From 49fb3de2423196a8e1c6e5acbbe2ff18dd80b0dc Mon Sep 17 00:00:00 2001
From: Kaian
Date: Wed, 15 Nov 2017 18:38:14 +0100
Subject: [PATCH] capture: add support for NFLOG linktype headers #222

If DLT_NFLOG is available (libpcap >1.6.0) standard libpcap structs will be used. Othewise, a fallback minimum implementation is provided in capture headers. Thanks as always to wireshak team for the sources to implement this :)
---
 src/capture.c | 21 ++++++++++++++++++++-
 src/capture.h | 9 +++++++++
 tlssaved.pcap | Bin 0 -> 8254 bytes
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 tlssaved.pcap

diff --git a/src/capture.c b/src/capture.c
index 7f5adb7..11a0f2b 100644
--- a/src/capture.c
+++ b/src/capture.c
@@ -392,7 +392,7 @@ capture_packet_reasm_ip(capture_info_t *capinfo, const struct pcap_pkthdr *heade
 frame_t *frame;
 uint32_t len_data = 0;
 //! Link + Extra header size
- int8_t link_hl = capinfo->link_hl;
+ uint16_t link_hl = capinfo->link_hl;
 // Skip VLAN header if present
 if (capinfo->link == DLT_EN10MB) {
@@ -411,7 +411,24 @@ capture_packet_reasm_ip(capture_info_t *capinfo, const struct pcap_pkthdr *heade
 }
 #endif
+ // Skip NFLOG header if present
+ if (capinfo->link == DLT_NFLOG) {
+ // Parse NFLOG TLV headers
+ while (link_hl + 8 <= *caplen) {
+ nflog_tlv_t *tlv = (nflog_tlv_t *) (packet + link_hl);
+ if (!tlv) break;
+
+ if (tlv->tlv_type == NFULA_PAYLOAD) {
+ link_hl += 4;
+ break;
+ }
+
+ if (tlv->tlv_length >= 4) {
+ link_hl += ((tlv->tlv_length + 3) & ~3); /* next TLV aligned to 4B */
+ }
+ }
+ }
 // Get IP header
 ip4 = (struct ip *) (packet + link_hl);
@@ -1073,6 +1090,8 @@ datalink_size(int datalink)
 return 21;
 case DLT_ENC:
 return 12;
+ case DLT_NFLOG:
+ return 4;
 #ifdef DLT_LINUX_SLL
 case DLT_LINUX_SLL:
 return 16;
diff --git a/src/capture.h b/src/capture.h
index 5ebe732..a8cdeae 100644
--- a/src/capture.h
+++ b/src/capture.h
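Review bot: The NFLOG TLV loop added to capture_packet_reasm_ip can spin forever on a malformed capture: when a TLV is not NFULA_PAYLOAD and its `tlv_length` is below 4, nothing advances `link_hl`, so `while (link_hl + 8 <= *caplen)` never becomes false. The same stall occurs when the padded length is 65536 (`tlv_length` 65533 to 65535), because `link_hl` is the `uint16_t` declared in the first hunk and the addition wraps back to the same offset; smaller wraps send the walk backwards. The length is read straight from packet bytes, so a TLV shorter than its own header should end the walk, and the next offset should be computed in a wider type and checked against `*caplen` (assumed here to be an unsigned 32-bit count) before it is stored. The `if (!tlv) break;` test can be dropped, since `packet + link_hl` is never NULL at that point. The function continues outside the hunk, so whether a malformed header should abort the packet rather than fall through to the IP parse depends on its return contract.

```c
        while (link_hl + 8 <= *caplen) {
            nflog_tlv_t *tlv = (nflog_tlv_t *) (packet + link_hl);

            // … unchanged: NFULA_PAYLOAD branch …

            // tlv_length comes from the packet: stop on a TLV shorter than its
            // own header, or on an advance that leaves the capture or wraps link_hl
            uint32_t next_hl = link_hl + (((uint32_t) tlv->tlv_length + 3) & ~3U);
            if (tlv->tlv_length < sizeof(nflog_tlv_t)
                || next_hl > *caplen
                || next_hl > UINT16_MAX)
                break;
            link_hl = (uint16_t) next_hl;
        }
```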
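Review bot: `return 4;` for DLT_NFLOG in datalink_size appears to cover only the fixed part of the NFLOG header, while the variable TLV run before the payload is skipped separately in capture_packet_reasm_ip. Any other consumer of this size (callers are outside the hunk) would land on the first TLV instead of the IP header, so the case deserves a comment such as `// Fixed NFLOG header only; TLVs before the payload are skipped in capture_packet_reasm_ip`. The neighbouring `DLT_LINUX_SLL` case is wrapped in `#ifdef`, whereas this one relies on capture.h always defining DLT_NFLOG; a short remark on that dependency would help the next reader.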
@@ -92,6 +92,15 @@
 #define ETHERTYPE_8021Q 0x8100
 #endif
+//! NFLOG Support (for libpcap <1.6.0)
+#define DLT_NFLOG 239
+#define NFULA_PAYLOAD 9
+
+typedef struct nflog_tlv {
+ u_int16_t tlv_length;
+ u_int16_t tlv_type;
+} nflog_tlv_t;
+
 //! Define Websocket Transport codes
 #define WH_FIN 0x80
 #define WH_RSV 0x70
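Review bot: The NFLOG block in capture.h is not conditional: `DLT_NFLOG`, `NFULA_PAYLOAD` and `nflog_tlv_t` are defined unconditionally, although the comment and the commit message describe them as a fallback for libpcap older than 1.6.0. If a libpcap header that declares the same struct is ever included alongside capture.h the typedef will clash, so I would guard the block, along the lines of `#ifdef DLT_NFLOG` / `#include <pcap/nflog.h>` / `#else` followed by these fallback definitions and `#endif`. The struct is overlaid directly on packet bytes in capture.c and both fields are read without any byte-order conversion; a comment on the typedef stating that assumption would make the parser easier to audit.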
diff --git a/tlssaved.pcap b/tlssaved.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3386e4ea86f55f39adea9e9d75b63205ac72715f GIT binary patch literal 8254 zcmaKxWl$UHwuVD+3GPs&xLbkZR@^1HwG=7tt_f14IJ8)CcXxMaafjkAMT-@=(0$Lo zv(K4(GP8bU=9~Qap7&X6eVOX6$^-)70RQ?tJ^}zRPhT|QMKvB?q63&=0e=dBFM+jp z1OT-rM|L9tBrRacU^+wrA_xR~C@3(IC@9GEIHNed3F3EGO^s!){)7|&E2XDjfl2~qpqK(njD@5(-czOFPltdVA)O&f zd{>BZsUIdM`D;|hcM5foLnT2@bhxdDzdlEDiCoo-H ze>dwrc|Z^Sja6RY#dIa1XTr+tZlx}MVR;wt?pUaAXijxp9I}sZrY32G+^zq43zIx< z`&3$jH%q6F8ec&PV`_@ecOop)=CrV*59?gQsaka=n2?7nh~Fng(i4=Z7|A59LrM`g z^!PoHc2#tjCuWnN$HJ_}_Zg_pf&=@kO5YpLG~`ksMJ*^*=W%4i zCAB%xiPQD=kxb)S@W!-d9co~5JqEzw8$Dl$J#N7( zqwCHaG#9aDwcYY<^K~m-BVhg*A2kxMWdTe1WM;s^_e_lB1_92te-V|D$5|m^ewV#u zMJipPz8IR~?6ddOVOV#R)|8*BQ|`e@PiS}_(RpZ5wKjm#_)0nAk!RCuZ2g@kSyJ7* z23nKc$Bx;%Ov}lKcaGk78FsV|m66f%>OkG*RxW(pGZlxV0yK#-aAAD?qy|+{pVSU4 zmw&VagF88_wM^n8&%Ks%CrW5iBxZil}SwxJPJBTF> z-rM`GKM$NK+m8m?wq@mvleG^K48enF@0y>p1IR`Pcmn}{>aW!Nm7u5W0D!hcPuUSg z0Kh!w<~ct&y*Q&yjg=G$5-?W&gaAcK#=o-jlpCVw{QSud+-o~3Jd^3xn)#bOqtD^O ztTh%J%`OH90TGmO6l#S8&)LD8>7G}eYD1IpbS0=bP@g|fRM>h1E?z#&5VM6ZM3_-) zZkx;>I)SA1S;CnYpxE2#aWiGG6-}F1Rh&0SGhPT<0p7+wUjoFXu4jY~j5NEFmsQ0h z!L1$iaE^1yK4rjjgOXwikQX%e1IVdseS#87_J&~@)TcSna-*2=K6Pj$b*zk9%`x|- zy?A4mlS_e8uJQM-!prSA3>wRErpN74=OG%a1I>dGO}!B!w^&n!RTADUjI@@nLV?rG z>(u)6IdrU6O^868P`mk>WABN5;6xhTpnAVzcOEwW@s~BvjZZxduYD$z$cT>j)P~fV zm~F$<_-rO^IUukK$%1zA4Sg;N#w**1yVtW^?e|c3IerI}HmfFfCd58u81?4mEqi*A z-&^rx!it@aBt|12FCih;x!w`ZTUK2v_rSSd)ZFJNg7ATtV@YcyMRDQT!)SPvQz$lj zEd|l#IVT!rG5DbL1}B3{bE z6!2njh+E{QK5U;5`M6P%#hEqzbh=e#Ux?9pX0hlM#((p8*B_7X{KMl<95yvp>ppv& zZeFI9;b#Ld+Y2U?q})iXLq+{1*-n0LBX=x2M;>!7 zpC_WS&V$Pym5+pACe$NBdS1PjQvA$4YXx15K-IpOZq!1I-{)quihMAXLhIORAy;6P z(<&fE)r4oYlr&*_rEx*&P-X5^uWCd_G?Qg~ig4DAggyyb`_*5YUDigo9u!-`Li<+j zo+zDEZQ>$Uibmu*0=8D38@~KeS*PR*xc6a!WqinnST&8|&4#-ffI94#X`V-Vh{QMJ zvG^`RisXbBHkHZLTlc)O8t~;k5|YjAvmYtG2fBXfrU=Ek2w+(?NHO0`!;t9vbpPta zRDY`-OaFFl(e}W@-D@?Ou9ClHlaEfKDcRz_h|i|K!YAC7CJB8b*w|G6h>D2+i&DHi 
z;T&Eb?5lJa=ko)D8^{sa#f|f6XsKF#j1!p-=ynTIj&XZDS) zX|A5)?XB{lrtMb@hbpb|aYxf%DrP^WJxVEqfEGqAq$#@GzprtRGKkA`(xSvhLvw=; z16kg$Y@dw4-}jtmCrD{7)+*n`uz{T4{P-42BoyELvPk+D-vua$GG);Y);?FP>=Ofx zeJIb#yME(1mz?^SFL$8+(TL2pkG_kV#~GI+O!%1&?rt<8c-Lh|w8wP!BE*EWx*=b> zW3U4TXJTHz!;ggYVws#DX4cCvQ+He@Ydv^Z?~+sm&7x%P7xK8x#D0#@MaPIj{K$K| zfguRS{~6brnyhDjeRG;fav_X!*tKQ`$H-F0WFb2&FPvUX#Pznbv5M3?;^VZQuzJeT zqX1pHyX|kF9vHId{o8lmY1bZsGWFv~7Q5*WvLoIo^}`6pc#nIPAptdJ!715F1E*A! z?{=-9gKjFA1Lvyc(T6(MYlR+J38{cuPubz+1^`l@JpNq&;qgeK&S#H5uKd&E)w&51 zaNsA8>rl%5?Qy!lJuX$*7Z%5{vRj;Egqn&9hcXBdi&f_%M+-ulde^#Qp!1v^b};=< zH&d>;mF+Fkm?}iwH-xLu|q1t{y$^}K~G1xn8e&69@S(;eBMMtZBDYDk3JE=OHEr)|e>PB34KkqIimTRDaGCuR-tt=|9<5nWD z;;o5U!+4HK`>;CRcJr$$Az%7qN!n2o2sKNNa)mw2wU3DAXMYh?Et|j>BqtgVDbR9@ z>?0~H#=1Q7QLXF6MlAFBU-9w5i~N}K!9{0-vt}em1dFttRGd5{5dSFLk&ssm+y-3O z2$t{nygdoebCu$Lwe|sA+$+Mxxh+iDqC~`?4CoCh)u}3}!t5xlQc(|?N=~myWCT45 zKHHfN=ZM(4X&sL*xyPlAs~BZwYO1*PtPhv@44uqN4>I@qgZHO2GtqLCE>1lz=}4`W zJ^<}=;Wv7hGGb9ByXt__M-5f7vyoIfn{~V_RV*WC$8EOdw?(E3=foO-s30#n!RoZs z;V2ZhP>5LI7Eh99JErDlvnW(3G*=e6WJ9pS%)I(1m)bIH4{Tg=7`zYKeN5K27vz*k zNYpYBF{F)S;3i

8FTk<=z7B)*B%wEHDnCu|Ez9|4Xg>?1P7%$y5JrffTqwb3rOl zm|C(eQ6|@@@Wi1m*-Ja(BG^vrUUqhuc0HiRHe=#NO)v_7%(LeQ7|;QSPnxc0=VIA!wRtYZJos$F>n@+_U>N5H|VZ6B%1z_Ka9*QKx$(K|Is zV`cAx>StE{AElwKgqPD@W?|E?(H(DZyB0eNUmW#s!o(6nYkcMCHI+QG!#p%2*qjlU zH`}GEIoPnarW7dh6=7I+A$XA{B^3($Z6cd`VvEe|_(eTs5@zsOJ+PN9`1Rsrbg~7X znBAqTY#W@Ha_6?IgfT)Fl&w~|S06?|%3X03W>Z$t zQ=K8)^lG#3_=kw>hq+19&R@IDb1Ld4>B|@528va zYeIWfLfAd+Av!#kDbmYjv|d0<`QrG1a4f@fE;S>DMGEnZH^JUo4n`?en-|=eGST`q zR+5r&>~z4t_vJyo!g}z%kZbnbI#Y|GIy_0Of$*&p>pAbw8EO(st;}~h@jK-Ra2g|p zJ+4Tto(=1Zx6@Q!*>>*yZ`$WED3CZ+*EGf!d}`*Jh;s;R)vC3Fqbc?H9X9d$v5(SL zG5BWYyz-Ub;G%b%J;2E$!Vq20VwnF5cmp$uhoM9@Utv&3^oW6B{rV7#W)(vK4R_K~ z^BTnMX*gwt%!Ma-!JJD*ORu3jE@Ou0f}ddEf~n7CjE&~SF#`7k=w9^c7hb}eXbkckJY9b z;F~5lW)&HE3+Q2PlnWZ%dG*=Q(6#8)ZZVEFddA+SSzylQN?m5PN)9M3uQ6J?#d!&q z@J57i@=G2jvz&m(w6i^7aT|%Zquze2FzW_t6PopcwRe8+P0sQ0u4e-FEEd2SUO6wM zg+3rtqbqGA)2EIpw%n08K#Vu_jHo(ugD@q*haOB~d|#Nha&^@Y&c#@ zb_ELQ2YCJ{o|U`D*cG~gIhn;QC&+bsg=3kw(pCl|UA1m9T9uV%siF=a-HU4fErWU~ zij_@^+wvRwG_JSo=B9SjtJ~kJotS?X^XtIK*{$X{E_w~AsNlBf$SVoz znG?4|qmeg)_&)sQux@s7a8BzJ59#n2uL%UT987tGvX!%>nBzlo98x587*^cJD|>9| z6LFlY+Dlu%B;5KJ^wVPvezjLW?L_P+NM!3h;&Pi)p9Vwv5WJ#xQAX0kD|1NH^<+?? 
zdl4GbBtabUVQwt`D*dry;M>k@tXi8_Vg4Mv#R>hHN4NkcO~~1g&or*Z<#H;PFR4NN z(*AFyR8EZ6Hf#m!`34s8a?0(ILR6Xka(U6-O~%5(ov|EcHd`d6&8tY(h#%RzDpZOp zQ!2XWldp#re5|k=Ti1TqtY96w`!8jlOND!q}c zwN6abpg5rA8yq3SvO3pR)!V3JTPX9yZW(cQR^E`Cx5Kl@Oia-+>QirljY@wZA?L8o5@3cd~X61gj8Pi}G`l zNvePIMZ=9cfK*^%rH11EUZ$Byit`jP#nZ_|xNw(^ZrU+d;*o+$oNmTDae)7U3Ft26 z>q@(y>?Ff@Tg|F>!sS<8m>VGyK1WT7TMPZfgcEcsspIb^a(ah~J?CEzs)smYMh#tc zpvA8r+oHK)VoEZcF+f2e)(j!0TrPaBANr+i4PhSyonMb)w=U{CxAs{oA>%SDsYVeCB zBK)RQH6|w!TcV#gb%?aW1l300hp(>>Lt4)>7%i3i6m^~ zM{5ST{kzDviVL4IawPUj$M-{7DxW71Wb#0T@Iml0FLtURZ}etWE)RjF^6unxcA$r@ zrmop|1DEe~E<;7>90>%rj9G4exz&!`dUWSQZD(^aW;qn8fa9LLmc1D(o~yVVQyvAb zVISsC>}NSb#`cO9@;k46yS^V6*MT>sv)fT20T&v)yR z|8%!spJz6t2Ap0`<8>CsG&*;GLiBgd!hhW@ES%&=*0I|2XJx4vLOe7qo39)`o~pQ7 z^XYdOP0MM@&~Xcw4u2ZlRpsIt1U9*0)?2kiEJY#Wu3CkHn{{Y66v){9e^+BmCBvnu zlEqmH&E{sCf72|DkF~yxHn8gi>@#T!Ba@y4om%8RP-^>Xl#O_em#6W$RL7_VngFN! zdX1X%`>nQozo!=OB1friRggfTT_=dkzEg%?H2h@dgry7^;?ZTks4&aS0-~Fv*j{F` z$srw5g=D|bkxbtoT>a|UL(M6tq@_Al$lHv|A;4gB&vTlS-d$|kWrUJq&?n=VO!k#; zx`f+Ez?s+|Z{l=u~pJ*O^=wVp)&xxbx_RhTo;Qoo`+>fwO~ z1nHIezCS0;7@-}07K32u%ILg3$#3mwZ@odgZKbEbkV5m;_k!5^dt35OWkz4o85W-TYojfT)ouXwh`SiDvqpfMPXDbnfmVHVh}0O0nD|B`$Mm7b37nDkOhi zA4sb>uHVXVz~wG|WRMPtVT?K?2_9}f{8V(?sM`_530v>0QA$^cY{P?j;p`koUR$`k z-YPAIU(gT>Gu6>EAfUG%l=jnCe(X1g<(h1t!j~l!@;BCy5h{gq^RrCx^IpYvJ&IOc zo+FJBq&vQt_%9!^i3im(0`Z!2D5Yh*8q5G$@MJfS^pJ8ZRn>Df`AxC(00-Vh<12<< zYb%?IhJzex(X&dDHIHvJnb_Omr=PSXhj{$g-mi0Se23Q5S!26e6HlLegdWxeHuLwl zdrU1N<92g=ea2L*6ZBu6GGj8H+wVur|6MD-;`AalJR|C9ya{<)D?}*y|Fu@s-aMoF zM?p5s`zR|Tb3ESj%RNX(Bpi#vy1La+5G5YBUx%&6q}wygm^Sy|Q*wqVJ?Jfh)Ac!m zpG_lfo>>~!B`-V4fhaub94ioZ{H`AcM8_|xBTXAEc3$pvhd8FEv9kaXk0uz)cxzra zR{9ZJY$Sr(gpAyaNm=&8cSp2ks$pekM4RBw?GhHpiMZ;FtiAd|7E-}qS64IC2!0l3 z5+0l$ndw@`#Gsxx7ef2_ils=V1|J!^TAjA;Azq$a83jI*_S}mJFN4g{YYr;K&g>eF zn64~cwIj;DH2V24m|c=u7Ss-^+viR*9&8@ik>vT$8mm`_l90L{M$h{c1)bh}a3o(S zfMq_e<6&eOlxi!r1}M8?=<=?;q)w_V<-2ObjrM6y5l=|sc^<-eS`2h#eq)Ca%9L%T4 zrE|tBJzt_;OiYbr*VrMcji!f4>#fGY%f^Sp{a7ifv-WTaa%9C& 
z9Mc6CMdWhyHI0r56{yMcN_w7qG|^$&`VUQD)R>%wQq)56%b9I?t*MI9Eeic* zCyf1yd6{dxa>J1$q()&v)NhP|jvyp}B`Dx}eC*2EogOr6zM*^PLlKemHT9XrT}BK5 z@6%sW&-L%hgk{JH`=d(Tw|MdvBzwh=-)1XRL``D7>Tn0C^+Mk5FL?j3pxs3`WA0^8*7hj`4bPM8 zs2P9|o!r~?A%1l16ExYFxnA~h2Y5>?K%VLqI5Zf4a@F-Xst`Qjc14bK`NULK_NXt_yb%aepQ62xDL#u>eVg7#pMWdUy$f$tb#WG?2Z>L zmW2qH34O=s{Ul_fcB44MZA&)qS<+7mWVovBEp7;lWM|KQ&7g(BQ~h{2d$>zluGP(H@wWZ=^*rwx2R4%-Pdsfk3e}Er@ss4%%5Pku~}KwFBebS8!Yp z7fEQOi+cSaWAQys$VCf@Yy!JhYgtyaU*6G$9DDO2$Hg2qJmA}JQF*h1)CvqH(a^n1 zVK}#%cGlH6kj)-DIAkUnJpsi<5=1+yr!x(QWt2?HDxm3AxhqW(yJ6-J8gY=2&BlsB z{SuTOtVNF1FUbi(OoPxQ7juWX2SNz;b>B?1INad-sZm{wR_=K}7 z;12pdzJ?d~9t-c0fW*7^!j?R;VHML+Kyv*SgHV7^z!;qcKd|OA!law&M9Axok{_{l z6il*(zs$kpHuH~V#vFBSoQFgL)6pB>_hI1)ingJM@O1K&m8+!9WwFatdB|ldn6g6BLMoqQw7`l15PX_Cp6fqeidbVZ|0rGgpGs$_@-*IYds4bQ#qGb8 zUWfUl^w>X2|6$Tp>J~;reM%B(tx)Vx#9nUQ6b5~rs;UDN=16H^dO8F%)(m&D1Nvrx zO7|Gif=fh8uQ~jan$qz6(+q$8*jQ3WVxqJ>RD_bMw$KzrJ2F%$@ks+h8v1>U4*Q+? zTc5`K_@d3)4D%N+Md^%+_{J$>Gi7nH5`J2EE*+RwzR><{Tf;Bu+KQ{oC;+r#Icw5?<6q*35BQP`nMOKyv z9riAem}CW32KJ!~t@*6Ra85 zrM){;R@{xMzXu0*_&3P#yyF`6htV(W#vyo v#@3ah&;6n5D4uQQ7=rP#&-90)KH;rcZ&=Dqik_*Ny|?UX8FrXEX5an?9~$Vk literal 0 HcmV?d00001