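#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <limits.h>
#include <time.h>
#include <sys/time.h>
/* Local defines */
#include "netconfig.h"
#include "functions.h"
#include <netinet/udp.h>
#include <netinet/tcp.h>

extern int FlgDebug;
extern int FlgExtraDebug;
extern u_short PcapOffset;            /* link-layer header bytes to skip before the IP header */
extern u_long TO;                     /* idle timeout; scaled by 3000000 in dolisten() */
extern struct icmp_item *ICMP_Recv;   /* signature lists, built elsewhere; walked via ->Next */
extern struct udp_item *UDP_Recv;
extern struct tcp_item *TCP_Recv;

/*
 * Minimum "IP + transport header" sizes.  Kept with external linkage because
 * other translation units may reference them; the checkers below bound their
 * reads with the header lengths found in the packet itself rather than with
 * these fixed values.
 */
u_short ICMPMIN = sizeof(struct icmp) + sizeof(struct ip);
u_short UDPMIN  = sizeof(struct udphdr) + sizeof(struct ip);
u_short TCPMIN  = sizeof(struct tcphdr) + sizeof(struct ip);

/*
 * Bounded substring search over a captured payload.
 *
 * The payload is not NUL-terminated, so strstr() could read past the end of
 * the capture buffer.  Only the first plen bytes are examined.  Unlike strstr()
 * the search does not stop at an embedded NUL byte.
 *
 * Returns 1 if needle occurs within payload[0..plen), else 0.  An empty needle
 * always matches, mirroring strstr().
 */
static int payload_contains(const u_char *payload, size_t plen, const char *needle)
{
    size_t nlen = strlen(needle);

    if (nlen == 0)
        return 1;
    if (plen < nlen)
        return 0;
    for (size_t i = 0; i <= plen - nlen; i++) {
        if (memcmp(payload + i, needle, nlen) == 0)
            return 1;
    }
    return 0;
}

/*
 * IP header length in bytes, taken from ip_hl.
 *
 * Returns 0 when the advertised length is shorter than the fixed header or
 * longer than the captured length len, so callers can bail out instead of
 * reading outside the capture.
 */
static size_t ip_header_len(const struct ip *sip, u_short len)
{
    size_t iphl = (size_t)sip->ip_hl << 2;

    if (iphl < sizeof(struct ip) || iphl > (size_t)len)
        return 0;
    return iphl;
}

/*
 * Capture loop.  Hands packets to read_processor() one at a time until the
 * parent process is gone (getppid() == 1).  The inner loop runs until no
 * packet has been seen for TO*3000000 ticks of TIMEVAL_SUBTRACT()'s unit,
 * then the parent check is repeated.
 *
 * @param pd  open pcap handle, owned by the caller.
 */
void dolisten(pcap_t *pd)
{
    u_char *recvpack = NULL;   /* user argument for the callback; read_processor() ignores it */
    struct timeval now;
    struct timeval start;

    if (FlgExtraDebug)
        printf("Starting listener. Data offset = %d\n", PcapOffset);

    gettimeofday(&start, NULL);
    now = start;

    /* NOTE(review): start is not refreshed when the inner loop times out, so
     * subsequent idle iterations exit immediately — confirm this is intended. */
    while (getppid() != 1) {
        do {
            switch (pcap_dispatch(pd, 1, (pcap_handler)read_processor, recvpack)) {
            case 0:
                /* Nothing read: advance the clock so the idle timeout can expire. */
                gettimeofday(&now, NULL);
                break;
            case -1:
                /* Error */
                fprintf(stderr, "pcap_dispatch error: %s\n", pcap_geterr(pd));
                gettimeofday(&now, NULL);
                break;
            default:
                /* Read something: restart the idle timer.  The original placed
                 * the `now = start` reset after the break, where it never ran. */
                gettimeofday(&start, NULL);
                now = start;
                break;
            }
        } while (TIMEVAL_SUBTRACT(now, start) < (TO * 3000000));
    }
}

/*
 * pcap callback: strips the link-layer header and dispatches on ip_p.
 *
 * @param disp  unused user argument from pcap_dispatch().
 * @param h     pcap packet header; only caplen is used.
 * @param data  captured bytes starting at the link-layer header.
 */
void read_processor(u_char *disp, struct pcap_pkthdr *h, u_char *data)
{
    struct ip *srcip;
    size_t ilen;
    u_short len;

    (void)disp;

    /* The IP header must be fully captured before it is read through srcip. */
    if ((size_t)h->caplen < (size_t)PcapOffset + sizeof(struct ip))
        return;

    data += PcapOffset;   /* Skip device header */
    ilen = (size_t)h->caplen - PcapOffset;
    len = ilen > USHRT_MAX ? USHRT_MAX : (u_short)ilen;   /* checkers take u_short */
    srcip = (struct ip *)data;

    /* Alignment guard: the packet is only read through a struct ip pointer
     * when the pointer is 4-byte aligned.  (The message speaks of
     * fragmentation, but the test is on pointer alignment.) */
    if ((uintptr_t)srcip & 3) {
        printf("Fragmented packet encountered. I don't deal with these.\n");
        return;
    }

    /* Non-first fragments carry no transport header; matching them would
     * treat payload bytes as ports/types.  First fragments still go through. */
    if (ntohs(srcip->ip_off) & IP_OFFMASK)
        return;

    switch (srcip->ip_p) {
    case IPPROTO_ICMP:
        check_icmp(data, len);
        break;
    case IPPROTO_UDP:
        check_udp(data, len);
        break;
    case IPPROTO_TCP:
        check_tcp(data, len);
        break;
    /* Not satisfactory but working to detect Stacheldraht V4 Agents (per CERTA) */
    case IPPROTO_EGP:
        check_icmp(data, len);
        break;
    default:
        break;
    }
}

/*
 * Match a captured TCP packet against every entry of TCP_Recv.
 *
 * Each entry scores one point per matching source port, destination port and
 * payload string; an entry whose score reaches nmatch is reported.  Header
 * lengths are taken from the packet and checked against len so nothing is
 * read beyond the captured bytes.
 *
 * @param data  captured bytes starting at the IP header.
 * @param len   number of captured bytes from data onward.
 */
void check_tcp(u_char *data, u_short len)
{
    struct ip *sip = (struct ip *)data;
    struct tcphdr *itcp;
    struct tcp_item *current;
    const u_char *payload = NULL;
    size_t plen = 0;
    size_t iphl, thl;

    iphl = ip_header_len(sip, len);
    if (iphl == 0 || (size_t)len < iphl + sizeof(struct tcphdr))
        return;   /* fixed TCP header not fully captured */
    itcp = (struct tcphdr *)(data + iphl);

    /* Payload starts after the TCP options; a bogus or truncated data offset
     * disables the string check but still allows port matching. */
    thl = (size_t)itcp->th_off << 2;
    if (thl >= sizeof(struct tcphdr) && iphl + thl <= (size_t)len) {
        payload = data + iphl + thl;
        plen = (size_t)len - iphl - thl;
    }

    for (current = TCP_Recv; current != NULL; current = current->Next) {
        int status = 0;

        if (ntohs(itcp->th_sport) == current->sport)
            status++;
        if (ntohs(itcp->th_dport) == current->dport)
            status++;
        if (plen > 0 && current->string != NULL &&
            payload_contains(payload, plen, current->string))
            status++;

        if (FlgExtraDebug)
            printf("%s TCP Status: %d\n", inet_ntoa(sip->ip_src), status);
        if (status >= current->nmatch) {
            printf("**** %s infected with %s\n", inet_ntoa(sip->ip_src), current->name);
            fflush(NULL);
        }
    }
}

/*
 * Match a captured UDP packet against every entry of UDP_Recv.
 *
 * Same scoring as check_tcp().  The transport header is located with the IP
 * header length from the packet (the original assumed a 20-byte IP header),
 * consistent with check_tcp().
 *
 * @param data  captured bytes starting at the IP header.
 * @param len   number of captured bytes from data onward.
 */
void check_udp(u_char *data, u_short len)
{
    struct ip *sip = (struct ip *)data;
    struct udphdr *iudp;
    struct udp_item *current;
    const u_char *payload = NULL;
    size_t plen = 0;
    size_t iphl;

    iphl = ip_header_len(sip, len);
    if (iphl == 0 || (size_t)len < iphl + sizeof(struct udphdr))
        return;   /* UDP header not fully captured */
    iudp = (struct udphdr *)(data + iphl);

    if ((size_t)len > iphl + sizeof(struct udphdr)) {
        payload = data + iphl + sizeof(struct udphdr);
        plen = (size_t)len - iphl - sizeof(struct udphdr);
    }

    for (current = UDP_Recv; current != NULL; current = current->Next) {
        int status = 0;

        if (ntohs(iudp->uh_sport) == current->sport)
            status++;
        if (ntohs(iudp->uh_dport) == current->dport)
            status++;
        if (plen > 0 && current->string != NULL &&
            payload_contains(payload, plen, current->string))
            status++;

        if (FlgExtraDebug)
            printf("%s UDP Status: %d\n", inet_ntoa(sip->ip_src), status);
        if (status >= current->nmatch) {
            printf("**** %s infected with %s\n", inet_ntoa(sip->ip_src), current->name);
            fflush(NULL);
        }
    }
}

/*
 * Match a captured ICMP packet against every entry of ICMP_Recv.
 *
 * Scores one point each for type, id, seq, code and payload string.  Only the
 * first ICMP_MINLEN bytes of the ICMP header (type/code/id/seq) must be
 * captured for the field checks; the string check needs the payload.
 *
 * @param data  captured bytes starting at the IP header.
 * @param len   number of captured bytes from data onward.
 */
void check_icmp(u_char *data, u_short len)
{
    struct ip *sip = (struct ip *)data;
    struct icmp *icp;
    struct icmp_item *current;
    const u_char *payload = NULL;
    size_t plen = 0;
    size_t iphl;

    iphl = ip_header_len(sip, len);
    if (iphl == 0 || (size_t)len < iphl + ICMP_MINLEN)
        return;   /* type/code/id/seq not fully captured */
    icp = (struct icmp *)(data + iphl);

    /* The string search starts sizeof(struct icmp) bytes into the ICMP
     * message, as in the original.  NOTE(review): that is larger than the
     * 8-byte echo header on common libcs, so a signature placed at the very
     * start of the echo data would be skipped — confirm against the
     * signature table before changing it. */
    if ((size_t)len > iphl + sizeof(struct icmp)) {
        payload = data + iphl + sizeof(struct icmp);
        plen = (size_t)len - iphl - sizeof(struct icmp);
    }

    for (current = ICMP_Recv; current != NULL; current = current->Next) {
        int status = 0;   /* Status of check */

        if (icp->icmp_type == current->type)
            status++;
        if (ntohs(icp->icmp_id) == current->id)
            status++;
        if (ntohs(icp->icmp_seq) == current->seq)
            status++;
        if (icp->icmp_code == current->code)
            status++;
        if (plen > 0 && current->string != NULL &&
            payload_contains(payload, plen, current->string))
            status++;

        if (FlgExtraDebug)
            printf("%s ICMP status: %d\n", inet_ntoa(sip->ip_src), status);
        if (status >= current->nmatch) {
            printf("**** %s infected with %s\n", inet_ntoa(sip->ip_src), current->name);
            fflush(NULL);
        }
    }
}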