From 73b361bd016d279827e8eebb8d37e03e76a79997 Mon Sep 17 00:00:00 2001
From: leebrotherston
Date: Mon, 7 Mar 2016 15:10:22 -0500
Subject: [PATCH] Update to add the "-P" flag. This allows the user to specify a pcap file to which client hello's which do not match a fingerprint in the database will be stored. These samples can be used to verify fingerprints which are generated. This will also allow me to being creating a library of samples to use for unit testing later.
---
fingerprintls/fingerprintls.c | 24 ++++++++++--------------
fingerprintls/fingerprintls.h | 2 +-
fingerprintls/packet_processing.c | 4 ++++
fingerprintls/signal.c | 7 ++++++-
fingerprintls/tlsfp.db | Bin 44122 -> 44115 bytes
fingerprints/fingerprints.json | 2 +-
6 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/fingerprintls/fingerprintls.c b/fingerprintls/fingerprintls.c
index f6ece7e..30b15ab 100644
--- a/fingerprintls/fingerprintls.c
+++ b/fingerprintls/fingerprintls.c
@@ -71,7 +71,7 @@ void print_usage(char *bin_name) {
 fprintf(stderr, " -h This message\n");
 fprintf(stderr, " -i Sniff packets from specified interface\n");
 fprintf(stderr, " -p Read packets from specified pcap file\n");
-// fprintf(stderr, " -P Save packets to specified pcap file for unknown fingerprints\n");
+ fprintf(stderr, " -P Save packets to specified pcap file for unknown fingerprints\n");
 fprintf(stderr, " -j Output JSON fingerprints\n");
 fprintf(stderr, " -l Output logfile (JSON format)\n");
 // fprintf(stderr, " -s Output JSON signatures of unknown connections to stdout\n"); // Comment this out as I'm trying to deprecate this
@@ -93,7 +93,7 @@ int main(int argc, char **argv) {
 char *unpriv_user = NULL; /* User for dropping privs */
 char errbuf[PCAP_ERRBUF_SIZE]; /* error buffer */
 extern pcap_t *handle; /* packet capture handle */
-// extern pcap_dumper_t *output_handle; /* output to pcap handle */
+ extern pcap_dumper_t *output_handle; /* output to pcap handle */
 char *filter_exp = default_filter;
 int arg_start = 1, i;
@@ -135,18 +135,14 @@ int main(int argc, char **argv) {
 printf("Reading from file: %s\n", argv[i]);
 break;
 case 'P':
- /* Open existing file to append */
-// output_handle = pcap_dump_open_append(argv[++i], errbuf);
- /* That failed, try creating a new one */
-// if(output_handle == NULL) {
-// output_handle = pcap_dump_open(argv[i], errbuf);
-// }
-// if(output_handle == NULL) {
-// printf("Problem writing output pcap: %s\n", errbuf);
-// exit (-1);
-// } else {
-// printf("Writing samples to file: %s\n", argv[i]);
-// }
+ /* Open the file */
+ output_handle = pcap_dump_open(pcap_open_dead(DLT_EN10MB, 65535), argv[++i]);
+ if (output_handle != NULL) {
+ printf("Writing samples to file: %s\n", argv[i]);
+ } else {
+ printf("Could not save samples: %s\n", errbuf);
+ exit(-1);
+ }
 break;
 case 'i':
 /* Open the interface */
diff --git a/fingerprintls/fingerprintls.h b/fingerprintls/fingerprintls.h
index 9df7e16..77fa027 100644
--- a/fingerprintls/fingerprintls.h
+++ b/fingerprintls/fingerprintls.h
@@ -222,7 +222,7 @@ char hostname[HOST_NAME_MAX]; /* store the hostname once to save multiple look
 /* These were in main, but this let's the signal handler close as needed */
 pcap_t *handle = NULL; /* packet capture handle */
-//pcap_dumper_t *output_handle = NULL; /* output to pcap handle */
+pcap_dumper_t *output_handle = NULL; /* output to pcap handle */
 struct bpf_program fp; /* compiled filter program (expression) */
 /* --------------------------------------------------------------------- */
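Review bot: The failure branch of the new `case 'P'` prints `errbuf`, but `pcap_dump_open()` does not write to that buffer — it records its error on the `pcap_t` it was handed — so the message shows whatever `errbuf` holds at that point (nothing has initialised it as far as the hunk shows). Keep the `pcap_open_dead()` result in a local, check it for NULL, and report with `pcap_geterr()` on it; `argv[++i]` also walks past the end of argv when `-P` is the last argument unless the option loop (whose header is outside the hunk) already guards that. Two further points worth a comment: switching from `pcap_dump_open_append()` to `pcap_dump_open()` now truncates an existing file at that path, and the dumper is hard-wired to `DLT_EN10MB`, so samples are mislabelled whenever the capture handle has another link type (for example a file read with `-p`). `main` continues past the end of the hunk.
```c
case 'P': {
	/* argv[argc] is NULL, so ++i must not run past the last argument */
	if (i + 1 >= argc) {
		fprintf(stderr, "-P requires a pcap file name\n");
		exit(-1);
	}
	/* The dead handle only supplies link type/snaplen to the dumper and carries its error text */
	pcap_t *dead = pcap_open_dead(DLT_EN10MB, 65535);
	if (dead == NULL) {
		printf("Could not save samples: pcap_open_dead failed\n");
		exit(-1);
	}
	output_handle = pcap_dump_open(dead, argv[++i]);
	if (output_handle != NULL) {
		printf("Writing samples to file: %s\n", argv[i]);
	} else {
		printf("Could not save samples: %s\n", pcap_geterr(dead));
		exit(-1);
	}
	break;
}
```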
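Review bot: `pcap_dumper_t *output_handle = NULL;` is a definition with an initialiser placed in a header, following the pre-existing `handle` line above it; if `fingerprintls.h` is ever included from a second translation unit this becomes a duplicate-symbol link error, and the fact that `signal.c` reaches the variable through its own `extern` suggests the header is effectively private to `fingerprintls.c`. The conventional split is `extern pcap_dumper_t *output_handle;` in the header with the single definition in the `.c` file. At minimum a comment such as `/* definition: this header must be included from exactly one .c file */` would document the constraint the commit relies on.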
diff --git a/fingerprintls/packet_processing.c b/fingerprintls/packet_processing.c
index 651c85c..b328b81 100644
--- a/fingerprintls/packet_processing.c
+++ b/fingerprintls/packet_processing.c
@@ -881,6 +881,10 @@ void got_packet(u_char *args, const struct pcap_pkthdr *pcap_header, const u_cha
 /* END OF RECORD - OR SOMETHING */
 /* **************************** */
+ /* Write the sample packet out */
+ if(output_handle != NULL) {
+ pcap_dump((u_char *)output_handle, pcap_header, packet);
+ }
 /* Setup the new fp_packet for the next incoming packet. Next call to this function will cause a malloc.
diff --git a/fingerprintls/signal.c b/fingerprintls/signal.c
index 08066df..1d3bc4c 100644
--- a/fingerprintls/signal.c
+++ b/fingerprintls/signal.c
@@ -22,8 +22,9 @@ void sig_handler (int signo) {
 extern FILE *json_fd;
 extern FILE *fpdb_fd;
 extern pcap_t *handle; /* packet capture handle */
+ extern pcap_dumper_t *output_handle;
 extern struct bpf_program fp; /* compiled filter program (expression) */
-
+
 switch (signo) {
 /* Placeholder, will use this for some debugging */
@@ -51,6 +52,10 @@ void sig_handler (int signo) {
 // No checking because accoring to the man page, they don't return anything useful o_O pcap_freecode(&fp); pcap_close(handle); + if(output_handle != NULL) { + pcap_dump_close(output_handle); + } + exit(1); break;
diff --git a/fingerprintls/tlsfp.db b/fingerprintls/tlsfp.db
index e42593fd50b3750b00cc321c6fae9826c05ecc41..d1aaba3267fe7196130533ac4b5819aa626e4c74 100644
GIT binary patch
delta 16
Ycmcb0gX!`OrVVFSF>-IdvZ{>{08HQrOaK4?
delta 23
fcmcb7gXz`{rVVFSaR`MJWfo+XC~Q8vs*Mo
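Review bot: The added `pcap_dump()` runs for every packet that reaches this point with no visible test of whether the fingerprint was matched, so unless this path is only taken for unmatched client hellos (the surrounding logic, and the start and end of `got_packet`, are outside the hunk) the file will also collect known fingerprints, contrary to the `-P` usage text "for unknown fingerprints". Samples also sit in the dumper's stdio buffer until `pcap_dump_close()`, so a capture that ends without the signal handler running loses them; a `pcap_dump_flush(output_handle);` after the call would make the file usable while capture is still running. The condition deserves a comment stating the invariant it relies on, e.g. `/* only reached for client hellos with no database match; -P asks for exactly those */`, so a later refactor of the matching code cannot silently widen what gets written.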
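Review bot: `pcap_dump_close()` ends in `fclose()`, which is not async-signal-safe; if the signal arrives while `got_packet` is inside `pcap_dump()` (an `fwrite` holding the FILE lock) the handler can deadlock or leave a partial record, and the same applies to the existing `pcap_close(handle)` just above. The safer shape is for `sig_handler` to call only `pcap_breakloop(handle);` (documented as usable from a signal handler) and let `main` do the `pcap_dump_close()`/`pcap_close()` after `pcap_loop()` returns. If the handler keeps closing things directly, a comment such as `/* not async-signal-safe: acceptable only because we exit immediately afterwards */` should record the trade-off. `sig_handler` starts outside the hunk.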