authorLaurent Ghigonis <laurent@p1sec.com>2013-06-05 15:23:45 +0200
committerLaurent Ghigonis <laurent@p1sec.com>2013-06-05 15:23:45 +0200
commitc2df624fae9cd08c662f5f611044094f35bb8f63 (patch)
tree1e1f7b7fb6b86fc73cb6da21e6eabd3c5151069e /gg_sniff
parentMerge branch 'master' into traceroute (diff)
parentgg_map: fix dependencies description (diff)
downloadglouglou-c2df624fae9cd08c662f5f611044094f35bb8f63.tar.xz
glouglou-c2df624fae9cd08c662f5f611044094f35bb8f63.zip
Merge branch 'master' into traceroute
Diffstat (limited to 'gg_sniff')
-rw-r--r--gg_sniff/README.txt22
-rw-r--r--gg_sniff/gg_sniff.c14
-rw-r--r--gg_sniff/gg_sniff.h2
-rw-r--r--gg_sniff/pcap.c24
4 files changed, 40 insertions, 22 deletions
diff --git a/gg_sniff/README.txt b/gg_sniff/README.txt
index 2a43d02..fddbb3f 100644
--- a/gg_sniff/README.txt
+++ b/gg_sniff/README.txt
@@ -1,7 +1,5 @@
gg_sniff - glouglou probe client for network activity
-WARNING: Work in progress, don't expect this to work !
-
Requirements
============
@@ -13,14 +11,28 @@ Requirements
Installation
============
-git clone git@meg:glouglou
-cd gg_sniff
make && sudo make install
Usage
=====
-gg_sniff -i eth0
+sudo gg_sniff
+
+sudo gg_sniff -i eth0
+
+sudo gg_sniff -i eth0 10.137.2.9
+
+sudo gg_sniff -v -f "not port 4430 and not port 4431 and net 10.137.2.0/24" 10.137.2.9
+
+(10.137.2.9 is where glougloud is)
+
+Notes on capture
+================
+
+By default gg_sniff captures on any interfaces (works on Linux only).
+By default the capture filter is "not port 4430 and not port 4431 and not port 53".
+You can change it via -f, but dont forget to keep filtering out port 4430 and
+port 4431 because those are the ports used by glouglou itself !
Notes on architecture and security
==================================
diff --git a/gg_sniff/gg_sniff.c b/gg_sniff/gg_sniff.c
index cd2d2c5..8ee6de1 100644
--- a/gg_sniff/gg_sniff.c
+++ b/gg_sniff/gg_sniff.c
@@ -39,7 +39,7 @@ usage(void)
{
extern char *__progname;
- fprintf(stderr, "usage: %s [-hv] [-i interface] [ip [port]]\n", __progname);
+ fprintf(stderr, "usage: %s [-hv] [-f filter] [-i interface] [ip [port]]\n", __progname);
exit(1);
}
@@ -60,6 +60,7 @@ main(int argc, char **argv)
struct event *ev_sigint, *ev_sigterm, *ev_sigchld, *ev_sighup;
char ggserv_ip[30] = "127.0.0.1";
char *iface = NULL;
+ char *filter = NULL;
int ggserv_port = GLOUGLOU_PROBE_DEFAULT_PORT;
int pcap_init = 0;
int loglevel = 0;
@@ -70,11 +71,14 @@ main(int argc, char **argv)
if (geteuid() != 0)
errx(1, "must be root");
- while ((op = getopt(argc, argv, "ahi:v")) != -1) {
+ while ((op = getopt(argc, argv, "af:hi:v")) != -1) {
switch (op) {
case 'a':
active = 1;
break;
+ case 'f':
+ filter = strndup(optarg, 256);
+ break;
case 'h':
usage();
/* NOTREACHED */
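Review bot: The copy made on the added `case 'f'` line, `filter = strndup(optarg, 256);`, is never checked for NULL, and an expression longer than 256 characters is silently cut at that length, so pcap_compile later sees a filter that is not what the operator typed — possibly one that no longer excludes the glouglou ports the README says must stay filtered. optarg remains valid for the lifetime of the process, so `filter = optarg;` is sufficient; if a private copy is wanted, use `if ((filter = strdup(optarg)) == NULL) err(1, "strdup");` and free any earlier copy when -f is repeated. The same unchecked, length-capped strndup appears in the pcap.c hunk that supplies the default filter. main() continues outside this hunk.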
@@ -90,8 +94,8 @@ main(int argc, char **argv)
}
}
switch (argc - optind) {
- case 2: ggserv_port = atoi(argv[3]);
- case 1: strncpy(ggserv_ip, argv[2], sizeof(ggserv_ip));
+ case 2: ggserv_port = atoi(argv[optind+1]);
+ case 1: strncpy(ggserv_ip, argv[optind], sizeof(ggserv_ip));
case 0:
break;
default:
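Review bot: The rewritten `case 1:` still copies with `strncpy(ggserv_ip, argv[optind], sizeof(ggserv_ip))`, which leaves ggserv_ip without a terminator when the argument is 30 characters or longer, and `atoi(argv[optind+1])` on `case 2:` turns non-numeric input into port 0 and is undefined for out-of-range values. Replacing them with `snprintf(ggserv_ip, sizeof ggserv_ip, "%s", argv[optind]);` and `strtol` with an endptr/range check that rejects anything outside 1..65535 makes bad input a usage error instead of a later connect failure. The fall-through from `case 2:` into `case 1:` looks intended; a `/* FALLTHROUGH */` marker would make that explicit. main() continues outside this hunk.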
@@ -110,7 +114,7 @@ main(int argc, char **argv)
ggcli = gg_client_connect(_ev_base, ggserv_ip, ggserv_port, NULL, NULL, NULL);
if (!ggcli)
goto quit;
- pcap_init = ggsniff_pcap_init(_ev_base, ggcli, net, iface, active);
+ pcap_init = ggsniff_pcap_init(_ev_base, ggcli, net, iface, active, filter);
if (!pcap_init)
goto quit;
diff --git a/gg_sniff/gg_sniff.h b/gg_sniff/gg_sniff.h
index f848c88..5cbd1fd 100644
--- a/gg_sniff/gg_sniff.h
+++ b/gg_sniff/gg_sniff.h
@@ -1,5 +1,5 @@
/* pcap.c */
int ggsniff_pcap_init(struct event_base *, struct gg_client *,
- struct ggnet *, char *, int);
+ struct ggnet *, char *, int, char *);
void ggsniff_pcap_shutdown(void);
diff --git a/gg_sniff/pcap.c b/gg_sniff/pcap.c
index fc5b978..7456e67 100644
--- a/gg_sniff/pcap.c
+++ b/gg_sniff/pcap.c
@@ -99,7 +99,7 @@ static struct _cap_t _cap;
int
ggsniff_pcap_init(struct event_base *ev_base, struct gg_client *ggcli,
- struct ggnet *net, char *iface, int active)
+ struct ggnet *net, char *iface, int active, char *filter)
{
char errbuf[PCAP_ERRBUF_SIZE];
struct bpf_program bprog;
@@ -115,9 +115,11 @@ ggsniff_pcap_init(struct event_base *ev_base, struct gg_client *ggcli,
err(1, "capture: pcap_open_live failed on interface %s\n"
"with snaplen %d : %s",
iface, PCAP_SNAPLEN, errbuf);
- if (pcap_compile(pcap, &bprog, PCAP_FILTER, 0, 0) < 0)
+ if (!filter)
+ filter = strndup(PCAP_FILTER, 256);
+ if (pcap_compile(pcap, &bprog, filter, 0, 0) < 0)
err(1, "capture: pcap_compile failed with filter %s : %s",
- PCAP_FILTER, pcap_geterr(pcap));
+ filter, pcap_geterr(pcap));
if (pcap_setfilter(pcap, &bprog) < 0)
err(1, "capture: pcap_setfilter failed : %s",
pcap_geterr(pcap));
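Review bot: The fallback `filter = strndup(PCAP_FILTER, 256);` allocates a copy that is never released on the visible paths, and if PCAP_FILTER is a string literal the function can simply use it directly, `filter = PCAP_FILTER;`, with no allocation or NULL case to handle. With -f the operator can now replace the whole expression, and the README only asks them to keep excluding ports 4430 and 4431; if capturing glouglou's own traffic is a real concern, appending that clause to the user-supplied expression in code would be more robust than a documentation note. Whether `pcap_freecode(&bprog)` is called after pcap_setfilter is not visible here. ggsniff_pcap_init continues outside this hunk.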
@@ -284,7 +286,7 @@ my_pcap_open_live(const char *dev, int slen, int promisc, int to_ms,
static void
cb_pcap(int fd, short why, void *data)
{
- gg_log_tmp("cb_pcap");
+ //gg_log_tmp("cb_pcap");
pcap_dispatch(_cap.pcap, PCAP_COUNT, _cap.handler, NULL);
/* reschedule */
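Review bot: `//gg_log_tmp("cb_pcap");` leaves commented-out code in cb_pcap, whereas the other hunks in this commit downgrade the same kind of call to `gg_log_debug`; either delete the line or make it `gg_log_debug("cb_pcap");` so the per-dispatch trace stays available at debug level. The `//` form also departs from the `/* ... */` comment style used just below it (`/* reschedule */`). cb_pcap's body continues outside this hunk.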
@@ -492,7 +494,7 @@ ip_handle(struct ip *ip, const u_char *pend, u_int wirelen)
* if this isn't the first frag, we're missing the
* next level protocol header.
*/
- gg_log_tmp("user: got a fragmented ip packet !");
+ gg_log_debug("user: got a fragmented ip packet !");
}
pkt.ver = PACKET_VERSION;
@@ -547,16 +549,16 @@ ether_handle(struct ether_header *ether, const u_char *pend, u_int wirelen)
ether_type = ntohs(ether->ether_type);
if (ether_type <= ETHERMTU)
- gg_log_tmp("llc packet !");
+ gg_log_debug("llc packet !");
else {
switch (ether_type) {
case ETHERTYPE_IP:
- gg_log_tmp("loop family AF_LINK IP");
+ gg_log_debug("loop family AF_LINK IP");
ip = (struct ip *)((u_char *)ether + sizeof(struct ether_header));
ip_handle(ip, pend, wirelen);
break;
default:
- gg_log_tmp("loop non ip packet !");
+ gg_log_debug("loop non ip packet !");
break;
}
}
@@ -630,7 +632,7 @@ phandler_sll(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
ep = (struct ether_header *)((u_char *)p + SLL_HDR_LEN);
ether_handle(ep, pend, len);
default:
- gg_log_tmp("unknown family %x !", family);
+ gg_log_debug("unknown family %x !", family);
break;
}
} else {
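Review bot: In phandler_sll the call `ether_handle(ep, pend, len);` is immediately followed by `default:` with no `break;`, so every frame handled by that case also falls into the default branch and logs `unknown family %x !` (now at debug level) for a family that was in fact recognised. The sibling switch in phandler_loop ends the equivalent case with `break;`, which suggests this is an omission rather than intended fall-through; add `break;` after the ether_handle call, or mark it `/* FALLTHROUGH */` if the log is wanted. The case label itself and the rest of the function are outside this hunk.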
@@ -667,7 +669,7 @@ phandler_loop(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
family = ntohl(family);
switch (family) {
case AF_INET:
- gg_log_tmp("loop family AF_INET");
+ gg_log_debug("loop family AF_INET");
ip = (struct ip *)(p + NULL_HDRLEN);
ip_handle(ip, pend, len);
break;
@@ -676,7 +678,7 @@ phandler_loop(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
ether_handle(ep, pend, len);
break;
default:
- gg_log_tmp("unknown family %x !", family);
+ gg_log_debug("unknown family %x !", family);
break;
}
}