Пример #1
0
void
raw_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
	u_int length = h->len;
	u_int caplen = h->caplen;

	ts_print(&h->ts);

	/*
	 * Some printers want to get back at the link level addresses,
	 * and/or check that they're not walking off the end of the packet.
	 * Rather than pass them all the way down, we set these globals.
	 */
	packetp = p;
	snapend = p + caplen;

	if (eflag)
		printf("ip: ");

	ip_print(p, length);

	if (xflag)
		default_print(p, caplen);
	putchar('\n');
}
Пример #2
0
void
sl_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
        register u_int caplen = h->caplen;
        register u_int length = h->len;
        register const struct ip *ip;

        ts_print(&h->ts);

        if (caplen < SLIP_HDRLEN) {
                printf("[|slip]");
                goto out;
        }
        /*
         * Some printers want to get back at the link level addresses,
         * and/or check that they're not walking off the end of the packet.
         * Rather than pass them all the way down, we set these globals.
         */
        packetp = p;
        snapend = p + caplen;

        length -= SLIP_HDRLEN;

        ip = (struct ip *)(p + SLIP_HDRLEN);

        if (eflag)
                sliplink_print(p, ip, length);

        ip_print((u_char *)ip, length);

        if (xflag)
                default_print((u_char *)ip, caplen - SLIP_HDRLEN);
 out:
        putchar('\n');
}
Пример #3
0
void
pfsync_if_print(u_char *user, const struct pcap_pkthdr *h,
    register const u_char *p)
{
	u_int caplen = h->caplen;

	ts_print(&h->ts);

	if (caplen < PFSYNC_HDRLEN) {
		ND_PRINT((ndo, "[|pfsync]"));
		goto out;
	}

	pfsync_print((struct pfsync_header *)p,
	    p + sizeof(struct pfsync_header),
	    caplen - sizeof(struct pfsync_header));
out:
	if (xflag) {
		default_print((const u_char *)p, caplen);
	}
	safeputchar(ndo, '\n');
}
u_int
pfsync_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, const u_char *p)
{
	u_int caplen = h->caplen;

	ts_print(ndo, &h->ts);

	if (caplen < PFSYNC_HDRLEN) {
		ND_PRINT((ndo, "[|pfsync]"));
		goto out;
	}

	pfsync_print((struct pfsync_header *)p,
	    caplen - sizeof(struct pfsync_header));
out:
	if (xflag) {
		default_print((const u_char *)h, caplen);
	}
	//putchar('\n');

	return 0;
}
Пример #5
0
void
pfsync_if_print(u_char *user, const struct pcap_pkthdr *h,
    packetbody_t p)
{
	u_int caplen = h->caplen;

	ts_print(&h->ts);

	if (caplen < PFSYNC_HDRLEN) {
		printf("[|pfsync]");
		goto out;
	}

	pfsync_print((struct pfsync_header *)p,
	    p + sizeof(struct pfsync_header),
	    caplen - sizeof(struct pfsync_header));
out:
	if (xflag) {
		default_print((const u_char *)p, caplen);
	}
	putchar('\n');
}
Пример #6
0
static int LogPortscanAlert(Packet *p, char *msg, uint32_t event_id,
        uint32_t event_ref, uint32_t gen_id, uint32_t sig_id)
{
    char timebuf[TIMEBUF_SIZE];
    snort_ip_p src_addr;
    snort_ip_p dst_addr;

    if(!p->iph_api)
        return -1;

    /* Do not log if being suppressed */
    src_addr = GET_SRC_IP(p);
    dst_addr = GET_DST_IP(p);

    if( sfthreshold_test(gen_id, sig_id, src_addr, dst_addr, p->pkth->ts.tv_sec) )
    {
        return 0;
    }

    ts_print((struct timeval *)&p->pkth->ts, timebuf);

    fprintf(g_logfile, "Time: %s\n", timebuf);

    if(event_id)
        fprintf(g_logfile, "event_id: %u\n", event_id);
    else
        fprintf(g_logfile, "event_ref: %u\n", event_ref);

    fprintf(g_logfile, "%s ", inet_ntoa(GET_SRC_ADDR(p)));
    fprintf(g_logfile, "-> %s %s\n", inet_ntoa(GET_DST_ADDR(p)), msg);
    fprintf(g_logfile, "%.*s\n", p->dsize, p->data);

    fflush(g_logfile);

    return 0;
}
Пример #7
0
/* Standard PPP printer */
void
ppp_if_print(u_char *user, const struct pcap_pkthdr *h,
	     register const u_char *p)
{
	register u_int length = h->len;
	register u_int caplen = h->caplen;
	const struct ip *ip;

	ts_print(&h->ts);

	if (caplen < PPP_HDRLEN) {
		printf("[|ppp]");
		goto out;
	}

	/*
	 * Some printers want to get back at the link level addresses,
	 * and/or check that they're not walking off the end of the packet.
	 * Rather than pass them all the way down, we set these globals.
	 */
	packetp = p;
	snapend = p + caplen;

	if (eflag)
		printf("%c %4d %02x %04x: ", p[0] ? 'O' : 'I', length,
		       p[1], ntohs(*(u_short *)&p[2]));

	length -= PPP_HDRLEN;
	ip = (struct ip *)(p + PPP_HDRLEN);
	ip_print((const u_char *)ip, length);

	if (xflag)
		default_print((const u_char *)ip, caplen - PPP_HDRLEN);
out:
	putchar('\n');
}
Пример #8
0
/*
 * This is the top level routine of the printer.  'p' is the points
 * to the LLC/SNAP header of the packet, 'tvp' is the timestamp,
 * 'length' is the length of the packet off the wire, and 'caplen'
 * is the number of bytes actually captured.
 */
void
atm_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
	u_int caplen = h->caplen;
	u_int length = h->len;
	u_short ethertype;

	ts_print(&h->ts);

	if (caplen < 8) {
		printf("[|atm]");
		goto out;
	}
	if (p[0] != 0xaa || p[1] != 0xaa || p[2] != 0x03) {
		/*XXX assume 802.6 MAC header from fore driver */
		if (eflag)
			printf("%04x%04x %04x%04x ",
			       p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3],
			       p[4] << 24 | p[5] << 16 | p[6] << 8 | p[7],
			       p[8] << 24 | p[9] << 16 | p[10] << 8 | p[11],
			       p[12] << 24 | p[13] << 16 | p[14] << 8 | p[15]);
		p += 20;
		length -= 20;
		caplen -= 20;
	}
	ethertype = p[6] << 8 | p[7];
	if (eflag)
		printf("%02x %02x %02x %02x-%02x-%02x %04x: ",
		       p[0], p[1], p[2], /* dsap/ssap/ctrl */
		       p[3], p[4], p[5], /* manufacturer's code */
		       ethertype);

	/*
	 * Some printers want to get back at the ethernet addresses,
	 * and/or check that they're not walking off the end of the packet.
	 * Rather than pass them all the way down, we set these globals.
	 */
	packetp = p;
	snapend = p + caplen;

	length -= 8;
	caplen -= 8;
	p += 8;

	switch (ethertype) {

	case ETHERTYPE_IP:
		ip_print(p, length);
		break;

#ifdef INET6
	case ETHERTYPE_IPV6:
		ip6_print(p, length);
		break;
#endif /*INET6*/

		/*XXX this probably isn't right */
	case ETHERTYPE_ARP:
	case ETHERTYPE_REVARP:
		arp_print(p, length, caplen);
		break;
#ifdef notyet
	case ETHERTYPE_DN:
		decnet_print(p, length, caplen);
		break;

	case ETHERTYPE_ATALK:
		if (vflag)
			fputs("et1 ", stdout);
		atalk_print(p, length);
		break;

	case ETHERTYPE_AARP:
		aarp_print(p, length);
		break;

	case ETHERTYPE_LAT:
	case ETHERTYPE_MOPRC:
	case ETHERTYPE_MOPDL:
		/* default_print for now */
#endif
	default:
		/* ether_type not known, print raw packet */
		if (!eflag)
			printf("%02x %02x %02x %02x-%02x-%02x %04x: ",
			       p[0], p[1], p[2], /* dsap/ssap/ctrl */
			       p[3], p[4], p[5], /* manufacturer's code */
			       ethertype);
		if (!xflag && !qflag)
			default_print(p, caplen);
	}
	if (xflag)
		default_print(p, caplen);
 out:
	putchar('\n');
}
static int DecideHighEntropyFlow(FlowRecord * flow_record)
{
	int i = 0;
	int j = 0;
	int SEQSys = 0;
	int SkipPacket = 0;
	int repeat_packet = 0;
	int TotalPktNumber = 0;
	int TotalEncrypt = 0;
	int TotalNonEncrypt = 0;
	int SequentEncrypt = 0;
	int EncryptPktAfterSeq = 0;
	int NonEncryptPktAfterSeq = 0;
	int TotalZeroPayload = 0;
	int ZeroPayloadAfterSeq = 0;
	//printf("DecideHighEntropyFlow\n");
	if(flow_record->have_payload != 1)
	{
		return 0;
	}

	//the flow record has been labeled
	if(flow_record->labeled != -1)
	{
		return 0;
	}
	for(i=0; i < flow_record->packet_count; i++)
	{
		if(i >= PktsLimit)
		{
			break;
		}
		repeat_packet = 0;
		TotalPktNumber++;
		/*check whether packet has high entropy*/
		if(flow_record->pkt_entropy[i] == 1)
		{
			TotalEncrypt++;
			SequentEncrypt++;

			/*the first encrypted packet*/
			if(SequentEncrypt == 1)
			{
				EncryptPktAfterSeq++;
				ZeroPayloadAfterSeq = 0;
			}
			else if(SequentEncrypt < SEQ_HIGH_ENTROPY)
			{
				EncryptPktAfterSeq++;
			}
			else if(SequentEncrypt == SEQ_HIGH_ENTROPY)
			{
				/*set the flow as have N sequential high entropy packets*/
				SEQSys = 1;
				SkipPacket = TotalPktNumber - SEQ_HIGH_ENTROPY - ZeroPayloadAfterSeq;
				EncryptPktAfterSeq = SequentEncrypt;
			}
			else if(SequentEncrypt > SEQ_HIGH_ENTROPY)
			{
				EncryptPktAfterSeq++;
			}
		}
		/*the packet has low entropy*/
		else if( flow_record->pkt_entropy[i] == -1 )
		{
			TotalNonEncrypt++;
			/*the flow doesn't have N sequential high entropy packets*/
			if(SequentEncrypt < SEQ_HIGH_ENTROPY)
			{
				EncryptPktAfterSeq = 0;
				NonEncryptPktAfterSeq = 0;
				ZeroPayloadAfterSeq = 0;
				SequentEncrypt = 0;
			}
			/*the flow has N sequential high entropy packets*/
			else if(SequentEncrypt >= SEQ_HIGH_ENTROPY)
			{
				NonEncryptPktAfterSeq++;
			}
		}
		else if(flow_record->pkt_entropy[i] == 0)
		{
			TotalZeroPayload++;
			ZeroPayloadAfterSeq++;
		}
	}

	if((SEQSys == 1) && ( EncryptPktAfterSeq * 100 > ( EncryptPktAfterSeq + NonEncryptPktAfterSeq) * HEPercent))
	{
		flow_record->labeled = 1;
		OptTreeNode * otn = OtnLookup(snort_conf->otn_map, GENERATOR_SPP_ENTROPY, HE_TRAFFIC_DETECT);
		char log_timestamp[TIMEBUF_SIZE];
		struct timeval log_timeval;
		char proto[16];
		log_timeval.tv_sec = flow_record->first_sec;
		log_timeval.tv_usec = flow_record->first_usec;
		ts_print(&log_timeval, log_timestamp);
		if(flow_record->proto == 6)
		{
			strcpy(proto, "TCP");
		}
		else if(flow_record->proto == 17)
		{
			strcpy(proto, "UDP");
		}
		fprintf(LOG_FILE_DESCRIPTOR, "\n[**] [%d:%d:%d] %s [**]\n[Classification: %s] [Priority: %d]\n %s %s %s:%d <-> %s:%d\n", otn->sigInfo.generator, otn->sigInfo.id, otn->sigInfo.rev, otn->sigInfo.message, otn->sigInfo.classType->name, otn->sigInfo.priority, log_timestamp, proto, flow_record->src_ip, flow_record->src_port, flow_record->dst_ip, flow_record->dst_port);
		TotalEncryptFlows++;
		return 1;
	}
	else
	{
		flow_record->labeled = 0;
		TotalNonEncryptFlows++;
		return -1;
	}
	return 0;
}
Пример #10
0
void
pflog_if_print(u_char *user, const struct pcap_pkthdr *h,
     const u_char *p)
{
	u_int length = h->len;
	u_int hdrlen;
	u_int caplen = h->caplen;
	const struct ip *ip;
#ifdef INET6
	const struct ip6_hdr *ip6;
#endif
	const struct pfloghdr *hdr;
	u_int8_t af;

	ts_print(&h->ts);

	/* check length */
	if (caplen < sizeof(u_int8_t)) {
		printf("[|pflog]");
		goto out;
	}

#define MIN_PFLOG_HDRLEN	45
	hdr = (struct pfloghdr *)p;
	if (hdr->length < MIN_PFLOG_HDRLEN) {
		printf("[pflog: invalid header length!]");
		goto out;
	}
	hdrlen = (hdr->length + 3) & 0xfc;

	if (caplen < hdrlen) {
		printf("[|pflog]");
		goto out;
	}

	/*
	 * Some printers want to get back at the link level addresses,
	 * and/or check that they're not walking off the end of the packet.
	 * Rather than pass them all the way down, we set these globals.
	 */
	packetp = p;
	snapend = p + caplen;

	hdr = (struct pfloghdr *)p;
	if (eflag) {
		printf("rule ");
		if (ntohl(hdr->rulenr) == (u_int32_t) -1)
			printf("def");
		else {
			printf("%u", ntohl(hdr->rulenr));
			if (hdr->ruleset[0]) {
				printf(".%s", hdr->ruleset);
				if (ntohl(hdr->subrulenr) == (u_int32_t) -1)
					printf(".def");
				else
					printf(".%u", ntohl(hdr->subrulenr));
			}
		}
		if (hdr->reason < PFRES_MAX)
			printf("/(%s) ", pf_reasons[hdr->reason]);
		else
			printf("/(unkn %u) ", (unsigned)hdr->reason);
		if (vflag)
			printf("[uid %u, pid %u] ", (unsigned)hdr->rule_uid,
			    (unsigned)hdr->rule_pid);

		switch (hdr->action) {
		case PF_MATCH:
			printf("match");
			break;
		case PF_SCRUB:
			printf("scrub");
			break;
		case PF_PASS:
			printf("pass");
			break;
		case PF_DROP:
			printf("block");
			break;
		case PF_NAT:
		case PF_NONAT:
			printf("nat");
			break;
		case PF_BINAT:
		case PF_NOBINAT:
			printf("binat");
			break;
		case PF_RDR:
		case PF_NORDR:
			printf("rdr");
			break;
		}
		printf(" %s on %s: ",
		    hdr->dir == PF_OUT ? "out" : "in",
		    hdr->ifname);
		if (vflag && hdr->pid != NO_PID)
			printf("[uid %u, pid %u] ", (unsigned)hdr->uid,
			    (unsigned)hdr->pid);
		if (vflag && hdr->rewritten) {
			char buf[48];

			if (inet_ntop(hdr->af, &hdr->saddr.v4, buf,
			    sizeof(buf)) == NULL)
				printf("[orig src ?, ");
			else
				printf("[orig src %s:%u, ", buf,
				    ntohs(hdr->sport));
			if (inet_ntop(hdr->af, &hdr->daddr.v4, buf,
			    sizeof(buf)) == NULL)
				printf("dst ?] ");
			else
				printf("dst %s:%u] ", buf,
				    ntohs(hdr->dport));
		}
	}
	af = hdr->naf;
	length -= hdrlen;
	if (af == AF_INET) {
		ip = (struct ip *)(p + hdrlen);
		ip_print((const u_char *)ip, length);
		if (xflag)
			default_print((const u_char *)ip,
			    caplen - hdrlen);
	} else {
#ifdef INET6
		ip6 = (struct ip6_hdr *)(p + hdrlen);
		ip6_print((const u_char *)ip6, length);
		if (xflag)
			default_print((const u_char *)ip6,
			    caplen - hdrlen);
#endif
	}

out:
	putchar('\n');
}
Пример #11
0
void send_packets(char *device, char *trace_file)
{
    FILE *fp; /* file pointer to trace file */
    struct pcap_file_header preamble;
    struct pcap_sf_pkthdr header;
    int pkt_len; /* packet length to send */
    int ret;
    int i;
	int it; // LC: iterator
    struct pcap_timeval p_ts;
    struct timeval ts;
    struct timeval sleep = {0,0};
    struct timeval cur_ts;
    struct timeval prev_ts = {0,0};
    struct timespec nsleep;
    sigset_t block_sig;
	
	// LC: variables
	unsigned int ipsourceT;
	struct  in_addr ipsource;
	u_char *pkt_ip;
	int pcount; // packet count
	
	pcount = 0;
	
    (void)sigemptyset(&block_sig);
    (void)sigaddset(&block_sig, SIGINT);

    notice("trace file: %s", trace_file);
    if ((fp = fopen(trace_file, "rb")) == NULL)
        error("fopen(): error reading %s", trace_file);

    /* preamble occupies the first 24 bytes of a trace file */
    if (fread(&preamble, sizeof(preamble), 1, fp) == 0)
        error("fread(): error reading %s", trace_file);
    if (preamble.magic != PCAP_MAGIC)
        error("%s is not a valid pcap based trace file", trace_file);

    /*
     * loop through the remaining data by reading the packet header first.
     * packet header (16 bytes) = timestamp + length
     */
    while ((ret = fread(&header, sizeof(header), 1, fp))) {
        if (ret == 0)
            error("fread(): error reading %s", trace_file);

        /* copy timestamp for current packet */
        memcpy(&p_ts, &header.ts, sizeof(p_ts));
        cur_ts.tv_sec = p_ts.tv_sec;
        cur_ts.tv_usec = p_ts.tv_usec;

        if (len < 0)        /* captured length */
            pkt_len = header.caplen;
        else if (len == 0)  /* actual length */
            pkt_len = header.len;
        else                /* user specified length */
            pkt_len = len;

        if (timerisset(&prev_ts)) { /* pass first packet */
            if (speed != 0) {
                if (interval > 0) {
                    /* user specified interval is in seconds only */
                    sleep.tv_sec = interval;
                    if (speed != 1)
                        timer_div(&sleep, speed); /* speed factor */
                }
                else {
                    /* grab captured interval */
                    timersub(&cur_ts, &prev_ts, &sleep);
                    if (speed != 1) {
                        if (sleep.tv_sec > SLEEP_MAX) /* to avoid integer overflow in timer_div() */
                            notice("ignoring speed due to large interval");
                        else
                            timer_div(&sleep, speed);
                    }
                }

                if (linerate > 0) {
                    i = linerate_interval(pkt_len);
                    /* check if we exceed line rate */
                    if ((sleep.tv_sec == 0) && (sleep.tv_usec < i))
                        sleep.tv_usec = i; /* exceeded -> adjust */
                }
            }
            else { /* send immediately */
                if (linerate > 0)
                    sleep.tv_usec = linerate_interval(pkt_len);
            }

            if (timerisset(&sleep)) {
                /* notice("sleep %d seconds %d microseconds", sleep.tv_sec, sleep.tv_usec); */
                TIMEVAL_TO_TIMESPEC(&sleep, &nsleep);
                if (nanosleep(&nsleep, NULL) == -1) /* create the artificial slack time */
                    notice("nanosleep(): %s", strerror(errno));
            }
        }

		// LC: force to skip the packet
		if(pkt_len < ETHER_MAX_LEN){
			for (i = 0; i < pkt_len; i++) {
				/* copy captured packet data starting from link-layer header */
				if (i < header.caplen) {
					if ((ret = fgetc(fp)) == EOF)
						error("fgetc(): error reading %s", trace_file);
					pkt_data[i] = ret;
				}
				else
					/* pad trailing bytes with zeros */
					pkt_data[i] = PKT_PAD;
			}
		

			(void)sigprocmask(SIG_BLOCK, &block_sig, NULL); /* hold SIGINT */

			// LC: find source ip
			//fprintf(stdout, "%d Sending %d bytes ", pcount++, pkt_len);
			
			if(pkt_len > 33){	// at least could be ip
				if( ((struct ether_header *)pkt_data)->ether_type == 8){
				
				pkt_ip = pkt_data+14;
				//fprintf(stdout, "Ether type = 8 ");
				
					//fprintf(stdout, "Ip v = %d \t", ((struct ip *)pkt_ip)->ip_v);
				
				ipsource = ((struct ip *)pkt_ip)->ip_src;
				ipsourceT = ntohl(ipsource.s_addr);
				
					 //fprintf(stdout, "Source %u %s ", ipsourceT, inet_ntoa(ipsource)); // 
					   //fprintf(stdout, " %s ", inet_ntoa(ipsource));
						
					for(it = 0; it < nentries; it++){
						
						//fprintf(stdout, "(%u %u %u) \t", (unsigned int)ipTable[(it * 3) + 0], ipsourceT, (unsigned int)ipTable[(it * 3) + 1]); // 
						
						if( ((unsigned int)ipTable[(it * 3) + 0] <= (unsigned int)ipsourceT ) && ((unsigned int)ipTable[(it * 3) + 1]) >= (unsigned int)ipsourceT ){
							//fprintf(stdout, "In range at if %s \r\n", ipTable[(it * 3) + 2]);
							//pcap_t *pd = ipTable[(it * 3) + 2];
							pd = pdl[it];
							break;
						}
					}
				}
			}
			
			// LC: checks
			if(pkt_len < ETHER_MAX_LEN && it != nentries){
			
				/* finish the injection and verbose output before we give way to SIGINT */
				if (pcap_sendpacket(pd, pkt_data, pkt_len) == -1) {
					notice("%s", pcap_geterr(pd));
					++failed;
				}
				else {
					++pkts_sent;
					bytes_sent += pkt_len;

					/* copy timestamp for previous packet sent */
					memcpy(&prev_ts, &cur_ts, sizeof(struct timeval));

					/* verbose output */
					if (vflag) {
						if (gettimeofday(&ts, NULL) == -1)
							notice("gettimeofday(): %s", strerror(errno));
						else
							ts_print(&ts);

						(void)printf("#%d (%d bytes)", pkts_sent, pkt_len);

						if (vflag > 1)
							hex_print(pkt_data, pkt_len);
						else
							putchar('\n');

						fflush(stdout);
					}
				}

				(void)sigprocmask(SIG_UNBLOCK, &block_sig, NULL); /* release SIGINT */

				if ((max_pkts > 0) && (pkts_sent >= max_pkts))
					cleanup(0);
				
			}
		}else{
			// LC: force skip
			// fprintf(stdout, "LC: Force Skip packet !\r\n");
			
			for (i = 0; i < pkt_len; i++) {
				/* copy captured packet data starting from link-layer header */
				if (i < header.caplen) {
					if ((ret = fgetc(fp)) == EOF)
						error("fgetc(): error reading %s", trace_file); 
				}
			}
		}
		
        /* move file pointer to the end of this packet data */
        if (i < header.caplen) {
            if (fseek(fp, header.caplen - pkt_len, SEEK_CUR) != 0)
                error("fseek(): error reading %s", trace_file);
        }
    } /* end while */

    (void)fclose(fp);
}
Пример #12
0
/*
 * This is the top level routine of the printer.  'p' is the points
 * to the ether header of the packet, 'tvp' is the timestamp,
 * 'length' is the length of the packet off the wire, and 'caplen'
 * is the number of bytes actually captured.
 */
void
ether_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
	u_int caplen = h->caplen;
	u_int length = h->len;
	struct ether_header *ep;
	u_short ether_type;
	extern u_short extracted_ethertype;

	ts_print(&h->ts);

	if (caplen < sizeof(struct ether_header)) {
		printf("[|ether]");
		goto out;
	}

	if (eflag)
		ether_print(p, length);

	/*
	 * Some printers want to get back at the ethernet addresses,
	 * and/or check that they're not walking off the end of the packet.
	 * Rather than pass them all the way down, we set these globals.
	 */
	packetp = p;
	snapend = p + caplen;

	length -= sizeof(struct ether_header);
	caplen -= sizeof(struct ether_header);
	ep = (struct ether_header *)p;
	p += sizeof(struct ether_header);

	ether_type = ntohs(ep->ether_type);

	/*
	 * Is it (gag) an 802.3 encapsulation?
	 */
	extracted_ethertype = 0;
	if (ether_type <= ETHERMTU) {
		/* Try to print the LLC-layer header & higher layers */
		if (llc_print(p, length, caplen, ESRC(ep), EDST(ep)) == 0) {
			/* ether_type not known, print raw packet */
			if (!eflag)
				ether_print((u_char *)ep, length);
			if (extracted_ethertype) {
				printf("(LLC %s) ",
			       etherproto_string(htons(extracted_ethertype)));
			}
			if (!xflag && !qflag)
				default_print(p, caplen);
		}
	} else if (ether_encap_print(ether_type, p, length, caplen) == 0) {
		/* ether_type not known, print raw packet */
		if (!eflag)
			ether_print((u_char *)ep, length + sizeof(*ep));
		if (!xflag && !qflag)
			default_print(p, caplen);
	}
	if (xflag)
		default_print(p, caplen);
 out:
	putchar('\n');
}
Пример #13
0
/*
 * This is the top level routine of the printer.  'sp' is the points
 * to the FDDI header of the packet, 'tvp' is the timestamp,
 * 'length' is the length of the packet off the wire, and 'caplen'
 * is the number of bytes actually captured.
 */
void
fddi_if_print(u_char *pcap, const struct pcap_pkthdr *h,
	      register const u_char *p)
{
	u_int caplen = h->caplen;
	u_int length = h->len;
	const struct fddi_header *fddip = (struct fddi_header *)p;
	extern u_short extracted_ethertype;
	struct ether_header ehdr;

	ts_print(&h->ts);

	if (caplen < FDDI_HDRLEN) {
		printf("[|fddi]");
		goto out;
	}
	/*
	 * Get the FDDI addresses into a canonical form
	 */
	extract_fddi_addrs(fddip, (char *)ESRC(&ehdr), (char *)EDST(&ehdr));
	/*
	 * Some printers want to get back at the link level addresses,
	 * and/or check that they're not walking off the end of the packet.
	 * Rather than pass them all the way down, we set these globals.
	 */
	snapend = p + caplen;
	/*
	 * Actually, the only printer that uses packetp is print-bootp.c,
	 * and it assumes that packetp points to an Ethernet header.  The
	 * right thing to do is to fix print-bootp.c to know which link
	 * type is in use when it excavates. XXX
	 */
	packetp = (u_char *)&ehdr;

	if (eflag)
		fddi_print(fddip, length, ESRC(&ehdr), EDST(&ehdr));

	/* Skip over FDDI MAC header */
	length -= FDDI_HDRLEN;
	p += FDDI_HDRLEN;
	caplen -= FDDI_HDRLEN;

	/* Frame Control field determines interpretation of packet */
	extracted_ethertype = 0;
	if ((fddip->fddi_fc & FDDIFC_CLFF) == FDDIFC_LLC_ASYNC) {
		/* Try to print the LLC-layer header & higher layers */
		if (llc_print(p, length, caplen, ESRC(&ehdr), EDST(&ehdr))
		    == 0) {
			/*
			 * Some kinds of LLC packet we cannot
			 * handle intelligently
			 */
			if (!eflag)
				fddi_print(fddip, length,
				    ESRC(&ehdr), EDST(&ehdr));
			if (extracted_ethertype) {
				printf("(LLC %s) ",
			etherproto_string(htons(extracted_ethertype)));
			}
			if (!xflag && !qflag)
				default_print(p, caplen);
		}
	} else if ((fddip->fddi_fc & FDDIFC_CLFF) == FDDIFC_SMT)
		fddi_smt_print(p, caplen);
	else {
		/* Some kinds of FDDI packet we cannot handle intelligently */
		if (!eflag)
			fddi_print(fddip, length, ESRC(&ehdr), EDST(&ehdr));
		if (!xflag && !qflag)
			default_print(p, caplen);
	}
	if (xflag)
		default_print(p, caplen);
out:
	putchar('\n');
}
Пример #14
0
/*--------------------------------------------------------------------
 * utility functions
 *--------------------------------------------------------------------
 */
void LogTimeStamp(TextLog* log, Packet* p)
{
    char timestamp[TIMEBUF_SIZE];
    ts_print((struct timeval*)&p->pkth->ts, timestamp);
    TextLog_Puts(log, timestamp);
}
Пример #15
0
/* BSD/OS specific PPP printer */
void
ppp_bsdos_if_print(u_char *user, const struct pcap_pkthdr *h,
	     register const u_char *p)
{
	register u_int length = h->len;
	register u_int caplen = h->caplen;
	register int hdrlength;
	u_short ptype;

	ts_print(&h->ts);

	if (caplen < PPP_BSDI_HDRLEN) {
		printf("[|ppp]");
		goto out;
	}

	/*
	 * Some printers want to get back at the link level addresses,
	 * and/or check that they're not walking off the end of the packet.
	 * Rather than pass them all the way down, we set these globals.
	 */
	packetp = p;
	snapend = p + caplen;
	hdrlength = 0;

	if (p[0] == PPP_ADDRESS && p[1] == PPP_CONTROL) {
		if (eflag) 
			printf("%02x %02x ", p[0], p[1]);
		p += 2;
		hdrlength = 2;
	}

	if (eflag) 
		printf("%d ", length);
	/* Retrieve the protocol type */
	if (*p & 01) {
		/* Compressed protocol field */
		ptype = *p;
		if (eflag) 
			printf("%02x ", ptype);
		p++;
		hdrlength += 1;
	} else {
		/* Un-compressed protocol field */
		ptype = ntohs(*(u_short *)p);
		if (eflag) 
			printf("%04x ", ptype);
		p += 2;
		hdrlength += 2;
	}
  
	length -= hdrlength;

	if (ptype == PPP_IP)
		ip_print(p, length);
	else
		printf("%s ", tok2str(ptype2str, "proto-#%d", ptype));

	if (xflag)
		default_print((const u_char *)p, caplen - hdrlength);
out:
	putchar('\n');
}