2 * -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
3 * ziffy.c - a promiscuous Z39.50 APDU sniffer for Ethernet
5 * Copyright (c) 1998-2001 R. Carbone <rocco@ntop.org>
6 * -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 * Operating System include files
37 #include <sys/utsname.h>
39 #include <yaz/options.h>
41 #include "pcap.h" /* Packet Capture Library */
49 z3950apdu * pduhook (const struct pcap_pkthdr * h, const u_char * p);
52 #if defined(HAVE_XASN1)
53 void please_finsiel_help_me (z3950apdu * hook);
54 #endif /* HAVE_XASN1 */
57 void please_yaz_help_me (z3950apdu * hook);
60 #if defined(HAVE_SNACC)
61 void please_snacc_help_me (z3950apdu * hook);
62 #endif /* HAVE_SNACC */
68 time_t now; /* current time */
69 time_t start_time; /* time the program was started */
70 time_t firstapdu_time; /* time the first APDU was received */
71 time_t laststapdu_time; /* time the last APDU was received */
73 unsigned long int z3950_apduno = 0; /* # of z3950 apdus so far received */
74 u_char * z3950 = NULL; /* pointer to the last apdu received */
75 int z3950_size = 0; /* and its size */
78 * I currently tested the program at home in a null networked environment
79 * and on ethernet 10M lan. the following variable keeps the data-link
80 * encapsulation type. more info in net/bpf.h
84 int aflag = 0; /* attempt to convert numeric network addresses to FQDN */
93 * Length of saved portion of packet
95 #define DEFAULT_SNAPLEN 65536 /* This should be enough... */
96 static int snaplen = DEFAULT_SNAPLEN;
98 #define DEFAULT_MAXAPDUS -1 /* that means indefinite */
99 static int maxapdus = DEFAULT_MAXAPDUS;
102 * A handler for pcap, it needs to be global because there is no other way to
103 * pass it to the signal handler, the same can be said about the file descriptor
112 static char __copyright__ [] = "Copyright (c) 1998-2001";
113 static char __author__ [] = "R. Carbone <rocco@ntop.org>";
114 static char __version__ [] = "Version 0.0.3";
115 static char __released__ [] = "June 2001";
118 char ebuf [PCAP_ERRBUF_SIZE] = {0};
119 struct pcap_stat pcapstats = {0};
124 void on_signal (int signo)
127 * time for statistics
129 if (pcap_stats (ph, & pcapstats) != 0)
131 printf ("Cannot get the statistics due to %s\n", ebuf),
138 printf ("%u packets received by decoder\n", pcapstats . ps_recv);
139 printf ("%u packets dropped by kernel\n", pcapstats . ps_drop);
157 void welcome (char * progname)
159 time_t now = ((time_t) time ((time_t *) 0));
160 char * nowstring = ctime (& now);
161 struct utsname machine;
163 nowstring [24] = '\0';
166 printf ("This is %s %s of %s\n", progname, __version__, __released__);
167 printf ("%s %s\n", __copyright__, __author__);
168 printf ("Started at %s on %s\n\n", nowstring, machine . nodename);
176 * Wrong. Please try again accordingly to ....
178 void usage (char * progname)
182 printf ("Usage: %s [--help] [--version]\n\n", progname);
183 printf ("Options:\n");
184 printf (" h, --help display this help and exit\n");
185 printf (" v, --version output version information and exit\n");
187 printf (" , -- print filter code\n");
188 printf (" , -- print ethernet header\n");
189 printf (" , -- try to resolve ip addresses\n");
190 printf (" , -- remove domains from printed host names\n");
191 printf (" , -- don't translate _foreign_ IP address\n");
192 printf (" , -- print packet arrival time\n");
194 printf (" s, --snaplen \n");
195 printf (" N, --non-promiscuous capture APDUs addressed to the host machine\n");
196 printf (" C, --maxcount capture maxcount APDUs and then terminate\n");
198 printf (" D, --dropped-packets display number of packets dropped during capture\n");
204 * This is really the `main' function of the sniffer.
206 * Parse the incoming APDU, and when possible show all pertinent data.
208 * 'h' is the pointer to the packet header (independent from interfaces)
209 * 'p' is the pointer to the packet data
210 * 'caplen' is the number of bytes actually captured
211 * 'length' is the length of the packet off the wire
213 void parse_pdu (u_char * user_data,
214 const struct pcap_pkthdr * h,
220 if (! (hook = pduhook (h, p)))
224 * update the descriptor of the apdu
226 hook -> t = & h -> ts;
227 hook -> calling = srchost ();
228 hook -> srcport = srcport ();
229 hook -> called = dsthost ();
230 hook -> dstport = dstport ();
232 #if defined(HAVE_XASN1)
234 please_finsiel_help_me (hook);
236 #endif /* HAVE_XASN1 */
238 #if defined(HAVE_YAZ)
240 please_yaz_help_me (hook);
242 #endif /* HAVE_YAZ */
244 #if defined(HAVE_SNACC)
246 please_snacc_help_me (hook);
248 #endif /* HAVE_SNACC */
253 * Oh no! yet another main here
255 int main (int argc, char * argv [])
258 const char * optstr = "hvac:ef:i:lnprs:twxz";
263 char * interface = NULL;
264 char * filename = NULL;
266 char * filter = NULL;
267 struct bpf_program program = {0};
268 bpf_u_int32 network = {0};
269 bpf_u_int32 netmask = {0};
273 * notice the program name
275 progname = strrchr (argv [0], '/');
276 if (! progname || ! * progname)
282 * Parse command-line options
284 while ((option = options(optstr, argv, argc, &optarg)) != -2)
293 printf ("%s: unrecognized option %c\n", progname, optopt);
298 printf ("%s: missing parameter %c\n", progname, optopt);
311 maxapdus = atoi (optarg);
313 printf ("malformed max apdus counter %s", optarg), maxapdus = DEFAULT_MAXAPDUS;
321 filename = strdup (optarg);
325 interface = strdup (optarg);
341 snaplen = atoi (optarg);
343 printf ("malformed snaplen %s", optarg), snaplen = DEFAULT_SNAPLEN;
370 * build a string from all remaining arguments
375 while (optind < argc)
377 roomsize += (strlen (argv [optind]) + 1 + 1);
380 strcat (filter, " ");
381 filter = (char *) realloc (filter, roomsize);
382 strcat (filter, argv [optind ++]);
386 filter = (char *) malloc (roomsize);
387 strcpy (filter, argv [optind ++]);
394 * find a suitable interface, if i don't have one
396 if (! filename && ! interface && ! (interface = pcap_lookupdev (ebuf)))
398 printf ("No suitable interfaces found, please specify one with -i\n");
403 if ((getuid () && geteuid ()) || setuid (0))
405 printf ("Sorry, you must be root in order to run this program.\n");
410 * time to initialize the libpcap
412 ph = filename ? pcap_open_offline (filename, ebuf) :
413 pcap_open_live (interface, snaplen, 1, 1000, ebuf);
416 printf ("Cannot initialize the libpcap package due to %s\n", ebuf),
420 * get the interface network number and its mask
421 * (unless we are reading data from a file)
423 if (! filename && pcap_lookupnet (interface, & network, & netmask, ebuf) < 0)
424 printf ("Cannot lookup for the network due to %s\n", ebuf),
428 * determine the type of the underlying network and the data-link encapsulation method
429 * (unless we are reading data from a file)
431 dlt = pcap_datalink (ph);
433 if (! filename && dlt != DLT_NULL && dlt != DLT_IEEE802 && dlt != DLT_EN10MB)
434 printf ("Unsupported data-link encapsulation %d\n", dlt),
438 * compile an optional filter into a BPF program
440 if (filter && pcap_compile (ph, & program, filter, 1, netmask) == -1)
441 printf ("Cannot compile the filter %s\n", filter),
445 * apply the filter to the handler
447 if (filter && pcap_setfilter (ph, & program) == -1)
448 printf ("Cannot set the filter %s\n", filter),
452 * announce to the world
454 printf ("%s %s: listening on %s\n", progname, __version__, interface);
458 * Setup signal handlers
460 signal (SIGTERM, on_signal);
461 signal (SIGINT, on_signal);
465 * Go for fun! and handle any packet received
467 if (pcap_loop (ph, -1, parse_pdu, NULL) == -1)
468 printf ("%s: error while capturing packets due to %s\n", progname, pcap_geterr (ph)),