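/**
 * pcap_handler-style callback for DLT_NULL captures.
 *
 * The frame is treated as a NULL_HDRLEN-byte header holding an address-family
 * word, followed by the network-layer packet. Frames shorter than the header
 * are dropped. Unless DLT_NULL_BROKEN is defined, frames whose family is
 * neither AF_INET nor AF_INET6 are dropped too.
 *
 * @param user  opaque pcap user pointer (unused here)
 * @param h     pcap per-packet header (captured length, wire length, timestamp)
 * @param p     start of the captured bytes; only h->caplen bytes are valid
 */
void dl_null(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    u_int caplen = h->caplen;
    u_int length = h->len;

    if (length != caplen) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte null frame",
                  caplen, length);
    }

    /* Length check comes first: nothing in p may be dereferenced until we
     * know the header was actually captured. Packet data is untrusted. */
    if (caplen < NULL_HDRLEN) {
        DEBUG(6) ("warning: received incomplete null frame");
        return;
    }

    /* One of the symptoms of a broken DLT_NULL is that this value is
     * not set correctly, so we don't check for it -- instead, just
     * assume everything is IP.  --JE 20 April 1999
     */
#ifndef DLT_NULL_BROKEN
    /* Read the family word only now that caplen has been validated.
     * assumes NULL_HDRLEN >= sizeof(uint32_t) -- TODO confirm.
     * NOTE(review): the word is read through a cast, so p must be suitably
     * aligned; it is compared in host byte order against this host's
     * AF_INET / AF_INET6 values, which may not match a capture taken on a
     * different platform -- confirm. */
    const uint32_t family = *(const uint32_t *)p;

    /* make sure this is AF_INET */
    if (family != AF_INET && family != AF_INET6) {
        DEBUG(6)("warning: received null frame with unknown type (type 0x%x) (AF_INET=%x; AF_INET6=%x)",
                 family,AF_INET,AF_INET6);
        return;
    }
#endif

    /* Payload starts after the header; length is safe because caplen >= NULL_HDRLEN. */
    struct timeval tv;
    be13::packet_info pi(DLT_NULL,h,p,tvshift(tv,h->ts),p+NULL_HDRLEN,caplen - NULL_HDRLEN);
    be13::plugin::process_packet_info(pi);
}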
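/**
 * pcap_handler-style callback for Ethernet captures, with support for a
 * single 4-byte VLAN tag.
 *
 * IPv4 and IPv6 frames are handed to be13::plugin::process_packet_info();
 * ARP, loopback and reverse-ARP frames are ignored; any other EtherType is
 * logged at debug level 6 and dropped.
 *
 * @param user  opaque pcap user pointer (unused here)
 * @param h     pcap per-packet header (captured length, wire length, timestamp)
 * @param p     start of the captured bytes; only h->caplen bytes are valid
 */
void dl_ethernet(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    u_int caplen = h->caplen;
    u_int length = h->len;
    const struct be13::ether_header *eth_header = (const struct be13::ether_header *) p;

    /* Variables to support VLAN */
    const u_short *ether_type = &eth_header->ether_type;               /* where the ether type is located */
    const u_char *ether_data = p+sizeof(struct be13::ether_header);    /* where the data is located */

    if (length != caplen) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte ether frame",
                  caplen, length);
    }

    /* Validate the captured length BEFORE reading the EtherType: the frame
     * is untrusted and may be shorter than an Ethernet header. */
    if (caplen < sizeof(struct be13::ether_header)) {
        DEBUG(6) ("warning: received incomplete ethernet frame");
        return;
    }

    /* Handle basic VLAN packets */
    if (ntohs(*ether_type) == ETHERTYPE_VLAN) {
        /* The tag adds 4 bytes. Check for them before subtracting, so the
         * unsigned caplen cannot wrap around and so the inner EtherType read
         * below stays inside the captured data. */
        if (caplen < sizeof(struct be13::ether_header) + 4) {
            DEBUG(6) ("warning: received incomplete ethernet frame");
            return;
        }
        //vlan = ntohs(*(u_short *)(p+sizeof(struct ether_header)));
        ether_type += 2;            /* skip past VLAN header (note it skips by 2s) */
        ether_data += 4;            /* skip past VLAN header */
        caplen     -= 4;
    }

    /* Create a packet_info structure with ip data and data length.
     * The subtraction cannot underflow: caplen >= sizeof(ether_header) here. */
    struct timeval tv;
    be13::packet_info pi(DLT_IEEE802,h,p,tvshift(tv,h->ts),
                         ether_data, caplen - sizeof(struct be13::ether_header));

    switch (ntohs(*ether_type)){
    case ETHERTYPE_IP:
    case ETHERTYPE_IPV6:
        be13::plugin::process_packet_info(pi);
        break;

#ifdef ETHERTYPE_ARP
    case ETHERTYPE_ARP:
        /* What should we do for ARP? */
        break;
#endif
#ifdef ETHERTYPE_LOOPBACK
    case ETHERTYPE_LOOPBACK:
        /* What do do for loopback? */
        break;
#endif
#ifdef ETHERTYPE_REVARP
    case ETHERTYPE_REVARP:
        /* What to do for REVARP? */
        break;
#endif
    default:
        /* Unknown Ethernet Frame Type.
         * Note: this logs the outer EtherType, so a VLAN-tagged frame with an
         * unknown inner type is reported with the VLAN type value. */
        DEBUG(6) ("warning: received ethernet frame with unknown type 0x%x",
                  ntohs(eth_header->ether_type));
        break;
    }
}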
/* DLT_RAW: just a raw IP packet, no encapsulation or link-layer
 * headers.  Used for PPP connections under some OSs including Linux
 * and IRIX.
 *
 * pcap_handler-style callback: the whole captured buffer is passed on as the
 * payload, with no header stripped and no minimum length enforced here, so
 * any length validation is left to the code that consumes the packet_info.
 */
void dl_raw(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    /* A mismatch means the capture was truncated (snaplen); warn only. */
    const bool truncated = (h->caplen != h->len);
    if (truncated) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte raw frame",
                  h->caplen, h->len);
    }

    /* Frame start and payload start coincide for DLT_RAW. */
    struct timeval shifted;
    be13::packet_info info(DLT_RAW, h, p, tvshift(shifted, h->ts), p, h->caplen);
    process_packet_info(info);
}
/**
 * Handler for an 802.11 data frame travelling towards the access point.
 *
 * When opt_enforce_80211_frame_checksum is set, frames whose FCS did not
 * verify (fcs_ok false) are discarded. Otherwise the bytes at `rest` are
 * wrapped in a packet_info and passed to process_packet_info().
 *
 * @param t     capture timestamp of the frame
 * @param hdr   parsed 802.11 data header (only used for DEBUG_WIFI output)
 * @param rest  bytes following the 802.11 header
 * @param len   number of bytes at `rest`; not range-checked here, so the
 *              caller is presumably responsible for it being non-negative
 *              and within the captured data -- verify against caller
 */
void Handle80211DataToAP(const struct timeval& t, const data_hdr_t *hdr, const u_char *rest, int len)
{
    /* Drop frames with a bad checksum only when enforcement is requested. */
    if (opt_enforce_80211_frame_checksum) {
        if (!fcs_ok) {
            return;
        }
    }

#ifdef DEBUG_WIFI
    cout << "  " << "802.11 data to AP:\t"
         << hdr->sa
         << " -> "
         << hdr->da
         << "\t"
         << len
         << endl;
#endif

    /* TK1: Does the pcap header make sense? */
    /* TK2: How do we get and preserve the the three MAC addresses? */

    /* No pcap header or raw frame pointer is available at this layer, so
     * both are passed as null; consumers of this packet_info must not
     * dereference them. */
    const pcap_pkthdr *no_pcap_hdr = (const pcap_pkthdr *)0;
    const u_char *no_frame = (const u_char *)0;

    struct timeval shifted;
    be13::packet_info info(DLT_IEEE802_11, no_pcap_hdr, no_frame, tvshift(shifted, t), rest, len);
    process_packet_info(info);
}
/**
 * pcap_handler-style callback for Linux "cooked" (DLT_LINUX_SLL) captures.
 *
 * Strips the SLL_HDR_LEN-byte cooked header and forwards the remainder to
 * process_packet_info(). Frames shorter than the header are dropped.
 *
 * @param user  opaque pcap user pointer (unused here)
 * @param h     pcap per-packet header (captured length, wire length, timestamp)
 * @param p     start of the captured bytes; only h->caplen bytes are valid
 */
void dl_linux_sll(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    const u_int captured = h->caplen;
    const u_int on_wire = h->len;

    /* Truncated capture: warn, but keep going with what we have. */
    if (on_wire != captured) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte Linux cooked frame",
                  captured, on_wire);
    }

    /* Reject frames that cannot hold the cooked header; this also keeps the
     * unsigned subtraction below from wrapping. */
    if (captured < SLL_HDR_LEN) {
        DEBUG(6) ("warning: received incomplete Linux cooked frame");
        return;
    }

    const u_char *payload = p + SLL_HDR_LEN;
    struct timeval shifted;
    be13::packet_info info(DLT_LINUX_SLL, h, p, tvshift(shifted, h->ts),
                           payload, captured - SLL_HDR_LEN);
    process_packet_info(info);
}
/**
 * pcap_handler-style callback for DLT_PPP captures.
 *
 * Strips the PPP_HDRLEN-byte header and forwards the remainder to
 * be13::plugin::process_packet_info(). Frames shorter than the header are
 * dropped. The PPP protocol field is not inspected here.
 *
 * @param user  opaque pcap user pointer (unused here)
 * @param h     pcap per-packet header (captured length, wire length, timestamp)
 * @param p     start of the captured bytes; only h->caplen bytes are valid
 */
void dl_ppp(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    const u_int captured = h->caplen;
    const u_int on_wire = h->len;

    /* Truncated capture: warn, but keep going with what we have. */
    if (on_wire != captured) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte PPP frame",
                  captured, on_wire);
    }

    /* Reject frames that cannot hold the PPP header; this also keeps the
     * unsigned subtraction below from wrapping. */
    if (captured < PPP_HDRLEN) {
        DEBUG(6) ("warning: received incomplete PPP frame");
        return;
    }

    const u_char *payload = p + PPP_HDRLEN;
    struct timeval shifted;
    be13::packet_info info(DLT_PPP, h, p, tvshift(shifted, h->ts),
                           payload, captured - PPP_HDRLEN);
    be13::plugin::process_packet_info(info);
}
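/**
 * pcap_handler-style callback for Linux "cooked" (DLT_LINUX_SLL) captures,
 * with MPLS label-stack unwinding.
 *
 * Frames shorter than SLL_HDR_LEN are dropped. If the cooked header's
 * protocol field is ETHERTYPE_MPLS, 4-byte label entries are skipped until
 * one with the bottom-of-stack bit set is found; a stack that runs past the
 * captured data causes the frame to be dropped. The remaining bytes are
 * forwarded to be13::plugin::process_packet_info().
 *
 * @param user  opaque pcap user pointer (unused here)
 * @param h     pcap per-packet header (captured length, wire length, timestamp)
 * @param p     start of the captured bytes; only h->caplen bytes are valid
 */
void dl_linux_sll(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
    const u_int caplen = h->caplen;
    const u_int length = h->len;

    if (length != caplen) {
        DEBUG(6) ("warning: only captured %d bytes of %d byte Linux cooked frame",
                  caplen, length);
    }

    /* Nothing in p is read until the cooked header is known to be present. */
    if (caplen < SLL_HDR_LEN) {
        DEBUG(6) ("warning: received incomplete Linux cooked frame");
        return;
    }

    /* Local view of the cooked header; only sll_protocol is read.
     * assumes this layout occupies no more than SLL_HDR_LEN bytes -- TODO confirm. */
    struct _sll_header {
        u_int16_t   sll_pkttype;            /* packet type */
        u_int16_t   sll_hatype;             /* link-layer address type */
        u_int16_t   sll_halen;              /* link-layer address length */
        u_int8_t    sll_addr[SLL_ADDRLEN];  /* link-layer address */
        u_int16_t   sll_protocol;           /* protocol */
    };

    const _sll_header *sllp = (const _sll_header *)p;
    u_int mpls_sz = 0;                      /* bytes of MPLS label stack consumed so far */
    if (ntohs(sllp->sll_protocol) == ETHERTYPE_MPLS) {
        // unwind MPLS stack
        do {
            /* Compare against the untouched captured length. The bytes
             * already consumed are tracked in mpls_sz alone, so each label
             * is counted once; decrementing caplen as well would count it
             * twice and reject valid frames with deep stacks and short
             * payloads. */
            if (caplen < SLL_HDR_LEN + mpls_sz + 4) {
                DEBUG(6) ("warning: MPLS stack overrun");
                return;
            }
            mpls_sz += 4;
            /* Third byte of the entry just consumed; its low bit marks the
             * bottom of the stack. */
        } while ((p[SLL_HDR_LEN + mpls_sz - 2] & 1) == 0);
    }

    /* The loop guarantees caplen >= SLL_HDR_LEN + mpls_sz, so the payload
     * length below cannot wrap. */
    struct timeval tv;
    be13::packet_info pi(DLT_LINUX_SLL,h,p,tvshift(tv,h->ts),
                         p + SLL_HDR_LEN + mpls_sz, caplen - SLL_HDR_LEN - mpls_sz);
    be13::plugin::process_packet_info(pi);
}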
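/**
 * Handler for an 802.11 data frame travelling away from the access point.
 *
 * When opt_enforce_80211_frame_checksum is set, frames whose FCS did not
 * verify (fcs_ok false) are discarded. Otherwise the frame body is dumped
 * for debugging, 10 leading bytes are skipped, and the remainder is wrapped
 * in a packet_info and passed to process_packet_info(). Frames with fewer
 * than 10 bytes are dropped after the debug dump.
 *
 * @param t     capture timestamp of the frame
 * @param hdr   parsed 802.11 data header (only used for DEBUG_WIFI output)
 * @param rest  bytes following the 802.11 header
 * @param len   number of bytes at `rest`
 */
void Handle80211DataFromAP(const struct timeval& t, const data_hdr_t *hdr, const u_char *rest, int len)
{
    if (opt_enforce_80211_frame_checksum && !fcs_ok) return;

#ifdef DEBUG_WIFI
    cout << hdr->sa;
    cout << "  " << "802.11 data from AP:\t"
         << hdr->sa << " -> "
         << hdr->da << "\t" << len << endl;
#endif

    struct timeval tv;
    /* TK1: Does the pcap header make sense? */
    /* TK2: How do we get and preserve the the three MAC addresses? */

    /* NOTE(review): the printf and hex dump below are unconditional debug
     * output; they run for every frame that reaches this handler. */
    printf("DATA_HDRLEN=%d  DATA_WDS_HDRLEN=%d\n",DATA_HDRLEN,DATA_WDS_HDRLEN);

    sbuf_t sb(pos0_t(),rest,len,len,0);
    sb.hex_dump(std::cout);

    /* The frame is untrusted: without this check a frame shorter than the
     * skipped prefix would leave `len` negative and `rest` pointing past the
     * buffer, and the negative length would be handed to packet_info. */
    if (len < 10) return;

    rest += 10;                         // where does 10 come from?
    len -= 10;

    /* No pcap header or raw frame pointer is available at this layer, so
     * both are passed as null. */
    be13::packet_info pi(DLT_IEEE802_11,(const pcap_pkthdr *)0,(const u_char *)0,tvshift(tv,t),rest,len);
    printf("pi.ip_version=%d\n",pi.ip_version());
    process_packet_info(pi);
}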