/*-
 * Copyright (c) 2017 Michael Tuexen
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 */
/*
 * Compile: cc -Wall -Werror -pedantic pcap2corpus.c -lpcap -o pcap2corpus
 *
 * Usage: pcap2corpus infile outfile_prefix [expression]
 * If no expression (a pcap filter) is provided, "sctp" is used.
 * Each decapsulated packet is written to outfile_prefix-NNNNNN; an existing
 * file with that name is overwritten.
 */
#define _GNU_SOURCE
#include <sys/types.h>
#include <net/ethernet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <pcap/pcap.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Number of captured packets handed to packet_handler(), matched or not. */
static unsigned long nr_read = 0UL;
/* Number of SCTP payloads written out; also the suffix of the next output file. */
static unsigned long nr_decaps = 0UL;

/* Number of zero bytes written in front of each extracted payload. */
#define PRE_PADDING 1
/*
 * Per-run state handed to packet_handler() through the pcap user pointer.
 */
struct args {
	/* Compiled pcap filter applied to every packet. */
	struct bpf_program bpf_prog;
	/* Prefix of the output file names (the outfile_prefix argument). */
	char *filename_prefix;
	/* Link-layer specific test: does the frame carry IPv4? */
	int (*is_ipv4)(const void *);
	/* Link-layer specific test: does the frame carry IPv6? */
	int (*is_ipv6)(const void *);
	/* Datalink type reported by pcap_datalink(). */
	int linktype;
	/* Size of the link-layer header in bytes, i.e. where the IP header starts. */
	unsigned int offset;
};
/*
 * SCTP common header as defined by RFC 4960.
 * The struct is packed so that its size equals the 12 bytes on the wire;
 * packet_handler() only uses sizeof(struct sctphdr) to skip past it.
 */
struct sctphdr {
	uint16_t src_port;	/* source port */
	uint16_t dest_port;	/* destination port */
	uint32_t v_tag;		/* verification tag of packet */
	uint32_t checksum;	/* CRC32C checksum */
	/* chunks follow... */
} __attribute__((packed));
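/*
 * Report whether a DLT_NULL (BSD loopback) frame carries IPv4.
 *
 * bytes points at the 4-byte link header, which holds the address family.
 * The caller must have verified that at least 4 bytes were captured.
 * Returns 1 if the family is 2 (AF_INET), 0 otherwise.
 *
 * NOTE(review): the family is compared in the byte order of the machine
 * running this tool; a capture written on a host of the opposite
 * endianness presumably will not match - confirm if that case matters.
 */
static int
loopback_is_ipv4(const void *bytes)
{
	uint32_t family;

	/*
	 * Copy instead of dereferencing a casted pointer: the capture buffer
	 * is a byte array with no alignment guarantee for uint32_t.
	 */
	memcpy(&family, bytes, sizeof(family));
	return (family == 2);
}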
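/*
 * Report whether a DLT_NULL (BSD loopback) frame carries IPv6.
 *
 * bytes points at the 4-byte link header, which holds the address family.
 * The caller must have verified that at least 4 bytes were captured.
 * Returns 1 if the family is 24, 28 or 30 (the values of AF_INET6 used by
 * the different BSD-derived systems), 0 otherwise.
 *
 * NOTE(review): the family is compared in the byte order of the machine
 * running this tool; a capture written on a host of the opposite
 * endianness presumably will not match - confirm if that case matters.
 */
static int
loopback_is_ipv6(const void *bytes)
{
	uint32_t family;

	/*
	 * Copy instead of dereferencing a casted pointer: the capture buffer
	 * is a byte array with no alignment guarantee for uint32_t.
	 */
	memcpy(&family, bytes, sizeof(family));
	return (family == 24 || family == 28 || family == 30);
}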
/*
 * Report whether an Ethernet frame carries IPv4.
 *
 * bytes points at the Ethernet header; the caller must have verified that
 * the whole header was captured. Returns 1 if the EtherType field equals
 * ETHERTYPE_IP, 0 otherwise. VLAN-tagged frames carry a different
 * EtherType in this position and therefore do not match.
 */
static int
ethernet_is_ipv4(const void *bytes)
{
	const struct ether_header *frame = (const struct ether_header *)bytes;
	uint16_t ether_type = ntohs(frame->ether_type);

	return (ether_type == ETHERTYPE_IP);
}
/*
 * Report whether an Ethernet frame carries IPv6.
 *
 * bytes points at the Ethernet header; the caller must have verified that
 * the whole header was captured. Returns 1 if the EtherType field equals
 * ETHERTYPE_IPV6, 0 otherwise. VLAN-tagged frames carry a different
 * EtherType in this position and therefore do not match.
 */
static int
ethernet_is_ipv6(const void *bytes)
{
	const struct ether_header *frame = (const struct ether_header *)bytes;
	uint16_t ether_type = ntohs(frame->ether_type);

	return (ether_type == ETHERTYPE_IPV6);
}
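/*
 * pcap callback: extract the SCTP chunks of one captured packet and write
 * them to their own file.
 *
 * user     - the struct args set up by main(), passed through pcap_dispatch().
 * pkthdr   - pcap record header; only caplen (captured bytes) is used.
 * bytes_in - the captured frame, starting at the link-layer header.
 *
 * The capture file is treated as untrusted input: every header is checked
 * against caplen before it is read, and the IPv4 header length field is
 * validated before it is used to locate the payload. A packet is skipped
 * when it does not match the filter, is truncated, or does not have SCTP
 * directly after the IPv4/IPv6 header (IPv6 extension headers are not
 * walked). For a matching packet, everything after the SCTP common header
 * is written to "<filename_prefix>-NNNNNN", preceded by PRE_PADDING zero
 * bytes. nr_read is incremented for every packet, nr_decaps only after a
 * file has been written successfully.
 */
static void
packet_handler(u_char *user, const struct pcap_pkthdr *pkthdr, const u_char *bytes_in)
{
	struct args *args;
	const u_char *bytes_out;
	FILE *file;
	char *filename;
	const struct ip *ip4_hdr_in;
	const struct ip6_hdr *ip6_hdr_in;
	size_t offset, length;
	int i, failed;

	args = (struct args *)(void *)user;
	bytes_out = NULL;
	length = 0;
	if (pcap_offline_filter(&args->bpf_prog, pkthdr, bytes_in) == 0) {
		goto out;
	}
	/* The link-layer header must be complete before it is inspected. */
	if (pkthdr->caplen < args->offset) {
		goto out;
	}
	if (args->is_ipv4(bytes_in)) {
		/* Minimal IPv4 header plus SCTP common header must be present. */
		offset = args->offset + sizeof(struct ip) + sizeof(struct sctphdr);
		if (pkthdr->caplen < offset) {
			goto out;
		}
		ip4_hdr_in = (const struct ip *)(const void *)(bytes_in + args->offset);
		if (ip4_hdr_in->ip_p == IPPROTO_SCTP) {
			unsigned int ip4_hdr_len;

			ip4_hdr_len = ip4_hdr_in->ip_hl << 2;
			/*
			 * A header length below the fixed 20 bytes is malformed;
			 * using it would make part of the IP header look like
			 * SCTP payload.
			 */
			if (ip4_hdr_len < sizeof(struct ip)) {
				goto out;
			}
			/* Re-check the bounds with the real header length (IP options). */
			offset = args->offset + ip4_hdr_len + sizeof(struct sctphdr);
			if (pkthdr->caplen < offset) {
				goto out;
			}
			bytes_out = bytes_in + offset;
			length = pkthdr->caplen - offset;
		}
	}
	if (args->is_ipv6(bytes_in)) {
		offset = args->offset + sizeof(struct ip6_hdr) + sizeof(struct sctphdr);
		if (pkthdr->caplen < offset) {
			goto out;
		}
		ip6_hdr_in = (const struct ip6_hdr *)(bytes_in + args->offset);
		if (ip6_hdr_in->ip6_nxt == IPPROTO_SCTP) {
			bytes_out = bytes_in + offset;
			length = pkthdr->caplen - offset;
		}
	}
out:
	nr_read++;
	if (bytes_out == NULL) {
		return;
	}
	if (asprintf(&filename, "%s-%06lu", args->filename_prefix, nr_decaps) < 0) {
		return;
	}
	file = fopen(filename, "w");
	if (file == NULL) {
		/* Skip this packet instead of passing a NULL stream to fwrite(). */
		perror(filename);
		free(filename);
		return;
	}
	failed = 0;
	for (i = 0; i < PRE_PADDING; i++) {
		if (fputc(0, file) == EOF) {
			failed = 1;
		}
	}
	/* fwrite() returns 0 for an empty payload, which is not an error. */
	if (length > 0 && fwrite(bytes_out, length, 1, file) != 1) {
		failed = 1;
	}
	if (fclose(file) != 0) {
		failed = 1;
	}
	if (failed) {
		fprintf(stderr, "Can't write output file %s\n", filename);
	} else {
		nr_decaps++;
	}
	free(filename);
}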
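/*
 * Build the pcap filter expression from the command line.
 *
 * With no expression arguments (argc <= 3) the default filter "sctp" is
 * returned. Otherwise argv[3] .. argv[argc - 1] are joined with single
 * spaces into one NUL-terminated string.
 *
 * Returns a heap-allocated string the caller must free(), or NULL if the
 * allocation fails.
 */
static char *
get_filter(int argc, char *argv[])
{
	char *result, *c;
	size_t len;
	int i;

	if (argc <= 3) {
		if (asprintf(&result, "%s", "sctp") < 0) {
			return (NULL);
		}
		return (result);
	}
	/*
	 * One extra byte per argument: a separating space after all but the
	 * last one, and the terminating NUL after the last one. The string is
	 * later handed to pcap_compile() and printed with %s, so it has to be
	 * terminated.
	 */
	len = 0;
	for (i = 3; i < argc; i++) {
		len += strlen(argv[i]) + 1;
	}
	result = malloc(len);
	if (result == NULL) {
		return (NULL);
	}
	c = result;
	for (i = 3; i < argc; i++) {
		size_t arg_len;

		arg_len = strlen(argv[i]);
		memcpy(c, argv[i], arg_len);
		c += arg_len;
		*c++ = (i < argc - 1) ? ' ' : '\0';
	}
	return (result);
}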
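/*
 * Entry point: pcap2corpus infile outfile_prefix [expression]
 *
 * Opens the capture file, selects the link-layer helpers for its datalink
 * type (DLT_NULL or DLT_EN10MB), compiles the filter expression and runs
 * packet_handler() over every packet in the file.
 *
 * Returns 0 on success and -1 on a usage error, an unreadable input file,
 * an unsupported datalink type, a filter that cannot be built or compiled,
 * or an error while reading the capture.
 */
int
main(int argc, char *argv[])
{
	char errbuf[PCAP_ERRBUF_SIZE];
	pcap_t *pcap_reader;
	char *filter;
	struct args args;
	int rc;

	if (argc < 3) {
		fprintf(stderr, "Usage: %s infile outfile_prefix [expression]\n", argv[0]);
		return (-1);
	}
	args.filename_prefix = argv[2];
	pcap_reader = pcap_open_offline(argv[1], errbuf);
	if (pcap_reader == NULL) {
		fprintf(stderr, "Can't open input file %s: %s\n", argv[1], errbuf);
		return (-1);
	}
	args.linktype = pcap_datalink(pcap_reader);
	switch (args.linktype) {
	case DLT_NULL:
		args.is_ipv4 = loopback_is_ipv4;
		args.is_ipv6 = loopback_is_ipv6;
		args.offset = sizeof(uint32_t);
		break;
	case DLT_EN10MB:
		args.is_ipv4 = ethernet_is_ipv4;
		args.is_ipv6 = ethernet_is_ipv6;
		args.offset = sizeof(struct ether_header);
		break;
	default:
		fprintf(stderr, "Datalink type %d not supported\n", args.linktype);
		pcap_close(pcap_reader);
		return (-1);
	}
	filter = get_filter(argc, argv);
	if (filter == NULL) {
		/* Don't hand a NULL expression to pcap_compile() or to %s. */
		fprintf(stderr, "Can't allocate memory for the filter expression\n");
		pcap_close(pcap_reader);
		return (-1);
	}
	if (pcap_compile(pcap_reader, &args.bpf_prog, filter, 0, PCAP_NETMASK_UNKNOWN) < 0) {
		fprintf(stderr, "Can't compile filter %s: %s\n", filter, pcap_geterr(pcap_reader));
		free(filter);
		pcap_close(pcap_reader);
		return (-1);
	}
	free(filter);
	rc = 0;
	/*
	 * A read error (for example a damaged capture file) must not look
	 * like a complete run: report it and return a failure status. The
	 * counters are still printed for the packets seen so far.
	 */
	if (pcap_dispatch(pcap_reader, 0, packet_handler, (u_char *)&args) < 0) {
		fprintf(stderr, "Error while reading %s: %s\n", argv[1], pcap_geterr(pcap_reader));
		rc = -1;
	}
	pcap_freecode(&args.bpf_prog);
	pcap_close(pcap_reader);
	fprintf(stderr, "%lu packets processed\n", nr_read);
	fprintf(stderr, "%lu packets decapsulated\n", nr_decaps);
	return (rc);
}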