# -sam k (commport5@lucidx.com) use pdump::Sniff; sub check_file { my ($alla, $call, $nite, $headers) = ($offset_all, $_[2], 0); $time = timem(); $untm = time(); $time =~ s/^.*?\.(.*?)$/$1/; $packet_all->bset($call, $alla); $prt = $packet_all->proto; $prt =~ /^(.{1})/; $prot = uc($1); $proto = $prt; ($vers,$ihl,$tos,$tot,$id,$frg,$ttl,$pro,$chc,$saddr,$daddr,$sport,$dport,$seq,$aseq,$dof,$res1,$res2,$urg,$ack,$psh,$rst,$syn,$fin,$win,$chk,$data) = $packet_all->get({ip=>['version','ihl','tos','tot_len','id','frag_off','ttl','protocol','check','saddr','daddr'],tcp=>[ 'source','dest','seq','ack_seq','doff','res1','res2','urg','ack','psh','rst','syn','fin','window','check','data']}); $seq =~ s/^-//; if ($dmth) { $flags = unpack("B8", substr($call, $allo+20+13, 1)); substr($flags, 6, 1) == '1' || substr($flags, 7, 1) == '1'; %pd = &getpckt($allo); if ($nons) { $sname = $pd{'saddr'}; $dname = $pd{'daddr'}; $stest = $sname; $dtest = $dname; } else { $sname = $pd{'shost'}; $dname = $pd{'dhost'}; $stest = $pd{'saddr'}; $dtest = $pd{'daddr'}; } } else { if ($nons) { $sname = &ip2dot($saddr); $dname = &ip2dot($daddr); $stest = $sname; $dtest = $dname; } else { $sname = &ip2name($saddr); $dname = &ip2name($daddr); $stest = &ip2dot($saddr); $dtest = &ip2dot($daddr); } } unless ($nosv) { @sserv = &port2serv($sport, $proto); @dserv = &port2serv($dport, $proto); } if ($sserv[0]) { $stype = $sserv[0]; } else { $stype = $sport; } if ($dserv[0]) { $dtype = $dserv[0]; } else { $dtype = $dport; } if ($nofl and !$fl) { $dname =~ s/^([^\.]+)\..*?$/$1/; $sname =~ s/^([^\.]+)\..*?$/$1/; } if ($sport == 139 or $dport == 139 or $sniff{'smb'}) { $escd = uri_escape($data); if (($file) = $escd =~ /%00%5C([^%]+)%00/) { $sniff{'smb'}++; print "SMB:\t\t$stest:$sport > $dtest:$dport: Remote saving to $file\n"; $file =~ s/(?:^|\/)([^\/]+)$/$1/; print "Saving file to $file\n"; $sniff{'smb-file'} = $file; } elsif ($sniff{'smb'} == 1 and $escd !~ /^%00%00%00\// and ($dats) = $escd =~ /!%00;%00!%00(.*?)$/) { $sniff{'smb'} = 2; $ndat = uri_unescape($dats); open(SMBSWIPE, ">>$sniff{'smb-file'}") || print "Could not append to $sniff{'smb-file'}: $!\n"; print SMBSWIPE $ndat; close(SMBSWIPE); } elsif ($sniff{'smb'} == 2 and $escd !~ /^%00%00%00\//) { open(SMBSWIPE, ">>$sniff{'smb-file'}") || print "Could not append to $sniff{'smb-file'}: $!\n"; print SMBSWIPE $data; close(SMBSWIPE); } elsif ($sniff{'smb'} == 2 and $escd =~ /^%00%00%00\//) { $sniff{'smb'} = 0; } } if ($sport > 1024 and $dport > 1024) { if (($nick, $nfos) = $data =~ /^PRIVMSG ([^\s]+) \cA?:\cA?DCC SEND (.*?)$/ and $sniff{'dcc'} == 0) { ($file, $lnip, $ptn, $size) = split(/\s+/, $nfos); $sniff{'dcc'} = 1; print "IRC DCC:\t$stest:$sport > $dtest:$dport: Remote (->$nick) saving to $file\n"; print "Saving file to $file\n"; $sniff{'dcc-file'} = $file; $smip = join ".", unpack "C4", pack("N", $lnip); } elsif (($hmsk, $nick, $nfos) = $data =~ /:([^\s]+![^\s]+\@[^\s]+) PRIVMSG ([^\s]+) \cA?:\cA?DCC SEND (.*?)$/ and $sniff{'dcc'} == 0) { ($file, $lnip, $ptn, $size) = split(/\s+/, $nfos); $sniff{'dcc'} = 1; print "IRC DCC:\t$stest:$sport > $dtest:$dport: Remote ($hmsk->$nick) saving to $file\n"; print "Saving file to $file\n"; $sniff{'dcc-file'} = $file; $smip = join ".", unpack "C4", pack("N", $lnip); } elsif ($sniff{'dcc'} == 1 and ($smip == $stest and $ptn == $sport) or ($smip == $dtest and $ptn == $dport)) { open(DCCSWIPE, ">>$sniff{'dcc-file'}") || print "Could not append to $sniff{'dcc-file'}: $!\n"; print DCCSWIPE $data; close(DCCSWIPE); $sniff{'dcc'} = 2; } elsif ($sniff{'dcc'} == 2 and $data ne "!" and ($smip == $stest and $ptn == $sport) or ($smip == $dtest and $ptn == $dport)) { open(DCCSWIPE, ">>$sniff{'dcc-file'}") || print "Could not append to $sniff{'dcc-file'}: $!\n"; print DCCSWIPE $data; close(DCCSWIPE); } elsif ($sniff{'dcc'} == 2 and $data eq "!" and ($smip == $stest and $ptn == $sport) or ($smip == $dtest and $ptn == $dport)) { $sniff{'dcc'} = 0; } } if ($sport == 21 or $dport == 21 or $sniff{'ftp'}) { if (($file) = $data =~ /STOR ([^(?:\n|$)]+)/) { $sniff{'ftp'}++; print "FTP:\t\t$stest:$sport > $dtest:$dport: Remote saving to $file\n"; $file =~ s/(?:^|\/)([^\/]+)$/$1/; print "Saving file to $file\n"; $sniff{'ftp-file'} = $file; } elsif ($sniff{'ftp'} == 1 and $data =~ /^\s*150/) { $sniff{'ftp'}++; } elsif ($sniff{'ftp'} == 2 and $data !~ /^\s*(?:PASV|22(?:6|7))/) { open(FTPSWIPE, ">>$sniff{'ftp-file'}") || print "Could not append to $sniff{'ftp-file'}: $!\n"; print FTPSWIPE $data; close(FTPSWIPE); } elsif ($sniff{'ftp'} == 1 or $sniff{'ftp'} == 2 and $data =~ /^\s*226/) { $sniff{'ftp'} = 0; } ⊤ } } 1;