📄 decode.c
pkt_len -= dataoff;
cap_len -= dataoff;
switch (htons(p->fddiiparp->ethertype))
{
case ETHERNET_TYPE_IP:
#ifdef DEBUG
printf("Decoding IP\n");
#endif
DecodeIP(p->pkt+dataoff, cap_len, p);
return;
case ETHERNET_TYPE_ARP:
case ETHERNET_TYPE_REVARP:
#ifdef DEBUG
printf("Decoding ARP\n");
#endif
pc.arp++;
return;
default:
#ifdef DEBUG
printf("Unknown network protocol: %d\n",
htons(p->fddiiparp->ethertype));
#endif
pc.other++;
return;
}
return;
}
/****************************************************************************
*
* Function: DecodePppPkt(Packet *, struct pcap_pkthdr*, u_char*)
*
* Purpose: For future expansion
*
* Arguments: p => pointer to the decoded packet struct
* pkthdr => ptr to the packet header
* pkt => pointer to the real live packet data
*
* Returns: void function
*
****************************************************************************/
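void DecodePppPkt(Packet *p, struct pcap_pkthdr *pkthdr, u_char *pkt)
{
    /*
     * Resets *p, records the pcap header and raw buffer in it, and hands
     * everything after the fixed PPP_HDRLEN-byte header to DecodeIP().
     * The PPP protocol field is not inspected here; the payload is
     * treated as IP.
     */
    u_int cap_len;

    bzero((char *)p, sizeof(Packet));

    p->pkth = pkthdr;
    p->pkt = pkt;

    /* only the captured bytes are backed by the buffer, so bound by caplen */
    cap_len = pkthdr->caplen;

#ifdef DEBUG
    printf("Packet!\n");
#endif

    /*
     * Reject frames too short to hold the PPP header; this also keeps the
     * unsigned subtraction below from wrapping.
     */
    if (cap_len < PPP_HDRLEN)
    {
        ErrorMessage("Captured length < PPP header length! (%u bytes)\n",
                     cap_len);
        return;
    }

    DecodeIP(p->pkt + PPP_HDRLEN, cap_len - PPP_HDRLEN, p);
}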
/****************************************************************************
*
* Function: DecodeSlipPkt(Packet *, struct pcap_pkthdr*, u_char*)
*
* Purpose: For future expansion
*
* Arguments: p => pointer to the decoded packet struct
* pkthdr => ptr to the packet header
* pkt => pointer to the real live packet data
*
* Returns: void function
*
****************************************************************************/
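void DecodeSlipPkt(Packet *p, struct pcap_pkthdr *pkthdr, u_char *pkt)
{
    /*
     * Resets *p, records the pcap header and raw buffer in it, and hands
     * everything after the fixed SLIP_HEADER_LEN-byte header to DecodeIP().
     */
    u_int cap_len;

    bzero((char *)p, sizeof(Packet));

    p->pkth = pkthdr;
    p->pkt = pkt;

    /* only the captured bytes are backed by the buffer, so bound by caplen */
    cap_len = pkthdr->caplen;

#ifdef DEBUG
    printf("Packet!\n");
#endif

    /*
     * Reject frames too short to hold the SLIP header; this also keeps the
     * unsigned subtraction below from wrapping.
     */
    if (cap_len < SLIP_HEADER_LEN)
    {
        ErrorMessage("Captured length < SLIP header length! (%u bytes)\n",
                     cap_len);
        return;
    }

    DecodeIP(p->pkt + SLIP_HEADER_LEN, cap_len - SLIP_HEADER_LEN, p);
}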
/****************************************************************************
*
* Function: DecodeRawPkt(Packet *, struct pcap_pkthdr*, u_char*)
*
* Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and
* in by Jed Pickel (thanks Jed!) and modified for a few little tweaks
* by me.
*
* Arguments: p => pointer to the decoded packet struct
* pkthdr => ptr to the packet header
* pkt => pointer to the real live packet data
*
* Returns: void function
*
****************************************************************************/
void DecodeRawPkt(Packet *p, struct pcap_pkthdr *pkthdr, u_char *pkt)
{
    /*
     * No link-layer header is stripped: the buffer is handed to DecodeIP()
     * from its first byte, bounded by the captured length.
     */
    bzero((char *) p, sizeof *p);

    p->pkt = pkt;
    p->pkth = pkthdr;

#ifdef DEBUG
    printf("Packet!\n");
#endif

    DecodeIP(p->pkt, pkthdr->caplen, p);
}
/****************************************************************************
*
* Function: DecodeI4LRawIPPkt(Packet *, struct pcap_pkthdr*, u_char*)
*
* Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and
* in by Jed Pickel (thanks Jed!) and modified for a few little tweaks
* by me.
*
* Arguments: p => pointer to the decoded packet struct
* pkthdr => ptr to the packet header
* pkt => pointer to the real live packet data
*
* Returns: void function
*
****************************************************************************/
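void DecodeI4LRawIPPkt(Packet *p, struct pcap_pkthdr *pkthdr, u_char *pkt)
{
    /*
     * Resets *p, records the pcap header and raw buffer in it, skips the
     * leading bytes in front of the IP header and hands the rest to
     * DecodeIP().
     */

    /* bytes skipped before the IP header (value from the original code) */
    enum { I4L_RAWIP_SKIP = 2 };

    bzero((char *)p, sizeof(Packet));

    p->pkth = pkthdr;
    p->pkt = pkt;

#ifdef DEBUG
    printf("Packet!\n");
#endif

    /*
     * Bound the decode by caplen, not len: len is the on-the-wire size and
     * may exceed what was actually captured into pkt, which would let the
     * IP decoder read past the end of the buffer.  The check also keeps
     * the unsigned subtraction below from wrapping.
     */
    if (pkthdr->caplen < (u_int) I4L_RAWIP_SKIP)
    {
        if (pv.verbose_flag)
        {
            ErrorMessage("[!] WARNING: I4L raw IP packet truncated! (%u bytes)\n",
                         (u_int) pkthdr->caplen);
        }
        return;
    }

    DecodeIP(pkt + I4L_RAWIP_SKIP, pkthdr->caplen - I4L_RAWIP_SKIP, p);
}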
/****************************************************************************
*
* Function: DecodeI4LCiscoIPPkt(Packet *, struct pcap_pkthdr*, u_char*)
*
* Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and
* in by Jed Pickel (thanks Jed!) and modified for a few little tweaks
* by me.
*
* Arguments: p => pointer to the decoded packet struct
* pkthdr => ptr to the packet header
* pkt => pointer to the real live packet data
*
* Returns: void function
*
****************************************************************************/
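void DecodeI4LCiscoIPPkt(Packet *p, struct pcap_pkthdr *pkthdr, u_char *pkt)
{
    /*
     * Resets *p, records the pcap header and raw buffer in it, skips the
     * leading bytes in front of the IP header and hands the rest to
     * DecodeIP().
     */

    /* bytes skipped before the IP header (value from the original code) */
    enum { I4L_CISCOIP_SKIP = 4 };

    bzero((char *)p, sizeof(Packet));

    p->pkth = pkthdr;
    p->pkt = pkt;

#ifdef DEBUG
    printf("Packet!\n");
#endif

    /*
     * Bound the decode by caplen, not len: len is the on-the-wire size and
     * may exceed what was actually captured into pkt, which would let the
     * IP decoder read past the end of the buffer.  The check also keeps
     * the unsigned subtraction below from wrapping.
     */
    if (pkthdr->caplen < (u_int) I4L_CISCOIP_SKIP)
    {
        if (pv.verbose_flag)
        {
            ErrorMessage("[!] WARNING: I4L Cisco IP packet truncated! (%u bytes)\n",
                         (u_int) pkthdr->caplen);
        }
        return;
    }

    DecodeIP(pkt + I4L_CISCOIP_SKIP, pkthdr->caplen - I4L_CISCOIP_SKIP, p);
}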
/****************************************************************************
*
* Function: DecodeIP(u_char *, int, Packet *)
*
* Purpose: Decode the IP network layer
*
* Arguments: pkt => ptr to the packet data
* len => length from here to the end of the packet
* p => pointer to the decoded packet struct
*
* Returns: void function
*
****************************************************************************/
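void DecodeIP(u_char *pkt, const int len, Packet *p)
{
    /*
     * Overlays an IPHdr on pkt, validates it against the len bytes the
     * caller says are available, fills in the address / fragment fields of
     * *p and dispatches unfragmented datagrams to the TCP, UDP or ICMP
     * decoder.  On any validation failure p->iph is set to NULL and the
     * function returns without decoding further.
     */
    u_int ip_len; /* datagram length from the IP header, later the payload length */
    u_int hlen;   /* ip header length in bytes */

    /* lay the IP struct over the raw data */
    p->iph = (IPHdr *) pkt;

#ifdef DEBUG
    printf("ip header starts at: %p, length is: %d\n", (void *) p->iph, len);
#endif

    /* a minimal header must be present before any field may be read */
    if (len < IP_HEADER_LEN)
    {
        if (pv.verbose_flag)
        {
            ErrorMessage("[!] WARNING: IP header truncated! (%d bytes)\n", len);
        }

        p->iph = NULL;
        return;
    }

    /*
     * with datalink DLT_RAW it's impossible to differ ARP datagrams
     * from IP. So we are just ignoring non IP datagrams
     */
    if (p->iph->ip_ver != 4)
    {
        if (pv.verbose_flag)
        {
            ErrorMessage("[!] WARNING: Not IPv4 datagram! ([ver: 0x%x][len: 0x%x])\n", p->iph->ip_ver,p->iph->ip_len);
        }

        p->iph = NULL;
        return;
    }

    ip_len = ntohs(p->iph->ip_len);

    /* set the IP header length */
    hlen = p->iph->ip_hlen << 2;

    /* a header length below the fixed minimum cannot be valid */
    if (hlen < IP_HEADER_LEN)
    {
        if (pv.verbose_flag)
        {
            ErrorMessage("[!] WARNING: Bogus IP header length! (%u bytes)\n", hlen);
        }

        p->iph = NULL;
        return;
    }

    /*
     * The length field comes from the wire and is untrusted: never let it
     * claim more bytes than the caller actually has (len >= IP_HEADER_LEN
     * here, so the cast is safe).
     */
    if (ip_len > (u_int) len)
    {
        ip_len = (u_int) len;
    }

    /*
     * The header (including options) must fit inside the datagram.  After
     * the clamp above this also rejects a header that runs past the
     * available data, and keeps "ip_len -= hlen" below from wrapping.
     */
    if (ip_len < hlen)
    {
        if (pv.verbose_flag)
        {
            ErrorMessage("[!] WARNING: IP datagram length (%u bytes) < IP header length (%u bytes)\n",
                         ip_len, hlen);
        }

        p->iph = NULL;
        return;
    }

    /* test for IP options */
    if (p->iph->ip_hlen > 5)
    {
        DecodeIPOptions((pkt + IP_HEADER_LEN), hlen - IP_HEADER_LEN, p);
    }
    else
    {
        p->ip_option_count = 0;
    }

    /* set the remaining packet length */
    ip_len -= hlen;

    p->sip = p->iph->ip_src.s_addr;
    p->dip = p->iph->ip_dst.s_addr;

    /* check for fragmented packets */
    p->frag_offset = ntohs(p->iph->ip_off);

    /* get the values of the more fragments and don't fragment flags */
    p->df = (p->frag_offset & 0x4000) >> 14;
    p->mf = (p->frag_offset & 0x2000) >> 13;

    /* mask off the high bits in the fragment offset field */
    p->frag_offset &= 0x1FFF;

    if (p->frag_offset || p->mf)
    {
        /* set the packet fragment flag */
        p->frag_flag = 1;
    }

    /* if this packet isn't a fragment */
    if (!(p->frag_flag))
    {
#ifdef DEBUG
        printf("IP header length: %d\n", hlen);
#endif

        switch (p->iph->ip_proto)
        {
            case IPPROTO_TCP:
                pc.tcp++;
                DecodeTCP(pkt + hlen, ip_len, p);
                break;

            case IPPROTO_UDP:
                pc.udp++;
                DecodeUDP(pkt + hlen, ip_len, p);
                break;

            case IPPROTO_ICMP:
                pc.icmp++;
                DecodeICMP(pkt + hlen, ip_len, p);
                break;

            default:
                /* unknown transport: expose the raw payload only */
                pc.other++;
                p->data = pkt + hlen;
                p->dsize = ip_len;
                break;
        }

        ClearDumpBuf();
        return;
    }
    else /* if the packet is fragmented */
    {
        pc.frags++;

        /* increment the packet counter */
        switch (p->iph->ip_proto)
        {
            case IPPROTO_TCP:
                pc.tcp++;
                break;

            case IPPROTO_UDP:
                pc.udp++;
                break;

            case IPPROTO_ICMP:
                pc.icmp++;
                break;

            default:
                pc.other++;
                break;
        }

        /* set the payload pointer and payload size */
        p->data = pkt + hlen;
        p->dsize = ip_len;
    }
}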
/****************************************************************************
*
* Function: DecodeTCP(u_char *, int)
*
* Purpose: Decode the TCP transport layer
*