C++ pcap_freecode函数代码示例

/**
 * Install filter for hijacked connection
 *
 */
static int hijack_install_filter ( struct hijack *hijack,
                                   char *filter ) {
    struct bpf_program program;

    /* Compile filter */
    if ( pcap_compile ( hijack->pcap, &program, filter, 1, 0 ) < 0 ) {
        logmsg ( LOG_ERR, "could not compile filter \"%s\": %s\n",
                 filter, pcap_geterr ( hijack->pcap ) );
        goto err_nofree;
    }

    /* Install filter */
    if ( pcap_setfilter ( hijack->pcap, &program ) < 0 ) {
        logmsg ( LOG_ERR, "could not install filter \"%s\": %s\n",
                 filter, pcap_geterr ( hijack->pcap ) );
        goto err;
    }

    logmsg ( LOG_INFO, "using filter \"%s\"\n", filter );

    pcap_freecode ( &program );
    return 0;

err:
    pcap_freecode ( &program );
err_nofree:
    return -1;
}

PyObject *
captureObject_filter(captureObject *self, PyObject *args)
{
    char *filter = NULL;
    int optimize = 0;
    unsigned int netmask = 0xffffffff;
    struct bpf_program prog;
    
    if (! PyArg_ParseTuple(args, "s|i:filter", &filter, &optimize))
        return NULL;

    if (pcap_compile(self->pcap, &prog, filter, optimize, netmask))
    {
        PyErr_SetString(ErrorObject, pcap_geterr(self->pcap));
        return NULL;
    }
    if (pcap_setfilter(self->pcap, &prog))
    {
        pcap_freecode(&prog);
        PyErr_SetString(ErrorObject, pcap_geterr(self->pcap));
        return NULL;
    }
    pcap_freecode(&prog);
    return Py_BuildValue("");
}

int
tc_pcap_socket_in_init(pcap_t **pd, char *device, 
        int snap_len, int buf_size, char *pcap_filter)
{
    int         fd;
    char        ebuf[PCAP_ERRBUF_SIZE]; 
    struct      bpf_program fp;
    bpf_u_int32 net, netmask;      

    if (device == NULL) {
        return TC_INVALID_SOCK;
    }

    tc_log_info(LOG_NOTICE, 0, "pcap open,device:%s", device);

    *ebuf = '\0';

    if (tc_pcap_open(pd, device, snap_len, buf_size) == TC_ERR) {
        return TC_INVALID_SOCK;
    }

    if (pcap_lookupnet(device, &net, &netmask, ebuf) < 0) {
        net = 0;
        netmask = 0;
        tc_log_info(LOG_WARN, 0, "lookupnet:%s", ebuf);
        return TC_INVALID_SOCK;
    }

    if (pcap_compile(*pd, &fp, pcap_filter, 0, netmask) == -1) {
        tc_log_info(LOG_ERR, 0, "couldn't parse filter %s: %s", 
                pcap_filter, pcap_geterr(*pd));
        return TC_INVALID_SOCK;
    }

    if (pcap_setfilter(*pd, &fp) == -1) {
        tc_log_info(LOG_ERR, 0, "couldn't install filter %s: %s",
                pcap_filter, pcap_geterr(*pd));
        pcap_freecode(&fp);
        return TC_INVALID_SOCK;
    }

    pcap_freecode(&fp);

    if (pcap_get_selectable_fd(*pd) == -1) {
        tc_log_info(LOG_ERR, 0, "pcap_get_selectable_fd fails"); 
        return TC_INVALID_SOCK;
    }

    if (pcap_setnonblock(*pd, 1, ebuf) == -1) {
        tc_log_info(LOG_ERR, 0, "pcap_setnonblock failed: %s", ebuf);
        return TC_INVALID_SOCK;
    }

    fd = pcap_get_selectable_fd(*pd);

    return fd;
}

/*
 * privileged part of priv_pcap_setfilter, compile the filter
 * expression, and return it to the parent. Note that we fake an hpcap
 * and use it to capture the error messages, and pass the error back
 * to client.
 */
int
setfilter(int bpfd, int sock, char *filter)
{
	struct bpf_program fcode;
	int oflag, snap, link;
	u_int32_t netmask;
	pcap_t hpcap;

	must_read(sock, &oflag, sizeof(oflag));
	must_read(sock, &netmask, sizeof(netmask));
	must_read(sock, &snap, sizeof(snap));
	must_read(sock, &link, sizeof(link));

	if (snap < 0) {
		snprintf(hpcap.errbuf, PCAP_ERRBUF_SIZE, "invalid snaplen");
		goto err;
	}

	/* fake hpcap, it only needs errbuf, snaplen, and linktype to
	 * compile a filter expression */
	/* XXX messing with pcap internals */
	hpcap.snapshot = snap;
	hpcap.linktype = link;
	if (pcap_compile(&hpcap, &fcode, filter, oflag, netmask))
		goto err;

	/* if bpf descriptor is open, set the filter XXX check oflag? */
	if (bpfd >= 0 && ioctl(bpfd, BIOCSETF, &fcode)) {
		snprintf(hpcap.errbuf, PCAP_ERRBUF_SIZE,
		    "ioctl: BIOCSETF: %s", strerror(errno));
		pcap_freecode(&fcode);
		goto err;
	}
	if (fcode.bf_len > 0) {
		/* write the filter */
		must_write(sock, &fcode.bf_len, sizeof(fcode.bf_len));
		must_write(sock, fcode.bf_insns,
		    fcode.bf_len * sizeof(struct bpf_insn));
	} else {
		snprintf(hpcap.errbuf, PCAP_ERRBUF_SIZE, "Invalid filter size");
		pcap_freecode(&fcode);
		goto err;
	}


	pcap_freecode(&fcode);
	return (0);

 err:
	fcode.bf_len = 0;
	must_write(sock, &fcode.bf_len, sizeof(fcode.bf_len));

	/* write back the error string */
	write_string(sock, hpcap.errbuf);
	return (1);
}

void startSniffer(char *filter)
{
	struct in_addr in;

	if (dev == NULL)
		if ((dev = pcap_lookupdev(errbuf)) == NULL) {
			fprintf(stderr, "startSniffer: couldn't find a device to sniff: %s\n", errbuf);
			exit(1);
		}

	printf("\n\n%s starting: listening on device: %s\n", VERSION, dev);

	if ((pd = pcap_open_live(dev, SNAPLEN, promisc, readtimeout, errbuf)) == NULL) {
		fprintf(stderr, "startSniffer: pcap_open_live failed: %s\n", errbuf);
		exit(1);
	}


	pcap_lookupnet(dev, &netp, &maskp, errbuf);
	in.s_addr = netp;
	printf("%s (%s/", dev, inet_ntoa(in));
	in.s_addr = maskp;
	printf("%s) opened successfully in %spromiscuous mode\n", inet_ntoa(in), (promisc ? "" : "non-"));

	if (filter != NULL) {
		pcap_compile(pd, &fprog, filter, 0, netp);
		if ((pcap_setfilter(pd, &fprog)) == -1) {
			fprintf(stderr, "startSniffer: pcap_setfilter: cannot set filter\n");
			exit(1);
		}
		pcap_freecode(&fprog);
	}
}

/* Called at the start on main thread or each time a new file is open on single thread */
void moloch_rules_recompile()
{
    int t, r;

    if (deadPcap)
        pcap_close(deadPcap);

    deadPcap = pcap_open_dead(pcapFileHeader.linktype, pcapFileHeader.snaplen);
    MolochRule_t *rule;
    for (t = 0; t < MOLOCH_RULE_TYPE_NUM; t++) {
        for (r = 0; (rule = current.rules[t][r]); r++) {
            if (!rule->bpf)
                continue;

            pcap_freecode(&rule->bpfp);
            if (pcapFileHeader.linktype != 239) {
                if (pcap_compile(deadPcap, &rule->bpfp, rule->bpf, 1, PCAP_NETMASK_UNKNOWN) == -1) {
                    LOGEXIT("ERROR - Couldn't compile filter %s: '%s' with %s", rule->filename, rule->bpf, pcap_geterr(deadPcap));
                }
            } else {
                rule->bpfp.bf_len = 0;
            }
        }
    }
}

int set_raw_filter(unsigned int loc_idx, char *filter) {

        struct bpf_program raw_filter;
        //uint16_t snaplen = 65535;
        int linktype;
        //struct pcap_t *aa;
        int fd = -1;
                
        LERR("APPLY FILTER [%d]\n", loc_idx);        
        if(loc_idx >= MAX_SOCKETS || sniffer_proto[loc_idx] == NULL) return 0;         

        fd = pcap_get_selectable_fd(sniffer_proto[loc_idx]);

        linktype  = profile_socket[loc_idx].link_type ? profile_socket[loc_idx].link_type : DLT_EN10MB;

        if (pcap_compile_nopcap(profile_socket[loc_idx].snap_len ? profile_socket[loc_idx].snap_len : 0xffff, linktype, &raw_filter, filter, 1, 0) == -1) {
                LERR("Failed to compile filter '%s'", filter);
                return -1;
        }

#if ( defined (OS_LINUX) || defined (OS_SOLARIS) )
        if(setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &raw_filter, sizeof(raw_filter)) < 0 ) {
                LERR(" setsockopt filter: [%s] [%d]", strerror(errno), errno);
                return -1;
        }
#endif

        //free(BPF_code);
        pcap_freecode( (struct bpf_program *) &raw_filter);

        return 1;

}

static int l2_packet_init_libpcap(struct l2_packet_data *l2,
                                  unsigned short protocol)
{
        bpf_u_int32 pcap_maskp, pcap_netp;
        char pcap_filter[200], pcap_err[PCAP_ERRBUF_SIZE];
        struct bpf_program pcap_fp;

        pcap_lookupnet(l2->ifname, &pcap_netp, &pcap_maskp, pcap_err);
        l2->pcap = pcap_open_live(l2->ifname, 2500, 0, 1, pcap_err);
        if (l2->pcap == NULL) {
                fprintf(stderr, "pcap_open_live: %s\n", pcap_err);
                fprintf(stderr, "ifname='%s'\n", l2->ifname);
                return -1;
        }
        os_snprintf(pcap_filter, sizeof(pcap_filter),
                    "not ether src " MACSTR " and "
                    "( ether dst " MACSTR " or ether dst " MACSTR " ) and "
                    "ether proto 0x%x",
                    MAC2STR(l2->own_addr), /* do not receive own packets */
                    MAC2STR(l2->own_addr), MAC2STR(pae_group_addr),
                    protocol);
        if (pcap_compile(l2->pcap, &pcap_fp, pcap_filter, 1, pcap_netp) < 0) {
                fprintf(stderr, "pcap_compile: %s\n", pcap_geterr(l2->pcap));
                return -1;
        }

        if (pcap_setfilter(l2->pcap, &pcap_fp) < 0) {
                fprintf(stderr, "pcap_setfilter: %s\n", pcap_geterr(l2->pcap));
                return -1;
        }

        pcap_freecode(&pcap_fp);

        return 0;
}

/*-
-- cap = cap:set_filter(filter, nooptimize)

- filter is the filter string, see tcpdump or pcap-filter man page.
- nooptimize can be true if you don't want the filter optimized during compile
  (the default is to optimize).
*/
static int lpcap_set_filter(lua_State* L)
{
    pcap_t* cap = checkpcap(L);
    const char* filter = luaL_checkstring(L, 2);
    int optimize = !lua_toboolean(L, 3);
    bpf_u_int32 netmask = PCAP_NETMASK_UNKNOWN; /* TODO get device from registry, and call pcap_lookup_net()*/
    int ret = 0;
    struct bpf_program program = { 0 };

    ret = pcap_compile(cap, &program, filter, optimize, netmask);

    if(ret < 0) {
        return pusherr(L, cap);
    }

    ret = pcap_setfilter(cap, &program);

    pcap_freecode(&program);

    if(ret < 0) {
        return pusherr(L, cap);
    }

    lua_settop(L, 1);

    return 1;
}

void init_pcap(void){
	pcap_t 	* handle;		//Handle de capture
	struct bpf_program fp;
	char	* device;		//Périphérique pour sniffer
	struct devInfo myDevInfo;
	char errbuf[PCAP_ERRBUF_SIZE];
	int num_packets = 10;

	getDevice(&myDevInfo);
#ifdef DEBUG
	displayInformationDevice(&myDevInfo); // affiche ip/mask/peripherique
#endif
	DEBUGMSG(1)("Ouverture interface"); 
	 handle = pcap_open_live(myDevInfo.dev, BUFSIZ, 1, 1000, errbuf);
	 if (handle == NULL) {
		 fprintf(stderr, "Couldn't open device %s: %s\n", "eth0", errbuf);
		 exit(EXIT_FAILURE);
	 }
	DEBUGMSG(1)("compilation du filtre"); 
	if (pcap_compile(handle, &fp, FILTRE, 0, myDevInfo.net) == -1){
		fprintf(stderr, "Couldn't parse filter %s: %s\n", FILTRE, pcap_geterr(handle));
		exit(EXIT_FAILURE);
	}
	DEBUGMSG(1)("Activation du filtre"); 
	if (pcap_setfilter(handle, &fp) == -1) {
		fprintf(stderr, "Couldn't install filter %s: %s\n", FILTRE, pcap_geterr(handle));
		exit(EXIT_FAILURE);
	}
	DEBUGMSG(1)("Sniffing ... listen packets"); 
	pcap_loop(handle, num_packets, got_packet, NULL);
	DEBUGMSG(1)("cleaning and stopping... bye"); 
	pcap_freecode(&fp);
	pcap_close(handle);

}

void reader_pfring_start() {
    int dlt_to_linktype(int dlt);

    pcapFileHeader.linktype = 1;
    pcapFileHeader.snaplen = MOLOCH_SNAPLEN;


    pcap_t *pcap = pcap_open_dead(pcapFileHeader.linktype, pcapFileHeader.snaplen);
    if (config.dontSaveBPFs) {
        int i;
        if (bpf_programs) {
            for (i = 0; i < config.dontSaveBPFsNum; i++) {
                pcap_freecode(&bpf_programs[i]);
            }
        } else {
            bpf_programs = malloc(config.dontSaveBPFsNum*sizeof(struct bpf_program));
        }
        for (i = 0; i < config.dontSaveBPFsNum; i++) {
            if (pcap_compile(pcap, &bpf_programs[i], config.dontSaveBPFs[i], 0, PCAP_NETMASK_UNKNOWN) == -1) {
                LOG("ERROR - Couldn't compile filter: '%s' with %s", config.dontSaveBPFs[i], pcap_geterr(pcap));
                exit(1);
            }
        }
        moloch_reader_should_filter = reader_pfring_should_filter;
    }
    pcap_close(pcap);

    int i;
    for (i = 0; i < MAX_INTERFACES && config.interface[i]; i++) {
        char name[100];
        snprintf(name, sizeof(name), "moloch-pfring%d", i);
        g_thread_new(name, &reader_pfring_thread, rings[i]);
    }
}

bool us_rawnet_join_multicast( us_rawnet_context_t *self, const uint8_t multicast_mac[6] )
{
    bool r = false;
    struct bpf_program fcode;
    pcap_t *p = (pcap_t *)self->m_pcap;
    char filter[1024];
    /* TODO: add multicast address to pcap filter here if multicast_mac is not null*/
    (void)multicast_mac;
    sprintf( filter, "ether proto 0x%04x", self->m_ethertype );

    if ( pcap_compile( p, &fcode, filter, 1, 0xffffffff ) < 0 )
    {
        pcap_close( p );
        us_log_error( "Unable to pcap_compile: '%s'", filter );
    }
    else
    {
        if ( pcap_setfilter( p, &fcode ) < 0 )
        {
            pcap_close( p );
            us_log_error( "Unable to pcap_setfilter" );
        }
        else
        {
            r = true;
        }
        pcap_freecode( &fcode );
    }
    return r;
}

 void apply_bpf_filters()
{
	struct bpf_program bpf_filter;
	char *str = "(src host 139.91.70.42 or src host 1.1.1.2) " 
		    "and (dst host 139.91.70.43 or dst host 1.1.1.3) "
		    "and (dst port 22 or dst port 23)";
	
	printf("Constructing filter : %s\n",str);
	
	if(pcap_compile(p,&bpf_filter,str,1,0xFFFFFF00))
	{
		pcap_perror(p,"pcap_compile");
		
		exit(1);
	}

	if(pcap_setfilter(p,&bpf_filter))
	{
		pcap_perror(p,"pcap_setfilter");
		
		exit(1);
	}
	
	pcap_freecode(&bpf_filter);
}

void reader_snf_start() {
    pcapFileHeader.linktype = DLT_EN10MB;
    pcapFileHeader.snaplen = MOLOCH_SNAPLEN;
    pcap_t *dpcap = pcap_open_dead(pcapFileHeader.linktype, pcapFileHeader.snaplen);
    int t;
    for (t = 0; t < MOLOCH_FILTER_MAX; t++) {
        if (config.bpfsNum[t]) {
            int i;
            if (bpf_programs[t]) {
                for (i = 0; i < config.bpfsNum[t]; i++) {
                    pcap_freecode(&bpf_programs[t][i]);
                }
            } else {
                bpf_programs[t] = malloc(config.bpfsNum[t]*sizeof(struct bpf_program));
            }
            for (i = 0; i < config.bpfsNum[t]; i++) {
                if (pcap_compile(dpcap, &bpf_programs[t][i], config.bpfs[t][i], 1, PCAP_NETMASK_UNKNOWN) == -1) {
                    LOG("ERROR - Couldn't compile filter: '%s' with %s", config.bpfs[t][i], pcap_geterr(dpcap));
                    exit(1);
                }
            }
            moloch_reader_should_filter = reader_snf_should_filter;
        }
    }

    int i, r;
    for (i = 0; i < MAX_INTERFACES && config.interface[i]; i++) {
        for (r = 0; r < snfNumRings; r++) {
            char name[100];
            snprintf(name, sizeof(name), "moloch-snf%d-%d", i, r);
            g_thread_new(name, &reader_snf_thread, rings[i][r]);
        }
        snf_start(handles[i]);
    }
}

/* Find and prepare ethernet device for capturing */
pcap_t *prepare_capture(char *interface, int promisc, char *capfilter) {
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *pcap_hnd;
    char *dev = NULL;
    bpf_u_int32 net, mask;
    struct bpf_program filter;


    /* Starting live capture, so find and open network device */
    if (!interface) {
        dev = pcap_lookupdev(errbuf);
        if (dev == NULL)
            LOG_DIE("Cannot find a valid capture device: %s", errbuf);
    } else {
        dev = interface;
    }

    if (pcap_lookupnet(dev, &net, &mask, errbuf) == -1) net = 0;

    pcap_hnd = pcap_open_live(dev, BUFSIZ, promisc, 0, errbuf);
    if (pcap_hnd == NULL)
        LOG_DIE("Cannot open live capture on '%s': %s", dev, errbuf);

    set_link_header_offset(pcap_datalink(pcap_hnd));

    /* Compile capture filter and apply to handle */
    if (pcap_compile(pcap_hnd, &filter, capfilter, 0, net) == -1)
        LOG_DIE("Cannot compile capture filter '%s': %s", capfilter, pcap_geterr(pcap_hnd));

    if (pcap_setfilter(pcap_hnd, &filter) == -1)
        LOG_DIE("Cannot apply capture filter: %s", pcap_geterr(pcap_hnd));

    pcap_freecode(&filter);
    return pcap_hnd;
}