static int
extract_header_length(u_int16_t fc)
{
int len;
switch (FC_TYPE(fc)) {
case T_MGMT:
return MGMT_HDRLEN;
case T_CTRL:
switch (FC_SUBTYPE(fc)) {
case CTRL_PS_POLL:
return CTRL_PS_POLL_HDRLEN;
case CTRL_RTS:
return CTRL_RTS_HDRLEN;
case CTRL_CTS:
return CTRL_CTS_HDRLEN;
case CTRL_ACK:
return CTRL_ACK_HDRLEN;
case CTRL_CF_END:
return CTRL_END_HDRLEN;
case CTRL_END_ACK:
return CTRL_END_ACK_HDRLEN;
default:
return 0;
}
case T_DATA:
len = (FC_TO_DS(fc) && FC_FROM_DS(fc)) ? 30 : 24;
if (DATA_FRAME_IS_QOS(FC_SUBTYPE(fc)))
len += 2;
return len;
default:
printf("unknown IEEE802.11 frame type (%d)", FC_TYPE(fc));
return 0;
}
}
/*
* Print the 802.11 MAC header if eflag is set, and set "*srcp" and "*dstp"
* to point to the source and destination MAC addresses in any case if
* "srcp" and "dstp" aren't null.
*/
static void
ieee_802_11_hdr_print(u_int16_t fc, const u_char *p, u_int hdrlen,
u_int meshdrlen, const u_int8_t **srcp, const u_int8_t **dstp)
{
if (vflag) {
if (FC_MORE_DATA(fc))
printf("More Data ");
if (FC_MORE_FLAG(fc))
printf("More Fragments ");
if (FC_POWER_MGMT(fc))
printf("Pwr Mgmt ");
if (FC_RETRY(fc))
printf("Retry ");
if (FC_ORDER(fc))
printf("Strictly Ordered ");
if (FC_WEP(fc))
printf("WEP Encrypted ");
if (FC_TYPE(fc) != T_CTRL || FC_SUBTYPE(fc) != CTRL_PS_POLL)
printf("%dus ",
EXTRACT_LE_16BITS(
&((const struct mgmt_header_t *)p)->duration));
}
if (meshdrlen != 0) {
const struct meshcntl_t *mc =
(const struct meshcntl_t *)&p[hdrlen - meshdrlen];
int ae = mc->flags & 3;
printf("MeshData (AE %d TTL %u seq %u", ae, mc->ttl,
EXTRACT_LE_32BITS(mc->seq));
if (ae > 0)
printf(" A4:%s", etheraddr_string(mc->addr4));
if (ae > 1)
printf(" A5:%s", etheraddr_string(mc->addr5));
if (ae > 2)
printf(" A6:%s", etheraddr_string(mc->addr6));
printf(") ");
}
switch (FC_TYPE(fc)) {
case T_MGMT:
mgmt_header_print(p, srcp, dstp);
break;
case T_CTRL:
ctrl_header_print(fc, p, srcp, dstp);
break;
case T_DATA:
data_header_print(fc, p, srcp, dstp);
break;
default:
printf("(header) unknown IEEE802.11 frame type (%d)",
FC_TYPE(fc));
*srcp = NULL;
*dstp = NULL;
break;
}
}
static inline void
ieee_802_11_hdr_print(u_int16_t fc, const u_char *p, const u_int8_t **srcp,
const u_int8_t **dstp)
{
if (vflag) {
if (FC_MORE_DATA(fc))
printf("More Data ");
if (FC_MORE_FLAG(fc))
printf("More Fragments ");
if (FC_POWER_MGMT(fc))
printf("Pwr Mgmt ");
if (FC_RETRY(fc))
printf("Retry ");
if (FC_ORDER(fc))
printf("Strictly Ordered ");
if (FC_WEP(fc))
printf("WEP Encrypted ");
if (FC_TYPE(fc) != T_CTRL || FC_SUBTYPE(fc) != CTRL_PS_POLL)
printf("%dus ",
EXTRACT_LE_16BITS(
&((const struct mgmt_header_t *)p)->duration));
}
switch (FC_TYPE(fc)) {
case T_MGMT:
mgmt_header_print(p, srcp, dstp);
break;
case T_CTRL:
ctrl_header_print(fc, p, srcp, dstp);
break;
case T_DATA:
data_header_print(fc, p, srcp, dstp);
break;
default:
printf("(header) unknown IEEE802.11 frame type (%d)",
FC_TYPE(fc));
*srcp = NULL;
*dstp = NULL;
break;
}
}
static u_int ieee802_11_print(struct smartconfig *sc, const u_char * p,
u_int length, u_int orig_caplen, uint16_t channel)
{
uint16_t fc;
fc = EXTRACT_LE_16BITS(p);
uint32_t fcs = *(uint32_t *) (p + length - 4);
uint32_t crc = getcrc32(p, length - 4);
if (fcs == crc) {
if (FC_TYPE(fc) == T_DATA) {
data_header_print(sc, fc, p, channel);
}
}
return 0;
}
void nids_pcap_handler(u_char * par, struct pcap_pkthdr *hdr, u_char * data)
{
u_char *data_aligned;
#ifdef HAVE_LIBGTHREAD_2_0
struct cap_queue_item *qitem;
#endif
#ifdef DLT_IEEE802_11
unsigned short fc;
int linkoffset_tweaked_by_prism_code = 0;
#endif
/*
* Check for savagely closed TCP connections. Might
* happen only when nids_params.tcp_workarounds is non-zero;
* otherwise nids_tcp_timeouts is always NULL.
*/
if (NULL != nids_tcp_timeouts)
tcp_check_timeouts(&hdr->ts);
nids_last_pcap_header = hdr;
nids_last_pcap_data = data;
(void)par; /* warnings... */
switch (linktype) {
case DLT_EN10MB:
if (hdr->caplen < 14)
return;
/* Only handle IP packets and 802.1Q VLAN tagged packets below. */
if (data[12] == 8 && data[13] == 0) {
/* Regular ethernet */
nids_linkoffset = 14;
} else if (data[12] == 0x81 && data[13] == 0) {
/* Skip 802.1Q VLAN and priority information */
nids_linkoffset = 18;
} else
/* non-ip frame */
return;
break;
#ifdef DLT_PRISM_HEADER
#ifndef DLT_IEEE802_11
#error DLT_PRISM_HEADER is defined, but DLT_IEEE802_11 is not ???
#endif
case DLT_PRISM_HEADER:
nids_linkoffset = 144; //sizeof(prism2_hdr);
linkoffset_tweaked_by_prism_code = 1;
//now let DLT_IEEE802_11 do the rest
#endif
#ifdef DLT_IEEE802_11
case DLT_IEEE802_11:
/* I don't know why frame control is always little endian, but it
* works for tcpdump, so who am I to complain? (wam)
*/
if (!linkoffset_tweaked_by_prism_code)
nids_linkoffset = 0;
fc = EXTRACT_LE_16BITS(data + nids_linkoffset);
if (FC_TYPE(fc) != T_DATA || FC_WEP(fc)) {
return;
}
if (FC_TO_DS(fc) && FC_FROM_DS(fc)) {
/* a wireless distribution system packet will have another
* MAC addr in the frame
*/
nids_linkoffset += 30;
} else {
nids_linkoffset += 24;
}
if (hdr->len < nids_linkoffset + LLC_FRAME_SIZE)
return;
if (ETHERTYPE_IP !=
EXTRACT_16BITS(data + nids_linkoffset + LLC_OFFSET_TO_TYPE_FIELD)) {
/* EAP, LEAP, and other 802.11 enhancements can be
* encapsulated within a data packet too. Look only at
* encapsulated IP packets (Type field of the LLC frame).
*/
return;
}
nids_linkoffset += LLC_FRAME_SIZE;
break;
#endif
default:;
}
if (hdr->caplen < nids_linkoffset)
return;
/*
* sure, memcpy costs. But many EXTRACT_{SHORT, LONG} macros cost, too.
* Anyway, libpcap tries to ensure proper layer 3 alignment (look for
* handle->offset in pcap sources), so memcpy should not be called.
*/
#ifdef LBL_ALIGN
if ((unsigned long) (data + nids_linkoffset) & 0x3) {
data_aligned = alloca(hdr->caplen - nids_linkoffset + 4);
data_aligned -= (unsigned long) data_aligned % 4;
memcpy(data_aligned, data + nids_linkoffset, hdr->caplen - nids_linkoffset);
} else
#endif
data_aligned = data + nids_linkoffset;
#ifdef HAVE_LIBGTHREAD_2_0
if(nids_params.multiproc) {
/*
* Insert received fragment into the async capture queue.
* We hope that the overhead of memcpy
* will be saturated by the benefits of SMP - mcree
*/
qitem=malloc(sizeof(struct cap_queue_item));
if (qitem && (qitem->data=malloc(hdr->caplen - nids_linkoffset))) {
qitem->caplen=hdr->caplen - nids_linkoffset;
memcpy(qitem->data,data_aligned,qitem->caplen);
g_async_queue_lock(cap_queue);
/* ensure queue does not overflow */
if(g_async_queue_length_unlocked(cap_queue) > nids_params.queue_limit) {
/* queue limit reached: drop packet - should we notify user via syslog? */
free(qitem->data);
free(qitem);
} else {
/* insert packet to queue */
g_async_queue_push_unlocked(cap_queue,qitem);
}
g_async_queue_unlock(cap_queue);
}
} else { /* user requested simple passthru - no threading */
call_ip_frag_procs(data_aligned,hdr->caplen - nids_linkoffset, &hdr->ts);
}
#else
call_ip_frag_procs(data_aligned,hdr->caplen - nids_linkoffset, &hdr->ts);
#endif
}
static void pcap_hand(u_char * par, struct pcap_pkthdr *hdr, u_char * data)
{
struct proc_node *i;
u_char *data_aligned;
int id=0;
if(par) {
id=*((unsigned int *)par);
}
#ifdef DLT_IEEE802_11
unsigned short fc;
int linkoffset_tweaked_by_prism_code = 0;
#endif
nids_last_pcap_header = hdr;
(void)par; /* warnings... */
switch (linktype[id]) {
case DLT_EN10MB:
if (hdr->caplen < 14)
return;
/* Only handle IP packets and 802.1Q VLAN tagged packets below. */
if (data[12] == 8 && data[13] == 0) {
/* Regular ethernet */
linkoffset[id] = 14;
} else if (data[12] == 0x81 && data[13] == 0) {
/* Skip 802.1Q VLAN and priority information */
linkoffset[id] = 18;
} else
/* non-ip frame */
return;
break;
#ifdef DLT_PRISM_HEADER
#ifndef DLT_IEEE802_11
#error DLT_PRISM_HEADER is defined, but DLT_IEEE802_11 is not ???
#endif
case DLT_PRISM_HEADER:
linkoffset[id] = 144; //sizeof(prism2_hdr);
linkoffset_tweaked_by_prism_code = 1;
//now let DLT_IEEE802_11 do the rest
#endif
#ifdef DLT_IEEE802_11
case DLT_IEEE802_11:
/* I don't know why frame control is always little endian, but it
* works for tcpdump, so who am I to complain? (wam)
*/
if (!linkoffset_tweaked_by_prism_code)
linkoffset[id] = 0;
fc = EXTRACT_LE_16BITS(data + linkoffset[id]);
if (FC_TYPE(fc) != T_DATA || FC_WEP(fc)) {
return;
}
if (FC_TO_DS(fc) && FC_FROM_DS(fc)) {
/* a wireless distribution system packet will have another
* MAC addr in the frame
*/
linkoffset[id] += 30;
} else {
linkoffset[id] += 24;
}
if (hdr->len < linkoffset[id] + LLC_FRAME_SIZE)
return;
if (ETHERTYPE_IP !=
EXTRACT_16BITS(data + linkoffset[id] + LLC_OFFSET_TO_TYPE_FIELD)) {
/* EAP, LEAP, and other 802.11 enhancements can be
* encapsulated within a data packet too. Look only at
* encapsulated IP packets (Type field of the LLC frame).
*/
return;
}
linkoffset[id] += LLC_FRAME_SIZE;
break;
#endif
default:;
}
if (hdr->caplen < linkoffset[id])
return;
/*
* sure, memcpy costs. But many EXTRACT_{SHORT, LONG} macros cost, too.
* Anyway, libpcap tries to ensure proper layer 3 alignment (look for
* handle->offset in pcap sources), so memcpy should not be called.
*/
#ifdef LBL_ALIGN
if ((unsigned long) (data + linkoffset[id]) & 0x3) {
data_aligned = alloca(hdr->caplen - linkoffset[id] + 4);
data_aligned -= (unsigned long) data_aligned % 4;
memcpy(data_aligned, data + linkoffset[id], hdr->caplen - linkoffset[id]);
} else
#endif
data_aligned = data + linkoffset[id];
for (i = ip_frag_procs[id]; i; i = i->next) {
(i->item) (data_aligned, hdr->caplen - linkoffset[id],id);
}
}
static u_int
ieee802_11_print(const u_char *p, u_int length, u_int caplen, int pad)
{
u_int16_t fc;
u_int hdrlen;
const u_int8_t *src, *dst;
u_short extracted_ethertype;
if (caplen < IEEE802_11_FC_LEN) {
printf("[|802.11]");
return caplen;
}
fc = EXTRACT_LE_16BITS(p);
hdrlen = extract_header_length(fc);
if (pad)
hdrlen = roundup2(hdrlen, 4);
if (caplen < hdrlen) {
printf("[|802.11]");
return hdrlen;
}
ieee_802_11_hdr_print(fc, p, &src, &dst);
/*
* Go past the 802.11 header.
*/
length -= hdrlen;
caplen -= hdrlen;
p += hdrlen;
switch (FC_TYPE(fc)) {
case T_MGMT:
if (!mgmt_body_print(fc,
(const struct mgmt_header_t *)(p - hdrlen), p)) {
printf("[|802.11]");
return hdrlen;
}
break;
case T_CTRL:
if (!ctrl_body_print(fc, p - hdrlen)) {
printf("[|802.11]");
return hdrlen;
}
break;
case T_DATA:
if (DATA_FRAME_IS_NULL(FC_SUBTYPE(fc)))
return hdrlen; /* no-data frame */
/* There may be a problem w/ AP not having this bit set */
if (FC_WEP(fc)) {
if (!wep_print(p)) {
printf("[|802.11]");
return hdrlen;
}
} else if (llc_print(p, length, caplen, dst, src,
&extracted_ethertype) == 0) {
/*
* Some kinds of LLC packet we cannot
* handle intelligently
*/
if (!eflag)
ieee_802_11_hdr_print(fc, p - hdrlen, NULL,
NULL);
if (extracted_ethertype)
printf("(LLC %s) ",
etherproto_string(
htons(extracted_ethertype)));
if (!suppress_default_print)
default_print(p, caplen);
}
break;
default:
printf("unknown 802.11 frame type (%d)", FC_TYPE(fc));
break;
}
return hdrlen;
}
void
BCMROMFN(aes_ccmp_cal_params)(struct dot11_header *h, bool legacy,
uint8 nonce_1st_byte, uint8 *nonce, uint8 *aad, uint *la, uint *lh)
{
uint8 *iv_data;
uint16 fc, subtype;
uint16 seq, qc = 0;
uint addlen = 0;
bool wds, qos;
memset(nonce, 0, AES_CCMP_NONCE_LEN);
memset(aad, 0, AES_CCMP_AAD_MAX_LEN);
fc = ltoh16(h->fc);
subtype = (fc & FC_SUBTYPE_MASK) >> FC_SUBTYPE_SHIFT;
wds = ((fc & (FC_TODS | FC_FROMDS)) == (FC_TODS | FC_FROMDS));
/* all QoS subtypes have the FC_SUBTYPE_QOS_DATA bit set */
qos = (FC_TYPE(fc) == FC_TYPE_DATA) && (subtype & FC_SUBTYPE_QOS_DATA);
if (qos) {
qc = ltoh16(*((uint16 *)((uchar *)h +
(wds ? DOT11_A4_HDR_LEN : DOT11_A3_HDR_LEN))));
}
if (wds) {
dbg(("aes_ccmp_cal_params: A4 present\n"));
addlen += ETHER_ADDR_LEN;
}
if (qos) {
dbg(("aes_ccmp_cal_params: QC present\n"));
addlen += DOT11_QOS_LEN;
}
/* length of MPDU header, including IV */
*lh = DOT11_A3_HDR_LEN + DOT11_IV_AES_CCM_LEN + addlen;
/* length of AAD */
*la = AES_CCMP_AAD_MIN_LEN + addlen;
/* pointer to IV */
iv_data = (uint8 *)h + DOT11_A3_HDR_LEN + addlen;
*nonce++ = nonce_1st_byte;
memcpy(nonce, (uchar *)&h->a2, ETHER_ADDR_LEN);
nonce += ETHER_ADDR_LEN;
/* PN[5] */
*nonce++ = iv_data[7];
/* PN[4] */
*nonce++ = iv_data[6];
/* PN[3] */
*nonce++ = iv_data[5];
/* PN[2] */
*nonce++ = iv_data[4];
/* PN[1] */
*nonce++ = iv_data[1];
/* PN[0] */
*nonce++ = iv_data[0];
pres("aes_ccmp_cal_params: nonce:", AES_CCM_NONCE_LEN, nonce - AES_CCM_NONCE_LEN);
/* B1..B2 = l(aad) || aad || pad(aad) */
/* aad: maskedFC || A1 || A2 || A3 || maskedSC || A4 || maskedQC */
if (!legacy) {
#ifdef MFP
/* For a management frame, don't mask the the subtype bits */
if (nonce_1st_byte & AES_CCMP_NF_MANAGEMENT)
fc &= (FC_SUBTYPE_MASK | AES_CCMP_FC_MASK);
else
#endif /* MFP */
fc &= AES_CCMP_FC_MASK;
} else {
/* 802.11i Draft 3 inconsistencies:
* Clause 8.3.4.4.3: "FC - MPDU Frame Control field, with Retry bit masked
* to zero." (8.3.4.4.3).
* Figure 29: "FC - MPDU Frame Control field, with Retry, MoreData, CF-ACK,
* CF-POLL bits masked to zero."
* F.10.4.1: "FC - MPDU Frame Control field, with Retry, MoreData,
* PwrMgmt bits masked to zero."
*/
/* Our implementation: match 8.3.4.4.3 */
fc &= AES_CCMP_LEGACY_FC_MASK;
}
*aad++ = (uint8)(fc & 0xff);
*aad++ = (uint8)((fc >> 8) & 0xff);
memcpy(aad, (uchar *)&h->a1, 3*ETHER_ADDR_LEN);
aad += 3*ETHER_ADDR_LEN;
seq = ltoh16(h->seq);
if (!legacy) {
seq &= AES_CCMP_SEQ_MASK;
} else {
seq &= AES_CCMP_LEGACY_SEQ_MASK;
}
*aad++ = (uint8)(seq & 0xff);
*aad++ = (uint8)((seq >> 8) & 0xff);
if (wds) {
memcpy(aad, (uchar *)&h->a4, ETHER_ADDR_LEN);
aad += ETHER_ADDR_LEN;
}
if (qos) {
if (!legacy) {
/* 802.11i Draft 7.0 inconsistencies:
* Clause 8.3.3.3.2: "QC - The Quality of Service Control, a
* two-octet field that includes the MSDU priority, reserved
* for future use."
* I.7.4: TID portion of QoS
*/
/* Our implementation: match the test vectors */
qc &= AES_CCMP_QOS_MASK;
*aad++ = (uint8)(qc & 0xff);
*aad++ = (uint8)((qc >> 8) & 0xff);
} else {
int mac_header_parser(unsigned char * p,
int pkt_len,
int cap_len,
int path_type,
int radiotap_len)
{
unsigned char * p_start ;
p_start = p;
if (debug_mode) {
if (path_type ==1 ) {
p += radiotap_len ; // HOMESAW_TX_FRAME_HEADER;
if (*(p+1)==0x0 && *(p) ==0x50)
return 0; //mgmt frames transmitted by router
if (*(p+1)==0x0 && *(p) ==0x84)
return 0; //control frames transmitted by router
if (*(p+1)==0x42 && *(p) ==0x8)
return 0; //control frames transmitted by router
if(*(p)==0xc0 && *(p+1)==0x0 )
return 0 ; //mgmt type but is 0c (deauth)
//printf("\nin mp: mac header: %02x %02x %d \n", *p, *(p+1),pkt_len );
}
else{
p += radiotap_len ; //HOMESAW_RX_FRAME_HEADER;
}
}
p += radiotap_len ; //HOMESAW_RX/TX_FRAME_HEADER;
memset(&clh,0,sizeof(struct control_layer_header));
memset(&mlh,0,sizeof(struct mgmt_beacon_layer_header));
memset(&mlh_t,0,sizeof(struct mgmt_layer_err_header));
memset(&dlh,0,sizeof(struct data_layer_header));
u_int16_t fc = EXTRACT_LE_16BITS(p);
struct mgmt_header_t *mgmt_h =NULL;
struct ctrl_ps_poll_t * c_poll = NULL ;
struct ctrl_bar_t * c_bar =NULL;
struct ctrl_rts_t * rts = NULL;
struct ctrl_cts_t *cts= NULL;
switch (FC_TYPE(fc)) {
case MGT_FRAME:
mgmt_h = (struct mgmt_header_t *) p;
switch(FC_SUBTYPE(fc)){
case ST_BEACON:
memcpy(mlh.src_mac,mgmt_h->sa,6);
mlh.pkt_len=pkt_len;
mlh.frame_control = fc ;
mlh.seq_ctrl = pletohs(&(mgmt_h->seq_ctrl));
parse_beacon(p+MGT_FRAME_HDR_LEN, (unsigned int)cap_len, &mlh );
mgmt_beacon_count++;
if(mgmt_beacon_count<512){
address_mgmt_beacon_table_update(&mgmt_beacon_address_table, p_start, &mlh);
break;
}
default :
memcpy(mlh_t.src_mac,mgmt_h->sa,6);
mlh_t.pkt_len=pkt_len;
mlh_t.frame_control = fc ;
mlh_t.seq_ctrl = pletohs(&(mgmt_h->seq_ctrl)); //EXTRACT_LE_16BITS(mgmt_h->seq_ctrl);
address_mgmt_common_table_update(&mgmt_common_address_table, p_start, &mlh_t);
break ;
}
break ;
case CONTROL_FRAME:
clh.pkt_len= pkt_len;
clh.frame_control =fc ;
switch(FC_SUBTYPE(fc)){
case CTRL_BAR:
c_bar = (struct ctrl_bar_t *)p;
memcpy(clh.src_mac,c_bar->ra,6);
address_control_table_update(&control_address_table , p_start, &clh);
break ;
case CTRL_PS_POLL :
c_poll = (struct ctrl_ps_poll_t *)p;
memcpy(clh.src_mac,c_poll->bssid,6);
address_control_table_update(&control_address_table , p_start, &clh);
break ;
case CTRL_RTS :
rts = (struct ctrl_rts_t *) p;
memcpy(clh.src_mac,rts->ra,6);
address_control_table_update(&control_address_table , p_start, &clh);
if (debug_mode) {
print_mac(rts->ta,"rts ta ");
}
break;
/* Not used as all kinds of packets are not useful and then we were
case CTRL_ACK :
cts= (struct ctrl_cts_t * ) p;
print_mac(cts->ra, "ack frames\n ");
break ;
case CTRL_END_ACK:
cts= (struct ctrl_cts_t * ) p;
print_mac(cts->ra, "end ack\n ");
break ;
case CTRL_CF_END:
cts= (struct ctrl_cts_t *) p;
print_mac(cts->ra, "cf end ack\n ");
*/
default : // Use the common structure of rest
cts= (struct ctrl_cts_t * ) p;
memcpy(clh.src_mac,cts->ra,6);
address_control_table_update(&control_address_table, p_start, &clh);
if (debug_mode) {
print_mac(cts->ra, "default control err\n ");
}
break;
}
break ;
case DATA_FRAME : {
// printf("data frame \n");
struct ieee80211_hdr * sc = (struct ieee80211_hdr *)p;
// printf("control sequence = %u \n", pletohs(&(sc->seq_ctrl)) );
dlh.pkt_len=pkt_len;
dlh.frame_control =fc ;
if (debug_mode) {
if( DATA_FRAME_IS_NULL(FC_SUBTYPE(fc))){
printf("null type\n");
}
else if (DATA_FRAME_IS_CF_ACK(FC_SUBTYPE(fc))){
printf("cf-type\n");
}
else if (DATA_FRAME_IS_CF_POLL(FC_SUBTYPE(fc))){
printf("poll type\n");
}
else if (DATA_FRAME_IS_QOS(FC_SUBTYPE(fc))){
printf("qos type\n");
}
if(IS_DATA_DATA(FC_SUBTYPE(fc))){
printf(" data-data\n");
}else if(IS_DATA_DATA_CF_ACK(FC_SUBTYPE(fc))){
printf("cf-ack\n");
}else if(IS_DATA_DATA_CF_POLL(FC_SUBTYPE(fc))){
printf("cf-poll\n");
}else if(IS_DATA_DATA_CF_ACK_POLL(FC_SUBTYPE(fc))){
printf("cf-poll-ack\n");
}else if(IS_DATA_NODATA(FC_SUBTYPE(fc))){
printf("no data\n");
}else if(IS_DATA_NODATA_CF_ACK(FC_SUBTYPE(fc))){
printf("nodata cf ack\n");
}else if(IS_DATA_NODATA_CF_POLL (FC_SUBTYPE(fc))){
printf("nodata cf poll\n");
}else if(IS_DATA_NODATA_CF_ACK_POLL (FC_SUBTYPE(fc))){
printf(" cf ack poll\n");
}
printf("subtype:%02x \n",FC_SUBTYPE(fc));
printf("seq ctrl : %d \n", dlh.seq_ctrl );
}
dlh.seq_ctrl = pletohs(&(sc->seq_ctrl));
int hdrlen = (FC_TO_DS(fc) && FC_FROM_DS(fc)) ? 30 : 24;
if (DATA_FRAME_IS_QOS(FC_SUBTYPE(fc)))
hdrlen += 2;
// but there is 8 bytes offset after mac header of 26 bytes, thats for qos data packet
#define ADDR1 (p + 4)
#define ADDR2 (p + 10)
#define ADDR3 (p + 16)
if (!FC_TO_DS(fc) && !FC_FROM_DS(fc)) {
memcpy(dlh.src_mac,ADDR2,6);
memcpy(dlh.dest_mac,ADDR1,6);
#ifdef DEBUG
print_mac(ADDR2,"1 addr2");
print_mac(ADDR1,"1 addr1");
#endif
} else if (!FC_TO_DS(fc) && FC_FROM_DS(fc)) {
if (radiotap_len ==HOMESAW_TX_FRAME_HEADER )
mac_address_map(&devices,ADDR1);
memcpy(dlh.src_mac,ADDR3,6);
memcpy(dlh.dest_mac,ADDR1,6);
// printf("f in anon 2 \n");
if (debug_mode) {
print_mac(ADDR3,"2 src");
print_mac(ADDR1,"2 dest");
}
} else if (FC_TO_DS(fc) && !FC_FROM_DS(fc)) {
memcpy(dlh.src_mac,ADDR2,6);
memcpy(dlh.dest_mac,ADDR3,6);
if (debug_mode) {
print_mac(ADDR2,"3 src");
print_mac(ADDR3,"3 dest");
}
} else if (FC_TO_DS(fc) && FC_FROM_DS(fc)) {
#define ADDR4 (p + 24)
memcpy(dlh.src_mac,ADDR4,6);
memcpy(dlh.dest_mac,ADDR3,6);
if (debug_mode) {
print_mac(ADDR4,"4 src");
print_mac(ADDR3,"4 dest");
}
#undef ADDR4
}
#undef ADDR1
#undef ADDR2
#undef ADDR3
address_data_table_update(&data_address_table ,p_start, &dlh,path_type, 0); // is_more flag: write tcp/udp headers to file
#ifdef TRANSPORT_LAYER_CAPTURE
transport_header_parser(fc,p_start,p+hdrlen,pkt_len,path_type,&dlh);
#endif
break ;
}
break;
default :
printf("imposs pkt ! pkt len is %d\n ",pkt_len);
exit(EXIT_FAILURE);
}
return 0 ;
}
int mac_header_err_parser(unsigned char *p,
int pkt_len,
int cap_len)
{
u_char * p_start = p ;
p += HOMESAW_RX_FRAME_HEADER;
struct mgmt_header_t *mgmt_h =NULL;
memset(&clh,0,sizeof(struct control_layer_header));
memset(&mlh_t,0,sizeof(struct mgmt_layer_err_header));
memset(&dlh_t,0,sizeof(struct data_layer_err_header));
u_int16_t fc = EXTRACT_LE_16BITS(p);
struct ctrl_ps_poll_t * c_poll = NULL ;
struct ctrl_bar_t * c_bar =NULL;
struct ctrl_rts_t * rts = NULL;
struct ctrl_cts_t *cts= NULL;
if (debug_mode) {
printf("macheader err_parser: %02x %02x\n", *p, *(p+1));
}
switch (FC_TYPE(fc)) {
case MGT_FRAME: {
mgmt_h = (struct mgmt_header_t *) p;
memcpy(mlh_t.src_mac,mgmt_h->sa,6);
mlh_t.frame_control = fc ;
mlh_t.pkt_len= pkt_len;
mlh_t.seq_ctrl = pletohs(&(mgmt_h->seq_ctrl)); //EXTRACT_LE_16BITS(mgmt_h->seq_ctrl); /*Copied the common portions */
address_mgmt_err_table_update(&mgmt_address_table_err, p_start, &mlh_t);
}
break ;
case CONTROL_FRAME: {
clh.frame_control = fc ;
clh.pkt_len=pkt_len;
switch(FC_SUBTYPE(fc)){
case CTRL_BAR:
c_bar = (struct ctrl_bar_t *)p;
memcpy(c_bar->ra,clh.src_mac,6);
address_control_err_table_update(&control_address_table_err , p_start, &clh);
break ;
case CTRL_PS_POLL :
c_poll = (struct ctrl_ps_poll_t *)p;
memcpy(c_poll->bssid,clh.src_mac,6);
address_control_err_table_update(&control_address_table_err , p_start, &clh);
break ;
case CTRL_RTS :
rts = (struct ctrl_rts_t *) p;
memcpy(clh.src_mac,rts->ra,6);
address_control_err_table_update(&control_address_table_err , p_start, &clh);
#ifdef DEBUG
print_mac(rts->ra,"rts ra");
print_mac(rts->ta,"rts ta ");
#endif
break;
default : // Use the common structure of rest
cts= (struct ctrl_cts_t * ) p;
memcpy(clh.src_mac,cts->ra,6);
address_control_err_table_update(&control_address_table_err , p_start, &clh);
#ifdef DEBUG
print_mac(cts->ra, "ack ");
#endif
break;
}
}
break ;
case DATA_FRAME : {
struct ieee80211_hdr * sc = (struct ieee80211_hdr *)p;
// printf("control sequence = %u \n", pletohs(&(sc->seq_ctrl)) );
dlh_t.frame_control =fc ;
dlh_t.pkt_len=pkt_len;
dlh_t.seq_ctrl = pletohs(&(sc->seq_ctrl));
int hdrlen = (FC_TO_DS(fc) && FC_FROM_DS(fc)) ? 30 : 24;
if (DATA_FRAME_IS_QOS(FC_SUBTYPE(fc)))
hdrlen += 2;
// but there is 8 bytes offset after mac header of 26 bytes, thats for qos data packet
#define ADDR1 (p + 4)
#define ADDR2 (p + 10)
#define ADDR3 (p + 16)
if (!FC_TO_DS(fc) && !FC_FROM_DS(fc)) {
memcpy(dlh_t.src_mac,ADDR2,6);
memcpy(dlh_t.dest_mac,ADDR1,6);
if (debug_mode ){
print_mac(ADDR2,"1 addr2");
print_mac(ADDR1,"1 addr1");
}
} else if (!FC_TO_DS(fc) && FC_FROM_DS(fc)) {
memcpy(dlh_t.src_mac,ADDR3,6);
memcpy(dlh_t.dest_mac,ADDR1,6);
// printf("f in anon 2 \n");
if (debug_mode ){
print_mac(ADDR3,"2 src");
print_mac(dlh_t.src_mac,"anon src");
print_mac(ADDR1,"2 dest");
print_mac(dlh_t.dest_mac, " anon dest");
}
} else if (FC_TO_DS(fc) && !FC_FROM_DS(fc)) {
memcpy(dlh_t.src_mac,ADDR2,6);
memcpy(dlh_t.dest_mac,ADDR3,6);
if (debug_mode ){
print_mac(ADDR2,"3 src");
print_mac(ADDR3,"3 dest");
}
} else if (FC_TO_DS(fc) && FC_FROM_DS(fc)) {
#define ADDR4 (p + 24)
memcpy(dlh_t.src_mac,ADDR4,6);
memcpy(dlh_t.dest_mac,ADDR3,6);
if (debug_mode ){
print_mac(ADDR4,"4 src");
print_mac(ADDR3,"4 dest");
}
#undef ADDR4
}
#undef ADDR1
#undef ADDR2
#undef ADDR3
address_data_err_table_update(&data_address_table_err ,p_start, &dlh_t);
break ;
}
break;
default :
// TODO: XXX classify it as different kinds of packets depending on packet length and other features
/*
* CONTROL PKT SIZE : 14 + custom header
*BEACON PKT SIZE : can be as large as (11n) 320 bytes. Atleast 100 bytes (a/g) 110 bytes
*LAB BEACONS : 156-231 bytes ; check for fffffffff
*PROBES SIZE : 101,149,219,225 , 204, 83
*DATA PKT SIZE : anything greater than 400 bytes is data packet
*check the fields of FS,DS to get the mac address offset
* Can be 55 size packets too !
*/
if(pkt_len>400 ){ // DATA FRAME 48 byte RADIOTAP header
struct ieee80211_hdr * sc = (struct ieee80211_hdr *)p;
// printf("control sequence = %u \n", pletohs(&(sc->seq_ctrl)) );
dlh_t.frame_control =fc ;
dlh_t.pkt_len=pkt_len;
dlh_t.seq_ctrl = pletohs(&(sc->seq_ctrl));
int hdrlen = (FC_TO_DS(fc) && FC_FROM_DS(fc)) ? 30 : 24;
if (DATA_FRAME_IS_QOS(FC_SUBTYPE(fc)))
hdrlen += 2;
// but there is 8 bytes offset after mac header of 26 bytes, thats for qos data packet
#define ADDR1 (p + 4)
#define ADDR2 (p + 10)
#define ADDR3 (p + 16)
if (!FC_TO_DS(fc) && !FC_FROM_DS(fc)) {
memcpy(dlh_t.src_mac,ADDR2,6);
memcpy(dlh_t.dest_mac,ADDR1,6);
if (debug_mode) {
print_mac(ADDR2,"1 addr2");
print_mac(ADDR1,"1 addr1");
}
} else if (!FC_TO_DS(fc) && FC_FROM_DS(fc)) {
memcpy(dlh_t.src_mac,ADDR3,6);
memcpy(dlh_t.dest_mac,ADDR1,6);
// printf("f in anon 2 \n");
if (debug_mode) {
print_mac(ADDR3,"2 src");
print_mac(dlh_t.src_mac,"anon src");
print_mac(ADDR1,"2 dest");
print_mac(dlh_t.dest_mac, " anon dest");
}
} else if (FC_TO_DS(fc) && !FC_FROM_DS(fc)) {
memcpy(dlh_t.src_mac,ADDR2,6);
memcpy(dlh_t.dest_mac,ADDR3,6);
if (debug_mode) {
print_mac(ADDR2,"3 src");
print_mac(ADDR3,"3 dest");
}
} else if (FC_TO_DS(fc) && FC_FROM_DS(fc)) {
#define ADDR4 (p + 24)
memcpy(dlh_t.src_mac,ADDR4,6);
memcpy(dlh_t.dest_mac,ADDR3,6);
if (debug_mode) {
print_mac(ADDR4,"4 src");
print_mac(ADDR3,"4 dest");
}
#undef ADDR4
}
#undef ADDR1
#undef ADDR2
#undef ADDR3
//TODO: XXX Just update with this much info
address_data_err_table_update(&data_address_table_err ,p_start, &dlh_t);
}else if(pkt_len>110 && pkt_len <360){ // MGMT FRAME
mgmt_h = (struct mgmt_header_t *) p;
memcpy(mlh_t.src_mac,mgmt_h->sa,6);
mlh_t.pkt_len=pkt_len;
mlh_t.frame_control =fc ;
mlh_t.seq_ctrl = pletohs(&(mgmt_h->seq_ctrl)); // EXTRACT_LE_16BITS(mgmt_h->seq_ctrl);//Copied the common portions
address_mgmt_err_table_update(&mgmt_address_table_err, p_start, &mlh_t);
}
else if ( pkt_len <72){ //CONTROL FRAME : 48+14 : 62 bytes
clh.frame_control = fc ;
clh.pkt_len=pkt_len;
switch FC_SUBTYPE(fc) {
case CTRL_BAR:
c_bar = (struct ctrl_bar_t *)p;
memcpy(clh.src_mac,c_bar->ra,6);
address_control_err_table_update(&control_address_table_err , p_start, &clh);
break ;
case CTRL_PS_POLL :
c_poll = (struct ctrl_ps_poll_t *)p;
memcpy(clh.src_mac,c_poll->bssid,6);
address_control_err_table_update(&control_address_table_err , p_start, &clh);
break ;
case CTRL_RTS :
rts = (struct ctrl_rts_t *) p;
memcpy(clh.src_mac,rts->ra,6);
address_control_err_table_update(&control_address_table_err , p_start, &clh);
if (debug_mode) {
print_mac(rts->ra,"rts ra");
print_mac(rts->ta,"rts ta ");
}
break;
default : // Use the common structure of rest
cts= (struct ctrl_cts_t * ) p;
memcpy(clh.src_mac,cts->ra,6);
address_control_err_table_update(&control_address_table_err , p_start, &clh);
#ifdef DEBUG
print_mac(cts->ra, "default control\n");
#endif
break;
}
}else {
void HttpSniffer::got_packet(const struct pcap_pkthdr *header, const u_char *packet)
{
/* Declare pointers to packet headers */
const struct radiotap_header *radiotap; /* The Radiotap header */
const struct wifi_header *hdr80211; /* The 802.11 header */
const struct snap_llc_header *snap_llc; /* The SNAP LLC header */
const struct sniff_ethernet *ethernet; /* The Ethernet header [1] */
const struct sniff_ip *ip = NULL; /* The IP header */
const struct sniff_ip6 *ip6 = NULL; /* The IPv6 header */
const struct sniff_tcp *tcp; /* The TCP header */
const char *payload; /* Packet payload */
/* Declare header lengths */
int size_ip; /* Size of IP header in bytes */
int size_tcp; /* Size of TCP header */
int size_payload; /* Size of data in bytes */
int size_radiotap; /* Size of Radiotap header */
int size_80211; /* Size of 802.11 header */
/* Layer 3 header offset */
int l3hdr_off = SIZE_ETHERNET;
/* Total IP packet length */
int ip_len;
u_int16_t fc;
u_short ether_type;
string from;
string to;
WifiInfo wifi_info;
/* 802.11 monitor support... */
if (m_wifimon) {
/* Get Radiotap header length (variable) */
radiotap = (struct radiotap_header*)(packet);
size_radiotap = radiotap->it_len;
/* Calculate 802.11 header length (variable) */
hdr80211 = (struct wifi_header*)(packet + size_radiotap);
fc = hdr80211->fc;
if (FC_TYPE(fc) == T_DATA) {
size_80211 = (FC_TO_DS(fc) && FC_FROM_DS(fc)) ? 30 : 24;
if (DATA_FRAME_IS_QOS(FC_SUBTYPE(fc))) {
size_80211 += 2;
}
} else {
cerr << (boost::format("Ignoring non-data frame 0x%x\n") % fc);
return;
}
/* Set Layer 3 header offset (snap_llc_header has standard length) */
l3hdr_off = size_80211 + size_radiotap + sizeof(struct snap_llc_header);
/* Check ether_type */
snap_llc = (struct snap_llc_header*)(packet + size_80211 + size_radiotap);
ether_type = ntohs(snap_llc->ether_type);
if (ether_type != ETHERTYPE_IP) {
cerr << (boost::format("Ignoring unknown ethernet packet with type 0x%x\n") % ether_type);
return;
}
/* Check and set IP header size and total packet length */
ip = (struct sniff_ip*)(packet + l3hdr_off);
size_ip = IP_HL(ip)*4;
if (size_ip < 20) {
/* Don't throw exception because on 802.11 monitor interfaces
* we can have malformed packets, just skip it */
cerr << (boost::format("Bad IP length: %d\n") % size_ip);
return;
}
ip_len = ntohs(ip->ip_len);
wifi_info = WifiInfo(hdr80211, radiotap);
} else {
/* Define ethernet header */
ethernet = (struct sniff_ethernet*)(packet);
/* Check ether_type */
ether_type = ntohs(ethernet->ether_type);
switch (ether_type) {
case ETHERTYPE_IP:
/* Check and set IP header size and total packet length */
ip = (struct sniff_ip*)(packet + l3hdr_off);
size_ip = IP_HL(ip)*4;
if (size_ip < 20)
throw runtime_error(str(boost::format("Invalid IPv4 header length: %u bytes") % size_ip));
ip_len = ntohs(ip->ip_len);
break;
case ETHERTYPE_IPV6:
/* Check and set IP header size and total packet length */
// FIXME: Support IPv6 extension headers?
ip6 = (struct sniff_ip6*)(packet + l3hdr_off);
size_ip = 40;
ip_len = ntohs(ip6->ip6_plen);
break;
default:
cerr << (boost::format("Ignoring unknown ethernet packet with type %x\n") % ether_type);
return;
}
}
/* Ignore non tcp packets */
if (ip->ip_p != IPPROTO_TCP && ip6->ip6_nxt != IPPROTO_TCP)
return;
/* Check and set TCP header size */
tcp = (struct sniff_tcp*)(packet + l3hdr_off + size_ip);
size_tcp = TH_OFF(tcp)*4;
if (size_tcp < 20) {
/* Don't throw exception because on 802.11 monitor interfaces
* we can have malformed packets, just skip it */
if (!m_wifimon)
throw runtime_error(str(boost::format("Invalid TCP header length: %u bytes") % size_tcp));
else
cerr << (boost::format("Invalid TCP header length: %u bytes") % size_tcp);
return;
}
/* Get source/dest */
if (ether_type == ETHERTYPE_IP) {
from = str(boost::format("%s:%d") % inet_ntoa(ip->ip_src) % ntohs(tcp->th_sport));
to = str(boost::format("%s:%d") % inet_ntoa(ip->ip_dst) % ntohs(tcp->th_dport));
} else {
char src_addr_buf[INET6_ADDRSTRLEN];
inet_ntop(AF_INET6, &ip6->ip6_src, src_addr_buf, sizeof(src_addr_buf));
char dst_addr_buf[INET6_ADDRSTRLEN];
inet_ntop(AF_INET6, &ip6->ip6_dst, dst_addr_buf, sizeof(src_addr_buf));
from = str(boost::format("[%s]:%d") % string(src_addr_buf) % ntohs(tcp->th_sport));
to = str(boost::format("[%s]:%d") % string(dst_addr_buf) % ntohs(tcp->th_dport));
}
/* Define/compute tcp payload (segment) offset */
payload = (const char *)(packet + l3hdr_off + size_ip + size_tcp);
/* Compute tcp payload (segment) size */
size_payload = ip_len - (size_ip + size_tcp);
string key;
key.append(from);
key.append("-");
key.append(to);
HttpPacket *http_packet = 0;
PacketCacheMap::iterator iter;
iter = m_pending_packets.find(key);
if (iter == m_pending_packets.end()) {
http_packet = new HttpPacket(from, to, wifi_info);
} else {
http_packet = iter->second;
m_pending_packets.erase(iter);
}
if (http_packet->parse(payload, size_payload)) {
if (http_packet->isComplete()) {
m_callback(http_packet);
delete http_packet;
} else {
m_pending_packets[key] = http_packet;
}
} else {
delete http_packet;
}
}
