/***************************************************************************
 *   Copyright (C) 2010 by Velan.   *
 *   vlabs.c@gmail.com  *
 *                                                                         *
 *   This program is free software; you can redistribute it and/or modify  *
 *   it under the terms of the GNU General Public License as published by  *
 *   the Free Software Foundation; either version 2 of the License, or     *
 *   (at your option) any later version.                                   *
 *                                                                         *
 *   This program is distributed in the hope that it will be useful,       *
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
 *   GNU General Public License for more details.                          *
 *                                                                         *
 *   You should have received a copy of the GNU General Public License     *
 *   along with this program; if not, write to the                         *
 *   Free Software Foundation, Inc.,                                       *
 *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
 ***************************************************************************/
// 0.0.5 - included ethernet header, modified ARP header, changing APR processing by including ntohs; etc
// dependencies - libpcap -> tcpdump.org
// compilation - g++ arp_sniff.cc -o arp_sniff -lpcap -w 


#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

//#include <iostream>
//#include <cstdlib>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

//#include <features.h>
#include <sys/types.h>
#include <sys/socket.h>

#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/tcp.h>

#include <pcap.h>

using namespace std;

void List_Devices();
void Sniff_Device(char *Device);
void Got_ARP_Packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet);

	// Ethernet header
typedef u_int32_t tcp_seq;



main(int argc, char *argv[])
{
	//printf("Shellcode detector. \n");
	char *ArgDevice;
	ArgDevice = (char*)malloc(256);
	bzero(ArgDevice, 256);

	printf("Sniffer Lite. by Velan. vlabs.c@gmail.com\nThis module contains the ARPSniffer.\n");
	if(argc < 2)
	{
		printf("\nUsage: %s [ld] [device name]\narg\t\tfunction\n", argv[0]);
		printf("-l\t\tlisting available devices\n");
		printf("-d\t\tuse default device\n");
		printf("\n");
		exit(0);
	}
	else if(strncmp(argv[1], "-l", 2) == 0)
	{
		List_Devices();
	}
	else if(strncmp(argv[1], "-d", 2) == 0)
	{
		printf("Selecting default device. ");
		snprintf(ArgDevice, 3, "%s", "-d");
		Sniff_Device(ArgDevice);
	}
	else if(argc == 2 && strncmp(argv[1], "-l", 2) != 0 && strncmp(argv[1], "-d", 2) != 0)
	{
		snprintf(ArgDevice, 256, "%s", argv[1]);
		Sniff_Device(ArgDevice);
	}
}

void List_Devices()
{
	pcap_if_t *All_Devices_SP, *d;
	int ret = 0;
	char pcap_errbuf[PCAP_ERRBUF_SIZE];

	printf("Listing available devices.\n");
	ret = pcap_findalldevs(&All_Devices_SP, pcap_errbuf);
	if(ret == -1)
	{
		printf("Error in looking up all available devices. %s\n", pcap_errbuf);
		exit(-1);
	}
	
	printf("\n----------------------------\nDevice\t\tDescription\n----------------------------\n");
	for(d = All_Devices_SP; d; d = d->next)
	{
		printf("%s\t\t%s\n", d->name, d->description);

	}
	printf("\n");
	exit(0);
}


void Sniff_Device(char *Device)
{
	char *dev = NULL;
	char pcap_errbuf[PCAP_ERRBUF_SIZE];
	const u_char *packet = NULL;
	int ret = 0, i = 0;
	unsigned int ts = 0;

	pcap_t *pcap_handle;
	bpf_u_int32 pcap_device_mask;
	bpf_u_int32 pcap_device_ip;
	struct pcap_pkthdr header;
	struct bpf_program filter;
	
	dev = (char*) malloc(256);
	if(strncmp(Device, "-d", 2) == 0)
	{
		dev = pcap_lookupdev(pcap_errbuf);
		printf("Default device: %s, ", dev);
	}
	else
	{	
		snprintf(dev, 256, "%s", Device);
	}

	if(dev == NULL)
	{
		printf("Error in looking up default device. %s\n", pcap_errbuf);
		exit(0);
	}
	ret = pcap_lookupnet(dev, &pcap_device_ip, &pcap_device_mask, pcap_errbuf);
	if(ret == -1)
	{
		printf("Error in lookup device. %s\n", pcap_errbuf);
		exit(0);
	}	
	printf("opening the device %s for sniffing\n", dev);

	// print sniffing IP - start
	ts = pcap_device_ip;
	ts = (ts << 24) >> 24;
	printf("Sniffing device IP: %u.", ts);

	ts = pcap_device_ip;
	ts = (ts << 16) >> 24;
	printf("%u.", ts);

	ts = pcap_device_ip;
	ts = (ts << 8) >> 24;
	printf("%u.", ts);

	ts = pcap_device_ip;
	ts = (ts >> 24);
	printf("%u, ", ts);
	// print sniffing IP - end

	// print sniffing IP Mask - start
	ts = pcap_device_mask;
	ts = (ts << 24) >> 24;
	printf("Mask: %u.", ts);

	ts = pcap_device_mask;
	ts = (ts << 16) >> 24;
	printf("%u.", ts);
	
	ts = pcap_device_mask;
	ts = (ts << 8) >> 24;
	printf("%u.", ts);

	ts = pcap_device_mask;
	ts = (ts >> 24);
	printf("%u\n", ts);
	// print sniffing IP Mask - end
	printf("\n\n");

	pcap_handle = pcap_open_live(dev, 1000, 0, 10000, pcap_errbuf);
	if(pcap_handle == NULL){	printf("Error!\n");	}

	pcap_compile(pcap_handle, &filter, "arp", 1, pcap_device_mask);	// create filter to grab only ARP
	pcap_setfilter(pcap_handle, &filter);				// apply the filter to the handle
	printf("______________________________________________________\n\n");
	pcap_loop(pcap_handle, -1, Got_ARP_Packet, NULL);		// -1 means unlimited packet
	
}


void Got_ARP_Packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
{

typedef struct EthernetHeader_StructMain{
	u_char DestinationMACAddress[6];
	u_char SourceMACAddress[6];
	u_short Type;
}Struct_EthernetHeader;					// 14 bytes


typedef struct ARPHeader_StructMain{
	u_int16_t HardwareType;				// hardware type 
	u_int16_t ProtocolType;				// protocol type

	u_char HardwareAddressLength;			// harware address length
	u_char ProtocolAddressLength;			// protocol address length
	u_int16_t Opcode;				// opcode - request, reply, re request

	u_char SourceHardwareAddress[6];		// source MAC address
	u_char SourceProtocolAddress[4];		// source IP address
	u_char DestinationHardwareAddress[6];		// target MAC address
	u_char DestinationProtocolAddress[4];		// target IP address
}Struct_ARPHeader;					// 28 bytes

	unsigned int ts = 0, j = 0 ;
	u_int16_t HardwareType_Host = 0, ProtocolType_Host = 0, Opcode_Host = 0;
	u_char HardwareAddressLength_Host = 0, ProtocolAddressLength_Host = 0;

	Struct_EthernetHeader *EthernetHeader = NULL;
	Struct_ARPHeader *ARPHeader = NULL;
	bzero(&EthernetHeader, sizeof(Struct_EthernetHeader));
	bzero(&ARPHeader, sizeof(Struct_ARPHeader));
	
	EthernetHeader = (Struct_EthernetHeader *) packet;
	ARPHeader = (Struct_ARPHeader *) (packet+14);

	HardwareType_Host = ntohs(ARPHeader->HardwareType);
	ProtocolType_Host = ntohs(ARPHeader->ProtocolType);
	Opcode_Host = ntohs(ARPHeader->Opcode);

	HardwareAddressLength_Host = ARPHeader->HardwareAddressLength;
	ProtocolAddressLength_Host = ARPHeader->ProtocolAddressLength;

	// print Ethernet header - 14 bytes - start

	printf("Ethernet packet - Frame II: ");
	// print source MAC address
	for(j = 0; j < 6; j++)
	{	
		//printf("(%u, %02X)", ARPHeader->SourceHardwareAddress[j], ARPHeader->SourceHardwareAddress[j]);
		printf("%02X", EthernetHeader->SourceMACAddress[j]);
		if(j != 5){	printf(":");	}
	}
	printf(" > ");
	// print destination MAC address
	for(j = 0; j < 6; j++)
	{	
		//printf("(%u, %02X)", ARPHeader->SourceHardwareAddress[j], ARPHeader->SourceHardwareAddress[j]);
		printf("%02X", EthernetHeader->DestinationMACAddress[j]);
		if(j != 5){	printf(":");	}
	}
	// print Ethernet type
	printf(", Type: 0x%X", ntohs(EthernetHeader->Type));

	// print Ethernet header - 14 bytes - end

	printf("\n");

	// print ARP header - 28 bytes - start

	printf("ARP Header: ");
	
	// print source ip address
	for(j = 0; j < 4; j++)
	{	
		printf("%d", ARPHeader->SourceProtocolAddress[j]);
		if(j != 3){	printf(".");	}
	}	
	printf(" > ");
	// print target ip address
	for(j = 0; j < 4; j++)
	{	
		printf("%d", ARPHeader->DestinationProtocolAddress[j]);
		if(j != 3){	printf(".");	}
	}	
	
	printf("\t\t=\t");
	//printf("\n\t\t");
	printf("MAC: ");

	// print source hardware address
	for(j = 0; j < 6; j++)
	{	
		//printf("(%u, %02X)", ARPHeader->SourceHardwareAddress[j], ARPHeader->SourceHardwareAddress[j]);
		printf("%02X", ARPHeader->SourceHardwareAddress[j]);
		if(j != 5){	printf(":");	}
	}
	printf(" > ");
	// print target hardware address
	for(j = 0; j < 6; j++)
	{	
		printf("%02X", ARPHeader->DestinationHardwareAddress[j]);
		if(j != 5){	printf(":");	}
	}
	printf("\n\t\t");

	//print hardware type - start
	printf("Hardware type: ");
	
	if(HardwareType_Host == 0)
	{	printf("Reserved");	}
	else if(HardwareType_Host == 1)
	{	printf("Ethernet");	}
	else if(HardwareType_Host == 2)
	{	printf("Experimental Ethernet");	}
	else if(HardwareType_Host == 3)
	{	printf("Amateur Radio AX25");	}
	else if(HardwareType_Host == 4)
	{	printf("Proteon ProNET Token Ring");	}
	else if(HardwareType_Host == 5)
	{	printf("Chaos");	}
	else if(HardwareType_Host == 6)
	{	printf("IEEE 802");	}
	else if(HardwareType_Host == 7)
	{	printf("ARCNET");	}
	else if(HardwareType_Host == 8)
	{	printf("Hyperchannel");	}
	else if(HardwareType_Host == 9)
	{	printf("Lanstar");	}
	else if(HardwareType_Host == 10)
	{	printf("Atuonet Short Address");	}
	else if(HardwareType_Host == 11)
	{	printf("LocalTalk");	}
	else if(HardwareType_Host == 12)
	{	printf("LocalNet (IBM PCNet or SYTEK LocalNET)");	}
	else if(HardwareType_Host == 13)
	{	printf("Ultra link");	}
	else if(HardwareType_Host == 14)
	{	printf("SMDS");	}
	else if(HardwareType_Host == 15)
	{	printf("Frame Relay");	}
	else if(HardwareType_Host == 16)
	{	printf("ATM, Asynchronous Transmission Mode");	}
	else if(HardwareType_Host == 17)
	{	printf("HDLC");	}
	else if(HardwareType_Host == 18)
	{	printf("Fibre Channel");	}
	else if(HardwareType_Host == 19)
	{	printf("ATM, Asynchronous Transmission Mode");	}
	else if(HardwareType_Host == 20)
	{	printf("Serial Line");	}
	else if(HardwareType_Host == 21)
	{	printf("ATM, Asynchronous Transmission Mode");	}
	else if(HardwareType_Host == 22)
	{	printf("MIL-STD-188-220");	}
	else if(HardwareType_Host == 23)
	{	printf("Metricom");	}
	else if(HardwareType_Host == 24)
	{	printf("IEEE 1394.1995");	}
	else if(HardwareType_Host == 25)
	{	printf("MAPOS");	}
	else if(HardwareType_Host == 26)
	{	printf("Twinazial");	}
	else if(HardwareType_Host == 27)
	{	printf("EUI-64");	}
	else if(HardwareType_Host == 28)
	{	printf("HIPARP");	}
	else if(HardwareType_Host == 29)
	{	printf("IP and ARP over ISO 7816-3");	}
	else if(HardwareType_Host == 30)
	{	printf("ARPSec");	}
	else if(HardwareType_Host == 31)
	{	printf("IPsec tunnel");	}
	else if(HardwareType_Host == 32)
	{	printf("Infiniband");	}
	else if(HardwareType_Host == 33)
	{	printf("CAI, TIA-102 Project 25 Common Air Interface");	}
	else if(HardwareType_Host == 34)
	{	printf("Wiegand Interface");	}
	else if(HardwareType_Host == 35)
	{	printf("Pure IP");	}
	else if(HardwareType_Host == 36)
	{	printf("HW_EXP1");	}
	else if(HardwareType_Host > 36 && HardwareType_Host <256)
	{	printf("Unknown");	}
	else if(HardwareType_Host == 256)
	{	printf("HW_EXP2");	}
	else if(HardwareType_Host > 256 && HardwareType_Host <65535)
	{	printf("Unknown");	}
	else if(HardwareType_Host == 65535)
	{	printf("Reserved");	}
	printf(" (0x%X)", HardwareType_Host);
	// print hardware type - end

	// print protocol type - start
	printf(", ");
	printf("Protocol: ");
	if(ProtocolType_Host == 0x0800)		// 0x0800 - IP
	{	printf("IP ");	}
	printf(" (0x%X)", ProtocolType_Host);
	// print protocol type - end

	
	// print opcode type - start
	printf(", ");
	printf("Opcode: ");
	if(Opcode_Host == 0)
	{	printf("Reserved");	}
	else if(Opcode_Host == 1)
	{	printf("Request");	}
	else if(Opcode_Host == 2)
	{	printf("Reply");	}
	else if(Opcode_Host == 3)
	{	printf("Request Reverse");	}
	else if(Opcode_Host == 4)
	{	printf("Reply Reverse");	}
	else if(Opcode_Host == 5)
	{	printf("DRARP Request");	}
	else if(Opcode_Host == 6)
	{	printf("DRARP Reply");	}
	else if(Opcode_Host == 7)
	{	printf("DRARP Error");	}
	else if(Opcode_Host == 8)
	{	printf("InARP Request");	}
	else if(Opcode_Host == 9)
	{	printf("InARP Reply");	}
	else if(Opcode_Host == 10)
	{	printf("ARP NAK");	}
	else if(Opcode_Host == 11)
	{	printf("MARS Request");	}
	else if(Opcode_Host == 12)
	{	printf("MARS Multi");	}
	else if(Opcode_Host == 13)
	{	printf("MARS MServ");	}
	else if(Opcode_Host == 14)
	{	printf("MARS Join");	}
	else if(Opcode_Host == 15)
	{	printf("MARS Leave");	}
	else if(Opcode_Host == 16)
	{	printf("MARS NAK");	}
	else if(Opcode_Host == 17)
	{	printf("MARS Unserv");	}
	else if(Opcode_Host == 18)
	{	printf("MARS SJoin");	}
	else if(Opcode_Host == 19)
	{	printf("MARS SLeave");	}
	else if(Opcode_Host == 20)
	{	printf("MARS Grouplist Reply");	}
	else if(Opcode_Host == 21)
	{	printf("MARS Grouplist Reply");	}
	else if(Opcode_Host == 22)
	{	printf("MARS Redirect Map");	}
	else if(Opcode_Host == 23)
	{	printf("MAPOS UNARP");	}
	else if(Opcode_Host == 24)
	{	printf("OP_EXP1");	}
	else if(Opcode_Host == 25)
	{	printf("OP_EXP2");	}
	else if(Opcode_Host > 25 && Opcode_Host < 65535)
	{	printf("Unknown");	}
	else if(Opcode_Host == 65535)
	{	printf("Unknown");	}
	printf(" (0x%X)", Opcode_Host);
	// print opcode type - end

	printf("\n\t\t");

	// print hardware address length and protocol address length - start
	printf("Hardware address length: %u, Protocol address length: %u", HardwareAddressLength_Host, ProtocolAddressLength_Host);
	// print hardware address length and protocol address length - end

	printf("\n\t\t");

	// print hardware vendor name - start

	// 000000, 000001, 000002, 000003, 000004, 000005, 000006, 000007, 000008, 000009 - XEROX CORPORATION.
	// 00000C - CISCO SYSTEMS, INC.
	// 00001A - ADVANCED MICRO DEVICES
	// 0002B3 - Intel Corporation.
	// 0001E6 - Hewlett-Packard Company.
	// 000255 - IBM Corporation
	// 00065B - Dell Computer Corp.
	// 000102 - 3COM CORPORATION
	// 00178D - Checkpoint Systems, Inc.
	// 000585 - Juniper Networks, Inc.	
	//000569, 000C29, 001C14, 005056 - VMWare Inc.

	char *MAC_IDs[23] = {"000000", "000001", "000002", "000003", "000004", "000005", "000006", "000007", "000008", "000009", "00000C", "00001A", "0002B3", "0001E6", "000255", "00065B", "000102", "00178D", "000585", "000569", "000C29", "001C14", "005056"};

	char *MAC_Vendors[23] = {"XEROX CORPORATION", "XEROX CORPORATION", "XEROX CORPORATION", "XEROX CORPORATION", "XEROX CORPORATION", "XEROX CORPORATION", "XEROX CORPORATION", "XEROX CORPORATION", "XEROX CORPORATION", "XEROX CORPORATION", "CISCO SYSTEMS, INC.", "ADVANCED MICRO DEVICES", "Intel Corporation.", "Hewlett-Packard Company.", "IBM Corporation", "Dell Computer Corp.", "3COM CORPORATION", "Checkpoint Systems, Inc.", "Juniper Networks, Inc.", "VMWare Inc.", "VMWare Inc.", "VMWare Inc.", "VMWare Inc."};
	char *MACID;

	MACID = (char *)malloc(6);
	sprintf(MACID, "%02X%02X%02X", ARPHeader->SourceHardwareAddress[0], ARPHeader->SourceHardwareAddress[1], ARPHeader->SourceHardwareAddress[2]);

	printf("Source Ethernet Vendor: ");
	ts = 0;
	for(j = 0; j < 23; j++)
	{
		if(strncmp(MAC_IDs[j], MACID, 6) == 0)
		{
			printf("%s\n", MAC_Vendors[j]);
			ts = 1;
			break;
		}
	}
	if(ts == 0)
	{
		printf("Unknown. oui id: %s. Refer http://standards.ieee.org/regauth/oui/oui.txt\n", MACID);
	}
	// print hardware vendor name - end

	// print ARP header - 28 bytes - end

	printf("\n______________________________________________________\n\n");
}