Author: Hilko Bengen Description: urlsnarf: use timestamps from pcap file if available. Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573365 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/urlsnarf.c +++ b/urlsnarf.c @@ -36,6 +36,7 @@ u_short Opt_dns = 1; int Opt_invert = 0; regex_t *pregex = NULL; +time_t tt = 0; static void usage(void) @@ -57,9 +58,12 @@ { static char tstr[32], sign; struct tm *t, gmt; - time_t tt = time(NULL); int days, hours, tz, len; + if (!nids_params.filename) { + tt = time(NULL); + } + gmt = *gmtime(&tt); t = localtime(&tt); @@ -312,9 +316,48 @@ nids_register_chksum_ctl(&chksum_ctl, 1); - nids_run(); - - /* NOTREACHED */ + pcap_t *p; + char pcap_errbuf[PCAP_ERRBUF_SIZE]; + if (nids_params.filename == NULL) { + /* adapted from libnids.c:open_live() */ + if (strcmp(nids_params.device, "all") == 0) + nids_params.device = "any"; + p = pcap_open_live(nids_params.device, 16384, + (nids_params.promisc != 0), + 0, pcap_errbuf); + if (!p) { + fprintf(stderr, "pcap_open_live(): %s\n", + pcap_errbuf); + exit(1); + } + } + else { + p = pcap_open_offline(nids_params.filename, + pcap_errbuf); + if (!p) { + fprintf(stderr, "pcap_open_offline(%s): %s\n", + nids_params.filename, pcap_errbuf); + } + } + + struct pcap_pkthdr *h; + u_char *d; + int rc; + while ((rc = pcap_next_ex(p, &h, &d)) == 1) { + tt = h->ts.tv_sec; + nids_pcap_handler(NULL, h, d); + } + switch (rc) { + case(-2): /* end of pcap file */ + case(0): /* timeout on live capture */ + break; + case(-1): + default: + fprintf(stderr, "rc = %i\n", rc); + pcap_perror(p, "pcap_read_ex()"); + exit(1); + break; + } exit(0); }