dsniff/dsniff-2.4-urlsnarf_timestamp.patch

Patch by Hilko Bengen <bengen@debian.org> for dsniff >= 2.4b1, which adds
the usage of timestamps from pcap file if available to urlsnarf. For some
more information, please have a look to Debian bug ID #573365.

--- dsniff-2.4/urlsnarf.c		2011-10-09 18:13:49.000000000 +0200
+++ dsniff-2.4/urlsnarf.c.timestamp	2011-10-09 18:37:33.000000000 +0200
@@ -36,6 +36,7 @@
 u_short		Opt_dns = 1;
 int		Opt_invert = 0;
 regex_t	       *pregex = NULL;
+time_t		tt = 0;
 
 static void
 usage(void)
@@ -57,9 +58,12 @@
 {
 	static char tstr[32], sign;
 	struct tm *t, gmt;
-	time_t tt = time(NULL);
 	int days, hours, tz, len;
 	
+	if (!nids_params.filename) {
+		tt = time(NULL);
+	}
+
 	gmt = *gmtime(&tt);
 	t = localtime(&tt);
 	
@@ -312,9 +316,48 @@
 
         nids_register_chksum_ctl(&chksum_ctl, 1);
 
-	nids_run();
-	
-	/* NOTREACHED */
+	pcap_t *p;
+	char pcap_errbuf[PCAP_ERRBUF_SIZE];
+	if (nids_params.filename == NULL) {
+		/* adapted from libnids.c:open_live() */
+		if (strcmp(nids_params.device, "all") == 0)
+			nids_params.device = "any";
+		p = pcap_open_live(nids_params.device, 16384, 
+				   (nids_params.promisc != 0),
+				   0, pcap_errbuf);
+		if (!p) {
+			fprintf(stderr, "pcap_open_live(): %s\n",
+				pcap_errbuf);
+			exit(1);
+		}
+	}
+	else {
+		p = pcap_open_offline(nids_params.filename, 
+				      pcap_errbuf);
+		if (!p) {
+			fprintf(stderr, "pcap_open_offline(%s): %s\n",
+				nids_params.filename, pcap_errbuf);
+		}
+	}
+
+	struct pcap_pkthdr *h;
+	u_char *d;
+	int rc;
+	while ((rc = pcap_next_ex(p, &h, &d)) == 1) {
+		tt = h->ts.tv_sec;
+		nids_pcap_handler(NULL, h, d);
+	}
+	switch (rc) {
+	case(-2): /* end of pcap file */
+	case(0):  /* timeout on live capture */
+		break;
+	case(-1):
+	default:
+		fprintf(stderr, "rc = %i\n", rc);
+		pcap_perror(p, "pcap_read_ex()");
+		exit(1);
+		break;
+	}
 	
 	exit(0);
 }