
📄 sll.c

📁 Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前
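#include <stdlib.h>
#include <stdio.h>
#include <netinet/in.h>
#include <firestorm.h>
#include <packet.h>
#include <args.h>
#include <plugin.h>
#include <alert.h>
#include <signature.h>
#include <decode.h>
#include <preproc.h>

PLUGIN_STD_DEFS();

/* Dispatch callback supplied by the host in PLUGIN_DECODE; the decoders call
 * it once no child protocol matches. */
proc_dispatch dispatch;

/* Header layout read by the "linux" decoder straight from the layer's raw
 * pointer. Fields are used without byte-order conversion. */
struct linux_sll {
	unsigned short	sll_family;
	unsigned short	sll_protocol;
	int		sll_ifindex;
	unsigned short	sll_hatype;
	unsigned char	sll_pkttype;
	unsigned char	sll_halen;
	unsigned char	sll_addr[8];
};

/*
 * Distance lsll_decode() advances from the linux_sll header to the next layer.
 * NOTE(review): the members of struct linux_sll add up to 20 bytes with a
 * 2-byte short and 4-byte int, not 48 -- confirm which value is intended.
 */
enum { LSLL_NEXT_OFFSET = 48 };

/* SLL: Linux sockaddr link layer */
void sll_decode(struct packet *);
int sll_print(struct layer *, char *, int);
void lsll_decode(struct packet *);
int lsll_print(struct layer *, char *, int);

struct proto sll_p=init_proto("sll", sll_decode, sll_print);
struct proto lsll_p=init_proto("linux", lsll_decode, lsll_print);

/* The "linux" decoder registers with no parent-protocol request. */
struct proto_req lsll_r[]={
	null_request()
};

/* The "sll" decoder asks for pcap link type 0x71 (113, libpcap's
 * DLT_LINUX_SLL). */
struct proto_req sll_r[]={
	proto_request("__pcap_dlt", 0x71),
	null_request()
};

/* Packet-type names, indexed by the header's packet-type value. */
char *ptype[]={
	"unicast",
	"broadcast",
	"multicast",
	"promisc",
	"outgoing",
	"loopback",
	"fastroute"
};

/* Number of entries in ptype[]; packet-type values at or above this are
 * printed as "unknown" rather than used as an index. */
#define PTYPE_COUNT (sizeof(ptype) / sizeof(ptype[0]))

/*
 * Write a printable name for a hardware type into buf.
 *
 * hatype: hardware type; 1 prints as "ethernet", 772 as "loopback", anything
 *         else as its decimal value.
 * buf:    destination buffer.
 * buflen: size of buf in bytes.
 *
 * Returns snprintf()'s result, or 0 when buf is NULL or buflen is not
 * positive (nothing is written in that case).
 */
int sll_name(unsigned short hatype, char *buf, int buflen)
{
	if (!buf || buflen <= 0)
		return 0;

	if (hatype == 1)
		return snprintf(buf, buflen, "ethernet");
	if (hatype == 772)
		return snprintf(buf, buflen, "loopback");

	/* Bound the write by the caller's length. sizeof(buf) is the size of a
	 * pointer here, which truncated the number in large buffers and could
	 * overrun buffers smaller than a pointer. */
	return snprintf(buf, (size_t)buflen, "%u", (unsigned)hatype);
}

/*
 * Format a one-line summary of a pcap SLL layer: packet-type name and the
 * protocol field in hex. Both fields are converted from network byte order.
 *
 * Returns snprintf()'s result.
 */
int sll_print(struct layer *l, char *buf, int buflen)
{
	struct pkt_sllhdr *sll = l->h.sll;
	u_int16_t pt = ntohs(sll->sll_pkttype);
	/* pt comes from the captured packet, so range-check before indexing. */
	char *type = (pt < PTYPE_COUNT) ? ptype[pt] : "unknown";

	return snprintf(buf, buflen, "%s proto=0x%.4x",
		type, ntohs(sll->sll_protocol));
}

/*
 * Format a one-line summary of a linux_sll layer: interface index,
 * packet-type name and hardware-type name.
 *
 * Returns snprintf()'s result.
 */
int lsll_print(struct layer *l, char *buf, int buflen)
{
	struct linux_sll *sll = (struct linux_sll *)l->h.raw;
	char hdr[32];
	char *type;

	/* sll_pkttype is read from the packet; range-check before indexing. */
	if (sll->sll_pkttype < PTYPE_COUNT)
		type = ptype[sll->sll_pkttype];
	else
		type = "unknown";

	sll_name(sll->sll_hatype, hdr, sizeof(hdr));

	return snprintf(buf, buflen,
		"if%i:%s - %s",
		sll->sll_ifindex,
		type,
		hdr);
}

/*
 * Decode a linux_sll layer: record where the next layer starts, then hand the
 * packet to the child decoder whose id equals sll_protocol, or to dispatch()
 * when no child matches.
 *
 * Returns without dispatching when the header does not fit before p->end or
 * when the layer table is full.
 */
void lsll_decode(struct packet *p)
{
	struct proto_child *pc;
	struct layer *l = &p->layer[p->llen];
	struct linux_sll *sll = (struct linux_sll *)l->h.raw;

	/* Only store the next layer's start when that slot exists. The original
	 * wrote layer[llen+1] before comparing llen with PKT_LAYERS, which
	 * writes past the table if it holds PKT_LAYERS entries (presumably so,
	 * given the check below -- confirm against packet.h). */
	if (p->llen + 1 < PKT_LAYERS)
		p->layer[p->llen + 1].h.raw = l->h.raw + LSLL_NEXT_OFFSET;

	/* Truncated packet: the next layer would start beyond the capture. */
	if (l->h.raw + LSLL_NEXT_OFFSET > p->end)
		return;

	p->llen++;
	if (p->llen >= PKT_LAYERS)
		return;

	for (pc = l->proto->children; pc; pc = pc->next) {
		if (sll->sll_protocol != pc->id)
			continue;

		p->layer[p->llen].flags = 0;
		p->layer[p->llen].session = NULL;
		p->layer[p->llen].proto = pc->proto;
		pc->proto->decode(p);
		return;
	}

	/* No child decoder: keep the payload as an untyped layer only when it
	 * is non-empty. */
	if (p->layer[p->llen].h.raw < p->end)
		p->layer[p->llen++].proto = NULL;

	dispatch(p);
}

/*
 * Decode a pcap SLL layer: record where the next layer starts, set the
 * packet-type flags when this is the first layer and they are not yet set,
 * then hand the packet to the child decoder whose id equals sll_protocol, or
 * to dispatch() when no child matches.
 *
 * Returns without dispatching when the header does not fit before p->end or
 * when the layer table is full.
 */
void sll_decode(struct packet *p)
{
	struct proto_child *pc;
	struct layer *l = &p->layer[p->llen];

	/* Only store the next layer's start when that slot exists. The original
	 * wrote layer[llen+1] before comparing llen with PKT_LAYERS, which
	 * writes past the table if it holds PKT_LAYERS entries (presumably so,
	 * given the check below -- confirm against packet.h). */
	if (p->llen + 1 < PKT_LAYERS)
		p->layer[p->llen + 1].h.raw =
			l->h.raw + sizeof(struct pkt_sllhdr);

	/* Truncated packet: the next layer would start beyond the capture. */
	if (l->h.raw + sizeof(struct pkt_sllhdr) > p->end)
		return;

	/*
	 * If this is the first layer, then perhaps
	 * we should set the packet type.
	 *
	 * The test uses '&': the original "p->flags | FP_PKTTYPE" is non-zero
	 * whenever FP_PKTTYPE is, so this branch could never run.
	 */
	if (p->llen == 0 && !(p->flags & FP_PKTTYPE)) {
		p->flags &= ~FPMASK_PKTTYPE;
		p->flags |= FP_PKTTYPE;

		/* Same 16-bit swap as the original htons(); ntohs() names the
		 * direction and matches sll_print(). */
		switch (ntohs(l->h.sll->sll_pkttype)) {
		case 0:
			p->flags |= FP_HOST;
			break;
		case 1:
			p->flags |= FP_BROADCAST;
			break;
		case 2:
			p->flags |= FP_MULTICAST;
			break;
		case 4:
			p->flags |= FP_OUTGOING;
			break;
		case 3:
		default:
			p->flags |= FP_PROMISC;
			break;
		}
	}

	p->llen++;
	if (p->llen >= PKT_LAYERS)
		return;

	for (pc = l->proto->children; pc; pc = pc->next) {
		if (l->h.sll->sll_protocol != pc->id)
			continue;

		p->layer[p->llen].flags = 0;
		p->layer[p->llen].session = NULL;
		p->layer[p->llen].proto = pc->proto;
		pc->proto->decode(p);
		return;
	}

	p->layer[p->llen].proto = NULL;
	dispatch(p);
}

/*
 * Decoder registration hook: stores the host's dispatch callback and
 * registers both decoders with their request tables.
 *
 * Returns PLUGIN_ERR_OK when the summed decode_add() results are non-zero,
 * PLUGIN_ERR_FAIL otherwise.
 * NOTE(review): if decode_add() returns 0 on failure, a single successful
 * registration is enough to report OK -- confirm that is intended.
 */
int PLUGIN_DECODE (struct decode_api *d)
{
	int ok = 0;

	object_check(d);

	dispatch = d->dispatch;

	ok += d->decode_add(&sll_p, sll_r);
	ok += d->decode_add(&lsll_p, lsll_r);

	if (ok)
		return PLUGIN_ERR_OK;
	return PLUGIN_ERR_FAIL;
}

/* Plugin initialisation hook: declares the plugin's id, version, author and
 * license through the PLUGIN_* macros. */
int PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
{
	plugin_check(in, out);

	PLUGIN_ID("decode.sll", "Linux SLL");
	PLUGIN_VERSION(1, 0);
	PLUGIN_AUTHOR("Gianni Tedesco", "gianni@scaramanga.co.uk");
	PLUGIN_LICENSE("GPL");

	return PLUGIN_ERR_OK;
}

/* Plugin unload hook: nothing to release, so it always reports success. */
int PLUGIN_UNLOAD (int code)
{
	return PLUGIN_ERR_OK;
}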
