-rw-r--r-- | contrib/ptunnel-dissector.lua | 48 | ||||
-rw-r--r-- | src/options.c | 2 | ||||
-rw-r--r-- | src/pconfig.h | 1 |
3 files changed, 50 insertions, 1 deletions
diff --git a/contrib/ptunnel-dissector.lua b/contrib/ptunnel-dissector.lua
new file mode 100644
index 0000000..d5a63a2
--- /dev/null
+++ b/contrib/ptunnel-dissector.lua
@@ -0,0 +1,48 @@
+ptunnel_protocol = Proto("PTunnel-NG", "PTunnel-NG Protocol")
+
+icmp_type = ProtoField.uint8("icmp.type", "type", base.HEX)
+icmp_code = ProtoField.uint8("icmp.code", "code", base.HEX)
+icmp_chksm = ProtoField.uint16("icmp.chksm", "chksm", base.HEX)
+
+magic = ProtoField.uint32("ptunnel.magic", "magic", base.HEX)
+
+ptunnel_protocol.fields = { icmp_type, icmp_code, icmp_chksm, magic }
+
+function ptunnel_protocol.dissector(buffer, pinfo, tree)
+ length = buffer:len()
+ if length == 0 then return end
+
+ pinfo.cols.protocol = ptunnel_protocol.name
+
+ local subtree = tree:add(ptunnel_protocol, buffer(), "PTunnel Protocol Data")
+ local icmpHeaderSubtree = subtree:add(ptunnel_protocol, buffer(), "ICMP Header")
+
+ icmpHeaderSubtree:add_le(icmp_type, buffer(0,1))
+ icmpHeaderSubtree:add_le(icmp_code, buffer(1,1))
+ icmpHeaderSubtree:add_le(icmp_chksm, buffer(2,2))
+
+ icmpHeaderSubtree:add_le(magic, buffer(4,4))
+end
+
+local icmp = DissectorTable.get("ip.proto")
+icmp:add(1, ptunnel_protocol)
+
+local function heuristic_checker(buffer, pinfo, tree)
+ length = buffer:len()
+ --if length < 28 + 8 then return false end
+
+ local magic = buffer(8,4):uint32()
+ if magic == 0xdeadc0de
+ then
+ ptunnel_protocol.dissector(buffer, pinfo, tree)
+ return true
+ else
+ return false
+ end
+end
+
+ptunnel_protocol:register_heuristic("ip", heuristic_checker)
+
+--for k,v in pairs(DissectorTable.list()) do
+-- print(k,v)
+--end
diff --git a/src/options.c b/src/options.c
index 84227ae..4d36a73 100644
--- a/src/options.c
+++ b/src/options.c
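Review bot: The heuristic and the dissector disagree about where the magic sits: `heuristic_checker` compares `buffer(8,4)` (big-endian read) against 0xdeadc0de, while `ptunnel_protocol.dissector` fills the same `magic` field from `buffer(4,4)` with `add_le`, so the tree shows the ICMP id/sequence bytes, byte-swapped, as the magic; use `icmpHeaderSubtree:add(magic, buffer(8,4))` and plain `add` for the other network-order ICMP fields too. Neither function bounds its reads: with the length test commented out, a packet shorter than 12 bytes makes `buffer(8,4)` raise a Lua error on the packet, so the heuristic needs `if length < 12 then return false end` and the dissector's `== 0` test should reject anything under 12 as well. `length` is assigned without `local` in both functions and leaks as a global (`local length = buffer:len()`), and `buffer(8,4):uint32()` should be checked against the Wireshark TvbRange API, which exposes `uint()`. Since this commit makes the magic a named default on the C side and it is settable with `--magic`, a literal 0xdeadc0de in the heuristic misses tunnels run with a different value; a `Pref.uint` preference on the Proto would keep the two in step. `icmp:add(1, ptunnel_protocol)` also appears to replace the built-in ICMP dissector for every protocol-1 packet, so the magic check is bypassed for ordinary ICMP traffic — confirm that is intended, otherwise rely on the heuristic alone.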
@@ -74,7 +74,7 @@ struct option_usage { static const struct option_usage usage[] = { /** --magic */ - {"magic", 0, OPT_HEX32, {.unum = 0xdeadc0de}, + {"magic", 0, OPT_HEX32, {.unum = kMagic_default}, "Set ptunnel magic hexadecimal number. (32-bit unsigned)\n" "It is an identifier for all ICMP/UDP packets\n" "and can be used to bypass Cisco IPS fingerprint scan.\n" diff --git a/src/pconfig.h b/src/pconfig.h index 140cad5..8c9fcba 100644 --- a/src/pconfig.h +++ b/src/pconfig.h @@ -47,6 +47,7 @@ #define PCONFIG_H 1 enum { + kMagic_default = 0xdeadc0de, /** Set this constant to the number of * concurrent connections you wish to handle by default. */ |
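Review bot: `kMagic_default = 0xdeadc0de` in the `enum` in pconfig.h does not fit in an `int`: ISO C requires an enumerator's value to be representable as `int`, and 0xdeadc0de exceeds INT_MAX, so this compiles only as a compiler extension and -pedantic builds warn about it. A `#define PTUNNEL_MAGIC_DEFAULT 0xdeadc0deu` (name constructed here) or a `static const uint32_t` would carry the value with the unsigned type the `.unum` initializer in options.c uses; the enum body continues outside the hunk, so check whether its other members depend on being plain `int`.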