From: Pierre Chifflier <chifflier@edenwall.com>
To: netfilter-devel@vger.kernel.org
Cc: eleblond@edenwall.com, Pierre Chifflier <chifflier@edenwall.com>
Subject: [PATCH 2/2] Add helper script pcap2ulog
Date: Fri, 26 Feb 2010 21:54:40 +0100
Message-ID: <1267217680-22677-3-git-send-email-chifflier@edenwall.com>
In-Reply-To: <1267217680-22677-1-git-send-email-chifflier@edenwall.com>

This script uses the Net::Pcap Perl library to parse a pcap file and
send packets to ulogd2 through the UNIXSOCK input module.

Signed-off-by: Pierre Chifflier <chifflier@edenwall.com>
---
 contrib/pcap2ulog |  166 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 166 insertions(+), 0 deletions(-)
 create mode 100755 contrib/pcap2ulog

diff --git a/contrib/pcap2ulog b/contrib/pcap2ulog
new file mode 100755
index 0000000..65fd5ab
--- /dev/null
+++ b/contrib/pcap2ulog
@@ -0,0 +1,166 @@
+#!/usr/bin/perl -w
+
+# Copyright (C) 2009-2010 Pierre Chifflier <chifflier@inl.fr>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the same terms as Perl itself, either Perl version 5.8.4 or,
+# at your option, any later version of Perl 5 you may have available.
+
+use strict;
+
+use IO::Socket;
+use Net::Pcap;
+
+my $ULOGD_SOCKET_MARK = 0x41c90fd4;
+
+my $dumpfile = shift or die "Unable to open pcap file";
+my($pcap_t, $err);
+my($ulogd_client);
+my $socketfile = "/var/run/ulogd2.sock";
+my $data_buffer;
+my $linktype;
+my $proto_offset;
+
+my %linktype_to_offset = (
+	Net::Pcap::DLT_LINUX_SLL => 14,
+	Net::Pcap::DLT_EN10MB => 12,
+);
+
+sub connect_ulogd2 {
+    (-S $socketfile) or die "ulogd2 socket $socketfile does not exist - is ulogd running ?";
+
+    $ulogd_client = IO::Socket::UNIX->new(Peer  => $socketfile,
+                                          Type      => SOCK_STREAM ) or die $!;
+    $ulogd_client->autoflush(0);
+}
+
+sub print_padding
+{
+    my ($offset) = @_;
+    my $padding;
+    my $align = 8;
+    my $data;
+
+    $padding = ($align - ($offset % $align)) % $align;
+    #print "offset: $offset padding $padding\n";
+
+    $data = "\0" x $padding;
+    $data_buffer .= $data;
+}
+
+sub process_pkt {
+    my($user, $hdr, $pkt) = @_;
+
+    if (($user ne "xyz") or !defined($hdr) or !defined($pkt)) {
+        print("Bad args passed to callback\n");
+        print("Bad user data\n"), if ($user ne "xyz");
+        print("Bad pkthdr\n"), if (!defined($hdr));
+        print("Bad pkt data\n"), if (!defined($pkt));
+        print("not ok\n");
+        exit;
+    }
+
+    #print "Header: len $hdr->{len}\n";
+    #my $len = length $pkt;
+    #print "Packet length: $len\n";
+
+    my $size = length($pkt) - ($proto_offset+2);
+
+    #my $pcaphdr = unpack ("H*", substr ($pkt, 0, 16));
+    #printf("pcap hdr: $pcaphdr\n");
+    my $proto = unpack ("H*", substr ($pkt, $proto_offset, 2));
+    #printf("proto: $proto\n");
+
+    if ($proto ne "0800") {
+      print "ignoring packet with proto $proto\n";
+      return;
+    }
+
+    #my $ip_firstbyte = unpack ("H*", substr ($pkt, $proto_offset+2, 2));
+    #printf("ip_firstbyte: $ip_firstbyte\n");
+
+    # decode packet for a SLL:
+    # packet type (sent by us: 4)
+    # link layer address type: 1
+    # link layer address length: 6
+    # src dst
+    # protocol (IP, ARP, PPP, SNMP ...)
+    # data
+    my $srcmac = substr ($pkt, 6, 6);
+
+    (my $hex_src = unpack("H*", $srcmac)) =~ s/(..)/$1:/g;
+    chop $hex_src;
+    #printf "source mac: $hex_src\n";
+
+    my $hex_dst = "\0";
+
+    # format data
+    my $data;
+
+    $data_buffer = undef;
+
+    # ulogd packet signature
+    $data = pack ('N', $ULOGD_SOCKET_MARK);
+
+    $data_buffer .= $data;
+
+    my $options_num=2;
+    my $options_len=length($hex_src) + length($hex_dst);
+    # total length (will be filled later)
+    my $total_size = 0;
+    $data = pack ('n', $total_size);
+    $data_buffer .= $data;
+
+    # payload length + reserved + payload
+    $data = pack ('nNa*', $size, 0, substr($pkt,$proto_offset+2,$size));
+    $data_buffer .= $data;
+    print_padding($size);
+
+    # options
+    my $OOB_IN = 2;
+    $data = pack ('nna*', $OOB_IN, length($hex_src), $hex_src);
+    $data_buffer .= $data;
+    print_padding(length($hex_src));
+    my $OOB_OUT = 3;
+    $data = pack ('nna*', $OOB_OUT, length($hex_dst), $hex_dst);
+    $data_buffer .= $data;
+    print_padding(length($hex_dst));
+
+    # replace total size in buffer
+    my $l = length($data_buffer) - 4;
+    substr($data_buffer, 4, 2) = pack('n', $l);
+
+    #(my $hex = unpack("H*", $data_buffer)) =~ s/(..)/$1 /g;
+    #print "$l will be encoded as " . unpack("H*", pack('n', $l)) . "\n";
+    #print $hex, "\n";
+
+    print $ulogd_client $data_buffer;
+
+    $ulogd_client->flush;
+
+    #exit;
+}
+
+
+connect_ulogd2 or die $!;
+
+$pcap_t = Net::Pcap::open_offline($dumpfile, \$err);
+if (!defined($pcap_t)) {
+    print("Net::Pcap::dump_open failed: ", Net::Pcap::geterr($pcap_t), "\n");
+    exit;
+}
+
+$linktype = Net::Pcap::pcap_datalink($pcap_t);
+
+if (not exists $linktype_to_offset{$linktype}) {
+	print("Unsupported link type ", Net::Pcap::pcap_datalink_val_to_name($linktype), "\n");
+	exit 1;
+}
+
+$proto_offset = $linktype_to_offset{$linktype};
+
+Net::Pcap::loop($pcap_t, -1, \&process_pkt, "xyz");
+Net::Pcap::close($pcap_t);
+
+
+
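Review bot: the error path after Net::Pcap::open_offline (the `if (!defined($pcap_t))` block near the end of the hunk) calls `Net::Pcap::geterr($pcap_t)` on the handle that was just found to be undefined, and the message names `dump_open` rather than `open_offline`; open_offline has already stored the reason in `$err`, so print that instead, e.g. `print("Net::Pcap::open_offline failed: $err\n");`, and exit with a non-zero status rather than a bare `exit` so a caller can tell that nothing was replayed. The same applies to the bare `exit` in the argument check at the top of process_pkt, which together with the `"xyz"` user-data sentinel is a leftover of the Net::Pcap test harness and could be dropped or turned into `die`. Minor: `connect_ulogd2 or die $!` at the bottom tests the value of the sub's last statement, `$ulogd_client->autoflush(0)`, not whether the connect succeeded (the `or die $!` inside the sub already covers that); returning `$ulogd_client` explicitly, or dropping the outer `or die`, would make the intent clear.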
-- 
1.7.0

