Author: Hilko Bengen <bengen@debian.org>
Description: urlsnarf: use timestamps from pcap file if available.
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573365
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
@@ -36,6 +36,7 @@
u_short Opt_dns = 1;
int Opt_invert = 0;
regex_t *pregex = NULL;
+time_t tt = 0;
static void
usage(void)
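Review bot: The new file-scope variable `tt` on the added line has external linkage, although it appears to be used only inside this file (the read loop and the timestamp formatter in the later hunks); `static time_t tt = 0;` would keep it out of the global namespace and make the coupling between the two hunks visible. A short comment on the declaration would also help the next reader, e.g. `/* capture time of the packet being formatted; set by the pcap read loop in main() */`. Whether other translation units reference it cannot be confirmed from this patch.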
@@ -57,9 +58,12 @@
{
static char tstr[32], sign;
struct tm *t, gmt;
- time_t tt = time(NULL);
int days, hours, tz, len;
+ if (!nids_params.filename) {
+ tt = time(NULL);
+ }
+
gmt = *gmtime(&tt);
t = localtime(&tt);
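Review bot: The added `if (!nids_params.filename) { tt = time(NULL); }` appears redundant with the read loop in the last hunk, which assigns `tt = h->ts.tv_sec;` for every packet returned by `pcap_next_ex()` in both live and offline mode; keeping this branch makes live output carry the processing time instead of the packet's capture time, which is the less accurate of the two. Unless the timestamp formatter can be reached before the first packet (in which case `tt` is still 0 and would be printed as the epoch), the branch could be dropped so both modes use the pcap header time. The formatter's signature and the rest of its body lie outside this hunk, so the call sites cannot be checked here. A comment such as `/* tt is the current packet's capture time, set by the pcap loop in main() */` above `gmt = *gmtime(&tt);` would document the dependency on the global either way.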
@@ -312,9 +316,48 @@
nids_register_chksum_ctl(&chksum_ctl, 1);
- nids_run();
-
- /* NOTREACHED */
+ pcap_t *p;
+ char pcap_errbuf[PCAP_ERRBUF_SIZE];
+ if (nids_params.filename == NULL) {
+ /* adapted from libnids.c:open_live() */
+ if (strcmp(nids_params.device, "all") == 0)
+ nids_params.device = "any";
+ p = pcap_open_live(nids_params.device, 16384,
+ (nids_params.promisc != 0),
+ 0, pcap_errbuf);
+ if (!p) {
+ fprintf(stderr, "pcap_open_live(): %s\n",
+ pcap_errbuf);
+ exit(1);
+ }
+ }
+ else {
+ p = pcap_open_offline(nids_params.filename,
+ pcap_errbuf);
+ if (!p) {
+ fprintf(stderr, "pcap_open_offline(%s): %s\n",
+ nids_params.filename, pcap_errbuf);
+ }
+ }
+
+ struct pcap_pkthdr *h;
+ u_char *d;
+ int rc;
+ while ((rc = pcap_next_ex(p, &h, &d)) == 1) {
+ tt = h->ts.tv_sec;
+ nids_pcap_handler(NULL, h, d);
+ }
+ switch (rc) {
+ case(-2): /* end of pcap file */
+ case(0): /* timeout on live capture */
+ break;
+ case(-1):
+ default:
+ fprintf(stderr, "rc = %i\n", rc);
+ pcap_perror(p, "pcap_read_ex()");
+ exit(1);
+ break;
+ }
exit(0);
}
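Review bot: The offline branch does not stop on failure: when `pcap_open_offline()` returns NULL the error is printed but execution falls through to `pcap_next_ex(p, &h, &d)` with a NULL handle, unlike the live branch which calls `exit(1)`. Adding `exit(1);` after the `fprintf(stderr, "pcap_open_offline(%s): %s\n", ...)` call makes the two branches consistent and avoids the NULL dereference. Separately, the diagnostic label in `pcap_perror(p, "pcap_read_ex()")` names a function that is not called here; `pcap_perror(p, "pcap_next_ex()")` would match the loop. The `case(0)` exit path also ends a live capture with status 0 on a read timeout; whether libpcap can return 0 with the timeout argument of 0 used above depends on the platform, so this may deserve a comment or a `continue`-style retry rather than a silent termination.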