authorVadim Kochan <vadim4j@gmail.com>2015-06-16 04:10:19 +0300
committerDaniel Borkmann <daniel@iogearbox.net>2015-06-20 00:24:25 +0200
commit9977ec6012452bfc5053dbc90aed53f55064c86b (patch)
tree5aa23fa8645383d631829068d64b8b6e8b6b719c /dissector_sll.c
parent12c6a61fa54a2ee6a28c04ff51b2456f73d499b9 (diff)
netsniff-ng: Add dissector for Linux "cooked" packets
Added dissector_sll.c which uses sockaddr_ll to lookup & print higher L3 layer protocol. This dissector is mapped by LINKTYPE_LINUX_SLL link type. Sample output of dissected Netlink & Ethernet packets. Truncated manually some longer lines by "...": > nlmon0 20 1434193547s.717131169ns #6 [ Linux "cooked" Pkt Type 4 (outgoing), If Type 824 (netlink), Addr Len 0, Src (), Proto 0x0 ] [ NLMSG Family 0 (routing), Len 20, Type 0x0003 (DONE)... > wlp3s0 52 1434194181s.436224709ns #9 [ Linux "cooked" Pkt Type 4 (outgoing), If Type 1 (ether), Addr Len 6, Src (XX:XX:XX:XX:XX:XX), Proto 0x800 ] [ IPv4 Addr (XXX.XXX.XXX.XXX => 212.42.76.253), Proto (6), TTL (64), TOS (0), ... ), CSum (0x1ef5) is ok ] [ Geo (local => Ukraine) ] [ TCP Port (45849 => 443 (https)), SN (0x1744209), AN (0x46ca9611), DataOff (8) ... [ Chr .....w.Rj).. ] [ Hex XX XX XX XX XX XX XX XX XX XX XX XX ] Signed-off-by: Vadim Kochan <vadim4j@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'dissector_sll.c')
-rw-r--r--dissector_sll.c113
1 files changed, 113 insertions, 0 deletions
diff --git a/dissector_sll.c b/dissector_sll.c
new file mode 100644
index 0000000..e2e5bfa
--- /dev/null
+++ b/dissector_sll.c
@@ -0,0 +1,113 @@
+/*
+ * netsniff-ng - the packet sniffing beast
+ * Subject to the GPL, version 2.
+ */
+
+#include "oui.h"
+#include "protos.h"
+#include "pcap_io.h"
+#include "pkt_buff.h"
+#include "dissector.h"
+#include "dissector_sll.h"
+#include "dissector_eth.h"
+
+static char *pkt_type2str(uint8_t pkttype)
+{
+ switch (pkttype) {
+ case PACKET_HOST:
+ return "host";
+ case PACKET_BROADCAST:
+ return "broadcast";
+ case PACKET_MULTICAST:
+ return "multicast";
+ case PACKET_OTHERHOST:
+ return "other host";
+ case PACKET_OUTGOING:
+ return "outgoing";
+ case PACKET_USER:
+ return "user";
+ case PACKET_KERNEL:
+ return "kernel";
+ }
+
+ return "Unknown";
+}
+
+static void sll_print_full(struct pkt_buff *pkt)
+{
+ struct sockaddr_ll *sll = pkt->sll;
+ char addr_str[40] = {};
+
+ if (!pkt || !sll)
+ return;
+
+ tprintf(" [ Linux \"cooked\"");
+ tprintf(" Pkt Type %d (%s)", sll->sll_pkttype,
+ pkt_type2str(sll->sll_pkttype));
+ tprintf(", If Type %d (%s)", sll->sll_hatype,
+ device_type2str(sll->sll_hatype));
+ tprintf(", Addr Len %d", sll->sll_halen);
+ tprintf(", Src (%s)", device_addr2str(sll->sll_addr, sll->sll_halen,
+ sll->sll_hatype, addr_str, sizeof(addr_str)));
+ tprintf(", Proto 0x%x", ntohs(sll->sll_protocol));
+ tprintf(" ]\n");
+
+ switch (pcap_devtype_to_linktype(sll->sll_hatype)) {
+ case LINKTYPE_EN10MB:
+ case ___constant_swab32(LINKTYPE_EN10MB):
+ pkt_set_dissector(pkt, &eth_lay2, ntohs(sll->sll_protocol));
+ break;
+ case LINKTYPE_NETLINK:
+ case ___constant_swab32(LINKTYPE_NETLINK):
+ pkt->dissector = &nlmsg_ops;
+ break;
+ default:
+ tprintf(" [ Uknown protocol ]\n");
+ }
+}
+
+static void sll_print_less(struct pkt_buff *pkt)
+{
+ struct sockaddr_ll *sll = pkt->sll;
+ char addr_str[40] = {};
+
+ if (!pkt || !sll)
+ return;
+
+ tprintf(" Pkt Type %d (%s)", sll->sll_pkttype,
+ pkt_type2str(sll->sll_pkttype));
+ tprintf(", If Type %d (%s)", sll->sll_hatype,
+ device_type2str(sll->sll_hatype));
+ tprintf(", Addr Len %d", sll->sll_halen);
+ tprintf(", Src (%s)", device_addr2str(sll->sll_addr, sll->sll_halen,
+ sll->sll_hatype, addr_str, sizeof(addr_str)));
+ tprintf(", Proto 0x%x", ntohs(sll->sll_protocol));
+}
+
+struct protocol sll_ops = {
+ .key = 0,
+ .print_full = sll_print_full,
+ .print_less = sll_print_less,
+};
+
+struct protocol *dissector_get_sll_entry_point(void)
+{
+ return &sll_ops;
+}
+
+struct protocol *dissector_get_sll_exit_point(void)
+{
+ return &none_ops;
+}
+
+void dissector_init_sll(int fnttype)
+{
+ dissector_set_print_type(&sll_ops, fnttype);
+ dissector_set_print_type(&none_ops, fnttype);
+ dissector_init_oui();
+}
+
+void dissector_cleanup_sll(void)
+{
+ dissector_cleanup_oui();
+}
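Review bot: In sll_print_full() and sll_print_less() the initializer `struct sockaddr_ll *sll = pkt->sll;` dereferences pkt before the `if (!pkt || !sll)` guard runs, so the `!pkt` test cannot protect anything and a compiler is free to drop it; declare `struct sockaddr_ll *sll;`, test `if (!pkt || !pkt->sll) return;`, then assign `sll = pkt->sll;`. Both functions also hand `sll->sll_halen` to device_addr2str() as the length of `sll->sll_addr`, which is an 8-byte array in struct sockaddr_ll. Whether pkt->sll can be populated from a capture file and whether device_addr2str() bounds the length itself is not visible in this hunk, so I would clamp before the call, e.g. `size_t halen = sll->sll_halen > sizeof(sll->sll_addr) ? sizeof(sll->sll_addr) : sll->sll_halen;`, to keep a malformed record from causing a read past the array. Minor points: the default branch prints `" [ Uknown protocol ]\n"` (typo for "Unknown"), and pkt_type2str() returns string literals, so its return type should be `const char *`.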