void raw_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { u_int length = h->len; u_int caplen = h->caplen; ts_print(&h->ts); /* * Some printers want to get back at the link level addresses, * and/or check that they're not walking off the end of the packet. * Rather than pass them all the way down, we set these globals. */ packetp = p; snapend = p + caplen; if (eflag) printf("ip: "); ip_print(p, length); if (xflag) default_print(p, caplen); putchar('\n'); }
void sl_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { register u_int caplen = h->caplen; register u_int length = h->len; register const struct ip *ip; ts_print(&h->ts); if (caplen < SLIP_HDRLEN) { printf("[|slip]"); goto out; } /* * Some printers want to get back at the link level addresses, * and/or check that they're not walking off the end of the packet. * Rather than pass them all the way down, we set these globals. */ packetp = p; snapend = p + caplen; length -= SLIP_HDRLEN; ip = (struct ip *)(p + SLIP_HDRLEN); if (eflag) sliplink_print(p, ip, length); ip_print((u_char *)ip, length); if (xflag) default_print((u_char *)ip, caplen - SLIP_HDRLEN); out: putchar('\n'); }
void pfsync_if_print(u_char *user, const struct pcap_pkthdr *h, register const u_char *p) { u_int caplen = h->caplen; ts_print(&h->ts); if (caplen < PFSYNC_HDRLEN) { ND_PRINT((ndo, "[|pfsync]")); goto out; } pfsync_print((struct pfsync_header *)p, p + sizeof(struct pfsync_header), caplen - sizeof(struct pfsync_header)); out: if (xflag) { default_print((const u_char *)p, caplen); } safeputchar(ndo, '\n'); }
u_int pfsync_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, const u_char *p) { u_int caplen = h->caplen; ts_print(ndo, &h->ts); if (caplen < PFSYNC_HDRLEN) { ND_PRINT((ndo, "[|pfsync]")); goto out; } pfsync_print((struct pfsync_header *)p, caplen - sizeof(struct pfsync_header)); out: if (xflag) { default_print((const u_char *)h, caplen); } //putchar('\n'); return 0; }
void pfsync_if_print(u_char *user, const struct pcap_pkthdr *h, packetbody_t p) { u_int caplen = h->caplen; ts_print(&h->ts); if (caplen < PFSYNC_HDRLEN) { printf("[|pfsync]"); goto out; } pfsync_print((struct pfsync_header *)p, p + sizeof(struct pfsync_header), caplen - sizeof(struct pfsync_header)); out: if (xflag) { default_print((const u_char *)p, caplen); } putchar('\n'); }
static int LogPortscanAlert(Packet *p, char *msg, uint32_t event_id, uint32_t event_ref, uint32_t gen_id, uint32_t sig_id) { char timebuf[TIMEBUF_SIZE]; snort_ip_p src_addr; snort_ip_p dst_addr; if(!p->iph_api) return -1; /* Do not log if being suppressed */ src_addr = GET_SRC_IP(p); dst_addr = GET_DST_IP(p); if( sfthreshold_test(gen_id, sig_id, src_addr, dst_addr, p->pkth->ts.tv_sec) ) { return 0; } ts_print((struct timeval *)&p->pkth->ts, timebuf); fprintf(g_logfile, "Time: %s\n", timebuf); if(event_id) fprintf(g_logfile, "event_id: %u\n", event_id); else fprintf(g_logfile, "event_ref: %u\n", event_ref); fprintf(g_logfile, "%s ", inet_ntoa(GET_SRC_ADDR(p))); fprintf(g_logfile, "-> %s %s\n", inet_ntoa(GET_DST_ADDR(p)), msg); fprintf(g_logfile, "%.*s\n", p->dsize, p->data); fflush(g_logfile); return 0; }
/* Standard PPP printer */ void ppp_if_print(u_char *user, const struct pcap_pkthdr *h, register const u_char *p) { register u_int length = h->len; register u_int caplen = h->caplen; const struct ip *ip; ts_print(&h->ts); if (caplen < PPP_HDRLEN) { printf("[|ppp]"); goto out; } /* * Some printers want to get back at the link level addresses, * and/or check that they're not walking off the end of the packet. * Rather than pass them all the way down, we set these globals. */ packetp = p; snapend = p + caplen; if (eflag) printf("%c %4d %02x %04x: ", p[0] ? 'O' : 'I', length, p[1], ntohs(*(u_short *)&p[2])); length -= PPP_HDRLEN; ip = (struct ip *)(p + PPP_HDRLEN); ip_print((const u_char *)ip, length); if (xflag) default_print((const u_char *)ip, caplen - PPP_HDRLEN); out: putchar('\n'); }
/* * This is the top level routine of the printer. 'p' is the points * to the LLC/SNAP header of the packet, 'tvp' is the timestamp, * 'length' is the length of the packet off the wire, and 'caplen' * is the number of bytes actually captured. */ void atm_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { u_int caplen = h->caplen; u_int length = h->len; u_short ethertype; ts_print(&h->ts); if (caplen < 8) { printf("[|atm]"); goto out; } if (p[0] != 0xaa || p[1] != 0xaa || p[2] != 0x03) { /*XXX assume 802.6 MAC header from fore driver */ if (eflag) printf("%04x%04x %04x%04x ", p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3], p[4] << 24 | p[5] << 16 | p[6] << 8 | p[7], p[8] << 24 | p[9] << 16 | p[10] << 8 | p[11], p[12] << 24 | p[13] << 16 | p[14] << 8 | p[15]); p += 20; length -= 20; caplen -= 20; } ethertype = p[6] << 8 | p[7]; if (eflag) printf("%02x %02x %02x %02x-%02x-%02x %04x: ", p[0], p[1], p[2], /* dsap/ssap/ctrl */ p[3], p[4], p[5], /* manufacturer's code */ ethertype); /* * Some printers want to get back at the ethernet addresses, * and/or check that they're not walking off the end of the packet. * Rather than pass them all the way down, we set these globals. */ packetp = p; snapend = p + caplen; length -= 8; caplen -= 8; p += 8; switch (ethertype) { case ETHERTYPE_IP: ip_print(p, length); break; #ifdef INET6 case ETHERTYPE_IPV6: ip6_print(p, length); break; #endif /*INET6*/ /*XXX this probably isn't right */ case ETHERTYPE_ARP: case ETHERTYPE_REVARP: arp_print(p, length, caplen); break; #ifdef notyet case ETHERTYPE_DN: decnet_print(p, length, caplen); break; case ETHERTYPE_ATALK: if (vflag) fputs("et1 ", stdout); atalk_print(p, length); break; case ETHERTYPE_AARP: aarp_print(p, length); break; case ETHERTYPE_LAT: case ETHERTYPE_MOPRC: case ETHERTYPE_MOPDL: /* default_print for now */ #endif default: /* ether_type not known, print raw packet */ if (!eflag) printf("%02x %02x %02x %02x-%02x-%02x %04x: ", p[0], p[1], p[2], /* dsap/ssap/ctrl */ p[3], p[4], p[5], /* manufacturer's code */ ethertype); if (!xflag && !qflag) default_print(p, caplen); } if (xflag) default_print(p, caplen); out: putchar('\n'); }
static int DecideHighEntropyFlow(FlowRecord * flow_record) { int i = 0; int j = 0; int SEQSys = 0; int SkipPacket = 0; int repeat_packet = 0; int TotalPktNumber = 0; int TotalEncrypt = 0; int TotalNonEncrypt = 0; int SequentEncrypt = 0; int EncryptPktAfterSeq = 0; int NonEncryptPktAfterSeq = 0; int TotalZeroPayload = 0; int ZeroPayloadAfterSeq = 0; //printf("DecideHighEntropyFlow\n"); if(flow_record->have_payload != 1) { return 0; } //the flow record has been labeled if(flow_record->labeled != -1) { return 0; } for(i=0; i < flow_record->packet_count; i++) { if(i >= PktsLimit) { break; } repeat_packet = 0; TotalPktNumber++; /*check whether packet has high entropy*/ if(flow_record->pkt_entropy[i] == 1) { TotalEncrypt++; SequentEncrypt++; /*the first encrypted packet*/ if(SequentEncrypt == 1) { EncryptPktAfterSeq++; ZeroPayloadAfterSeq = 0; } else if(SequentEncrypt < SEQ_HIGH_ENTROPY) { EncryptPktAfterSeq++; } else if(SequentEncrypt == SEQ_HIGH_ENTROPY) { /*set the flow as have N sequential high entropy packets*/ SEQSys = 1; SkipPacket = TotalPktNumber - SEQ_HIGH_ENTROPY - ZeroPayloadAfterSeq; EncryptPktAfterSeq = SequentEncrypt; } else if(SequentEncrypt > SEQ_HIGH_ENTROPY) { EncryptPktAfterSeq++; } } /*the packet has low entropy*/ else if( flow_record->pkt_entropy[i] == -1 ) { TotalNonEncrypt++; /*the flow doesn't have N sequential high entropy packets*/ if(SequentEncrypt < SEQ_HIGH_ENTROPY) { EncryptPktAfterSeq = 0; NonEncryptPktAfterSeq = 0; ZeroPayloadAfterSeq = 0; SequentEncrypt = 0; } /*the flow has N sequential high entropy packets*/ else if(SequentEncrypt >= SEQ_HIGH_ENTROPY) { NonEncryptPktAfterSeq++; } } else if(flow_record->pkt_entropy[i] == 0) { TotalZeroPayload++; ZeroPayloadAfterSeq++; } } if((SEQSys == 1) && ( EncryptPktAfterSeq * 100 > ( EncryptPktAfterSeq + NonEncryptPktAfterSeq) * HEPercent)) { flow_record->labeled = 1; OptTreeNode * otn = OtnLookup(snort_conf->otn_map, GENERATOR_SPP_ENTROPY, HE_TRAFFIC_DETECT); char log_timestamp[TIMEBUF_SIZE]; struct timeval log_timeval; char proto[16]; log_timeval.tv_sec = flow_record->first_sec; log_timeval.tv_usec = flow_record->first_usec; ts_print(&log_timeval, log_timestamp); if(flow_record->proto == 6) { strcpy(proto, "TCP"); } else if(flow_record->proto == 17) { strcpy(proto, "UDP"); } fprintf(LOG_FILE_DESCRIPTOR, "\n[**] [%d:%d:%d] %s [**]\n[Classification: %s] [Priority: %d]\n %s %s %s:%d <-> %s:%d\n", otn->sigInfo.generator, otn->sigInfo.id, otn->sigInfo.rev, otn->sigInfo.message, otn->sigInfo.classType->name, otn->sigInfo.priority, log_timestamp, proto, flow_record->src_ip, flow_record->src_port, flow_record->dst_ip, flow_record->dst_port); TotalEncryptFlows++; return 1; } else { flow_record->labeled = 0; TotalNonEncryptFlows++; return -1; } return 0; }
void pflog_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { u_int length = h->len; u_int hdrlen; u_int caplen = h->caplen; const struct ip *ip; #ifdef INET6 const struct ip6_hdr *ip6; #endif const struct pfloghdr *hdr; u_int8_t af; ts_print(&h->ts); /* check length */ if (caplen < sizeof(u_int8_t)) { printf("[|pflog]"); goto out; } #define MIN_PFLOG_HDRLEN 45 hdr = (struct pfloghdr *)p; if (hdr->length < MIN_PFLOG_HDRLEN) { printf("[pflog: invalid header length!]"); goto out; } hdrlen = (hdr->length + 3) & 0xfc; if (caplen < hdrlen) { printf("[|pflog]"); goto out; } /* * Some printers want to get back at the link level addresses, * and/or check that they're not walking off the end of the packet. * Rather than pass them all the way down, we set these globals. */ packetp = p; snapend = p + caplen; hdr = (struct pfloghdr *)p; if (eflag) { printf("rule "); if (ntohl(hdr->rulenr) == (u_int32_t) -1) printf("def"); else { printf("%u", ntohl(hdr->rulenr)); if (hdr->ruleset[0]) { printf(".%s", hdr->ruleset); if (ntohl(hdr->subrulenr) == (u_int32_t) -1) printf(".def"); else printf(".%u", ntohl(hdr->subrulenr)); } } if (hdr->reason < PFRES_MAX) printf("/(%s) ", pf_reasons[hdr->reason]); else printf("/(unkn %u) ", (unsigned)hdr->reason); if (vflag) printf("[uid %u, pid %u] ", (unsigned)hdr->rule_uid, (unsigned)hdr->rule_pid); switch (hdr->action) { case PF_MATCH: printf("match"); break; case PF_SCRUB: printf("scrub"); break; case PF_PASS: printf("pass"); break; case PF_DROP: printf("block"); break; case PF_NAT: case PF_NONAT: printf("nat"); break; case PF_BINAT: case PF_NOBINAT: printf("binat"); break; case PF_RDR: case PF_NORDR: printf("rdr"); break; } printf(" %s on %s: ", hdr->dir == PF_OUT ? "out" : "in", hdr->ifname); if (vflag && hdr->pid != NO_PID) printf("[uid %u, pid %u] ", (unsigned)hdr->uid, (unsigned)hdr->pid); if (vflag && hdr->rewritten) { char buf[48]; if (inet_ntop(hdr->af, &hdr->saddr.v4, buf, sizeof(buf)) == NULL) printf("[orig src ?, "); else printf("[orig src %s:%u, ", buf, ntohs(hdr->sport)); if (inet_ntop(hdr->af, &hdr->daddr.v4, buf, sizeof(buf)) == NULL) printf("dst ?] "); else printf("dst %s:%u] ", buf, ntohs(hdr->dport)); } } af = hdr->naf; length -= hdrlen; if (af == AF_INET) { ip = (struct ip *)(p + hdrlen); ip_print((const u_char *)ip, length); if (xflag) default_print((const u_char *)ip, caplen - hdrlen); } else { #ifdef INET6 ip6 = (struct ip6_hdr *)(p + hdrlen); ip6_print((const u_char *)ip6, length); if (xflag) default_print((const u_char *)ip6, caplen - hdrlen); #endif } out: putchar('\n'); }
void send_packets(char *device, char *trace_file) { FILE *fp; /* file pointer to trace file */ struct pcap_file_header preamble; struct pcap_sf_pkthdr header; int pkt_len; /* packet length to send */ int ret; int i; int it; // LC: iterator struct pcap_timeval p_ts; struct timeval ts; struct timeval sleep = {0,0}; struct timeval cur_ts; struct timeval prev_ts = {0,0}; struct timespec nsleep; sigset_t block_sig; // LC: variables unsigned int ipsourceT; struct in_addr ipsource; u_char *pkt_ip; int pcount; // packet count pcount = 0; (void)sigemptyset(&block_sig); (void)sigaddset(&block_sig, SIGINT); notice("trace file: %s", trace_file); if ((fp = fopen(trace_file, "rb")) == NULL) error("fopen(): error reading %s", trace_file); /* preamble occupies the first 24 bytes of a trace file */ if (fread(&preamble, sizeof(preamble), 1, fp) == 0) error("fread(): error reading %s", trace_file); if (preamble.magic != PCAP_MAGIC) error("%s is not a valid pcap based trace file", trace_file); /* * loop through the remaining data by reading the packet header first. * packet header (16 bytes) = timestamp + length */ while ((ret = fread(&header, sizeof(header), 1, fp))) { if (ret == 0) error("fread(): error reading %s", trace_file); /* copy timestamp for current packet */ memcpy(&p_ts, &header.ts, sizeof(p_ts)); cur_ts.tv_sec = p_ts.tv_sec; cur_ts.tv_usec = p_ts.tv_usec; if (len < 0) /* captured length */ pkt_len = header.caplen; else if (len == 0) /* actual length */ pkt_len = header.len; else /* user specified length */ pkt_len = len; if (timerisset(&prev_ts)) { /* pass first packet */ if (speed != 0) { if (interval > 0) { /* user specified interval is in seconds only */ sleep.tv_sec = interval; if (speed != 1) timer_div(&sleep, speed); /* speed factor */ } else { /* grab captured interval */ timersub(&cur_ts, &prev_ts, &sleep); if (speed != 1) { if (sleep.tv_sec > SLEEP_MAX) /* to avoid integer overflow in timer_div() */ notice("ignoring speed due to large interval"); else timer_div(&sleep, speed); } } if (linerate > 0) { i = linerate_interval(pkt_len); /* check if we exceed line rate */ if ((sleep.tv_sec == 0) && (sleep.tv_usec < i)) sleep.tv_usec = i; /* exceeded -> adjust */ } } else { /* send immediately */ if (linerate > 0) sleep.tv_usec = linerate_interval(pkt_len); } if (timerisset(&sleep)) { /* notice("sleep %d seconds %d microseconds", sleep.tv_sec, sleep.tv_usec); */ TIMEVAL_TO_TIMESPEC(&sleep, &nsleep); if (nanosleep(&nsleep, NULL) == -1) /* create the artificial slack time */ notice("nanosleep(): %s", strerror(errno)); } } // LC: force to skip the packet if(pkt_len < ETHER_MAX_LEN){ for (i = 0; i < pkt_len; i++) { /* copy captured packet data starting from link-layer header */ if (i < header.caplen) { if ((ret = fgetc(fp)) == EOF) error("fgetc(): error reading %s", trace_file); pkt_data[i] = ret; } else /* pad trailing bytes with zeros */ pkt_data[i] = PKT_PAD; } (void)sigprocmask(SIG_BLOCK, &block_sig, NULL); /* hold SIGINT */ // LC: find source ip //fprintf(stdout, "%d Sending %d bytes ", pcount++, pkt_len); if(pkt_len > 33){ // at least could be ip if( ((struct ether_header *)pkt_data)->ether_type == 8){ pkt_ip = pkt_data+14; //fprintf(stdout, "Ether type = 8 "); //fprintf(stdout, "Ip v = %d \t", ((struct ip *)pkt_ip)->ip_v); ipsource = ((struct ip *)pkt_ip)->ip_src; ipsourceT = ntohl(ipsource.s_addr); //fprintf(stdout, "Source %u %s ", ipsourceT, inet_ntoa(ipsource)); // //fprintf(stdout, " %s ", inet_ntoa(ipsource)); for(it = 0; it < nentries; it++){ //fprintf(stdout, "(%u %u %u) \t", (unsigned int)ipTable[(it * 3) + 0], ipsourceT, (unsigned int)ipTable[(it * 3) + 1]); // if( ((unsigned int)ipTable[(it * 3) + 0] <= (unsigned int)ipsourceT ) && ((unsigned int)ipTable[(it * 3) + 1]) >= (unsigned int)ipsourceT ){ //fprintf(stdout, "In range at if %s \r\n", ipTable[(it * 3) + 2]); //pcap_t *pd = ipTable[(it * 3) + 2]; pd = pdl[it]; break; } } } } // LC: checks if(pkt_len < ETHER_MAX_LEN && it != nentries){ /* finish the injection and verbose output before we give way to SIGINT */ if (pcap_sendpacket(pd, pkt_data, pkt_len) == -1) { notice("%s", pcap_geterr(pd)); ++failed; } else { ++pkts_sent; bytes_sent += pkt_len; /* copy timestamp for previous packet sent */ memcpy(&prev_ts, &cur_ts, sizeof(struct timeval)); /* verbose output */ if (vflag) { if (gettimeofday(&ts, NULL) == -1) notice("gettimeofday(): %s", strerror(errno)); else ts_print(&ts); (void)printf("#%d (%d bytes)", pkts_sent, pkt_len); if (vflag > 1) hex_print(pkt_data, pkt_len); else putchar('\n'); fflush(stdout); } } (void)sigprocmask(SIG_UNBLOCK, &block_sig, NULL); /* release SIGINT */ if ((max_pkts > 0) && (pkts_sent >= max_pkts)) cleanup(0); } }else{ // LC: force skip // fprintf(stdout, "LC: Force Skip packet !\r\n"); for (i = 0; i < pkt_len; i++) { /* copy captured packet data starting from link-layer header */ if (i < header.caplen) { if ((ret = fgetc(fp)) == EOF) error("fgetc(): error reading %s", trace_file); } } } /* move file pointer to the end of this packet data */ if (i < header.caplen) { if (fseek(fp, header.caplen - pkt_len, SEEK_CUR) != 0) error("fseek(): error reading %s", trace_file); } } /* end while */ (void)fclose(fp); }
/* * This is the top level routine of the printer. 'p' is the points * to the ether header of the packet, 'tvp' is the timestamp, * 'length' is the length of the packet off the wire, and 'caplen' * is the number of bytes actually captured. */ void ether_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { u_int caplen = h->caplen; u_int length = h->len; struct ether_header *ep; u_short ether_type; extern u_short extracted_ethertype; ts_print(&h->ts); if (caplen < sizeof(struct ether_header)) { printf("[|ether]"); goto out; } if (eflag) ether_print(p, length); /* * Some printers want to get back at the ethernet addresses, * and/or check that they're not walking off the end of the packet. * Rather than pass them all the way down, we set these globals. */ packetp = p; snapend = p + caplen; length -= sizeof(struct ether_header); caplen -= sizeof(struct ether_header); ep = (struct ether_header *)p; p += sizeof(struct ether_header); ether_type = ntohs(ep->ether_type); /* * Is it (gag) an 802.3 encapsulation? */ extracted_ethertype = 0; if (ether_type <= ETHERMTU) { /* Try to print the LLC-layer header & higher layers */ if (llc_print(p, length, caplen, ESRC(ep), EDST(ep)) == 0) { /* ether_type not known, print raw packet */ if (!eflag) ether_print((u_char *)ep, length); if (extracted_ethertype) { printf("(LLC %s) ", etherproto_string(htons(extracted_ethertype))); } if (!xflag && !qflag) default_print(p, caplen); } } else if (ether_encap_print(ether_type, p, length, caplen) == 0) { /* ether_type not known, print raw packet */ if (!eflag) ether_print((u_char *)ep, length + sizeof(*ep)); if (!xflag && !qflag) default_print(p, caplen); } if (xflag) default_print(p, caplen); out: putchar('\n'); }
/* * This is the top level routine of the printer. 'sp' is the points * to the FDDI header of the packet, 'tvp' is the timestamp, * 'length' is the length of the packet off the wire, and 'caplen' * is the number of bytes actually captured. */ void fddi_if_print(u_char *pcap, const struct pcap_pkthdr *h, register const u_char *p) { u_int caplen = h->caplen; u_int length = h->len; const struct fddi_header *fddip = (struct fddi_header *)p; extern u_short extracted_ethertype; struct ether_header ehdr; ts_print(&h->ts); if (caplen < FDDI_HDRLEN) { printf("[|fddi]"); goto out; } /* * Get the FDDI addresses into a canonical form */ extract_fddi_addrs(fddip, (char *)ESRC(&ehdr), (char *)EDST(&ehdr)); /* * Some printers want to get back at the link level addresses, * and/or check that they're not walking off the end of the packet. * Rather than pass them all the way down, we set these globals. */ snapend = p + caplen; /* * Actually, the only printer that uses packetp is print-bootp.c, * and it assumes that packetp points to an Ethernet header. The * right thing to do is to fix print-bootp.c to know which link * type is in use when it excavates. XXX */ packetp = (u_char *)&ehdr; if (eflag) fddi_print(fddip, length, ESRC(&ehdr), EDST(&ehdr)); /* Skip over FDDI MAC header */ length -= FDDI_HDRLEN; p += FDDI_HDRLEN; caplen -= FDDI_HDRLEN; /* Frame Control field determines interpretation of packet */ extracted_ethertype = 0; if ((fddip->fddi_fc & FDDIFC_CLFF) == FDDIFC_LLC_ASYNC) { /* Try to print the LLC-layer header & higher layers */ if (llc_print(p, length, caplen, ESRC(&ehdr), EDST(&ehdr)) == 0) { /* * Some kinds of LLC packet we cannot * handle intelligently */ if (!eflag) fddi_print(fddip, length, ESRC(&ehdr), EDST(&ehdr)); if (extracted_ethertype) { printf("(LLC %s) ", etherproto_string(htons(extracted_ethertype))); } if (!xflag && !qflag) default_print(p, caplen); } } else if ((fddip->fddi_fc & FDDIFC_CLFF) == FDDIFC_SMT) fddi_smt_print(p, caplen); else { /* Some kinds of FDDI packet we cannot handle intelligently */ if (!eflag) fddi_print(fddip, length, ESRC(&ehdr), EDST(&ehdr)); if (!xflag && !qflag) default_print(p, caplen); } if (xflag) default_print(p, caplen); out: putchar('\n'); }
/*-------------------------------------------------------------------- * utility functions *-------------------------------------------------------------------- */ void LogTimeStamp(TextLog* log, Packet* p) { char timestamp[TIMEBUF_SIZE]; ts_print((struct timeval*)&p->pkth->ts, timestamp); TextLog_Puts(log, timestamp); }
/* BSD/OS specific PPP printer */ void ppp_bsdos_if_print(u_char *user, const struct pcap_pkthdr *h, register const u_char *p) { register u_int length = h->len; register u_int caplen = h->caplen; register int hdrlength; u_short ptype; ts_print(&h->ts); if (caplen < PPP_BSDI_HDRLEN) { printf("[|ppp]"); goto out; } /* * Some printers want to get back at the link level addresses, * and/or check that they're not walking off the end of the packet. * Rather than pass them all the way down, we set these globals. */ packetp = p; snapend = p + caplen; hdrlength = 0; if (p[0] == PPP_ADDRESS && p[1] == PPP_CONTROL) { if (eflag) printf("%02x %02x ", p[0], p[1]); p += 2; hdrlength = 2; } if (eflag) printf("%d ", length); /* Retrieve the protocol type */ if (*p & 01) { /* Compressed protocol field */ ptype = *p; if (eflag) printf("%02x ", ptype); p++; hdrlength += 1; } else { /* Un-compressed protocol field */ ptype = ntohs(*(u_short *)p); if (eflag) printf("%04x ", ptype); p += 2; hdrlength += 2; } length -= hdrlength; if (ptype == PPP_IP) ip_print(p, length); else printf("%s ", tok2str(ptype2str, "proto-#%d", ptype)); if (xflag) default_print((const u_char *)p, caplen - hdrlength); out: putchar('\n'); }