A simple TCP packetlogger/sniffer for Linux which includes background logging.
35c08a7777d1b751a168478dad9d3126b0d7fa46d8d372c1035af3c21843f383
/*
* Nagini v0.01 - simple TCP packetlogger by sacrine
* .. 1 kleine neger ..
* NETRIC SECURITY 2003
*
* includes:
* - Log functionality
* - Can run in background
*
* More options will be included in (if it depends on me) next versions
*
* <cliche>
*
* Special Thanks go to:
* gloomy, eSDee, ilja, ntronic
*
* Greets:
* atje, The_Itch, ThePike, Laurens, powerpork,
* psycoder, Remy, {}, Scrippie and whole #netric :)
*
* </cliche>
*
* If there are any questions/remarks or even bugs that you discovered,
* Please mail me at sacrine@netric.org
*
* Weetjes en Nieuwtjes:
*
* - Je bent gespuis als je niet af en toe samba(l) eet
* - The_Itch stemt SP
* - soul en gloomy zijn tegen een jointje op Rock Werchter
* - atje is gestopt met drinken
* - Xatr0z heeft wel degelijk de nederlandse nationaliteit
*
* Volgende keer weer meer nieuwtjes en weetjes uit Netric land,
* Tot ziens ;)
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <netdb.h>
#include <signal.h>
#include <errno.h>
#include <fcntl.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <getopt.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#define LOG_SIZE 50
#define JUNK_SIZE 1024
#define BUF_SIZE 1024
#define PCKT_SIZE 65535
#define VERSION "Nagini v0.01"
#define BACKGROUND 0
/*
 * Receive buffer for one captured segment.  main() fills the single global
 * instance `pckts` via recvfrom() and then overlays its own header views
 * (struct ip_list / struct tcp_list) on p_size.
 */
struct
pckts_list
{
char p_size[PCKT_SIZE]; /* raw bytes of the segment, beginning with the IP header */
int bytes; /* byte count returned by recvfrom() */
int from_lenght; /* address length passed to recvfrom(); declared int where a socklen_t * is expected */
struct iphdr *ip; /* not referenced by the code visible here */
struct tcphdr *tcp; /* not referenced by the code visible here */
} pckts;
/*
 * Hand-rolled IPv4 header view.  main() casts the start of pckts.p_size to
 * this type and reads only ip_lenght (IHL, in 32-bit words) and ip_protocol.
 * NOTE(review): the two 4-bit fields are declared IHL-first, which matches
 * the little-endian layout of struct iphdr in <linux/ip.h>; bit-field
 * allocation order is implementation-defined, so this view is host-specific.
 * The struct stops at the source address and has no destination-address
 * field, so it is shorter than a real option-less IPv4 header.
 */
struct
ip_list
{
unsigned int ip_lenght:4; /* IHL: header length in 32-bit words */
unsigned int ip_version:4;
unsigned char ip_tos;
unsigned short ip_total_lenght;
unsigned short ip_id;
unsigned short ip_flags; /* flags + fragment offset, network byte order */
unsigned char ip_ttl;
unsigned char ip_protocol; /* IANA protocol number; looked up with getprotobynumber() */
unsigned short ip_cksum;
unsigned int ip_source; /* source address, network byte order */
} ip;
/*
 * Hand-rolled TCP header view.  main() casts pckts.p_size + 4*IHL to this
 * type and reads only tcp_source_port and tcp_dest_port.  Both ports stay in
 * network byte order: main() applies ntohs() before printing them numerically
 * and passes them unchanged to getservbyport(), which expects that order.
 * NOTE(review): the flag bit-fields are declared in little-endian order
 * (reserved bits, data offset, then FIN..URG), like struct tcphdr in
 * <linux/tcp.h>; bit-field allocation order is implementation-defined.
 */
struct
tcp_list
{
unsigned short tcp_source_port; /* network byte order */
unsigned short tcp_dest_port; /* network byte order */
unsigned int tcp_seqno;
unsigned int tcp_ackno;
unsigned int tcp_res1:4,
tcp_hlen:4, /* data offset in 32-bit words */
tcp_fin:1,
tcp_syn:1,
tcp_rst:1,
tcp_psh:1,
tcp_ack:1,
tcp_urg:1,
tcp_res2:2;
unsigned short tcp_winsize;
unsigned short tcp_cksum;
unsigned short tcp_urgent;
} tcp;
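/*
 * Detach the process from its controlling terminal so it keeps running in
 * the background.  Skipped when the parent is already init (pid 1), i.e. the
 * process was started detached.
 *
 * The parent reports the child's pid on stdout and exits; the child becomes a
 * process-group leader and drops the controlling tty.  Open descriptors are
 * deliberately left alone: the caller has already opened the log file, and
 * the original loop here never closed anything either (it only reset errno).
 *
 * Returns 0 in the child.  Never returns in the parent, and exits with
 * EXIT_FAILURE if fork() fails.
 */
int
bground(void)
{
    if (getppid() != 1) {
        /* Ignore the job-control stop signals of the terminal we are leaving. */
        signal(SIGTTOU, SIG_IGN);
        signal(SIGTTIN, SIG_IGN);
        signal(SIGTSTP, SIG_IGN);

        pid_t child = fork();
        if (child < 0) {
            perror("fork()");
            exit(EXIT_FAILURE);
        }
        if (child > 0) {
            /* Parent: pid_t has no portable format specifier, so widen to long. */
            fprintf(stdout, "[+] Now running in background.. pid=[%ld]\n\n", (long)child);
            exit(EXIT_SUCCESS);
        }

        /* Child: new process group, then give up the controlling terminal. */
        setpgrp();
        int tty = open("/dev/tty", O_RDWR);
        if (tty >= 0) {
            ioctl(tty, TIOCNOTTY, (char *)NULL);
            close(tty);
        }
    }

    errno = 0;
    /* A daemon must not pin the directory it was started from. */
    if (chdir("/") < 0) {
        perror("chdir()");
    }
    umask(0);
    return 0;
}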
/*
 * Print the command-line help to stdout and terminate successfully.
 * `x` is the program name shown on the Usage line.  This function never
 * returns.
 */
void
usage(char *x)
{
    printf("Usage: %s [l:Bvh]\n"
           "\t-l\t-\tspecified logfile\n"
           "\t-B\t-\trun in background\n"
           "\t-v\t-\tdisplay version info\n"
           "\t-h\t-\tshows this help function\n\n",
           x);
    exit(EXIT_SUCCESS);
}
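/* Smallest header sizes the parser needs before it may dereference a header. */
enum {
    IP_HDR_MIN_LEN = 20,   /* option-less IPv4 header (IHL == 5) */
    TCP_HDR_MIN_LEN = 20   /* option-less TCP header */
};

/*
 * Write the current local time into `out` in asctime() format without the
 * trailing newline.  Writes an empty string if the time cannot be converted.
 * The original computed the timestamp once before the capture loop, so every
 * log line carried the start time; this is called per packet instead.
 */
static void
stamp_now(char *out, size_t outlen)
{
    if (outlen == 0) {
        return;
    }
    out[0] = '\0';

    time_t now = time(NULL);
    struct tm *lt = localtime(&now);
    if (lt == NULL) {
        return;
    }
    const char *text = asctime(lt);
    if (text == NULL) {
        return;
    }
    snprintf(out, outlen, "%s", text);
    char *nl = strchr(out, '\n');
    if (nl != NULL) {
        *nl = '\0';
    }
}

/*
 * Print one port as " <label>:<service>" when getservbyport() knows it,
 * otherwise as " <label>:<number>".  `net_port` is in network byte order,
 * which is what getservbyport() expects; ntohs() is applied only for display.
 */
static void
log_port(FILE *out, const char *label, unsigned short net_port, const char *proto)
{
    struct servent *sp = getservbyport(net_port, proto);
    if (sp != NULL) {
        fprintf(out, " %s:%s", label, sp->s_name);
    } else {
        fprintf(out, " %s:%d", label, ntohs(net_port));
    }
}

/*
 * Log the segment currently held in the global `pckts` buffer to `out`.
 * `from` is the peer address reported by recvfrom().
 *
 * Segments too short to hold an IPv4 header, with an IHL below 5, or too
 * short to hold a TCP header after the IP header are reported as truncated
 * and skipped instead of being parsed past the received data.
 *
 * Returns 0 on success, -1 if the IP protocol number cannot be resolved
 * (treated as fatal by the caller, as before).
 */
static int
log_packet(FILE *out, const struct sockaddr_in *from)
{
    char timebuf[50];

    stamp_now(timebuf, sizeof timebuf);
    fprintf(out, "[%s] Recieved %d bytes from %s ", timebuf, pckts.bytes,
            inet_ntoa(from->sin_addr));

    if (pckts.bytes < IP_HDR_MIN_LEN) {
        fprintf(out, "- truncated IP header, skipped\n");
        fflush(out);
        return 0;
    }

    /* Overlay the header view on the buffer; p_size is the first member of a
     * global struct, so it is at least int-aligned (assumed, as before). */
    const struct ip_list *iph = (const struct ip_list *)pckts.p_size;

    struct protoent *pe = getprotobynumber(iph->ip_protocol);
    if (pe == NULL) {
        /* getprotobynumber() does not set errno, so perror() would mislead. */
        fprintf(stderr, "getprotobynumber(%u): unknown protocol\n",
                (unsigned)iph->ip_protocol);
        return -1;
    }
    fprintf(out, "- IP hdr lenght=[%u] (%s)", (unsigned)iph->ip_lenght, pe->p_name);

    /* IHL counts 32-bit words; below 5 is malformed, and the TCP header must
     * lie entirely within the bytes actually received. */
    size_t iphlen = 4u * iph->ip_lenght;
    if (iph->ip_lenght < 5 || iphlen + TCP_HDR_MIN_LEN > (size_t)pckts.bytes) {
        fprintf(out, " truncated TCP header, skipped\n");
        fflush(out);
        return 0;
    }

    const struct tcp_list *tcph = (const struct tcp_list *)(pckts.p_size + iphlen);
    log_port(out, "src port", tcph->tcp_source_port, pe->p_name);
    fputc(' ', out);
    log_port(out, "dest port", tcph->tcp_dest_port, pe->p_name);
    fputc('\n', out);
    fflush(out);
    return 0;
}

/*
 * Entry point.  Options: -l <file> log to file, -B run in background
 * (requires -l), -v print version, -h usage.  Opens a raw TCP socket
 * (root required) and logs one line per received segment until recvfrom()
 * fails or a protocol number cannot be resolved.
 *
 * Returns EXIT_SUCCESS/EXIT_FAILURE; exits early with EXIT_FAILURE on
 * privilege, option or socket errors.
 */
int
main(int c, char *v[])
{
    char pfile[LOG_SIZE];
    int opts;
    int sock;
    FILE *LOG = NULL;
    struct sockaddr_in ader;
    socklen_t aderlen;
    int on = 0;
    int rc = EXIT_SUCCESS;

    fprintf(stdout, "\n%s TCP packetlogger by sacrine\n"
            "NETRIC SECURITY 2003 - sacrine@netric.org\n\n", VERSION);

    if (getuid() != 0) {
        fprintf(stderr, "This program requires root priviledges\n..aborting\n");
        exit(EXIT_FAILURE);
    }
    fprintf(stdout, "[+] Logged in as root\n\n");

    while ((opts = getopt(c, v, "Bhl:v")) != -1) {
        switch (opts) {
        case 'l': {
            /* snprintf() always NUL-terminates; refuse a path that would be
             * silently cut short and open a different file than requested. */
            int len = snprintf(pfile, sizeof pfile, "%s", optarg);
            if (len < 0 || (size_t)len >= sizeof pfile) {
                fprintf(stderr, "logfile path too long (max %zu bytes)\n..aborting\n",
                        sizeof pfile - 1);
                exit(EXIT_FAILURE);
            }
            if (LOG != NULL) {
                fclose(LOG);   /* a repeated -l replaces the earlier log file */
            }
            LOG = fopen(pfile, "w+");
            if (!LOG) {
                perror("file()");
                exit(EXIT_FAILURE);
            }
            fprintf(stdout, "[+] Writing results to: %s\n", pfile);
            break;
        }
        case 'B':
            on = 1;
            break;
        case 'v':
            fprintf(stdout, "%s\n", VERSION);
            break;
        case 'h':
            usage(v[0] == NULL ? "help function:" : v[0]);   /* does not return */
            break;
        default:
            break;
        }
    }

    if (!LOG) {
        if (on) {
            fprintf(stderr, "Sorry, you need to specify a logfile with the -l option for this!\n"
                    "..Aborting\n\n");
            exit(EXIT_FAILURE);
        }
        LOG = stdout;
    } else if (on) {
        /* The log is already open, so detaching does not lose it. */
        bground();
    }

    /* Raw TCP socket: each read yields one segment including its IP header. */
    if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0) {
        perror("socket()");
        rc = EXIT_FAILURE;
        goto out_close_log;
    }

    for (;;) {
        aderlen = sizeof ader;
        ssize_t got = recvfrom(sock, pckts.p_size, sizeof pckts.p_size - 1, 0,
                               (struct sockaddr *)&ader, &aderlen);
        if (got < 0) {
            if (errno == EINTR) {
                continue;
            }
            perror("recvfrom()");
            rc = EXIT_FAILURE;
            break;
        }
        /* Fits: the read is capped at PCKT_SIZE - 1. */
        pckts.bytes = (int)got;
        pckts.from_lenght = (int)aderlen;

        if (log_packet(LOG, &ader) < 0) {
            rc = EXIT_FAILURE;
            break;
        }
    }

    close(sock);
out_close_log:
    if (LOG != NULL && LOG != stdout) {
        fclose(LOG);
    }
    return rc;
}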