diff --git a/ChangeLog b/ChangeLog index 8b58013..5425e6c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,22 @@ $Id$ +2011-02-25 Roy Hills + + * pkt-vlan-llc-response.pcap: New file containing an example of + an ARP reply with 802.1Q tag and LLC/SNAP framing. From a Cisco + 2621 router. + + * pkt-trailer-response.pcap: Renamed from pkt-trailer-reply.pcap. + + * check-decode: New checks for trailer response and 802.1Q/LLC + responses. + + * arp-scan.c: Modified pcap filter string to capture ARP responses + with both 802.1Q tag and LLC/SNAP framing. + + * Makefile.am: Include pkt-trailer-response.pcap and + pkt-vlan-llc-response.pcap. + 2011-02-21 Roy Hills * arp-scan.c: Modified usage() so that it can output either brief or diff --git a/Makefile.am b/Makefile.am index 3852372..29fd8bc 100644 --- a/Makefile.am +++ b/Makefile.am @@ -17,4 +17,4 @@ arp_scan_LDADD = $(LIBOBJS) dist_pkgdata_DATA = ieee-oui.txt ieee-iab.txt mac-vendor.txt # TESTS = $(dist_check_SCRIPTS) -EXTRA_DIST = pkt-simple-request.dat pkt-custom-request.dat pkt-custom-request-padding.dat pkt-custom-request-llc.dat pkt-custom-request-vlan.dat pkt-simple-response.pcap pkt-padding-response.pcap pkt-vlan-response.pcap pkt-llc-response.pcap pkt-net1921681-response.pcap +EXTRA_DIST = pkt-simple-request.dat pkt-custom-request.dat pkt-custom-request-padding.dat pkt-custom-request-llc.dat pkt-custom-request-vlan.dat pkt-simple-response.pcap pkt-padding-response.pcap pkt-vlan-response.pcap pkt-llc-response.pcap pkt-net1921681-response.pcap pkt-trailer-response.pcap pkt-vlan-llc-response.pcap diff --git a/TODO b/TODO index 7edd8de..59030d4 100644 --- a/TODO +++ b/TODO 
@@ -31,10 +31,6 @@ the IP address. Investigate response packets >60 bytes long, e.g. Windows 2003 Server and some Cisco. -Support LLC/SNAP encapsulation with 802.1Q VLAN tagging (--llc --vlan=n) and -generate the correct packet format. Currently the VLAN tag is added first, -which is incorrect. - Add XML output format. Dave's Mac gives these errors: diff --git a/arp-scan.c b/arp-scan.c index b0e4ffe..d922b07 100644 --- a/arp-scan.c +++ b/arp-scan.c @@ -272,14 +272,17 @@ main(int argc, char *argv[]) { } } /* - * The filter string selects packets addresses to our interface address - * that are either Ethernet-II ARP packets, 802.3 LLC/SNAP ARP packets - * or 802.1Q tagged ARP packets. + * The filter string selects packets addressed to our interface address + * that are Ethernet-II ARP packets, 802.3 LLC/SNAP ARP packets, + * 802.1Q tagged ARP packets or 802.1Q tagged 802.3 LLC/SNAP ARP packets. */ filter_string=make_message("ether dst %.2x:%.2x:%.2x:%.2x:%.2x:%.2x and " "(arp or (ether[14:4]=0xaaaa0300 and " "ether[20:2]=0x0806) or (ether[12:2]=0x8100 " - "and ether[16:2]=0x0806))", + "and ether[16:2]=0x0806) or " + "(ether[12:2]=0x8100 and " + "ether[18:4]=0xaaaa0300 and " + "ether[24:2]=0x0806))", interface_mac[0], interface_mac[1], interface_mac[2], interface_mac[3], interface_mac[4], interface_mac[5]); diff --git a/arp-scan.h b/arp-scan.h index 508628e..ccd3496 100644 --- a/arp-scan.h +++ b/arp-scan.h 
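Review bot: The new 802.1Q/LLC term of the filter (like the existing untagged LLC term) compares only the first byte of the three-byte SNAP OUI: `ether[18:4]=0xaaaa0300` covers DSAP, SSAP, control and OUI byte 0, so offsets 22–23 are never checked before the ethertype at 24 is accepted, and the untagged term likewise leaves offsets 18–19 unchecked; if the later decoder does not validate the full OUI itself, adding `and ether[22:2]=0x0000` to the tagged term (and `ether[18:2]=0x0000` to the untagged one) would make the filter match exactly the frames the comment describes. The byte offsets are also undocumented; a comment such as `/* tagged LLC/SNAP: TPID @12, TCI @14, 802.3 length @16, LLC+SNAP aa aa 03 00 00 00 @18, ethertype @24 */` above the make_message() call would spare the next reader from recomputing them. These offsets presumably assume the capture delivers the 802.1Q tag in-line; where a driver strips the tag into capture metadata the `ether[12:2]=0x8100` terms will not match, which is worth stating in the same comment. main() starts and ends outside the hunk.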
@@ -111,11 +111,14 @@ #endif #ifdef HAVE_PCAP_H -/* The pcap.h header file on Apple Mac OS Xcode 2.5 and later includes pcap's +/* + * The pcap.h header file on Apple Mac OS Xcode 2.5 and later includes pcap's * cut-down version of bpf.h, which defines macros that conflict with those in * the full bpf.h. To avoid the conflict, we include net/bpf.h before pcap.h * if compiling under Xcode 2.5 or later. This defines all the required macros * and prevents pcap's cut-down version from defining its own ones. + * + * 5370 is the value of __APPLE_CC__ for Xcode 2.5 on Tiger with GCC 4.0.1 */ #if defined(__APPLE_CC__) && (__APPLE_CC__ >= 5370) #include diff --git a/check-decode b/check-decode index ae410ee..096f34a 100755 --- a/check-decode +++ b/check-decode @@ -37,6 +37,8 @@ SAMPLE02="$srcdir/pkt-padding-response.pcap" SAMPLE03="$srcdir/pkt-vlan-response.pcap" SAMPLE04="$srcdir/pkt-llc-response.pcap" SAMPLE05="$srcdir/pkt-net1921681-response.pcap" +SAMPLE06="$srcdir/pkt-trailer-response.pcap" +SAMPLE07="$srcdir/pkt-vlan-llc-response.pcap" # Simple ARP response packet echo "Checking simple ARP response packet decode using $SAMPLE01 ..." 
@@ -269,3 +271,54 @@ fi
 echo "ok"
 rm -f $ARPSCANOUTPUT
 rm -f $EXAMPLEOUTPUT
+
+# Simple ARP response packet with trailer ARP reply.
+echo "Checking trailer ARP response packet decode using $SAMPLE06 ..."
+cat >$EXAMPLEOUTPUT <<_EOF_
+127.0.0.1 08:00:2b:12:34:56 DIGITAL EQUIPMENT CORPORATION
+127.0.0.1 08:00:2b:12:34:56 DIGITAL EQUIPMENT CORPORATION (ARP Proto=0x1000) (DUP: 2)
+
+_EOF_
+ARPARGS="--retry=1 --ouifile=$srcdir/ieee-oui.txt --iabfile=$srcdir/ieee-iab.txt --macfile=$srcdir/mac-vendor.txt"
+$srcdir/arp-scan $ARPARGS --readpktfromfile=$SAMPLE06 127.0.0.1 | grep -v '^Starting arp-scan ' | grep -v '^Interface: ' | grep -v '^Ending arp-scan ' | grep -v '^[0-9]* packets received ' > $ARPSCANOUTPUT 2>&1
+if test $? -ne 0; then
+ rm -f $ARPSCANOUTPUT
+ rm -f $EXAMPLEOUTPUT
+ echo "FAILED"
+ exit 1
+fi
+cmp -s $ARPSCANOUTPUT $EXAMPLEOUTPUT
+if test $? -ne 0; then
+ rm -f $ARPSCANOUTPUT
+ rm -f $EXAMPLEOUTPUT
+ echo "FAILED"
+ exit 1
+fi
+echo "ok"
+rm -f $ARPSCANOUTPUT
+rm -f $EXAMPLEOUTPUT
+
+# 802.1Q LLC ARP response packet
+echo "Checking 802.1Q LLC ARP response packet decode using $SAMPLE07 ..."
+cat >$EXAMPLEOUTPUT <<_EOF_
+127.0.0.1 08:00:2b:06:07:08 DIGITAL EQUIPMENT CORPORATION (802.2 LLC/SNAP) (802.1Q VLAN=100)
+
+_EOF_
+ARPARGS="--retry=1 --ouifile=$srcdir/ieee-oui.txt --iabfile=$srcdir/ieee-iab.txt --macfile=$srcdir/mac-vendor.txt"
+$srcdir/arp-scan $ARPARGS --readpktfromfile=$SAMPLE07 127.0.0.1 | grep -v '^Starting arp-scan ' | grep -v '^Interface: ' | grep -v '^Ending arp-scan ' | grep -v '^[0-9]* packets received ' > $ARPSCANOUTPUT 2>&1
+if test $? -ne 0; then
+ rm -f $ARPSCANOUTPUT
+ rm -f $EXAMPLEOUTPUT
+ echo "FAILED"
+ exit 1
+fi
+cmp -s $ARPSCANOUTPUT $EXAMPLEOUTPUT
+if test $? -ne 0; then
+ rm -f $ARPSCANOUTPUT
+ rm -f $EXAMPLEOUTPUT
+ echo "FAILED"
+ exit 1
+fi
+echo "ok"
+rm -f $ARPSCANOUTPUT
+rm -f $EXAMPLEOUTPUT
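Review bot: Both new checks test `$?` after a pipeline whose last command is `grep -v`, so `if test $? -ne 0` reflects only that final grep (which exits 1 when it outputs nothing), not whether arp-scan itself succeeded; an arp-scan failure is presumably caught only indirectly by the later `cmp`. The trailing `2>&1` likewise applies to that grep alone, so arp-scan's own stderr is not captured into $ARPSCANOUTPUT. This mirrors the existing checks, but for the two new blocks running arp-scan into a raw file first, e.g. `$srcdir/arp-scan $ARPARGS --readpktfromfile=$SAMPLE06 127.0.0.1 > $RAWOUTPUT 2>&1`, keeping the existing status test, and then applying the `grep -v` chain to `$RAWOUTPUT` (RAWOUTPUT being a new temp-file variable) would make the exit-status check meaningful. The identical `ARPARGS="--retry=1 ..."` assignment is also repeated in each block and could be set once before the first check.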
diff --git a/pkt-trailer-reply.pcap b/pkt-trailer-reply.pcap deleted file mode 100644 index fd76f6d..0000000 Binary files a/pkt-trailer-reply.pcap and /dev/null differ diff --git a/pkt-trailer-response.pcap b/pkt-trailer-response.pcap new file mode 100644 index 0000000..cbb646c Binary files /dev/null and b/pkt-trailer-response.pcap differ diff --git a/pkt-vlan-llc-response.pcap b/pkt-vlan-llc-response.pcap new file mode 100644 index 0000000..355e72b Binary files /dev/null and b/pkt-vlan-llc-response.pcap differ