pcapfile.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

#include <stdlib.h>
#include <pcap.h>

#include <firestorm.h>
#include <plugin.h>
#include <packet.h>
#include <cleanup.h>
#include <args.h>
#include <alert.h>
#include <signature.h>
#include <decode.h>
#include <capture.h>
#include <args.h>

PLUGIN_STD_DEFS();

struct fpcap_priv {
	pcap_t		*pcap_desc;
	struct packet	pkt;
	struct proto	*proto;
};

int cb_file(struct arg *, void *);
struct arg pf_args[]={
	{"file",ARGTYPE_STRING,cb_file},
	{NULL,ARGTYPE_NOP,NULL}
};

proc_args_parse args_parse;
proc_decode_subproto decode_subproto;
proc_serial_number serial_number;

int cb_file(struct arg *a, void *priv)
{
	struct fpcap_priv *p=priv;

	char ebuf[PCAP_ERRBUF_SIZE];
	unsigned int lnk;

	if ( !p ) return 0;

	if ( p->pcap_desc ) {
		mesg(M_ERR,"pcapfile: Can't specify two interfaces!");
		return 0;
	}

	if ( !(p->pcap_desc=pcap_open_offline(a->val.v_str, ebuf)) ) {
		mesg(M_ERR,"pcapfile: %s", ebuf);
		return 0;
	}

	lnk=pcap_datalink(p->pcap_desc);

	if ( !(p->proto=decode_subproto("__pcap_dlt",lnk)) ) {
		mesg(M_ERR,"pcapfile: %s: Dont support protocol 0x%x",
			a->val.v_str, lnk);
		pcap_close(p->pcap_desc);
		return 0;
	}

	return 1;
}

void *fpcap_init(char *args)
{
	struct fpcap_priv *p=NULL;

	if ( !args )
		return NULL;

	if ( !(p=calloc(1, sizeof(*p))) )
		return NULL;

	switch( args_parse(pf_args, args, p) ) {
	case -1:
		mesg(M_ERR,"pcapfile: parse error: %s", args);
	case 0: /* fall through */
		free(p);
		p=NULL;
		return 0;
	default:
		p->pkt.flags=FP_CLONE|FP_PROMISC;
		return p;
	}
}

void fpcap_end(void *priv)
{
	struct fpcap_priv *p=priv;

	if ( p && p->pcap_desc ) pcap_close(p->pcap_desc);
	if ( p ) free(p);
}

void lpf_callback(u_char *user, struct pcap_pkthdr *header, u_char *data)
{
	struct fpcap_priv *p;

	if ( !(p=(struct fpcap_priv *)user) ) return;

	/* Pointers */
	p->pkt.base=data;
	p->pkt.end=data;
	p->pkt.end+=header->caplen;

	/* Timestamp */
	p->pkt.time.tv_sec=header->ts.tv_sec;
	p->pkt.time.tv_usec=header->ts.tv_usec;

	/* length */
	p->pkt.caplen=header->caplen;
	p->pkt.len=header->len;

	/* first layer */
	p->pkt.layer[0].proto=p->proto;
	p->pkt.layer[0].h.raw=p->pkt.base;
	p->pkt.layer[0].flags=0;
	p->pkt.layer[0].session=NULL;
	p->pkt.llen=0;

	serial_number(&p->pkt.serial);
	p->proto->decode(&p->pkt);
}

void fpcap_go(void *priv, struct capture *c)
{
	struct fpcap_priv *p=priv;

	p->pkt.capture=c;

	while(c->state==CAP_STATE_CAPTURE) {
		if ( pcap_dispatch(p->pcap_desc, 1,
			(pcap_handler)lpf_callback, priv)<1 ) {
			c->state=CAP_STATE_STOP;
			break;
		}
	}
}

struct capdev pcapfile_cap={
	.name="pcapfile",
	.init=fpcap_init,
	.end=fpcap_end,
	.go=fpcap_go
};

int PLUGIN_CAPDEV (struct capture_api *c)
{
	object_check(c);

	serial_number=c->serial_number;
	decode_subproto=c->decode_subproto;
	args_parse=c->args_parse;

	if ( !c->capdev_add(&pcapfile_cap) )
		return PLUGIN_ERR_FAIL;

	return PLUGIN_ERR_OK;
}

int PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
{
	/* validate input */
	plugin_check(in, out);

	/* tell firestorm who we are */
	PLUGIN_ID("capture.pcapfile", "Offline libpcap capture");
	PLUGIN_VERSION(1, 0);
	PLUGIN_AUTHOR("Gianni Tedesco", "gianni@scaramanga.co.uk");
	PLUGIN_LICENSE("GPL");

	return PLUGIN_ERR_OK;
}

int PLUGIN_UNLOAD (int code) {
	return PLUGIN_ERR_OK;
}