int main(int argc, char *argv[]) { struct hooks_t hooks; struct files_t files; //int c; /* TODO: Parse command line arguments */ parse_commandline(argc, argv); /* TODO: Initialize hooks and files lists */ TAILQ_INIT(&hooks); TAILQ_INIT(&files); /* TODO: Load hooks */ set_hooks(&hooks); // TODO: Continuously check directory and timestamps //while(true){ char *timestamp = timestamp_string(); check_directory(directory, &hooks, &files, recursive,(time_t) timestamp); sleep(1); //} return (EXIT_SUCCESS); }
/* dump_UDP_packet() * * This routine parses a packet, expecting Ethernet, IP, and UDP headers. * It extracts the UDP source and destination port numbers along with the UDP * packet length by casting structs over a pointer that we move through * the packet. We can do this sort of casting safely because libpcap * guarantees that the pointer will be aligned. * * The "ts" argument is the timestamp associated with the packet. * * Note that "capture_len" is the length of the packet *as captured by the * tracing program*, and thus might be less than the full length of the * packet. However, the packet pointer only holds that much data, so * we have to be careful not to read beyond it. */ void dump_UDP_packet(const unsigned char *packet, struct timeval ts, unsigned int capture_len) { struct ip *ip; struct UDP_hdr *udp; unsigned int IP_header_length; /* For simplicity, we assume Ethernet encapsulation. */ if (capture_len < sizeof(struct ether_header)) { /* We didn't even capture a full Ethernet header, so we * can't analyze this any further. */ too_short(ts, "Ethernet header"); return; } /* Skip over the Ethernet header. */ packet += sizeof(struct ether_header); capture_len -= sizeof(struct ether_header); if (capture_len < sizeof(struct ip)) { /* Didn't capture a full IP header */ too_short(ts, "IP header"); return; } ip = (struct ip*) packet; IP_header_length = ip->ip_hl * 4; /* ip_hl is in 4-byte words */ if (capture_len < IP_header_length) { /* didn't capture the full IP header including options */ too_short(ts, "IP header with options"); return; } if (ip->ip_p != IPPROTO_UDP) { problem_pkt(ts, "non-UDP packet"); return; } /* Skip over the IP header to get to the UDP header. */ packet += IP_header_length; capture_len -= IP_header_length; if (capture_len < sizeof(struct UDP_hdr)) { too_short(ts, "UDP header"); return; } udp = (struct UDP_hdr*) packet; printf("%s UDP src_port=%d dst_port=%d length=%d\n", timestamp_string(ts), ntohs(udp->uh_sport), ntohs(udp->uh_dport), ntohs(udp->uh_ulen)); }
void too_short(struct timeval ts, const char *truncated_hdr) { fprintf(stderr, "packet with timestamp %s is truncated and lacks a full %s\n", timestamp_string(ts), truncated_hdr); }
void problem_pkt(struct timeval ts, const char *reason) { fprintf(stderr, "%s: %s\n", timestamp_string(ts), reason); }
void dump_TCP_packet(const unsigned char *packet, struct timeval ts, unsigned int capture_len) { struct ip *ip; struct TCP_hdr *tcp; unsigned int IP_header_length; unsigned int TCP_hdr_len = sizeof(struct TCP_hdr); /* For simplicity, we assume Ethernet encapsulation. */ if (capture_len < sizeof(struct ether_header)) { /* We didn't even capture a full Ethernet header, so we * can't analyze this any further. */ too_short(ts, "Ethernet header"); return; } /* Skip over the Ethernet header. */ packet += sizeof(struct ether_header); capture_len -= sizeof(struct ether_header); if (capture_len < sizeof(struct ip)) { /* Didn't capture a full IP header */ too_short(ts, "IP header"); return; } ip = (struct ip*) packet; IP_header_length = ip->ip_hl * 4; /* ip_hl is in 4-byte words */ if (capture_len < IP_header_length) { /* didn't capture the full IP header including options */ too_short(ts, "IP header with options"); return; } if (ip->ip_p != IPPROTO_TCP) { problem_pkt(ts, "non-TCP packet"); return; } /* Skip over the IP header to get to the UDP header.*/ packet += IP_header_length; capture_len -= IP_header_length; if (capture_len < sizeof(struct TCP_hdr)) { too_short(ts, "TCP header"); return; } tcp = (struct TCP_hdr*) packet; printf("%s UDP src_port=%d dst_port=%d length=%d\n", timestamp_string(ts), ntohs(tcp->th_sport), ntohs(tcp->th_dport), ntohs(tcp->th_seqnum)); switch(ntohs(udp->uh_sport)) { case TELNET: //Source port telnet packet += TCP_hdr_len; capture_len -= t TCP_hdr; process_telnet(packet, capture_len); break; case HTTP: break; default: //Unknown source port break; } switch(ntohs(udp->uh_dport)) { case TELNET: //Dest port telnet break; case HTTP: break; default: //Unknown dest port break; } }