/*
* Copyright (c) 2015, Arista Networks, inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <net-snmp/net-snmp-config.h>
#include <net-snmp/net-snmp-includes.h>
#include <net-snmp/library/large_fd_set.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <pcap/pcap.h>
#define FAKE_FD 3
/*
* This is a funny little program, hooking together callbacks
* to get packets from a pcap format file to go through
* net-snmp's main loop. Both net-snmp and libpcap have
* callback-based processing, so:
*
* We create a fake snmp transport that calls snmppcap_recv()
* to receive a packet, and use snmp_add() to add the session
* and the transport directly.
*
* We create a session callback on the session that just
* prints out the varbind list that we got.
*
* We use the libpcap pcap_dispatch() to loop through all
* the packets in the pcap file, and then pretend to snmp_read2()
* that a fake file descriptor is ready. Luckily, there is
* only one session active, and it happens to also claim to
* be using that file descriptor, so snmplib calls the transport
* receive function, snmppcap_recv(). If the packet parses,
* we get a callback at snmppcap_callback(). If it doesn't,
* you may need to use the -D options.
*/
typedef struct mystuff {
int pktnum;
} mystuff_t;
/*
* These two globals are used to communicate between handle_pcap()
* and snmppcap_recv(). Don't try to multi-thread! :-)
*/
const void *recv_data;
int recv_datalen;
int
snmppcap_recv(netsnmp_transport *t, void *buf, int bufsiz, void **opaque, int *opaque_len)
{
if (bufsiz > recv_datalen) {
memcpy(buf, recv_data, recv_datalen);
return recv_datalen;
} else {
return -1;
}
}
/*
* snmplib calls us back with the received packet.
*/
static int
snmppcap_callback(int op, netsnmp_session *sess, int reqid, netsnmp_pdu *pdu,
void *magic)
{
mystuff_t *mystuff = (mystuff_t *)magic;
netsnmp_variable_list *vars;
/*
* We ignore op, since we know there is only way we can be
* called back, since this is not a "real" transport.
*/
printf( "Packet %d PDU contents:\n", mystuff->pktnum );
/*
* TODO: print PDU type and other info?
*/
for (vars = pdu->variables; vars; vars = vars->next_variable) {
printf( " " );
print_variable(vars->name, vars->name_length, vars );
}
return 0;
}
void
handle_pcap(u_char *user, const struct pcap_pkthdr *h,
const u_char *bytes)
{
size_t len;
const u_char *buf;
int skip;
mystuff_t *mystuff = (mystuff_t *)user;
netsnmp_large_fd_set lfdset;
mystuff->pktnum++;
/*
* If it's not a full packet, then we can't parse it.
*/
if ( h->caplen < h->len ) {
printf( "Skipping packet #%d; we only have %d of %d bytes\n", mystuff->pktnum, h->caplen, h->len );
return;
}
/*
* For now, no error checking and almost no parsing.
* Assume that we have all Ethernet/IPv4/UDP/SNMP.
*/
skip = 14 /* Ethernet */ + 20 /* IPv4 */ + 8 /* UDP */;
buf = bytes + skip;
len = h->len - skip;
printf( "Packet #%d:\n", mystuff->pktnum );
/*
* Store the data in the globals that we use to communicate
*/
recv_data = buf;
recv_datalen = len;
/*
* We call snmp_read2() pretending that our
* fake file descriptor is ready to read.
* This is a funny API to fake up - we need to
* set our fake file descriptor so that our fake
* receive function gets called.
*/
netsnmp_large_fd_set_init(&lfdset, FD_SETSIZE);
netsnmp_large_fd_setfd(FAKE_FD, &lfdset);
snmp_read2(&lfdset);
netsnmp_large_fd_set_cleanup(&lfdset);
}
void
usage(void)
{
fprintf(stderr, "USAGE: snmppcap [OPTIONS] FILE\n\n");
/* can't use snmp_parse_args_usage because it assumes an agent */
snmp_parse_args_descriptions(stderr);
}
int main(int argc, char **argv)
{
netsnmp_session *ss;
netsnmp_transport *transport;
int arg;
char errbuf[PCAP_ERRBUF_SIZE];
char *fname;
pcap_t *p;
mystuff_t mystuff;
ss = SNMP_MALLOC_TYPEDEF(netsnmp_session);
/*
* snmp_parse_args usage here is totally overkill, but trying to
* parse -D
*/
switch (arg = snmp_parse_args(argc, argv, ss, "", NULL)) {
case NETSNMP_PARSE_ARGS_ERROR:
exit(1);
case NETSNMP_PARSE_ARGS_SUCCESS_EXIT:
exit(0);
case NETSNMP_PARSE_ARGS_ERROR_USAGE:
usage();
exit(1);
default:
break;
}
if (arg != argc) {
fprintf(stderr, "Specify exactly one file name\n");
usage();
exit(1);
}
fname = argv[ arg-1 ];
p = pcap_open_offline( fname, errbuf );
if ( p == NULL ) {
fprintf(stderr, "%s: %s\n", fname, errbuf );
return 1;
}
if ( pcap_datalink( p ) != DLT_EN10MB) {
fprintf(stderr, "Only Ethernet pcaps currently supported\n");
return 2;
}
transport = SNMP_MALLOC_TYPEDEF(netsnmp_transport);
if ( transport == NULL ) {
fprintf(stderr, "Could not malloc transport\n" );
return 3;
}
/*
* We set up just enough of the transport to fake the main
* loop into calling us back.
*/
transport->sock = FAKE_FD; /* nobody actually uses this as a file descriptor */
transport->f_recv = snmppcap_recv;
ss->callback = snmppcap_callback;
ss->callback_magic = (void *)&mystuff;
/* todo: add the option of a filter here */
mystuff.pktnum = 0;
/* todo: user, etc. parsing. */
ss->securityModel = SNMP_SEC_MODEL_USM;
printf("flags %lx securityModel %d version %ld securityNameLen %" NETSNMP_PRIz "d securityEngineIDLen %" NETSNMP_PRIz "d\n",
ss->flags, ss->securityModel, ss->version,
ss->securityNameLen, ss->securityEngineIDLen);
create_user_from_session(ss);
/*
* We use snmp_add() to specify the transport
* explicitly.
*/
snmp_add(ss, transport, NULL, NULL);
pcap_loop(p, -1, handle_pcap, (void *)&mystuff);
return 0;
}