[Snort-devel] Reviving a patch to decode ipencap

Chris Kuethe chris.kuethe at ...2499...
Fri Dec 31 10:11:06 EST 2004


As it seems to have been lost in the mists of time, I'd like to
request that the ipencap decoder posted by Jason Ish be included in
the next release of snort.
(http://sourceforge.net/mailarchive/message.php?msg_id=1000380)

Except for the fact that I can't just set the bpf options to "tcp" to
watch only TCP (I have to use something icky like "ip[(4*(ip[0] &
0x0f))+9] = 6"), it seems to be working correctly with 2.1.2 and the
CVS version. Then again, that's a failing of BPF and not of snort...

Index: decode.c
===================================================================
RCS file: /cvsroot/snort/src/decode.c,v
retrieving revision 1.109
diff -u -r1.109 decode.c
--- decode.c	14 Dec 2004 19:47:22 -0000	1.109
+++ decode.c	31 Dec 2004 17:58:21 -0000
@@ -1820,7 +1820,50 @@
     return;
 }
 
+#ifdef DLT_ENC
+/* see http://sourceforge.net/mailarchive/message.php?msg_id=1000380 */
+/*
+ * Function: DecodeEncPkt(Packet *, struct pcap_pkthdr *, u_int8_t *)
+ *
+ * Purpose: Decapsulate packets of type DLT_ENC.
+ *          XXX Are these always going to be IP in IP?
+ *
+ * Arguments: p => pointer to decoded packet struct
+ *            pkthdr => pointer to the packet header
+ *            pkt => pointer to the real live packet data
+ */
+void DecodeEncPkt(Packet *p, struct pcap_pkthdr *pkthdr, u_int8_t *pkt)
+{
+    struct enc_header *enc_h;
+
+    bzero((char *)p, sizeof(Packet));
+    p->pkth = pkthdr;
+    p->pkt = pkt;
+
+    if (p->pkth->caplen < ENC_HEADER_LEN)
+    {
+        if (pv.verbose_flag)
+        {
+            ErrorMessage("Captured data length < Encap header length!
(%d bytes)\n", p->pkth->caplen);
+        }
+        return;
+    }
+
+    enc_h = (struct enc_header *)p->pkt;
+    if (enc_h->af == AF_INET)
+    {
+        DecodeIP(p->pkt + ENC_HEADER_LEN + IP_HEADER_LEN,
+                 pkthdr->caplen - ENC_HEADER_LEN - IP_HEADER_LEN, p);
+    }
+    else
+    {
+        ErrorMessage("[!] WARNING: Unknown address family! (af: 0x%x)\n",
+                enc_h->af);
+    }
 
+    return;
+}
+#endif /* DLT_ENC */
 
 /*
  * Function: DecodeIP(u_int8_t *, const u_int32_t, Packet *)
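Review bot: The length check at `if (p->pkth->caplen < ENC_HEADER_LEN)` does not cover the bytes the DecodeIP call below it skips: the call passes `pkthdr->caplen - ENC_HEADER_LEN - IP_HEADER_LEN`, so a capture of 12 to 31 bytes passes the check and, since caplen is unsigned in pcap (bpf_u_int32), the subtraction wraps to a huge length that lets DecodeIP read well past the captured buffer. The guard should be `if (p->pkth->caplen < ENC_HEADER_LEN + IP_HEADER_LEN)`, with the error message adjusted to say "Encap + IP header length". The fixed `IP_HEADER_LEN` skip also presumes an outer IPv4 header with no options; if the outer header can carry options, the real header length (IHL * 4) has to be used instead of the constant, or the inner packet will be decoded from the wrong offset. As posted, the string literal in the ErrorMessage call is wrapped across two lines by the mailer, so the patch will not apply or compile until that line is rejoined.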
Index: decode.h
===================================================================
RCS file: /cvsroot/snort/src/decode.h,v
retrieving revision 1.81
diff -u -r1.81 decode.h
--- decode.h	14 Dec 2004 19:47:22 -0000	1.81
+++ decode.h	31 Dec 2004 17:58:21 -0000
@@ -176,6 +176,14 @@
 /* NULL aka LoopBack interfaces */
 #define NULL_HDRLEN             4
 
+/* enc interface */
+struct enc_header {
+    u_int32_t af;
+    u_int32_t spi;
+    u_int32_t flags;
+};
+#define ENC_HEADER_LEN          12
+
 /* otherwise defined in /usr/include/ppp_defs.h */
 #define IP_HEADER_LEN           20
 #define TCP_HEADER_LEN          20
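Review bot: `ENC_HEADER_LEN` is a separate literal 12 that must stay equal to the size of the `struct enc_header` it describes; the decoder casts `p->pkt` to that struct and then advances by the macro, so the two drifting apart would misplace the inner packet. Either define it in terms of the struct, `#define ENC_HEADER_LEN sizeof(struct enc_header)`, or tie them together with a comment such as `/* must equal sizeof(struct enc_header) */`. A comment on the struct naming which interface's BPF header it mirrors (presumably the enc(4) header) and the byte order of `af` would also help, since `af` is compared against AF_INET without any conversion in the decoder.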
@@ -1192,6 +1200,7 @@
 void DecodeTCPOptions(u_int8_t *, u_int32_t, Packet *);
 void DecodeIPOptions(u_int8_t *, u_int32_t, Packet *);
 void DecodePPPoEPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
+void DecodeEncPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
 #ifdef GIDS
 #ifndef IPFW
 void DecodeIptablesPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
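Review bot: The new prototype is added unconditionally, while the definition in decode.c and the only caller in snort.c are both under `#ifdef DLT_ENC`; that compiles either way, but wrapping the declaration in the same `#ifdef DLT_ENC` / `#endif /* DLT_ENC */` keeps the three sites consistent and makes a build without DLT_ENC fail at the prototype if someone calls the function from elsewhere.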
Index: snort.c
===================================================================
RCS file: /cvsroot/snort/src/snort.c,v
retrieving revision 1.214
diff -u -r1.214 snort.c
--- snort.c	14 Dec 2004 21:01:59 -0000	1.214
+++ snort.c	31 Dec 2004 17:58:22 -0000
@@ -1508,7 +1508,21 @@
             grinder = DecodeIEEE80211Pkt;
             break;
 #endif
-        case 13:
+#ifdef DLT_ENC
+        case DLT_ENC:           /* Encapsulated data */
+            if (!pv.readmode_flag)
+            {
+                if (!pv.quiet_flag)
+                    LogMessage("Decoding Encapsulated data on interface %s\n",
+                           PRINT_INTERFACE(pv.interface));
+            }
+
+            grinder = DecodeEncPkt;
+            break;
+
+#else
+         case 13:
+#endif /* DLT_ENC */
         case DLT_IEEE802:                /* Token Ring */
             if(!pv.readmode_flag)
             {
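Review bot: Replacing `case 13:` with `case DLT_ENC:` whenever DLT_ENC is defined silently drops the DLT 13 fallthrough into the Token Ring case on every platform that defines DLT_ENC, presumably to avoid a duplicate case label on platforms where DLT_ENC itself is 13; libpcap's own DLT_ENC is 109, so on those platforms a link type of 13 no longer reaches the Token Ring grinder. Keep the enc case in its own `#ifdef DLT_ENC` / `#endif` block and guard only the old label: `#if !defined(DLT_ENC) || DLT_ENC != 13` / `case 13:` / `#endif`, with a comment such as `/* DLT_ENC is 13 on some platforms; avoid a duplicate label */` so the next reader knows why the label is conditional. The `case 13:` on the #else side is also indented one space deeper than the surrounding labels. The enclosing switch starts and ends outside the hunk.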

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?



