void dl_null(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
u_int caplen = h->caplen;
u_int length = h->len;
uint32_t family = *(uint32_t *)p;
if (length != caplen) {
DEBUG(6) ("warning: only captured %d bytes of %d byte null frame",
caplen, length);
}
if (caplen < NULL_HDRLEN) {
DEBUG(6) ("warning: received incomplete null frame");
return;
}
/* One of the symptoms of a broken DLT_NULL is that this value is
* not set correctly, so we don't check for it -- instead, just
* assume everything is IP. --JE 20 April 1999
*/
#ifndef DLT_NULL_BROKEN
/* make sure this is AF_INET */
if (family != AF_INET && family != AF_INET6) {
DEBUG(6)("warning: received null frame with unknown type (type 0x%x) (AF_INET=%x; AF_INET6=%x)",
family,AF_INET,AF_INET6);
return;
}
#endif
struct timeval tv;
be13::packet_info pi(DLT_NULL,h,p,tvshift(tv,h->ts),p+NULL_HDRLEN,caplen - NULL_HDRLEN);
be13::plugin::process_packet_info(pi);
}
void dl_ethernet(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
u_int caplen = h->caplen;
u_int length = h->len;
struct be13::ether_header *eth_header = (struct be13::ether_header *) p;
/* Variables to support VLAN */
const u_short *ether_type = ð_header->ether_type; /* where the ether type is located */
const u_char *ether_data = p+sizeof(struct be13::ether_header); /* where the data is located */
if (length != caplen) {
DEBUG(6) ("warning: only captured %d bytes of %d byte ether frame",
caplen, length);
}
/* Handle basic VLAN packets */
if (ntohs(*ether_type) == ETHERTYPE_VLAN) {
//vlan = ntohs(*(u_short *)(p+sizeof(struct ether_header)));
ether_type += 2; /* skip past VLAN header (note it skips by 2s) */
ether_data += 4; /* skip past VLAN header */
caplen -= 4;
}
if (caplen < sizeof(struct be13::ether_header)) {
DEBUG(6) ("warning: received incomplete ethernet frame");
return;
}
/* Create a packet_info structure with ip data and data length */
struct timeval tv;
be13::packet_info pi(DLT_IEEE802,h,p,tvshift(tv,h->ts),
ether_data, caplen - sizeof(struct be13::ether_header));
switch (ntohs(*ether_type)){
case ETHERTYPE_IP:
case ETHERTYPE_IPV6:
be13::plugin::process_packet_info(pi);
break;
#ifdef ETHERTYPE_ARP
case ETHERTYPE_ARP:
/* What should we do for ARP? */
break;
#endif
#ifdef ETHERTYPE_LOOPBACK
case ETHERTYPE_LOOPBACK:
/* What do do for loopback? */
break;
#endif
#ifdef ETHERTYPE_REVARP
case ETHERTYPE_REVARP:
/* What to do for REVARP? */
break;
#endif
default:
/* Unknown Ethernet Frame Type */
DEBUG(6) ("warning: received ethernet frame with unknown type 0x%x", ntohs(eth_header->ether_type));
break;
}
}
/* DLT_RAW: just a raw IP packet, no encapsulation or link-layer
* headers. Used for PPP connections under some OSs including Linux
* and IRIX. */
void dl_raw(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
if (h->caplen != h->len) {
DEBUG(6) ("warning: only captured %d bytes of %d byte raw frame",
h->caplen, h->len);
}
struct timeval tv;
be13::packet_info pi(DLT_RAW,h,p,tvshift(tv,h->ts),p, h->caplen);
process_packet_info(pi);
}
void Handle80211DataToAP(const struct timeval& t, const data_hdr_t *hdr, const u_char *rest, int len) {
if (opt_enforce_80211_frame_checksum && !fcs_ok) return;
#ifdef DEBUG_WIFI
cout << " " << "802.11 data to AP:\t"
<< hdr->sa << " -> " << hdr->da << "\t" << len << endl;
#endif
struct timeval tv;
/* TK1: Does the pcap header make sense? */
/* TK2: How do we get and preserve the the three MAC addresses? */
be13::packet_info pi(DLT_IEEE802_11,(const pcap_pkthdr *)0,(const u_char *)0,tvshift(tv,t),rest,len);
process_packet_info(pi);
}
void dl_linux_sll(u_char *user, const struct pcap_pkthdr *h, const u_char *p){
u_int caplen = h->caplen;
u_int length = h->len;
if (length != caplen) {
DEBUG(6) ("warning: only captured %d bytes of %d byte Linux cooked frame",
caplen, length);
}
if (caplen < SLL_HDR_LEN) {
DEBUG(6) ("warning: received incomplete Linux cooked frame");
return;
}
struct timeval tv;
be13::packet_info pi(DLT_LINUX_SLL,h,p,tvshift(tv,h->ts),p + SLL_HDR_LEN, caplen - SLL_HDR_LEN);
process_packet_info(pi);
}
void dl_ppp(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
u_int caplen = h->caplen;
u_int length = h->len;
if (length != caplen) {
DEBUG(6) ("warning: only captured %d bytes of %d byte PPP frame",
caplen, length);
}
if (caplen < PPP_HDRLEN) {
DEBUG(6) ("warning: received incomplete PPP frame");
return;
}
struct timeval tv;
be13::packet_info pi(DLT_PPP,h,p,tvshift(tv,h->ts),p + PPP_HDRLEN, caplen - PPP_HDRLEN);
be13::plugin::process_packet_info(pi);
}
void dl_linux_sll(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
{
u_int caplen = h->caplen;
u_int length = h->len;
if (length != caplen) {
DEBUG(6) ("warning: only captured %d bytes of %d byte Linux cooked frame",
caplen, length);
}
if (caplen < SLL_HDR_LEN) {
DEBUG(6) ("warning: received incomplete Linux cooked frame");
return;
}
struct _sll_header {
u_int16_t sll_pkttype; /* packet type */
u_int16_t sll_hatype; /* link-layer address type */
u_int16_t sll_halen; /* link-layer address length */
u_int8_t sll_addr[SLL_ADDRLEN]; /* link-layer address */
u_int16_t sll_protocol; /* protocol */
};
_sll_header *sllp = (_sll_header*)p;
u_int mpls_sz = 0;
if (ntohs(sllp->sll_protocol) == ETHERTYPE_MPLS) {
// unwind MPLS stack
do {
if(caplen < SLL_HDR_LEN + mpls_sz + 4){
DEBUG(6) ("warning: MPLS stack overrun");
return;
}
mpls_sz += 4;
caplen -= 4;
} while ((p[SLL_HDR_LEN + mpls_sz - 2] & 1) == 0 );
}
struct timeval tv;
be13::packet_info pi(DLT_LINUX_SLL,h,p,tvshift(tv,h->ts),p + SLL_HDR_LEN + mpls_sz, caplen - SLL_HDR_LEN);
be13::plugin::process_packet_info(pi);
}
void Handle80211DataFromAP(const struct timeval& t, const data_hdr_t *hdr, const u_char *rest, int len) {
if (opt_enforce_80211_frame_checksum && !fcs_ok) return;
#ifdef DEBUG_WIFI
cout << hdr->sa;
cout << " " << "802.11 data from AP:\t"
<< hdr->sa << " -> " << hdr->da << "\t" << len << endl;
#endif
struct timeval tv;
/* TK1: Does the pcap header make sense? */
/* TK2: How do we get and preserve the the three MAC addresses? */
printf("DATA_HDRLEN=%d DATA_WDS_HDRLEN=%d\n",DATA_HDRLEN,DATA_WDS_HDRLEN);
sbuf_t sb(pos0_t(),rest,len,len,0);
sb.hex_dump(std::cout);
rest += 10; // where does 10 come from?
len -= 10;
be13::packet_info pi(DLT_IEEE802_11,(const pcap_pkthdr *)0,(const u_char *)0,tvshift(tv,t),rest,len);
printf("pi.ip_version=%d\n",pi.ip_version());
process_packet_info(pi);
}
