ssldump_0.9b3.orig.tar.gz Import

This commit is contained in:
Alexandre Dulaunoy 2015-01-31 10:13:33 +01:00
commit ea12dfe6d2
100 changed files with 22293 additions and 0 deletions

60
COPYRIGHT Normal file

@ -0,0 +1,60 @@
SSLDUMP LICENSE
Copyright (C) 1999-2001 RTFM, Inc.
All Rights Reserved
This package is a SSLv3/TLS protocol analyzer written by Eric Rescorla
<ekr@rtfm.com> and licensed by RTFM, Inc.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by Eric Rescorla for
RTFM, Inc.
4. Neither the name of RTFM, Inc. nor the name of Eric Rescorla may be
used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE ERIC RESCORLA AND RTFM ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
TCPDUMP LICENSE
The manual page for this software is partially excerpted from
the tcpdump manual page, which is subject to the following license:
Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
The Regents of the University of California. All rights reserved.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that: (1) source code distributions
retain the above copyright notice and this paragraph in its entirety, (2)
distributions including binary code include the above copyright notice and
this paragraph in its entirety in the documentation or other materials
provided with the distribution, and (3) all advertising materials mentioning
features or use of this software display the following acknowledgement:
``This product includes software developed by the University of California,
Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
the University nor the names of its contributors may be used to endorse
or promote products derived from this software without specific prior
written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
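Review bot: the tcpdump license block repeats "All rights reserved." twice (once after "The Regents of the University of California." and again on its own line); drop the duplicate. The ssldump disclaimer also reads "PROVIDED BY THE ERIC RESCORLA AND RTFM" with a stray "THE", and "IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS" is left over from the BSD template; Makefile.in and the source headers in this same commit use "ERIC RESCORLA AND RTFM, INC.", so align the wording so that the license files agree with each other.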

20
CREDITS Normal file

@ -0,0 +1,20 @@
ssldump was written by Eric Rescorla <ekr@rtfm.com>
The Windows port of ssldump was provided by Greg Stark.
The following people have provided bug fixes, bug reports, or suggestions.
Adam Cain
Pavel Curtis
Chris Jepeway
Alexander Fetke
Jeffrey Hafey
Lutz Jaenicke
Dave Jagoda
Norbert Klasen
Richard Levitte
Hugh Mandeville
Eric Murray
Henrik Nordstrom
If you think you should be on this list, send me mail at <ekr@rtfm.com>.

158
ChangeLog Normal file

@ -0,0 +1,158 @@
Wed Aug 21 10:48:45 2002 EKR <ekr@rtfm.com>
* Installed Greg Stark's new Win32 patches.
* Added updated VLAN support (Jeffrey Hafey)
Fri Aug 16 16:56:23 2002 EKR <ekr@rtfm.com>
* Cleaned up 56-bit ciphersuites in ciphersuites.c
* Fixed memory errors in packet copying.
* Fixed bugs in processing of bogus SSLv2 messages.
* Fixed bugs in TCP packet reassembly code.
Tue Aug 13 13:03:41 2002 EKR <ekr@rtfm.com>
* Fixed EXPORT1024 DES cipher suites
Mon Aug 12 16:49:51 2002 EKR <ekr@rtfm.com>
* Added support for VLAN networks (Jeffrey Hafey)
* Fixed printing of data with embedded tabs (Pavel Curtis)
* Added support for non-promiscuous mode (-P flag)
(Bruce M Simpson)
* Fixed potential small overrun in RSA decryption.
Fri Sep 28 15:54:47 2001 EKR <ekr@rtfm.com>
* Fixed install so that we install in /usr/local/sbin
with mode 755. Bug report ssldump/22.
(Dave Jagoda)
* Fixed compilation warning about create_null_analyzer
Bug report ssldump/23.
Wed Sep 26 14:49:06 2001 EKR <ekr@rtfm.com>
* Fixed SYN & SYN/ACK detection to that it works with ECN.
(Henrik Nordstrom)
* Added /usr/include/pcap to the PCAP search path
(Henrik Nordstrom)
Sat Sep 15 13:41:10 2001 EKR <ekr@rtfm.com>
* Fix to ssldecode.c to remove error with empty
struct when compiling with VC++ and no OpenSSL
(Greg Stark)
* Change to vcwin32.mak to print out that you're not
using OpenSSL (Greg Stark)
* Automatic version changing courtesy of version-change.pl
Fri Sep 14 15:22:29 2001 EKR <ekr@rtfm.com>
* Fixed bug 4. Delete the MS after decrypting a PMS
to force new MS generation in the key generation phase.
This makes decryption of renegotiated connections work
correctly. This got broken when session resumption
was added.
2001-09-14 Eric Rescorla <ekr@rtfm.com>
* Imported Greg Stark's Win32 port
Sun Sep 2 15:53:06 2001 EKR <ekr@rtfm.com>
* Fixed the reassembler so it doesn't crash when
FIN/RST segments have data.
* closure/connection freeing now works, thus meaning less
memory leakage and less crashing.
* A bunch of trivial makefile/configure fixes.
Fri Jul 20 16:40:51 2001 EKR <ekr@rtfm.com>
* Removed loading of certificate file. This served
no real purpose. Fix for bug 5.
Fri Jul 20 11:02:09 2001 EKR <ekr@rtfm.com>
* Fixed initialization so that the key file is loaded
only once.
Removed default keyfile and password. You now must
specify them. You also get an error if you specify
a bad password or keyfile.
Fri Jul 20 10:17:36 2001 EKR <ekr@rtfm.com>
* Added support for session resumption.
Fri Jul 20 10:17:16 2001 EKR <ekr@rtfm.com>
* Fixed SEQ_LT problems on Linux and other compilation
problems.
Tue Mar 6 2001 EKR <ekr@rtfm.com>
* Removed statically allocated conn array. We can now
have an arbitrary number of
Thu Nov 9 12:14:15 2000 EKR <ekr@rtfm.com>
* Cleanups to the man page and cleaned up some cases
where printing didn't work quite right.
Mon Nov 6 10:22:25 2000 EKR <ekr@rtfm.com>
* Added the -X flag to force hex-only printing when
binary data is displayed as hex dumps.
Fri Nov 3 09:23:35 2000 EKR <ekr@rtfm.com>
* cleaned up the case where multiple handshake messages
are in the same SSL record.
Fri Nov 3 09:14:39 2000 EKR <ekr@rtfm.com>
* Modified printing so that when we're printing hex dumps
of application data traffic we also print the printable
sections of the data itself in a column on the side.
Thu Nov 2 14:14:21 2000 EKR <ekr@rtfm.com>
* Modified cipher suite printing so that the names have
SSL_ if we're doing SSLv3 and TLS_ if we're doing TLS.
Suggestion by Eric Murray.
Thu Nov 2 13:07:09 2000 EKR <ekr@rtfm.com>
* Fixed an ABW in ssldecode.c that caused crashes
on Solaris. Also, fixed a bunch of memory leaks
using Purify.
Thu Nov 2 08:45:42 2000 EKR <ekr@rtfm.com>
* Various Portability fixes
CC=gcc -> CC=@CC@ in Makefile
Removed FLAGS in Makefile (it was a noop)
in base/tcpconn.c, changed {} to {0} to appease HPUX's compiler
made create_null_analyzer.c static as it should be.
Removed the final (bogus) entry in null_vtbl.
made sslx__print_serial() static to match its prototype
Rearranged library order for better linkage
Thanks to Lutze Jainecke for these fixes.
Thu Nov 2 08:41:10 2000 EKR <ekr@rtfm.com>
* Added -r as a synonym for -f. -f will eventually
be removed and reused for some other option.
This was done for option compatibility with tcpdump
and on the theory that someday I might add a -w.
* Renamed -h to -H and added it to the documentation.
-h now triggers usage info.
Thu Nov 2 08:38:06 2000 EKR <ekr@rtfm.com>
* Removed blank lines in the man page. This confuses some
man page formatters. (Thanks to Hugh Mandeville for pointing
this one out)
Thu Nov 2 08:37:59 2000 EKR <ekr@rtfm.com>
* Wired up -N (it was unwired)
Thu Nov 2 08:37:47 2000 EKR <ekr@rtfm.com>
* Added -D_BSD_SOURCE=1 when you're compiling on Linux.
(Allowing it to compile)
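Review bot: the "Tue Mar 6 2001" entry is cut off mid-sentence ("We can now have an arbitrary number of"); it needs finishing before this ships. Two smaller consistency points: the Nov 2 2000 portability entry credits "Lutze Jainecke" while CREDITS in this same commit spells the name "Lutz Jaenicke", and the Sep 26 2001 entry reads "to that it works with ECN" where "so that" is meant.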

9
FILES Normal file

@ -0,0 +1,9 @@
record-fmt.txt
record_analyze.c
record_analyze.h
targets.mk
CVS:
Entries
Repository
Root
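Review bot: FILES lists CVS control files ("CVS:", "Entries", "Repository", "Root") alongside source files; these are version-control metadata, and the dist target in Makefile.in in this same import explicitly deletes CVS directories, so they should not appear in a shipped file list. It is also unclear what the list is for, since it names only four source files and a targets.mk rather than the tree; add a one-line header stating its purpose or drop the file.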

46
INSTALL Normal file

@ -0,0 +1,46 @@
$Id: INSTALL,v 1.5 2001/09/14 22:29:13 ekr Exp $
If you don't have libpcap, you'll need to get it and install it. You
can obtain it from:
http://www.tcpdump.org/
If you want to be able to decrypt SSL traffic or view certificates,
get OpenSSL if you don't have it:
http://www.openssl.org/
Once you've built and installed libpcap and OpenSSL, you're ready to
build ssldump.
ssldump uses a GNU autoconf-based configuration to automatically
configure the build.
In the simplest form you can simply do:
./configure
If the configure script can't find libpcap, it will abort. If you've
installed it in unobvious place, you may need to give configure a hint
using the '--with-pcap' or '--with-pcap-{lib,inc}' switches.
If the configure script can't find OpenSSL, it will continue without
it. If your OpenSSL is in a nonstandard location, you may need to give
configure a hint with the '--with-openssl' or
'--with-openssl-{lib,include}' switches.
Once you've done the configure, you can simply run 'make'. Note that
on some platforms (HP/UX) you will have to use GNU make (gmake).
If the make succeeds, run a 'make install' (you will probably need to
be root to do this.)
TESTED PLATFORMS
FreeBSD 2.2.8, 3.4
HP/UX 10.20
Linux (Red Hat, Debian)
Solaris 2.x
If you get ssldump to work on a platform not listed above, please send mail
to ssldump@rtfm.com with the platform and any fixes you had to make.
INSTALLING ON WINDOWS
Read the file INSTALL.W32 in this directory for instructions on
installing on Windows.

114
INSTALL.W32 Normal file

@ -0,0 +1,114 @@
Notes
First, make sure you've read the README file.
Build Environment
-----------------
The build environment is assumed to be Microsoft Visual C++ 6.0 SP4
(VC6), although earlier or later versions may work. In particular, the
make-like utility used to build this port of ssldump is NMAKE version
6.00.x from Microsoft.
The basis for this port is ssldump version 0.9b3. The win32 directory
contains the win32-specific stuff, including the NMAKE makefile
vcwin32.mak.
You need to have your environment variables and PATH correctly setup
to properly use the command-line VC6 tools. In the VC6\bin directory
is a batch file, VCVARS32.bat, which should set things up
correctly. You should run this batch file prior to attempting a build.
What you need (besides the ssldump source)
------------------------------------------
You must have downloaded and installed the following from the
WinPcap/Windump project:
1. The Winpcap developer's pack, version 2.3, from
http://winpcap.polito.it/install/bin/WPdpack_2_3.zip contains the
pcap.h and net/bpf.h files, and the pcap import library. Place these
in the win32 directory.
2. The Winpcap source code distribution, version 2.3, from
http://winpcap.polito.it/install/bin/WPcapSrc_2_3.zip. It contains
some .h files commonly found on UNIX systems that ssldump
expects. Place these in the win32 directory.
3. The Winpcap auto-installer, version 2.3, from
http://winpcap.polito.it/install/bin/WinPcap_2_3_nogui.exe. This is
only needed to run ssldump, not needed to build it. It is needed on
*any* windows system on which ssldump is run. It installs a device
driver and the pcap library DLL.
4. Possibly the Windump utility from
http://windump.polito.it/install/bin/WinDump.exe. This is essentially
a Windows port of tcpdump, with an extra -D option. This option
enumerates the interface names so that you at least have a clue to
what to supply the -i option (see below).
The win32 directory should look like the following after these files
are downloaded and extracted:
winpcap <directory>
WPdpack <directory>
Ssldump.html
vcwin32.mak
OpenSSL Support
---------------
By default, the OpenSSL libraries are not linked into ssldump. If you
want to link in the OpenSSL libraries, you'll need to customize the
makefile. First, look for the macro OPENSSL and change its value to
"yes". Next, look for the macro OPENSSL_DIR and make sure it points to
the openssl distribution on your machine. You must build a version(s)
of SSL that links to the static C run-time library; these are
distinguished by the use of the compiler flag /MT for release
versions, and /MTd for debug versions. Then you must set the
OPENSSL_RELEASE and OPENSSL_DEBUG macros to point to the directories
that contain the libraries for these versions. If you only intend to
build one of either the debug or release versions, you only need to
define the corresponding OPENSSL_ macro.
Building ssldump
----------------
To build, run (from the ssldump root directory):
nmake /f win32\vcwin32.mak all
this creates a directory, out32, which contains the object files and
the ssldump.exe executable. The build produces a simple command-line
ssldump.exe which must be run from a console window (i.e. a DOS
box). It builds the release version by default. Set the macro
CFG="debug" to build a debug version, e.g. nmake /f vcwin32.mak all
CFG="debug".
win32\ssldump.html contains an HTML version of the ssldump.1
manpage. You should read this to learn the options.
What are the names of the Interfaces?
-------------------------------------
One tricky aspect is choosing the correct interface name for the -i
option of ssldump. AFAIK, there is no standard windows utility that
will give you the correct names for the interfaces. For example, on my
system they are named PPPMAC (for the PPP adapter) and CBEN5 (for my
Ethernet Adapter). I did find these names in the registry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net\nnnn\NDIS\LogDriverName,
but this may be different on other Windows OSes. The Windump utility
from the WinPcap folks has an option, -D, to enumerate these interface
names. Use the Windump utility or hunt through the registry to find
the names of your interfaces. If you don't specify the interface
explicitly with the -i option, ssldump will select the 'first'
interface and this may be exactly what you want.
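Review bot: the debug build example under "Building ssldump" is inconsistent with the release command two lines above it: the release build is "nmake /f win32\vcwin32.mak all" (run from the ssldump root), but the debug example is given as "nmake /f vcwin32.mak all CFG="debug"", which drops the win32\ path and will not find the makefile from the root directory. Also, the directory listing under "What you need" shows "Ssldump.html" (capital S) while the later text refers to "win32\ssldump.html"; pick one spelling.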

111
Makefile.in Normal file

@ -0,0 +1,111 @@
# Copyright (C) 1999-2000 RTFM, Inc.
# All Rights Reserved
# This package is a SSLv3/TLS protocol analyzer written by Eric Rescorla
# <ekr\@rtfm.com> and licensed by RTFM, Inc.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
# must display the following acknowledgement:
#
# This product includes software developed by Eric Rescorla for
# RTFM, Inc.
# 4. Neither the name of RTFM, Inc. nor the name of Eric Rescorla may be
# used to endorse or promote products derived from this
# software without specific prior written permission.
# THIS SOFTWARE IS PROVIDED BY ERIC RESCORLA AND RTFM, INC. ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY SUCH DAMAGE.
PLATFORM=freebsd31
CC=@CC@
all: ssldump
OBJSUFFIX=o
LIBSUFFIX=a
INSTALL=@INSTALL@
prefix=@prefix@
exec_prefix=@exec_prefix@
BINDIR=@sbindir@
MANDIR=@mandir@
RM=rm -f
ROOT=./
ANALYZE_SRCDIR=$(ROOT)base/
COMMONDIR=common/
COMMON_LIB_SRCDIR=$(COMMONDIR)lib/
ANALYZE_NULL_SRCDIR=$(ROOT)null/
ANALYZE_SSL_SRCDIR=$(ROOT)ssl/
ANALYZE_RECORD_SRCDIR=$(ROOT)@RECORD_MOD@/
include rules.mk
include $(COMMON_LIB_SRCDIR)/targets.mk
include $(ANALYZE_SRCDIR)targets.mk
include $(ANALYZE_NULL_SRCDIR)targets.mk
include $(ANALYZE_SSL_SRCDIR)targets.mk
include $(ANALYZE_RECORD_SRCDIR)targets.mk
INCLUDES += -I$(COMMONDIR)include/ -I$(ANALYZE_NULL_SRCDIR) -I$(ANALYZE_SSL_SRCDIR)
DEFINES += @DEFINES@
INCLUDES += @INCLUDES@
LIBS += @LDFLAGS@ @LIBS@
CFLAGS += @CFLAGS@ @DEFS@
ssldump: $(OBJECTS)
$(CC) $(OBJECTS) -o $@ $(LIBS)
clean:
rm -f $(OBJECTS) ssldump
install:
[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
$(INSTALL) -m 755 ssldump $(BINDIR)/ssldump
[ -d $(MANDIR) ] || mkdir -p $(MANDIR)/man1
$(INSTALL) -m 444 ssldump.1 $(MANDIR)/man1/ssldump.1
dist:
perl "./version-check.pl"
- name=ssldump-`cat VERSION`; \
rm -rf /dist/ship/$$name; \
mkdir /dist/ship/$$name; \
cp -pR * /dist/ship/$$name; \
cd /dist/ship/$$name; \
make -f Makefile.in clean; \
rm Makefile; \
find . -name '*~' -exec rm {} \; -print;\
find . -name '*.o' -exec rm {} \; -print;\
find . -name '#*#' -exec rm {} \; -print;\
find . -name 'CVS' -exec rm -rf {} \; -print;\
find . -name '*bak' -exec rm -rf {} \; -print;\
find . -name '*.core' -exec rm -rf {} \; -print;\
find . -name '*.tr' -exec rm -rf {} \; -print;\
find . -name '*.pl' -exec rm -rf {} \; -print;\
find . -name '*.pem' -exec rm -rf {} \; -print;\
find . -name '*orig' -exec rm -rf {} \; -print;\
find . -name '*.rej' -exec rm -rf {} \; -print;\
rm -f TODO TAGS; \
rm -f config.status config.log config.cache config.h; \
rm -f ssl/a.out all; \
cd /dist/ship; tar cf - $$name | gzip > $$name.tar.gz
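Review bot: the install target's man-page check is wrong: "[ -d $(MANDIR) ] || mkdir -p $(MANDIR)/man1" tests for $(MANDIR) but creates $(MANDIR)/man1, so on a system where $(MANDIR) already exists but man1 does not, the mkdir is skipped and the following $(INSTALL) fails; test "[ -d $(MANDIR)/man1 ]" instead, or run "mkdir -p" unconditionally. The install target also ignores DESTDIR, which packagers need for staged installs. Separately, "include $(COMMON_LIB_SRCDIR)/targets.mk" produces a doubled slash because COMMON_LIB_SRCDIR already ends in "/", and the dist target hard-codes /dist/ship and runs "rm -rf" inside it, which will not work for anyone but the original maintainer.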

85
README Normal file

@ -0,0 +1,85 @@
$Id: README,v 1.9 2002/08/17 01:33:15 ekr Exp $
SSLDUMP 0.9b3
ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP
connections on the chosen network interface and attempts to interpret
them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it
decodes the records and displays them in a textual form to stdout. If
provided with the appropriate keying material, it will also decrypt
the connections and display the application data traffic.
ssldump depends on the libpcap packet capture library. Some systems
(e.g. FreeBSD) now have libpcap as part of their standard install. On
other systems, you will need to install it. You can obtain the
distribution from:
http://www.tcpdump.org/
If linked with OpenSSL, ssldump can display certificates in decoded
form and decrypt traffic (provided that it has the appropriate keying
material). Again, OpenSSL may be installed on your system. Otherwise
you can obtain it from:
http://www.openssl.org/
See the file INSTALL for instructions on building and installing
ssldump.
STABILITY
This is a beta release of ssldump. The UNIX portions have received
extensive testing and are believed to be quite solid. The Windows
port is substantially less stable.
CHANGES SINCE 0.9b2
Security fix: some potential over and underflows
Added support for VLANs.
Added -P flag to disable promiscuous mode.
Fixed bugs in the TCP reassembly code.
A lot of bug fixes.
See the ChangeLog for a more complete list of changes.
MAILING LIST
For support questions and general discussion on ssldump, please
subscribe to the ssldump-users mailing list. Subscription is by
majordomo. To subscribe, send a message with no subject and a body
consisting of the single line:
subscribe ssldump-users
to majordomo@rtfm.com. Note, you cannot send messages to the list
unless you are subscribed.
BUG REPORTS
Please send bug reports either to the ssldump-users mailing list
or to ssldump@rtfm.com.
INTEROPERABILITY NOTE
Previous versions of ssldump automatically looked for the keyfile
in 'server.pem' and used the password 'password'. This version
removes those defaults. For decryption to work you MUST specify
the keyfile (and password if the keyfile is encrypted.)
NEW VERSIONS
Newer versions of ssldump can be found at:
http://www.rtfm.com/ssldump/
SSL REFERENCES
The SSLv3 specification can be found at:
http://home.netscape.com/eng/ssl3/draft302.txt
The TLS specification is in RFC 2246 and can be found at:
http://www.ietf.org/rfc/rfc2246.txt
SHAMELESS PLUG
Extremely detailed coverage of SSL/TLS can be found in
_SSL_and_TLS:_Designing_and_Building_Secure_Systems_
Eric Rescorla
Addison-Wesley, 2001
ISBN 0-201-61598-3
_SSL_and_TLS_ makes extensive use of ssldump to demonstrate real-life
SSL behavior. If you like ssldump and want to learn about SSL, you
might consider buying my book.
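Review bot: the "Security fix: some potential over and underflows" line under CHANGES SINCE 0.9b2 is too vague for a release note that users will decide to upgrade on; say which code was affected. The ChangeLog in this same import lists "Fixed potential small overrun in RSA decryption", "Fixed memory errors in packet copying" and "Fixed bugs in processing of bogus SSLv2 messages", so the README could at least point at those entries. The INTEROPERABILITY NOTE about dropping the default 'server.pem' keyfile and 'password' password is a behaviour change worth listing in the CHANGES section as well.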

1
VERSION Normal file

@ -0,0 +1 @@
0.9b3

66
base/common.c Normal file

@ -0,0 +1,66 @@
/**
common.c
Copyright (C) 1999-2000 RTFM, Inc.
All Rights Reserved
This package is a SSLv3/TLS protocol analyzer written by Eric Rescorla
<ekr@rtfm.com> and licensed by RTFM, Inc.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by Eric Rescorla for
RTFM, Inc.
4. Neither the name of RTFM, Inc. nor the name of Eric Rescorla may be
used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY ERIC RESCORLA AND RTFM, INC. ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY SUCH DAMAGE.
$Id: common.c,v 1.2 2000/10/17 16:09:57 ekr Exp $
ekr@rtfm.com Tue Dec 29 09:59:39 1998
*/
static char *RCSSTRING="$Id: common.c,v 1.2 2000/10/17 16:09:57 ekr Exp $";
#include <r_common.h>
int xdump(label,data,len)
char *label;
UCHAR *data;
int len;
{
int i;
printf("%s[%d]",label,len);
for(i=0;i<len;i++){
if((len>8) && !(i%20)) printf("\n");
printf("%.2x ",data[i]&255);
}
printf("\n");
return(0);
}
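Review bot: xdump's line-breaking condition "if((len>8) && !(i%20)) printf("\n");" is true at i==0, so every dump longer than 8 bytes begins with an empty line right after the "label[len]" header; use "i && !(i%20)" if that is not intended. Also, "static char *RCSSTRING" is defined but never referenced and will draw unused-variable warnings, and the function is written K&R-style with no prototype in scope, so a caller passing the wrong argument types is not caught at compile time; declaring it in a header would help.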

60
base/data Normal file

@ -0,0 +1,60 @@
network.c:126: off=ntohs(p.ip->ip_off);
network.c:134: hlen=p.ip->ip_hl * 4;
network.c:136: p.len =ntohs(p.ip->ip_len)-hlen;
network.c:139: switch(p.ip->ip_p){
network.c:159: memcpy(&p->ts,&in->ts,sizeof(struct timeval));
network.c:160: if(!(p->base=(UCHAR *)malloc(in->_len)))
network.c:162: memcpy(p->base,in->base,p->_len=in->_len);
network.c:164: p->data=p->base + (in->data -> in->base);
network.c:165: p->len=in->len;
network.c:167: p->ip=(struct ip *)(p->base + ((UCHAR *)in->ip - in->base));
network.c:168: p->tcp=(struct tcphdr *)(p->base + ((UCHAR *)in->tcp - in->base));
network.c:186: FREE(p->base);
pcap-snoop.c:2: pcap-snoop.c
pcap-snoop.c:40: $Id: pcap-snoop.c,v 1.12 2002/01/21 17:36:51 ekr Exp $
pcap-snoop.c:47:static char *RCSSTRING="$Id: pcap-snoop.c,v 1.12 2002/01/21 17:36:51 ekr Exp $";
tcppack.c:84: p->tcp=(struct tcphdr *)p->data;
tcppack.c:88: if(r=tcp_find_conn(&conn,&direction,&p->ip->ip_src,
tcppack.c:89: ntohs(p->tcp->th_sport),&p->ip->ip_dst,ntohs(p->tcp->th_dport))){
tcppack.c:96: if((p->tcp->th_flags & (TH_SYN|TH_ACK))!=TH_SYN){
tcppack.c:104: conn->i2r.seq=ntohl(p->tcp->th_seq)+1;
tcppack.c:114: if((p->tcp->th_flags & (TH_SYN|TH_ACK))!=(TH_SYN|TH_ACK))
tcppack.c:116: conn->r2i.seq=ntohl(p->tcp->th_seq)+1;
tcppack.c:117: conn->r2i.ack=ntohl(p->tcp->th_ack)+1;
tcppack.c:127: conn->i2r.ack=ntohl(p->tcp->th_ack)+1;
tcppack.c:148: if(p->tcp->th_flags & TH_SYN)
tcppack.c:150: length=p->len - (p->tcp->th_off * 4);
tcppack.c:178: if(r=tcp_create_conn(&conn,&p->ip->ip_src,ntohs(p->tcp->th_sport),
tcppack.c:179: &p->ip->ip_dst,ntohs(p->tcp->th_dport)))
tcppack.c:183: memcpy(&conn->start_time,&p->ts,sizeof(struct timeval));
tcppack.c:184: if(r=create_proto_handler(handler,ctx,&conn->analyzer,conn,&p->ts))
tcppack.c:197: off=(s)->p->tcp->th_off*4; \
tcppack.c:198: if(l>((s)->p->len-off)) ERETURN(R_BAD_DATA);\
tcppack.c:199: (s)->data=(s)->p->data + off + (l) ; \
tcppack.c:200: (s)->len=(s)->p->len - off + (l); \
tcppack.c:227: l=p->len - p->tcp->th_off * 4;
tcppack.c:238: seq=ntohl(p->tcp->th_seq);
tcppack.c:241: if(p->tcp->th_flags & TH_ACK){
tcppack.c:245: acknum=ntohl(p->tcp->th_ack);
tcppack.c:250: if(r=timestamp_diff(&p->ts,&conn->start_time,&dt))
tcppack.c:268: if(!(p->tcp->th_flags & (TH_RST)) && SEQ_LT(seq,stream->seq))
tcppack.c:310: if(_seg.p->tcp->th_flags & (TH_RST)){
tcppack.c:311: stream->close=_seg.p->tcp->th_flags & (TH_RST);
tcppack.c:319: if(_seg.p->tcp->th_flags & (TH_FIN)){
tcppack.c:320: stream->close=_seg.p->tcp->th_flags & (TH_FIN);
tcppack.c:325: if(seg->p->tcp->th_flags & (TH_FIN)){
tcppack.c:326: stream->close=_seg.p->tcp->th_flags & (TH_FIN);
tcppack.c:338: if(seg->p->tcp->th_flags & (TH_FIN) ){
tcppack.c:374: lookuphostname(&p->ip->ip_src,&src);
tcppack.c:375: lookuphostname(&p->ip->ip_dst,&dst);
tcppack.c:379: ntohs(p->tcp->th_sport),
tcppack.c:381: ntohs(p->tcp->th_dport));
tcppack.c:384: ntohl(p->tcp->th_seq),
tcppack.c:385: p->len - p->tcp->th_off *4);
tcppack.c:387: if(p->tcp->th_flags & TH_ACK)
tcppack.c:388: printf("ACK %ld ",ntohl(p->tcp->th_ack));
tcppack.c:390: if(p->tcp->th_flags & TH_FIN)
tcppack.c:392: if(p->tcp->th_flags & TH_SYN)
tcppack.c:394: if(p->tcp->th_flags & TH_RST)
tcppack.c:396: if(p->tcp->th_flags & TH_PUSH)
tcppack.c:398: if(p->tcp->th_flags & TH_URG)
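Review bot: base/data looks like stray tool output rather than source: every line is in "file:line: code" grep format, drawn from network.c, pcap-snoop.c and tcppack.c. It has no build or documentation role that I can see, so it should be dropped from the import rather than shipped in the tarball.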

68
base/debug.c Normal file

@ -0,0 +1,68 @@
/**
debug.c
Copyright (C) 1999-2000 RTFM, Inc.
All Rights Reserved
This package is a SSLv3/TLS protocol analyzer written by Eric Rescorla
<ekr@rtfm.com> and licensed by RTFM, Inc.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by Eric Rescorla for
RTFM, Inc.
4. Neither the name of RTFM, Inc. nor the name of Eric Rescorla may be
used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY ERIC RESCORLA AND RTFM, INC. ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY SUCH DAMAGE.
$Id: debug.c,v 1.2 2000/10/17 16:09:57 ekr Exp $
ekr@rtfm.com Wed Jan 6 17:08:58 1999
*/
static char *RCSSTRING="$Id: debug.c,v 1.2 2000/10/17 16:09:57 ekr Exp $";
#ifdef DEBUG
#include <stdarg.h>
#include <stdio.h>
int debug(int class,char *format,...)
{
va_list ap;
va_start(ap,format);
vfprintf(stderr,format,ap);
fprintf(stderr,"\n");
return(0);
}
#endif
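Review bot: debug() calls va_start() but never va_end(); the C standard requires a matching va_end() before the function returns, so add "va_end(ap);" after the vfprintf call. The "class" parameter is also unused, and because it is named "class" the matching prototype in debug.h cannot be included from C++ code; renaming it (for example to "level") avoids both problems. The file also defines an unreferenced "static char *RCSSTRING", which will draw unused-variable warnings.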

58
base/debug.h Normal file

@ -0,0 +1,58 @@
/**
debug.h
Copyright (C) 1999-2000 RTFM, Inc.
All Rights Reserved
This package is a SSLv3/TLS protocol analyzer written by Eric Rescorla
<ekr@rtfm.com> and licensed by RTFM, Inc.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by Eric Rescorla for
RTFM, Inc.
4. Neither the name of RTFM, Inc. nor the name of Eric Rescorla may be
used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY ERIC RESCORLA AND RTFM, INC. ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY SUCH DAMAGE.
$Id: debug.h,v 1.2 2000/10/17 16:09:57 ekr Exp $
ekr@rtfm.com Wed Jan 6 17:13:00 1999
*/
#ifndef _debug_h
#define _debug_h
#ifdef DEBUG
#define DBG(a) debug a
int debug(int class,char *format,...);
#else
#define DBG(a)
#endif
#endif
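Review bot: the prototype "int debug(int class,char *format,...);" uses the C++ keyword "class" as a parameter name, so any C++ translation unit that includes debug.h with DEBUG defined will fail to compile; rename the parameter or omit parameter names in the prototype. Note also that when DEBUG is not defined, "#define DBG(a)" removes the call entirely, so the arguments of a DBG((...)) invocation are never evaluated; that is the usual intent, but callers must not rely on side effects in the argument list.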

241
base/network.c Normal file

@ -0,0 +1,241 @@
/**
network.c
Copyright (C) 1999-2000 RTFM, Inc.
All Rights Reserved
This package is a SSLv3/TLS protocol analyzer written by Eric Rescorla
<ekr@rtfm.com> and licensed by RTFM, Inc.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by Eric Rescorla for
RTFM, Inc.
4. Neither the name of RTFM, Inc. nor the name of Eric Rescorla may be
used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY ERIC RESCORLA AND RTFM, INC. ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY SUCH DAMAGE.
$Id: network.c,v 1.10 2002/09/09 21:02:58 ekr Exp $
ekr@rtfm.com Tue Dec 29 09:52:54 1998
*/
static char *RCSSTRING="$Id: network.c,v 1.10 2002/09/09 21:02:58 ekr Exp $";
#include <sys/types.h>
#include <r_common.h>
#include "network.h"
#ifndef _WIN32
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif
#include "tcppack.h"
#ifdef STDC_HEADERS
#include <string.h>
#endif
UINT4 NET_print_flags;
struct network_handler_ {
proto_mod *mod;
proto_ctx *ctx;
};
int network_handler_create(mod,handlerp)
proto_mod *mod;
n_handler **handlerp;
{
int r,_status;
n_handler *handler=0;
if(!(handler=(n_handler *)malloc(sizeof(n_handler))))
ABORT(R_NO_MEMORY);
if(mod->vtbl->create_ctx){
if(r=mod->vtbl->create_ctx(mod->handle,&handler->ctx))
ABORT(r);
}
handler->mod=mod;
*handlerp=handler;
_status=0;
abort:
if(_status){
network_handler_destroy(&handler);
}
return(_status);
}
int network_handler_destroy(handlerp)
n_handler **handlerp;
{
if(!handlerp || !*handlerp)
return(0);
free(*handlerp);
*handlerp=0;
return(0);
}
int network_process_packet(handler,timestamp,data,length)
n_handler *handler;
struct timeval *timestamp;
UCHAR *data;
int length;
{
int r;
int hlen;
packet p;
u_short off;
/*We can pretty much ignore all the options*/
memcpy(&p.ts,timestamp,sizeof(struct timeval));
p.base=data;
p._len=length;
p.data=data;
p.len=length;
p.ip=(struct ip *)data;
/*Handle, or rather mishandle, fragmentation*/
off=ntohs(p.ip->ip_off);
if((off & 0x1fff) || /*Later fragment*/
(off & 0x2000)){ /*More fragments*/
/* fprintf(stderr,"Fragmented packet! rejecting\n"); */
return(0);
}
hlen=p.ip->ip_hl * 4;
p.data += hlen;
p.len =ntohs(p.ip->ip_len)-hlen;
switch(p.ip->ip_p){
case IPPROTO_TCP:
if(r=process_tcp_packet(handler->mod,handler->ctx,&p))
ERETURN(r);
break;
}
return(0);
}
int packet_copy(in,out)
packet *in;
packet **out;
{
int _status;
packet *p=0;
if(!(p=(packet *)calloc(sizeof(packet),1)))
ABORT(R_NO_MEMORY);
memcpy(&p->ts,&in->ts,sizeof(struct timeval));
if(!(p->base=(UCHAR *)malloc(in->_len)))
ABORT(R_NO_MEMORY);
memcpy(p->base,in->base,p->_len=in->_len);
p->data=p->base + (in->data - in->base);
p->len=in->len;
p->ip=(struct ip *)(p->base + ((UCHAR *)in->ip - in->base));
p->tcp=(struct tcphdr *)(p->base + ((UCHAR *)in->tcp - in->base));
*out=p;
_status=0;
abort:
if(_status){
packet_destroy(p);
}
return(_status);
}
int packet_destroy(p)
packet *p;
{
if(!p)
return(0);
FREE(p->base);
return(0);
}
int timestamp_diff(t1,t0,diff)
struct timeval *t1;
struct timeval *t0;
struct timeval *diff;
{
long d;
if(t0->tv_sec > t1->tv_sec)
ERETURN(R_BAD_ARGS);
/*Easy case*/
if(t0->tv_usec <= t1->tv_usec){
diff->tv_sec=t1->tv_sec - t0->tv_sec;
diff->tv_usec=t1->tv_usec - t0->tv_usec;
return(0);
}
/*Hard case*/
d=t0->tv_usec - t1->tv_usec;
if(t1->tv_sec < (t0->tv_sec + 1))
ERETURN(R_BAD_ARGS);
diff->tv_sec=t1->tv_sec - (t0->tv_sec + 1);
diff->tv_usec=1000000 - d;
return(0);
}
int lookuphostname(addr,namep)
struct in_addr *addr;
char **namep;
{
struct hostent *ne=0;
if(!(NET_print_flags & NET_PRINT_NO_RESOLVE)){
ne=gethostbyaddr((char *)addr,4,AF_INET);
}
if(!ne){
*namep=strdup((char *)inet_ntoa(*addr));
}
else{
*namep=strdup(ne->h_name);
}
return(0);
}
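Review bot: `network_process_packet` trusts on-wire header fields before checking the captured length. `p.ip->ip_off`, `ip_hl` and `ip_len` are read with no check that `length >= sizeof(struct ip)`; `hlen=p.ip->ip_hl * 4` is never validated to be at least 20 and at most `length`; and `p.len=ntohs(p.ip->ip_len)-hlen` takes the total length the packet claims rather than the bytes actually captured, so a truncated or malformed packet leaves `p.len` negative or larger than the buffer that `process_tcp_packet` then parses. Suggest returning early when `length < sizeof(struct ip)` or `p.ip->ip_v != 4`, rejecting `hlen < 20 || hlen > length`, and clamping `p.len` to `length - hlen` (dropping the packet when `ntohs(p.ip->ip_len) < hlen`). Smaller points: `packet_copy` allocates `p` with `calloc` but `packet_destroy` only frees `p->base`, so the `packet` struct itself leaks on the `abort:` path and whenever a caller relies on `packet_destroy` alone to release a copy; in `lookuphostname` the literal `4` should be `sizeof(struct in_addr)`, both `strdup` results are unchecked, and `ne->h_name` is whatever the reverse zone's operator put in the PTR record, so any code that prints it should treat it as untrusted input rather than a clean hostname.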

106
base/network.h Normal file

@ -0,0 +1,106 @@
/**
network.h
Copyright (C) 1999-2000 RTFM, Inc.
All Rights Reserved
This package is a SSLv3/TLS protocol analyzer written by Eric Rescorla
<ekr@rtfm.com> and licensed by RTFM, Inc.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by Eric Rescorla for
RTFM, Inc.
4. Neither the name of RTFM, Inc. nor the name of Eric Rescorla may be
used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY ERIC RESCORLA AND RTFM, INC. ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY SUCH DAMAGE.
$Id: network.h,v 1.3 2001/09/14 22:29:14 ekr Exp $
ekr@rtfm.com Tue Dec 29 09:53:50 1998
*/
#ifndef _network_h
#define _network_h
#include <stdlib.h>
#include <string.h>
#include <r_common.h>
#include <sys/types.h>
#ifndef _WIN32
#include <sys/socket.h>
#include <netinet/in.h>
#else
#include <winsock2.h>
#endif
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <r_time.h>
#include <r_data.h>
typedef struct network_handler_ n_handler;
typedef struct proto_mod_ proto_mod;
typedef struct proto_handler_ proto_handler;
typedef struct packet_ packet;
int network_handler_create PROTO_LIST((proto_mod *mod,
n_handler **handlerp));
int network_handler_destroy PROTO_LIST((n_handler **handlerp));
int network_process_packet PROTO_LIST((n_handler *handler,
struct timeval *timestamp,UCHAR *data,int length));
int packet_copy PROTO_LIST((packet *in,packet **out));
int packet_destroy PROTO_LIST((packet *p));
int timestamp_diff PROTO_LIST(( struct timeval *t1,struct timeval *t0,
struct timeval *diff));
int lookuphostname PROTO_LIST((struct in_addr *addr,char **name));
struct packet_ {
struct timeval ts;
UCHAR *base; /*The base of the packet*/
int _len;
UCHAR *data; /*The data ptr appropriate to this layer*/
int len; /*The length of the data segment*/
/*These just save us the effort of doing casts to the data
segments*/
struct ip *ip; /*The IP header*/
struct tcphdr *tcp; /*The TCP header*/
};
#include "tcpconn.h"
#include "proto_mod.h"
extern UINT4 NET_print_flags;
#define NET_PRINT_TCP_HDR 1
#define NET_PRINT_TYPESET 2
#define NET_PRINT_ACKS 4
#define NET_PRINT_NO_RESOLVE 8
#endif
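Review bot: the Win32 branch cannot build as written: `<netinet/in_systm.h>`, `<netinet/ip.h>` and `<netinet/tcp.h>` are included unconditionally after the `#ifndef _WIN32 ... #else #include <winsock2.h> #endif` block, and the `struct ip` and `struct tcphdr` types that `struct packet_` depends on have no Winsock equivalent, so either move those includes into the non-Windows branch and supply local header definitions under `_WIN32`, or drop the `winsock2.h` branch rather than advertise a port that does not compile. Style: the include guard `_network_h` begins with an underscore, a namespace the C standard reserves for the implementation at file scope; `_len` is the only `struct packet_` member without a comment, and noting that it is the allocation length of `base` (which is how `packet_copy` in network.c uses it) would document the invariant the parsers rely on; and the prototype for `lookuphostname` names its second parameter `name` while the definition uses `namep`.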

365
base/pcap-snoop.c Normal file

@ -0,0 +1,365 @@
/**
pcap-snoop.c
Copyright (C) 1999-2001 RTFM, Inc.
All Rights Reserved
This package is a SSLv3/TLS protocol analyzer written by Eric Rescorla
<ekr@rtfm.com> and licensed by RTFM, Inc.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by Eric Rescorla for
RTFM, Inc.
4. Neither the name of RTFM, Inc. nor the name of Eric Rescorla may be
used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY ERIC RESCORLA AND RTFM, INC. ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY SUCH DAMAGE.
$Id: pcap-snoop.c,v 1.14 2002/09/09 21:02:58 ekr Exp $
ekr@rtfm.com Tue Dec 29 10:17:41 1998
*/
static char *RCSSTRING="$Id: pcap-snoop.c,v 1.14 2002/09/09 21:02:58 ekr Exp $";
#include <pcap.h>
#include <unistd.h>
#include <net/bpf.h>
#ifndef _WIN32
#include <sys/param.h>
#endif
#include <sys/types.h>
#ifndef _WIN32
#include <sys/socket.h>
#include <netinet/in.h>
#else
#include <winsock2.h>
#include <bittypes.h>
#endif
#include <signal.h>
#include <net/if.h>
#include <netinet/if_ether.h>
#include "network.h"
#include <r_common.h>
#include <r_time.h>
#include "null_analyze.h"
#include "ssl_analyze.h"
#ifdef ENABLE_RECORD
#include "record_analyze.h"
#endif
#ifndef ETHERTYPE_8021Q
# define ETHERTYPE_8021Q 0x8100
#endif
char *collapse_args PROTO_LIST((int argc,char **argv));
static int pcap_if_type=DLT_NULL;
int err_exit PROTO_LIST((char *str,int num));
int usage PROTO_LIST((void));
int print_version PROTO_LIST((void));
RETSIGTYPE sig_handler PROTO_LIST((void));
void pcap_cb PROTO_LIST((u_char *ptr,struct pcap_pkthdr *hdr,u_char *data));
int main PROTO_LIST((int argc,char **argv));
int err_exit(str,num)
char *str;
int num;
{
fprintf(stderr,"ERROR: %s\n",str);
exit(num);
}
int usage()
{
fprintf(stderr,"Usage: ssldump [-r dumpfile] [-i interface] \n");
fprintf(stderr," [-k keyfile] [-p password] [-vtaTnsAxVNde]\n");
fprintf(stderr," [filter]\n");
exit(0);
}
int print_version()
{
printf("ssldump 0.9b3\n");
printf("Copyright (C) 1998-2001 RTFM, Inc.\n");
printf("All rights reserved.\n");
#ifdef OPENSSL
printf("Compiled with OpenSSL: decryption enabled\n");
#endif
exit(0);
}
RETSIGTYPE sig_handler()
{
fflush(stdout);
exit(0);
}
void pcap_cb(ptr,hdr,data)
u_char *ptr;
struct pcap_pkthdr *hdr;
u_char *data;
{
n_handler *n;
int len;
struct ether_header *e_hdr=(struct ether_header *)data;
int type;
n=(n_handler *)ptr;
if(hdr->caplen!=hdr->len) err_exit("Length mismatch",-1);
len=hdr->len;
switch(pcap_if_type){
case DLT_NULL:
data+=4;
len-=4;
break;
case DLT_EN10MB:
type=ntohs(e_hdr->ether_type);
data+=sizeof(struct ether_header);
len-=sizeof(struct ether_header);
/* if vlans, push past VLAN header (4 bytes) */
if(type==ETHERTYPE_8021Q) {
type=ntohs(*(u_int16_t *)(data + 2));
data+=4;
len+=4;
}
if(type!=ETHERTYPE_IP)
return;
break;
}
network_process_packet(n,&hdr->ts,data,len);
}
typedef struct module_def_ {
char *name;
proto_mod *mod;
} module_def;
static module_def modules[]={
{"SSL",&ssl_mod},
{"NULL",&null_mod},
#ifdef ENABLE_RECORD
{"RECORD",&record_mod},
#endif
{0,0}
};
int parse_ssl_flag PROTO_LIST((int c));
int main(argc,argv)
int argc;
char **argv;
{
pcap_t *p;
int r;
n_handler *n;
#ifdef _WIN32
__declspec(dllimport) char *optarg;
__declspec(dllimport) int optind;
#else
extern char *optarg;
extern int optind;
#endif
char *interface_name=0;
char *file=0;
char *filter=0;
proto_mod *mod=&ssl_mod;
bpf_u_int32 localnet,netmask;
int c;
module_def *m=0;
int no_promiscuous=0;
char errbuf[PCAP_ERRBUF_SIZE];
signal(SIGINT,sig_handler);
while((c=getopt(argc,argv,"vr:f:S:Ttai:k:p:nsAxXhHVNdqem:P"))!=EOF){
switch(c){
case 'v':
print_version();
break;
case 'f':
fprintf(stderr,"-f option replaced by -r. Use that in the future\n");
case 'r':
file=strdup(optarg);
break;
case 'S':
ssl_mod.vtbl->parse_flags(optarg);
break;
case 'y':
NET_print_flags|=NET_PRINT_TYPESET;
/*Kludge*/
SSL_print_flags |= SSL_PRINT_NROFF;
break;
case 'a':
NET_print_flags |= NET_PRINT_ACKS;
break;
case 'T':
NET_print_flags |= NET_PRINT_TCP_HDR;
break;
case 'i':
interface_name=strdup(optarg);
break;
case 'k':
SSL_keyfile=strdup(optarg);
break;
case 'p':
SSL_password=strdup(optarg);
break;
case 'P':
++no_promiscuous;
break;
case 'n':
NET_print_flags |= NET_PRINT_NO_RESOLVE;
break;
case 'm':
for(m=modules;m->name!=0;m++){
if(!strcmp(m->name,optarg)){
mod=m->mod;
break;
}
}
if(!m->name){
fprintf(stderr,"Request analysis module %s not found\n",
optarg);
exit(1);
}
break;
case 'h':
usage();
printf("Do 'man ssldump' for documentation\n");
exit(1);
case '?':
usage();
exit(1);
/* must be an SSL flag. This is kind of a gross
special case */
default:
parse_ssl_flag(c);
break;
}
}
argv+=optind;
argc-=optind;
if(!file){
if(!interface_name){
interface_name=pcap_lookupdev(errbuf);
if(!interface_name){
fprintf(stderr,"PCAP: %s\n",errbuf);
err_exit("Aborting",-1);
}
}
if(!(p=pcap_open_live(interface_name,5000,!no_promiscuous,1000,errbuf))){
fprintf(stderr,"PCAP: %s\n",errbuf);
err_exit("Aborting",-1);
}
if (pcap_lookupnet(interface_name, &localnet, &netmask, errbuf) < 0)
verr_exit("PCAP: %s\n",errbuf);
}
else{
if(!(p=pcap_open_offline(file,errbuf))){
fprintf(stderr,"PCAP: %s\n",errbuf);
err_exit("Aborting",-1);
}
netmask=0;
localnet=0;
}
if(argc!=0)
filter=collapse_args(argc,argv);
if(filter){
struct bpf_program fp;
if(pcap_compile(p,&fp,filter,0,netmask)<0)
verr_exit("PCAP: %s\n",pcap_geterr(p));
if(pcap_setfilter(p,&fp)<0)
verr_exit("PCAP: %s\n",pcap_geterr(p));
}
pcap_if_type=pcap_datalink(p);
if(NET_print_flags & NET_PRINT_TYPESET)
printf("\n
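Review bot: in `pcap_cb`, the 802.1Q branch advances `data+=4` but then does `len+=4` where it must be `len-=4`, so for every VLAN-tagged frame the length passed to `network_process_packet` overstates the remaining buffer by 8 bytes and the IP and TCP parsers can read past the captured data; fix the sign. In the same function, `if(hdr->caplen!=hdr->len) err_exit("Length mismatch",-1);` terminates the whole run on the first truncated frame, so any capture whose snaplen is below its largest packet stops the analyser dead; skipping the frame with `return;` is the safer behaviour. Neither the `DLT_NULL` nor the `DLT_EN10MB` case checks that `len` covers the link header before subtracting it, and link types not listed in the switch fall through with the raw frame handed over as if it were IP. In `main`: `case 'y':` is unreachable because `y` is absent from the getopt string `"vr:f:S:Ttai:k:p:nsAxXhHVNdqem:P"`; `case 'f':` relies on an uncommented fall-through into `'r'` and deserves a `/* fall through */` marker; and `verr_exit`, used after `pcap_lookupnet` and `pcap_compile`, has no prototype among the declarations at the top of this file, so unless a header provides one it is an implicit declaration of a variadic function. Finally, `-p password` puts the private-key passphrase on the command line, where it is visible to other users through `ps` and preserved in shell history; the usage text should say so and a file- or prompt-based alternative would be preferable.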