7 #include <sys/socket.h>
11 #include "radiotap_iter.h"
12 #include <curl/curl.h>
13 #include <json-c/json.h>
15 #include <lorcon2/lorcon.h>
/*
 * File-scope state shared between main() and the pcap callback.
 * NOTE(review): this is a partial listing -- lines are missing between the
 * numbered entries, so e.g. the declarations of gchannel/lchannel and the
 * head of the packed radiotap struct are not visible here.
 */
17 const struct pcap_pkthdr* callback_header;
// Fixed-capacity dedup tables (50 slots each) holding SSID / MAC strings.
// my_callback() fills them with strdup() and later wipes them with memset();
// the strdup'd strings are not freed anywhere in the visible code, so every
// flush leaks up to 50 entries per table.
22 char *ssid_buf[50][2] = { NULL, NULL };
23 char *probe_resp_buf[50][3] = { NULL, NULL };
24 char *probe_buf[50][2] = { NULL, NULL };
29 //char post_url[255] = "http://intranet.spangdorfia.com/butler/sohoinput.php";
// Collector URL taken from the -p option in main(); passed to libcurl as
// CURLOPT_URL in send_data().
30 char *post_url = NULL;
// Not referenced in any visible line: send_data() turns TLS peer verification
// off unconditionally instead of consulting this flag.
32 static uint8_t insecure = 0;
// Radiotap alignment/size table for the iterator (fragment; the remaining
// entries are not shown).
34 static const struct radiotap_align_size align_size_000000_00[] = {
35 [0] = { .align = 1, .size = 4, },
36 [52] = { .align = 1, .size = 4, },
// Tail of a packed radiotap header struct whose opening lines are not shown.
48 u_int16_t wr_chan_freq;
53 } __attribute__((__packed__)) ieee80211_radiotap;
// Process-global json-c handles. `array` is the batch being built by
// my_callback() (created there when it is not an array, released with
// json_object_put() on flush); obj2 is the per-frame object. obj1, tmp1 and
// tmp2 are unused in the visible lines.
55 struct json_object *obj1, *obj2, *array, *tmp1, *tmp2;
/*
 * change_chan -- read the current lorcon channel and switch to `lchannel`.
 *
 * NOTE(review): K&R-style definition, so `context` has no declared type and
 * defaults to int; it is then handed to lorcon_get_channel()/lorcon_set_channel(),
 * which expect the context pointer created by lorcon_create() in main().
 * Declare it as that pointer type. The only call site (in my_callback) is
 * commented out. gchannel/lchannel are not declared in the visible lines;
 * the lines that compute lchannel and the closing brace are not shown.
 */
58 int change_chan(context) {
62 gchannel=lorcon_get_channel(context);
// No trailing newline, so this is buffered until the next newline is printed.
63 printf("got channel %d", gchannel);
68 printf("Setting channel %d\n", lchannel);
// Return value of lorcon_set_channel() is not checked.
69 lorcon_set_channel(context, lchannel);
/*
 * send_data -- POST the serialized JSON `array` to post_url with libcurl.
 *
 * @param array  json-c array to serialize; the caller keeps ownership (it is
 *               not released here).
 *
 * Side effects: prints an error to stdout on a failed transfer; calls
 * curl_global_cleanup() after every send (see note below). Several lines of
 * the body are not shown in this listing (curl/res declarations, the NULL
 * check on curl, the else branch).
 */
75 void send_data(json_object *array) {
77 //printf("curl start\n");
81 struct curl_slist *headers = NULL;
// curl_slist_append() returns NULL on allocation failure; not checked here.
83 headers = curl_slist_append(headers, "Accept: application/json");
84 headers = curl_slist_append(headers, "Content-Type: application/json");
86 //json_object *obj1 = json_object_new_object();
87 //json_object *jvs = json_object_new_string("1");
88 //json_object *japmac = json_object_new_string(ap_mac);
89 //json_object *jlat = json_object_new_double(lat);
90 //json_object *jlng = json_object_new_double(lng);
92 //json_object_object_add(obj1,"v", jvs);
93 //json_object_object_add(obj1,"ap_mac", japmac);
94 //json_object_object_add(obj1,"data", array);
95 //json_object_object_add(obj1,"lat", jlat);
96 //json_object_object_add(obj1,"lng", jlng);
// NOTE(review): whether a NULL return is handled is not visible (lines 99-101
// are not shown); curl_easy_setopt() on a NULL handle is an error.
98 curl = curl_easy_init();
// A NULL write callback restores libcurl's default, which writes the
// response body to stdout.
102 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, NULL);
103 curl_easy_setopt(curl, CURLOPT_URL, post_url);
104 curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
105 curl_easy_setopt(curl, CURLOPT_CUSTOMREQUEST, "POST");
106 curl_easy_setopt(curl, CURLOPT_USERAGENT, "SoHoSIGINT");
// CURLOPT_POSTFIELDS does not copy the buffer: the string is owned by `array`
// and must stay alive until curl_easy_perform() returns (it does here).
107 curl_easy_setopt(curl, CURLOPT_POSTFIELDS, json_object_to_json_string(array));
// NOTE(review): TLS peer verification is disabled unconditionally, so an
// https:// post_url is not authenticated and the upload (SSIDs, MACs, RSSI)
// can be read or altered on path. The `insecure` global exists for exactly
// this switch but is never consulted; gate the option on it (default: verify).
110 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
113 //printf("Sending this: %s\n",json_object_to_json_string(array));
115 //openlog(SYSLOG_NAME, LOG_PID|LOG_CONS, LOG_USER);
116 res = curl_easy_perform(curl);
118 if(res != CURLE_OK) {
// The curl error itself is dropped; curl_easy_strerror(res) would name it.
119 printf("There was a problem sending to %s\n", post_url);
120 //syslog (LOG_INFO, "couldn't send JSON.");
122 //printf("sent JSON to %s\n", post_url);
125 curl_easy_cleanup(curl);
126 curl_slist_free_all(headers);
127 //json_object_put(obj1);
// NOTE(review): global cleanup per send. curl_easy_init() re-initialises
// the library lazily, so this works single-threaded, but the documented
// pairing is one curl_global_init()/curl_global_cleanup() per process.
130 curl_global_cleanup();
131 //printf("curl end\n");
/*
 * my_callback -- pcap_loop() handler: parse the radiotap header and the
 * 802.11 management frame behind it, deduplicate probe requests, probe
 * responses and beacons into the global json `array`, and periodically
 * flush the batch (send_data) while hopping channels.
 *
 * @param args    unused (pcap_loop user pointer).
 * @param pkthdr  capture header; only pkthdr->caplen / pkthdr->len are read.
 * @param packet  raw frame bytes, caplen of them valid.
 *
 * NOTE(review): this listing omits many lines of the body (buffer
 * declarations for ssid/client_mac/bssid_mac/tmp_*, the hlen and ssid_len
 * assignments, the beacon case label, the flush/send call, the closing
 * brace). Comments below only describe what the visible lines show.
 */
135 void my_callback(u_char *args,const struct pcap_pkthdr* pkthdr,const u_char* packet) {
137 int err, radiotap_header_len, ssid_len, i;
// rssi/rate/flags are only assigned when the matching radiotap field is
// present in the loop below; if the frame lacks one and no initialiser exists
// in the lines not shown, the later sprintf of rssi reads an indeterminate value.
138 int8_t rssi, rate, flags, fcsfail;
// Lazily (re)create the batch array; after a flush `array` must be NULL or a
// freed pointer would be passed to json_object_get_type() here.
154 if ( json_object_get_type(array) != json_type_array) {
155 //printf("type of json= %d\n", json_object_get_type(array) == json_type_array);
156 array = json_object_new_array();
159 struct ieee80211_radiotap_iterator iter;
// NOTE(review): reads `iter` before ieee80211_radiotap_iterator_init() has
// set it (indeterminate value); the same assignment is repeated after init
// below, so this line should be dropped.
161 radiotap_header_len = iter._max_length;
// Cast drops const on `packet`; caplen bounds the iterator, which is the
// correct length to use (not pkthdr->len).
163 err = ieee80211_radiotap_iterator_init(&iter, (void*)packet, pkthdr->caplen, NULL);
167 radiotap_header_len = iter._max_length;
// Walk present radiotap fields; `err` is nonzero when the header is exhausted
// or malformed (how a malformed header is treated is not shown).
170 while (!(err = ieee80211_radiotap_iterator_next(&iter))) {
171 if (iter.this_arg_index == IEEE80211_RADIOTAP_DBM_ANTSIGNAL) {
172 rssi = (int8_t)iter.this_arg[0];
174 if (iter.this_arg_index == IEEE80211_RADIOTAP_CHANNEL) {
// Radiotap fields are little-endian; this native-endian read is only correct
// on LE hosts. memcpy into a uint16_t plus le16toh() would be portable.
175 channel = (*(uint16_t *)iter.this_arg);
177 if (iter.this_arg_index == IEEE80211_RADIOTAP_RATE) {
178 rate = (u_int8_t)iter.this_arg[0];
180 if (iter.this_arg_index == IEEE80211_RADIOTAP_FLAGS) {
181 flags = (*(u_int8_t *)iter.this_arg);
// Bodies of these three flag branches are not shown (fcsfail is presumably
// set in the first one).
182 if (flags & IEEE80211_RADIOTAP_F_BADFCS) {
187 if (flags & IEEE80211_RADIOTAP_F_FRAG) {
190 if (flags & IEEE80211_RADIOTAP_F_CFP) {
// "%04x" of a 16-bit value needs 5 bytes in tmp_channel; "%d" of an int8_t
// needs 5 in tmp_rssi (sizes not visible here).
196 sprintf(tmp_channel, "%04x", channel);
197 sprintf(tmp_rssi, "%d", rssi);
// NOTE(review): this guards on the on-air length, not on pkthdr->caplen, and
// 24 is far below the highest offsets read below (packet[57], packet[62+i],
// packet[hlen+38+i]); a short or truncated capture reads past the buffer.
// Check caplen against the largest offset actually used in each case.
199 if (pkthdr->len >= 24) {
// hlen (offset of the 802.11 frame after radiotap) is assigned on a line not
// shown; the commented variant reads it from the radiotap length field.
201 //hlen = packet[2]+(packet[3]<<8); //Usually 18 or 13 in some cases
// First byte of the 802.11 frame: the frame-control type/subtype octet.
203 switch (packet[hlen]) {
204 case 0x40: //probe request
205 //printf("probe request\n");
207 memset(ssid, 0, sizeof(ssid));
// NOTE(review): ssid_len is taken from the frame (assignment not shown). If it
// is not clamped to sizeof(ssid) - 1 a crafted frame overruns `ssid`
// (out-of-bounds write). Also note the fixed offsets 62 / 46..51 here, while
// the other cases are hlen-relative -- one of the two conventions is wrong
// whenever the radiotap header length differs from what 62 assumes.
209 for (i=0;i<ssid_len;++i){
210 sprintf(ssid+i, "%c", packet[62+i]);
// "%02x:..." produces 17 characters plus NUL; client_mac must be >= 18 bytes.
213 memset(client_mac, 0, sizeof(client_mac));
214 sprintf(client_mac, "%02x:%02x:%02x:%02x:%02x:%02x", packet[46], packet[47],packet[48],packet[49],packet[50],packet[51]);
// Dedup on (ssid, client_mac); the match branch body is not shown.
216 for (i=0; i<50; i++) {
217 if (probe_buf[i][0] != NULL) {
218 if ((strcoll(probe_buf[i][0], ssid) == 0 && strcoll(probe_buf[i][1], client_mac) == 0)) {
// First free slot: record and emit a JSON object. strdup() results are not
// NULL-checked and are never freed (the flush only memsets the table).
222 if (probe_buf[i][0] == NULL) {
226 //printf("probe element: %d\n", element);
227 probe_buf[i][0] = strdup(ssid);
228 probe_buf[i][1] = strdup(client_mac);
// json_object_object_add()/json_object_array_add() take ownership of the
// value objects, so none of these need a separate json_object_put().
// The SSID bytes are attacker-controlled input copied verbatim; the collector
// must treat them as untrusted.
229 obj2 = json_object_new_object();
230 json_object *type = json_object_new_string("40");
231 json_object *tssid = json_object_new_string(ssid);
232 json_object *tclient_mac = json_object_new_string(client_mac);
233 json_object *tchannel = json_object_new_string(tmp_channel);
234 json_object *jrssi = json_object_new_string(tmp_rssi);
235 json_object_object_add(obj2,"type", type);
236 json_object_object_add(obj2,"ssid", tssid);
237 json_object_object_add(obj2,"client_mac", tclient_mac);
238 json_object_object_add(obj2,"channel", tchannel);
239 json_object_object_add(obj2,"rssi", jrssi);
240 json_object_array_add(array,obj2);
246 case 0x50: //probe response
247 //printf("probe response\n");
// Same unclamped ssid_len concern as the probe-request case; no memset of
// `ssid` precedes this loop, unlike the 0x40 case (unless done on a line not shown).
249 for (i=0;i<ssid_len;++i){
250 sprintf(ssid+i, "%c", packet[hlen+38+i]);
// Addresses at fixed offsets 40..45 / 52..57 (not hlen-relative).
253 sprintf(client_mac, "%02x:%02x:%02x:%02x:%02x:%02x", packet[40], packet[41],packet[42],packet[43],packet[44],packet[45]);
254 sprintf(bssid_mac, "%02x:%02x:%02x:%02x:%02x:%02x", packet[52], packet[53],packet[54],packet[55],packet[56],packet[57]);
// Dedup on (ssid, client_mac) only; bssid_mac is stored but not compared.
256 for (i=0; i<50; i++) {
257 if (probe_resp_buf[i][0] != NULL) {
258 if ((strcoll(probe_resp_buf[i][0], ssid) == 0 && strcoll(probe_resp_buf[i][1], client_mac) == 0)) {
262 if (probe_resp_buf[i][0] == NULL) {
266 //printf("probe response element: %d\n", element);
267 probe_resp_buf[i][0] = strdup(ssid);
268 probe_resp_buf[i][1] = strdup(client_mac);
269 probe_resp_buf[i][2] = strdup(bssid_mac);
270 obj2 = json_object_new_object();
271 json_object *type = json_object_new_string("50");
272 json_object *tssid = json_object_new_string(ssid);
273 json_object *tclient_mac = json_object_new_string(client_mac);
274 json_object *tbssid_mac = json_object_new_string(bssid_mac);
275 json_object *tchannel = json_object_new_string(tmp_channel);
276 json_object *jrssi = json_object_new_string(tmp_rssi);
277 json_object_object_add(obj2,"type", type);
278 json_object_object_add(obj2,"ssid", tssid);
279 json_object_object_add(obj2,"client_mac", tclient_mac);
280 json_object_object_add(obj2,"bssid_mac", tbssid_mac);
281 json_object_object_add(obj2,"channel", tchannel);
282 json_object_object_add(obj2,"rssi", jrssi);
283 json_object_array_add(array,obj2);
// Beacon branch (its case label is on a line not shown).
289 //printf("beacon\n");
292 for (i=0;i<ssid_len;++i){
293 sprintf(ssid+i, "%c", packet[hlen+38+i]);
// Hidden-SSID placeholder; the condition that selects it is not shown.
296 sprintf(ssid,"[HIDDEN]");
// Heuristic: a 15-byte SSID field that decoded to an empty string is labelled
// as truncated (why 15 is the threshold is not documented here).
299 if (ssid_len == 15 && strlen(ssid) == 0) {
300 sprintf(ssid,"[truncated]");
302 //printf("debug ssid: %s fieldlen: %d strlen: %d\n", ssid, ssid_len, strlen(ssid));
// For beacons `client_mac` actually holds the transmitter/BSSID bytes and is
// emitted under the "bssid" key below.
303 sprintf(client_mac, "%02x:%02x:%02x:%02x:%02x:%02x", packet[52], packet[53],packet[54],packet[55],packet[56],packet[57]);
305 for (i=0; i<50; i++) {
306 if (ssid_buf[i][0] != NULL) {
307 if ((strcoll(ssid_buf[i][0], ssid) == 0 && strcoll(ssid_buf[i][1], client_mac) == 0)) {
311 if (ssid_buf[i][0] == NULL) {
315 //printf("ssid element: %d\n", element);
316 ssid_buf[i][0] = strdup(ssid);
317 ssid_buf[i][1] = strdup(client_mac);
318 obj2 = json_object_new_object();
319 json_object *type = json_object_new_string("80");
320 json_object *tssid = json_object_new_string(ssid);
321 json_object *tclient_mac = json_object_new_string(client_mac);
322 json_object *tchannel = json_object_new_string(tmp_channel);
323 json_object *jrssi = json_object_new_string(tmp_rssi);
324 json_object_object_add(obj2,"type", type);
325 json_object_object_add(obj2,"ssid", tssid);
326 json_object_object_add(obj2,"bssid", tclient_mac);
327 json_object_object_add(obj2,"channel", tchannel);
328 json_object_object_add(obj2,"rssi", jrssi);
329 json_object_array_add(array,obj2);
335 // printf("Got something different: %02x\n", packet[hlen]);
336 // printf("hlen: %d\n", hlen);
// Flush trigger: `diff` (elapsed time, presumably) and `element` (batch size)
// are computed on lines not shown.
343 if ((diff >= 5) || (element == 25)) {
344 //printf("time to barf!\n");
345 //printf("size: %d\n", element);
346 //change_chan(context);
348 gchannel=lorcon_get_channel(context);
349 //printf("got channel %d", gchannel);
// Channel hop; the computation of lchannel between these lines is not shown.
// Both branches end in the same lorcon_set_channel() call (return unchecked).
351 if (lchannel == 14) {
354 //printf("Setting channel %d\n", lchannel);
355 lorcon_set_channel(context, lchannel);
357 lorcon_set_channel(context, lchannel);
358 //for (i=0; i<34; i++) {
359 // printf("barf beacons: buffer %d, ssid: %s \t\t mac: %s channel: %s rssi: %s\n", i, ssid_buf[i][0], ssid_buf[i][1], ssid_buf[i][2], ssid_buf[i][3]);
361 //for (i=0; i<34; i++) {
362 // printf("barf probe reponses: buffer %d, ssid: %s \t mac: %s mac: %s channel: %s rssi: %s\n", i, probe_resp_buf[i][0], probe_resp_buf[i][1], probe_resp_buf[i][2], probe_resp_buf[i][3], probe_resp_buf[i][4]);
364 //for (i=0; i<34; i++) {
365 //printf("barf probes: buffer %d, ssid: %s \t mac: %s channel: %s rssi: %s\n", i, probe_buf[i][0], probe_buf[i][1], probe_buf[i][2], probe_buf[i][3]);
369 //printf("barfing\n");
371 //printf ("The json object created: %s\n",json_object_to_json_string(array));
// Releases the batch (the send_data call is on a line not shown). NOTE(review):
// unless a line not shown sets `array = NULL`, the next callback passes this
// freed pointer to json_object_get_type() at the top of the function.
372 json_object_put(array);
// NOTE(review): clearing the tables drops the strdup'd strings without
// free()ing them -- up to 150 leaked allocations per flush. Free each non-NULL
// entry first (or keep a counter and reuse slots).
374 memset(ssid_buf, 0, sizeof(ssid_buf));
375 memset(probe_resp_buf, 0, sizeof(probe_resp_buf));
376 memset(probe_buf, 0, sizeof(probe_buf));
381 //printf("rate: %d channel: %04x rssi: %d\n", rate, channel, rssi);
/*
 * main -- parse -a/-i/-p, put the interface into monitor mode through lorcon,
 * open it with libpcap and hand frames to my_callback().
 *
 * Options (usage text below): -a packet count (default: loop forever),
 * -i wlan interface, -p collector URL.
 *
 * NOTE(review): this listing omits the getopt switch body, the pcap NULL
 * check, the declarations of c/context/pcap/dev/lchannel and the closing
 * brace; comments refer only to the visible lines.
 */
384 int main(int argc,char **argv)
388 char *interface = NULL;
389 lorcon_driver_t *drvlist, *driver;
391 char errbuf[PCAP_ERRBUF_SIZE];
393 struct bpf_program fp; /* hold compiled program */
394 bpf_u_int32 maskp; /* subnet mask */
395 bpf_u_int32 netp; /* ip */
// Empty filter: every frame is accepted.
397 char filter_exp[] = "";
398 char *totpacket = NULL;
400 while ((c = getopt (argc, argv, "ha:i:p:")) != -1)
412 printf("./disect -a -i\n\t-a : number of packets to sniff. (default 10)\n\t-i : wlan interface.\n\t-p : URL for your collector.\n");
// NOTE(review): if totpacket stays NULL here, atoi(totpacket) further down is
// undefined behaviour -- presumably the lines not shown assign a default;
// confirm. (The usage text says "default 10", this message says forever.)
418 if (totpacket == NULL) {
420 printf("-a not specified... looping forever.\n");
423 if (interface == NULL) {
424 printf("You forgot -i\n");
428 if (post_url == NULL) {
429 printf("You forgot -p\n");
433 //printf ("%s %s\n", totpacket, dev);
435 //if(interface == NULL) {
436 // printf("%s\n",errbuf);
440 if ( (driver = lorcon_auto_driver(interface)) == NULL) {
441 printf("[!] Could not determine the driver for %s\n",interface);
444 printf("[+]\t Driver: %s\n",driver->name);
447 // Create LORCON context
448 if ((context = lorcon_create(interface, driver)) == NULL) {
449 printf("[!]\t Failed to create context");
453 // Create Monitor Mode Interface
454 if (lorcon_open_monitor(context) < 0) {
455 printf("[!]\t Could not create Monitor Mode interface!\n");
458 printf("[+]\t Monitor Mode VAP: %s\n",lorcon_get_vap(context));
459 lorcon_free_driver_list(driver);
462 // Set the channel we'll be injecting on
// lchannel's initial value is not visible; return value unchecked.
463 lorcon_set_channel(context, lchannel);
465 dev=lorcon_get_vap(context);
467 /* ask pcap for the network address and mask of the device */
// Return value unchecked; on a monitor-mode VAP this commonly fails and netp
// is then left unset, but with the empty filter pcap_compile() does not use it.
468 pcap_lookupnet(dev,&netp,&maskp,errbuf);
470 /* open device for reading. NOTE: defaulting to
// promisc=1, 1000 ms timeout, 2346-byte snaplen; the NULL check is on a line
// not shown (the printf of errbuf below belongs to it).
472 pcap = pcap_open_live(dev,2346,1,1000,errbuf);
// NOTE(review): pcap_set_promisc() on an already-activated handle fails with
// PCAP_ERROR_ACTIVATED; promiscuous mode was already requested by the
// pcap_open_live() arguments above, so this call is a no-op at best.
473 pcap_set_promisc(pcap, 1);
476 printf("pcap_open_live(): %s\n",errbuf);
// Three consecutive pcap_set_datalink() calls: only the last one can stick,
// and none of the return values is checked (a driver may reject any of them).
480 pcap_set_datalink(pcap, DLT_IEEE802_11);
481 pcap_set_datalink(pcap, DLT_IEEE802_11_RADIO_AVS);
482 pcap_set_datalink(pcap, DLT_IEEE802_11_RADIO);
484 //pcap_setnonblock(pcap, 1, errbuf);
486 int link_layer_type = pcap_datalink(pcap);
488 //printf("type: %d\n", link_layer_type);
// my_callback() only parses radiotap, so accepting DLT_IEEE802_11, PRISM or PPI
// here means those captures would be misparsed; 127 is the numeric value of
// DLT_IEEE802_11_RADIO, already listed above.
490 if (link_layer_type == DLT_PRISM_HEADER ||
491 link_layer_type == DLT_IEEE802_11_RADIO ||
492 link_layer_type == DLT_IEEE802_11_RADIO_AVS ||
493 link_layer_type == DLT_IEEE802_11 ||
494 link_layer_type == DLT_PPI ||
495 link_layer_type == 127 ) {
496 if (pcap_compile(pcap, &fp, filter_exp, 0, netp) == -1) {
497 fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(pcap));
500 if (pcap_setfilter(pcap, &fp) == -1) {
501 fprintf(stderr, "Couldn't install filter %s: %s\n",
502 filter_exp, pcap_geterr(pcap));
505 printf("starting\n");
// atoi() gives no error reporting; strtol() would reject non-numeric -a
// values. A count <= 0 makes pcap_loop() run until an error or pcap_breakloop().
507 pcap_loop(pcap,atoi(totpacket),my_callback,NULL);
509 fprintf(stderr, "Not using the Wi-Fi interface, are you testing something?\n");
511 fprintf(stdout,"\nfinished\n");