2 * netsniff-ng - the packet sniffing beast
3 * Copyright (C) 2009, 2010 Daniel Borkmann
4 * Copyright (C) 2012 Christoph Jaeger <christoph@netsniff-ng.org>
5 * Subject to the GPL, version 2.
10 #include <netinet/in.h> /* for ntohs() */
11 #include <arpa/inet.h> /* for inet_ntop() */
15 #include "dissector_eth.h"
21 #define FRAG_OFF_RESERVED_FLAG(x) ((x) & 0x8000)
22 #define FRAG_OFF_NO_FRAGMENT_FLAG(x) ((x) & 0x4000)
23 #define FRAG_OFF_MORE_FRAGMENT_FLAG(x) ((x) & 0x2000)
24 #define FRAG_OFF_FRAGMENT_OFFSET(x) ((x) & 0x1fff)
26 /* IP Option Numbers (http://www.iana.org/assignments/ip-parameters) */
27 #define IP_OPT_EOOL 0x00
28 #define IP_OPT_NOP 0x01
30 #define IP_OPT_COPIED_FLAG(x) ((x) & 0x80)
31 #define IP_OPT_CLASS(x) (((x) & 0x60) >> 5)
32 #define IP_OPT_NUMBER(x) ((x) & 0x1F)
34 static void ipv4(struct pkt_buff
*pkt
)
36 uint16_t csum
, frag_off
, h_tot_len
;
37 char src_ip
[INET_ADDRSTRLEN
];
38 char dst_ip
[INET_ADDRSTRLEN
];
39 struct ipv4hdr
*ip
= (struct ipv4hdr
*) pkt_pull(pkt
, sizeof(*ip
));
40 uint8_t *opt
, *trailer
;
41 unsigned int trailer_len
= 0;
42 ssize_t opts_len
, opt_len
;
43 const char *city
, *region
, *country
;
48 frag_off
= ntohs(ip
->h_frag_off
);
49 h_tot_len
= ntohs(ip
->h_tot_len
);
50 csum
= calc_csum(ip
, ip
->h_ihl
* 4);
52 inet_ntop(AF_INET
, &ip
->h_saddr
, src_ip
, sizeof(src_ip
));
53 inet_ntop(AF_INET
, &ip
->h_daddr
, dst_ip
, sizeof(dst_ip
));
55 if ((pkt_len(pkt
) + sizeof(*ip
)) > h_tot_len
) {
56 trailer_len
= pkt_len(pkt
) + sizeof(*ip
) - h_tot_len
;
57 trailer
= pkt
->data
+ h_tot_len
+ trailer_len
;
61 tprintf(" [ Eth trailer ");
62 while (trailer_len
--) {
63 tprintf("%x", *(trailer
- trailer_len
));
69 tprintf("Addr (%s => %s), ", src_ip
, dst_ip
);
70 tprintf("Proto (%u), ", ip
->h_protocol
);
71 tprintf("TTL (%u), ", ip
->h_ttl
);
72 tprintf("TOS (%u), ", ip
->h_tos
);
73 tprintf("Ver (%u), ", ip
->h_version
);
74 tprintf("IHL (%u), ", ip
->h_ihl
);
75 tprintf("Tlen (%u), ", ntohs(ip
->h_tot_len
));
76 tprintf("ID (%u), ", ntohs(ip
->h_id
));
77 tprintf("Res (%u), NoFrag (%u), MoreFrag (%u), FragOff (%u), ",
78 FRAG_OFF_RESERVED_FLAG(frag_off
) ? 1 : 0,
79 FRAG_OFF_NO_FRAGMENT_FLAG(frag_off
) ? 1 : 0,
80 FRAG_OFF_MORE_FRAGMENT_FLAG(frag_off
) ? 1 : 0,
81 FRAG_OFF_FRAGMENT_OFFSET(frag_off
));
82 tprintf("CSum (0x%.4x) is %s", ntohs(ip
->h_check
),
83 csum
? colorize_start_full(black
, red
) "bogus (!)"
84 colorize_end() : "ok");
86 tprintf("%s should be 0x%.4x%s", colorize_start_full(black
, red
),
87 csum_expected(ip
->h_check
, csum
), colorize_end());
90 if (geoip_working()) {
91 struct sockaddr_in sas
, sad
;
93 memset(&sas
, 0, sizeof(sas
));
94 sas
.sin_family
= PF_INET
;
95 sas
.sin_addr
.s_addr
= ip
->h_saddr
;
97 memset(&sad
, 0, sizeof(sad
));
98 sad
.sin_family
= PF_INET
;
99 sad
.sin_addr
.s_addr
= ip
->h_daddr
;
101 tprintf("\t[ Geo (");
102 if ((country
= geoip4_country_name(&sas
))) {
103 tprintf("%s", country
);
104 if ((region
= geoip4_region_name(&sas
)))
105 tprintf(" / %s", region
);
106 if ((city
= geoip4_city_name(&sas
)))
107 tprintf(" / %s", city
);
112 if ((country
= geoip4_country_name(&sad
))) {
113 tprintf("%s", country
);
114 if ((region
= geoip4_region_name(&sad
)))
115 tprintf(" / %s", region
);
116 if ((city
= geoip4_city_name(&sad
)))
117 tprintf(" / %s", city
);
124 opts_len
= max_t(uint8_t, ip
->h_ihl
, sizeof(*ip
) / sizeof(uint32_t)) *
125 sizeof(uint32_t) - sizeof(*ip
);
127 for (opt
= pkt_pull(pkt
, opts_len
); opt
&& opts_len
> 0; opt
++) {
128 tprintf(" [ Option Copied (%u), Class (%u), Number (%u)",
129 IP_OPT_COPIED_FLAG(*opt
) ? 1 : 0, IP_OPT_CLASS(*opt
),
130 IP_OPT_NUMBER(*opt
));
140 * Assuming that EOOL and NOP are the only single-byte
141 * options, treat all other options as variable in
142 * length with a minimum of 2.
144 * TODO: option length might be incorrect in malformed packets,
145 * check and handle that
148 if (opt_len
> opts_len
) {
149 tprintf(", Len (%zd, invalid) ]\n", opt_len
);
152 tprintf(", Len (%zd) ]\n", opt_len
);
154 tprintf(" [ Data hex ");
155 for (opt_len
-= 2; opt_len
> 0; opt_len
--)
156 tprintf(" %.2x", *(++opt
));
162 /* cut off everything that is not part of IPv4 payload */
163 /* XXX there could still be an Ethernet trailer included or others */
165 pkt_trim(pkt
, pkt_len(pkt
) - min(pkt_len(pkt
),
166 (ntohs(ip
->h_tot_len
) - ip
->h_ihl
* sizeof(uint32_t))));
168 pkt_set_dissector(pkt
, ð_lay3
, ip
->h_protocol
);
171 static void ipv4_less(struct pkt_buff
*pkt
)
173 char src_ip
[INET_ADDRSTRLEN
];
174 char dst_ip
[INET_ADDRSTRLEN
];
175 struct ipv4hdr
*ip
= (struct ipv4hdr
*) pkt_pull(pkt
, sizeof(*ip
));
180 inet_ntop(AF_INET
, &ip
->h_saddr
, src_ip
, sizeof(src_ip
));
181 inet_ntop(AF_INET
, &ip
->h_daddr
, dst_ip
, sizeof(dst_ip
));
183 tprintf(" %s/%s Len %u", src_ip
, dst_ip
,
184 ntohs(ip
->h_tot_len
));
186 /* cut off IP options and everything that is not part of IPv4 payload */
187 pkt_pull(pkt
, max_t(uint8_t, ip
->h_ihl
, sizeof(*ip
) / sizeof(uint32_t))
188 * sizeof(uint32_t) - sizeof(*ip
));
189 /* XXX there could still be an Ethernet trailer included or others */
191 pkt_trim(pkt
, pkt_len(pkt
) - min(pkt_len(pkt
),
192 (ntohs(ip
->h_tot_len
) - ip
->h_ihl
* sizeof(uint32_t))));
194 pkt_set_dissector(pkt
, ð_lay3
, ip
->h_protocol
);
197 struct protocol ipv4_ops
= {
200 .print_less
= ipv4_less
,