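#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <firestorm.h>
#include <args.h>
#include <packet.h>
#include <plugin.h>
#include <alert.h>
#include <signature.h>
#include <decode.h>
#include <preproc.h>

PLUGIN_STD_DEFS();

/* Hand-off to the engine once decoding stops; filled in by
 * PLUGIN_DECODE() from the decode API. */
proc_dispatch dispatch;

/* libpcap link-layer type for Ethernet */
#define DLT_EN10MB 1

void ether_decode(struct packet *);
void null_decode(struct packet *);
void llc_decode(struct packet *);
void snap_decode(struct packet *);
int ether_dprint(struct layer *, char *, int);
int llc_dprint(struct layer *, char *, int);
int snap_dprint(struct layer *, char *, int);

/*
 * Registered through the "decode.add" function.  These structures
 * cannot be const and must be initialised with the provided macros.
 */
struct proto ether_p=init_proto("ethernet", ether_decode, ether_dprint);

/*
 * How our protocols relate to existing ones.  Must be initialised
 * with the provided macros; arrays are terminated by a null element.
 */
struct proto_req ether_r[]={
	proto_request("__pcap_dlt", DLT_EN10MB),
	null_request()
};
struct proto_req snap_r[]={
	proto_request("llc", 0xaa),
	null_request()
};

/* 802.3 MAC hacks: "802.3" and "802.3-novell" are never decoded on
 * their own (null_decode); they exist so that ether_decode() can
 * re-label a layer and children can attach to the right name. */
struct proto_req mac_r[]={null_request()};
struct proto mac_p=init_proto("802.3", null_decode, ether_dprint);
struct proto nw_p=init_proto("802.3-novell", null_decode, ether_dprint);
struct proto llc_p=init_proto("llc", llc_decode, llc_dprint);
struct proto snap_p=init_proto("snap", snap_decode, snap_dprint);

/* printf helpers for a six-byte MAC address held as unsigned char[6] */
#define MAC_FMT "%02x:%02x:%02x:%02x:%02x:%02x"
#define MAC_ARG(m) (m)[0], (m)[1], (m)[2], (m)[3], (m)[4], (m)[5]

/*
 * Reserve the layer slot after l and point it just past l's header of
 * hlen bytes.  Returns the new layer (p->llen already advanced), or
 * NULL when the layer array is full or the header runs past p->end.
 *
 * The room check deliberately comes BEFORE the store: the previous
 * code wrote p->layer[p->llen+1].h.raw first and only then compared
 * p->llen with PKT_LAYERS, which is a one-element overrun whenever
 * p->layer has exactly PKT_LAYERS entries (assumed here - confirm
 * against struct packet).  On a full array the packet is dropped,
 * exactly as before, but p->llen is left untouched.
 */
static struct layer *next_layer(struct packet *p, struct layer *l, size_t hlen)
{
	struct layer *next;

	if ( p->llen+1 >= PKT_LAYERS ) return NULL;

	next=&p->layer[p->llen+1];
	next->h.raw=l->h.raw+hlen;
	if ( next->h.raw > p->end ) return NULL;

	p->llen++;
	return next;
}

/* Initialise the reserved layer and recurse into the child protocol */
static void decode_child(struct packet *p, struct layer *next, struct proto_child *pc)
{
	next->flags=0;
	next->session=NULL;
	next->proto=pc->proto;
	pc->proto->decode(p);
}

/* No child claimed the payload: count any remaining bytes as an
 * opaque data layer (proto NULL) and hand the packet to the engine. */
static void dispatch_data(struct packet *p, struct layer *next)
{
	if ( next->h.raw < p->end ) {
		next->proto=NULL;
		p->llen++;
	}
	dispatch(p);
}

/*
 * Describe an Ethernet header as "src > dst length=N" (802.3) or
 * "src > dst proto=0xNNNN" (Ethernet II).  Shared by the "ethernet",
 * "802.3" and "802.3-novell" protos, which all sit on the same header.
 *
 * Output is bounded by buflen: the previous version used bare sprintf()
 * and could write around fifty bytes regardless of buffer size.  Like
 * llc_dprint() and snap_dprint() it returns the snprintf() value, i.e.
 * the length the full description needs (>= buflen means truncated).
 *
 * Assumes l->h.raw covers a complete 14-byte header, which is what
 * ether_decode() checks before the layer is accepted.
 */
int ether_dprint(struct layer *l, char *buf, int buflen)
{
	const unsigned char *hdr=(const unsigned char *)l->h.raw;
	size_t n=(buflen > 0) ? (size_t)buflen : 0;
	unsigned proto=ntohs(l->h.eth->proto);

	/* Source MAC is bytes 6..11, destination is bytes 0..5 */
	if ( proto <= 1500 ) {
		return snprintf(buf, n, MAC_FMT " > " MAC_FMT " length=%u",
			MAC_ARG(hdr+6), MAC_ARG(hdr), proto);
	}
	return snprintf(buf, n, MAC_FMT " > " MAC_FMT " proto=0x%.4x",
		MAC_ARG(hdr+6), MAC_ARG(hdr), proto);
}

/* Describe an LLC header; both SAPs masked to a single byte */
int llc_dprint(struct layer *l, char *buf, int buflen)
{
	return snprintf(buf, buflen, "dsap=0x%x lsap=0x%x",
		l->h.llc->dsap&0xff,
		l->h.llc->lsap&0xff);
}

/*
 * LLC decoding; usually a SNAP header follows.  Children are matched
 * on the DSAP byte only (the original FIXME questioning that still
 * stands - the SSAP is not consulted).
 */
void llc_decode(struct packet *p)
{
	struct proto_child *pc;
	struct layer *l=&p->layer[p->llen];
	struct layer *next;

	next=next_layer(p, l, sizeof(struct pkt_llchdr));
	if ( next == NULL ) return;

	/* FIXME: Is checking the DSAP correct behaviour? */
	for(pc=l->proto->children; pc; pc=pc->next) {
		if ( l->h.llc->dsap == (u_int8_t)(pc->id&0xff) ) {
			decode_child(p, next, pc);
			return;
		}
	}

	dispatch_data(p, next);
}

/* Describe a SNAP header by its OUI; bytes masked like llc_dprint()
 * so a signed char org[] cannot print as ffffffxx */
int snap_dprint(struct layer *l, char *buf, int buflen)
{
	return snprintf(buf, buflen, "org=%.2x%.2x%.2x",
		l->h.snap->org[0]&0xff,
		l->h.snap->org[1]&0xff,
		l->h.snap->org[2]&0xff);
}

/*
 * SNAP decoding.  The SNAP protocol field carries an EtherType, so the
 * children of ether_p are searched rather than our own, comparing the
 * raw (network order) field against pc->id exactly as ether_decode()
 * does.
 */
void snap_decode(struct packet *p)
{
	struct proto_child *pc;
	struct layer *l=&p->layer[p->llen];
	struct layer *next;

	next=next_layer(p, l, sizeof(struct pkt_snaphdr));
	if ( next == NULL ) return;

	for(pc=ether_p.children; pc; pc=pc->next) {
		if ( l->h.snap->proto == pc->id ) {
			decode_child(p, next, pc);
			return;
		}
	}

	dispatch_data(p, next);
}

/* Placeholder decoder for "802.3" / "802.3-novell": those labels are
 * only ever applied by ether_decode(), so reaching here is a bug. */
void null_decode(struct packet *p)
{
	mesg(M_DEBUG,"ether: null decode called!");
	return;
}

/*
 * Decode the Ethernet frame at p->layer[p->llen].
 *
 * A type/length field of 1500 or less marks an 802.3 frame.  Of those,
 * raw Novell IPX frames (payload starting 0xffff) are re-labelled
 * "802.3-novell" and passed to that proto's first child; everything
 * else is re-labelled "802.3" and always carries LLC next.  Larger
 * values are Ethernet II types, matched raw against each child's id.
 */
void ether_decode(struct packet *p)
{
	struct proto_child *pc;
	struct layer *l=&p->layer[p->llen];
	struct layer *next;

	next=next_layer(p, l, sizeof(struct pkt_ethhdr));
	if ( next == NULL ) return;

	if ( ntohs(l->h.eth->proto) <= 1500 ) {
		const unsigned char *payload=(const unsigned char *)next->h.raw;

		/*
		 * Raw 802.3 Novell IPX has no LLC header; the payload
		 * begins with the IPX checksum field 0xffff.  Inspect the
		 * PAYLOAD for it.  The previous code looked at
		 * p->layer[i].h.raw with i == the Ethernet layer, i.e. the
		 * first two bytes of the destination MAC, which tagged every
		 * 802.3 broadcast as Novell and never matched unicast IPX.
		 */
		if ( next->h.raw+2 <= p->end &&
			payload[0]==0xff && payload[1]==0xff ) {
			l->proto=&nw_p;
		}else{
			l->proto=&mac_p;
			next->flags=0;
			next->session=NULL;
			next->proto=&llc_p;
			llc_p.decode(p);
			return;
		}
	}

	/* Ethernet II: match the raw type; 802.3-novell: first child wins */
	for(pc=l->proto->children; pc; pc=pc->next) {
		if ( l->proto==&nw_p || l->h.eth->proto == pc->id ) {
			decode_child(p, next, pc);
			return;
		}
	}

	dispatch_data(p, next);
}

/*
 * Register our protocols with the decode engine.
 *
 * NOTE(review): ok sums the decode_add() results, so the plugin reports
 * success if ANY registration succeeded.  decode_add's return
 * convention is not visible here, so this is left as is - confirm
 * whether all five should be required.
 */
int PLUGIN_DECODE (struct decode_api *d)
{
	int ok=0;

	object_check(d);
	dispatch=d->dispatch;

	ok+=d->decode_add(&ether_p, ether_r);
	ok+=d->decode_add(&mac_p, mac_r);
	ok+=d->decode_add(&nw_p, mac_r);
	ok+=d->decode_add(&llc_p, mac_r);
	ok+=d->decode_add(&snap_p, snap_r);

	return (ok) ? PLUGIN_ERR_OK : PLUGIN_ERR_FAIL;
}

/* Plugin entry point.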
This function is called straight away
 * after firestorm loads us.  plugin_check() has to run before anything
 * else: it bails out if the plugin protocol is violated. */
int PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
{
	plugin_check(in, out);

	/* Identify ourselves to firestorm */
	PLUGIN_ID("decode.ether", "Ethernet II, 802.3, LLC and SNAP");
	PLUGIN_VERSION(2, 1);
	PLUGIN_AUTHOR("Gianni Tedesco", "gianni@scaramanga.co.uk");
	PLUGIN_LICENSE("GPL");

	/* Report a clean load */
	return PLUGIN_ERR_OK;
}

/* Called just before we are unloaded.  Nothing here owns memory or
 * descriptors, so there is nothing to release and the code is unused. */
int PLUGIN_UNLOAD (int code)
{
	return PLUGIN_ERR_OK;
}
