Diffstat (limited to 'contrib/impcap')
-rw-r--r--contrib/impcap/Makefile.am22
-rw-r--r--contrib/impcap/Makefile.in949
-rw-r--r--contrib/impcap/arp_parser.c163
-rw-r--r--contrib/impcap/dns_parser.c372
-rw-r--r--contrib/impcap/eth_parser.c179
-rw-r--r--contrib/impcap/ftp_parser.c152
-rw-r--r--contrib/impcap/http_parser.c159
-rw-r--r--contrib/impcap/icmp_parser.c79
-rw-r--r--contrib/impcap/impcap.c748
-rw-r--r--contrib/impcap/ipv4_parser.c101
-rw-r--r--contrib/impcap/ipv6_parser.c305
-rw-r--r--contrib/impcap/ipx_parser.c97
-rw-r--r--contrib/impcap/llc_parser.c109
-rw-r--r--contrib/impcap/parsers.h189
-rw-r--r--contrib/impcap/smb_parser.c145
-rw-r--r--contrib/impcap/tcp_parser.c121
-rw-r--r--contrib/impcap/udp_parser.c90
17 files changed, 3980 insertions, 0 deletions
diff --git a/contrib/impcap/Makefile.am b/contrib/impcap/Makefile.am
new file mode 100644
index 0000000..e1c80e5
--- /dev/null
+++ b/contrib/impcap/Makefile.am
@@ -0,0 +1,22 @@
+pkglib_LTLIBRARIES = impcap.la
+
+impcap_la_SOURCES = impcap.c
+impcap_la_CPPFLAGS = -I$(top_srcdir) $(PTHREADS_CFLAGS) $(RSRT_CFLAGS)
+impcap_la_LDFLAGS = -module -avoid-version
+impcap_la_LIBADD = -lpcap
+
+impcap_la_SOURCES += arp_parser.c
+impcap_la_SOURCES += eth_parser.c
+impcap_la_SOURCES += icmp_parser.c
+impcap_la_SOURCES += ipv4_parser.c
+impcap_la_SOURCES += ipv6_parser.c
+impcap_la_SOURCES += ipx_parser.c
+impcap_la_SOURCES += llc_parser.c
+impcap_la_SOURCES += udp_parser.c
+impcap_la_SOURCES += dns_parser.c
+impcap_la_SOURCES += tcp_parser.c
+impcap_la_SOURCES += smb_parser.c
+impcap_la_SOURCES += ftp_parser.c
+impcap_la_SOURCES += http_parser.c
+
+EXTRA_DIST=parsers.h
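Review bot: `impcap_la_LIBADD = -lpcap` hard-codes the dependency instead of using a configure-detected variable, so on a host without libpcap the build only fails at link time with an opaque error, and any include or library path that pkg-config would supply for pcap is never honoured (note `impcap_la_CPPFLAGS` carries no pcap CFLAGS either, unlike every other external library in this tree, which gets `*_CFLAGS`/`*_LIBS` pairs from configure). If configure.ac — not visible in this hunk — already has a pcap check, the two lines should read `impcap_la_CPPFLAGS = -I$(top_srcdir) $(PTHREADS_CFLAGS) $(RSRT_CFLAGS) $(PCAP_CFLAGS)` and `impcap_la_LIBADD = $(PCAP_LIBS)`; if it does not, add a `PKG_CHECK_MODULES`/`AC_CHECK_LIB` for pcap there so the module is only built when the library is actually present. Because this module links a raw packet-capture library into the rsyslogd process, making it an explicit, detected opt-in at configure time is preferable to an unconditional `-lpcap`; whether the top-level build already gates `contrib/impcap` behind an `--enable` switch cannot be confirmed from this hunk.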
diff --git a/contrib/impcap/Makefile.in b/contrib/impcap/Makefile.in
new file mode 100644
index 0000000..506aaef
--- /dev/null
+++ b/contrib/impcap/Makefile.in
@@ -0,0 +1,949 @@
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = contrib/impcap
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/ac_check_define.m4 \
+ $(top_srcdir)/m4/atomic_operations.m4 \
+ $(top_srcdir)/m4/atomic_operations_64bit.m4 \
+ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
+ $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
+ $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(pkglibdir)"
+LTLIBRARIES = $(pkglib_LTLIBRARIES)
+impcap_la_DEPENDENCIES =
+am_impcap_la_OBJECTS = impcap_la-impcap.lo impcap_la-arp_parser.lo \
+ impcap_la-eth_parser.lo impcap_la-icmp_parser.lo \
+ impcap_la-ipv4_parser.lo impcap_la-ipv6_parser.lo \
+ impcap_la-ipx_parser.lo impcap_la-llc_parser.lo \
+ impcap_la-udp_parser.lo impcap_la-dns_parser.lo \
+ impcap_la-tcp_parser.lo impcap_la-smb_parser.lo \
+ impcap_la-ftp_parser.lo impcap_la-http_parser.lo
+impcap_la_OBJECTS = $(am_impcap_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+impcap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(impcap_la_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__maybe_remake_depfiles = depfiles
+am__depfiles_remade = ./$(DEPDIR)/impcap_la-arp_parser.Plo \
+ ./$(DEPDIR)/impcap_la-dns_parser.Plo \
+ ./$(DEPDIR)/impcap_la-eth_parser.Plo \
+ ./$(DEPDIR)/impcap_la-ftp_parser.Plo \
+ ./$(DEPDIR)/impcap_la-http_parser.Plo \
+ ./$(DEPDIR)/impcap_la-icmp_parser.Plo \
+ ./$(DEPDIR)/impcap_la-impcap.Plo \
+ ./$(DEPDIR)/impcap_la-ipv4_parser.Plo \
+ ./$(DEPDIR)/impcap_la-ipv6_parser.Plo \
+ ./$(DEPDIR)/impcap_la-ipx_parser.Plo \
+ ./$(DEPDIR)/impcap_la-llc_parser.Plo \
+ ./$(DEPDIR)/impcap_la-smb_parser.Plo \
+ ./$(DEPDIR)/impcap_la-tcp_parser.Plo \
+ ./$(DEPDIR)/impcap_la-udp_parser.Plo
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
+SOURCES = $(impcap_la_SOURCES)
+DIST_SOURCES = $(impcap_la_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+APU_CFLAGS = @APU_CFLAGS@
+APU_LIBS = @APU_LIBS@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CIVETWEB_LIBS = @CIVETWEB_LIBS@
+CONF_FILE_PATH = @CONF_FILE_PATH@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CURL_CFLAGS = @CURL_CFLAGS@
+CURL_LIBS = @CURL_LIBS@
+CYGPATH_W = @CYGPATH_W@
+CZMQ_CFLAGS = @CZMQ_CFLAGS@
+CZMQ_LIBS = @CZMQ_LIBS@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLTOOL = @DLLTOOL@
+DL_LIBS = @DL_LIBS@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FAUP_LIBS = @FAUP_LIBS@
+FGREP = @FGREP@
+GLIB_CFLAGS = @GLIB_CFLAGS@
+GLIB_LIBS = @GLIB_LIBS@
+GNUTLS_CFLAGS = @GNUTLS_CFLAGS@
+GNUTLS_LIBS = @GNUTLS_LIBS@
+GREP = @GREP@
+GSS_LIBS = @GSS_LIBS@
+GT_KSI_LS12_CFLAGS = @GT_KSI_LS12_CFLAGS@
+GT_KSI_LS12_LIBS = @GT_KSI_LS12_LIBS@
+HASH_XXHASH_LIBS = @HASH_XXHASH_LIBS@
+HIREDIS_CFLAGS = @HIREDIS_CFLAGS@
+HIREDIS_LIBS = @HIREDIS_LIBS@
+IMUDP_LIBS = @IMUDP_LIBS@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IP = @IP@
+JAVA = @JAVA@
+JAVAC = @JAVAC@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBCAPNG_CFLAGS = @LIBCAPNG_CFLAGS@
+LIBCAPNG_LIBS = @LIBCAPNG_LIBS@
+LIBCAPNG_PRESENT_CFLAGS = @LIBCAPNG_PRESENT_CFLAGS@
+LIBCAPNG_PRESENT_LIBS = @LIBCAPNG_PRESENT_LIBS@
+LIBDBI_CFLAGS = @LIBDBI_CFLAGS@
+LIBDBI_LIBS = @LIBDBI_LIBS@
+LIBESTR_CFLAGS = @LIBESTR_CFLAGS@
+LIBESTR_LIBS = @LIBESTR_LIBS@
+LIBEVENT_CFLAGS = @LIBEVENT_CFLAGS@
+LIBEVENT_LIBS = @LIBEVENT_LIBS@
+LIBFASTJSON_CFLAGS = @LIBFASTJSON_CFLAGS@
+LIBFASTJSON_LIBS = @LIBFASTJSON_LIBS@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
+LIBLOGGING_CFLAGS = @LIBLOGGING_CFLAGS@
+LIBLOGGING_LIBS = @LIBLOGGING_LIBS@
+LIBLOGGING_STDLOG_CFLAGS = @LIBLOGGING_STDLOG_CFLAGS@
+LIBLOGGING_STDLOG_LIBS = @LIBLOGGING_STDLOG_LIBS@
+LIBLOGNORM_CFLAGS = @LIBLOGNORM_CFLAGS@
+LIBLOGNORM_LIBS = @LIBLOGNORM_LIBS@
+LIBLZ4_CFLAGS = @LIBLZ4_CFLAGS@
+LIBLZ4_LIBS = @LIBLZ4_LIBS@
+LIBM = @LIBM@
+LIBMONGOC_CFLAGS = @LIBMONGOC_CFLAGS@
+LIBMONGOC_LIBS = @LIBMONGOC_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBRDKAFKA_CFLAGS = @LIBRDKAFKA_CFLAGS@
+LIBRDKAFKA_LIBS = @LIBRDKAFKA_LIBS@
+LIBS = @LIBS@
+LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@
+LIBSYSTEMD_JOURNAL_CFLAGS = @LIBSYSTEMD_JOURNAL_CFLAGS@
+LIBSYSTEMD_JOURNAL_LIBS = @LIBSYSTEMD_JOURNAL_LIBS@
+LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@
+LIBTOOL = @LIBTOOL@
+LIBUUID_CFLAGS = @LIBUUID_CFLAGS@
+LIBUUID_LIBS = @LIBUUID_LIBS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQL_CFLAGS = @MYSQL_CFLAGS@
+MYSQL_CONFIG = @MYSQL_CONFIG@
+MYSQL_LIBS = @MYSQL_LIBS@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_CFLAGS = @OPENSSL_CFLAGS@
+OPENSSL_LIBS = @OPENSSL_LIBS@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PGSQL_CFLAGS = @PGSQL_CFLAGS@
+PGSQL_LIBS = @PGSQL_LIBS@
+PG_CONFIG = @PG_CONFIG@
+PID_FILE_PATH = @PID_FILE_PATH@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PROTON_CFLAGS = @PROTON_CFLAGS@
+PROTON_LIBS = @PROTON_LIBS@
+PROTON_PROACTOR_CFLAGS = @PROTON_PROACTOR_CFLAGS@
+PROTON_PROACTOR_LIBS = @PROTON_PROACTOR_LIBS@
+PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
+PTHREADS_LIBS = @PTHREADS_LIBS@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RABBITMQ_CFLAGS = @RABBITMQ_CFLAGS@
+RABBITMQ_LIBS = @RABBITMQ_LIBS@
+RANLIB = @RANLIB@
+READLINK = @READLINK@
+REDIS = @REDIS@
+RELP_CFLAGS = @RELP_CFLAGS@
+RELP_LIBS = @RELP_LIBS@
+RSRT_CFLAGS = @RSRT_CFLAGS@
+RSRT_CFLAGS1 = @RSRT_CFLAGS1@
+RSRT_LIBS = @RSRT_LIBS@
+RSRT_LIBS1 = @RSRT_LIBS1@
+RST2MAN = @RST2MAN@
+RT_LIBS = @RT_LIBS@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SNMP_CFLAGS = @SNMP_CFLAGS@
+SNMP_LIBS = @SNMP_LIBS@
+SOL_LIBS = @SOL_LIBS@
+STRIP = @STRIP@
+TCL_BIN_DIR = @TCL_BIN_DIR@
+TCL_INCLUDE_SPEC = @TCL_INCLUDE_SPEC@
+TCL_LIB_FILE = @TCL_LIB_FILE@
+TCL_LIB_FLAG = @TCL_LIB_FLAG@
+TCL_LIB_SPEC = @TCL_LIB_SPEC@
+TCL_PATCH_LEVEL = @TCL_PATCH_LEVEL@
+TCL_SRC_DIR = @TCL_SRC_DIR@
+TCL_STUB_LIB_FILE = @TCL_STUB_LIB_FILE@
+TCL_STUB_LIB_FLAG = @TCL_STUB_LIB_FLAG@
+TCL_STUB_LIB_SPEC = @TCL_STUB_LIB_SPEC@
+TCL_VERSION = @TCL_VERSION@
+UDPSPOOF_CFLAGS = @UDPSPOOF_CFLAGS@
+UDPSPOOF_LIBS = @UDPSPOOF_LIBS@
+VALGRIND = @VALGRIND@
+VERSION = @VERSION@
+WARN_CFLAGS = @WARN_CFLAGS@
+WARN_LDFLAGS = @WARN_LDFLAGS@
+WARN_SCANNERFLAGS = @WARN_SCANNERFLAGS@
+WGET = @WGET@
+YACC = @YACC@
+YACC_FOUND = @YACC_FOUND@
+YFLAGS = @YFLAGS@
+ZLIB_CFLAGS = @ZLIB_CFLAGS@
+ZLIB_LIBS = @ZLIB_LIBS@
+ZSTD_CFLAGS = @ZSTD_CFLAGS@
+ZSTD_LIBS = @ZSTD_LIBS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+moddirs = @moddirs@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+runstatedir = @runstatedir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+pkglib_LTLIBRARIES = impcap.la
+impcap_la_SOURCES = impcap.c arp_parser.c eth_parser.c icmp_parser.c \
+ ipv4_parser.c ipv6_parser.c ipx_parser.c llc_parser.c \
+ udp_parser.c dns_parser.c tcp_parser.c smb_parser.c \
+ ftp_parser.c http_parser.c
+impcap_la_CPPFLAGS = -I$(top_srcdir) $(PTHREADS_CFLAGS) $(RSRT_CFLAGS)
+impcap_la_LDFLAGS = -module -avoid-version
+impcap_la_LIBADD = -lpcap
+EXTRA_DIST = parsers.h
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu contrib/impcap/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu contrib/impcap/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+install-pkglibLTLIBRARIES: $(pkglib_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ @list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(MKDIR_P) '$(DESTDIR)$(pkglibdir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(pkglibdir)" || exit 1; \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(pkglibdir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(pkglibdir)"; \
+ }
+
+uninstall-pkglibLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(pkglibdir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(pkglibdir)/$$f"; \
+ done
+
+clean-pkglibLTLIBRARIES:
+ -test -z "$(pkglib_LTLIBRARIES)" || rm -f $(pkglib_LTLIBRARIES)
+ @list='$(pkglib_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
+impcap.la: $(impcap_la_OBJECTS) $(impcap_la_DEPENDENCIES) $(EXTRA_impcap_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(impcap_la_LINK) -rpath $(pkglibdir) $(impcap_la_OBJECTS) $(impcap_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-arp_parser.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-dns_parser.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-eth_parser.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-ftp_parser.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-http_parser.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-icmp_parser.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-impcap.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-ipv4_parser.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-ipv6_parser.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-ipx_parser.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-llc_parser.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-smb_parser.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-tcp_parser.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-udp_parser.Plo@am__quote@ # am--include-marker
+
+$(am__depfiles_remade):
+ @$(MKDIR_P) $(@D)
+ @echo '# dummy' >$@-t && $(am__mv) $@-t $@
+
+am--depfiles: $(am__depfiles_remade)
+
+.c.o:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+impcap_la-impcap.lo: impcap.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-impcap.lo -MD -MP -MF $(DEPDIR)/impcap_la-impcap.Tpo -c -o impcap_la-impcap.lo `test -f 'impcap.c' || echo '$(srcdir)/'`impcap.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-impcap.Tpo $(DEPDIR)/impcap_la-impcap.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='impcap.c' object='impcap_la-impcap.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-impcap.lo `test -f 'impcap.c' || echo '$(srcdir)/'`impcap.c
+
+impcap_la-arp_parser.lo: arp_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-arp_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-arp_parser.Tpo -c -o impcap_la-arp_parser.lo `test -f 'arp_parser.c' || echo '$(srcdir)/'`arp_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-arp_parser.Tpo $(DEPDIR)/impcap_la-arp_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='arp_parser.c' object='impcap_la-arp_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-arp_parser.lo `test -f 'arp_parser.c' || echo '$(srcdir)/'`arp_parser.c
+
+impcap_la-eth_parser.lo: eth_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-eth_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-eth_parser.Tpo -c -o impcap_la-eth_parser.lo `test -f 'eth_parser.c' || echo '$(srcdir)/'`eth_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-eth_parser.Tpo $(DEPDIR)/impcap_la-eth_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='eth_parser.c' object='impcap_la-eth_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-eth_parser.lo `test -f 'eth_parser.c' || echo '$(srcdir)/'`eth_parser.c
+
+impcap_la-icmp_parser.lo: icmp_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-icmp_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-icmp_parser.Tpo -c -o impcap_la-icmp_parser.lo `test -f 'icmp_parser.c' || echo '$(srcdir)/'`icmp_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-icmp_parser.Tpo $(DEPDIR)/impcap_la-icmp_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='icmp_parser.c' object='impcap_la-icmp_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-icmp_parser.lo `test -f 'icmp_parser.c' || echo '$(srcdir)/'`icmp_parser.c
+
+impcap_la-ipv4_parser.lo: ipv4_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-ipv4_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-ipv4_parser.Tpo -c -o impcap_la-ipv4_parser.lo `test -f 'ipv4_parser.c' || echo '$(srcdir)/'`ipv4_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-ipv4_parser.Tpo $(DEPDIR)/impcap_la-ipv4_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipv4_parser.c' object='impcap_la-ipv4_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-ipv4_parser.lo `test -f 'ipv4_parser.c' || echo '$(srcdir)/'`ipv4_parser.c
+
+impcap_la-ipv6_parser.lo: ipv6_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-ipv6_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-ipv6_parser.Tpo -c -o impcap_la-ipv6_parser.lo `test -f 'ipv6_parser.c' || echo '$(srcdir)/'`ipv6_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-ipv6_parser.Tpo $(DEPDIR)/impcap_la-ipv6_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipv6_parser.c' object='impcap_la-ipv6_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-ipv6_parser.lo `test -f 'ipv6_parser.c' || echo '$(srcdir)/'`ipv6_parser.c
+
+impcap_la-ipx_parser.lo: ipx_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-ipx_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-ipx_parser.Tpo -c -o impcap_la-ipx_parser.lo `test -f 'ipx_parser.c' || echo '$(srcdir)/'`ipx_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-ipx_parser.Tpo $(DEPDIR)/impcap_la-ipx_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipx_parser.c' object='impcap_la-ipx_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-ipx_parser.lo `test -f 'ipx_parser.c' || echo '$(srcdir)/'`ipx_parser.c
+
+impcap_la-llc_parser.lo: llc_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-llc_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-llc_parser.Tpo -c -o impcap_la-llc_parser.lo `test -f 'llc_parser.c' || echo '$(srcdir)/'`llc_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-llc_parser.Tpo $(DEPDIR)/impcap_la-llc_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='llc_parser.c' object='impcap_la-llc_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-llc_parser.lo `test -f 'llc_parser.c' || echo '$(srcdir)/'`llc_parser.c
+
+impcap_la-udp_parser.lo: udp_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-udp_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-udp_parser.Tpo -c -o impcap_la-udp_parser.lo `test -f 'udp_parser.c' || echo '$(srcdir)/'`udp_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-udp_parser.Tpo $(DEPDIR)/impcap_la-udp_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='udp_parser.c' object='impcap_la-udp_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-udp_parser.lo `test -f 'udp_parser.c' || echo '$(srcdir)/'`udp_parser.c
+
+impcap_la-dns_parser.lo: dns_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-dns_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-dns_parser.Tpo -c -o impcap_la-dns_parser.lo `test -f 'dns_parser.c' || echo '$(srcdir)/'`dns_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-dns_parser.Tpo $(DEPDIR)/impcap_la-dns_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='dns_parser.c' object='impcap_la-dns_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-dns_parser.lo `test -f 'dns_parser.c' || echo '$(srcdir)/'`dns_parser.c
+
+impcap_la-tcp_parser.lo: tcp_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-tcp_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-tcp_parser.Tpo -c -o impcap_la-tcp_parser.lo `test -f 'tcp_parser.c' || echo '$(srcdir)/'`tcp_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-tcp_parser.Tpo $(DEPDIR)/impcap_la-tcp_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tcp_parser.c' object='impcap_la-tcp_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-tcp_parser.lo `test -f 'tcp_parser.c' || echo '$(srcdir)/'`tcp_parser.c
+
+impcap_la-smb_parser.lo: smb_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-smb_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-smb_parser.Tpo -c -o impcap_la-smb_parser.lo `test -f 'smb_parser.c' || echo '$(srcdir)/'`smb_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-smb_parser.Tpo $(DEPDIR)/impcap_la-smb_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='smb_parser.c' object='impcap_la-smb_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-smb_parser.lo `test -f 'smb_parser.c' || echo '$(srcdir)/'`smb_parser.c
+
+impcap_la-ftp_parser.lo: ftp_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-ftp_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-ftp_parser.Tpo -c -o impcap_la-ftp_parser.lo `test -f 'ftp_parser.c' || echo '$(srcdir)/'`ftp_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-ftp_parser.Tpo $(DEPDIR)/impcap_la-ftp_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ftp_parser.c' object='impcap_la-ftp_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-ftp_parser.lo `test -f 'ftp_parser.c' || echo '$(srcdir)/'`ftp_parser.c
+
+impcap_la-http_parser.lo: http_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-http_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-http_parser.Tpo -c -o impcap_la-http_parser.lo `test -f 'http_parser.c' || echo '$(srcdir)/'`http_parser.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-http_parser.Tpo $(DEPDIR)/impcap_la-http_parser.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='http_parser.c' object='impcap_la-http_parser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-http_parser.lo `test -f 'http_parser.c' || echo '$(srcdir)/'`http_parser.c
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ set x; \
+ here=`pwd`; \
+ $(am__define_uniq_tagged_files); \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(pkglibdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pkglibLTLIBRARIES \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -f ./$(DEPDIR)/impcap_la-arp_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-dns_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-eth_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-ftp_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-http_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-icmp_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-impcap.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-ipv4_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-ipv6_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-ipx_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-llc_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-smb_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-tcp_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-udp_parser.Plo
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am: install-pkglibLTLIBRARIES
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -f ./$(DEPDIR)/impcap_la-arp_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-dns_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-eth_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-ftp_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-http_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-icmp_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-impcap.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-ipv4_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-ipv6_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-ipx_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-llc_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-smb_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-tcp_parser.Plo
+ -rm -f ./$(DEPDIR)/impcap_la-udp_parser.Plo
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pkglibLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \
+ clean-generic clean-libtool clean-pkglibLTLIBRARIES \
+ cscopelist-am ctags ctags-am distclean distclean-compile \
+ distclean-generic distclean-libtool distclean-tags distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-man install-pdf \
+ install-pdf-am install-pkglibLTLIBRARIES install-ps \
+ install-ps-am install-strip installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+ uninstall-am uninstall-pkglibLTLIBRARIES
+
+.PRECIOUS: Makefile
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/contrib/impcap/arp_parser.c b/contrib/impcap/arp_parser.c
new file mode 100644
index 0000000..5d8ce6e
--- /dev/null
+++ b/contrib/impcap/arp_parser.c
@@ -0,0 +1,163 @@
+/* arp_parser.c
+ *
+ * This file contains functions to parse ARP and RARP headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+struct arp_header_s {
+ uint16_t hwType;
+ uint16_t pType;
+ uint8_t hwAddrLen;
+ uint8_t pAddrLen;
+ uint16_t opCode;
+ uint8_t pAddr[];
+};
+
+typedef struct arp_header_s arp_header_t;
+
+/*
+ * This function parses the bytes in the received packet to extract ARP metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the ARP header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where ARP metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *arp_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("arp_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ if (pktSize < 28) { /* too small for ARP header*/
+ DBGPRINTF("ARP packet too small : %d\n", pktSize);
+ RETURN_DATA_AFTER(0);
+ }
+
+ /* Union to prevent cast from uchar to arp_header_t */
+ union {
+ const uchar *pck;
+ arp_header_t *hdr;
+ } arp_header_to_char;
+
+ arp_header_to_char.pck = packet;
+ arp_header_t *arp_header = arp_header_to_char.hdr;
+
+ char pAddrSrc[20], pAddrDst[20];
+
+ json_object_object_add(jparent, "ARP_hwType", json_object_new_int(ntohs(arp_header->hwType)));
+ json_object_object_add(jparent, "ARP_pType", json_object_new_int(ntohs(arp_header->pType)));
+ json_object_object_add(jparent, "ARP_op", json_object_new_int(ntohs(arp_header->opCode)));
+
+ if (ntohs(arp_header->hwType) == 1) { /* ethernet addresses */
+ char hwAddrSrc[20], hwAddrDst[20];
+
+ ether_ntoa_r((struct ether_addr *)arp_header->pAddr, hwAddrSrc);
+ ether_ntoa_r((struct ether_addr *)(arp_header->pAddr + arp_header->hwAddrLen + arp_header->pAddrLen),
+ hwAddrDst);
+
+ json_object_object_add(jparent, "ARP_hwSrc", json_object_new_string((char *)hwAddrSrc));
+ json_object_object_add(jparent, "ARP_hwDst", json_object_new_string((char *)hwAddrDst));
+ }
+
+ if (ntohs(arp_header->pType) == ETHERTYPE_IP) {
+ inet_ntop(AF_INET, (void *)(arp_header->pAddr + arp_header->hwAddrLen), pAddrSrc, 20);
+ inet_ntop(AF_INET, (void *)(arp_header->pAddr + 2 * arp_header->hwAddrLen + arp_header->pAddrLen),
+ pAddrDst, 20);
+
+ json_object_object_add(jparent, "ARP_pSrc", json_object_new_string((char *)pAddrSrc));
+ json_object_object_add(jparent, "ARP_pDst", json_object_new_string((char *)pAddrDst));
+ }
+
+ RETURN_DATA_AFTER(28);
+}
+
+/*
+ * This function parses the bytes in the received packet to extract RARP metadata.
+ * This is a copy of ARP handler, as structure is the same but protocol code and name are different
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the RARP header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where RARP metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *rarp_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("rarp_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ if (pktSize < 28) { /* too small for RARP header*/
+ DBGPRINTF("RARP packet too small : %d\n", pktSize);
+ RETURN_DATA_AFTER(0);
+ }
+
+ /* Union to prevent cast from uchar to arp_header_t */
+ union {
+ const uchar *pck;
+ arp_header_t *hdr;
+ } arp_header_to_char;
+
+ arp_header_to_char.pck = packet;
+ arp_header_t *rarp_header = arp_header_to_char.hdr;
+
+ char pAddrSrc[20], pAddrDst[20];
+
+ json_object_object_add(jparent, "RARP_hwType", json_object_new_int(ntohs(rarp_header->hwType)));
+ json_object_object_add(jparent, "RARP_pType", json_object_new_int(ntohs(rarp_header->pType)));
+ json_object_object_add(jparent, "RARP_op", json_object_new_int(ntohs(rarp_header->opCode)));
+
+ if (ntohs(rarp_header->hwType) == 1) { /* ethernet addresses */
+ char *hwAddrSrc = ether_ntoa((struct ether_addr *)rarp_header->pAddr);
+ char *hwAddrDst = ether_ntoa((struct ether_addr *)(rarp_header->pAddr +
+ rarp_header->hwAddrLen +
+ rarp_header->pAddrLen));
+
+ json_object_object_add(jparent, "RARP_hwSrc", json_object_new_string((char *)hwAddrSrc));
+ json_object_object_add(jparent, "RARP_hwDst", json_object_new_string((char *)hwAddrDst));
+ }
+
+ if (ntohs(rarp_header->pType) == ETHERTYPE_IP) {
+ inet_ntop(AF_INET, (void *)(rarp_header->pAddr + rarp_header->hwAddrLen), pAddrSrc, 20);
+ inet_ntop(AF_INET, (void *)(rarp_header->pAddr + 2 * rarp_header->hwAddrLen + rarp_header->pAddrLen),
+ pAddrDst, 20);
+
+ json_object_object_add(jparent, "RARP_pSrc", json_object_new_string((char *)pAddrSrc));
+ json_object_object_add(jparent, "RARP_pDst", json_object_new_string((char *)pAddrDst));
+ }
+
+ RETURN_DATA_AFTER(28);
+}
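Review bot: The address offsets in `arp_parse` are computed from the packet's own `hwAddrLen` and `pAddrLen` fields, yet the only size check is the fixed `pktSize < 28`, so a header declaring larger address lengths makes `ether_ntoa_r` and `inet_ntop` read beyond the 28 verified bytes and potentially beyond `pktSize`; the two branches also assume 6-byte hardware and 4-byte protocol addresses without checking the declared lengths. A derived-length check after the union cast plus an equality test per branch closes this (below); `rarp_parse` has the identical structure and needs the same change. Separately, `rarp_parse` uses `ether_ntoa`, which returns a pointer to a single static buffer, so when `RARP_hwSrc` is added both pointers already refer to the destination address — it should use `ether_ntoa_r` into local buffers exactly as `arp_parse` does. Whether `RETURN_DATA_AFTER(28)` should also use the derived length depends on the macro in parsers.h, which is not in this hunk.
```c
	/* … unchanged: pktSize < 28 check and union cast to arp_header … */
	/* the address lengths come from the packet, so every offset below must be re-checked against them */
	const int hdrLen = 8 + 2 * ((int)arp_header->hwAddrLen + (int)arp_header->pAddrLen);
	if (pktSize < hdrLen) {
		DBGPRINTF("ARP packet too small for declared address lengths : %d < %d\n", pktSize, hdrLen);
		RETURN_DATA_AFTER(0);
	}
	/* … unchanged: ARP_hwType / ARP_pType / ARP_op … */
	if (ntohs(arp_header->hwType) == 1 && arp_header->hwAddrLen == 6) { /* ethernet addresses */
	/* … unchanged: ether_ntoa_r calls and ARP_hwSrc / ARP_hwDst … */
	if (ntohs(arp_header->pType) == ETHERTYPE_IP && arp_header->pAddrLen == 4) {
	/* … unchanged: inet_ntop calls and ARP_pSrc / ARP_pDst … */
```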
diff --git a/contrib/impcap/dns_parser.c b/contrib/impcap/dns_parser.c
new file mode 100644
index 0000000..f9f4e68
--- /dev/null
+++ b/contrib/impcap/dns_parser.c
@@ -0,0 +1,372 @@
+/* dns_parser.c
+ *
+ * This file contains functions to parse DNS headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Kevin Guillemot (kevin.guillemot@advens.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+
+/* List of RCodes defined in RFC6895 : https://tools.ietf.org/html/rfc6895 */
+static const char *dns_rcodes[] = {
+ "NoError", // 0
+ "FormErr", // 1
+ "ServFail", // 2
+ "NXDomain", // 3
+ "NotImp", // 4
+ "Refused", // 5
+ "YXDomain", // 6
+ "YXRRSet", // 7
+ "NXRRSet", // 8
+ "NotAuth", // 9
+ "NotZone", // 10
+ "", // 11 - Reserved
+ "", // 12 - Reserved
+ "", // 13 - Reserved
+ "", // 14 - Reserved
+ "", // 15 - Reserved
+ "BADVERS|BADSIG", // 16
+ "BADKEY", // 17
+ "BADTIME", // 18
+ "BADMODE", // 19
+ "BADNAME", // 20
+ "BADALG", // 21
+ "BADTRUNC", // 22
+ /* Reserved for private use */
+ NULL
+};
+
+/* List of record types (maybe not complete) */
+static const char *dns_types[] = {
+ 0,
+ "A", // 1
+ "NS", // 2
+ "MD", // 3
+ "MF", // 4
+ "CNAME", // 5
+ "SOA", // 6
+ "MB", // 7
+ "MG", // 8
+ "MR", // 9
+ "NULL", // 10
+ "WKS", // 11
+ "PTR", // 12
+ "HINFO", // 13
+ "MINFO", // 14
+ "MX", // 15
+ "TXT", // 16
+ "RP", // 17
+ "AFSDB", // 18
+ "X25", // 19
+ "ISDN", // 20
+ "RT", // 21
+ "NSAP", // 22
+ "NSAP-PTR", // 23
+ "SIG", // 24
+ "KEY", // 25
+ "PX", // 26
+ "GPOS", // 27
+ "AAAA", // 28
+ "LOC", // 29
+ "NXT", // 30
+ "EID", // 31
+ "NIMLOC", // 32
+ "SRV", // 33
+ "ATMA", // 34
+ "NAPTR", // 35
+ "KX", // 36
+ "CERT", // 37
+ "A6", // 38
+ "DNAME", // 39
+ "SINK", // 40
+ "OPT", // 41
+ "APL", // 42
+ "DS", // 43
+ "SSHFP", // 44
+ "IPSECKEY", // 45
+ "RRSIG", // 46
+ "NSEC", // 47
+ "DNSKEY", // 48
+ "DHCID", // 49
+ "NSEC3", // 50
+ "NSEC3PARAM", // 51
+ "TLSA", // 51
+ "SMIMEA", // 52
+ "Unassigned", // 53
+ "HIP", // 53
+ "NINFO", // 54
+ "RKEY", // 55
+ "TALINK", // 56
+ "CDS", // 57
+ "CDNSKEY", // 58
+ "OPENPGPKEY", // 59
+ "CSYNC", // 60
+ "ZONEMD", // 61
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ "SPF", // 99
+ "UINFO", // 100
+ "UID", // 101
+ "GID", // 102
+ "UNSPEC", // 103
+ "NID", // 104
+ "L32", // 105
+ "L64", // 106
+ "LP", // 107
+ "EUI48", // 108
+ "EUI64", // 109
+ /* Reserved for private use */
+ NULL
+};
+/* Part 2, since 249. To prevent useless large buffer in memory */
+static const char *dns_types2[] = {
+ "TKEY",
+ "TSIG",
+ "IXFR",
+ "AXFR",
+ "MAILB",
+ "MAILA",
+ "*",
+ "URI",
+ "CAA",
+ "AVC",
+ "DOA",
+ "AMTRELAY",
+ NULL
+};
+/* Part 3, since 32768. To prevent useless large buffer in memory */
+static const char *dns_types3[] = {
+ "TA",
+ "DLV",
+ NULL
+};
+
+
+/* This function takes an integer as parameter
+ * and returns the corresponding string type of DNS query
+ */
+static const char *get_type(uint16_t x) {
+ const char **types = NULL;
+ uint16_t len_types3 = (sizeof(dns_types3) / sizeof(char *)) - 1;
+ uint16_t len_types2 = (sizeof(dns_types2) / sizeof(char *)) - 1;
+ uint16_t len_types = (sizeof(dns_types) / sizeof(char *)) - 1;
+ if (x >= 32768 && x < 32768 + len_types3) {
+ types = dns_types3;
+ x -= 32768;
+ }
+ else if (x >= 249 && x < 249 + len_types2) {
+ types = dns_types2;
+ x -= 249;
+ }
+ else if (x > 0 && x < len_types)
+ types = dns_types;
+ else
+ return "UNKNOWN";
+ if (types[x] != NULL)
+ return types[x];
+ return "UNKNOWN";
+}
+
+
+/* This function takes an integer as parameter
+ * and returns the corresponding string class of DNS query
+ */
+static const char *get_class(uint16_t x) {
+ switch (x) {
+ case 1:
+ return "IN";
+ case 3:
+ return "CH";
+ case 4:
+ return "HS";
+ case 254:
+ return "QCLASS NONE";
+ case 255:
+ return "QCLASS *";
+ }
+ return "UNKNOWN";
+}
+
+
+/*
+ * This function parses the bytes in the received packet to extract DNS metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where DNS metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *dns_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ const uchar *packet_ptr = packet;
+ const uchar *end_packet = packet + pktSize;
+ DBGPRINTF("dns_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ /* Union to prevent cast from uchar to smb_header_t */
+ union {
+ unsigned short int *two_bytes;
+ const uchar *pckt;
+ } union_short_int;
+
+ /* Get transaction id */
+ union_short_int.pckt = packet_ptr;
+ unsigned short int transaction_id = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("transaction_id = %02x \n", transaction_id);
+ union_short_int.pckt += 2;
+
+ /* Get flags */
+ unsigned short int flags = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("flags = %02x \n", flags);
+
+ /* Get response flag */
+ unsigned short int response_flag = (flags >> 15) & 0b1; // Get the left bit
+ //DBGPRINTF("response_flag = %02x \n", response_flag);
+
+ /* Get Opcode */
+ unsigned short int opcode = (flags >> 11) & 0b1111;
+ //DBGPRINTF("opcode = %02x \n", opcode);
+
+ /* Verify Z: reserved bit */
+ unsigned short int reserved = (flags >> 6) & 0b1;
+ //DBGPRINTF("reserved = %02x \n", reserved);
+ /* Reserved bit MUST be 0 */
+ if (reserved != 0) {
+ DBGPRINTF("DNS packet reserved bit (Z) is not 0, aborting message. \n");
+ RETURN_DATA_AFTER(0)
+ }
+
+ /* Get reply code : 4 last bits */
+ unsigned short int reply_code = flags & 0b1111;
+ //DBGPRINTF("reply_code = %02x \n", reply_code);
+
+ union_short_int.pckt += 2;
+
+ /* Get QDCOUNT */
+ unsigned short int query_count = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("query_count = %02x \n", query_count);
+ union_short_int.pckt += 2;
+
+ /* Get ANCOUNT */
+ unsigned short int answer_count = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("answer_count = %02x \n", answer_count);
+ union_short_int.pckt += 2;
+
+ /* Get NSCOUNT */
+ unsigned short int authority_count = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("authority_count = %02x \n", authority_count);
+ union_short_int.pckt += 2;
+
+ /* Get ARCOUNT */
+ unsigned short int additionnal_count = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("additionnal_count = %02x \n", additionnal_count);
+ union_short_int.pckt += 2;
+ packet_ptr = union_short_int.pckt;
+
+ fjson_object *queries = NULL;
+ if ((queries = json_object_new_array()) == NULL) {
+ DBGPRINTF("impcap::dns_parser: Cannot create new json array. Stopping.\n");
+ RETURN_DATA_AFTER(0)
+ }
+
+ // For each query of query_count
+ int query_cpt = 0;
+ while (query_cpt < query_count && packet_ptr < end_packet) {
+ size_t query_size = strnlen((const char *)packet_ptr, (size_t)(end_packet - packet_ptr));
+ // Check if query is valid (max 255 bytes, plus a '\0')
+ if (query_size >= 256) {
+ DBGPRINTF("impcap::dns_parser: Length of domain queried is > 255. Stopping.\n");
+ break;
+ }
+ // Check if remaining data is enough to hold query + '\0' + 4 bytes (QTYPE and QCLASS fields)
+ if (query_size + 5 > (size_t)(end_packet - packet_ptr)) {
+ DBGPRINTF("impcap::dns_parser: packet size too small to parse query. Stopping.\n");
+ break;
+ }
+ fjson_object *query = NULL;
+ if ((query = json_object_new_object()) == NULL) {
+ DBGPRINTF("impcap::dns_parser: Cannot create new json object. Stopping.\n");
+ break;
+ }
+ char domain_query[256] = {0};
+ uchar nb_char = *packet_ptr;
+ packet_ptr++;
+ size_t cpt = 0;
+ while (cpt + 1 < query_size) {
+ if (nb_char == 0) {
+ nb_char = *packet_ptr;
+ domain_query[cpt] = '.';
+ } else {
+ domain_query[cpt] = (char)*packet_ptr;
+ nb_char--;
+ }
+ cpt++;
+ packet_ptr++;
+ }
+ domain_query[cpt] = '\0';
+ if (cpt)
+ packet_ptr++; // pass the last \0, only if query was not empty
+ // DBGPRINTF("Requested domain : '%s' \n", domain_query);
+
+ /* Register the name in dict */
+ json_object_object_add(query, "qname", json_object_new_string(domain_query));
+ /* Get QTYPE */
+ union_short_int.pckt = packet_ptr;
+ unsigned short int qtype = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("qtype = %02x \n", qtype);
+ json_object_object_add(query, "qtype", json_object_new_int((int)qtype));
+ json_object_object_add(query, "type", json_object_new_string(get_type(qtype)));
+ union_short_int.pckt += 2;
+ /* Retrieve QCLASS */
+ unsigned short int qclass = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("qclass = %02x \n", qclass);
+ json_object_object_add(query, "qclass", json_object_new_int((int)qclass));
+ json_object_object_add(query, "class", json_object_new_string(get_class(qclass)));
+ packet_ptr = union_short_int.pckt + 2;
+ /* Register the query in json array */
+ json_object_array_add(queries, query);
+ query_cpt++;
+ }
+
+ json_object_object_add(jparent, "DNS_transaction_id", json_object_new_int((int)transaction_id));
+
+ json_bool is_reponse = FALSE;
+ if (response_flag)
+ is_reponse = TRUE;
+ json_object_object_add(jparent, "DNS_response_flag", json_object_new_boolean(is_reponse));
+
+ json_object_object_add(jparent, "DNS_opcode", json_object_new_int(opcode));
+ json_object_object_add(jparent, "DNS_rcode", json_object_new_int((int)reply_code));
+ json_object_object_add(jparent, "DNS_error", json_object_new_string(dns_rcodes[reply_code]));
+ json_object_object_add(jparent, "DNS_QDCOUNT", json_object_new_int((int)query_count));
+ json_object_object_add(jparent, "DNS_ANCOUNT", json_object_new_int((int)answer_count));
+ json_object_object_add(jparent, "DNS_NSCOUNT", json_object_new_int((int)authority_count));
+ json_object_object_add(jparent, "DNS_ARCOUNT", json_object_new_int((int)additionnal_count));
+ json_object_object_add(jparent, "DNS_Names", queries);
+
+ /* Packet has been successfully parsed, there still can be some responses left, but do not process them */
+ RETURN_DATA_AFTER(0);
+}
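Review bot: `dns_parse` reads the 12-byte fixed header (transaction id, flags and the four counts) before any check on `pktSize`, so a truncated payload shorter than 12 bytes is read past its end; the per-query length checks inside the loop are careful but come too late for the header. Add, right after the debug prints, `if (pktSize < 12) { DBGPRINTF("DNS packet too small : %d\n", pktSize); RETURN_DATA_AFTER(0); }`, matching the `pktSize < 28` guard in `arp_parse`. The `union_short_int` trick also dereferences an `unsigned short *` at arbitrary byte offsets, which is an unaligned (and strict-aliasing-violating) access that traps on some architectures; `memcpy` into a `uint16_t` followed by `ntohs` avoids this and compiles to the same load where that load is legal. The index comments in `dns_types` drift after `NSEC3PARAM` (`TLSA` is at 52, `HIP` at 55, `ZONEMD` at 63) although the array positions themselves are correct, so the comments should be renumbered to avoid misleading the next edit.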
diff --git a/contrib/impcap/eth_parser.c b/contrib/impcap/eth_parser.c
new file mode 100644
index 0000000..4bda2d5
--- /dev/null
+++ b/contrib/impcap/eth_parser.c
@@ -0,0 +1,179 @@
+/* eth_parser.c
+ *
+ * This file contains functions to parse Ethernet II headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wpacked"
+#pragma GCC diagnostic ignored "-Wattributes"
+struct __attribute__ ((__packed__)) eth_header_s {
+ uint8_t addrDst[6];
+ uint8_t addrSrc[6];
+ uint16_t type;
+};
+
+struct __attribute__ ((__packed__)) vlan_header_s {
+ uint8_t addrDst[6];
+ uint8_t addrSrc[6];
+ uint16_t vlanCode;
+ uint16_t vlanTag;
+ uint16_t type;
+};
+#pragma GCC diagnostic pop
+
+typedef struct eth_header_s eth_header_t;
+typedef struct vlan_header_s vlan_header_t;
+
+
+/*
+ * Get an ethernet header type as uint16_t
+ * and return the correspondence as string
+ * NOTE : Only most common types are present, to complete if needed
+ */
+static const char *eth_type_to_string(uint16_t eth_type) {
+ switch (eth_type) {
+ case 0x00bb: // Extreme Networks Discovery Protocol
+ return "EDP";
+ case 0x0200: // PUP protocol
+ return "PUP";
+ case 0x0800: // IP protocol
+ return "IP";
+ case 0x0806: // address resolution protocol
+ return "ARP";
+ case 0x88a2: // AoE protocol
+ return "AOE";
+ case 0x2000: // Cisco Discovery Protocol
+ return "CDP";
+ case 0x2004: // Cisco Dynamic Trunking Protocol
+ return "DTP";
+ case 0x8035: // reverse addr resolution protocol
+ return "REVARP";
+ case 0x8100: // IEEE 802.1Q VLAN tagging
+ return "802.1Q";
+ case 0x88a8: // IEEE 802.1ad
+ return "802.1AD";
+ case 0x9100: // Legacy QinQ
+ return "QINQ1";
+ case 0x9200: // Legacy QinQ
+ return "QINQ2";
+ case 0x8137: // Internetwork Packet Exchange
+ return "IPX";
+ case 0x86DD: // IPv6 protocol
+ return "IPv6";
+ case 0x880B: // PPP
+ return "PPP";
+ case 0x8847: // MPLS
+ return "MPLS";
+ case 0x8848: // MPLS Multicast
+ return "MPLS_MCAST";
+ case 0x8863: // PPP Over Ethernet Discovery Stage
+ return "PPPoE_DISC";
+ case 0x8864: // PPP Over Ethernet Session Stage
+ return "PPPoE";
+ case 0x88CC: // Link Layer Discovery Protocol
+ return "LLDP";
+ case 0x6558: // Transparent Ethernet Bridging
+ return "TEB";
+ default:
+ return "UNKNOWN";
+ }
+}
+
+
+/*
+ * This function parses the bytes in the received packet to extract Ethernet II metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the ETH header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where ETH metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *eth_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("entered eth_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+ if (pktSize < 14) { /* too short for eth header */
+ DBGPRINTF("ETH packet too small : %d\n", pktSize);
+ RETURN_DATA_AFTER(0)
+ }
+
+ eth_header_t *eth_header = (eth_header_t *)packet;
+ char ethMacSrc[20], ethMacDst[20];
+ uint8_t hdrLen = 14;
+
+ ether_ntoa_r((struct ether_addr *)eth_header->addrSrc, ethMacSrc);
+ ether_ntoa_r((struct ether_addr *)eth_header->addrDst, ethMacDst);
+
+ json_object_object_add(jparent, "ETH_src", json_object_new_string((char *)ethMacSrc));
+ json_object_object_add(jparent, "ETH_dst", json_object_new_string((char *)ethMacDst));
+
+ uint16_t ethType = (uint16_t)ntohs(eth_header->type);
+
+ if (ethType == ETHERTYPE_VLAN) {
+ vlan_header_t *vlan_header = (vlan_header_t *)packet;
+ json_object_object_add(jparent, "ETH_tag", json_object_new_int(ntohs(vlan_header->vlanTag)));
+ ethType = (uint16_t)ntohs(vlan_header->type);
+ hdrLen += 4;
+ }
+
+ data_ret_t *ret;
+
+ if (ethType < 1500) {
+ /* this is a LLC header */
+ json_object_object_add(jparent, "ETH_len", json_object_new_int(ethType));
+ ret = llc_parse(packet + hdrLen, pktSize - hdrLen, jparent);
+
+ /* packet has the minimum allowed size, so the remaining data is
+ * most likely padding, this should not appear as data, so remove it
+ * */
+ //TODO this is a quick win, a more elaborate solution would be to check if all data
+ // is indeed zero, but that would take more processing time
+ if (pktSize <= 60 && ret->pData != NULL) {
+ if (!ret->pData[0]) ret->size = 0;
+ }
+ return ret;
+ }
+
+ json_object_object_add(jparent, "ETH_type", json_object_new_int(ethType));
+ json_object_object_add(jparent, "ETH_typestr", json_object_new_string((char *)eth_type_to_string(ethType)));
+ ret = eth_proto_parse(ethType, (packet + hdrLen), (pktSize - hdrLen), jparent);
+
+ /* packet has the minimum allowed size, so the remaining data is
+ * most likely padding, this should not appear as data, so remove it */
+ if (pktSize <= 60 && ret->pData != NULL) {
+ if (!ret->pData[0]) ret->size = 0;
+ }
+ return ret;
+}
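Review bot: The 14-byte minimum checked at L1688 does not cover the tagged-frame branch: when `type` equals `ETHERTYPE_VLAN`, the cast at L1706 reads `vlanTag` and `type` from bytes 14-17, so a capture of 14 to 17 bytes over-reads the buffer and `pktSize - hdrLen` goes negative into `llc_parse`/`eth_proto_parse`. Add `if (pktSize < 18) { RETURN_DATA_AFTER(0) }` as the first statement of that branch, before `vlan_header` is dereferenced. The padding heuristics at L1724 and L1736 also dereference `ret->pData[0]` without consulting `ret->size`; if a sub-parser returns an empty remainder, that byte lies just past the consumed data (assuming `RETURN_DATA_AFTER` sets `pData` to `packet + n` as its name suggests), so the condition should read `if (pktSize <= 60 && ret->pData != NULL && ret->size > 0)`.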
diff --git a/contrib/impcap/ftp_parser.c b/contrib/impcap/ftp_parser.c
new file mode 100644
index 0000000..6e724c9
--- /dev/null
+++ b/contrib/impcap/ftp_parser.c
@@ -0,0 +1,152 @@
+/* ftp_parser.c
+ *
+ * This file contains functions to parse FTP headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+static const int ftp_cds[] = {
+ 100, 110, 120, 125, 150,
+ 200, 202, 211, 212, 213, 214, 215, 220, 221, 225, 226, 227, 228, 229, 230, 231, 232, 250, 257,
+ 300, 331, 332, 350,
+ 400, 421, 425, 426, 430, 434, 450, 451, 452,
+ 500, 501, 502, 503, 504, 530, 532, 550, 551, 552, 553,
+ 600, 631, 632, 633,
+ 10000, 100054, 10060, 10061, 10066, 10068,
+ 0
+};
+
+static const char *ftp_cmds[] = {
+ "STOR",
+ "TYPE",
+ "ABOR",
+ "ACCT",
+ "ALLO",
+ "APPE",
+ "CDUP",
+ "CWD",
+ "DELE",
+ "HELP",
+ "LIST",
+ "MKD",
+ "MODE",
+ "NLST",
+ "NOOP",
+ "PASS",
+ "PASV",
+ "PORT",
+ "PWD",
+ "QUIT",
+ "REIN",
+ "REST",
+ "RETR",
+ "RMD",
+ "RNFR",
+ "RNTO",
+ "SITE",
+ "SMNT",
+ "STAT",
+ "STOU",
+ "STRU",
+ "SYST",
+ "USER",
+ NULL
+};
+
+/*
+ * This function searches for a valid command in the header (from the list defined in ftp_cmds[])
+ * and returns either the command or a NULL pointer
+*/
+static const char *check_Command_ftp(uchar *first_part_packet) {
+ DBGPRINTF("in check_Command_ftp\n");
+ DBGPRINTF("first_part_packet : '%s' \n", first_part_packet);
+ int i = 0;
+ for (i = 0; ftp_cmds[i] != NULL; i++) {
+ if (strncmp((const char *)first_part_packet, ftp_cmds[i], strlen((const char *)ftp_cmds[i]) + 1) == 0) {
+ return ftp_cmds[i];
+ }
+ }
+ return "UNKNOWN";
+}
+
+/*
+ * This function searches for a valid code in the header (from the list defined in ftp_cds[])
+ * and returns either the command or a NULL pointer
+*/
+static int check_Code_ftp(uchar *first_part_packet) {
+ DBGPRINTF("in check_Code_ftp\n");
+ DBGPRINTF("first_part_packet : %s \n", first_part_packet);
+ int i = 0;
+ for (i = 0; ftp_cds[i] != 0; i++) {
+ if (strtol((const char *)first_part_packet, NULL, 10) == ftp_cds[i]) {
+ return ftp_cds[i];
+ }
+ }
+ return 0;
+}
+
+/*
+ * This function parses the bytes in the received packet to extract FTP metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the FTP header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where FTP metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *ftp_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("ftp_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ if (pktSize < 5) { /* too short for ftp packet*/
+ RETURN_DATA_AFTER(0)
+ }
+ uchar *packet2 = (uchar *)malloc(pktSize * sizeof(uchar));
+
+ memcpy(packet2, packet, pktSize); // strtok changes original packet
+ uchar *frst_part_ftp;
+ frst_part_ftp = (uchar *)strtok((char *)packet2, " "); // Get first part of packet ftp
+ strtok(NULL, "\r\n");
+
+ if (frst_part_ftp) {
+ int code = check_Code_ftp(frst_part_ftp);
+ const char *command = check_Command_ftp(frst_part_ftp);
+ if (code != 0) {
+ json_object_object_add(jparent, "FTP_response", json_object_new_int(code));
+ } else if (command != NULL) {
+ json_object_object_add(jparent, "FTP_request", json_object_new_string(command));
+ }
+ }
+ free(packet2);
+ RETURN_DATA_AFTER(0)
+}
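Review bot: The copy of the payload made at L1880-L1882 is never NUL-terminated, so `strtok()` at L1884 (and the `%s` DBGPRINTFs in the two lookup helpers) read past the end of the `pktSize`-byte heap allocation whenever the captured text contains no space or terminator. Allocating one extra byte and terminating it fixes the over-read; the `malloc` result is also unchecked, and `strtok` keeps static state that is not safe to share between the per-instance capture threads this module starts (`startCaptureThread` in impcap.c), so `strtok_r` is the better fit. The second `strtok(NULL, "\r\n")` at L1885 discards its result and can go. Separately, `check_Command_ftp` returns `"UNKNOWN"` rather than the NULL its comment promises, so the `command != NULL` test at L1892 always passes and every unrecognised first token is reported as `FTP_request`; either return NULL there or compare against `"UNKNOWN"` at the call site.
```c
	/* … unchanged: size check … */
	uchar *packet2 = (uchar *)malloc(pktSize + 1);
	if (packet2 == NULL) {
		RETURN_DATA_AFTER(0)
	}
	memcpy(packet2, packet, pktSize);
	packet2[pktSize] = '\0'; /* strtok_r needs a terminated string; the capture buffer is not one */
	char *saveptr = NULL;
	uchar *frst_part_ftp = (uchar *)strtok_r((char *)packet2, " ", &saveptr);
	/* … unchanged: code/command lookup, free(packet2), return … */
```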
diff --git a/contrib/impcap/http_parser.c b/contrib/impcap/http_parser.c
new file mode 100644
index 0000000..56d8a25
--- /dev/null
+++ b/contrib/impcap/http_parser.c
@@ -0,0 +1,159 @@
+/* http_parser.c
+ *
+ * This file contains functions to parse HTTP headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+static const char *keywords[] = {
+ "OPTIONS",
+ "GET",
+ "HEAD",
+ "POST",
+ "PUT",
+ "DELETE",
+ "TRACE",
+ "CONNECT",
+ "HTTP",
+ NULL
+};
+
+static inline char *string_split(char **initString, const char *delimiterString) {
+ char *ret = *initString;
+
+ if (*initString) {
+ char *pos = strstr(*initString, delimiterString);
+ if (pos) {
+ *initString = pos;
+ **initString = '\0';
+ *initString += strlen(delimiterString);
+ } else {
+ *initString = NULL;
+ }
+ }
+
+ return ret;
+}
+
+static inline int has_status_keyword(char *http) {
+ const char *found;
+ int i;
+
+ for (i = 0; keywords[i] != NULL; i++) {
+ found = strstr(http, keywords[i]);
+ if (found && (found - http) < 20) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * This function catches HTTP header fields and status line
+ * and adds them to the provided json object
+*/
+static inline void catch_status_and_fields(char *header, struct json_object *jparent) {
+ DBGPRINTF("catch_status_and_fields\n");
+
+ struct json_object *fields = json_object_new_object();
+
+ char *statusLine = string_split(&header, "\r\n");
+ char *firstPart, *secondPart, *thirdPart;
+ firstPart = string_split(&statusLine, " ");
+ secondPart = string_split(&statusLine, " ");
+ thirdPart = statusLine;
+ if (firstPart && secondPart && thirdPart) {
+ if (strstr(firstPart, "HTTP")) {
+ json_object_object_add(jparent, "HTTP_version", json_object_new_string(firstPart));
+ json_object_object_add(jparent, "HTTP_status_code", json_object_new_string(secondPart));
+ json_object_object_add(jparent, "HTTP_reason", json_object_new_string(thirdPart));
+ } else {
+ json_object_object_add(jparent, "HTTP_method", json_object_new_string(firstPart));
+ json_object_object_add(jparent, "HTTP_request_URI", json_object_new_string(secondPart));
+ json_object_object_add(jparent, "HTTP_version", json_object_new_string(thirdPart));
+ }
+ }
+
+ char *fieldValue = string_split(&header, "\r\n");
+ char *field, *value;
+ while (fieldValue) {
+ field = string_split(&fieldValue, ":");
+ value = fieldValue;
+ if (value) {
+ while (*value == ' ') { value++; }
+ DBGPRINTF("got header field -> '%s': '%s'\n", field, value);
+ json_object_object_add(fields, field, json_object_new_string(value));
+ }
+
+ fieldValue = string_split(&header, "\r\n");
+ }
+
+ json_object_object_add(jparent, "HTTP_header_fields", fields);
+
+ return;
+}
+
+/*
+ * This function parses the bytes in the received packet to extract HTTP metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the beginning of the header will be checked by the function
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where HTTP metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *http_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("http_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+ if (pktSize < 6) {
+ RETURN_DATA_AFTER(0)
+ }
+
+ char *pHttp = malloc(pktSize + 1);
+ char *http = pHttp;
+ memcpy(http, packet, pktSize);
+ *(http + pktSize) = '\0';
+
+ if (!has_status_keyword(http)) {
+ free(pHttp);
+ RETURN_DATA_AFTER(0)
+ }
+
+ char *header = string_split(&http, "\r\n\r\n");
+
+ catch_status_and_fields(header, jparent);
+
+ free(pHttp);
+ RETURN_DATA_AFTER(0)
+}
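Review bot: `malloc(pktSize + 1)` at L2047 is not checked before the `memcpy` at L2049, so an allocation failure dereferences NULL inside the capture thread; add `if (pHttp == NULL) { RETURN_DATA_AFTER(0) }` directly after it. `has_status_keyword` matches any keyword anywhere in the first 20 bytes with `strstr`, so a payload that merely contains `GET` or `HTTP` in that window is parsed as HTTP and its lines end up as `HTTP_header_fields` keys; anchoring the comparison at the buffer start (`strncmp(http, keywords[i], strlen(keywords[i])) == 0`) would cut the false positives, though the looser match may be intended for captures that start mid-stream. `string_split` deserves a short comment because it mutates the caller's pointer: `/* Returns the token at *initString, overwrites the delimiter with '\0' and advances *initString past it; sets *initString to NULL when the delimiter is absent. */`.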
diff --git a/contrib/impcap/icmp_parser.c b/contrib/impcap/icmp_parser.c
new file mode 100644
index 0000000..8a627ee
--- /dev/null
+++ b/contrib/impcap/icmp_parser.c
@@ -0,0 +1,79 @@
+/* icmp_parser.c
+ *
+ * This file contains functions to parse ICMP headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+struct icmp_header_s {
+ uint8_t type;
+ uint8_t code;
+ uint16_t checksum;
+ uint8_t data[];
+};
+
+typedef struct icmp_header_s icmp_header_t;
+
+/*
+ * This function parses the bytes in the received packet to extract ICMP metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the ICMP header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where ICMP metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *icmp_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("icmp_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ if (pktSize < 8) {
+ DBGPRINTF("ICMP packet too small : %d\n", pktSize);
+ RETURN_DATA_AFTER(0);
+ }
+
+ /* Union to prevent cast from uchar to icmp_header_t */
+ union {
+ const uchar *pck;
+ icmp_header_t *hdr;
+ } icmp_header_to_char;
+
+ icmp_header_to_char.pck = packet;
+ icmp_header_t *icmp_header = icmp_header_to_char.hdr;
+
+ json_object_object_add(jparent, "net_icmp_type", json_object_new_int(icmp_header->type));
+ json_object_object_add(jparent, "net_icmp_code", json_object_new_int(icmp_header->code));
+ json_object_object_add(jparent, "icmp_checksum", json_object_new_int(ntohs(icmp_header->checksum)));
+
+ RETURN_DATA_AFTER(8)
+}
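Review bot: The keys written at L2143-L2145 mix two naming schemes (`net_icmp_type`, `net_icmp_code` versus `icmp_checksum`) and neither matches the `PROTO_field` convention the other parsers in this commit use (`ETH_src`, `DNS_rcode`, `FTP_response`); `ICMP_type`, `ICMP_code` and `ICMP_checksum` would keep the metadata container uniform for downstream filtering rules. `RETURN_DATA_AFTER(8)` at L2147 skips four bytes beyond the fields `icmp_header_s` declares, which reads as an off-by-four until one knows the layout; a comment such as `/* skip the 4-byte type-specific "rest of header" (e.g. echo id/seq) so the remainder starts at the ICMP payload */` would explain why 8 rather than `sizeof(icmp_header_t)`. The union at L2135 also silently drops `const` from `packet`; since this parser only reads, `const icmp_header_t *hdr` is the honest member type.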
diff --git a/contrib/impcap/impcap.c b/contrib/impcap/impcap.c
new file mode 100644
index 0000000..cdb1e54
--- /dev/null
+++ b/contrib/impcap/impcap.c
@@ -0,0 +1,748 @@
+/* impcap.c
+ *
+ * This is an input module using libpcap, a
+ * portable C/C++ library for network traffic capture.
+ * This module reads packets received from a network interface
+ * using libpcap, to extract information such as IP addresses, ports,
+ * protocols, etc... and make it available to rsyslog and other modules.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include <stdlib.h>
+#include <assert.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <ctype.h>
+#include <signal.h>
+#include <json.h>
+
+#include <pcap.h>
+
+#include "rsyslog.h"
+#include "prop.h"
+#include "ruleset.h"
+#include "datetime.h"
+
+#include "errmsg.h"
+#include "unicode-helper.h"
+#include "module-template.h"
+#include "rainerscript.h"
+#include "rsconf.h"
+#include "glbl.h"
+#include "srUtils.h"
+
+#include "parsers.h"
+
+
+MODULE_TYPE_INPUT
+MODULE_TYPE_NOKEEP
+MODULE_CNFNAME("impcap")
+
+#define DEFAULT_META_CONTAINER "!impcap"
+#define DEFAULT_DATA_CONTAINER "!data"
+
+
+/* static data */
+DEF_IMOD_STATIC_DATA
+DEFobjCurrIf(glbl)
+DEFobjCurrIf(prop)
+DEFobjCurrIf(ruleset)
+DEFobjCurrIf(datetime)
+
+static prop_t *pInputName = NULL;
+
+char *stringToHex(char *string, size_t length);
+
+static ATTR_NORETURN void *startCaptureThread(void *instanceConf);
+
+/* conf structures */
+
+struct instanceConf_s {
+ char *interface;
+ uchar *filePath;
+ pcap_t *device;
+ uchar *filter;
+ uchar *tag;
+ uint8_t promiscuous;
+ uint8_t immediateMode;
+ uint32_t bufSize;
+ uint8_t bufTimeout;
+ uint8_t pktBatchCnt;
+ pthread_t tid;
+ uchar *pszBindRuleset; /* name of ruleset to bind to */
+ ruleset_t *pBindRuleset; /* ruleset to bind listener to (use system default if unspecified) */
+ struct instanceConf_s *next;
+};
+
+struct modConfData_s {
+ rsconf_t *pConf;
+ instanceConf_t *root, *tail;
+ uint16_t snap_length;
+ uint8_t metadataOnly;
+ char *metadataContainer;
+ char *dataContainer;
+};
+
+static modConfData_t *loadModConf = NULL;/* modConf ptr to use for the current load process */
+static modConfData_t *runModConf = NULL; /* modConf ptr to use for the current exec process */
+
+/* input instance parameters */
+static struct cnfparamdescr inppdescr[] = {
+ {"interface", eCmdHdlrGetWord, 0},
+ {"file", eCmdHdlrString, 0},
+ {"promiscuous", eCmdHdlrBinary, 0},
+ {"filter", eCmdHdlrString, 0},
+ {"tag", eCmdHdlrString, 0},
+ {"ruleset", eCmdHdlrString, 0},
+ {"no_buffer", eCmdHdlrBinary, 0},
+ {"buffer_size", eCmdHdlrPositiveInt, 0},
+ {"buffer_timeout", eCmdHdlrPositiveInt, 0},
+ {"packet_count", eCmdHdlrPositiveInt, 0}
+};
+static struct cnfparamblk inppblk = {
+ CNFPARAMBLK_VERSION,
+ sizeof(inppdescr) / sizeof(struct cnfparamdescr),
+ inppdescr
+};
+
+/* module-global parameters */
+static struct cnfparamdescr modpdescr[] = {
+ {"snap_length", eCmdHdlrPositiveInt, 0},
+ {"metadata_only", eCmdHdlrBinary, 0},
+ {"metadata_container", eCmdHdlrGetWord, 0},
+ {"data_container", eCmdHdlrGetWord, 0}
+};
+static struct cnfparamblk modpblk = {
+ CNFPARAMBLK_VERSION,
+ sizeof(modpdescr) / sizeof(struct cnfparamdescr),
+ modpdescr
+};
+
+#include "im-helper.h"
+
+/*
+ * create input instance, set default parameters, and
+ * add it to the list of instances.
+ */
+static rsRetVal
+createInstance(instanceConf_t **pinst) {
+ instanceConf_t *inst;
+ DEFiRet;
+ CHKmalloc(inst = malloc(sizeof(instanceConf_t)));
+ inst->next = NULL;
+ inst->interface = NULL;
+ inst->filePath = NULL;
+ inst->device = NULL;
+ inst->promiscuous = 0;
+ inst->filter = NULL;
+ inst->tag = NULL;
+ inst->pszBindRuleset = NULL;
+ inst->immediateMode = 0;
+ inst->bufTimeout = 10;
+ inst->bufSize = 1024 * 1024 * 15; /* should be enough for up to 10Gb interface*/
+ inst->pktBatchCnt = 5;
+
+ /* node created, let's add to global config */
+ if (loadModConf->tail == NULL) {
+ loadModConf->tail = loadModConf->root = inst;
+ } else {
+ loadModConf->tail->next = inst;
+ loadModConf->tail = inst;
+ }
+
+ *pinst = inst;
+finalize_it:
+ RETiRet;
+}
+
+/* input instances */
+
+BEGINnewInpInst
+struct cnfparamvals *pvals;
+instanceConf_t *inst;
+int i;
+CODESTARTnewInpInst
+ pvals = nvlstGetParams(lst, &inppblk, NULL);
+
+ if(pvals == NULL) {
+ LogError(0, RS_RET_MISSING_CNFPARAMS,
+ "impcap: required parameters are missing\n");
+ ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS);
+ }
+
+ CHKiRet(createInstance(&inst));
+
+ for (i = 0 ; i<inppblk.nParams ; ++i) {
+ if (!pvals[i].bUsed)
+ continue;
+ if (!strcmp(inppblk.descr[i].name, "interface")) {
+ inst->interface = (char *)es_str2cstr(pvals[i].val.d.estr, NULL);
+ }
+ else if (!strcmp(inppblk.descr[i].name, "file")) {
+ inst->filePath = (uchar *)es_str2cstr(pvals[i].val.d.estr, NULL);
+ }
+ else if (!strcmp(inppblk.descr[i].name, "promiscuous")) {
+ inst->promiscuous = (uint8_t)pvals[i].val.d.n;
+ }
+ else if (!strcmp(inppblk.descr[i].name, "filter")) {
+ inst->
+ filter = (uchar *)es_str2cstr(pvals[i].val.d.estr, NULL);
+ }
+ else if (!strcmp(inppblk.descr[i].name, "tag")) {
+ inst->tag = (uchar *) es_str2cstr(pvals[i].val.d.estr, NULL);
+ }
+ else if (!strcmp(inppblk.descr[i].name, "ruleset")) {
+ inst->pszBindRuleset = (uchar *)es_str2cstr(pvals[i].val.d.estr, NULL);
+ }
+ else if (!strcmp(inppblk.descr[i].name, "no_buffer")) {
+ inst->immediateMode = (uint8_t)pvals[i].val.d.n;
+ }
+ else if (!strcmp(inppblk.descr[i].name, "buffer_size")) {
+ inst->bufSize = (uint32_t)pvals[i].val.d.n;
+ }
+ else if (!strcmp(inppblk.descr[i].name, "buffer_timeout")) {
+ inst->bufTimeout = (uint8_t)pvals[i].val.d.n;
+ }
+ else if (!strcmp(inppblk.descr[i].name, "packet_count")) {
+ inst->pktBatchCnt = (uint8_t)pvals[i].val.d.n;
+ }
+ else {
+ dbgprintf("impcap: non-handled param %s in beginCnfLoad\n", inppblk.descr[i].name);
+ }
+ }
+
+finalize_it:
+
+CODE_STD_FINALIZERnewInpInst
+ cnfparamvalsDestruct(pvals, &inppblk);
+ENDnewInpInst
+
+/* global mod conf (v2 system) */
+BEGINsetModCnf
+ struct cnfparamvals *pvals = NULL;
+ int i;
+
+CODESTARTsetModCnf
+ pvals = nvlstGetParams(lst, &modpblk, NULL);
+ if (pvals == NULL) {
+ LogError(0, RS_RET_MISSING_CNFPARAMS, "impcap: error processing module "
+ "config parameters missing [module(...)]");
+ ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS);
+ }
+
+ for (i = 0 ; i<modpblk.nParams ; ++i) {
+ if (!pvals[i].bUsed)
+ continue;
+ if (!strcmp(modpblk.descr[i].name, "snap_length")) {
+ loadModConf->snap_length = (int)pvals[i].val.d.n;
+ }
+ else if (!strcmp(modpblk.descr[i].name, "metadata_only")) {
+ loadModConf->metadataOnly = (uint8_t)pvals[i].val.d.n;
+ }
+ else if (!strcmp(modpblk.descr[i].name, "metadata_container")) {
+ loadModConf->metadataContainer = (char *)es_str2cstr(pvals[i].val.d.estr, NULL);
+ }
+ else if (!strcmp(modpblk.descr[i].name, "data_container")) {
+ loadModConf->dataContainer = (char *)es_str2cstr(pvals[i].val.d.estr, NULL);
+ }
+ else {
+ dbgprintf("impcap: non-handled param %s in beginSetModCnf\n", modpblk.descr[i].name);
+ }
+ }
+
+ if (!loadModConf->metadataContainer)
+ CHKmalloc(loadModConf->metadataContainer = strdup(DEFAULT_META_CONTAINER));
+
+ if (!loadModConf->dataContainer)
+ CHKmalloc(loadModConf->dataContainer = strdup(DEFAULT_DATA_CONTAINER));
+finalize_it:
+ if (pvals != NULL)
+ cnfparamvalsDestruct(pvals, &modpblk);
+ENDsetModCnf
+
+/* config v2 system */
+
+BEGINbeginCnfLoad
+CODESTARTbeginCnfLoad
+ loadModConf = pModConf;
+ loadModConf->pConf = pConf;
+ loadModConf->metadataOnly = 0;
+ loadModConf->snap_length = 65535;
+ loadModConf->metadataContainer = NULL;
+ loadModConf->dataContainer = NULL;
+ENDbeginCnfLoad
+
+BEGINendCnfLoad
+CODESTARTendCnfLoad
+ENDendCnfLoad
+
+
+/* function to generate error message if framework does not find requested ruleset */
+static inline void
+std_checkRuleset_genErrMsg(__attribute__((unused)) modConfData_t *modConf, instanceConf_t *inst) {
+ LogError(0, NO_ERRCODE, "impcap: ruleset '%s' for interface %s not found - "
+ "using default ruleset instead", inst->pszBindRuleset,
+ inst->interface);
+}
+
+BEGINcheckCnf
+ instanceConf_t *inst;
+CODESTARTcheckCnf
+ if (pModConf->root == NULL) {
+ LogError(0, RS_RET_NO_LISTNERS , "impcap: module loaded, but "
+ "no interface defined - no input will be gathered");
+ iRet = RS_RET_NO_LISTNERS;
+ }
+
+ if (pModConf->metadataOnly) { /* if metadata_only is "on", snap_length is overwritten */
+ pModConf->snap_length = 100; /* arbitrary value, but should be enough for most protocols */
+ }
+
+ if (!pModConf->metadataContainer || !pModConf->dataContainer) {
+ LogError(0, RS_RET_LOAD_ERROR, "impcap: no name defined for metadata_container and "
+ "data_container, this shouldn't happen");
+ }
+ else {
+ DBGPRINTF("impcap: metadata will be stored in '%s', and data in '%s'\n",
+ pModConf->metadataContainer, pModConf->dataContainer);
+ }
+
+ for (inst = pModConf->root ; inst != NULL ; inst = inst->next) {
+ std_checkRuleset(pModConf, inst);
+ if (inst->interface ==NULL &&inst->filePath == NULL) {
+ iRet = RS_RET_INVALID_PARAMS;
+ LogError(0, RS_RET_LOAD_ERROR, "impcap: 'interface' or 'file' must be specified");
+ break;
+ }
+ if (inst->interface !=NULL &&inst->filePath != NULL) {
+ iRet = RS_RET_INVALID_PARAMS;
+ LogError(0, RS_RET_LOAD_ERROR, "impcap: either 'interface' or 'file' must be specified");
+ break;
+ }
+ }
+
+ENDcheckCnf
+
+BEGINactivateCnfPrePrivDrop
+CODESTARTactivateCnfPrePrivDrop
+ runModConf = pModConf;
+ENDactivateCnfPrePrivDrop
+
+BEGINactivateCnf
+ instanceConf_t *inst;
+ pcap_t *dev = NULL;
+ struct bpf_program filter_program;
+ bpf_u_int32 SubNet, NetMask;
+ char errBuf[PCAP_ERRBUF_SIZE];
+ uint8_t retCode = 0;
+CODESTARTactivateCnf
+ for (inst = pModConf->root ; inst != NULL ; inst = inst->next) {
+ if (inst->filePath != NULL) {
+ dev = pcap_open_offline((const char *)inst->filePath, errBuf);
+ if (dev == NULL) {
+ LogError(0, RS_RET_LOAD_ERROR, "pcap: error while opening capture file: '%s'", errBuf);
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ }
+ }
+ else if (inst->interface != NULL) {
+ dev = pcap_create((const char *)inst->interface, errBuf);
+ if (dev == NULL) {
+ LogError(0, RS_RET_LOAD_ERROR, "pcap: error while creating packet capture: '%s'",
+ errBuf);
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ }
+
+ DBGPRINTF("setting snap_length %d\n", pModConf->snap_length);
+ if (pcap_set_snaplen(dev, pModConf->snap_length)) {
+ LogError(0, RS_RET_LOAD_ERROR, "pcap: error while setting snap length: '%s'",
+ pcap_geterr(dev));
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ }
+
+ DBGPRINTF("setting promiscuous %d\n", inst->promiscuous);
+ if (pcap_set_promisc(dev, inst->promiscuous)) {
+ LogError(0, RS_RET_LOAD_ERROR, "pcap: error while setting promiscuous mode: '%s'",
+ pcap_geterr(dev));
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ }
+
+ if (inst->immediateMode) {
+ DBGPRINTF("setting immediate mode %d\n", inst->immediateMode);
+ retCode = pcap_set_immediate_mode(dev, inst->immediateMode);
+ if (retCode) {
+ LogError(0, RS_RET_LOAD_ERROR, "pcap: error while setting immediate mode: '%s',"
+ " using buffer instead\n",pcap_geterr(dev));
+ }
+ }
+
+ if (!inst->immediateMode || retCode){
+ DBGPRINTF("setting buffer size %u \n", inst->bufSize);
+ if (pcap_set_buffer_size(dev, inst->bufSize)) {
+ LogError(0, RS_RET_LOAD_ERROR, "pcap: error while setting buffer size: '%s'",
+ pcap_geterr(dev));
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ }
+ DBGPRINTF("setting buffer timeout %dms\n", inst->bufTimeout);
+ if (pcap_set_timeout(dev, inst->bufTimeout)) {
+ LogError(0, RS_RET_LOAD_ERROR, "pcap: error while setting buffer timeout: '%s'",
+ pcap_geterr(dev));
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ }
+ }
+
+ switch (pcap_activate(dev)) {
+ case PCAP_WARNING_PROMISC_NOTSUP:
+ LogError(0, NO_ERRCODE, "interface doesn't support promiscuous mode");
+ break;
+ case PCAP_WARNING_TSTAMP_TYPE_NOTSUP:
+ LogError(0, NO_ERRCODE, "timestamp type is not supported");
+ break;
+ case PCAP_WARNING:
+ LogError(0, NO_ERRCODE, "pcap: %s", pcap_geterr(dev));
+ break;
+ case PCAP_ERROR_ACTIVATED:
+ LogError(0, RS_RET_LOAD_ERROR, "already activated, shouldn't happen");
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ case PCAP_ERROR_NO_SUCH_DEVICE:
+ LogError(0, RS_RET_LOAD_ERROR, "device doesn't exist");
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ case PCAP_ERROR_PERM_DENIED:
+ LogError(0, RS_RET_LOAD_ERROR, "elevated privilege needed to open capture "
+ "interface");
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ case PCAP_ERROR_PROMISC_PERM_DENIED:
+ LogError(0, RS_RET_LOAD_ERROR, "elevated privilege needed to put interface "
+ "in promiscuous mode");
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ case PCAP_ERROR_RFMON_NOTSUP:
+ LogError(0, RS_RET_LOAD_ERROR, "interface doesn't support monitor mode");
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ case PCAP_ERROR_IFACE_NOT_UP:
+ LogError(0, RS_RET_LOAD_ERROR, "interface is not up");
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ case PCAP_ERROR:
+ LogError(0, RS_RET_LOAD_ERROR, "pcap: %s", pcap_geterr(dev));
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ }
+
+ if (inst->filter != NULL) {
+ DBGPRINTF("getting netmask on %s\n", inst->interface);
+ //obtain the subnet
+ if (pcap_lookupnet(inst->interface, &SubNet, &NetMask, errBuf)){
+ DBGPRINTF("could not get netmask\n");
+ NetMask = PCAP_NETMASK_UNKNOWN;
+ }
+ DBGPRINTF("setting filter to '%s'\n", inst->filter);
+ /* Compile the filter */
+ if (pcap_compile(dev, &filter_program, (const char *)inst->filter, 1, NetMask)) {
+ LogError(0, RS_RET_LOAD_ERROR, "pcap: error while compiling filter: '%s'",
+ pcap_geterr(dev));
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ }
+ else if (pcap_setfilter(dev, &filter_program)) {
+ LogError(0, RS_RET_LOAD_ERROR, "pcap: error while setting filter: '%s'",
+ pcap_geterr(dev));
+ pcap_freecode(& filter_program);
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ }
+ pcap_freecode(&filter_program);
+ }
+
+ if (pcap_set_datalink(dev, DLT_EN10MB)) {
+ LogError(0, RS_RET_LOAD_ERROR, "pcap: error while setting datalink type: '%s'",
+ pcap_geterr(dev));
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ }
+ } /* inst->interface != NULL */
+ else {
+ LogError(0, RS_RET_LOAD_ERROR, "impcap: no capture method specified, "
+ "please specify either 'interface' or 'file' in config");
+ ABORT_FINALIZE(RS_RET_LOAD_ERROR);
+ }
+
+ inst->device = dev;
+ }
+
+finalize_it:
+ if(iRet != 0) {
+ if(dev) pcap_close(dev);
+ }
+ENDactivateCnf
+
+BEGINfreeCnf
+ instanceConf_t *inst, *del;
+CODESTARTfreeCnf
+ DBGPRINTF("impcap: freeing confs...\n");
+ for (inst = pModConf->root ; inst != NULL ; ) {
+ del = inst;
+ inst = inst->next;
+ free(del->filePath);
+ free(del->filter);
+ free(del->pszBindRuleset);
+ free(del->interface);
+ free(del->tag);
+ free(del);
+ }
+ free(pModConf->metadataContainer);
+ free(pModConf->dataContainer);
+ DBGPRINTF("impcap: finished freeing confs\n");
+ENDfreeCnf
+
+/* runtime functions */
+
+/*
+ * Converts a list of bytes to their hexadecimal representation in ASCII
+ *
+ * Gets the list of bytes and the length as parameters
+ *
+ * Returns a pointer on the new list, being a string of ASCII characters
+ * representing hexadecimal values, in the form "A5B34C65..."
+ * its size is twice length parameter + 1
+*/
+char *stringToHex(char *string, size_t length) {
+ const char *hexChar = "0123456789ABCDEF";
+ char *retBuf;
+ uint16_t i;
+
+ retBuf = malloc((2 * length + 1) * sizeof(char));
+ for (i = 0; i < length; ++i) {
+ retBuf[2 * i] = hexChar[(string[i] & 0xF0) >> 4];
+ retBuf[2 * i + 1] = hexChar[string[i] & 0x0F];
+ }
+ retBuf[2 * length] = '\0';
+
+ return retBuf;
+}
+
+/*
+ * This method parses every packet received by libpcap, and is called by it
+ * It creates the message for Rsyslog, calls the parsers and add all necessary information
+ * in the message
+*/
+void packet_parse(uchar *arg, const struct pcap_pkthdr *pkthdr, const uchar *packet) {
+ DBGPRINTF("impcap : entered packet_parse\n");
+ smsg_t *pMsg;
+
+ /* Prevent cast error from char to int with arg */
+ union {
+ uchar *buf;
+ int *id;
+ } aux;
+
+ aux.buf = arg;
+ int *id = aux.id;
+ msgConstruct(&pMsg);
+
+ MsgSetInputName(pMsg, pInputName);
+ //search inst in loadmodconf,and check if there is tag. if so set tag in msg.
+ pthread_t ctid = pthread_self();
+ instanceConf_t * inst;
+ for (inst = runModConf->root; inst != NULL; inst = inst->next) {
+ if (pthread_equal(ctid, inst->tid)) {
+ if (inst->pBindRuleset != NULL) {
+ MsgSetRuleset(pMsg, inst->pBindRuleset);
+ }
+ if (inst->tag != NULL) {
+ MsgSetTAG(pMsg, inst->tag, strlen((const char *)inst->tag));
+ }
+ }
+ }
+
+
+ struct json_object *jown = json_object_new_object();
+ json_object_object_add(jown, "ID", json_object_new_int(++(*id)));
+
+ struct syslogTime sysTimePkt;
+ char timeStr[30];
+ struct timeval tv = pkthdr->ts;
+ datetime.timeval2syslogTime(&tv, &sysTimePkt, 1/*inUTC*/);
+ if (datetime.formatTimestamp3339(&sysTimePkt, timeStr)) {
+ json_object_object_add(jown, "timestamp", json_object_new_string(timeStr));
+ }
+
+ json_object_object_add(jown, "net_bytes_total", json_object_new_int(pkthdr->len));
+
+ data_ret_t * dataLeft = eth_parse(packet, pkthdr->caplen, jown);
+
+ json_object_object_add(jown, "net_bytes_data", json_object_new_int(dataLeft->size));
+ char *dataHex = stringToHex(dataLeft->pData, dataLeft->size);
+ if (dataHex != NULL) {
+ struct json_object *jadd = json_object_new_object();
+ json_object_object_add(jadd, "length", json_object_new_int(strlen(dataHex)));
+ json_object_object_add(jadd, "content", json_object_new_string(dataHex));
+ msgAddJSON(pMsg, (uchar *)runModConf->dataContainer, jadd, 0, 0);
+ free(dataHex);
+ }
+ free(dataLeft);
+
+ msgAddJSON(pMsg, (uchar *)runModConf->metadataContainer, jown, 0, 0);
+ submitMsg2(pMsg);
+}
+
+/* This is used to terminate the plugin.
+ */
+static void
+doSIGTTIN(int __attribute__((unused)) sig)
+{
+ pthread_t tid = pthread_self();
+ const int bTerminate = ATOMIC_FETCH_32BIT(&bTerminateInputs, &mutTerminateInputs);
+ DBGPRINTF("impcap: awoken via SIGTTIN; bTerminateInputs: %d\n", bTerminate);
+ if(bTerminate) {
+ for(instanceConf_t *inst = runModConf->root; inst != NULL; inst = inst->next) {
+ if(pthread_equal(tid, inst->tid)) {
+ pcap_breakloop(inst->device);
+ DBGPRINTF("impcap: thread %lx, termination requested via SIGTTIN - telling libpcap\n",
+ (long unsigned int)tid);
+ }
+ }
+ }
+}
+
+/*
+ * This is the main function for each thread
+ * taking care of a specified network interface
+*/
+static ATTR_NORETURN void *startCaptureThread(void *instanceConf) {
+ int id = 0;
+ pthread_t tid = pthread_self();
+
+ /* we want to support non-cancel input termination. To do so, we must signal libpcap
+ * when to stop. As we run on the same thread, we need to register as SIGTTIN handler,
+ * which will be used to put the terminating condition into libpcap.
+ */
+ DBGPRINTF("impcap: setting catch for SIGTTIN, thread %lx\n",
+ (long unsigned int)tid);
+ sigset_t sigSet;
+ struct sigaction sigAct;
+ sigfillset(&sigSet);
+ pthread_sigmask(SIG_BLOCK, &sigSet, NULL);
+ sigemptyset(&sigSet);
+ sigaddset(&sigSet, SIGTTIN);
+ pthread_sigmask(SIG_UNBLOCK, &sigSet, NULL);
+ memset(&sigAct, 0, sizeof (sigAct));
+ sigemptyset(&sigAct.sa_mask);
+ sigAct.sa_handler = doSIGTTIN;
+ sigaction(SIGTTIN, &sigAct, NULL);
+
+ instanceConf_t * inst = (instanceConf_t * )instanceConf;
+ DBGPRINTF("impcap: thread %lx, begin capture!\n",
+ (long unsigned int)tid);
+ while (glbl.GetGlobalInputTermState() == 0) {
+ pcap_dispatch(inst->device, inst->pktBatchCnt, packet_parse, (uchar * ) & id);
+ }
+ DBGPRINTF("impcap: thread %lx, capture finished\n",
+ (long unsigned int)tid);
+ pthread_exit(0);
+}
+
+BEGINrunInput
+ instanceConf_t *inst;
+ int ret = 0;
+CODESTARTrunInput
+ for (inst = runModConf->root ; inst != NULL ; inst = inst->next) {
+ /* creates a thread and starts capturing on the interface */
+ ret = pthread_create(&inst->tid, NULL, startCaptureThread, inst);
+ if (ret) {
+ LogError(0, RS_RET_NO_RUN, "impcap: error while creating threads\n");
+ }
+ }
+
+ DBGPRINTF("impcap: starting to wait for close condition\n");
+ // TODO: Use thread for capture instead of just waiting
+ while(glbl.GetGlobalInputTermState() == 0) {
+ if(glbl.GetGlobalInputTermState() == 0)
+ srSleep(0, 400000);
+ }
+
+ DBGPRINTF("impcap: received close signal, signaling instance threads...\n");
+ for (inst = runModConf->root; inst != NULL; inst = inst->next) {
+ pthread_kill(inst->tid, SIGTTIN);
+ }
+
+ DBGPRINTF("impcap: threads signaled, waiting for join...");
+ for (inst = runModConf->root ; inst != NULL ; inst = inst->next) {
+ pthread_join(inst->tid, NULL);
+ pcap_close(inst->device);
+ }
+
+ DBGPRINTF("impcap: finished threads, stopping\n");
+ENDrunInput
+
+BEGINwillRun
+CODESTARTwillRun
+/* we need to create the inputName property (only once during our lifetime) */
+ CHKiRet(prop.Construct(&pInputName));
+ CHKiRet(prop.SetString(pInputName, UCHAR_CONSTANT("impcap"), sizeof("impcap") - 1));
+ CHKiRet(prop.ConstructFinalize(pInputName));
+finalize_it:
+ENDwillRun
+
+BEGINafterRun
+CODESTARTafterRun
+ if (pInputName != NULL) {
+ prop.Destruct(&pInputName);
+ }
+ENDafterRun
+
+BEGINmodExit
+CODESTARTmodExit
+ DBGPRINTF("impcap:: modExit\n");
+ objRelease(glbl, CORE_COMPONENT);
+ objRelease(prop, CORE_COMPONENT);
+ objRelease(ruleset, CORE_COMPONENT);
+ objRelease(datetime, CORE_COMPONENT);
+ENDmodExit
+
+/* declaration of functions */
+
+BEGINisCompatibleWithFeature
+CODESTARTisCompatibleWithFeature
+ if(eFeat == sFEATURENonCancelInputTermination)
+ iRet = RS_RET_OK;
+ENDisCompatibleWithFeature
+
+BEGINqueryEtryPt
+CODESTARTqueryEtryPt
+ CODEqueryEtryPt_STD_IMOD_QUERIES
+ CODEqueryEtryPt_STD_CONF2_QUERIES
+ CODEqueryEtryPt_STD_CONF2_setModCnf_QUERIES
+ CODEqueryEtryPt_STD_CONF2_IMOD_QUERIES
+ CODEqueryEtryPt_STD_CONF2_PREPRIVDROP_QUERIES /* might need it */
+ CODEqueryEtryPt_IsCompatibleWithFeature_IF_OMOD_QUERIES
+ENDqueryEtryPt
+
+BEGINmodInit()
+CODESTARTmodInit
+ *ipIFVersProvided = CURR_MOD_IF_VERSION;
+ CHKiRet(objUse(glbl, CORE_COMPONENT));
+ CHKiRet(objUse(ruleset, CORE_COMPONENT));
+ CHKiRet(objUse(prop, CORE_COMPONENT));
+ CHKiRet(objUse(datetime, CORE_COMPONENT));
+ENDmodInit
diff --git a/contrib/impcap/ipv4_parser.c b/contrib/impcap/ipv4_parser.c
new file mode 100644
index 0000000..2693c60
--- /dev/null
+++ b/contrib/impcap/ipv4_parser.c
@@ -0,0 +1,101 @@
+/* ipv4_parser.c
+ *
+ * This file contains functions to parse IP headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+struct ipv4_header_s {
+/*#if __BYTE_ORDER == __BIG_ENDIAN
+ unsigned char version:4;
+ unsigned char ihl:4;
+#else*/
+ unsigned char ihl:4;
+ unsigned char version:4;
+//#endif
+ uint8_t service;
+ uint16_t totLen;
+ uint16_t id;
+ uint16_t frag;
+ uint8_t ttl;
+ uint8_t proto;
+ uint16_t hdrChksum;
+ uint8_t addrSrc[4];
+ uint8_t addrDst[4];
+ uint8_t pOptions[];
+};
+
+typedef struct ipv4_header_s ipv4_header_t;
+
+/*
+ * This function parses the bytes in the received packet to extract IP metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the IP header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where IP metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *ipv4_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("ipv4_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ if (pktSize < 20) { /* too small for IPv4 header + data (header might be longer)*/
+ DBGPRINTF("IPv4 packet too small : %d\n", pktSize);
+ RETURN_DATA_AFTER(0)
+ }
+
+ /* Union to prevent cast from uchar to ipv4_header_t */
+ union {
+ const uchar *pck;
+ ipv4_header_t *hdr;
+ } ipv4_header_to_char;
+
+ ipv4_header_to_char.pck = packet;
+ ipv4_header_t *ipv4_header = ipv4_header_to_char.hdr;
+
+ char addrSrc[20], addrDst[20];
+ uint8_t hdrLen = 4 * ipv4_header->ihl; /* 4 x length in words */
+
+ inet_ntop(AF_INET, (void *)&ipv4_header->addrSrc, addrSrc, 20);
+ inet_ntop(AF_INET, (void *)&ipv4_header->addrDst, addrDst, 20);
+
+ json_object_object_add(jparent, "net_dst_ip", json_object_new_string((char *)addrDst));
+ json_object_object_add(jparent, "net_src_ip", json_object_new_string((char *)addrSrc));
+ json_object_object_add(jparent, "IP_ihl", json_object_new_int(ipv4_header->ihl));
+ json_object_object_add(jparent, "net_ttl", json_object_new_int(ipv4_header->ttl));
+ json_object_object_add(jparent, "IP_proto", json_object_new_int(ipv4_header->proto));
+
+
+ return ip_proto_parse(ipv4_header->proto, (packet + hdrLen), (pktSize - hdrLen), jparent);
+}
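Review bot: `hdrLen = 4 * ipv4_header->ihl` is never compared with `pktSize`, so an IHL above the captured length (or below 5, the minimum for a valid header) sends `packet + hdrLen` past the buffer and a negative `pktSize - hdrLen` into ip_proto_parse; the `pktSize < 20` guard only covers the fixed part of the header. A check right after computing `hdrLen` closes this: `if (ipv4_header->ihl < 5 || hdrLen > pktSize) { DBGPRINTF("IPv4 bad ihl %d for size %d\n", ipv4_header->ihl, pktSize); RETURN_DATA_AFTER(0) }`, and the version nibble could be tested against 4 in the same place. The commented-out `__BYTE_ORDER` block above the bit-fields suggests the ihl/version order is only right on little-endian hosts; a comment stating that assumption, or restoring the conditional, would help the next reader.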
diff --git a/contrib/impcap/ipv6_parser.c b/contrib/impcap/ipv6_parser.c
new file mode 100644
index 0000000..25c6b4c
--- /dev/null
+++ b/contrib/impcap/ipv6_parser.c
@@ -0,0 +1,305 @@
+/* ipv6_parser.c
+ *
+ * This file contains functions to parse IPv6 headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wpacked"
+#pragma GCC diagnostic ignored "-Wattributes"
+typedef struct __attribute__ ((__packed__)) ipv6_header_s {
+#ifndef IPV6_VERSION_MASK
+#define IPV6_VERSION_MASK 0xF0000000
+#endif
+#ifndef IPV6_TC_MASK
+#define IPV6_TC_MASK 0x0FF00000
+#endif
+#ifndef IPV6_FLOW_MASK
+#define IPV6_FLOW_MASK 0x000FFFFF
+#endif
+ uint32_t vtf;
+ uint16_t dataLength;
+ uint8_t nextHeader;
+#define IPV6_NHDR_HBH 0
+#define IPV6_NHDR_TCP 6
+#define IPV6_NHDR_UDP 17
+#define IPV6_NHDR_ENCIP6 41
+#define IPV6_NHDR_ROUT 43
+#define IPV6_NHDR_FRAG 44
+#define IPV6_NHDR_RRSV 46
+#define IPV6_NHDR_SEC 50
+#define IPV6_NHDR_AUTH 51
+#define IPV6_NHDR_ICMP6 58
+#define IPV6_NHDR_NONHDR 59
+#define IPV6_NHDR_DOPTS 60
+
+ uint8_t hopLimit;
+ uint8_t addrSrc[16];
+ uint8_t addrDst[16];
+} ipv6_header_t;
+#pragma GCC diagnostic pop
+
+#ifndef IPV6_VERSION
+#define IPV6_VERSION(h) (ntohl(h->vtf) & IPV6_VERSION_MASK)>>28
+#endif
+#ifndef IPV6_TC
+#define IPV6_TC(h) (ntohl(h->vtf) & IPV6_TC_MASK)>>20
+#endif
+#ifndef IPV6_FLOW
+#define IPV6_FLOW(h) (ntohl(h->vtf) & IPV6_FLOW_MASK)
+#endif
+
+/* extension headers */
+typedef struct hbh_header_s {
+ uint8_t nextHeader;
+ uint8_t hLength;
+ uint8_t *pOptions;
+} hbh_header_t;
+
+typedef struct dest_header_s {
+ uint8_t nextHeader;
+ uint8_t hLength;
+ uint8_t *pOptions;
+} dest_header_t;
+
+typedef struct route_header_s {
+ uint8_t nextHeader;
+ uint8_t hLength;
+ uint8_t rType;
+ uint8_t segsLeft;
+ uint32_t reserved;
+ uint8_t addrs[16];
+} route_header_t;
+
+typedef struct frag_header_s {
+ uint8_t nextHeader;
+ uint8_t reserved;
+ uint16_t offsetFlags;
+ uint32_t id;
+} frag_header_t;
+
+static inline uint8_t hbh_header_parse(const uchar **packet, int *pktSize) {
+ DBGPRINTF("hbh_header_parse\n");
+
+ /* Union to prevent cast from uchar to hbh_header_t */
+ union {
+ const uchar *pck;
+ hbh_header_t *hdr;
+ } hbh_header_to_char;
+
+ hbh_header_to_char.pck = *packet;
+ hbh_header_t *hbh_header = hbh_header_to_char.hdr;
+
+ /* hbh_header->hLength is the number of octets of header in 8-octet units minus 1
+ * the header length SHOULD be a multiple of 8 */
+ uint8_t hByteLength = hbh_header->hLength * 8 + 8;
+ DBGPRINTF("hByteLength: %d\n", hByteLength);
+ *pktSize -= hByteLength;
+ *packet += hByteLength;
+
+ return hbh_header->nextHeader;
+}
+
+static inline uint8_t dest_header_parse(const uchar **packet, int *pktSize) {
+ DBGPRINTF("dest_header_parse\n");
+
+ /* Union to prevent cast from uchar to dest_header_t */
+ union {
+ const uchar *pck;
+ dest_header_t *hdr;
+ } dest_header_to_char;
+
+ dest_header_to_char.pck = *packet;
+ dest_header_t *dest_header = dest_header_to_char.hdr;
+
+ /* dest_header->hLength is the number of octets of header in 8-octet units minus 1
+ * the header length SHOULD be a multiple of 8 */
+ uint8_t hByteLength = dest_header->hLength * 8 + 8;
+ DBGPRINTF("hByteLength: %d\n", hByteLength);
+ *pktSize -= hByteLength;
+ *packet += hByteLength;
+
+ return dest_header->nextHeader;
+}
+
+static inline uint8_t route_header_parse(const uchar **packet, int *pktSize, struct json_object *jparent) {
+ DBGPRINTF("route_header_parse\n");
+
+ /* Union to prevent cast from uchar to route_header_t */
+ union {
+ const uchar *pck;
+ route_header_t *hdr;
+ } route_header_to_char;
+
+ route_header_to_char.pck = *packet;
+ route_header_t *route_header = route_header_to_char.hdr;
+
+ /* route_header->hLength is the number of octets of header in 8-octet units minus 1
+ * the header length (in bytes) SHOULD be a multiple of 8 */
+ uint8_t hByteLength = route_header->hLength * 8 + 8;
+ *pktSize -= hByteLength;
+ *packet += hByteLength;
+
+ if (route_header->rType == 0) {
+ json_object_object_add(jparent, "IP6_route_seg_left", json_object_new_int(route_header->segsLeft));
+
+ hByteLength -= 8; //leave only length of routing addresses
+
+ char addrStr[40], routeFieldName[20];
+ int addrNum = 1;
+ uint8_t *addr = &(route_header->addrs[0]);
+
+ //while there is enough space for an IPv6 address
+ while (hByteLength >= 16) {
+ inet_ntop(AF_INET6, (void *)addr, addrStr, 40);
+ snprintf(routeFieldName, 20, "IP6_route_%d", addrNum++);
+ json_object_object_add(jparent, routeFieldName, json_object_new_string((char *)addrStr));
+
+ addr += 16;
+ hByteLength -= 16;
+ }
+ }
+
+ return route_header->nextHeader;
+}
+
+#define FRAG_OFFSET_MASK 0xFFF8
+#define MFLAG_MASK 0x0001
+static inline uint8_t frag_header_parse(const uchar **packet, int *pktSize, struct json_object *jparent) {
+ DBGPRINTF("frag_header_parse\n");
+
+ /* Union to prevent cast from uchar to frag_header_t */
+ union {
+ const uchar *pck;
+ frag_header_t *hdr;
+ } frag_header_to_char;
+
+ frag_header_to_char.pck = *packet;
+ frag_header_t *frag_header = frag_header_to_char.hdr;
+
+ uint16_t flags = ntohs(frag_header->offsetFlags);
+
+ json_object_object_add(jparent, "IP6_frag_offset", json_object_new_int((flags & FRAG_OFFSET_MASK) >> 3));
+ json_object_object_add(jparent, "IP6_frag_more", json_object_new_boolean(flags & MFLAG_MASK));
+ json_object_object_add(jparent, "IP6_frag_id", json_object_new_int64(frag_header->id));
+
+ *pktSize -= 8;
+ *packet += 8;
+
+ return frag_header->nextHeader;
+}
+
+/*
+ * This function parses the bytes in the received packet to extract IPv6 metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the IPv6 header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where IPv6 metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *ipv6_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("ipv6_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ if (pktSize < 40) { /* too small for IPv6 header + data (header might be longer)*/
+ DBGPRINTF("IPv6 packet too small : %d\n", pktSize);
+ RETURN_DATA_AFTER(0)
+ }
+
+ ipv6_header_t *ipv6_header = (ipv6_header_t *)packet;
+
+ char addrSrc[40], addrDst[40];
+
+ inet_ntop(AF_INET6, (void *)&ipv6_header->addrSrc, addrSrc, 40);
+ inet_ntop(AF_INET6, (void *)&ipv6_header->addrDst, addrDst, 40);
+
+ json_object_object_add(jparent, "net_dst_ip", json_object_new_string((char *)addrDst));
+ json_object_object_add(jparent, "net_src_ip", json_object_new_string((char *)addrSrc));
+ json_object_object_add(jparent, "net_ttl", json_object_new_int(ipv6_header->hopLimit));
+
+ uint8_t nextHeader = ipv6_header->nextHeader;
+
+ packet += sizeof(ipv6_header_t);
+ pktSize -= sizeof(ipv6_header_t);
+
+ DBGPRINTF("beginning ext headers scan\n");
+ uint8_t hasNext = 1;
+ do {
+ switch (nextHeader) {
+ case IPV6_NHDR_HBH:
+ nextHeader = hbh_header_parse(&packet, &pktSize);
+ break;
+ case IPV6_NHDR_TCP:
+ json_object_object_add(jparent, "IP_proto", json_object_new_int(nextHeader));
+ return tcp_parse(packet, pktSize, jparent);
+ case IPV6_NHDR_UDP:
+ json_object_object_add(jparent, "IP_proto", json_object_new_int(nextHeader));
+ return udp_parse(packet, pktSize, jparent);
+ case IPV6_NHDR_ENCIP6:
+ hasNext = 0;
+ break;
+ case IPV6_NHDR_ROUT:
+ nextHeader = route_header_parse(&packet, &pktSize, jparent);
+ break;
+ case IPV6_NHDR_FRAG:
+ nextHeader = frag_header_parse(&packet, &pktSize, jparent);
+ break;
+ case IPV6_NHDR_RRSV:
+ hasNext = 0;
+ break;
+ case IPV6_NHDR_SEC:
+ hasNext = 0;
+ break;
+ case IPV6_NHDR_AUTH:
+ hasNext = 0;
+ break;
+ case IPV6_NHDR_ICMP6:
+ json_object_object_add(jparent, "IP_proto", json_object_new_int(nextHeader));
+ return icmp_parse(packet, pktSize, jparent);
+ case IPV6_NHDR_NONHDR:
+ hasNext = 0;
+ break;
+ case IPV6_NHDR_DOPTS:
+ nextHeader = dest_header_parse(&packet, &pktSize);
+ break;
+ default:
+ hasNext = 0;
+ break;
+ }
+ } while (hasNext);
+
+ json_object_object_add(jparent, "IP_proto", json_object_new_int(nextHeader));
+ RETURN_DATA_AFTER(0)
+}
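Review bot: The extension-header helpers (hbh_header_parse, dest_header_parse, route_header_parse, frag_header_parse) read `nextHeader`/`hLength` and then advance `*packet` by `hLength * 8 + 8` without checking that `*pktSize` still holds those bytes, so the `do/while` in ipv6_parse can walk past the captured data and hand a negative `pktSize` to tcp_parse/udp_parse/icmp_parse. `uint8_t hByteLength = hLength * 8 + 8` also wraps for `hLength >= 31` (the true value is up to 2048), and a wrapped value of 0 with a next-header of 0 (IPV6_NHDR_HBH) leaves the loop with no progress; route_header_parse additionally reads `addrs` up to `hByteLength - 8` bytes with the same unchecked length. The rewrite below shows the pattern for hbh_header_parse; the other three helpers need the same two checks, with route_header_parse bounding its address walk by the checked length. Separately, `frag_header->id` is emitted without `ntohl` while `offsetFlags` goes through `ntohs` — presumably an oversight, worth confirming.
```c
static inline uint8_t hbh_header_parse(const uchar **packet, int *pktSize) {
	DBGPRINTF("hbh_header_parse\n");

	/* nextHeader and hLength are read before anything else: need both bytes */
	if (*pktSize < 2) {
		*pktSize = 0;
		return IPV6_NHDR_NONHDR;
	}
	/* … unchanged: union cast to hbh_header_t … */

	/* int, not uint8_t: hLength * 8 + 8 reaches 2048 and would wrap */
	int hByteLength = (int)hbh_header->hLength * 8 + 8;
	if (hByteLength > *pktSize) {
		DBGPRINTF("hbh header length %d exceeds remaining %d\n", hByteLength, *pktSize);
		*pktSize = 0;
		return IPV6_NHDR_NONHDR;
	}
	*pktSize -= hByteLength;
	*packet += hByteLength;

	return hbh_header->nextHeader;
}
```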
diff --git a/contrib/impcap/ipx_parser.c b/contrib/impcap/ipx_parser.c
new file mode 100644
index 0000000..acd43bc
--- /dev/null
+++ b/contrib/impcap/ipx_parser.c
@@ -0,0 +1,97 @@
+/* ipx_parser.c
+ *
+ * This file contains functions to parse IPX (Novell) headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wpacked"
+#pragma GCC diagnostic ignored "-Wattributes"
+struct __attribute__ ((__packed__)) ipx_header_s {
+ uint16_t chksum;
+ uint16_t pktLen;
+ uint8_t transCtrl;
+ uint8_t type;
+ uint32_t dstNet;
+ uint8_t dstNode[6];
+ uint16_t dstSocket;
+ uint32_t srcNet;
+ uint8_t srcNode[6];
+ uint16_t srcSocket;
+};
+#pragma GCC diagnostic pop
+
+typedef struct ipx_header_s ipx_header_t;
+
+/*
+ * This function parses the bytes in the received packet to extract IPX metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the IPX header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where IPX metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *ipx_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+
+ DBGPRINTF("entered ipx_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ if (pktSize < 30) { /* too short for IPX header */
+ DBGPRINTF("IPX packet too small : %d\n", pktSize);
+ RETURN_DATA_AFTER(0)
+ }
+
+ char ipxSrcNode[20], ipxDstNode[20];
+ ipx_header_t *ipx_header = (ipx_header_t *)packet;
+
+ snprintf(ipxDstNode, sizeof(ipxDstNode), "%02x:%02x:%02x:%02x:%02x:%02x", ipx_header->dstNode[0],
+ ipx_header->dstNode[1], ipx_header->dstNode[2], ipx_header->dstNode[3], ipx_header->dstNode[4],
+ ipx_header->dstNode[5]);
+
+ snprintf(ipxSrcNode, sizeof(ipxSrcNode), "%02x:%02x:%02x:%02x:%02x:%02x", ipx_header->srcNode[0],
+ ipx_header->srcNode[1], ipx_header->srcNode[2], ipx_header->srcNode[3], ipx_header->srcNode[4],
+ ipx_header->srcNode[5]);
+
+ json_object_object_add(jparent, "IPX_transCtrl", json_object_new_int(ipx_header->transCtrl));
+ json_object_object_add(jparent, "IPX_type", json_object_new_int(ipx_header->type));
+ json_object_object_add(jparent, "IPX_dest_net", json_object_new_int(ntohl(ipx_header->dstNet)));
+ json_object_object_add(jparent, "IPX_src_net", json_object_new_int(ntohl(ipx_header->srcNet)));
+ json_object_object_add(jparent, "IPX_dest_node", json_object_new_string(ipxDstNode));
+ json_object_object_add(jparent, "IPX_src_node", json_object_new_string(ipxSrcNode));
+ json_object_object_add(jparent, "IPX_dest_socket", json_object_new_int(ntohs(ipx_header->dstSocket)));
+ json_object_object_add(jparent, "IPX_src_socket", json_object_new_int(ntohs(ipx_header->srcSocket)));
+
+ RETURN_DATA_AFTER(30)
+}
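Review bot: `IPX_dest_net` and `IPX_src_net` pass the 32-bit unsigned network number from `ntohl()` to `json_object_new_int`, which takes a signed 32-bit value, so any network number with the top bit set is logged as a negative number; `json_object_new_int64((int64_t)ntohl(ipx_header->dstNet))` (and the same for `srcNet`) keeps the value intact, as frag_header_parse already does for the IPv6 fragment id. `ipx_header_t *ipx_header = (ipx_header_t *)packet;` also casts away `const` where ipv4_parse goes through a union for the same purpose; one idiom across the parsers would make the aliasing intent clearer. The `pktSize < 30` guard matches the fixed 30-byte header read here and the `RETURN_DATA_AFTER(30)` at the end.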
diff --git a/contrib/impcap/llc_parser.c b/contrib/impcap/llc_parser.c
new file mode 100644
index 0000000..fca4568
--- /dev/null
+++ b/contrib/impcap/llc_parser.c
@@ -0,0 +1,109 @@
+/* llc_parser.c
+ *
+ * This file contains functions to parse llc headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+/*
+ * This function parses the bytes in the received packet to extract LLC metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the LLC header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where LLC metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *llc_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("entered llc_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ if (pktSize < 3) { /* too short for llc header */
+ DBGPRINTF("LLC packet too small : %d\n", pktSize);
+ RETURN_DATA_AFTER(0)
+ }
+
+ uint8_t dsapField, dsap, ssapField, ssap;
+ uint16_t ctrl;
+ uint8_t headerLen;
+
+ dsapField = (uint8_t)packet[0];
+ ssapField = (uint8_t)packet[1];
+ DBGPRINTF("dsapField : %02X\n", dsapField);
+ DBGPRINTF("ssapField : %02X\n", ssapField);
+
+ if (dsapField == 0xff && ssapField == 0xff) {
+ /* this is an IPX packet, without LLC */
+ return ipx_parse(packet, pktSize, jparent);
+ }
+
+ if ((packet[2] & 0x03) == 3) {
+ /* U frame: LLC control is 8 bits */
+ ctrl = (uint8_t)packet[2];
+ headerLen = 3;
+ } else {
+ /* I and S data frames: LLC control is 16 bits */
+ ctrl = ntohs((uint16_t)packet[2]);
+ headerLen = 4;
+ }
+
+ /* don't take last bit into account */
+ dsap = dsapField & 0xfe;
+ ssap = ssapField & 0xfe;
+
+ json_object_object_add(jparent, "LLC_dsap", json_object_new_int(dsap));
+ json_object_object_add(jparent, "LLC_ssap", json_object_new_int(ssap));
+ json_object_object_add(jparent, "LLC_ctrl", json_object_new_int(ctrl));
+
+ if (dsap == 0xaa && ssap == 0xaa && ctrl == 0x03) {
+ /* SNAP header */
+ uint32_t orgCode = packet[headerLen] << 16 |
+ packet[headerLen + 1] << 8 |
+ packet[headerLen + 2];
+ uint16_t ethType = packet[headerLen + 3] << 8 |
+ packet[headerLen + 4];
+ json_object_object_add(jparent, "SNAP_oui", json_object_new_int(orgCode));
+ json_object_object_add(jparent, "SNAP_ethType", json_object_new_int(ethType));
+ return eth_proto_parse(ethType, packet + headerLen, pktSize - headerLen, jparent);
+ }
+ if (dsap == 0x06 && ssap == 0x06 && ctrl == 0x03) {
+ /* IPv4 header */
+ return ipv4_parse(packet + headerLen, pktSize - headerLen, jparent);
+ }
+ if (dsap == 0xe0 && ssap == 0xe0 && ctrl == 0x03) {
+ /* IPX packet with LLC */
+ return ipx_parse(packet + headerLen, pktSize - headerLen, jparent);
+ }
+
+ RETURN_DATA_AFTER(headerLen)
+}
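Review bot: `ctrl = ntohs((uint16_t)packet[2]);` never reads `packet[3]` — it widens the single octet to 16 bits and byte-swaps that, so the I/S-frame control value logged as `LLC_ctrl` is wrong and the 16-bit case also lacks a `pktSize >= 4` check (the guard at the top only ensures 3 bytes). The SNAP branch then reads `packet[headerLen .. headerLen + 4]` with no check that those five bytes are within `pktSize`. The rewrite below reads both control octets in the big-endian order the original `ntohs` intends and adds the two length checks.
```c
	if ((packet[2] & 0x03) == 3) {
		/* U frame: LLC control is 8 bits */
		ctrl = (uint8_t)packet[2];
		headerLen = 3;
	} else {
		/* I and S frames: 16-bit control, both octets needed (big-endian) */
		if (pktSize < 4) {
			DBGPRINTF("LLC packet too small for 16-bit control : %d\n", pktSize);
			RETURN_DATA_AFTER(0)
		}
		ctrl = (uint16_t)((packet[2] << 8) | packet[3]);
		headerLen = 4;
	}
	/* … unchanged: dsap/ssap masking and LLC_* json fields … */

	/* SNAP needs 3 OUI octets plus 2 ethType octets after the LLC header */
	if (dsap == 0xaa && ssap == 0xaa && ctrl == 0x03 && pktSize >= headerLen + 5) {
```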
diff --git a/contrib/impcap/parsers.h b/contrib/impcap/parsers.h
new file mode 100644
index 0000000..d2e71d4
--- /dev/null
+++ b/contrib/impcap/parsers.h
@@ -0,0 +1,189 @@
+/* parser.h
+ *
+ * This file contains the prototypes of all the parsers available within impcap.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <ctype.h>
+#include <pcap.h>
+
+#include "rsyslog.h"
+#include "msg.h"
+#include "dirty.h"
+
+#ifdef __FreeBSD__
+#include <sys/socket.h>
+#else
+
+#include <netinet/ether.h>
+
+#endif
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/ip_icmp.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <net/ethernet.h>
+#include <arpa/inet.h>
+
+#ifndef INCLUDED_PARSER_H
+#define INCLUDED_PARSER_H 1
+
+/* data return structure */
+struct data_ret_s {
+ size_t size;
+ char *pData;
+};
+typedef struct data_ret_s data_ret_t;
+
+#define RETURN_DATA_AFTER(x) data_ret_t *retData = malloc(sizeof(data_ret_t)); \
+ if(pktSize > x) { \
+ retData->size = pktSize - x; \
+ retData->pData = (char *)packet + x; \
+ } \
+ else { \
+ retData->size = 0; \
+ retData->pData = NULL; \
+ } \
+ return retData; \
+
+/* --- handlers prototypes --- */
+void packet_parse(uchar *arg, const struct pcap_pkthdr *pkthdr, const uchar *packet);
+
+data_ret_t *eth_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *llc_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *ipx_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *ipv4_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *icmp_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *tcp_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *udp_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *ipv6_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *arp_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *rarp_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *ah_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *esp_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *smb_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *ftp_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *http_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *dns_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+
+// inline function definitions
+static inline data_ret_t *dont_parse(
+ const uchar *packet,
+ int pktSize,
+ __attribute__((unused)) struct json_object *jparent);
+
+static inline data_ret_t *eth_proto_parse(
+ uint16_t ethProto,
+ const uchar *packet,
+ int pktSize,
+ struct json_object *jparent);
+
+static inline data_ret_t *ip_proto_parse(
+ uint16_t ipProto,
+ const uchar *packet,
+ int pktSize,
+ struct json_object *jparent);
+
+/*
+ * Mock function to do no parsing when protocol is not a valid number
+*/
+static inline data_ret_t *dont_parse(
+ const uchar *packet,
+ int pktSize,
+ __attribute__((unused)) struct json_object *jparent)
+{
+ DBGPRINTF("protocol not handled\n");
+ RETURN_DATA_AFTER(0)
+}
+
+// proto code handlers
+static inline data_ret_t *eth_proto_parse(
+ uint16_t ethProto,
+ const uchar *packet,
+ int pktSize,
+ struct json_object *jparent)
+{
+ switch(ethProto) {
+ case ETHERTYPE_IP:
+ return ipv4_parse(packet, pktSize, jparent);
+ case ETHERTYPE_IPV6:
+ return ipv6_parse(packet, pktSize, jparent);
+ case ETHERTYPE_ARP:
+ return arp_parse(packet, pktSize, jparent);
+ case ETHERTYPE_REVARP:
+ return rarp_parse(packet, pktSize, jparent);
+ case ETHERTYPE_IPX:
+ return ipx_parse(packet, pktSize, jparent);
+ default:
+ return dont_parse(packet, pktSize, jparent);
+ }
+}
+
+static inline data_ret_t *ip_proto_parse(
+ uint16_t ipProto,
+ const uchar *packet,
+ int pktSize,
+ struct json_object *jparent)
+{
+ switch(ipProto) {
+ case IPPROTO_TCP:
+ return tcp_parse(packet, pktSize, jparent);
+ case IPPROTO_UDP:
+ return udp_parse(packet, pktSize, jparent);
+ case IPPROTO_ICMP:
+ return icmp_parse(packet, pktSize, jparent);
+ default:
+ return dont_parse(packet, pktSize, jparent);
+ }
+}
+
+#endif /* INCLUDED_PARSER_H */
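Review bot: `RETURN_DATA_AFTER` dereferences the `malloc` result without checking it, expands to several unbraced statements (so it only works inside a braced block, as every current call site happens to be), and uses its argument `x` unparenthesized. Since all call sites invoke the macro without a trailing `;`, a plain brace block rather than `do { } while (0)` keeps them valid; returning `NULL` on allocation failure means packet_parse (in impcap.c, outside this hunk) has to test the pointer before reading `dataLeft->size`. Two smaller points: the include guard `INCLUDED_PARSER_H` starts after the `#include` lines rather than before them, and the header comment names the file `parser.h` while the file is `parsers.h`; `ah_parse`/`esp_parse` are declared but no source for them appears in this commit's file list.
```c
/* Brace block, not do/while(0): call sites use the macro without a trailing ';' */
#define RETURN_DATA_AFTER(x) { \
	data_ret_t *retData = malloc(sizeof(data_ret_t)); \
	if (retData == NULL) { \
		DBGPRINTF("impcap: out of memory allocating data_ret_t\n"); \
		return NULL; \
	} \
	if (pktSize > (x)) { \
		retData->size = pktSize - (x); \
		retData->pData = (char *)packet + (x); \
	} else { \
		retData->size = 0; \
		retData->pData = NULL; \
	} \
	return retData; \
}
```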
diff --git a/contrib/impcap/smb_parser.c b/contrib/impcap/smb_parser.c
new file mode 100644
index 0000000..e673cd3
--- /dev/null
+++ b/contrib/impcap/smb_parser.c
@@ -0,0 +1,145 @@
+/* smb_parser.c
+ *
+ * This file contains functions to parse SMB (version 2 and 3) headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+/* SMB2 opCodes */
+#define SMB2_NEGOTIATE 0x00
+#define SMB2_SESSIONSET 0x01
+#define SMB2_SESSIONLOGOFF 0x02
+#define SMB2_TREECONNECT 0x03
+#define SMB2_TREEDISCONNECT 0x04
+#define SMB2_CREATE 0x05
+#define SMB2_CLOSE 0x06
+#define SMB2_FLUSH 0x07
+#define SMB2_READ 0x08
+#define SMB2_WRITE 0x09
+#define SMB2_LOCK 0x0a
+#define SMB2_IOCTL 0x0b
+#define SMB2_CANCEL 0x0c
+#define SMB2_KEEPALIVE 0x0d
+#define SMB2_FIND 0x0e
+#define SMB2_NOTIFY 0x0f
+#define SMB2_GETINFO 0x10
+#define SMB2_SETINFO 0x11
+#define SMB2_BREAK 0x12
+
+struct smb_header_s {
+ uint32_t version;
+ uint16_t headerLength;
+ uint16_t padding1;
+ uint32_t ntStatus;
+ uint16_t opCode;
+ uint16_t padding2;
+ uint32_t flags;
+ uint32_t chainOffset;
+ uint32_t comSeqNumber[2];
+ uint32_t processID;
+ uint32_t treeID;
+ uint32_t userID[2];
+ uint32_t signature[4];
+};
+
+typedef struct smb_header_s smb_header_t;
+
+static char flagCodes[5] = "RPCS";
+
+/*
+ * This function parses the bytes in the received packet to extract SMB2 metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the beginning of the header will be checked by the function
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where SMB2 metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *smb_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("smb_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ int pktSizeCpy = pktSize;
+ const uchar *packetCpy = packet;
+
+ while (pktSizeCpy > 0) {
+ /* don't check packetCpy[0] to include SMB version byte at the beginning */
+ if (packetCpy[1] == 'S') {
+ if (packetCpy[2] == 'M') {
+ if (packetCpy[3] == 'B') {
+ break;
+ }
+ }
+ }
+ packetCpy++, pktSizeCpy--;
+ }
+
+ if ((int)pktSizeCpy < 64) {
+ DBGPRINTF("SMB packet too small : %d\n", pktSizeCpy);
+ RETURN_DATA_AFTER(0)
+ }
+
+ /* Union to prevent cast from uchar to smb_header_t */
+ union {
+ const uchar *pck;
+ smb_header_t *hdr;
+ } smb_header_to_char;
+
+ smb_header_to_char.pck = packetCpy;
+ smb_header_t *smb_header = smb_header_to_char.hdr;
+
+ char flags[5] = {0};
+ uint64_t seqNum, userID;
+ uint8_t version;
+
+ version = (smb_header->version == 0xFF) ? 1 : 2;
+ seqNum = smb_header->comSeqNumber[0] | smb_header->comSeqNumber[1] << 16;
+ userID = smb_header->userID[0] | smb_header->userID[1] << 16;
+
+ uint8_t i, pos = 0;
+ for (i = 0; i < 4; ++i) {
+ if (smb_header->flags & (0x01 << i))
+ flags[pos++] = flagCodes[i];
+ }
+
+ json_object_object_add(jparent, "SMB_version", json_object_new_int(version));
+ json_object_object_add(jparent, "SMB_NTstatus", json_object_new_int64(smb_header->ntStatus));
+ json_object_object_add(jparent, "SMB_operation", json_object_new_int(smb_header->opCode));
+ json_object_object_add(jparent, "SMB_flags", json_object_new_string(flags));
+ json_object_object_add(jparent, "SMB_seqNumber", json_object_new_int64(seqNum));
+ json_object_object_add(jparent, "SMB_processID", json_object_new_int64(smb_header->processID));
+ json_object_object_add(jparent, "SMB_treeID", json_object_new_int64(smb_header->treeID));
+ json_object_object_add(jparent, "SMB_userID", json_object_new_int64(userID));
+
+ RETURN_DATA_AFTER(0)
+}
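Review bot: The "SMB" scan loop reads packetCpy[1], [2] and [3] while only `pktSizeCpy > 0` is guaranteed, so for the last one to three bytes of the buffer it reads past the end of captured data; the condition should be `while (pktSizeCpy >= 4) {`. The 64-bit field assembly a few lines later also looks wrong: comSeqNumber and userID are pairs of uint32_t, so `<< 16` neither reaches the upper word nor promotes to 64 bits — `seqNum = smb_header->comSeqNumber[0] | ((uint64_t)smb_header->comSeqNumber[1] << 32);` and the same shape for userID. The `smb_header->version == 0xFF` test compares the whole 32-bit field against a single byte value, which on its face can never match an SMB1 signature byte followed by "SMB"; this probably wants to look at the first byte only, worth confirming against the intended version detection. Header fields are read directly from the wire without any byte-order handling, which should at least be stated in a comment if little-endian hosts are assumed.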
diff --git a/contrib/impcap/tcp_parser.c b/contrib/impcap/tcp_parser.c
new file mode 100644
index 0000000..b96c1f3
--- /dev/null
+++ b/contrib/impcap/tcp_parser.c
@@ -0,0 +1,121 @@
+/* tcp_parser.c
+ *
+ * This file contains functions to parse TCP headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+#define SMB_PORT 445
+#define HTTP_PORT 80
+#define HTTP_PORT_ALT 8080
+#define FTP_PORT 21
+#define FTP_PORT_DATA 20
+
+struct tcp_header_s {
+ uint16_t srcPort;
+ uint16_t dstPort;
+ uint32_t seq;
+ uint32_t ack;
+ uint8_t dor;
+ uint8_t flags;
+ uint16_t windowSize;
+ uint16_t checksum;
+ uint16_t urgPointer;
+ uint8_t options[];
+};
+
+typedef struct tcp_header_s tcp_header_t;
+
+static char flagCodes[10] = "FSRPAUECN";
+
+/*
+ * This function parses the bytes in the received packet to extract TCP metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the TCP header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where TCP metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *tcp_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("tcp_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ if (pktSize < 20) {
+ DBGPRINTF("TCP packet too small : %d\n", pktSize);
+ RETURN_DATA_AFTER(0)
+ }
+
+ /* Union to prevent cast from uchar to tcp_header_t */
+ union {
+ const uchar *pck;
+ tcp_header_t *hdr;
+ } tcp_header_to_char;
+
+ tcp_header_to_char.pck = packet;
+ tcp_header_t *tcp_header = tcp_header_to_char.hdr;
+
+ uint8_t i, pos = 0;
+ char flags[10] = {0};
+
+ for (i = 0; i < 8; ++i) {
+ if (tcp_header->flags & (0x01 << i))
+ flags[pos++] = flagCodes[i];
+ }
+ if (tcp_header->dor & 0x01)
+ flags[pos++] = flagCodes[9];
+
+ uint16_t srcPort = ntohs(tcp_header->srcPort);
+ uint16_t dstPort = ntohs(tcp_header->dstPort);
+
+ uint8_t headerLength = (tcp_header->dor & 0xF0) >> 2; //>>4 to offset but <<2 to get offset as bytes
+
+ json_object_object_add(jparent, "net_src_port", json_object_new_int(srcPort));
+ json_object_object_add(jparent, "net_dst_port", json_object_new_int(dstPort));
+ json_object_object_add(jparent, "TCP_seq_number", json_object_new_int64(ntohl(tcp_header->seq)));
+ json_object_object_add(jparent, "TCP_ack_number", json_object_new_int64(ntohl(tcp_header->ack)));
+ json_object_object_add(jparent, "net_flags", json_object_new_string(flags));
+
+ if (srcPort == SMB_PORT || dstPort == SMB_PORT) {
+ return smb_parse(packet + headerLength, pktSize - headerLength, jparent);
+ }
+ if (srcPort == FTP_PORT || dstPort == FTP_PORT || srcPort == FTP_PORT_DATA || dstPort == FTP_PORT_DATA) {
+ return ftp_parse(packet + headerLength, pktSize - headerLength, jparent);
+ }
+ if (srcPort == HTTP_PORT || dstPort == HTTP_PORT ||
+ srcPort == HTTP_PORT_ALT || dstPort == HTTP_PORT_ALT) {
+ return http_parse(packet + headerLength, pktSize - headerLength, jparent);
+ }
+ DBGPRINTF("tcp return after header length (%u)\n", headerLength);
+ RETURN_DATA_AFTER(headerLength)
+}
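Review bot: The NS flag line indexes `flagCodes[9]`, which is the terminating NUL of "FSRPAUECN", so the flag is never rendered and a stray `\0` is written into flags; it should read `flags[pos++] = flagCodes[8];`. headerLength is derived from the data-offset nibble and used unchecked in `packet + headerLength` and `pktSize - headerLength`; a malformed offset below 20 or above pktSize yields a pointer past the captured bytes and a negative length handed to smb_parse/ftp_parse/http_parse, so a guard of the form "if headerLength is less than 20 or greater than pktSize, log and RETURN_DATA_AFTER(0)" belongs right after headerLength is computed, before the JSON fields are added. The same pattern of trusting a header-supplied length appears in the udp hunk below via RETURN_DATA_AFTER(8), though there it is a constant and safe given the pktSize check.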
diff --git a/contrib/impcap/udp_parser.c b/contrib/impcap/udp_parser.c
new file mode 100644
index 0000000..a9b7dca
--- /dev/null
+++ b/contrib/impcap/udp_parser.c
@@ -0,0 +1,90 @@
+/* udp_parser.c
+ *
+ * This file contains functions to parse UDP headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+#define DNS_PORT 53
+
+struct udp_header_s {
+ uint16_t srcPort;
+ uint16_t dstPort;
+ uint16_t totalLength;
+ uint16_t checksum;
+};
+
+typedef struct udp_header_s udp_header_t;
+
+/*
+ * This function parses the bytes in the received packet to extract UDP metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the UDP header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where UDP metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *udp_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("udp_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ if (pktSize < 8) {
+ DBGPRINTF("UDP packet too small : %d\n", pktSize);
+ RETURN_DATA_AFTER(0)
+ }
+
+ /* Union to prevent cast from uchar to udp_header_t */
+ union {
+ const uchar *pck;
+ udp_header_t *hdr;
+ } udp_header_to_char;
+
+ udp_header_to_char.pck = packet;
+ udp_header_t *udp_header = udp_header_to_char.hdr;
+
+ // Prevent endianness issue
+ unsigned short int src_port = ntohs(udp_header->srcPort);
+ unsigned short int dst_port = ntohs(udp_header->dstPort);
+
+ json_object_object_add(jparent, "net_src_port", json_object_new_int(src_port));
+ json_object_object_add(jparent, "net_dst_port", json_object_new_int(dst_port));
+ json_object_object_add(jparent, "UDP_Length", json_object_new_int(ntohs(udp_header->totalLength)));
+ json_object_object_add(jparent, "UDP_Checksum", json_object_new_int(ntohs(udp_header->checksum)));
+
+ if (src_port == DNS_PORT || dst_port == DNS_PORT) {
+ return dns_parse(packet + sizeof(udp_header_t), pktSize - sizeof(udp_header_t), jparent);
+ }
+
+ RETURN_DATA_AFTER(8)
+}
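Review bot: The header length is expressed twice in different ways, `sizeof(udp_header_t)` in the dns_parse call and the literal `8` in `RETURN_DATA_AFTER(8)`; using `RETURN_DATA_AFTER(sizeof(udp_header_t))` keeps the two in step if the struct is ever changed. The port locals are declared `unsigned short int` while the sibling tcp_parse uses `uint16_t` for the same values; `uint16_t src_port = ntohs(udp_header->srcPort);` matches the rest of the module. The UDP length field is recorded but never compared with pktSize; a one-line comment noting that dns_parse is handed the captured length rather than the header-declared length would make that choice explicit.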