Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: altivore.c

Altivore 0.9.3 Altivore is an alternative implementation of Carnivore. Source code is being disclosed in an effort to provide a solid foundation for debate of the technical features of Carnivore. This software contains the basic Carnivore features outlined in the FBI's solicitation for independent review of Carnivore. The basic capabilities are:
  • monitors suspect's e-mail (either headers or full content)
  • lists servers suspect accesses (FTP, HTTP, etc.)
  • full "sniffing" of suspect's IP address
  • discovery of suspect's current IP address through RADIUS logon


  • 
    /*
    Copyright (c) 2000  by Network ICE Corporation.  All rights reserved.
    The  source  code to this program  is being  publicly  disclosed  for
    purposes  of  discussion.  However,  this  source code  is not in the
    public domain (or open-source or GPL).  However,  we plan to GPL this
    code in the future.
    
    A license is hearby granted to  use this software only in cases where
    an individual monitors his/her own network traffic. If you would like
    to purchase a license for other uses of this software, please contact
    <sales@altivore.com>.  Using this software to surreptitiously monitor
    other people's data may be in violation of USC 18 2512.
    
    
    ALTIVORE v0.9.3
    
      This is a  sample program  containing  some of the  features of the
      features of the FBI's "Carnivore" program.  It is intended to serve
      as a point of discussion about Carnivore features.  It has not been
      thoroughly tested and contains numerous bugs.
    
      This may also serve as an "alternative" for ISPs who do not wish to
      install a black-box from the FBI.  Court orders demanding data from
      the  ISP do not necessarily  require that Carnivore must be used if
      the ISP is able to obtain the data in another manner.
    
      This software  may also  be useful in  network management,  such as
      backing up data or  sniffing a  consumer's  dial-up connection when
      they are reporting problems to customer support.
    
    HOW TO USE THIS SOFTWARE
    
      This software must be compiled and linked with the libpcap library.
      Libpcap  must likewise be  installed on the  system in order to for
      this to run.
    
      This  software has  been compiled  and briefly tested under Windows
      and Linux. It should run on  pretty much any system with some minor
      adjustments.
    
      Windows Compilation
    
      Download WINPCAP developers kit from: 
        http://netgroup-serv.polito.it/winpcap/
      Point the include directory to "WPdpack/include" and link  with the
      libraries "libpcap.lib", "user32.lib", and "wsock32.lib".
    
      Linux Compilation
    
      gcc altivore.c -lpcap -Ipcap -o altivore
    
      Note: libpcap broken on RedHat 6.2
    
    WHAT DATA IS COLLECTED?
    
      This  module was  written  to  match  the  FBI's  solicitation  for
      indepedent  technical review  of Carnivore  that was  published  on
      August 25, 2000.  Attachment 1  of that document describes  several
      scenarios for Carnivore usage.
    
      Throughout this document,  the term  "Alice" refers to the criminal
      suspect whose email is being monitored.  The term  "Bob"  refers to
      the person Alice  is communicating with.  The sections below can be
      copied/pasted into the file "altivore.ini", which this program uses
      to store its configuration information.
    
      [1.1 email header pen-register]
        ;Monitors all the email headers to and from Alice's
        ;account. This does not capture the "Subject:" field, 
        ;which is considered by courts to be part of the "data" 
        ;rather than the "call records". This should be 
        ;deployed on or near the email server that processes 
        ;Alice's mail.
        mode = email-headers
        email.address = alice@example.com
        logfile = alice.txt
    
      [1.2 HTTP pen-register from dial-up user]
        ;Monitors the IP address of web-sites the user visits. 
        ;A complication in this is that the user dials-up and 
        ;receives a unique IP address each time. We monitor 
        ;the dial-up password protocol known as "RADIUS" in 
        ;order to trigger when Alice logs on and in order to 
        ;find out what IP address she is using. This should be 
        ;deployed on a segment behind the bank of dialup servers 
        ;as well as where it can sniff the RADIUS packets. This
        ;version of Carnivore only monitors Accounting packets; 
        ;you may have to enable this feature in order to get 
        ;this to work right.
        mode = server-access
        radius.account = alice@example.com
        server.port = 80
        logfile = alice.csv
    
      [1.3 FTP pen-register from dial-up user]
        ;Same as above, but monitors FTP instead of HTTP.
        mode = server-access
        radius.account = alice@example.com
        server.port = 80
        logfile = alice.csv
    
      [2.1 email content-wiretap]
        ;Instead of capturing just the headers, this scenario 
        ;captures the full contents of the email
        mode = email-content
        email.address = alice@example.com
        tracefile = alice.tcp
        
      [2.2 email content-wiretap]
        ;Captures the full content to/from a specific IP 
        ;address. This is the same as running the freeware 
        ;product called TCPDUMP. Example: 
        ;    tcpdump -w tracefile.tcp host 192.0.2.189
        mode = ip-content
        ip.address = 192.0.2.189
        tracefile = alice.tcp
        
    
    DESIGN
    
      No reassembly/reordering
        This software does not support  IP fragmentation  or  TCP segment
        reordering.  As a result, it may miss some emails or accidentally
        include  segments from other people's  emails.  This is a crucial
        area  of discussion;  fragmentation issues are  an important flaw
        in many products, and is likely a flaw of Carnivore as well.
        
      Little SMTP server state
        Altivore  only monitors a  little bit of SMTP server state (it is
        impossible  to fully support  SMTP  state without  reassembly and 
        re-ording of fragments). As a result, it may indvertently capture
        email not belonging to Alice (the suspect).  For example,  if the
        system is unable to determine when an email message ends,  it may
        accidentally capture subsequent emails transfered across the same
        SMTP connection.  It is believed that  this is a problem with the
        FBI's Carnivore as well.
    
      RADIUS incomplete
        This RADIUS parsing code has only been tested at a few ISPs. This
        is a concern in some deployments  because it won't work.  One way
        arround  this is to force  RADIUS  Accounting  during  deployment.
        More work on RADIUS decoding needs to be done with Altivore.
    
      Evidence Authentication
        Evidence handling is a big concern. Altivore and Carnivore really
        should support MD5, PGP, or X.509 private-key signing in order to
        fully  authenticate files.  This would  detect later unauthorized
        tampering of the evidence.
    
    ALTIVORE VS. NETWORK ICE
    
      Network ICE is  a leading  software vendor  of products  similar to
      this technology.  The  "sniff" network traffic looking for signs of
      hacker activity in order to  protect customer networks. Our primary
      competitive advantages are our  stateful protocol decoding features
      and high-speed sniffing. This means we can monitor gigabit networks
      with full packet reassembly and application protocol state.
    
      In contrast,  Carnivore was probably written using many of the same
      short-cuts that our competitors have taken.  We've written Altivore
      using similar short-cuts  in order to demonstrate the problems with
      this approach.  We've included a small amount  of state in order to
      show why stateful inspection is needed in this class of products.
    
    */
    #include <string.h>
    #include <malloc.h>
    #include <stdlib.h>
    #include <ctype.h>
    #include <stdarg.h>
    #include <stdio.h>
    #include <sys/stat.h>
    #include <errno.h>
    
    /* Links to the libpcap library, standard library on Windows and 
     * UNIX for sniffing.*/
    #include <pcap.h>
    
    
    #define HASH_ENTRIES        1024
    #define ADD_IF_NOT_FOUND    1
    #define IGNORE_IF_NOT_FOUND 0
    #define TCP_TO_SERVER       0x100
    #define TCP_FROM_SERVER     0x000
    
    /** Maximum length of an email address. Portions of the address
     * longer than this length are ignored. */
    #define MAX_ADDRESS_LENGTH 1024
    
    /** Maximum number of recipients. More recipients than this are 
     * ignored. */
    #define MAX_RECIPIENTS 100
    
    #undef TRUE
    #define TRUE 1
    #undef FALSE
    #define FALSE 0
    
    /** For pretty printing IP addresses */
    #define _XIP(a,n) (int)(((a)>>(n))&0xFF)
    #define P_IP_ADDR(a) _XIP(a,24), _XIP(a,16), _XIP(a,8), _XIP(a,0)
    
    /**
     * TCP/IP protocol extraction stuff.
     */
    #define ex8(p,f)            ((p)[f]) 
    #define ex16(p,f)            ((p)[f] << 8 | (p)[f+1])
    #define ex32(p,f)            ((ex16(p,f)<<16) | ex16(p,f+2))
    #define IP_VERSION(p,f)            ((ex8(p,f+0) >> 4) & 0x0F)
    #define IP_SIZEOF_HDR(p,f)        ((ex8(p,f+0) & 0x0F) * 4)
    #define IP_TOTALLENGTH(p,f)        ex16(p,f+2)
    #define IP_PROTOCOL(p,f)        ex8(p,f+9)
    #define IP_SRC(p,f)                ex32(p,f+12)                
    #define IP_DST(p,f)                ex32(p,f+16)
    #define TCP_SRC(p,f)            ex16(p,f+0)
    #define TCP_DST(p,f)            ex16(p,f+2)
    #define TCP_SEQNO(p,f)            ex32(p,f+4)
    #define TCP_ACKNO(p,f)            ex32(p,f+8)
    #define TCP_FLAGS(p,f)            (ex8(p,f+13)&0x3F)
    #define TCP_SIZEOF_HDR(p,f)        (((ex8(p,f+12)>>4) & 0x0f)*4)
    #define TCP_FIN                    1
    #define TCP_SYN                    2
    #define TCP_RST                    4
    
    #define FREE(x) if (x) free(x)
    
    /**
     * A utility function for assigning strings. It solves several
     * string handling issues, such as copying over "counted strings"
     * rather than NUL-terminated strings.
     */
    static void 
    setString(char **r_str, const void *vstr, int offset, int len)
    {
        const char *str = vstr; /*kludge: avoid warnings*/
        if (*r_str)
            free(*r_str);
        if (str == NULL) {
            *r_str = NULL;
            return;
        }
        if (len == -1)
            len = strlen((const char*)str);
        *r_str = (char*)malloc(len+1);
        memcpy(*r_str, str+offset, len);
        (*r_str)[len] = '\0';
    }
    
    /** Case-insensitive memcmp() */
    static int 
    memcasecmp(const void *lhs, const void *rhs, int length)
    {
        int i;
        for (i=0; i<length; i++) {
            if (tolower(((char*)lhs)[i]) != tolower(((char*)rhs)[i]))
                return -1;
        }
        return 0;
    }
    
    /** Utility for case-insensitive comparisons*/
    static int 
    startsWith(const char lhs[], const char rhs[])
    {
        int len = strlen(lhs);
        if ((int)strlen(rhs) < len)
            len = strlen(rhs);
        return memcmp(lhs, rhs, len) == 0;
    }
    
    
    /** 
     * Encapsulates the idea of an array of nul terminated strings. Use
     * straXXXX() functions.
     */
    struct stringarray {
        char **str;
        int length;
        int max;
    };
    typedef struct stringarray stringarray;
    
    
    /** stringarray.straAddElement()
     * Appends a string onto the end of an array of strings.
     */
    void 
    straAddElement(stringarray *lhs, const char rhs[])
    {
        if (lhs->length + 1 >= lhs->max) {
            int new_max = lhs->max * 2 + 1;
            char **new_array = (char**)malloc(sizeof(char*)*(new_max));
            if (lhs->str) {
                memcpy(    new_array, 
                        lhs->str, 
                        sizeof(new_array[0])*lhs->length);
                free(lhs->str);
            }
            lhs->str = new_array;
            lhs->max = new_max;
        }
        lhs->str[lhs->length] = strdup(rhs);
        lhs->length++;
    }
    
    
    /** 
     * These are the several modes that Carnivore/Altivore can run as.
     * See the explanation above for more information on how to 
     * configure these modes.
     */
    enum {
        /** Capture the headers of email to a text file */
        mode_email_headers = 1,
    
        /** Capture just the addresses to/from Alice */
        mode_email_addresses,
    
        /** Record accesses to servers with a specific TCP port. */
        mode_server_access,
    
        /** Record the full email content for Alice's email*/
        mode_email_content,
    
        /** Record a full sniffer trace for the indicated
         * IP address. */
        mode_ip_content
    };
    #define MODE(carn, m) ((carn)->mode == m)
    static const char *modeNames[] = {"unspecified", "email-headers",
            "email-addresses", "server-access", "email-content",
            "ip-content", 0};
    
    int 
    parseMode(const char modeName[])
    {
        int i;
    
        for (i=0; modeNames[i]; i++) {
            if (strcmp(modeName, modeNames[i]) == 0)
                return i;
        }
        return 0;
    }
    
    struct intlist {
        int list[32];
        int count;
    };
    typedef struct intlist intlist;
    
    /**
     * The root object for the Carnivore system.
     */
    struct Carnivore
    {
        /** What mode of operation we are in */
        int mode;
    
        /** The name of the sniffer compatible tracefile that data will
         * be copied to (when doing full-content wiretaps).*/
        char *tracefile;
        FILE *fp_trace;
        
        /** Logfile for text information. */
        char *logfile;
    
        /** A list of IP addresses to filter for. This is used when a 
         * court order specifies IP addresses. TODO: allow ranges and
         * more IP addresses.*/
        intlist ip;
    
        /** Contains a list of ports that we will use in order to
         * monitor when a certain type of server has been accessed.
         */
        intlist port;
    
        /** TCP/IP connection table for maintaining session state*/
        struct TcpCnxn *cxTable[HASH_ENTRIES];
        int cxId;
    
        /** Whether or not we should save the last frame to a file */
        int do_filter;
    
        /** Whether or not we should remove this connection from
         * our list. */
        int do_remove;
    
        /** A list of email addresses. We compare these addresses to
         * emails as they go by in order to determine if we need to
         * make a copy. */
        stringarray email_addresses;
    
        /** A list of RADIUS account names that we should monitor
         * when doing IP wiretaps. */
        stringarray radius_accounts;
    
        /** An array of tracefiles that we will read in order to test
         * the system. They must be in tcpdump/libpcap format. */
        stringarray testinput;
    
        /** An array of adapter names that we need to open in
         * promiscuous mode. */
        stringarray interfaces;
    };
    typedef struct Carnivore Carnivore;
    
    /** 
     * Test to see if either the source or destination IP address is
     * being filtered for. If we are filtering for this IP address,
     * then we'll likely save it to a file. Note that we are doing a
     * linear search through the array on the assumption that we are
     * filtering only a few IP addresses, often just a single one.
     */
    int 
    has_integer(intlist *ip, int ip1, int ip2)
    {
        int i;
        for (i=0; i<ip->count; i++) {
            if (ip->list[i] == ip1 || ip->list[i] == ip2)
                return 1;
        }
        return 0;
    }
    
    /** Adds the specified IP address to the list of addresses that we
     * are filtering for. This may be a configured IP address or one 
     * that is auto-configured by the RADIUS parsing. */
    void 
    add_integer(intlist *ip, int ip_address)
    {
        if (ip_address == 0)
            return; /*ignore empty IP addresses*/
        if (has_integer(ip, ip_address, ip_address))
            return; /*ignore duplicates*/
        if (ip->count < sizeof(ip->list)/sizeof(int)) {
            ip->list[ip->count] = ip_address;
            ip->count++;
        }
    }
    
    /** Delete an IP address from the list of filters. This is called
     * when the RADIUS parsing determines that the monitored user has
     * hung up. */
    void 
    del_integer(intlist *ip, int ip_address) 
    {
        int i;
        for (i=0; i<ip->count; i++) {
            if (ip->list[i] == ip_address) {
                memmove(ip->list+i, ip->list+i+1, 
                                (ip->count - i - 1)*sizeof(int));
                ip->count--;
            }
        }
    }
    
    
    
    /** matchName()
     * Tests to see if the desired email address should be filtered
     * for. This is presumably the email address of somebody that we
     * have a court-order to  monitor.
     */
    int 
    matchName(const char addr[], int addr_len, stringarray *list)
    {
        int i;
        if (addr == NULL)
            return 0;
        for (i=0; i<list->length; i++) {
            int lhs_len = strlen(list->str[i]);
            if (list->str[i][0] == '*') {
                /*match end of string, e.g. allow specification of
                 * "*@suspect.com" to match any emails for a domain*/
                if (addr_len >= lhs_len - 1) {
                    const char *new_lhs = list->str[i]+1;
                    const char *new_addr = addr+addr_len-lhs_len+1;
                    if (memcasecmp(new_lhs, new_addr, lhs_len-1) == 0)
                        return TRUE;
                }
            }
            else if (addr_len == lhs_len 
                    && memcasecmp(list->str[i], addr, addr_len) == 0)
                return TRUE;
        }
        return FALSE;
    }
    
    
    /**
     * A TCP connection entry. We maintain one of these for every
     * outstanding connection that we might be tracking. This contains
     * the basic TCP info, as well as some higher level protocol info
     * for SMTP.
     */
    struct TcpCnxn
    {
        /** Each new connection is identified with a unique ID */
        int msg_id;
        int server_ip;
        int client_ip;
        int server_port;
        int client_port;
        int server_seqno;
        int client_seqno;
        struct TcpCnxn *next;
        time_t creation_time;
        char *sender;
        int sender_matches;
        char *recipient;
        stringarray recipients;
        
        /** Whether or not we should save the email message for this
         * connection. */
        int do_filter;
    
        /** Whether we should filter this one frame. We need this in
         * order to capture the trailing dot that ends an email message. 
         */
        int filter_one_frame;
    
        /** Whether or not we should remove this connection entry at
         * the next opportunity. */
        int do_remove;
    
        /** Whether we are parsing the 'envelope' or the message
         * itself. */
        int state;
    };
    typedef struct TcpCnxn TcpCnxn;
    
    
    /**
     * Create a hash entry for our table. The hash entry is based
     * only on the IP addresses and port numbers. The exact
     * hash algorithm is unimportant, and should be adjusted over
     * time to produce the best results. Note that since we've
     * already converted the (src,dst) to (srvr,clnt), we don't
     * need to make the hash symmetric.
     */
    int 
    cxHash(TcpCnxn *cx)
    {
        int result = 0;
        result = abs((cx->server_ip ^ (cx->client_ip*2)) 
                    ^ ((cx->server_port<<16) | cx->client_port));
        return result % HASH_ENTRIES;
    }
    
    
    /**
     * Compares two connection objects in order to see if they are the 
     * same one. Only IP address and TCP port info is used in this 
     * comparison.
     */
    int 
    cxEquals(TcpCnxn *lhs, TcpCnxn *rhs)
    {
        if (lhs->server_ip != rhs->server_ip)
            return 0;
        if (lhs->client_ip != rhs->client_ip)
            return 0;
        if (lhs->server_port != rhs->server_port)
            return 0;
        if (lhs->client_port != rhs->client_port)
            return 0;
        return 1;
    }
    
    
    /**
     * Looks up a TCP connection object within our table. If not found,
     * it may add it (depending upon a parameter).
     * @param carn
     *        This object.
     * @param rhs
     *        A copy of the connection object we are looking up (we simply
     *        pull out the address/ports from this to compare them).
     * @param add_if_not_found
     *        Whether we should add a new connection object if we cannot
     *        find an    existing one. It is important that we only add
     *        connection objects during a SYN/SYN-ACK in order to avoid
     *        accidentally getting state in the middle of the connection.
     */
    TcpCnxn *
    cxLookup(Carnivore *carn, TcpCnxn *rhs, int add_if_not_found)
    {
        int h = cxHash(rhs);
        TcpCnxn **r_cx = &carn->cxTable[h];
        
        for (;;) {
            if (*r_cx == NULL) {
                /* The connection object wasn't found. If this was
                 * a SYN or SYN-ACK, then we'll need to add this
                 * connection. */
                if (add_if_not_found) {
                    *r_cx = (TcpCnxn*)malloc(sizeof(TcpCnxn));
                    memset(*r_cx, 0, sizeof(**r_cx));
                    (*r_cx)->server_ip = rhs->server_ip;
                    (*r_cx)->client_ip = rhs->client_ip;
                    (*r_cx)->server_port = rhs->server_port;
                    (*r_cx)->client_port = rhs->client_port;
                    (*r_cx)->server_seqno = rhs->server_seqno;
                    (*r_cx)->client_seqno = rhs->client_seqno;
                    (*r_cx)->creation_time = time(0);
                }
                return *r_cx;
            }
    
            if (cxEquals(*r_cx, rhs))
                return *r_cx;
            else
                r_cx = &(*r_cx)->next;
        }
    }
    
    
    /**
     * Resets the SMTP protocol info back to a known state. It is
     * important that this be as delicate as possible: it should reset
     * data at the slightest provocation in order to avoid accidentally
     * capturing somebody else's email.
     */
    void 
    cxResetMsg(TcpCnxn *cx)
    {
        cx->do_filter = FALSE; /*don't capture these emails*/
        if (cx->sender) {
            free(cx->sender);
            cx->sender = NULL;
        }
        cx->sender_matches = FALSE;
        if (cx->recipients.length) {
            int i;
            for (i=0; i<cx->recipients.length; i++)
                free(cx->recipients.str[i]);
            free(cx->recipients.str);
            cx->recipients.str = NULL;
            memset(&cx->recipients, 0, sizeof(cx->recipients));
        }
    }
    
    
    /**
     * Removes a TCP connection object from our table. This is called
     * whenever we reach the end of SMTP processing, the TCP connection
     * closes, or when we timeout and clean up a connection.
     */
    void 
    cxRemove(Carnivore *carn, TcpCnxn *rhs)
    {
        int h = cxHash(rhs);
        TcpCnxn **r_cx = &carn->cxTable[h];
        for (;;) {
            if (*r_cx == NULL)
                break; /*not found*/
            else if (cxEquals(*r_cx, rhs)) {
                TcpCnxn *cx = *r_cx;
                *r_cx = cx->next;
                cxResetMsg(cx);
                free(cx);
                break;
            }
            else
                r_cx = &(*r_cx)->next;
        }
    }
    
    
    /** Writes a little-endian integer to the buffer */
    void 
    writeint(unsigned char hdr[], int offset, int x)
    {
        hdr[offset+0] = (unsigned char)(x>>0);
        hdr[offset+1] = (unsigned char)(x>>8);
        hdr[offset+2] = (unsigned char)(x>>16);
        hdr[offset+3] = (unsigned char)(x>>24);
    }
    
    
    /**
     * Saves the current packet to a TCPDUMP compatible file. Note
     * that I could use the built-in libpcap file saving mechanism
     * but I want to eventually at digital-signatures, so I'll be
     * doing strange stuff with the file in the future.
     */
    void 
    carnSavePacket(Carnivore *carn, const unsigned char buf[], 
            int orig_len, time_t timestamp, int usecs)
    {
        unsigned char hdr[16];
        int snap_len = orig_len;
    
        /* We were triggered to save the frame, now turn this off.
         * The SMTP state engine will have to revalidate the next
         * packet in order to make sure we should be saving it. */
        carn->do_filter = FALSE;
    
        /* Exit from this function (without saving content) if we
         * are not running in the appropriate mode.*/
        switch (carn->mode) {
        case mode_email_content:
        case mode_ip_content:
            break;
        default:
            return;
        }
        if (carn->tracefile == NULL)
            return; /*no filename*/
    
        /*Open the tracefile if need be*/
        if (carn->fp_trace == NULL) {
            struct stat s = {0};
            if (stat(carn->tracefile, &s) == 0)    {
                /*Ooops, it already exists. Maybe we crashed before? 
                 * We should not put the header on the file if it 
                 * already exists */
                carn->fp_trace = fopen(carn->tracefile, "a+b");
            } else {
                /*Create a new one.*/
                carn->fp_trace = fopen(carn->tracefile, "wb");
                if (carn->fp_trace) {
                    /*create a file header*/
                    static const char *foo = 
                            "\xD4\xC3\xB2\xA1" /*MAGIC*/
                            "\x02\x00\x04\x00" /*major/minor version*/
                            "\x00\x00\x00\x00" /*this timezone (GMT)*/
                            "\x00\x00\x00\x00" /*sig figs */
                            "\xDC\x05\x00\x00" /*snap length*/
                            "\x01\x00\x00\x00"; /*link type*/
                    if (fwrite(foo, 1, 24, carn->fp_trace) != 24) {
                        int xxx = errno;
                        fclose(carn->fp_trace);
                        carn->fp_trace = NULL;
                        errno = xxx;
                    }
                }
            }
            if (carn->fp_trace == NULL) {
                perror(carn->tracefile);
                return;
            }
        }
    
        /* Write the frame to the file */
        writeint(hdr, 0, ((int)timestamp));
        writeint(hdr, 4, usecs);        /*microseconds*/
        writeint(hdr, 8, snap_len);        /*snapped size of frame*/
        writeint(hdr, 12, orig_len);    /*original size of frame*/
    
        fwrite(hdr, 1, 16, carn->fp_trace);
        fwrite(buf, 1, snap_len, carn->fp_trace);
    }
    
    
    /**
     * Prints some text to the logfile.
     */
    void 
    logprint(Carnivore *carn, const char fmt[], ...)
    {
        FILE *fp;
        struct stat s = {0};
        va_list marker;
    
        if (carn->logfile == NULL)
            return;
        if (stat(carn->logfile,&s) == 0)
            fp = fopen(carn->logfile, "a");
        else
            fp = fopen(carn->logfile, "w");
        if (fp == NULL) {
            perror(carn->logfile);
            return;
        }
    
        va_start(marker, fmt);
        vfprintf(fp, fmt, marker);
        va_end(marker);
    
        fclose(fp);
    }
    
    /**
     * For logging purposes, we frequently need to grab the current
     * time. This function formats the current GMT time in ISO
     * format. BUG: the time should really be retrieved from the 
     * packet, not the system time (in case we read from tracefiles
     * rather the live network).
     */
    void 
    formatNow(char tbuf[], int sizeof_tbuf)
    {
        time_t now = time(0);
        struct tm *tmptr = gmtime(&now); /*must be GMT*/
        if (tmptr == NULL)
            strcpy(tbuf, "err");
        else
            strftime(tbuf, sizeof_tbuf, "%Y-%m-%d %H:%M:%S", tmptr);
    }
    
    
    /**
     * This function captures just the email addresses.
     */
    void 
    carnPenEmail(Carnivore *carn, const char sender[],
                const unsigned char rcpt[], int offset, int length)
    {
        char tbuf[64];
    
        if (!MODE(carn, mode_email_addresses))
            return; /*not recording email addresses*/
    
        if (carn->logfile == NULL)
            return; /*no logfile specified by user*/
    
        if (sender == NULL)
            sender = "(nul)";
        
        /*format time: eg. 2000-08-24 08:23:59*/
        formatNow(tbuf, sizeof(tbuf));
        logprint(carn, "%s, %s, %.*s\n", tbuf, sender,
                                            length, rcpt+offset);
        printf("%s, %s, %.*s\n", tbuf, sender,
                                            length, rcpt+offset);
    }
    
    
    
    
    enum {
        parsing_envelope, parsing_message
    };
    
    
    /**
     * Tests to see if the TCP packet data starts with the specified
     * command.
     */
    int 
    SMTP_COMMAND(const unsigned char buf[], int offset, 
                                    int max_offset, const char cmd[])
    {
        int cmd_length = strlen(cmd);
        int line_length = max_offset-offset;
    
        if (line_length < cmd_length)
            return FALSE;
        if (memcasecmp(buf+offset, cmd, cmd_length) != 0)
            return FALSE;
        offset += cmd_length;
    
        /*TODO: test for some boundary conditions*/
        return TRUE;
    }
    
    /**
     * Tests to see if the email body contains a dot '.' on a blank
     * line by itself.
     */
    int 
    SMTP_IS_DOT(const unsigned char buf[], int offset, int max_offset)
    {
        int i;
        char last_char = '\0';
    
        for (i=offset; i<max_offset; i++) {
            char c = buf[i];
            if (c == '.') {
                if (i+1 < max_offset 
                    && (buf[i+1] == '\n' || buf[i+1] == '\r')
                    && (last_char == '\n' || last_char == '\r')) {
                    return TRUE;
                }
            }
            last_char = c;
        }
        return FALSE;
    }
    
    
    static const char *MAIL_FROM = "MAIL FROM:";
    static const char *RCPT_TO = "RCPT TO:";
    
    
    /**
     * Processes the email address in a RCPT TO: or MAIL FROM:
     */
    void 
    match_email(Carnivore *carn, const char *cmd,
            const unsigned char buf[], int offset, int max_offset, 
                                                    TcpCnxn *cx)
    {
        int length = -1;
        int address_matched = FALSE;
    
    
        /* See if this starts with RCPT TO: or MAIL FROM:, and then
         * skip beyond it. */
        if (!SMTP_COMMAND(buf, offset, max_offset, cmd))
            return;
        offset += strlen(cmd);
    
        /* Skip beyond leading whitespace and the initial '<' character
         * (if they exist). */
        while (offset < max_offset 
            && (isspace(buf[offset]) || buf[offset] == '<'))
            offset++;
    
        /* Figure out how long the email address is */
        for (length=0; offset+length<max_offset; length++) {
            char c = (char)buf[offset+length];
            if (c == '\r' || c == '\n' || c == '>')
                break;
        }
        if (length < 0)
            return;
    
        if (MODE(carn, mode_email_addresses) && cmd == MAIL_FROM ) {
            /* If we are doing a pen-register style capturing of email
             * addresses, then save off the SOURCE email address. */
            if (cx->sender)
                free(cx->sender);
            cx->sender = (char*)malloc(length+1);
            memcpy(cx->sender, buf+offset, length);
            cx->sender[length] = '\0';
        }
    
        /* See if the email addresses match */
        if (matchName((char*)buf+offset, length, 
                                            &carn->email_addresses)) {
            cx->do_filter = TRUE;
            address_matched = TRUE;
        }
    
        if (cmd == MAIL_FROM) {
            if (address_matched)
                cx->sender_matches = TRUE;
        } else if (cmd == RCPT_TO) {
            if (address_matched || cx->sender_matches)
                carnPenEmail(carn, cx->sender, buf, offset, length);
        }
    }
    
    
    /**
     * Read the number of remaining characters in the line.
     */
    int 
    readLine(const unsigned char buf[], int offset, int max_offset)
    {
        int length = 0;
        while (offset + length < max_offset) {
            char c = buf[offset+length];
            length++;
            if (c == '\n')
                break;
        }
        return length;
    }
    
    /**
     * Examine the line from the packet in order to determine whether
     * it constitutes a legal RFC822 email header. We stop processing
     * data at the end of the headers.
     */
    int 
    isEmailHeader(const unsigned char buf[], int offset, int max_offset)
    {
        int leading_space = 0;
        int saw_colon = 0;
    
        while (offset < max_offset && isspace(buf[offset])) {
            offset++; /*strip leading whitespace*/
            leading_space++;
        }
    
        if (offset >= max_offset)
            return FALSE; /*empty lines are not a header*/
    
        if (buf[offset] == '>')
            return FALSE;
    
        while (offset < max_offset) {
            if (buf[offset] == ':')
                saw_colon = TRUE;
            offset++;
        }
    
        if (saw_colon)
            return TRUE;
        if (leading_space)
            return TRUE;
        return FALSE;
    }
    
    
    /**
     * This function processes a single TCP segment sent by the client
     * to the SMTP server.
     */
    int 
    sniffSmtp(Carnivore *carn, TcpCnxn *rhs, int tcp_flags, 
                  const unsigned char buf[], int offset, int max_offset)
    {
        TcpCnxn *cx;
        int length;
    
        /* Lookup the TCP connection record to see if we are saving 
         * packets on the indicated TCP connection. */
        cx = cxLookup(carn, rhs, IGNORE_IF_NOT_FOUND);
    
        /* Process data within this TCP segment */
        length = max_offset - offset;
        if (length > 0) {
    
            if (cx == NULL) {
                /* Add a record for this connection whenever we see a
                 * an address in an envelope. */
                if (SMTP_COMMAND(buf, offset, max_offset, "RCPT TO:"))
                    cx = cxLookup(carn, rhs, ADD_IF_NOT_FOUND);
                if (SMTP_COMMAND(buf, offset, max_offset, "MAIL FROM:"))
                    cx = cxLookup(carn, rhs, ADD_IF_NOT_FOUND);
            } 
            
            if (cx != NULL) {
                switch (cx->state) {
                case parsing_envelope:
                    match_email(carn, MAIL_FROM,
                                        buf, offset, max_offset, cx);
    
                    match_email(carn, RCPT_TO,
                                        buf, offset, max_offset, cx);
    
                    if (SMTP_COMMAND(buf, offset, max_offset, "DATA")) {
                        if (cx->do_filter)
                            cx->state = parsing_message;
                        else
                            cx->do_remove = TRUE;
                    }
                    if (SMTP_COMMAND(buf, offset, max_offset, "QUIT"))
                        cx->do_remove = TRUE;
                    if (SMTP_COMMAND(buf, offset, max_offset, "RSET"))
                        cx->do_remove = TRUE;
                    if (SMTP_COMMAND(buf, offset, max_offset, "ERST"))
                        cx->do_remove = TRUE;
                    break;
                case parsing_message:
                    if (MODE(carn, mode_email_headers)) {
                        int i;
                        char tbuf[64];
                        formatNow(tbuf, sizeof(tbuf));
                        logprint(carn, "--- %08X->%08X %s ---\n", 
                            cx->client_ip, cx->server_ip, tbuf);
    
                        /*Parse just the headers from the first packet*/
                        for (i=offset; i<max_offset; i++) {
                            int len;
                            len = readLine(buf, offset, max_offset);
                            if (!isEmailHeader(buf, offset, offset+len))
                                break;
                            if (len > 8 && 
                              startsWith((char*)buf+offset, "Subject:"))
                                logprint(carn, "Subject: <removed>\n");
                            else {
                                /*Write line to log file*/
                                logprint(carn, "%.*s", len, buf+offset);
                            }
                            offset += len;
                        }
                        logprint(carn,"---EOM---\n");
                        cx->do_remove = TRUE;
                        cx->do_filter = FALSE;
                        carn->do_filter = FALSE;
                    }
                    if (SMTP_IS_DOT(buf, offset, max_offset))
                        cx->do_remove = TRUE;
                    break;
                }
            }
        }
    
        if (cx) {
        
            if (cx->do_filter)
                carn->do_filter = TRUE;
    
            if (cx->filter_one_frame) {
                carn->do_filter = TRUE;
                cx->filter_one_frame = FALSE;
            }
    
            if (cx->do_remove 
                || (tcp_flags & TCP_RST) || (tcp_flags & TCP_FIN))
                cxRemove(carn, rhs);
        }
    
        return 0;
    }
    
    
    /**
     * RADIUS protocol information we parse out of a packet. In the
     * future versions of this software, we are going to need to
     * store these records over time; for now, we just parse the
     * protocol into this normalized structure.
     */
    struct RadiusRecord
    {
        int radius_client;
        int radius_server;
        int nas_ip;
        int nas_port;
        int direction;
        int code;
        int xid;
        int status;
        char *user_name;
        char *caller_id;
        char *called_phone;
        char *session_id;
        int ip_address;
        int session_duration;
    };
    typedef struct RadiusRecord RadiusRecord;
    
    /** Frees the allocated information */
    void 
    radFree(RadiusRecord *rad)
    {
        FREE(rad->user_name);
        FREE(rad->caller_id);
        FREE(rad->called_phone);
        FREE(rad->session_id);
    }
    
    
    /**
     * Process a single RADIUS command that we saw on the network.
     * For right now, we are primarily going to process radius
     * accounting packets, as these are the ones most likely to give
     * us solid information.
     */
    void 
    radProcess(Carnivore *carn, RadiusRecord *rad)
    {
        enum {account_start=1, account_stop=2};
        if (rad->code == 4 || rad->code == 5) {
            /* ACCOUNTING packet: This packet contains an accounting
             * record. Accounting records will often contains IP address
             * assignments that normal authentication packets won't.*/
            if (rad->user_name && matchName(rad->user_name, 
                    strlen(rad->user_name), &carn->radius_accounts)) {
                /* Found Alice! Therefore, we going add add Alice's
                 * IP address to the list of IP addresses currently
                 * being filtered. Conversely, if this is a stop
                 * packet, then we will delete the IP address from
                 * our list. */
                if (rad->status == account_start)
                    add_integer(&carn->ip, rad->ip_address);
                else {
                    /* Default: any unknown accounting message should
                     * trigger us to stop capturing data. If we make a
                     * mistake, we should err on the side of not
                     * collecting data. */
                    del_integer(&carn->ip, rad->ip_address);
                }
                carn->do_filter = TRUE; /*capture this packet*/
            }
    
            /* Double-check: Look to see if the IP address belongs to
             * another person.*/
            else if (has_integer(&carn->ip, rad->ip_address, 0)) {
                /* The names did not match, yet we have seen some sort 
                 * of packet dealing with the account that we are 
                 * monitoring. This is bad -- it indicates that we might
                 * have dropped a packet somewhere. Therefore, we are
                 * going to immediately drop this packet.*/
                del_integer(&carn->ip, rad->ip_address);
                carn->do_filter = TRUE; /*capture this packet*/
            }
        }
    
    }
    
    
    /**
     * This function sniffs RADIUS packets off the network, then passes
     * the processed RADIUS information to another function that
     * deals with the content.
     */
    int 
    sniffRadius(Carnivore *carn, int ip_src, int ip_dst,
                  const unsigned char buf[], int offset, int max_offset)
    {
        RadiusRecord recx = {0};
        RadiusRecord *rad = &recx;
        const static int minimum_length = 20;
        int code;
        int xid;
        int radius_length;
        int i;
    
        if (carn->radius_accounts.length == 0)
            return 0; /*not scanning radius*/
    
        if (max_offset - offset <= minimum_length)
            return 0; /*corrupt*/
    
        /* Parse the RADIUS header info and verify */
        code = ex8(buf, offset+0);
        if (code < 1 || code > 5)
            return 0; /*unknown command/operationg*/
        xid = ex8(buf, offset+1);
        radius_length = ex16(buf, offset+2);
        if (offset + radius_length > max_offset)
            return 0; /*packet corrupt*/
        else if (offset + radius_length < minimum_length)
            return 0; /*packet corrupt*/
        else if (max_offset > offset + radius_length)
            max_offset = offset + radius_length; /*ignore padding*/
    
        /* Verify the attributes field */
        for (i=offset+minimum_length; i<max_offset-2; /*nul*/) {
            /*int type = buf[i];*/
            int len = buf[i+1];
            if (i+len > max_offset)
                return 0;
            i += len;
        }
    
    
        /* Grab the IP addresses of the client (the Network Access
         * Server like Livingston) and the RADIUS authentication
         * server. */
        if (code == 1 || code == 4) {
            rad->radius_client = ip_src;
            rad->radius_server = ip_dst;
        } else {
            rad->radius_client = ip_dst;
            rad->radius_server = ip_src;
        }
        rad->code = code;
        rad->xid = xid;
    
        /* Parse the attributes field */
        for (i=offset+minimum_length; i<max_offset-2; ) {
            int type = buf[i];
            int len = buf[i+1];
            int data_offset = i+2;
            if (i+len > max_offset)
                break;
            i += len;
            len -= 2;
    
            switch (type) {
            case 1: /*User-Name*/
                /*Lots of names appear to have a trailing nul that we
                 *should strip from the end of the name.*/
                if (len > 1 && buf[data_offset+len-1] == '\0')
                    len--;
                setString(&rad->user_name, buf, data_offset, len);
                break;
            case 2: /*User-Password*/
                break;
            case 4: /*NAS-IP-Address*/
                rad->nas_ip = ex32(buf,data_offset);
                break;
            case 5: /*NAS-Port*/
                rad->nas_port = ex32(buf,data_offset);
                break;
            case 8: /*Framed-IP-Address*/
                rad->ip_address = ex32(buf,data_offset);
                break;
            case 19: /*Callback-Number*/
            case 20: /*Callback-Id*/
                /*TODO: sounds like something we might want to record*/
                break;
            case 30: /*Called-Station-Id*/
                /*Find out the phone number of the NAS. This could be
                 *important in cases where the evidence will later be
                 *correlated with phone records.*/
                setString(&rad->called_phone, buf, data_offset, len);
                break;
            case 31: /*Calling-Station-Id*/
                /*True "trap-and-trace"! Assuming that caller-id is 
                 *enabled, this will reveal the phone number of the 
                 *person dialing in.*/
                setString(&rad->caller_id, buf, data_offset, len);
                break;
            case 40: /*Acct-Status-Type*/
                /*When scanning accounting packets, this is critical in
                 *order to be able to detect when the service starts and
                 *stops.*/
                rad->status = ex32(buf,data_offset);
                if (rad->status < 1 || 8 < rad->status)
                    rad->status = 2; /*STOP if unknown*/
                break;
            case 44: /*Acct-Session-Id*/
                setString(&rad->session_id, buf, data_offset, len);
                break;
            case 46: /*Acct-Session-Time*/
                /*Could be interesting information to collect*/
                if (len == 4)
                    rad->session_duration = ex32(buf,data_offset);
                break;
            }
        }
    
        /* The data was parsed from the RADIUS packet, now process that
         * data in order to trigger on the suspect.*/
        radProcess(carn, rad);
        radFree(rad);
        return 0;
    }
    
    struct iphdr {
        int offset;
        int proto;
        int src;
        int dst;
        int data_offset;
        int max_offset;
    };
    struct tcphdr {
        int offset;
        int src;
        int dst;
        int seqno;
        int ackno;
        int flags;
        int data_offset;
    };
    
    
    /**
     * This packet is called for each packet received from the wire
     * (or from test input). This function will parse the packet into
     * the consituent IP and TCP headers, then find which stream the
     * packet belongs to, then parse the remaining data according
     * to that stream.
     */
    int 
    sniffPacket(Carnivore *carn, const unsigned char buf[], 
                    int max_offset, time_t timestamp, int usecs)
    {
        struct iphdr ip;
        struct tcphdr tcp;
        TcpCnxn cn;
        
        /* Make sure that we have a frame long enough to hold the
         * Ethernet(14), IP(20), and UDP(8) or TCP(20) headers */
        if (max_offset < 14 + 20 + 20)
            return 1; /* packet fragment too small */
    
        if (ex16(buf,12) != 0x0800)
            return 1; /*not IP ethertype */
    
        /*IP*/
        ip.offset = 14; /*sizeof ethernet_header*/
        if (IP_VERSION(buf,ip.offset) != 4)
            return 1;
        ip.proto = IP_PROTOCOL(buf,ip.offset);
        ip.src = IP_SRC(buf,ip.offset);
        ip.dst = IP_DST(buf,ip.offset);
        ip.data_offset = ip.offset + IP_SIZEOF_HDR(buf,ip.offset);
        if (max_offset > IP_TOTALLENGTH(buf,ip.offset) + ip.offset)
            ip.max_offset = IP_TOTALLENGTH(buf,ip.offset) + ip.offset;
        else
            ip.max_offset = max_offset;
    
        /* If sniffing somebody's IP address, then sift for it */
        if (MODE(carn, mode_ip_content)
                            && has_integer(&carn->ip, ip.src, ip.dst))
            carn->do_filter = TRUE;
    
        if (ip.proto == 6) {
            /*TCP*/
            tcp.offset = ip.data_offset;
            tcp.dst = TCP_DST(buf,tcp.offset);
            tcp.src = TCP_SRC(buf,tcp.offset);
            tcp.flags = TCP_FLAGS(buf,tcp.offset);
            tcp.seqno = TCP_SEQNO(buf,tcp.offset);
            tcp.ackno = TCP_ACKNO(buf,tcp.offset);
            tcp.data_offset = tcp.offset 
                                    + TCP_SIZEOF_HDR(buf,tcp.offset);
    
            if (MODE(carn, mode_server_access)) {
                /* We are watching for when the user attempts to access
                 * servers of a specific type (HTTP, FTP, etc.). This
                 * only tracks SYNs; though we could change the code
                 * to track all packets. */
                if ((tcp.flags & TCP_SYN)
                    && has_integer(&carn->ip, ip.src, ip.src)
                    && has_integer(&carn->ip, tcp.dst, tcp.dst)) {
                    char tbuf[64];
                    formatNow(tbuf, sizeof(tbuf));
                    logprint(carn, "%s, %d.%d.%d.%d, %d.%d.%d.%d, %d\n",
                        tbuf, P_IP_ADDR(ip.src), P_IP_ADDR(ip.dst),
                        tcp.dst);
                }
            }
            else
            switch (tcp.dst) {
            case 25:
                cn.server_ip = ip.dst;
                cn.client_ip = ip.src;
                cn.server_port = tcp.dst;
                cn.client_port = tcp.src;
                cn.server_seqno = tcp.ackno;
                cn.client_seqno = tcp.seqno;
                sniffSmtp(carn, &cn, tcp.flags | TCP_TO_SERVER, 
                                buf, tcp.data_offset, ip.max_offset);
                break;
            }
        } else if (ip.proto == 17) {
            /*UDP*/
            tcp.offset = ip.data_offset;
            tcp.dst = TCP_DST(buf,tcp.offset);
            tcp.src = TCP_SRC(buf,tcp.offset);
            tcp.data_offset = tcp.offset + 8;
            if (tcp.dst == 1812 || tcp.dst == 1813 
                || tcp.dst == 1645 || tcp.dst == 1646
                || tcp.src == 1812 || tcp.src == 1813 
                || tcp.src == 1645 || tcp.src == 1646) {
                /* This looks like a RADIUS packet, either using the
                 * old port number or the new one. We are going to 
                 * track both RADIUS authentication packets as well
                 * as accounting packets (depending upon whwere we
                 * are tapped into the network, we might see one,
                 * the other, or both).*/
                sniffRadius(carn, ip.src, ip.dst, 
                                buf, tcp.data_offset, ip.max_offset);
            }
    
        }
    
        /* If one of the filters was successful, then save this packet
         * to the tracefile. This is only done*/
        if (carn->do_filter)
            carnSavePacket(carn, buf, max_offset, timestamp, usecs);
    
        return 0;
    }
    
    
    /**
     * A callback function that handles each packet as the 'libpcap'
     * subsystem receives it from the network.
     */
    void pcapHandlePacket(unsigned char *carn, 
        const struct pcap_pkthdr *framehdr, const unsigned char *buf)
    {
        int max_offset = framehdr->caplen;
        sniffPacket((Carnivore*)carn, buf, max_offset, 
            framehdr->ts.tv_sec, framehdr->ts.tv_usec);
    }
    
    
    
    
    
    /**
     * Sets the mode of operation according to the input parameter.
     */
    void 
    carnSetMode(Carnivore *carn, const char *value)
    {
        if (startsWith(value, "email-head"))
            carn->mode = mode_email_headers;
        else if (startsWith(value, "email-addr"))
            carn->mode = mode_email_headers;
        else if (startsWith(value, "server-access"))
            carn->mode = mode_server_access;
        else if (startsWith(value, "email-content"))
            carn->mode = mode_email_content;
        else if (startsWith(value, "ip-content"))
            carn->mode = mode_ip_content;
        else
            carn->mode = -1;
    }
    
    /**
     * Parses the IP address. I use this rather than the sockets
     * inet_addr() for portability reasons. 
     */
    int 
    my_inet_addr(const char addr[])
    {
        int num = 0;
        int offset=0;
    
        while (addr[offset] && !isalnum(addr[offset]))
            offset++;
    
        for (; addr[offset]; offset++) {
            char c = addr[offset];
            if (isdigit(c))
                num = (num&0xFFFFFF00) | (((num&0xFF)*10) + (c - '0'));
            else if (c == '.')
                num <<= 8;
            else
                break;
        }
    
        return num;
    }
    
    
    /**
     * Reads in the configuration from a a file such as "altivore.ini".
     */
    void 
    carnReadConfiguration(Carnivore *carn, const char filename[])
    {
        FILE *fp;
        
        fp = fopen(filename, "r");
        if (fp == NULL)
            perror(filename);
        else {
            char line[1024];
    
            /* For all lines within the file */
            while (fgets(line, sizeof(line), fp)) {
                char *name = line;
                char *value;
                while (*name && isspace(*name))
                    name++; /*strip leading whitespace*/
                if (*name == '\0' || ispunct(*name))
                    continue;/*ignore blank lines and comments*/
                value = strchr(name, '=');
                if (value == NULL)
                    continue; /*ignore when no equals sign*/
                else 
                    value++; /*skip the equals itself*/
                while (*value && isspace(*value))
                    value++; /*strip leading whitespace*/
                while (*value && isspace(value[strlen(value)-1]))
                    value[strlen(value)-1] = '\0'; /*strip trailing WS*/
    
                if (startsWith(name, "mode"))
                    carn->mode = parseMode(value);
                else if (startsWith(name, "email.address"))
                    straAddElement(&carn->email_addresses, value);
                else if (startsWith(name, "radius.account"))
                    straAddElement(&carn->radius_accounts, value);
                else if (startsWith(name, "ip.address"))
                    add_integer(&carn->ip, my_inet_addr(value));
                else if (startsWith(name, "tracefile")) 
                    setString(&carn->tracefile, value, 0, -1);
                else if (startsWith(name, "logfile"))
                    setString(&carn->logfile, value, 0, -1);
                else if (startsWith(name, "testinput"))
                    straAddElement(&carn->testinput, value);
                else if (startsWith(name, "interface"))
                    straAddElement(&carn->interfaces, value);
                else if (startsWith(name, "server.port"))
                    add_integer(&carn->ip, strtol(value,0,0));
                else
                    fprintf(stderr, "bad param: %s\n", line);
            }
            fclose(fp);
        }
    }
    
    
    /**
     * Process a test input file.
     */
    void 
    processFile(Carnivore *carn, const char filename[])
    {
        char errbuf[1024]; /*TODO: how long should this be?*/
        pcap_t *hPcap;
        
        /* Open the file */
        hPcap = pcap_open_offline(filename, errbuf);
        if (hPcap == NULL) {
            fprintf(stderr, "%s: %s\n", filename, errbuf);
            return; /*ignore this file and go onto next*/
        }
    
        /* Pump packets through it */
        for (;;) {
            int packets_read = pcap_dispatch(
                                    hPcap, /*handle to PCAP*/
                                    10,        /*next 10 packets*/
                                    pcapHandlePacket, /*callback*/
                                    (unsigned char*)carn /*canivore*/
                                    );
            if (packets_read == 0)
                break;
        }
    
        /* Close the file and go onto the next one */
        pcap_close(hPcap);
    }
    
    
    /**
     * Sniff the wire for packets and process them using the libpcap
     * interface
     */
    void 
    processPackets(Carnivore *carn, const char devicename[])
    {
        int traffic_seen = FALSE;
        int total_packets_processed = 0;
        pcap_t *hPcap;
        char errbuf[1024];
    
        hPcap = pcap_open_live(    (char*)devicename,
                                2000,    /*snap len*/
                                1,        /*promiscuous*/
                                10,        /*10-ms read timeout*/
                                errbuf
                                );
        if (hPcap == NULL) {
            fprintf(stderr, "%s: %s\n", devicename, errbuf);
            return;
        }
    
        /* Pump packets through it */
        for (;;) {
            int packets_read;
            
            packets_read = pcap_dispatch(
                                    hPcap, /*handle to PCAP*/
                                    10,        /*next 10 packets*/
                                    pcapHandlePacket, /*callback*/
                                    (unsigned char*)carn /*canivore*/
                                    );
            total_packets_processed += packets_read;
            if (!traffic_seen && total_packets_processed > 0) {
                fprintf(stderr, "Traffic seen\n");
                traffic_seen = TRUE;
            }
        }
    
        /* Close the file and go onto the next one */
        pcap_close(hPcap);
    }
    
    /*----------------------------------------------------------------*/
    int 
    main(int argc, char *argv[])
    {
        int i;
        Carnivore *carn;
    
        printf("--- ALTIVORE ---\n");
        printf("Copyright (c) 2000 by Network ICE Corporation\n");
        printf("Public disclosure of the source code does not\n");
        printf("constitute a license to use this software.\n");
        printf("Use \"altivore -?\" for help.\n");
    
        /* Create the carnivore subsystem */
        carn = (Carnivore*)malloc(sizeof(Carnivore));
        memset(carn, 0, sizeof(*carn));
    
    
        /* Read configuration info from "altivore.ini". */
        carnReadConfiguration(carn, "altivore.ini");
    
        /* Parse all the options from the command-line. Normally,
         * you wouldn't have any command-line options, you would
         * simply use the configuration file above. */
        for (i=1; i<argc; i++) {
            if (argv[i][0] != '-')
                straAddElement(&carn->email_addresses, argv[i]);
            else switch (argv[i][1]) {
                case 'h':
                    add_integer(&carn->ip, my_inet_addr(argv[i]+2));
                    break;
                case 'i':
                    straAddElement(&carn->interfaces, argv[i]+2);
                    break;
                case 'l':
                    setString(&carn->logfile, argv[i]+2, 0, -1);
                    break;
                case 'm':
                    carn->mode = parseMode(argv[i]+2);
                    break;
                case 'p':
                    add_integer(&carn->port, strtol(argv[i]+2,0,0));
                    break;
                case 'r':
                    straAddElement(&carn->testinput, argv[i]+2);
                    break;
                case 'w':
                    setString(&carn->tracefile, argv[i]+2, 0, -1);
                    break;
                case '?':
                    printf("Options:\n"
                        "<email-address> address to filter for, e.g.:\n"
                        "  rob@altivore.com (exact match)\n"
                        "  *@altivore.com (partial match)\n"
                        "  * (match all emails)\n"
                        );
                    printf("-h<ip-address>\n"
                        "\tIP of host to sniff\n");
                    printf("-i<devicename>\n"
                        "\tNetwork interface to sniff on\n");
                    printf("-l<logfile>\n"
                        "\tText-output logging\n");
                    printf("-m<mode>\n"
                        "\tMode to run in, see docs\n");
                    printf("-p<port>\n"
                        "\tServer port to filter on\n");
                    printf("-r<tracefile>\n"
                        "\tTest input\n");
                    printf("-w<tracefile>\n"
                        "\tEvidence tracefile to write packets to\n");
                    return 1;
                default:
                    fprintf(stderr, "Unknown parm: %s\n", argv[i]);
                    break;
            }
        }
    
        /* Print the configuration for debugging purposes */
        printf("\tmode = %s\n", modeNames[carn->mode]);
        if (carn->tracefile)
            printf("\ttracefile = %s\n", carn->tracefile);
        if (carn->logfile)
            printf("\tlogfile = %s\n", carn->logfile);
        for (i=0; i<carn->ip.count; i++)
            printf("\tip = %d.%d.%d.%d\n", P_IP_ADDR(carn->ip.list[i]));
        for (i=0; i<carn->port.count; i++)
            printf("\tport = %d\n", carn->port.list);
        for (i=0; i<carn->email_addresses.length; i++)    
            printf("\temail.address = %s\n", carn->email_addresses.str[i]);
        for (i=0; i<carn->radius_accounts.length; i++)    
            printf("\tradius.accounts = %s\n", carn->radius_accounts.str[i]);
        for (i=0; i<carn->testinput.length; i++)    
            printf("\ttestinput = %s\n", carn->testinput.str[i]);
        for (i=0; i<carn->interfaces.length; i++)    
            printf("\tinterface = %s\n", carn->interfaces.str[i]);
    
        /* Testing only: user can specify tracefiles containing network
         * traffic for test purposes. */
        if (carn->testinput.length > 0) {
            int i;
            for (i=0; i<carn->testinput.length; i++)
                processFile(carn, carn->testinput.str[i]);
            return 0;
        }
    
        /* Open adapters and rea*/
        if (carn->interfaces.length > 0) {
            /*TODO: allow multiple adapters to be opened*/
            char *devicename = carn->interfaces.str[0];
            processPackets(carn, devicename);
        } else {
            char *devicename;
            char errbuf[1024];
            devicename = pcap_lookupdev(errbuf);
            if (devicename == NULL)
                fprintf(stderr, "%s\n", errbuf);
            else
                processPackets(carn, devicename);
        }
    
        return 0;
    }
    
    


    TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
    Site design & layout copyright © 1986-2014 AOH