static void *timeouts_thread ( void *p )
{
pthread_setcanceltype( PTHREAD_CANCEL_DEFERRED, 0 );
while ( 1 )
{
tcp_check_timeouts( (pntoh_tcp_session_t) p );
pthread_testcancel();
poll ( 0 , 0 , DEFAULT_TIMEOUT_DELAY );
}
pthread_exit( 0 );
//dummy return
return 0;
}
void nids_pcap_handler(u_char * par, struct pcap_pkthdr *hdr, u_char * data)
{
u_char *data_aligned;
#ifdef HAVE_LIBGTHREAD_2_0
struct cap_queue_item *qitem;
#endif
#ifdef DLT_IEEE802_11
unsigned short fc;
int linkoffset_tweaked_by_prism_code = 0;
#endif
/*
* Check for savagely closed TCP connections. Might
* happen only when nids_params.tcp_workarounds is non-zero;
* otherwise nids_tcp_timeouts is always NULL.
*/
if (NULL != nids_tcp_timeouts)
tcp_check_timeouts(&hdr->ts);
nids_last_pcap_header = hdr;
nids_last_pcap_data = data;
(void)par; /* warnings... */
switch (linktype) {
case DLT_EN10MB:
if (hdr->caplen < 14)
return;
/* Only handle IP packets and 802.1Q VLAN tagged packets below. */
if (data[12] == 8 && data[13] == 0) {
/* Regular ethernet */
nids_linkoffset = 14;
} else if (data[12] == 0x81 && data[13] == 0) {
/* Skip 802.1Q VLAN and priority information */
nids_linkoffset = 18;
} else
/* non-ip frame */
return;
break;
#ifdef DLT_PRISM_HEADER
#ifndef DLT_IEEE802_11
#error DLT_PRISM_HEADER is defined, but DLT_IEEE802_11 is not ???
#endif
case DLT_PRISM_HEADER:
nids_linkoffset = 144; //sizeof(prism2_hdr);
linkoffset_tweaked_by_prism_code = 1;
//now let DLT_IEEE802_11 do the rest
#endif
#ifdef DLT_IEEE802_11
case DLT_IEEE802_11:
/* I don't know why frame control is always little endian, but it
* works for tcpdump, so who am I to complain? (wam)
*/
if (!linkoffset_tweaked_by_prism_code)
nids_linkoffset = 0;
fc = EXTRACT_LE_16BITS(data + nids_linkoffset);
if (FC_TYPE(fc) != T_DATA || FC_WEP(fc)) {
return;
}
if (FC_TO_DS(fc) && FC_FROM_DS(fc)) {
/* a wireless distribution system packet will have another
* MAC addr in the frame
*/
nids_linkoffset += 30;
} else {
nids_linkoffset += 24;
}
if (hdr->len < nids_linkoffset + LLC_FRAME_SIZE)
return;
if (ETHERTYPE_IP !=
EXTRACT_16BITS(data + nids_linkoffset + LLC_OFFSET_TO_TYPE_FIELD)) {
/* EAP, LEAP, and other 802.11 enhancements can be
* encapsulated within a data packet too. Look only at
* encapsulated IP packets (Type field of the LLC frame).
*/
return;
}
nids_linkoffset += LLC_FRAME_SIZE;
break;
#endif
default:;
}
if (hdr->caplen < nids_linkoffset)
return;
/*
* sure, memcpy costs. But many EXTRACT_{SHORT, LONG} macros cost, too.
* Anyway, libpcap tries to ensure proper layer 3 alignment (look for
* handle->offset in pcap sources), so memcpy should not be called.
*/
#ifdef LBL_ALIGN
if ((unsigned long) (data + nids_linkoffset) & 0x3) {
data_aligned = alloca(hdr->caplen - nids_linkoffset + 4);
data_aligned -= (unsigned long) data_aligned % 4;
memcpy(data_aligned, data + nids_linkoffset, hdr->caplen - nids_linkoffset);
} else
#endif
data_aligned = data + nids_linkoffset;
#ifdef HAVE_LIBGTHREAD_2_0
if(nids_params.multiproc) {
/*
* Insert received fragment into the async capture queue.
* We hope that the overhead of memcpy
* will be saturated by the benefits of SMP - mcree
*/
qitem=malloc(sizeof(struct cap_queue_item));
if (qitem && (qitem->data=malloc(hdr->caplen - nids_linkoffset))) {
qitem->caplen=hdr->caplen - nids_linkoffset;
memcpy(qitem->data,data_aligned,qitem->caplen);
g_async_queue_lock(cap_queue);
/* ensure queue does not overflow */
if(g_async_queue_length_unlocked(cap_queue) > nids_params.queue_limit) {
/* queue limit reached: drop packet - should we notify user via syslog? */
free(qitem->data);
free(qitem);
} else {
/* insert packet to queue */
g_async_queue_push_unlocked(cap_queue,qitem);
}
g_async_queue_unlock(cap_queue);
}
} else { /* user requested simple passthru - no threading */
call_ip_frag_procs(data_aligned,hdr->caplen - nids_linkoffset, &hdr->ts);
}
#else
call_ip_frag_procs(data_aligned,hdr->caplen - nids_linkoffset, &hdr->ts);
#endif
}
