssl_Trace("./tracefile.txt", err);
if (pcap_findalldevs(&alldevs, err) == -1)
err_sys("Error in pcap_findalldevs");
for (d = alldevs; d; d=d->next) {
printf("%d. %s", ++i, d->name);
if (d->description)
printf(" (%s)\n", d->description);
else
printf(" (No description available)\n");
}
if (i == 0)
err_sys("No interfaces found! Make sure pcap or WinPcap is installed");
printf("Enter the interface number (1-%d): ", i);
scanf("%d", &inum);
if (inum < 1 || inum > i)
err_sys("Interface number out of range");
/* Jump to the selected adapter */
for (d = alldevs, i = 0; i < inum - 1; d = d->next, i++);
pcap = pcap_create(d->name, err);
if (pcap == NULL) printf("pcap_create failed %s\n", err);
if (d->flags & PCAP_IF_LOOPBACK)
loopback = 1;
/* get an IPv4 address */
for (a = d->addresses; a; a = a->next) {
switch(a->addr->sa_family)
{
case AF_INET:
server =iptos(((struct sockaddr_in *)a->addr)->sin_addr.s_addr);
printf("server = %s\n", server);
break;
}
}
if (server == NULL)
err_sys("Unable to get device IPv4 address");
ret = pcap_set_snaplen(pcap, 65536);
if (ret != 0) printf("pcap_set_snaplen failed %s\n", pcap_geterr(pcap));
ret = pcap_set_timeout(pcap, 1000);
if (ret != 0) printf("pcap_set_timeout failed %s\n", pcap_geterr(pcap));
ret = pcap_set_buffer_size(pcap, 1000000);
if (ret != 0)
printf("pcap_set_buffer_size failed %s\n", pcap_geterr(pcap));
ret = pcap_set_promisc(pcap, 1);
if (ret != 0) printf("pcap_set_promisc failed %s\n", pcap_geterr(pcap));
ret = pcap_activate(pcap);
if (ret != 0) printf("pcap_activate failed %s\n", pcap_geterr(pcap));
printf("Enter the port to scan: ");
scanf("%d", &port);
SNPRINTF(filter, sizeof(filter), "tcp and port %d", port);
ret = pcap_compile(pcap, &fp, filter, 0, 0);
if (ret != 0) printf("pcap_compile failed %s\n", pcap_geterr(pcap));
ret = pcap_setfilter(pcap, &fp);
if (ret != 0) printf("pcap_setfilter failed %s\n", pcap_geterr(pcap));
ret = ssl_SetPrivateKey(server, port, "../../certs/server-key.pem",
FILETYPE_PEM, NULL, err);
if (ret != 0)
err_sys(err);
while (1) {
struct pcap_pkthdr header;
const unsigned char* packet = pcap_next(pcap, &header);
if (packet) {
byte data[65535];
if (header.caplen > 40) { /* min ip(20) + min tcp(20) */
int frame = ETHER_IF_FRAME_LEN;
if (loopback)
frame = LOCAL_IF_FRAME_LEN;
packet += frame;
header.caplen -= frame;
}
else
continue;
ret = ssl_DecodePacket(packet, header.caplen, data, err);
if (ret < 0)
printf("ssl_Decode ret = %d\n", ret);
if (ret > 0) {
data[ret] = 0;
printf("SSL App Data:%s\n", data);
}
}
}
return 0;
}
int CaptDisMain(int argc, char *argv[])
{
char ifile[RLTM_POL_PATH_DIM];
char dirpath[RLTM_POL_PATH_DIM];
char tmp[RLTM_POL_PATH_DIM];
char errbuf[PCAP_ERRBUF_SIZE];
char intrf[RLTM_POL_PATH_DIM], filter_app[RLTM_POL_PATH_DIM];
struct bpf_program filter; /* The compiled filter */
pcap_t *cap = NULL;
char *param;
int ret;
struct pcap_ref ref;
FILE *fp;
bool end, ses_id, pol_id;
struct pcap_pkthdr *pkt_header;
const u_char *pkt_data;
static time_t tm = 0;
struct pcap_file_header fh;
end = FALSE;
ses_id = FALSE;
pol_id = FALSE;
savepcap = 0;
/* pcapfile protocol id */
pol_prot_id = ProtId("pol");
if (pol_prot_id == -1) {
return -1;
}
/* serial number of packet */
pkt_serial = 1;
/* interace & filter % pol dir name*/
intrf[0] = '\0';
filter_app[0] = '\0';
dirpath[0] = '\0';
ret = RltmPolParam(argc, argv, intrf, filter_app, dirpath);
if (ret != 0) {
return -1;
}
/* check name dir */
if (dirpath[0] == '\0') {
return -1;
}
/* read pol info */
sprintf(ifile, "%s/%s", dirpath, RLTM_POL_INIT_SESSION_FILE);
fp = fopen(ifile, "r");
if (fp == NULL) {
LogPrintf(LV_ERROR, "Pol info file (%s) not present!", ifile);
return -1;
}
while (fgets(tmp, CFG_LINE_MAX_SIZE, fp) != NULL) {
/* check if line is a comment */
if (!CfgParIsComment(tmp)) {
param = strstr(tmp, RLTM_POL_SESSION_ID);
if (param != NULL) {
ret = sscanf(param, RLTM_POL_SESSION_ID"=%lu", &ref.ses_id);
if (ret == 1) {
ses_id = TRUE;
}
}
param = strstr(tmp, RLTM_POL_ID);
if (param != NULL) {
ret = sscanf(param, RLTM_POL_ID"=%lu", &ref.pol_id);
if (ret == 1) {
pol_id = TRUE;
}
}
}
}
fclose(fp);
remove(ifile);
if (ses_id == FALSE || pol_id == FALSE) {
LogPrintf(LV_ERROR, "Pol info file (%s) incomplete!", tmp);
return -1;
}
errbuf[sizeof(errbuf) - 1] = '\0';
errbuf[0] = '\0';
/* open device in promiscuous mode */
#ifdef HAVE_PCAP_CREATE
cap = pcap_create(intrf, errbuf);
#else
cap = pcap_open_live(intrf, 102400, 1, 0, errbuf);
#endif
if (cap == NULL) {
printf("Error: %s\n", errbuf);
return -1;
}
else {
#ifdef HAVE_PCAP_CREATE
ret = pcap_set_snaplen(cap, 102400);
if (ret != 0) {
printf("You have an old version of libpcap\n");
return -1;
}
ret = pcap_set_promisc(cap, 1);
if (ret != 0) {
printf("You have an old version of libpcap\n");
return -1;
}
ret = pcap_set_timeout(cap, 0);
if (ret != 0) {
printf("You have an old version of libpcap\n");
return -1;
}
/* set capture buffer size to 16 MB */
ret = pcap_set_buffer_size(cap, (1<<24));
if (ret != 0) {
printf("You have an old version of libpcap\n");
return -1;
}
ret = pcap_activate(cap);
if (ret != 0) {
printf("pcap_activate failed '%s'\n", pcap_geterr(cap));
return -1;
}
#endif
/* compile and apply the filter */
if (pcap_compile(cap, &filter, filter_app, 1, 0) < 0) {
printf("Bad filter %s\n", filter_app);
pcap_perror(cap, "Filter");
return -1;
}
pcap_setfilter(cap, &filter);
pcap_freecode(&filter);
/* interface */
ref.dev = intrf;
/* data link type */
ref.dlt = pcap_datalink(cap);
/* packet counter */
ref.cnt = 0;
/* end filename */
sprintf(ifile, "%s/%s", dirpath, RLTM_POL_END_SESSION_FILE);
if (savepcap) {
/* pcap file for debug */
sprintf(pcap_deb, "/opt/xplico/pol_%li/sol_%li/raw/interface_%s_%lu.pcap", ref.pol_id, ref.ses_id, intrf, time(NULL));
fp_pcap = fopen(pcap_deb, "w");
crash_ref_name = pcap_deb;
memset(&fh, 0, sizeof(struct pcap_file_header));
fh.magic = 0xA1B2C3D4;
fh.version_major = PCAP_VERSION_MAJOR;
fh.version_minor = PCAP_VERSION_MINOR;
fh.snaplen = 65535;
fh.linktype = ref.dlt;
if (fp_pcap != NULL) {
fwrite((char *)&fh, 1, sizeof(struct pcap_file_header), fp_pcap);
}
else {
LogPrintf(LV_ERROR, "Debug raw file failed: %s", pcap_deb);
sprintf(pcap_deb, "Real Time");
}
}
else {
fp_pcap = NULL;
}
do {
/* read data */
if (pcap_next_ex(cap, &pkt_header, &pkt_data) == -1) {
/* exit */
break;
}
else {
/* decode data */
RltmPolDissector((u_char *)&ref, pkt_header, pkt_data);
}
/* check the end */
if (time(NULL) > tm) {
tm = time(NULL) + 1;
fp = fopen(ifile, "r");
if (fp != NULL) {
end = TRUE;
fclose(fp);
}
}
} while (end == FALSE);
pcap_close(cap);
/* remove file */
remove(ifile);
}
if (fp_pcap != NULL)
fclose(fp_pcap);
return 0;
}
/**
* \brief Init function for ReceivePcap.
*
* This is a setup function for recieving packets
* via libpcap. There are two versions of this function
* depending on the major version of libpcap used.
* For versions prior to 1.x we use open_pcap_live,
* for versions 1.x and greater we use pcap_create + pcap_activate.
*
* \param tv pointer to ThreadVars
* \param initdata pointer to the interface passed from the user
* \param data pointer gets populated with PcapThreadVars
*
* \todo Create a general pcap setup function.
*/
TmEcode ReceivePcapThreadInit(ThreadVars *tv, const void *initdata, void **data)
{
SCEnter();
PcapIfaceConfig *pcapconfig = (PcapIfaceConfig *)initdata;
if (initdata == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "initdata == NULL");
SCReturnInt(TM_ECODE_FAILED);
}
PcapThreadVars *ptv = SCMalloc(sizeof(PcapThreadVars));
if (unlikely(ptv == NULL)) {
pcapconfig->DerefFunc(pcapconfig);
SCReturnInt(TM_ECODE_FAILED);
}
memset(ptv, 0, sizeof(PcapThreadVars));
ptv->tv = tv;
ptv->livedev = LiveGetDevice(pcapconfig->iface);
if (ptv->livedev == NULL) {
SCLogError(SC_ERR_INVALID_VALUE, "Unable to find Live device");
SCFree(ptv);
SCReturnInt(TM_ECODE_FAILED);
}
SCLogInfo("using interface %s", (char *)pcapconfig->iface);
if (LiveGetOffload() == 0) {
(void)GetIfaceOffloading((char *)pcapconfig->iface, 1, 1);
} else {
DisableIfaceOffloading(ptv->livedev, 1, 1);
}
ptv->checksum_mode = pcapconfig->checksum_mode;
if (ptv->checksum_mode == CHECKSUM_VALIDATION_AUTO) {
SCLogInfo("Running in 'auto' checksum mode. Detection of interface state will require "
xstr(CHECKSUM_SAMPLE_COUNT) " packets.");
}
/* XXX create a general pcap setup function */
char errbuf[PCAP_ERRBUF_SIZE];
ptv->pcap_handle = pcap_create((char *)pcapconfig->iface, errbuf);
if (ptv->pcap_handle == NULL) {
if (strlen(errbuf)) {
SCLogError(SC_ERR_PCAP_CREATE, "Couldn't create a new pcap handler for %s, error %s",
(char *)pcapconfig->iface, errbuf);
} else {
SCLogError(SC_ERR_PCAP_CREATE, "Couldn't create a new pcap handler for %s",
(char *)pcapconfig->iface);
}
SCFree(ptv);
pcapconfig->DerefFunc(pcapconfig);
SCReturnInt(TM_ECODE_FAILED);
}
if (pcapconfig->snaplen == 0) {
/* We set snaplen if we can get the MTU */
ptv->pcap_snaplen = GetIfaceMaxPacketSize(pcapconfig->iface);
} else {
ptv->pcap_snaplen = pcapconfig->snaplen;
}
if (ptv->pcap_snaplen > 0) {
/* set Snaplen. Must be called before pcap_activate */
int pcap_set_snaplen_r = pcap_set_snaplen(ptv->pcap_handle, ptv->pcap_snaplen);
if (pcap_set_snaplen_r != 0) {
SCLogError(SC_ERR_PCAP_SET_SNAPLEN, "Couldn't set snaplen, error: %s", pcap_geterr(ptv->pcap_handle));
SCFree(ptv);
pcapconfig->DerefFunc(pcapconfig);
SCReturnInt(TM_ECODE_FAILED);
}
SCLogInfo("Set snaplen to %d for '%s'", ptv->pcap_snaplen,
pcapconfig->iface);
}
/* set Promisc, and Timeout. Must be called before pcap_activate */
int pcap_set_promisc_r = pcap_set_promisc(ptv->pcap_handle, pcapconfig->promisc);
//printf("ReceivePcapThreadInit: pcap_set_promisc(%p) returned %" PRId32 "\n", ptv->pcap_handle, pcap_set_promisc_r);
if (pcap_set_promisc_r != 0) {
SCLogError(SC_ERR_PCAP_SET_PROMISC, "Couldn't set promisc mode, error %s", pcap_geterr(ptv->pcap_handle));
SCFree(ptv);
pcapconfig->DerefFunc(pcapconfig);
SCReturnInt(TM_ECODE_FAILED);
}
int pcap_set_timeout_r = pcap_set_timeout(ptv->pcap_handle,LIBPCAP_COPYWAIT);
//printf("ReceivePcapThreadInit: pcap_set_timeout(%p) returned %" PRId32 "\n", ptv->pcap_handle, pcap_set_timeout_r);
if (pcap_set_timeout_r != 0) {
SCLogError(SC_ERR_PCAP_SET_TIMEOUT, "Problems setting timeout, error %s", pcap_geterr(ptv->pcap_handle));
SCFree(ptv);
pcapconfig->DerefFunc(pcapconfig);
SCReturnInt(TM_ECODE_FAILED);
}
#ifdef HAVE_PCAP_SET_BUFF
ptv->pcap_buffer_size = pcapconfig->buffer_size;
if (ptv->pcap_buffer_size >= 0 && ptv->pcap_buffer_size <= INT_MAX) {
if (ptv->pcap_buffer_size > 0)
SCLogInfo("Going to use pcap buffer size of %" PRId32 "", ptv->pcap_buffer_size);
int pcap_set_buffer_size_r = pcap_set_buffer_size(ptv->pcap_handle,ptv->pcap_buffer_size);
//printf("ReceivePcapThreadInit: pcap_set_timeout(%p) returned %" PRId32 "\n", ptv->pcap_handle, pcap_set_buffer_size_r);
if (pcap_set_buffer_size_r != 0) {
SCLogError(SC_ERR_PCAP_SET_BUFF_SIZE, "Problems setting pcap buffer size, error %s", pcap_geterr(ptv->pcap_handle));
SCFree(ptv);
pcapconfig->DerefFunc(pcapconfig);
SCReturnInt(TM_ECODE_FAILED);
}
}
#endif /* HAVE_PCAP_SET_BUFF */
/* activate the handle */
int pcap_activate_r = pcap_activate(ptv->pcap_handle);
//printf("ReceivePcapThreadInit: pcap_activate(%p) returned %" PRId32 "\n", ptv->pcap_handle, pcap_activate_r);
if (pcap_activate_r != 0) {
SCLogError(SC_ERR_PCAP_ACTIVATE_HANDLE, "Couldn't activate the pcap handler, error %s", pcap_geterr(ptv->pcap_handle));
SCFree(ptv);
pcapconfig->DerefFunc(pcapconfig);
SCReturnInt(TM_ECODE_FAILED);
} else {
ptv->pcap_state = PCAP_STATE_UP;
}
/* set bpf filter if we have one */
if (pcapconfig->bpf_filter) {
SCMutexLock(&pcap_bpf_compile_lock);
ptv->bpf_filter = pcapconfig->bpf_filter;
if (pcap_compile(ptv->pcap_handle,&ptv->filter,(char *)ptv->bpf_filter,1,0) < 0) {
SCLogError(SC_ERR_BPF, "bpf compilation error %s", pcap_geterr(ptv->pcap_handle));
SCMutexUnlock(&pcap_bpf_compile_lock);
SCFree(ptv);
pcapconfig->DerefFunc(pcapconfig);
return TM_ECODE_FAILED;
}
if (pcap_setfilter(ptv->pcap_handle,&ptv->filter) < 0) {
SCLogError(SC_ERR_BPF, "could not set bpf filter %s", pcap_geterr(ptv->pcap_handle));
SCMutexUnlock(&pcap_bpf_compile_lock);
SCFree(ptv);
pcapconfig->DerefFunc(pcapconfig);
return TM_ECODE_FAILED;
}
SCMutexUnlock(&pcap_bpf_compile_lock);
}
/* no offloading supported at all */
(void)GetIfaceOffloading(pcapconfig->iface, 1, 1);
ptv->datalink = pcap_datalink(ptv->pcap_handle);
pcapconfig->DerefFunc(pcapconfig);
ptv->capture_kernel_packets = StatsRegisterCounter("capture.kernel_packets",
ptv->tv);
ptv->capture_kernel_drops = StatsRegisterCounter("capture.kernel_drops",
ptv->tv);
ptv->capture_kernel_ifdrops = StatsRegisterCounter("capture.kernel_ifdrops",
ptv->tv);
*data = (void *)ptv;
SCReturnInt(TM_ECODE_OK);
}
int main(int argc, char **argv)
{
/* default values for command line arguments (see also static variables) */
const char *if_name = PCAPPRINT_DEF_IFNAME;
int snaplen = PCAPPRINT_DEF_SNAPLEN;
const char *dlt_name = PCAPPRINT_DEF_DLTNAME;
int num_pkts = -1;
const char *pcap_filename = NULL;
const char *bpf_expr = NULL;
int rfmon = 0;
/* process command line options */
const char *usage = "usage: pcap-print [options]\n";
int c;
while ((c = getopt(argc, argv, ":1234ab:c:dfhi:mNqr:s:tVy:")) != -1) {
switch (c) {
case '1':
case '2':
case '3':
case '4':
enabled_layers[c-'0'-1]++;
break;
case 'a':
/* arbitrary "big" number */
enabled_layers[0] = 100;
enabled_layers[1] = 100;
enabled_layers[2] = 100;
enabled_layers[3] = 100;
break;
case 'b':
bpf_expr = optarg;
break;
case 'c':
num_pkts = atoi(optarg);
break;
case 'd':
tsfmt = TS_CTIME;
break;
case 'f':
print_fcs = 1;
break;
case 'h':
printf(usage);
printf(
" -1 print data-link header (e.g. Ethernet)\n"
" -2 print network header (e.g. IP)\n"
" -3 print transport header (e.g. TCP)\n"
" -4 print application header (e.g. HTTP)\n"
" -a print ALL headers, with maximum verbosity\n"
" -b specify a BPF filter\n"
" -c print only first N packets\n"
" -d print absolute timestamp in date format\n"
" -f print FCS for MAC headers\n"
" -h print usage information and quit\n"
" -i network interface on which to capture packets"
" (default: %s)\n"
" -m set rfmon mode on interface\n"
" -N number packets as they are printed\n"
" -q suppress printing of packet-parsing errors\n"
" -r read from pcap file instead of live capture\n"
" -s capture size in bytes (default: %d)\n"
" -t print absolute timestamp\n"
" -V print pcap version and quit\n"
" -y datalink type for capturing interface (default: %s)\n",
PCAPPRINT_DEF_IFNAME, PCAPPRINT_DEF_SNAPLEN, PCAPPRINT_DEF_DLTNAME);
exit(0);
break;
case 'i':
if_name = optarg;
break;
case 'm':
rfmon = 1;
break;
case 'N':
use_numbering = 1;
break;
case 'q':
quiet = 1;
break;
case 'r':
pcap_filename = optarg;
break;
case 's':
snaplen = (int)strtol(optarg, (char **)NULL, 10);
break;
case 't':
tsfmt = TS_ABS;
break;
case 'V':
printf("%s\n", pcap_lib_version());
exit(0);
break;
case 'y':
dlt_name = optarg;
break;
case ':':
errx(1, "option -%c requires an operand", optopt);
break;
case '?':
errx(1, "unrecognized option: -%c", optopt);
break;
default:
/* unhandled option indicates programming error */
assert(0);
}
}
/* if no layers we specified, use defaults (hard-coded) */
if (! (enabled_layers[0] || enabled_layers[1] || enabled_layers[2] ||
enabled_layers[3])) {
enabled_layers[1] = 1;
enabled_layers[2] = 1;
}
/* create pcap handle (either from file or from live capture) */
char ebuf[PCAP_ERRBUF_SIZE];
*ebuf = '\0';
/* used only if a BPF program (filter) is specified */
bpf_u_int32 netnum = 0, netmask = 0;
if (pcap_filename != NULL) {
/* "capture" from file */
if (strcmp(if_name, PCAPPRINT_DEF_IFNAME) != 0)
warnx("warning: -i option ignored when -f option is present");
if (snaplen != PCAPPRINT_DEF_SNAPLEN)
warnx("warning: -s option ignored when -f option is present");
if (strcmp(dlt_name, PCAPPRINT_DEF_DLTNAME) != 0)
warnx("warning: -y option ignored when -f option is present");
pcap_h = pcap_open_offline(pcap_filename, ebuf);
if (pcap_h == NULL)
errx(1, "pcap_open_offline: %s", ebuf);
else if (*ebuf)
warnx("pcap_open_offline: %s", ebuf);
/* read dlt from file */
dlt = pcap_datalink(pcap_h);
} else {
/* live capture */
dlt = pcap_datalink_name_to_val(dlt_name);
if (dlt < 0)
err(1, "invalid data link type %s", dlt_name);
pcap_h = pcap_create(if_name, ebuf);
if (pcap_h == NULL)
errx(1, "pcap_create: %s", ebuf);
if (pcap_set_snaplen(pcap_h, snaplen) != 0)
errx(1, "pcap_set_snaplen: %s", pcap_geterr(pcap_h));
if (pcap_set_promisc(pcap_h, 1) != 0)
errx(1, "pcap_set_promisc: %s", pcap_geterr(pcap_h));
if (rfmon) {
if (pcap_can_set_rfmon(pcap_h) == 0)
errx(1, "cannot set rfmon mode on device %s", if_name);
if (pcap_set_rfmon(pcap_h, 1) != 0)
errx(1, "pcap_set_rfmon: %s", pcap_geterr(pcap_h));
}
if (pcap_set_buffer_size(pcap_h, PCAPPRINT_BPF_BUFSIZE) != 0)
errx(1, "pcap_set_buffer_size: %s", pcap_geterr(pcap_h));
if (pcap_set_timeout(pcap_h, PCAPPRINT_READ_TIMEOUT) != 0)
errx(1, "pcap_set_timeout: %s", pcap_geterr(pcap_h));
if (pcap_lookupnet(if_name, &netnum, &netmask, ebuf) == -1)
errx(1, "pcap_lookupnet: %s", ebuf);
if (pcap_activate(pcap_h) != 0)
errx(1, "pcap_activate: %s", pcap_geterr(pcap_h));
/*
* the following calls must be done AFTER pcap_activate():
* pcap_setfilter
* pcap_setdirection
* pcap_set_datalink
* pcap_getnonblock
* pcap_setnonblock
* pcap_stats
* all reads/writes
*/
if (pcap_set_datalink(pcap_h, dlt) == -1)
errx(1, "pcap_set_datalink: %s", pcap_geterr(pcap_h));
int r, yes = 1;
int pcap_fd = pcap_get_selectable_fd(pcap_h);
if ((r = ioctl(pcap_fd, BIOCIMMEDIATE, &yes)) == -1)
err(1, "BIOCIMMEDIATE");
else if (r != 0)
warnx("BIOCIMMEDIATE returned %d", r);
/* set up signal handlers */
if (signal(SIGINT, SIG_IGN) != SIG_IGN)
signal(SIGINT, signal_handler);
if (signal(SIGTERM, SIG_IGN) != SIG_IGN)
signal(SIGTERM, signal_handler);
}
/* apply BPF filter (if one was specified) */
if (bpf_expr != NULL) {
struct bpf_program bpf;
if (pcap_compile(pcap_h, &bpf, bpf_expr, 1 /*optimize*/, netmask) == -1)
errx(1, "pcap_compile: %s", pcap_geterr(pcap_h));
if (pcap_setfilter(pcap_h, &bpf) == -1)
errx(1, "pcap_setfilter: %s", pcap_geterr(pcap_h));
}
/* start reading packets */
if (pcap_loop(pcap_h, num_pkts, handle_packet, NULL) == -1)
errx(1, "pcap_loop: %s", pcap_geterr(pcap_h));
if (pcap_filename == NULL) { /* if live capture.. */
printf("%u packets captured\n", pkt_count);
struct pcap_stat stats;
if (pcap_stats(pcap_h, &stats) != 0) {
warnx("pcap_stats: %s", pcap_geterr(pcap_h));
} else {
printf("%u packets received by filter\n"
"%u packets dropped by kernel\n", stats.ps_recv, stats.ps_drop);
}
}
pcap_close(pcap_h);
return 0;
}
