
fast sll c00ked parsing

1 parent d7862b6 commit 42fbeae73c97f87f0b734a7f92dfb72609ab962f ebf committed Nov 2, 2012
Showing with 56 additions and 1 deletion.
  1. +25 −1 src/passivedns.c
  2. +16 −0 src/passivedns.h
  3. +15 −0 tools/README.skip_white_black-list.txt
@@ -112,7 +112,7 @@ void got_packet(u_char * useless, const struct pcap_pkthdr *pheader,
parse_ip6(pi);
} else {
config.p_s.otherl_recv++;
- //vlog(0x3, "[*] ETHERNET TYPE : %x\n",pi->eth_hdr->eth_ip_type);
+ olog("[*] ETHERNET TYPE : %d\n", pi->eth_type);
}
config.inpacket = 0;
return;
@@ -125,6 +125,30 @@ void prepare_eth (packetinfo *pi)
pi->eth_hdr = (ether_header *) (pi->packet);
pi->eth_type = ntohs(pi->eth_hdr->eth_ip_type);
pi->eth_hlen = ETHERNET_HEADER_LEN;
+
+ if (pi->eth_type == 0 ) {
+ /* Might be linux C00ked?*/
+ struct sll_header *sllh;
+ sllh = (struct sll_header*) pi->packet;
+ switch(ntohs(sllh->sll_protocol)) {
+ /* IP */
+ case ETHERNET_TYPE_IP:
+ pi->eth_type = ETHERNET_TYPE_IP;
+ pi->eth_hlen = SLL_HDR_LEN;
+ break;
+
+ /* ARP */
+ case ETHERNET_TYPE_IPV6:
+ pi->eth_type = ETHERNET_TYPE_IPV6;
+ pi->eth_hlen = SLL_HDR_LEN;
+ break;
+
+ /* Unknown Protocol */
+ default:
+ return;
+ }
+ }
+
return;
}
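Review bot: The Linux cooked fallback in prepare_eth reads `sllh->sll_protocol` (bytes 14–15 of the frame), and before it `eth_ip_type`, with no visible check that the capture holds that many bytes, so a truncated frame leads to a read past the packet buffer; compare the captured length (`pheader->caplen` in got_packet) against `SLL_HDR_LEN` before the cast and return otherwise. Treating `eth_type == 0` as "cooked" is a guess from packet content: on an Ethernet capture a frame carrying EtherType 0 would be reparsed with a 16-byte header, so the link type is better decided once from `pcap_datalink()` returning `DLT_LINUX_SLL`. The `/* ARP */` comment sits above the `ETHERNET_TYPE_IPV6` case and should read `/* IPv6 */`. In the got_packet hunk above, the new `olog` call runs for every non-IP frame; keeping it behind the verbosity gate, `vlog(0x3, "[*] ETHERNET TYPE : 0x%04x\n", pi->eth_type);`, avoids log volume that any host on the monitored segment can drive. prepare_eth's signature lies outside the hunk.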
@@ -525,3 +525,19 @@ typedef struct _globalconfig {
int cxt_update_client(connection *cxt, packetinfo *pi);
int cxt_update_server(connection *cxt, packetinfo *pi);
+/*
+ * SLL data structure taken from tcpdump.
+ */
+#ifdef DLT_LINUX_SLL
+#define SLL_HDR_LEN 16 /* total header length */
+#define SLL_ADDRLEN 8 /* length of address field */
+
+struct sll_header {
+ u_int16_t sll_pkttype; /* packet type */
+ u_int16_t sll_hatype; /* link-layer address type */
+ u_int16_t sll_halen; /* link-layer address length */
+ u_int8_t sll_addr[SLL_ADDRLEN]; /* link-layer address */
+ u_int16_t sll_protocol; /* protocol */
+};
+#endif /* DLT_LINUX_SLL */
+
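Review bot: `struct sll_header` and `SLL_HDR_LEN` are declared only under `#ifdef DLT_LINUX_SLL`, while the new branch in prepare_eth (src/passivedns.c) uses both unconditionally, so the build breaks wherever the macro is not defined at this point, for example if this header is included before pcap.h. Either drop the guard or wrap the cooked-header branch in the same `#ifdef`. Because the struct is cast directly over packet bytes, a compile-time size check would pin the layout the parser relies on: `typedef char sll_header_size_check[(sizeof(struct sll_header) == SLL_HDR_LEN) ? 1 : -1];`.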
@@ -22,3 +22,18 @@ current.cvd.clamav.net
antivirus
\.3322\.org$
+## Stuff that you might wan to skip:
+\.ping\.clamav\.net$
+\.current\.cvd\.clamav\.net$
+-adfe2ko9\.senderbase\.org$
+\.hashserver\.cs\.trendmicro\.com$
+\.sbl-xbl\.spamhaus\.org$
+\.mail-abuse\.com$
+\.zen\.spamhaus\.org$
+\.r\.mail-abuse\.com$
+\.avqs\.mcafee\.com$
+\.channel\.facebook\.com$
+.channel\.facebook\.com$
+.channel\d{2}\.facebook\.com$
+
+
