ngrep.h (3841B)
/*
 * Copyright (c) 2017 Jordan Ritter <jpr5@darkridge.com>
 * Copyright (c) 2020 Stephen Gregoratto <dev@sgregoratto.me>
 *
 * Please refer to the LICENSE file for more information.
 *
 */

/*
 * Shared declarations for ngrep: link-layer header sizes, default filter
 * templates, callback types and function prototypes.
 *
 * No #include appears in this header, yet it uses the fixed-width integer
 * types, bool, size_t and struct pcap_pkthdr. The including file must bring
 * those declarations into scope before including this one.
 */

/*
 * We cache the standard frame sizes here to save us time and
 * additional dependencies on more operating system include files.
 *
 * NOTE(review): these are fixed compile-time values (presumably bytes of
 * link-layer header to skip -- confirm against the decoder). Nothing in this
 * header checks them against the captured length of a packet; the code that
 * uses them has to confirm the capture is at least this long before reading
 * past the offset.
 */
#define ETHHDR_SIZE 14
#define TOKENRING_SIZE 22
#define PPPHDR_SIZE 4
#define SLIPHDR_SIZE 16
#define RAWHDR_SIZE 0
#define LOOPHDR_SIZE 4
#define FDDIHDR_SIZE 21
#define ISDNHDR_SIZE 16
#define IEEE80211HDR_SIZE 32
#define PFLOGHDR_SIZE 48
#define VLANHDR_SIZE 4
#define IPNETHDR_SIZE 24

/* NOTE(review): presumably the capture read timeout; unit not stated here -- confirm at the call site. */
#define BUF_TIMEOUT 100

/*
 * Combine the two bytes at p into a uint16_t, first byte as the high byte
 * (i.e. a big-endian read). The bytes are read one at a time through a
 * const uint8_t pointer, so p does not need 16-bit alignment.
 *
 * The macro performs no bounds check: the caller must guarantee that two
 * bytes are readable at p. p is expanded twice, so do not pass an
 * expression with side effects.
 */
#define EXTRACT_16BITS(p)                                      \
    ((uint16_t)((uint16_t) * ((const uint8_t *)(p) + 0) << 8 | \
        (uint16_t) * ((const uint8_t *)(p) + 1)))

/* Marks a declaration as intentionally unused (GCC/Clang attribute syntax). */
#define UNUSED __attribute__((__unused__))

/*
 * Default patterns for BPF and regular expression filters.
 *
 * When targeting IP frames with a BPF filter, optionally-present VLAN frames
 * will be excluded by default, thus any IP traffic on a VLAN'd network is
 * invisible to ngrep by default. This requires the user to specify "vlan"
 * every time they are on a VLAN'd network, which gets irritating fast.
 *
 * In turn, this leads to a surprising behavior when working with pcap dump
 * files created from a "vlan" filter: reading and re-processing them requires
 * the same "vlan" filter to be specified, otherwise the traffic will be
 * invisible. IOW, when the dump reader is targeting IP traffic in the dump but
 * doesn't know (or remember) the "vlan" filter was specified, they will see
 * nothing -- and mistakenly blame ngrep.
 *
 * While the behavior is technically consistent, to the user it can be
 * surprising, confusing, and therefore Dumb As Shit. For convenience' sake, we
 * fix this for them by including VLAN (optionally) back into the stream
 * targeting IP traffic, and compensating for the variable offset in the packet
 * decoder.
 *
 * By string-literal concatenation BPF_TEMPLATE_IP_VLAN expands to
 * "((ip || ip6) || (vlan && (ip || ip6)))".
 */
#define BPF_FILTER_IP_TYPE "(ip || ip6)"
#define BPF_TEMPLATE_IP BPF_FILTER_IP_TYPE
#define BPF_TEMPLATE_IP_VLAN "(" BPF_FILTER_IP_TYPE " || (vlan && " BPF_FILTER_IP_TYPE "))"

/*
 * Template with three %s conversions.
 *
 * NOTE(review): presumably filled in by a printf-style call that passes the
 * user's pattern for each %s -- confirm. If so, the destination must be sized
 * for three copies of the pattern plus the fixed text, and the pattern is
 * inserted as regex source; this template does no escaping.
 */
#define WORD_REGEX "((^%s\\W)|(\\W%s$)|(\\W%s\\W))"

/* ANSI codes for expression highlighting. ("\33" is the octal escape for ESC.) */
#define RED "\33[01;31m"
#define RESET "\33[00m"

/*
 * Callback types. Each has the same signature as a group of functions
 * declared below:
 *   dump_func     - dump_unformatted, dump_formatted
 *   char_cmp_func - byline_cmp
 *   match_func    - re_match_func, bin_match_func, blank_match_func
 *   delay_func    - dump_delay_proc_init, dump_delay_proc
 *   ts_func       - print_time_absolute, print_time_diff, print_time_offset
 *
 * NOTE(review): for dump_func and match_func the (uint8_t *, uint32_t) pair
 * is presumably a data buffer and its length, and the two size_t values a
 * match position -- the header does not name the parameters; confirm against
 * the definitions.
 */
typedef void (*dump_func)(uint8_t *, uint32_t, size_t, size_t);
typedef int (*char_cmp_func)(int);
typedef bool (*match_func)(uint8_t *, uint32_t, size_t *, size_t *);
typedef void (*delay_func)(const struct pcap_pkthdr *);
typedef void (*ts_func)(const struct pcap_pkthdr *);

/*
 * Setup routines. All return int; the meaning of the return value is not
 * stated in this header -- check the definitions before testing it.
 */
int setup_pcap_source(void);
int setup_bpf_filter(char **);
int hextoc(char d, char *c);
int setup_hex_match(void);
int setup_pattern_match(void);
int setup_matcher(void);

/*
 * Has the same parameter shape as a libpcap packet callback.
 * NOTE(review): if it is registered as one, the last argument is captured
 * packet data, i.e. untrusted network input whose length has to be taken
 * from the pcap_pkthdr -- confirm in the definition.
 */
void process(uint8_t *, const struct pcap_pkthdr *, const uint8_t *);

/*
 * __dead is not defined in this header.
 * NOTE(review): presumably the BSD "does not return" marker supplied by a
 * system header -- confirm it is in scope on every supported platform.
 */
__dead void usage(void);
void update_windowsize(int32_t);
__dead void clean_exit(int);

/* Parameters are unnamed here; see the definition for what each one carries. */
void dump_packet(const struct pcap_pkthdr *, const uint8_t *, uint8_t,
    uint8_t *, uint32_t, const char *, const char *, uint16_t,
    uint16_t, uint8_t, uint16_t, bool, uint16_t, uint32_t);

int byline_cmp(int);
void dump_unformatted(uint8_t *, uint32_t, size_t, size_t);
void dump_formatted(uint8_t *, uint32_t, size_t, size_t);

void dump_delay_proc_init(const struct pcap_pkthdr *);
void dump_delay_proc(const struct pcap_pkthdr *);

bool re_match_func(uint8_t *, uint32_t, size_t *, size_t *);
bool bin_match_func(uint8_t *, uint32_t, size_t *, size_t *);
bool blank_match_func(uint8_t *, uint32_t, size_t *, size_t *);

void print_time_absolute(const struct pcap_pkthdr *);
void print_time_diff(const struct pcap_pkthdr *);
void print_time_offset(const struct pcap_pkthdr *);

/*
 * Both return a char *. Ownership of the returned string (whether the caller
 * frees it) is not stated in this header.
 */
char *get_filter_from_file(void);
char *get_filter_from_argv(char **);

/*
 * NOTE(review): the name indicates privilege reduction. Where it is called
 * relative to opening the capture source and to packet parsing is not
 * visible here -- confirm it runs before any packet data is processed.
 */
void drop_privs(void);