
📄 arp.c

📁 Nast是一个基于Libnet 和Libpcap的sniffer包和LAN分析器。它可以在通常模式或混合模式下检查通过网络接口的数据包
💻 C
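/*
    Pktsant -

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

#include "include/nast.h"

/**
 * Print a human-readable summary of the ARP or RARP frame currently held in
 * the capture buffer `packet` (a name this file does not declare; it comes
 * from the project header).
 *
 * The Ethernet header is read at the start of `packet` and the ARP header at
 * `packet + offset`. Frames whose EtherType is neither ARP nor RARP produce
 * no output.
 *
 * @param output  stream the report is written to.
 *
 * NOTE(review): nothing here checks that the captured frame is long enough to
 * hold an Ethernet header plus a full ARP header; the caller is presumably
 * expected to guarantee that -- confirm against the capture loop.
 */
void handle_ARP (FILE *output)
{
    struct libnet_ethernet_hdr *eptr = (struct libnet_ethernet_hdr *) packet;
    struct nast_arp_hdr *arp = (struct nast_arp_hdr *) (packet + offset);
    /* EtherType is carried in network byte order; convert it once and use
     * the converted value for every comparison below. */
    u_short ether_type = ntohs(eptr->ether_type);

    if (ether_type == ETHERTYPE_ARP)
    {
        fprintf(output, "\n---[ ARP ]-----------------------------------------------------------\n");
        fprintf(output, "%s -> ", nast_hex_ntoa (eptr->ether_shost));
        fprintf(output, "%s\n", nast_hex_ntoa (eptr->ether_dhost));

        switch (ntohs(arp->ar_op))
        {
        case 1:
            fprintf(output, "Type: ARP request: ");
            fprintf(output, "Who has %d.%d.%d.%d? ",
                    arp->__ar_tip[0], arp->__ar_tip[1], arp->__ar_tip[2], arp->__ar_tip[3]);
            fprintf(output, "Tell %d.%d.%d.%d\n",
                    arp->__ar_sip[0], arp->__ar_sip[1], arp->__ar_sip[2], arp->__ar_sip[3]);
            break;
        case 2:
            /* The MAC shown is the Ethernet source address of the frame,
             * not the sender hardware address inside the ARP payload. */
            fprintf(output, "Type: ARP reply: ");
            fprintf(output, "%d.%d.%d.%d is at %s\n",
                    arp->__ar_sip[0], arp->__ar_sip[1], arp->__ar_sip[2], arp->__ar_sip[3],
                    nast_hex_ntoa (eptr->ether_shost));
            break;
        case 8:
            fprintf(output, "Type: InARP request");
            break;
        case 9:
            fprintf(output, "Type: InARP reply\t");
            break;
        default:
            fprintf(output, "Type: Unknown Opcode");
            break;
        }

        fprintf(output, "Hardware size: %d - ", arp->ar_hln);
        fprintf(output, "Protocol size: %d\n", arp->ar_pln);
    }
    /* Fix: the original compared the raw, network-order field against
     * ETHERTYPE_REVARP, so on little-endian hosts this branch never matched.
     * Compare the host-order value instead. */
    else if (ether_type == ETHERTYPE_REVARP)
    {
        fprintf(output, "\n---[ RARP ]----------------------------------------------------------\n");
        fprintf(output, "%s -> " , nast_hex_ntoa (eptr->ether_shost));
        fprintf(output, "%s\n", nast_hex_ntoa (eptr->ether_dhost));

        switch (ntohs(arp->ar_op))
        {
        case 3:
            fprintf(output, "Type: RARP request");
            break;
        case 4:
            fprintf(output, "Type: RARP reply\t");
            break;
        case 8:
            fprintf(output, "Type: InARP request");
            break;
        case 9:
            fprintf(output, "Type: InARP reply\t");
            break;
        default:
            fprintf(output, "Type: Unknown Opcode");
            break;
        }

        fprintf(output, "\tHardware size: %d - ", arp->ar_hln);
        fprintf(output, "Protocol size: %d\n", arp->ar_pln);
    }
}

/*
 * This function is important: it watches ARP responses and verifies that
 * no-one is performing ARP poisoning on the LAN.
 *
 * NB: run it only when you are sure that no-one is poisoning the network at
 * that moment, because the IP/MAC list built at start-up is the trusted
 * baseline every later ARP response is compared against. A baseline taken
 * while the network is already poisoned makes the forged binding look
 * legitimate.
 *
 * PS: ARP responses, unlike requests, do not have a broadcast destination.
 */

/**
 * car: control ARP response.
 *
 * Builds a baseline host list with map_lan(), opens a live capture on `dev`
 * filtered to ARP, and for every ARP reply (opcode 2) whose sender IP is in
 * the baseline, logs whether the sender hardware address still matches the
 * recorded MAC.
 *
 * @param dev  capture interface name, passed to map_lan() and libpcap.
 * @param lg   when non-zero, openfile() is called first and progress text is
 *             printed on stdout.
 * @return -1 if the baseline cannot be built, the network has no other hosts,
 *         or any libpcap set-up call fails. The capture loop itself has no
 *         exit, so the final `return 0` is not reached from this function.
 */
int car (char *dev, int lg)
{
    struct host *list;
    u_short i, n;
    char ebuf[PCAP_ERRBUF_SIZE];
    struct nast_arp_hdr *arp;

    if (lg)
    {
        openfile();
        printf ("Waiting please...\n");
    }

    if (log != stdout)
        fprintf(log, "NAST Control ARP Poisoning Report\n\n");

    /* Fix: the original malloc'ed 255 entries here and then overwrote the
     * pointer with map_lan()'s result, leaking the allocation. map_lan()
     * supplies the list, so no allocation is made here. */

    printf ("%sMake sure that now no-one is making arp poisoning,\nI'll build a truly MAC-IP list to confront me to...%s\n\n", BOLD, NORMAL);
    printf ("(Press a key)\n");
    getchar();

    printf ("Wait please... ");
    fflush (stdout);

    if ((list = map_lan(dev, 0, &n)) == NULL)
    {
        fprintf (stderr, "\nCan't build truly host list! mmhhh!\nReport bug to author please\n\n");
        return -1;
    }

    if (n == 0)
    {
        fprintf (stderr, "\nWhat are you doing? You are alone in this network!\n\n");
        return -1;
    }

    fprintf (log, "ok\nNow let me sniff arp-response on the network...\n\n");

    /* open pcap sniffer */
    if ((pcap_lookupnet(dev, &netp, &maskp, ebuf)) == -1)
    {
        fprintf (stderr, "pcap_lookupnet error: %s\n", ebuf);
        return -1;
    }

    if ((descr = pcap_open_live(dev, BUFSIZ, PROMISC, 10, ebuf)) == NULL)
    {
        fprintf (stderr, "pcap_open_live error: %s\n", ebuf);
        return -1;
    }

    if ((pcap_compile (descr, &fp, "ether proto \\arp", 0, netp)) == -1)
    {
        fprintf (stderr, "pcap_compile error\n");
        return -1;
    }

    if ((pcap_setfilter (descr, &fp)) == -1)
    {
        fprintf (stderr, "pcap_setfilter error\n");
        return -1;
    }

    /* demonize */
    if (demonize)
        bkg();

    /* now sniff */
    while (1)
    {
        if ((packet = (u_char *) pcap_next (descr, &hdr)) == NULL)
            continue;

        if (handle_ethernet(packet) != ETHERTYPE_ARP)
            continue; /* this is a paranoid test */

        /* Frames come straight off the wire: skip any capture too short to
         * contain the whole ARP header before reading fields from it.
         * `hdr` is the pcap header pcap_next() just filled in. */
        if (hdr.caplen < (size_t) offset + sizeof (struct nast_arp_hdr))
            continue;

        arp = (struct nast_arp_hdr *) (packet + offset);

        if (ntohs (arp->ar_op) != 2)
            continue;

        for (i = 0; i < n; i++)
        {
            /* look up the IP of interest in the database (i) */

            /* Fix: the sender IP is raw address bytes, not a C string. The
             * original strcmp() stopped at the first zero octet (so e.g. two
             * different 10.0.x.y addresses compared equal and the reply was
             * checked against the wrong host's MAC) and could read past the
             * field when no octet was zero. Compare the full field instead.
             * NOTE(review): assumes list[i].ip stores the address in the same
             * raw-byte form and is at least this long -- confirm against
             * struct host. */
            if (memcmp(arp->__ar_sip, list[i].ip, sizeof arp->__ar_sip) != 0)
                continue;

            fprintf (log, "Verifing %d.%d.%d.%d, ",
                     arp->__ar_sip[0], arp->__ar_sip[1], arp->__ar_sip[2], arp->__ar_sip[3]);

            /* Fix: the sender hardware address is raw bytes with no NUL
             * terminator; printing it with a bare %s wrote binary data to the
             * report and could over-read. Format it like every other MAC. */
            fprintf (log, "Is %s?\t", nast_hex_ntoa (arp->__ar_sha));

            if (memcmp(arp->__ar_sha, list[i].mac, ETHER_ADDR_LEN))
                fprintf (log, "%sWarning! Truly is %s, possible ARP-Poisoning!!!%s\n",
                         BOLD, nast_hex_ntoa (list[i].mac), NORMAL);
            else
                fprintf (log, "Correct\n");

            break;
        }
    }

    /* Not reached: the loop above never breaks out. Kept for the declared
     * return type. */
    if (lg)
        printf ("\ndone\n");

    return 0;
}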
