void
raw_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
u_int length = h->len;
u_int caplen = h->caplen;
ts_print(&h->ts);
/*
* Some printers want to get back at the link level addresses,
* and/or check that they're not walking off the end of the packet.
* Rather than pass them all the way down, we set these globals.
*/
packetp = p;
snapend = p + caplen;
if (eflag)
printf("ip: ");
ip_print(p, length);
if (xflag)
default_print(p, caplen);
putchar('\n');
}
void
sl_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
register u_int caplen = h->caplen;
register u_int length = h->len;
register const struct ip *ip;
ts_print(&h->ts);
if (caplen < SLIP_HDRLEN) {
printf("[|slip]");
goto out;
}
/*
* Some printers want to get back at the link level addresses,
* and/or check that they're not walking off the end of the packet.
* Rather than pass them all the way down, we set these globals.
*/
packetp = p;
snapend = p + caplen;
length -= SLIP_HDRLEN;
ip = (struct ip *)(p + SLIP_HDRLEN);
if (eflag)
sliplink_print(p, ip, length);
ip_print((u_char *)ip, length);
if (xflag)
default_print((u_char *)ip, caplen - SLIP_HDRLEN);
out:
putchar('\n');
}
void
pfsync_if_print(u_char *user, const struct pcap_pkthdr *h,
register const u_char *p)
{
u_int caplen = h->caplen;
ts_print(&h->ts);
if (caplen < PFSYNC_HDRLEN) {
ND_PRINT((ndo, "[|pfsync]"));
goto out;
}
pfsync_print((struct pfsync_header *)p,
p + sizeof(struct pfsync_header),
caplen - sizeof(struct pfsync_header));
out:
if (xflag) {
default_print((const u_char *)p, caplen);
}
safeputchar(ndo, '\n');
}
u_int
pfsync_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, const u_char *p)
{
u_int caplen = h->caplen;
ts_print(ndo, &h->ts);
if (caplen < PFSYNC_HDRLEN) {
ND_PRINT((ndo, "[|pfsync]"));
goto out;
}
pfsync_print((struct pfsync_header *)p,
caplen - sizeof(struct pfsync_header));
out:
if (xflag) {
default_print((const u_char *)h, caplen);
}
//putchar('\n');
return 0;
}
void
pfsync_if_print(u_char *user, const struct pcap_pkthdr *h,
packetbody_t p)
{
u_int caplen = h->caplen;
ts_print(&h->ts);
if (caplen < PFSYNC_HDRLEN) {
printf("[|pfsync]");
goto out;
}
pfsync_print((struct pfsync_header *)p,
p + sizeof(struct pfsync_header),
caplen - sizeof(struct pfsync_header));
out:
if (xflag) {
default_print((const u_char *)p, caplen);
}
putchar('\n');
}
static int LogPortscanAlert(Packet *p, char *msg, uint32_t event_id,
uint32_t event_ref, uint32_t gen_id, uint32_t sig_id)
{
char timebuf[TIMEBUF_SIZE];
snort_ip_p src_addr;
snort_ip_p dst_addr;
if(!p->iph_api)
return -1;
/* Do not log if being suppressed */
src_addr = GET_SRC_IP(p);
dst_addr = GET_DST_IP(p);
if( sfthreshold_test(gen_id, sig_id, src_addr, dst_addr, p->pkth->ts.tv_sec) )
{
return 0;
}
ts_print((struct timeval *)&p->pkth->ts, timebuf);
fprintf(g_logfile, "Time: %s\n", timebuf);
if(event_id)
fprintf(g_logfile, "event_id: %u\n", event_id);
else
fprintf(g_logfile, "event_ref: %u\n", event_ref);
fprintf(g_logfile, "%s ", inet_ntoa(GET_SRC_ADDR(p)));
fprintf(g_logfile, "-> %s %s\n", inet_ntoa(GET_DST_ADDR(p)), msg);
fprintf(g_logfile, "%.*s\n", p->dsize, p->data);
fflush(g_logfile);
return 0;
}
/* Standard PPP printer */
void
ppp_if_print(u_char *user, const struct pcap_pkthdr *h,
register const u_char *p)
{
register u_int length = h->len;
register u_int caplen = h->caplen;
const struct ip *ip;
ts_print(&h->ts);
if (caplen < PPP_HDRLEN) {
printf("[|ppp]");
goto out;
}
/*
* Some printers want to get back at the link level addresses,
* and/or check that they're not walking off the end of the packet.
* Rather than pass them all the way down, we set these globals.
*/
packetp = p;
snapend = p + caplen;
if (eflag)
printf("%c %4d %02x %04x: ", p[0] ? 'O' : 'I', length,
p[1], ntohs(*(u_short *)&p[2]));
length -= PPP_HDRLEN;
ip = (struct ip *)(p + PPP_HDRLEN);
ip_print((const u_char *)ip, length);
if (xflag)
default_print((const u_char *)ip, caplen - PPP_HDRLEN);
out:
putchar('\n');
}
/*
* This is the top level routine of the printer. 'p' is the points
* to the LLC/SNAP header of the packet, 'tvp' is the timestamp,
* 'length' is the length of the packet off the wire, and 'caplen'
* is the number of bytes actually captured.
*/
void
atm_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
u_int caplen = h->caplen;
u_int length = h->len;
u_short ethertype;
ts_print(&h->ts);
if (caplen < 8) {
printf("[|atm]");
goto out;
}
if (p[0] != 0xaa || p[1] != 0xaa || p[2] != 0x03) {
/*XXX assume 802.6 MAC header from fore driver */
if (eflag)
printf("%04x%04x %04x%04x ",
p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3],
p[4] << 24 | p[5] << 16 | p[6] << 8 | p[7],
p[8] << 24 | p[9] << 16 | p[10] << 8 | p[11],
p[12] << 24 | p[13] << 16 | p[14] << 8 | p[15]);
p += 20;
length -= 20;
caplen -= 20;
}
ethertype = p[6] << 8 | p[7];
if (eflag)
printf("%02x %02x %02x %02x-%02x-%02x %04x: ",
p[0], p[1], p[2], /* dsap/ssap/ctrl */
p[3], p[4], p[5], /* manufacturer's code */
ethertype);
/*
* Some printers want to get back at the ethernet addresses,
* and/or check that they're not walking off the end of the packet.
* Rather than pass them all the way down, we set these globals.
*/
packetp = p;
snapend = p + caplen;
length -= 8;
caplen -= 8;
p += 8;
switch (ethertype) {
case ETHERTYPE_IP:
ip_print(p, length);
break;
#ifdef INET6
case ETHERTYPE_IPV6:
ip6_print(p, length);
break;
#endif /*INET6*/
/*XXX this probably isn't right */
case ETHERTYPE_ARP:
case ETHERTYPE_REVARP:
arp_print(p, length, caplen);
break;
#ifdef notyet
case ETHERTYPE_DN:
decnet_print(p, length, caplen);
break;
case ETHERTYPE_ATALK:
if (vflag)
fputs("et1 ", stdout);
atalk_print(p, length);
break;
case ETHERTYPE_AARP:
aarp_print(p, length);
break;
case ETHERTYPE_LAT:
case ETHERTYPE_MOPRC:
case ETHERTYPE_MOPDL:
/* default_print for now */
#endif
default:
/* ether_type not known, print raw packet */
if (!eflag)
printf("%02x %02x %02x %02x-%02x-%02x %04x: ",
p[0], p[1], p[2], /* dsap/ssap/ctrl */
p[3], p[4], p[5], /* manufacturer's code */
ethertype);
if (!xflag && !qflag)
default_print(p, caplen);
}
if (xflag)
default_print(p, caplen);
out:
putchar('\n');
}
static int DecideHighEntropyFlow(FlowRecord * flow_record)
{
int i = 0;
int j = 0;
int SEQSys = 0;
int SkipPacket = 0;
int repeat_packet = 0;
int TotalPktNumber = 0;
int TotalEncrypt = 0;
int TotalNonEncrypt = 0;
int SequentEncrypt = 0;
int EncryptPktAfterSeq = 0;
int NonEncryptPktAfterSeq = 0;
int TotalZeroPayload = 0;
int ZeroPayloadAfterSeq = 0;
//printf("DecideHighEntropyFlow\n");
if(flow_record->have_payload != 1)
{
return 0;
}
//the flow record has been labeled
if(flow_record->labeled != -1)
{
return 0;
}
for(i=0; i < flow_record->packet_count; i++)
{
if(i >= PktsLimit)
{
break;
}
repeat_packet = 0;
TotalPktNumber++;
/*check whether packet has high entropy*/
if(flow_record->pkt_entropy[i] == 1)
{
TotalEncrypt++;
SequentEncrypt++;
/*the first encrypted packet*/
if(SequentEncrypt == 1)
{
EncryptPktAfterSeq++;
ZeroPayloadAfterSeq = 0;
}
else if(SequentEncrypt < SEQ_HIGH_ENTROPY)
{
EncryptPktAfterSeq++;
}
else if(SequentEncrypt == SEQ_HIGH_ENTROPY)
{
/*set the flow as have N sequential high entropy packets*/
SEQSys = 1;
SkipPacket = TotalPktNumber - SEQ_HIGH_ENTROPY - ZeroPayloadAfterSeq;
EncryptPktAfterSeq = SequentEncrypt;
}
else if(SequentEncrypt > SEQ_HIGH_ENTROPY)
{
EncryptPktAfterSeq++;
}
}
/*the packet has low entropy*/
else if( flow_record->pkt_entropy[i] == -1 )
{
TotalNonEncrypt++;
/*the flow doesn't have N sequential high entropy packets*/
if(SequentEncrypt < SEQ_HIGH_ENTROPY)
{
EncryptPktAfterSeq = 0;
NonEncryptPktAfterSeq = 0;
ZeroPayloadAfterSeq = 0;
SequentEncrypt = 0;
}
/*the flow has N sequential high entropy packets*/
else if(SequentEncrypt >= SEQ_HIGH_ENTROPY)
{
NonEncryptPktAfterSeq++;
}
}
else if(flow_record->pkt_entropy[i] == 0)
{
TotalZeroPayload++;
ZeroPayloadAfterSeq++;
}
}
if((SEQSys == 1) && ( EncryptPktAfterSeq * 100 > ( EncryptPktAfterSeq + NonEncryptPktAfterSeq) * HEPercent))
{
flow_record->labeled = 1;
OptTreeNode * otn = OtnLookup(snort_conf->otn_map, GENERATOR_SPP_ENTROPY, HE_TRAFFIC_DETECT);
char log_timestamp[TIMEBUF_SIZE];
struct timeval log_timeval;
char proto[16];
log_timeval.tv_sec = flow_record->first_sec;
log_timeval.tv_usec = flow_record->first_usec;
ts_print(&log_timeval, log_timestamp);
if(flow_record->proto == 6)
{
strcpy(proto, "TCP");
}
else if(flow_record->proto == 17)
{
strcpy(proto, "UDP");
}
fprintf(LOG_FILE_DESCRIPTOR, "\n[**] [%d:%d:%d] %s [**]\n[Classification: %s] [Priority: %d]\n %s %s %s:%d <-> %s:%d\n", otn->sigInfo.generator, otn->sigInfo.id, otn->sigInfo.rev, otn->sigInfo.message, otn->sigInfo.classType->name, otn->sigInfo.priority, log_timestamp, proto, flow_record->src_ip, flow_record->src_port, flow_record->dst_ip, flow_record->dst_port);
TotalEncryptFlows++;
return 1;
}
else
{
flow_record->labeled = 0;
TotalNonEncryptFlows++;
return -1;
}
return 0;
}
void
pflog_if_print(u_char *user, const struct pcap_pkthdr *h,
const u_char *p)
{
u_int length = h->len;
u_int hdrlen;
u_int caplen = h->caplen;
const struct ip *ip;
#ifdef INET6
const struct ip6_hdr *ip6;
#endif
const struct pfloghdr *hdr;
u_int8_t af;
ts_print(&h->ts);
/* check length */
if (caplen < sizeof(u_int8_t)) {
printf("[|pflog]");
goto out;
}
#define MIN_PFLOG_HDRLEN 45
hdr = (struct pfloghdr *)p;
if (hdr->length < MIN_PFLOG_HDRLEN) {
printf("[pflog: invalid header length!]");
goto out;
}
hdrlen = (hdr->length + 3) & 0xfc;
if (caplen < hdrlen) {
printf("[|pflog]");
goto out;
}
/*
* Some printers want to get back at the link level addresses,
* and/or check that they're not walking off the end of the packet.
* Rather than pass them all the way down, we set these globals.
*/
packetp = p;
snapend = p + caplen;
hdr = (struct pfloghdr *)p;
if (eflag) {
printf("rule ");
if (ntohl(hdr->rulenr) == (u_int32_t) -1)
printf("def");
else {
printf("%u", ntohl(hdr->rulenr));
if (hdr->ruleset[0]) {
printf(".%s", hdr->ruleset);
if (ntohl(hdr->subrulenr) == (u_int32_t) -1)
printf(".def");
else
printf(".%u", ntohl(hdr->subrulenr));
}
}
if (hdr->reason < PFRES_MAX)
printf("/(%s) ", pf_reasons[hdr->reason]);
else
printf("/(unkn %u) ", (unsigned)hdr->reason);
if (vflag)
printf("[uid %u, pid %u] ", (unsigned)hdr->rule_uid,
(unsigned)hdr->rule_pid);
switch (hdr->action) {
case PF_MATCH:
printf("match");
break;
case PF_SCRUB:
printf("scrub");
break;
case PF_PASS:
printf("pass");
break;
case PF_DROP:
printf("block");
break;
case PF_NAT:
case PF_NONAT:
printf("nat");
break;
case PF_BINAT:
case PF_NOBINAT:
printf("binat");
break;
case PF_RDR:
case PF_NORDR:
printf("rdr");
break;
}
printf(" %s on %s: ",
hdr->dir == PF_OUT ? "out" : "in",
hdr->ifname);
if (vflag && hdr->pid != NO_PID)
printf("[uid %u, pid %u] ", (unsigned)hdr->uid,
(unsigned)hdr->pid);
if (vflag && hdr->rewritten) {
char buf[48];
if (inet_ntop(hdr->af, &hdr->saddr.v4, buf,
sizeof(buf)) == NULL)
printf("[orig src ?, ");
else
printf("[orig src %s:%u, ", buf,
ntohs(hdr->sport));
if (inet_ntop(hdr->af, &hdr->daddr.v4, buf,
sizeof(buf)) == NULL)
printf("dst ?] ");
else
printf("dst %s:%u] ", buf,
ntohs(hdr->dport));
}
}
af = hdr->naf;
length -= hdrlen;
if (af == AF_INET) {
ip = (struct ip *)(p + hdrlen);
ip_print((const u_char *)ip, length);
if (xflag)
default_print((const u_char *)ip,
caplen - hdrlen);
} else {
#ifdef INET6
ip6 = (struct ip6_hdr *)(p + hdrlen);
ip6_print((const u_char *)ip6, length);
if (xflag)
default_print((const u_char *)ip6,
caplen - hdrlen);
#endif
}
out:
putchar('\n');
}
void send_packets(char *device, char *trace_file)
{
FILE *fp; /* file pointer to trace file */
struct pcap_file_header preamble;
struct pcap_sf_pkthdr header;
int pkt_len; /* packet length to send */
int ret;
int i;
int it; // LC: iterator
struct pcap_timeval p_ts;
struct timeval ts;
struct timeval sleep = {0,0};
struct timeval cur_ts;
struct timeval prev_ts = {0,0};
struct timespec nsleep;
sigset_t block_sig;
// LC: variables
unsigned int ipsourceT;
struct in_addr ipsource;
u_char *pkt_ip;
int pcount; // packet count
pcount = 0;
(void)sigemptyset(&block_sig);
(void)sigaddset(&block_sig, SIGINT);
notice("trace file: %s", trace_file);
if ((fp = fopen(trace_file, "rb")) == NULL)
error("fopen(): error reading %s", trace_file);
/* preamble occupies the first 24 bytes of a trace file */
if (fread(&preamble, sizeof(preamble), 1, fp) == 0)
error("fread(): error reading %s", trace_file);
if (preamble.magic != PCAP_MAGIC)
error("%s is not a valid pcap based trace file", trace_file);
/*
* loop through the remaining data by reading the packet header first.
* packet header (16 bytes) = timestamp + length
*/
while ((ret = fread(&header, sizeof(header), 1, fp))) {
if (ret == 0)
error("fread(): error reading %s", trace_file);
/* copy timestamp for current packet */
memcpy(&p_ts, &header.ts, sizeof(p_ts));
cur_ts.tv_sec = p_ts.tv_sec;
cur_ts.tv_usec = p_ts.tv_usec;
if (len < 0) /* captured length */
pkt_len = header.caplen;
else if (len == 0) /* actual length */
pkt_len = header.len;
else /* user specified length */
pkt_len = len;
if (timerisset(&prev_ts)) { /* pass first packet */
if (speed != 0) {
if (interval > 0) {
/* user specified interval is in seconds only */
sleep.tv_sec = interval;
if (speed != 1)
timer_div(&sleep, speed); /* speed factor */
}
else {
/* grab captured interval */
timersub(&cur_ts, &prev_ts, &sleep);
if (speed != 1) {
if (sleep.tv_sec > SLEEP_MAX) /* to avoid integer overflow in timer_div() */
notice("ignoring speed due to large interval");
else
timer_div(&sleep, speed);
}
}
if (linerate > 0) {
i = linerate_interval(pkt_len);
/* check if we exceed line rate */
if ((sleep.tv_sec == 0) && (sleep.tv_usec < i))
sleep.tv_usec = i; /* exceeded -> adjust */
}
}
else { /* send immediately */
if (linerate > 0)
sleep.tv_usec = linerate_interval(pkt_len);
}
if (timerisset(&sleep)) {
/* notice("sleep %d seconds %d microseconds", sleep.tv_sec, sleep.tv_usec); */
TIMEVAL_TO_TIMESPEC(&sleep, &nsleep);
if (nanosleep(&nsleep, NULL) == -1) /* create the artificial slack time */
notice("nanosleep(): %s", strerror(errno));
}
}
// LC: force to skip the packet
if(pkt_len < ETHER_MAX_LEN){
for (i = 0; i < pkt_len; i++) {
/* copy captured packet data starting from link-layer header */
if (i < header.caplen) {
if ((ret = fgetc(fp)) == EOF)
error("fgetc(): error reading %s", trace_file);
pkt_data[i] = ret;
}
else
/* pad trailing bytes with zeros */
pkt_data[i] = PKT_PAD;
}
(void)sigprocmask(SIG_BLOCK, &block_sig, NULL); /* hold SIGINT */
// LC: find source ip
//fprintf(stdout, "%d Sending %d bytes ", pcount++, pkt_len);
if(pkt_len > 33){ // at least could be ip
if( ((struct ether_header *)pkt_data)->ether_type == 8){
pkt_ip = pkt_data+14;
//fprintf(stdout, "Ether type = 8 ");
//fprintf(stdout, "Ip v = %d \t", ((struct ip *)pkt_ip)->ip_v);
ipsource = ((struct ip *)pkt_ip)->ip_src;
ipsourceT = ntohl(ipsource.s_addr);
//fprintf(stdout, "Source %u %s ", ipsourceT, inet_ntoa(ipsource)); //
//fprintf(stdout, " %s ", inet_ntoa(ipsource));
for(it = 0; it < nentries; it++){
//fprintf(stdout, "(%u %u %u) \t", (unsigned int)ipTable[(it * 3) + 0], ipsourceT, (unsigned int)ipTable[(it * 3) + 1]); //
if( ((unsigned int)ipTable[(it * 3) + 0] <= (unsigned int)ipsourceT ) && ((unsigned int)ipTable[(it * 3) + 1]) >= (unsigned int)ipsourceT ){
//fprintf(stdout, "In range at if %s \r\n", ipTable[(it * 3) + 2]);
//pcap_t *pd = ipTable[(it * 3) + 2];
pd = pdl[it];
break;
}
}
}
}
// LC: checks
if(pkt_len < ETHER_MAX_LEN && it != nentries){
/* finish the injection and verbose output before we give way to SIGINT */
if (pcap_sendpacket(pd, pkt_data, pkt_len) == -1) {
notice("%s", pcap_geterr(pd));
++failed;
}
else {
++pkts_sent;
bytes_sent += pkt_len;
/* copy timestamp for previous packet sent */
memcpy(&prev_ts, &cur_ts, sizeof(struct timeval));
/* verbose output */
if (vflag) {
if (gettimeofday(&ts, NULL) == -1)
notice("gettimeofday(): %s", strerror(errno));
else
ts_print(&ts);
(void)printf("#%d (%d bytes)", pkts_sent, pkt_len);
if (vflag > 1)
hex_print(pkt_data, pkt_len);
else
putchar('\n');
fflush(stdout);
}
}
(void)sigprocmask(SIG_UNBLOCK, &block_sig, NULL); /* release SIGINT */
if ((max_pkts > 0) && (pkts_sent >= max_pkts))
cleanup(0);
}
}else{
// LC: force skip
// fprintf(stdout, "LC: Force Skip packet !\r\n");
for (i = 0; i < pkt_len; i++) {
/* copy captured packet data starting from link-layer header */
if (i < header.caplen) {
if ((ret = fgetc(fp)) == EOF)
error("fgetc(): error reading %s", trace_file);
}
}
}
/* move file pointer to the end of this packet data */
if (i < header.caplen) {
if (fseek(fp, header.caplen - pkt_len, SEEK_CUR) != 0)
error("fseek(): error reading %s", trace_file);
}
} /* end while */
(void)fclose(fp);
}
/*
* This is the top level routine of the printer. 'p' is the points
* to the ether header of the packet, 'tvp' is the timestamp,
* 'length' is the length of the packet off the wire, and 'caplen'
* is the number of bytes actually captured.
*/
void
ether_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
u_int caplen = h->caplen;
u_int length = h->len;
struct ether_header *ep;
u_short ether_type;
extern u_short extracted_ethertype;
ts_print(&h->ts);
if (caplen < sizeof(struct ether_header)) {
printf("[|ether]");
goto out;
}
if (eflag)
ether_print(p, length);
/*
* Some printers want to get back at the ethernet addresses,
* and/or check that they're not walking off the end of the packet.
* Rather than pass them all the way down, we set these globals.
*/
packetp = p;
snapend = p + caplen;
length -= sizeof(struct ether_header);
caplen -= sizeof(struct ether_header);
ep = (struct ether_header *)p;
p += sizeof(struct ether_header);
ether_type = ntohs(ep->ether_type);
/*
* Is it (gag) an 802.3 encapsulation?
*/
extracted_ethertype = 0;
if (ether_type <= ETHERMTU) {
/* Try to print the LLC-layer header & higher layers */
if (llc_print(p, length, caplen, ESRC(ep), EDST(ep)) == 0) {
/* ether_type not known, print raw packet */
if (!eflag)
ether_print((u_char *)ep, length);
if (extracted_ethertype) {
printf("(LLC %s) ",
etherproto_string(htons(extracted_ethertype)));
}
if (!xflag && !qflag)
default_print(p, caplen);
}
} else if (ether_encap_print(ether_type, p, length, caplen) == 0) {
/* ether_type not known, print raw packet */
if (!eflag)
ether_print((u_char *)ep, length + sizeof(*ep));
if (!xflag && !qflag)
default_print(p, caplen);
}
if (xflag)
default_print(p, caplen);
out:
putchar('\n');
}
/*
* This is the top level routine of the printer. 'sp' is the points
* to the FDDI header of the packet, 'tvp' is the timestamp,
* 'length' is the length of the packet off the wire, and 'caplen'
* is the number of bytes actually captured.
*/
void
fddi_if_print(u_char *pcap, const struct pcap_pkthdr *h,
register const u_char *p)
{
u_int caplen = h->caplen;
u_int length = h->len;
const struct fddi_header *fddip = (struct fddi_header *)p;
extern u_short extracted_ethertype;
struct ether_header ehdr;
ts_print(&h->ts);
if (caplen < FDDI_HDRLEN) {
printf("[|fddi]");
goto out;
}
/*
* Get the FDDI addresses into a canonical form
*/
extract_fddi_addrs(fddip, (char *)ESRC(&ehdr), (char *)EDST(&ehdr));
/*
* Some printers want to get back at the link level addresses,
* and/or check that they're not walking off the end of the packet.
* Rather than pass them all the way down, we set these globals.
*/
snapend = p + caplen;
/*
* Actually, the only printer that uses packetp is print-bootp.c,
* and it assumes that packetp points to an Ethernet header. The
* right thing to do is to fix print-bootp.c to know which link
* type is in use when it excavates. XXX
*/
packetp = (u_char *)&ehdr;
if (eflag)
fddi_print(fddip, length, ESRC(&ehdr), EDST(&ehdr));
/* Skip over FDDI MAC header */
length -= FDDI_HDRLEN;
p += FDDI_HDRLEN;
caplen -= FDDI_HDRLEN;
/* Frame Control field determines interpretation of packet */
extracted_ethertype = 0;
if ((fddip->fddi_fc & FDDIFC_CLFF) == FDDIFC_LLC_ASYNC) {
/* Try to print the LLC-layer header & higher layers */
if (llc_print(p, length, caplen, ESRC(&ehdr), EDST(&ehdr))
== 0) {
/*
* Some kinds of LLC packet we cannot
* handle intelligently
*/
if (!eflag)
fddi_print(fddip, length,
ESRC(&ehdr), EDST(&ehdr));
if (extracted_ethertype) {
printf("(LLC %s) ",
etherproto_string(htons(extracted_ethertype)));
}
if (!xflag && !qflag)
default_print(p, caplen);
}
} else if ((fddip->fddi_fc & FDDIFC_CLFF) == FDDIFC_SMT)
fddi_smt_print(p, caplen);
else {
/* Some kinds of FDDI packet we cannot handle intelligently */
if (!eflag)
fddi_print(fddip, length, ESRC(&ehdr), EDST(&ehdr));
if (!xflag && !qflag)
default_print(p, caplen);
}
if (xflag)
default_print(p, caplen);
out:
putchar('\n');
}
/*--------------------------------------------------------------------
* utility functions
*--------------------------------------------------------------------
*/
void LogTimeStamp(TextLog* log, Packet* p)
{
char timestamp[TIMEBUF_SIZE];
ts_print((struct timeval*)&p->pkth->ts, timestamp);
TextLog_Puts(log, timestamp);
}
/* BSD/OS specific PPP printer */
void
ppp_bsdos_if_print(u_char *user, const struct pcap_pkthdr *h,
register const u_char *p)
{
register u_int length = h->len;
register u_int caplen = h->caplen;
register int hdrlength;
u_short ptype;
ts_print(&h->ts);
if (caplen < PPP_BSDI_HDRLEN) {
printf("[|ppp]");
goto out;
}
/*
* Some printers want to get back at the link level addresses,
* and/or check that they're not walking off the end of the packet.
* Rather than pass them all the way down, we set these globals.
*/
packetp = p;
snapend = p + caplen;
hdrlength = 0;
if (p[0] == PPP_ADDRESS && p[1] == PPP_CONTROL) {
if (eflag)
printf("%02x %02x ", p[0], p[1]);
p += 2;
hdrlength = 2;
}
if (eflag)
printf("%d ", length);
/* Retrieve the protocol type */
if (*p & 01) {
/* Compressed protocol field */
ptype = *p;
if (eflag)
printf("%02x ", ptype);
p++;
hdrlength += 1;
} else {
/* Un-compressed protocol field */
ptype = ntohs(*(u_short *)p);
if (eflag)
printf("%04x ", ptype);
p += 2;
hdrlength += 2;
}
length -= hdrlength;
if (ptype == PPP_IP)
ip_print(p, length);
else
printf("%s ", tok2str(ptype2str, "proto-#%d", ptype));
if (xflag)
default_print((const u_char *)p, caplen - hdrlength);
out:
putchar('\n');
}