    /* set the IP header length */    hlen = IP_HLEN(p->iph) << 2;    if(len < hlen)    {        if(pv.verbose >= 3)            LogMessage("[!] WARNING: ICMP Unreachable IP len (%d bytes) "                    "< IP hdr len (%d bytes), packet discarded\n",                     ip_len, hlen);        p->iph = NULL;        return(0);    }    p->ip_option_count = 0;    /* set the remaining packet length */    ip_len = len - hlen;    /* check for fragmented packets */    p->frag_offset = ntohs(p->iph->ip_off);    /*      * get the values of the reserved, more      * fragments and don't fragment flags      */    if(((p->frag_offset & 0x8000) >> 15))        p->pkt_flags |= PKT_RB_FLAG;    if(((p->frag_offset & 0x4000) >> 14))        p->pkt_flags |= PKT_DF_FLAG;    if(((p->frag_offset & 0x2000) >> 13))        p->pkt_flags |= PKT_MF_FLAG;    /* mask off the high bits in the fragment offset field */    p->frag_offset &= 0x1FFF;    if(p->frag_offset || (p->pkt_flags & PKT_MF_FLAG))    {        /* set the packet fragment flag */        p->pkt_flags |= PKT_FRAG_FLAG;        /* set the payload pointer and payload size */        p->data = pkt + hlen;        p->dsize = ip_len;    }    else    {        switch(p->iph->ip_proto)        {            case IPPROTO_TCP: /* decode the interesting part of the header */                if(ip_len > 4)                {                    p->tcph =(TCPHdr *)(pkt + hlen);                    /* stuff more data into the printout data struct */                    p->sp = ntohs(p->tcph->th_sport);                    p->dp = ntohs(p->tcph->th_dport);                }                break;            case IPPROTO_UDP:                if(ip_len > 4)                {                    p->udph = (UDPHdr *)(pkt + hlen);                    /* fill in the printout data structs */                    p->sp = ntohs(p->udph->uh_sport);                    p->dp = ntohs(p->udph->uh_dport);                }                break;        }    }    return(1);}/* * 
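Function: DecodeTCP(u_int8_t *, const u_int32_t, Packet *)
 *
 * Purpose: Decode the TCP transport layer.  Lays a TCPHdr over pkt and
 *          fills p->tcph, p->sp, p->dp, p->tcp_options_len /
 *          p->tcp_options_data (via DecodeTCPOptions), p->data and p->dsize.
 *
 * Arguments: pkt => ptr to the packet data
 *            len => length from here to the end of the packet
 *            p   => Pointer to packet decode struct
 *
 * Returns: void function.
 *          - len < 20: p->tcph is set to NULL and nothing else is touched.
 *          - data offset < 5, or len < header length: p->tcph points at the
 *            (complete) fixed header but p->data / p->dsize / p->sp / p->dp
 *            are left as they were.
 */
void DecodeTCP(u_int8_t * pkt, const u_int32_t len, Packet * p)
{
    enum { TCP_MIN_HLEN = 20 };   /* fixed header without options */
    u_int32_t hlen;               /* TCP header length incl. options */

    if(len < TCP_MIN_HLEN)
    {
        if(pv.verbose >= 3)
            LogMessage("[!] WARNING: TCP packet (len = %u) cannot contain "
                    "20 byte header\n", len);
        p->tcph = NULL;
        /* must bail here: the cast below would read past the buffer */
        return;
    }

    /* lay TCP on top of the data cause there is enough of it! */
    p->tcph = (TCPHdr *) pkt;

    /* the data offset field is in 32-bit words */
    hlen = TCP_OFFSET(p->tcph) << 2;

    if(hlen < TCP_MIN_HLEN)
    {
        if(pv.verbose >= 3)
            LogMessage("[!] WARNING: TCP Data Offset %d < 5 \n",
                    TCP_OFFSET(p->tcph));
        return;
    }

    /* not enough bytes to finish decoding the header and its options */
    if(len < hlen)
        return;

    p->tcp_options_len = hlen - TCP_MIN_HLEN;

    if(p->tcp_options_len > 0)
    {
        p->tcp_options_data = pkt + TCP_MIN_HLEN;
        DecodeTCPOptions(pkt + TCP_MIN_HLEN, p->tcp_options_len, p);
    }
    else
    {
        p->tcp_option_count = 0;
    }

    /* stuff more data into the printout data struct */
    p->sp = ntohs(p->tcph->th_sport);
    p->dp = ntohs(p->tcph->th_dport);

    /* everything after the header is payload; len >= hlen is guaranteed
     * above, so this cannot wrap and yields 0 for a header-only segment */
    p->data = pkt + hlen;
    p->dsize = len - hlen;
}

/*
 * Function: DecodeUDP(u_int8_t *, const u_int32_t, Packet *)
 *
 * Purpose: Decode the UDP transport layer
 *
 * Arguments: pkt => ptr to the packet data
 *            len => length from here to the end of the packet
 *            p   => pointer to decoded packet struct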
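*
 * Returns: void function.  On a truncated header p->udph is set to NULL
 *          and nothing else is touched.
 */
void DecodeUDP(u_int8_t * pkt, const u_int32_t len, Packet * p)
{
    if(len < sizeof(UDPHdr))
    {
        if(pv.verbose >= 3)
            LogMessage("[!] WARNING: Truncated UDP header (%u bytes)\n", len);
        p->udph = NULL;
        return;
    }

    /* set the ptr to the start of the UDP header */
    p->udph = (UDPHdr *) pkt;

    /* fill in the printout data structs */
    p->sp = ntohs(p->udph->uh_sport);
    p->dp = ntohs(p->udph->uh_dport);

    p->data = (u_int8_t *) (pkt + UDP_HEADER_LEN);

    /* compare before subtracting so an unsigned wrap is impossible even
     * if UDP_HEADER_LEN and sizeof(UDPHdr) ever disagree */
    if(len > UDP_HEADER_LEN)
    {
        p->dsize = len - UDP_HEADER_LEN;
    }
    else
    {
        p->dsize = 0;
    }
}

/*
 * Function: DecodeICMP(u_int8_t *, const u_int32_t, Packet *)
 *
 * Purpose: Decode the ICMP transport layer
 *
 * Arguments: pkt => ptr to the packet data
 *            len => length from here to the end of the packet
 *            p   => pointer to the decoded packet struct
 *
 * Returns: void function.  p->icmph is NULL when the message is shorter
 *          than its type requires; in that case p->data / p->dsize still
 *          describe the bytes after the common ICMP_HEADER_LEN header.
 */
void DecodeICMP(u_int8_t * pkt, const u_int32_t len, Packet * p)
{
    /* type + code + checksum + identifier + sequence number (RFC 792) */
    enum { ICMP_ECHO_HLEN = 8 };

    if(len < ICMP_HEADER_LEN)
    {
        if(pv.verbose >= 3)
            LogMessage("[!] WARNING: Truncated ICMP header(%u bytes)\n", len);
        p->icmph = NULL;
        return;
    }

    /* set the header ptr first */
    p->icmph = (ICMPHdr *) pkt;

    p->dsize = len - ICMP_HEADER_LEN;
    p->data = pkt + ICMP_HEADER_LEN;

    switch(p->icmph->icmp_type)
    {
        case ICMP_ECHOREPLY:
        case ICMP_ECHO:
            if(len < ICMP_ECHO_HLEN)
            {
                if(pv.verbose >= 3)
                    LogMessage("[!] WARNING: Truncated ICMP-ECHO "
                            "header (%u bytes)\n", len);
                p->icmph = NULL;
                /* returning here keeps p->dsize from wrapping below */
                return;
            }
            /* payload starts after the id/seq word; len >= 8 here */
            p->data = pkt + ICMP_ECHO_HLEN;
            p->dsize = len - ICMP_ECHO_HLEN;
            break;

        case ICMP_DEST_UNREACH:
            /* if unreach packet is smaller than expected! */
            if(len < 16)
            {
                if(pv.verbose >= 3)
                    LogMessage("[!] WARNING: Truncated ICMP-UNREACH "
                            "header (%u bytes)\n", len);
                p->icmph = NULL;
                return;
            }
            break;

        default:
            break;
    }
}

/*
 * Function: DecodeARP(u_int8_t *, u_int32_t, Packet *)
 *
 * Purpose: Decode ARP stuff
 *
 * Arguments: pkt => ptr to the packet data
 *            len => length from here to the end of the packet
 *            p   => pointer to decoded packet struct
 *
 * Returns: void function.  p->ah points at the EtherARP header, or is NULL
 *          when fewer than sizeof(EtherARP) bytes are available.
 */
void DecodeARP(u_int8_t * pkt, u_int32_t len, Packet * p)
{
    if(len < sizeof(EtherARP))
    {
        if(pv.verbose >= 3)
            LogMessage("Truncated ARP packet\n");
        /* don't leave a pointer to a header that isn't all there */
        p->ah = NULL;
        return;
    }

    p->ah = (EtherARP *) pkt;
}

/*
 * Function: DecodeIPV6(u_int8_t *, u_int32_t)
 *
 * Purpose: Just like IPX, it's just for counting.
 *
 * Arguments: pkt => ptr to the packet data
 *            len => length from here to the end of the packet
 *
 * Returns: void function
 */
void DecodeIPV6(u_int8_t *pkt, u_int32_t len)
{
    /* total placeholder */
    (void) pkt;
    (void) len;
}

/*
 * Function: DecodeIPX(u_int8_t *, u_int32_t)
 *
 * Purpose: Well, it doesn't do much of anything right now...
 *
 * Arguments: pkt => ptr to the packet data
 *            len => length from here to the end of the packet
 *
 * Returns: void function
 *
 */
void DecodeIPX(u_int8_t *pkt, u_int32_t len)
{
    /* another placeholder */
    (void) pkt;
    (void) len;
}

/*
 * Function: DecodeTCPOptions(u_int8_t *, u_int32_t, Packet *)
 *
 * Purpose: Fairly self explanatory name, don't you think?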
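*
 * Arguments: o_list => ptr to the option list
 *            o_len => length of the option list
 *            p     => pointer to decoded packet struct
 *
 * Returns: void function.  Fills p->tcp_options[0 .. count-1] and
 *          p->tcp_option_count.  For an entry, .code is the option kind,
 *          .data points just past the kind/length bytes, and .len is the
 *          option's total on-the-wire length (kind and length bytes
 *          included); NOP, EOL and SACKOK carry no data and get .len = 0,
 *          .data = NULL.  PKT_TCPOPTS_BAD is set in p->pkt_flags when the
 *          list is malformed (missing length byte, length < 2, or the last
 *          option running past o_len).
 */
void DecodeTCPOptions(u_int8_t *o_list, u_int32_t o_len, Packet *p)
{
    enum { MAX_OPTIONS = 40, MAX_OPTION_LEN = 40 };
    u_int8_t *option_ptr = o_list;
    u_int32_t bytes_processed = 0;
    u_int32_t current_option = 0;
    u_char done = 0;

    while((bytes_processed < o_len) && (current_option < MAX_OPTIONS) && !done)
    {
        u_int8_t code = *option_ptr;
        u_int32_t olen;     /* bytes this option occupies on the wire */

        p->tcp_options[current_option].code = code;

        switch(code)
        {
            case TCPOPT_EOL:
                done = 1;
                /* fallthrough */
            case TCPOPT_NOP:
                p->tcp_options[current_option].len = 0;
                p->tcp_options[current_option].data = NULL;
                olen = 1;
                break;

            case TCPOPT_SACKOK:
                /* kind + length, no data */
                p->tcp_options[current_option].len = 0;
                p->tcp_options[current_option].data = NULL;
                olen = 2;
                break;

            case TCPOPT_WSCALE:
                /* kind + length + one shift byte */
                p->tcp_options[current_option].len = 3;
                p->tcp_options[current_option].data = option_ptr + 2;
                olen = 3;
                break;

            default:
                /* the length byte must itself lie inside the option list */
                if(bytes_processed + 1 >= o_len)
                {
                    done = 1;
                    p->pkt_flags |= PKT_TCPOPTS_BAD;
                    olen = 0;
                }
                else
                {
                    olen = *(option_ptr + 1);
                    if(olen > MAX_OPTION_LEN)
                    {
                        olen = MAX_OPTION_LEN;
                    }
                    else if(olen < 2)
                    {
                        /* shorter than its own header: bad option, we're
                         * all done (a 0 length would never advance) */
                        done = 1;
                        p->pkt_flags |= PKT_TCPOPTS_BAD;
                        olen = 0;
                    }
                }
                p->tcp_options[current_option].len = olen;
                p->tcp_options[current_option].data =
                    olen ? option_ptr + 2 : NULL;
                break;
        }

        option_ptr += olen;
        bytes_processed += olen;
        current_option++;
    }

    /*
     * The last option can claim more bytes than are left in the list.
     * Trim it to what is actually present, or drop it when not even its
     * header fits (it is corrupted anyway).  The entry to fix is the one
     * just filled in, current_option - 1, never p->tcp_options[current_option]
     * which may be one past the array.
     */
    if((bytes_processed > o_len) && (current_option > 0))
    {
        u_int32_t overrun = bytes_processed - o_len;
        u_int32_t last = current_option - 1;

        if(p->tcp_options[last].len > overrun)
        {
            p->tcp_options[last].len -= overrun;
        }
        else
        {
            current_option--;
        }
        p->pkt_flags |= PKT_TCPOPTS_BAD;
    }

    p->tcp_option_count = current_option;
}

/*
 * Function: DecodeIPOptions(u_int8_t *, u_int32_t, Packet *)
 *
 * Purpose: Once again, a fairly self-explanatory name
 *
 * Arguments: o_list => ptr to the option list
 *            o_len => length of the option list
 *            p     => pointer to decoded packet struct
 *
 * Returns: void function.  Fills p->ip_options[0 .. count-1] and
 *          p->ip_option_count with the same entry layout as
 *          DecodeTCPOptions (.len is the total option length, .data points
 *          past the type/length bytes; NOP and EOL get .len = 0).
 *          PKT_IPOPTS_BAD is set in p->pkt_flags for a malformed list.
 */
void DecodeIPOptions(u_int8_t *o_list, u_int32_t o_len, Packet *p)
{
    enum { MAX_OPTIONS = 40, MAX_OPTION_LEN = 40 };
    u_int8_t *option_ptr = o_list;
    u_int32_t bytes_processed = 0;
    u_int32_t current_option = 0;
    u_char done = 0;

    while((bytes_processed < o_len) && (current_option < MAX_OPTIONS) && !done)
    {
        u_int8_t code = *option_ptr;
        u_int32_t olen;     /* bytes this option occupies on the wire */

        p->ip_options[current_option].code = code;

        switch(code)
        {
            case IPOPT_EOL:
                /* if we hit an EOL, we're done */
                done = 1;
                /* fallthrough */
            case IPOPT_NOP:
                p->ip_options[current_option].len = 0;
                p->ip_options[current_option].data = NULL;
                olen = 1;
                break;

            default:
                /*
                 * Every other option carries a length byte that counts the
                 * type and length bytes themselves.  That includes
                 * IPOPT_RTRALT, which is a 4 byte option (RFC 2113) and
                 * must not be stepped over as a single byte.
                 */
                if(bytes_processed + 1 >= o_len)
                {
                    /* length byte is past the end of the list: bail */
                    done = 1;
                    p->pkt_flags |= PKT_IPOPTS_BAD;
                    olen = 0;
                }
                else
                {
                    olen = *(option_ptr + 1);
                    if(olen > MAX_OPTION_LEN)
                    {
                        olen = MAX_OPTION_LEN;
                    }
                    else if(olen < 2)
                    {
                        /* shorter than its own header: indicates a bad
                         * option list, so we bail */
                        done = 1;
                        p->pkt_flags |= PKT_IPOPTS_BAD;
                        olen = 0;
                    }
                }
                p->ip_options[current_option].len = olen;
                p->ip_options[current_option].data =
                    olen ? option_ptr + 2 : NULL;
                break;
        }

        option_ptr += olen;
        bytes_processed += olen;
        current_option++;
    }

    /* trim or drop the last option if it ran past the end of the list;
     * the entry concerned is current_option - 1 (see DecodeTCPOptions) */
    if((bytes_processed > o_len) && (current_option > 0))
    {
        u_int32_t overrun = bytes_processed - o_len;
        u_int32_t last = current_option - 1;

        if(p->ip_options[last].len > overrun)
        {
            p->ip_options[last].len -= overrun;
        }
        else
        {
            current_option--;
        }
        p->pkt_flags |= PKT_IPOPTS_BAD;
    }

    p->ip_option_count = current_option;
}

/*
 * Function: CreateTCPFlagString(Packet *, char *)
 *
 * Purpose: Render p->tcph->th_flags as the 8 character string
 *          "12UAPRSF", with '*' in place of every clear bit, for anyone
 *          that needs to print a TCP flag string.
 *
 * Arguments: p          => decoded packet; p->tcph may be NULL
 *            flagBuffer => caller-owned buffer of at least 9 bytes
 *
 * Returns: void function.  flagBuffer is always NUL terminated; when
 *          p->tcph is NULL every position is '*'.
 */
void CreateTCPFlagString(Packet *p, char *flagBuffer)
{
    enum { FLAG_STR_LEN = 8 };
    /* flag bit -> character, in print order */
    const struct
    {
        unsigned int bit;
        char ch;
    } flags[FLAG_STR_LEN] = {
        { TH_RES1, '1' }, { TH_RES2, '2' }, { TH_URG, 'U' }, { TH_ACK, 'A' },
        { TH_PUSH, 'P' }, { TH_RST,  'R' }, { TH_SYN, 'S' }, { TH_FIN, 'F' },
    };
    size_t i;

    memset(flagBuffer, '\0', FLAG_STR_LEN + 1);

    if(p->tcph == NULL)
    {
        /* no TCP header (truncated packet): show all bits as clear
         * rather than dereferencing NULL */
        memset(flagBuffer, '*', FLAG_STR_LEN);
        return;
    }

    for(i = 0; i < FLAG_STR_LEN; i++)
    {
        flagBuffer[i] = (p->tcph->th_flags & flags[i].bit) ? flags[i].ch : '*';
    }
}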
