Initial commit from project. lib dependencies need checking

[packeteer.git] / pcap.c

/*
 * Packeteer 
 * Copyright August 2007 TJ <linux@tjworld.net>
 *
 * Checks that network packets seen by libpcap are seen at the netfilters
 * level and haven't been silently discarded by the kernel.
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program in the file LICENSE-GPLv3.txt;
 * if not, you can view it online at http://www.gnu.org/copyleft/gpl.html
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ether.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netinet/if_ether.h>
#include <pcap.h>
#include <pthread.h>
#include "packeteer.h"

extern int size_ethernet; // sizes calculated once
extern int size_ip;
extern int size_tcp;
extern int verbose; // flag controlling debugging messages
extern unsigned int headers_done;
extern struct in_addr_filter *ip_addr_filters; // linked-list of source IP addresses to match
extern unsigned char tcp_flags_filter; // TCP flags to match (bitwise-OR)

unsigned long pcap_count = 0; // packet counter

int pcap_control = 0; // thread-running control signal
pthread_t pcap_thread_id;
pthread_mutex_t pcap_mutex = PTHREAD_MUTEX_INITIALIZER;

pcap_t *descr=NULL; // descriptor for pcap 

/* replacement for strcpy() that allocates the required memory internally */
char *my_strcpy(const char *src) {
 int count = 0, length = 0;
 char *dest=NULL;
 
 // find the length of the zero-terminated string
 for (length=0; src[length] != 0; length++);

 dest = (char *)malloc(length+1);
 if (dest != NULL) {
  for (count=0; count <= length; count++) {
   dest[count] = src[count];
  }
 }
 else
  fprintf(stderr, "my_strcpy(): malloc() failed\n");
 
 return dest;
}

/* Called from pcap with pointer to a new packet */
void pcap_callback(u_char *useless, const struct pcap_pkthdr *pkthdr, const u_char *packet) {
 int ip_addr_match = 0;
 unsigned char tcp_flags_match = 0;
 struct in_addr_filter *ip_walk = ip_addr_filters;
 unsigned char *pos;
 
 struct pcap_pkthdr hdr;     /* pcap.h */
 struct in_addr s;

 const struct ether_header *ethernet; /* The ethernet header */
 const struct iphdr *ip; /* The IP header */
 const struct tcphdr *tcp; /* The TCP header */
 const char *payload; /* Packet payload */

 ethernet = (struct ether_header*)(packet);
 ip = (struct iphdr*)(packet + size_ethernet);
 tcp = (struct tcphdr*)(packet + size_ethernet + size_ip);
 payload = (u_char *)(packet + size_ethernet + size_ip + size_tcp);

 s.s_addr = ip->saddr;
 
 if (ip_addr_filters == NULL) 
  ip_addr_match++; // no filter set, so report everything
 else {
  while(ip_walk != NULL) {
   if (ip_walk->ip_addr.s_addr == s.s_addr) {
    ip_addr_match++; // got a match
    if (verbose) fprintf(stderr, "pcap: matched IP %s\n", inet_ntoa(ip_walk->ip_addr));
   }
   ip_walk = ip_walk->next;
  }
 }

 if (ip_addr_match) { // IP address matches filter 
 
  // because tcphdr defines flags individually, to get the flags byte we have to index into the header
  tcp_flags_match = *( ((unsigned char *)tcp) + 13)  & tcp_flags_filter;
  if (verbose) fprintf(stderr, "pcap: result TCP flags 0x%2.2X, filter 0x%2.2X, TCP packet flags 0x%2.2X\n", tcp_flags_match, tcp_flags_filter,  *( ((unsigned char *)tcp) + 13) );
 
  if (tcp_flags_match) { // TCP flags match filter

   if (!headers_done)
    headers_print();
 
   fprintf(stderr, "pcap: %10s %10u %15s %4.4X %4.4X  %1d   %1d  %10u %10u %6d\n", 
                   print_time(NULL), ++pcap_count, inet_ntoa(s), ntohs(ip->check), ntohs(tcp->check),
                   tcp->syn, tcp->ack, tcp->seq, tcp->ack_seq, pkthdr->len);
   fflush(stderr);

   packet_pcap(pcap_count, ethernet, ip, tcp, pkthdr->len); // register the packet with the tracker
  }
 }
}

/* main loop runs in its own thread. Waits on data available for read on a pcap file descriptor.
   When new data is available causes pcap to invoke the callback function.
 */
void *pcap_thread(void *data) {
 fd_set fd_wait;
 struct timeval st;
 int t, fd;

 if (verbose) fprintf(stderr, "pcap_thread(): running\n");
 fd = pcap_fileno(descr);
 if (verbose) fprintf(stderr, "pcap: fd=%d\n", fd);

 for(;;) {
  FD_ZERO(&fd_wait);
  FD_SET(fd, &fd_wait);

  st.tv_sec  = 1;
  st.tv_usec = 0;   /* 1000 = 1 second */

  // wait up to 1 second for input
  t=select(fd+1, &fd_wait, NULL, NULL, &st);

  switch(t) {
   case -1: // error
    if (errno == EINTR || errno == EAGAIN) continue;
    fprintf(stderr, "pcap: Error in main loop\n");
    pcap_control = 0; // force loop to end
    break;

   case  0: // timed out, no trafffic
    // fprintf(stderr, "p"); // for debugging: prove the timer is running
    break;

   default: // packets available
    pcap_dispatch(descr, 1, (void *) pcap_callback, NULL);
  }
  if (pcap_control == 0) // parent thread's signal to quit
   break;
  
 } // End of for(;;) 
 
 pthread_exit(NULL);
}

/*
 * Prepares libpcap for capturing
 * 
 * @device select the device name: "eth1"
 * @pcap_filter set a filter rule of the form: "dst host 10.2.3.4 and tcp port 80"
 * @return 1 if successful; 0 if failed 
 */
int pcap_init(char *device, char *pcap_filter) {
 int i;
 const u_char *packet;
 bpf_u_int32 maskp;
 bpf_u_int32 netp;
 pcap_if_t *this_dev, *alldevsp;
 int ret=1; // default return value, failed
 char *dev=NULL; 
 char *filter=NULL;
 char errbuf[PCAP_ERRBUF_SIZE];
 struct bpf_program fp;

 if (verbose) fprintf(stderr, "calling pcap_findalldevs()\n");
 if (pcap_findalldevs(&alldevsp, errbuf) == 0) {
         if (verbose) fprintf(stderr, "pcap_findalldevs() done.\n");
  this_dev = alldevsp;
  while (this_dev != NULL) {
          if (verbose) fprintf(stderr, "device %s\n",this_dev->name);
   if (strcmp(device, this_dev->name) == 0) {
        dev = this_dev->name;
        break;
   }
   this_dev = this_dev->next;
  } 
 }
 else {
  fprintf(stderr, "Error: pcap_findalldevs()\n");        
 }
 if (dev) { // system has a device matching the one we want
  if (verbose) fprintf(stderr, "pcap: initialising %s with rule \"%s\"\n", dev, pcap_filter);
  pcap_lookupnet(dev, &netp, &maskp, errbuf);    
  if (verbose) fprintf(stderr, "pcap_lookupnet() done\n");
  /* open device for reading */
  descr = pcap_open_live(dev, BUFSIZ, 0, 1024, errbuf);
  if (verbose) fprintf(stderr, "pcap_open_live() done\n");

  pcap_freealldevs(alldevsp); // free list memory
  alldevsp=NULL;
  if (verbose) fprintf(stderr, "pcap_freealldevs() done\n");

  if(descr != NULL) {
   // compile the 'filter' program
          if (verbose) fprintf(stderr, "my_strcpy(\"%s\")\n", pcap_filter);
   filter = my_strcpy(pcap_filter);
   if (verbose) fprintf(stderr, "filter@%lx=%lx=\"%s\")\n",&filter, filter, filter);
   if (verbose) fprintf(stderr, "pcap_compile(%lx, %lx, \"%s\", %d, %d)\n", descr, &fp, filter, 1, htonl(0xFFFF0000));
   if(pcap_compile(descr, &fp, filter, 0, 0) != -1)     { // compile the rule
           if (verbose) fprintf(stderr, "pcap_compile() done\n");
    // set the compiled program as the filter
    if(pcap_setfilter(descr, &fp) != -1) {
     pcap_freecode(&fp); // release memory
     free(filter); // release memory allocated by my_strcpy()
     filter=NULL;
     
     // non-blocking mode
     if (verbose) fprintf(stderr, "pcap_setnonblock()\n"); 
     if(pcap_setnonblock(descr, 1, errbuf) != -1) {
          ret = 0; // success
     }
     else {
      fprintf(stderr, "Error pcap_setnonblock(): %s\n", dev, errbuf);
      ret = 5;
     }
    }
    else {
         fprintf(stderr, "Error pcap_setfilter()\n");
         ret = 4;
    }  
   }
   else {
    fprintf(stderr, "Error pcap_compile(): %s\n", pcap_geterr(descr));
    ret = 3;
   }
  }
  else { 
   fprintf(stderr, "Error pcap_open_live(): %s\n",errbuf);
   ret = 2;
  }
 }
 else {
  fprintf(stderr, "Error device %d not found\n", device);
  ret = 1;
 }
 // clean-up if errors occurred
 if (ret > 2) pcap_close(descr);
 
 if (verbose) fprintf (stderr, "leaving pcap_init()\n");
 return ret;
}

/* Create and start main-loop thread */
int pcap_start(void) {
 if (verbose) fprintf(stderr, "pcap_start(): starting\n");
 pcap_control = 1; // run thread
 if (verbose) fprintf(stderr, "pcap_start(): creating thread\n");
 pthread_create(&pcap_thread_id, NULL, pcap_thread, NULL);      
 if (verbose) fprintf(stderr, "pcap_start(): done\n");
 return 0; // success
}

/* Stop main-loop thread and clean up */
void pcap_exit(void) {
 if (verbose) fprintf(stderr, "pcap_exit(): exiting\n");
 if (pcap_control != 0) {
  if (verbose) fprintf(stderr, "pcap: stopping thread\n");
  pthread_mutex_lock(&pcap_mutex);
  pcap_control = 0; // signal thread to stop
  pthread_mutex_unlock(&pcap_mutex);

  // blocks until thread ends
  pthread_join(pcap_thread_id, NULL);
 }
 pcap_close(descr);
 if (verbose) fprintf(stderr, "pcap_exit(): done\n");
 }