
filenamesnarf.c
1 /*
2  FilenameSnarf
3  -------------
4  Utility to sniff filenames & paths of files being transferred through the machine.
5  Currently supports: FTP
6 
7  Largely based on other *snarf stuff from Dsniff so credits to Dug Song!
8 */
9 
10 #include "config.h"
11 
12 #include <sys/types.h>
13 #include <sys/queue.h>
14 #include <netinet/in.h>
15 
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <string.h>
19 #include <regex.h>
20 #include <err.h>
21 #include <libnet.h>
22 #include <nids.h>
23 #include <pcap.h>
24 #include <pcaputil.h>
25 
26 #include "version.h"
27 
/* Length of the link-layer header on the capture device; set once in main(). */
static int pcap_off = 0;
/* Staging copy of the current TCP payload: filled by sniff_filename(),
 * read by the protocol parsers (ftp_parse()). */
static u_char buf[BUFSIZ] = {0};

/* libnet context.  Within this file it is only seeded in main(); no packets
 * are built or injected. */
libnet_t *l = NULL;
libnet_ptag_t ip_id = 0;
libnet_ptag_t tcp_id = 0;
34 
static void
usage(void)
{
	/* Print the version banner and the invocation synopsis to stderr,
	 * then terminate with a non-zero status. */
	fputs("Version: " VERSION "\n", stderr);
	fputs("Usage: filenamesnarf [-i interface] expression\n", stderr);
	exit(1);
}
42 
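/*
 * Copy at most n bytes of src into dst (capacity dst_sz, which must be > 0)
 * and NUL-terminate it, truncating silently when n does not fit.
 * Returns the number of bytes actually copied.
 */
static size_t
ftp_copy_line(char *dst, size_t dst_sz, const u_char *src, size_t n)
{
	if (n > dst_sz - 1)
		n = dst_sz - 1;
	memcpy(dst, src, n);
	dst[n] = '\0';
	return n;
}

/*
 * Report FTP commands and replies that name a transferred file, and the
 * data-connection endpoint announced by PORT.
 *
 * ip, tcp: headers of the captured segment, used for the addresses/ports
 *          in the output and for the header lengths.
 * pkt_len: length of the IP packet as captured; the payload length is
 *          pkt_len minus both header lengths.
 *
 * The payload itself is read from the file-scope `buf`, which the caller
 * stages before calling us.  The caller may have copied fewer bytes than
 * pkt_len implies, so every read is additionally bounded by sizeof buf,
 * and every copy into `command` is bounded by its size.
 */
static void
ftp_parse(struct libnet_ipv4_hdr *ip, struct libnet_tcp_hdr *tcp, int pkt_len) {
	/* Line prefixes that carry a file name (client commands and server replies). */
	static const char *const xfer_prefixes[] = {
		"RETR ",	/* download request */
		"STOR ",	/* upload request; RFC 959 spells it STOR, the former "STORE" could never match */
		"226 T",	/* "226 Transfer complete" style reply */
		"450 ",		/* "450 Requested file action not taken" (4 chars: compared as a prefix, not a full 5-byte string) */
	};
	int data_len = pkt_len - (ip->ip_hl + tcp->th_off) * 4;
	char command[1024];
	size_t i;
	unsigned int a1, a2, a3, a4, p1, p2, port_no;

	/* Too short to hold a five-byte prefix plus a line terminator. */
	if (data_len <= 5)
		return;
	/* Never read past the staging buffer, whatever the header lengths claim. */
	if ((size_t)data_len > sizeof buf)
		data_len = (int)sizeof buf;

	for (i = 0; i < sizeof xfer_prefixes / sizeof xfer_prefixes[0]; i++) {
		if (memcmp(buf, xfer_prefixes[i], strlen(xfer_prefixes[i])) != 0)
			continue;
		/* Print the whole line minus its last byte (presumably the LF of
		 * CRLF), truncated to what `command` can hold. */
		ftp_copy_line(command, sizeof command, buf, (size_t)data_len - 1);
		printf("FTP [%s:%d] > [%s:%d] - %s\n",
		    libnet_addr2name4(ip->ip_src.s_addr, 0), ntohs(tcp->th_sport),
		    libnet_addr2name4(ip->ip_dst.s_addr, 0), ntohs(tcp->th_dport),
		    command);
		return;
	}

	if (memcmp(buf, "PORT ", 5) != 0)
		return;

	/* PORT h1,h2,h3,h4,p1,p2 — skip the 5-byte command word, drop the last byte. */
	ftp_copy_line(command, sizeof command, buf + 5, (size_t)data_len - 6);
	/* All six fields must parse and each is an octet; otherwise the values
	 * would be uninitialized (or nonsense) and must not be printed. */
	if (sscanf(command, "%u,%u,%u,%u,%u,%u",
	    &a1, &a2, &a3, &a4, &p1, &p2) != 6 ||
	    a1 > 255 || a2 > 255 || a3 > 255 || a4 > 255 ||
	    p1 > 255 || p2 > 255)
		return;
	port_no = (p1 << 8) | p2;
	/* Debug trace retained from the original. */
	printf("Conversion done\n");
	printf("FTP [%s:%d] > [%s:%d] - PORT %u.%u.%u.%u:%u\n",
	    libnet_addr2name4(ip->ip_src.s_addr, 0), ntohs(tcp->th_sport),
	    libnet_addr2name4(ip->ip_dst.s_addr, 0), ntohs(tcp->th_dport),
	    a1, a2, a3, a4, port_no);
}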
83 
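/*
 * pcap_loop() callback: validate the IPv4 and TCP headers of one captured
 * frame, stage its TCP payload in the file-scope `buf`, and hand the
 * segment to the protocol parsers.
 *
 * user: unused.
 * pcap: capture header; only caplen is consulted, because bytes beyond it
 *       were never captured (the snaplen is chosen in main()).
 * pkt:  frame starting at the link-layer header; pcap_off bytes of
 *       link-layer header precede the IP header.
 *
 * Every header-derived length is checked against caplen before it is used
 * to index pkt or to size the copy into buf, so a truncated or malformed
 * packet is dropped instead of being read past its end.
 */
static void
sniff_filename(u_char *user, const struct pcap_pkthdr *pcap, const u_char *pkt)
{
	struct libnet_ipv4_hdr *ip;
	struct libnet_tcp_hdr *tcp;
	int len, ip_hlen, tcp_hlen, payload_len;

	(void)user;

	len = (int)pcap->caplen - pcap_off;
	if (len < LIBNET_IPV4_H)
		return;		/* no room for even a minimal IPv4 header */
	pkt += pcap_off;
	/* NOTE(review): headers are read in place through a struct pointer; this
	 * assumes pcap_off keeps the IP header suitably aligned — confirm for
	 * exotic link types. */
	ip = (struct libnet_ipv4_hdr *)pkt;
	ip_hlen = ip->ip_hl * 4;
	if (ip->ip_v != 4 || ip_hlen < LIBNET_IPV4_H || ip_hlen > len)
		return;		/* not IPv4, or the header-length field is corrupt/truncated */

	if (ip->ip_p == IPPROTO_TCP) {
		if (len - ip_hlen < LIBNET_TCP_H)
			return;
		tcp = (struct libnet_tcp_hdr *)(pkt + ip_hlen);
		tcp_hlen = tcp->th_off * 4;
		if (tcp_hlen < LIBNET_TCP_H || ip_hlen + tcp_hlen > len)
			return;
		/* Only PSH segments are examined — presumably because FTP control
		 * lines arrive as single pushed segments; other data is skipped. */
		if (!(tcp->th_flags & TH_PUSH))
			return;

		/* Header lengths were validated above, so this cannot go negative.
		 * Clamp to the staging buffer rather than overflow it. */
		payload_len = len - ip_hlen - tcp_hlen;
		if (payload_len > (int)sizeof buf)
			payload_len = (int)sizeof buf;
		memset(buf, 0x00, sizeof buf);
		memcpy(buf, pkt + ip_hlen + tcp_hlen, (size_t)payload_len);

		/* Pass a length consistent with what was actually staged in buf. */
		ftp_parse(ip, tcp, ip_hlen + tcp_hlen + payload_len);

	} else if (ip->ip_p == IPPROTO_UDP) {
		/* UDP protocols: none implemented yet. */
	}
}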
115 
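/*
 * Entry point: parse "-i interface" and an optional capture expression,
 * open the capture device and run sniff_filename() on every frame.
 *
 * Exits with status 1 via errx()/usage() on any setup failure.  Never
 * returns normally while the capture is healthy.
 */
int
main(int argc, char *argv[])
{
	extern char *optarg;
	extern int optind;
	int c;
	char *intf, *filter, ebuf[PCAP_ERRBUF_SIZE];
	char errbuf[LIBNET_ERRBUF_SIZE];
	pcap_t *pd;

	intf = NULL;

	/*
	 * libnet is initialised only so libnet_seed_prand() below has a
	 * context; nothing in this file builds or injects packets.  A NULL
	 * handle (e.g. missing raw-socket privilege) is a fatal setup error,
	 * not something to carry on with.
	 */
	l = libnet_init(
	    LIBNET_RAW4,	/* or LIBNET_LINK or LIBNET_RAW6 */
	    NULL,		/* or device if you using LIBNET_LINK */
	    errbuf);
	if (l == NULL)
		errx(1, "%s", errbuf);
	ip_id = LIBNET_PTAG_INITIALIZER;

	while ((c = getopt(argc, argv, "i:")) != -1) {
		switch (c) {
		case 'i':
			intf = optarg;
			break;
		default:
			usage();
			break;
		}
	}
	if (intf == NULL && (intf = pcap_lookupdev(ebuf)) == NULL)
		errx(1, "%s", ebuf);

	argc -= optind;
	argv += optind;
	/* The capture expression is deliberately optional (the argc == 0 check
	 * was removed); copy_argv() may then hand back NULL. */
	filter = copy_argv(argv);

	/* Snaplen of 128 bytes: FTP lines longer than what fits after the
	 * headers are truncated before the parsers ever see them. */
	if ((pd = pcap_init(intf, filter, 128)) == NULL)
		errx(1, "couldn't initialize sniffing");

	if ((pcap_off = pcap_dloff(pd)) < 0)
		errx(1, "couldn't determine link layer offset");

	libnet_seed_prand(l);

	warnx("listening on %s [%s]", intf, filter != NULL ? filter : "");

	/* The callback takes no user data, so pass NULL rather than an
	 * indeterminate pointer.  pcap_loop() only returns on error here
	 * (a live capture has no EOF), so report why it stopped. */
	if (pcap_loop(pd, -1, sniff_filename, NULL) < 0)
		errx(1, "pcap_loop: %s", pcap_geterr(pd));

	/* NOTREACHED */

	exit(0);
}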
173 