File: libpacketdump.cc

package info (click to toggle)
libtrace3 3.0.14-1
  • links: PTS
  • area: main
  • in suites: wheezy
  • size: 11,492 kB
  • sloc: ansic: 21,584; sh: 10,236; cpp: 1,765; makefile: 454; yacc: 96; lex: 50
file content (304 lines) | stat: -rw-r--r-- 7,279 bytes parent folder | download
#include "config.h"
#include <libtrace.h>
#include <err.h>
#include <time.h>
#include "libpacketdump.h"
#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <getopt.h>
#include <unistd.h>
#include <sys/socket.h>

#ifdef HAVE_NETINET_ETHER
#  include <netinet/ether.h>
#endif


#ifdef HAVE_INTTYPES_H
#  include <inttypes.h>
#else
#  error "Can't find inttypes.h"
#endif

#ifdef HAVE_LIMITS_H
#  include <limits.h>
#endif

#ifdef HAVE_SYS_LIMITS_H
#  include <sys/limits.h>
#endif

#ifdef HAVE_SYS_TYPES_H
#  include <sys/types.h>
#endif
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>

#include <net/if_arp.h>
#ifdef HAVE_NETINET_IF_ETHER_H
#  include <netinet/if_ether.h>
#endif 
#include <dlfcn.h>
#include <map>
#include <string>
#include <ctype.h>
#include "libpacketdump.h"
extern "C"{
#include "grammar.h"
}

/* How a cached decoder entry is invoked (see decode_next()):
 *   DECODE_NORMAL - a plain C function, either dlsym()'d from a
 *                   "<proto>_<type>.so" plugin or the built-in generic_decode.
 *   DECODE_PARSER - decode_protocol_file driven by a parsed ".protocol"
 *                   description (element_t tree from grammar.h). */
enum decode_style_t {
    DECODE_NORMAL,
    DECODE_PARSER
};

/* Plugin entry point signature: type, start of this layer, bytes available. */
typedef void (*decode_norm_t)(uint16_t type,const char *packet,int len);
/* Same, plus the parsed protocol description to interpret the bytes with. */
typedef void (*decode_parser_t)(uint16_t type,const char *packet,int len, element_t* el);

/* Exactly one member is meaningful per entry; decode_t::style says which. */
typedef union decode_funcs {
    decode_norm_t decode_n;
    decode_parser_t decode_p;
} decode_funcs_t;

/* One cached decoder. `func` is heap-allocated by decode_next() and owned
 * by the cache entry; `el` is non-NULL only for DECODE_PARSER entries. */
typedef struct decoder {
    enum decode_style_t style;
    decode_funcs_t *func;
    element_t *el; // make a union of structs with all args in it for all funcs?
} decode_t;


/* Decoder cache, keyed by protocol family name ("link", "eth", ...) and then
 * by the numeric type within that family.  Note the inner key is uint16_t
 * while decode_next() takes an int type, so e.g. -1 and 65535 share a slot.
 * Entries are added lazily and nothing in this file ever removes them. */
static std::map<std::string,std::map<uint16_t,decode_t> > decoders;

/* Bytes per row in formatted_hexdump(). */
#define WIDTH 16

/* System directory searched for "<proto>_<type>.so" / ".protocol" decoders.
 * Normally injected by the build; the "./" fallback is only for ad-hoc builds
 * and is deliberately noisy since it makes the decoder lookup cwd-relative. */
#ifndef DIRNAME
#define DIRNAME "./"
#warning "No DIRNAME set!"
#endif

/* Print `len` bytes starting at `packet` as a hex dump: WIDTH bytes per
 * row in hex, then the same bytes as ASCII with non-printable bytes shown
 * as '.'.  A short final row is padded so the ASCII column lines up.
 * A len <= 0 emits only the trailing newline.
 */
static void formatted_hexdump(const char *packet, int len) {
	int offset = 0;

	while (offset < len) {
		int col;

		printf("\n ");
		/* hex column */
		for (col = 0; col < WIDTH; col++) {
			if (offset + col < len)
				printf(" %02x", (unsigned char)packet[offset + col]);
			else
				printf("   ");
		}
		printf("    ");
		/* ascii column; cast to unsigned char so isprint() never sees a
		 * negative value for bytes >= 0x80 */
		for (col = 0; col < WIDTH; col++) {
			if (offset + col >= len) {
				printf("   ");
				continue;
			}
			unsigned char c = (unsigned char)packet[offset + col];
			printf("%c", isprint(c) ? c : '.');
		}
		offset += WIDTH;
	}
	printf("\n");
}

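/* Print a timestamp / length summary for `packet`, then a hex dump of its
 * captured bytes.  Prints a placeholder and returns when libtrace gives no
 * buffer or a zero capture length.
 *
 * The timestamp comes straight from the capture file and is therefore
 * untrusted: ctime() returns NULL when the seconds value cannot be
 * represented as a broken-down time, and printf("%s", NULL) is undefined
 * behaviour, so the result is checked before it is printed.
 */
void trace_hexdump_packet(struct libtrace_packet_t *packet) {

	libtrace_linktype_t linktype;
	uint32_t length;
	const char *pkt_ptr = (const char *)trace_get_packet_buffer(packet, &linktype, NULL);

	time_t sec = (time_t)trace_get_seconds(packet);

	length = trace_get_capture_length(packet);

	if (pkt_ptr == NULL || length == 0) {
		printf(" [No packet payload]\n");
		return;
	}

	/* ctime() output already ends in '\n'; keep the placeholder consistent */
	const char *when = ctime(&sec);
	printf("\n%s", when ? when : "[unrepresentable timestamp]\n");
	printf(" Capture: Packet Length: %i/%i Direction Value: %i\n",
			(int)length,
			(int)trace_get_wire_length(packet),
			(int)trace_get_direction(packet));

	formatted_hexdump(pkt_ptr, (int)length);
}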

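/* Print a timestamp / length summary for `packet`, then hand its link-layer
 * bytes to decode_next() under the "link" family using the linktype that
 * libtrace reports.  If libtrace returns no buffer a placeholder is printed
 * instead.
 *
 * As in trace_hexdump_packet(), the timestamp is untrusted capture-file
 * data: ctime() can return NULL for an unrepresentable value and passing
 * that to printf("%s") is undefined behaviour, so it is checked first.
 */
void trace_dump_packet(struct libtrace_packet_t *packet)
{
	time_t sec = (time_t)trace_get_seconds(packet);
	libtrace_linktype_t linktype;
	uint32_t length;
	const char *link = (const char *)trace_get_packet_buffer(packet, &linktype, NULL);

	length = trace_get_capture_length(packet);

	/* ctime() output already ends in '\n'; keep the placeholder consistent */
	const char *when = ctime(&sec);
	printf("\n%s", when ? when : "[unrepresentable timestamp]\n");
	printf(" Capture: Packet Length: %i/%i Direction Value: %i\n",
			(int)length,
			(int)trace_get_wire_length(packet),
			(int)trace_get_direction(packet));
	if (!link)
		printf(" [No link layer available]\n");
	else
		/* length narrows to int here, as decode_next() takes an int */
		decode_next(link, (int)length, "link", linktype);
}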

/* Fallback decoder installed by decode_next() when neither a .so plugin
 * nor a .protocol description exists for a type: names the unknown
 * protocol number and hex dumps the remaining bytes.
 */
static void generic_decode(uint16_t type, const char *packet, int len)
{
	printf(" Unknown Protocol: %i", (int)type);
	formatted_hexdump(packet, len);
}

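/* Locate and dlopen() the shared-object decoder for protocol family `name`
 * and numeric `type`, i.e. a file called "<name>_<type>.so".
 *
 * The LIBPKTDUMPDIR environment variable is tried first, but only when the
 * process is not running with elevated privileges.  A .so loaded from a
 * user-supplied directory executes arbitrary code in this process, so both
 * the uid and the gid are compared: a set-gid binary is just as exposed as
 * a set-uid one.  This is still not bulletproof - a privileged caller should
 * also scrub its environment (as sudo does).  If the variable is unset or
 * the library is not there, the compile-time DIRNAME location is tried.
 *
 * A path that would not fit in the local buffer is skipped rather than
 * opened truncated, because a truncated path can name a different file.
 *
 * Returns the dlopen() handle, or NULL if no library could be loaded.
 */
static void *open_so_decoder(const char *name,int type)
{
	char path[1024];
	void *hdl = NULL;
	const char *userdir;
	int written;

	if (getuid() == geteuid() && getgid() == getegid()
			&& (userdir = getenv("LIBPKTDUMPDIR")) != NULL) {
		written = snprintf(path,sizeof(path),"%s/%s_%i.so",userdir,name,type);
		if (written >= 0 && (size_t)written < sizeof(path)) {
			hdl = dlopen(path,RTLD_LAZY);
			if (hdl)
				return hdl;
		}
	}

	/* Variable unset, not trusted, or nothing found: try the system location. */
	written = snprintf(path,sizeof(path),DIRNAME "/%s_%i.so",name,type);
	if (written < 0 || (size_t)written >= sizeof(path))
		return NULL;
	return dlopen(path,RTLD_LAZY);
}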

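/* Locate and parse the textual protocol description for family `name` and
 * numeric `type`, i.e. a file called "<name>_<type>.protocol", via
 * parse_protocol_file() from grammar.h.
 *
 * Mirrors open_so_decoder(): LIBPKTDUMPDIR is consulted only when neither
 * the uid nor the gid is elevated, since the description controls how
 * untrusted packet bytes are interpreted; otherwise (or when no file is
 * found there) the compile-time DIRNAME location is used.  Paths that would
 * be truncated by the local buffer are skipped rather than opened.
 *
 * Returns whatever parse_protocol_file() returns for the first readable
 * file (the element_t tree, as a void *), or NULL if none was found.
 */
static void *open_protocol_decoder(const char *name, int type)
{
	char path[1024];
	void *hdl = NULL;
	const char *userdir;
	int written;

	if (getuid() == geteuid() && getgid() == getegid()
			&& (userdir = getenv("LIBPKTDUMPDIR")) != NULL) {
		written = snprintf(path,sizeof(path),"%s/%s_%i.protocol",userdir,name,type);
		if (written >= 0 && (size_t)written < sizeof(path)) {
			hdl = parse_protocol_file(path);
			if (hdl)
				return hdl;
		}
	}

	/* Try the system directory */
	written = snprintf(path,sizeof(path),DIRNAME "/%s_%i.protocol",
		name,type);
	if (written < 0 || (size_t)written >= sizeof(path))
		return NULL;
	hdl = parse_protocol_file(path);
	return hdl;
}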

/* Decode `len` bytes at `packet` as protocol `type` within family
 * `proto_name` ("link", "eth", ...), printing the result to stdout.
 *
 * On first use of a (family, type) pair the decoder is resolved and cached
 * in `decoders`, in this order: a "<family>_<type>.so" plugin exporting
 * "decode", then a "<family>_<type>.protocol" description, then the
 * built-in generic_decode.  The cache entry's decode_funcs_t is allocated
 * here and never freed by this file; entries persist for the process.
 *
 * Trust notes: a .so found by open_so_decoder() runs arbitrary code in this
 * process (that function already ignores LIBPKTDUMPDIR when set-uid), and
 * every decoder receives raw, untrusted capture bytes, so plugins must
 * bound-check against `len` themselves - nothing here does it for them.
 *
 * `type` is an int but the cache key is uint16_t, so values outside
 * 0..65535 (e.g. the -1 used for an invalid linktype) alias other types in
 * the cache while the decoder filename still uses the full int.
 */
void decode_next(const char *packet,int len,const char *proto_name,int type)
{
	std::string sname(proto_name);

	// if we haven't worked out how to decode this type yet, load the
	// appropriate files to do so
	if (decoders[sname].find(type)==decoders[sname].end()) {
		void *hdl;
		decode_funcs_t *func = new decode_funcs_t;
		decode_t dec;

		/* Try and find a .so to handle this protocol */
		hdl = open_so_decoder(sname.c_str(),type);
		if (hdl) {
			void *s=dlsym(hdl,"decode");
			if (s) {
				// use the shared library; the handle is kept open for the
				// lifetime of the cached function pointer
				func->decode_n = (decode_norm_t)s;
				dec.style = DECODE_NORMAL;
				dec.el = NULL; 
			}
			else {
				// library has no "decode" symbol: not a usable plugin
				dlclose(hdl);
				hdl = NULL;
			}
		}

		/* We didn't successfully open the .so, try finding a .protocol that we can use */
		if (!hdl) {
			hdl = open_protocol_decoder(sname.c_str(),type);
			if (hdl) {
				// use the protocol file; `el` is the parsed description
				func->decode_p = decode_protocol_file;
				dec.style = DECODE_PARSER;
				dec.el = (element_t*)hdl;
			}
		}

		/* No matches found, fall back to the generic decoder. */
		/* TODO: We should have a variety of fallback decoders based on the protocol. */
		if(!hdl)
		{
			// no protocol file either, use a generic one
			func->decode_n = generic_decode;
			dec.style = DECODE_NORMAL;
			dec.el = NULL;
		} 

		dec.func = func;
		decoders[sname][type] = dec;
	}

	/* TODO: Instead of haxing this here, we should provide a series of generic_decode's
	 * and let the code above deal with it.
	 */
	// NOTE(review): this reads the union's decode_n member even for
	// DECODE_PARSER entries, where decode_p was the member written.
	if (decoders[sname][type].func->decode_n == generic_decode) {
		/* We can't decode a link, so lets skip that and see if libtrace
		 * knows how to find us the ip header
		 */

		/* Also, don't try to skip if the linktype is not valid, 
		 * because libtrace will just assert fail and that's never
		 * good */
		if (sname=="link" && type != -1) {
			uint16_t newtype;
			uint32_t newlen=len;
			// libtrace's API takes a non-const buffer; the const is cast
			// away here, presumably without the buffer being written to
			const char *network=(const char*)trace_get_payload_from_link((void*)packet,
					(libtrace_linktype_t)type,
					&newtype,&newlen);
			if (network) {
				printf("skipping unknown link header of type %i to network type %i\n",type,newtype);
				/* Should hex dump this too. */
				// newlen narrows from uint32_t to int for the recursive call
				decode_next(network,newlen,"eth",newtype);
				return;
			}
			// if libtrace could not skip the link header we fall through
			// to generic_decode below, which hex dumps the whole buffer
		}
		else {
			printf("unknown protocol %s/%i\n",sname.c_str(),type);
		}
	}

	// decode using the appropriate function
	switch(decoders[sname][type].style)
	{
		case DECODE_NORMAL:
			decoders[sname][type].func->decode_n(type,packet,len);
			break;

		case DECODE_PARSER:
			decoders[sname][type].func->decode_p(type,packet,len,
				decoders[sname][type].el);
			break;

	};
}