4 files changed, 769 insertions, 37 deletions

diff --git a/LLCSNAP.hs b/LLCSNAP.hs
new file mode 100644
index 00000000..417c36ba
--- /dev/null
+++ b/LLCSNAP.hs
@@ -0,0 +1,49 @@
+module LLCSNAP where
+
+import Data.Bits
+import Data.Word
+
+import Net.PacketParsing
+
+
+-- 802.2 LLC Header                                  : SNAP extension
+-- --------------------------------------------------------------------------
+-- DSAP             : SSAP           : Control       : OUI      : Protocol ID
+-- 1 octet          : 1 octet        : 1 or 2 octets : 3 octets : 2 octets
+
+data LLCSNAP = LLCSNAP
+    { dsap    :: Word8
+    , ssap    :: Word8
+    , control :: Word16 -- 1 or 2 bytes
+    , oui     :: Word32 -- 3 bytes
+    , protoid :: Word16
+    }
+ deriving (Eq,Ord,Read,Show)
+
+instance Parse LLCSNAP where
+    parse = do
+        -- LLC
+        dsap <- word8
+        ssap <- word8
+        control <- fromIntegral <$> word8
+        -- Based on "Understanding Logical Link Control" at
+        --   https://www.cisco.com/c/en/us/support/docs/ibm-technologies/logical-link-control-llc/12247-45.html
+        --
+        -- Unless the low two bits are set, there's
+        -- another byte of the control field.
+        nr <- if 0x0003 == control .&. 0x0003
+                then return 0
+                else fromIntegral <$> word8
+        -- SNAP
+        ouilo <- fromIntegral <$> word16
+        ouihi <- fromIntegral <$> word8
+        protoid <- word16
+        return LLCSNAP
+            { dsap    = dsap
+            , ssap    = ssap
+            , control = control + 256 * nr
+            , oui     = ouilo + 65536 * ouihi
+            , protoid = protoid
+            }
+
+
diff --git a/WifiHeader.hs b/WifiHeader.hs
new file mode 100644
index 00000000..90e77003
--- /dev/null
+++ b/WifiHeader.hs
@@ -0,0 +1,335 @@
+{-# LANGUAGE FlexibleInstances          #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE PatternSynonyms            #-}
+module WifiHeader where
+
+import Data.Bits
+import Data.Word
+
+import Net.Ethernet as Mac (Addr(..))
+import Net.Packet
+import Net.PacketParsing
+
+import LLCSNAP
+
+-- 802.11 Mac header
+--
+-- 23 bytes
+
+-- Wikipedia:
+--
+-- Frames are divided into very specific and standardized sections. Each frame
+-- consists of a MAC header, payload, and frame check sequence (FCS).
+--
+-- Data frames carry packets from web pages, files, etc. within the body.[51]
+-- The body begins with an IEEE 802.2 header, with the Destination Service
+-- Access Point (DSAP) specifying the protocol; however, if the DSAP is hex AA,
+-- the 802.2 header is followed by a Subnetwork Access Protocol (SNAP) header,
+-- with the Organizationally Unique Identifier (OUI) and protocol ID (PID)
+-- fields specifying the protocol. If the OUI is all zeroes, the protocol ID
+-- field is an EtherType value.[52] Almost all 802.11 data frames use 802.2 and
+-- SNAP headers, and most use an OUI of 00:00:00 and an EtherType value.
+--
+-- [51] http://www.wi-fiplanet.com/tutorials/article.php/1447501
+
+-- The first two bytes of the MAC header form a frame control field...
+--
+-- The next two bytes are reserved for the Duration ID field
+--
+-- An 802.11 frame can have up to four address fields. Each field can carry a
+-- MAC address.  The first 4 bits are used for the fragmentation number, and
+-- the last 12 bits are the sequence number.
+--
+-- The Sequence Control field is a two-byte section used for identifying
+-- message order as well as eliminating duplicate frames.
+--
+-- An optional two-byte Quality of Service control field that was added with
+-- 802.11e.
+--
+-- The payload or frame body field is variable in size, from 0 to 2304 bytes
+-- plus any overhead from security encapsulation, and contains information from
+-- higher layers
+--
+-- The Frame Check Sequence (FCS) is the last four bytes in the standard 802.11
+-- frame. Often referred to as the Cyclic Redundancy Check (CRC), it allows for
+-- integrity check of retrieved frames.
+
+-- 2 bits
+data Type = Management
+          | Control
+          | Data
+          | Reserved
+ deriving (Eq,Ord,Enum,Read,Show)
+
+-- 4 bits
+data SubType = AssociationRequest
+             | SubType1
+             | SubType2
+             | SubType3
+             | ProbeRequest
+             | SubType5
+             | SubType6
+             | SubType7
+
+             -- Any of the following used with type 'Data' means the optional
+             -- QoS field is present.
+             | Beacon
+             | SubType9
+             | Disassociation
+             | SubTypeB
+             | SubTypeC
+             | SubTypeD
+             | SubTypeE
+             | SubTypeF
+ deriving (Eq,Ord,Enum,Read,Show)
+
+-- Byte 0 (Frame Control Field 1)
+wifiTypeBits :: Word8 -> Maybe (Type,SubType)
+wifiTypeBits b
+    | version/=0 = Nothing
+    | otherwise  = Just (typ,subtyp)
+ where
+    version = b .&. 0x03
+    typ     = toEnum $ fromIntegral $ 0x03 .&. shiftR b 2
+    subtyp  = toEnum $ fromIntegral $ 0x0F .&. shiftR b 4
+
+
+
+-- Byte 1 (Frame Control Field 2)
+newtype Flags = Flags Word8
+ deriving (Eq,Ord,Bits,Read,Show)
+
+pattern ToDS            = Flags 0x01
+pattern FromDS          = Flags 0x02
+pattern MoreFragments   = Flags 0x04
+pattern Retry           = Flags 0x08
+pattern PowerManagement = Flags 0x10
+pattern MoreData        = Flags 0x20
+pattern Protected       = Flags 0x40
+pattern Order           = Flags 0x80
+
+flagNames :: [(Flags, String)]
+flagNames =
+    [( ToDS, "ToDS" )
+    ,( FromDS, "FromDS" )
+    ,( MoreFragments, "MoreFragments" )
+    ,( Retry, "Retry" )
+    ,( PowerManagement, "PowerManagement" )
+    ,( MoreData, "MoreData" )
+    ,( Protected, "Protected" )
+    ,( Order, "Order" )]
+
+-- Bytes 2,3
+-- Duration/ID field
+--
+-- This field is of size 16 bits. It carries following fields.
+--
+-- •  In control type frames of subtype Power Save (PS)-Poll, the Duration/ID
+-- field carries the association identity (AID) of the station that transmitted
+-- the frame in the 14 least significant bits (LSB), with the 2 most
+-- significant bits (MSB) both set to 1. AID value varies between values from 1
+-- to 2007.
+--
+-- •  In all the other frames, this field contains duration value as specified
+-- for each of the frame. For all the frames transmitted during the CFP
+-- (contention free time period) this field is set to 32,768. If the content of
+-- this field is less than 32768, it is used to update NAV (Network Allocation
+-- Vector).
+newtype DurationID = DurationID Word16
+ deriving (Eq,Ord,Read,Show)
+
+instance Parse DurationID where parse = DurationID <$> parse -- (big endian)
+
+
+
+-- Bytes 4-(21/27) (+18 or +24 bytes long)
+--
+-- Wikipedia claimed: Address 1 is the receiver, Address 2 is the transmitter,
+-- Address 3 is used for filtering purposes by the receiver.[dubious – discuss]
+--
+-- But http://www.rfwireless-world.com/Articles/WLAN-MAC-layer-protocol.html
+-- says:
+--
+-- ToDS   FromDS   addr1   addr2   addr3   addr4
+-- ----   ------   -----   -----   -----   -----
+-- 0      0        DA      SA      BSSID   -
+-- 0      1        DA      BSSID   SA      -
+-- 1      0        BSSID   SA      DA      -
+-- 1      1        RA      TA      DA      SA
+--
+-- DataFrames:
+--
+-- http://www.rfwireless-world.com/images/WLAN-MAC-Data-Frame.jpg
+--
+-- Note 1: The address-1 always holds the RA(Receiver Address) of the intended
+-- receiver or receivers(e.g. in multicast operation). Note 2 : The address-2
+-- always holds the address of STA which is transmitting the MAC frame.
+
+data Addresses = Addresses
+    { bssid   :: Maybe Mac.Addr -- BSSID
+    , srcAddr :: Mac.Addr       -- SA
+    , dstAddr :: Mac.Addr       -- DA
+    , txAddr  :: Maybe Mac.Addr -- TA
+    , rxAddr  :: Maybe Mac.Addr -- RA
+    }
+ deriving (Eq,Ord,Show)
+
+parseAddresses :: Flags -> PacketParser Addresses
+parseAddresses fc = case fc .&. (ToDS .|. FromDS) of
+    Flags 0 -> do
+        -- 0      0        DA      SA      BSSID   -
+        _da    <- parse
+        _sa    <- parse
+        _bssid <- parse
+        return Addresses
+            { bssid   = Just _bssid
+            , srcAddr = _sa
+            , dstAddr = _da
+            , txAddr  = Nothing
+            , rxAddr  = Nothing
+            }
+    FromDS -> do
+        -- 0      1        DA      BSSID   SA      -
+        _da    <- parse
+        _bssid <- parse
+        _sa    <- parse
+        return Addresses
+            { bssid   = Just _bssid
+            , srcAddr = _sa
+            , dstAddr = _da
+            , txAddr  = Nothing
+            , rxAddr  = Nothing
+            }
+    ToDS -> do
+        -- 1      0        BSSID   SA      DA      -
+        _bssid <- parse
+        _sa    <- parse
+        _da    <- parse
+        return Addresses
+            { bssid   = Just _bssid
+            , srcAddr = _sa
+            , dstAddr = _da
+            , txAddr  = Nothing
+            , rxAddr  = Nothing
+            }
+    Flags 0x03 -> do
+        -- 1      1        RA      TA      DA      SA
+        _ra    <- parse
+        _ta    <- parse
+        _da    <- parse
+        -- http://www.rfwireless-world.com/Articles/WLAN-MAC-layer-protocol-p2.html
+        -- indicates that there is a SequenceControl field here.
+        _sa    <- parse
+        return Addresses
+            { bssid   = Nothing
+            , srcAddr = _sa
+            , dstAddr = _da
+            , txAddr  = Just _ta
+            , rxAddr  = Just _ra
+            }
+
+-- Bytes 22/28-23/29 (2 bytes)
+--
+-- The Sequence Control field.
+--
+-- A two-byte section used for identifying message order as well as eliminating
+-- duplicate frames. The first 4 bits are used for the fragmentation number,
+-- and the last 12 bits are the sequence number.
+newtype SequenceControl = SequenceControl Word16
+ deriving (Eq,Ord,Read,Show)
+
+instance Parse SequenceControl where parse = SequenceControl <$> parse -- (big endian)
+
+-- Optional: Bytes 24/30 - 25/31
+--
+-- An optional two-byte Quality of Service control field that was added with 802.11e.
+newtype QoS = QoS Word16
+ deriving (Eq,Ord,Read,Show)
+
+-- Bytes 24/30 (802.11e maybe 26/32) - ? variable length
+--
+-- Frame Body
+
+-- Last 4 bytes.
+--
+-- FCS
+--
+--  Wikipedia cites https://wayback.archive.org/web/20090124151617/http://wifi.cs.st-andrews.ac.uk/wififrame.html
+--
+--  From http://www.rfwireless-world.com/Articles/WLAN-MAC-layer-protocol.html
+--
+--  The WLAN FCS field is a 32-bit field containing a 32-bit CRC. The FCS is
+--  calculated over all the fields of the MAC header and the Frame Body field.
+--  These are referred to as the calculation fields.
+--
+--  The FCS is calculated using the following standard generator polynomial of
+--  degree 32: G(x) = x³² + x²⁶ + x²³ + x²² + x¹⁶ + x¹² + x¹¹ + x¹⁰ + x⁸ + x⁷ +
+--  x⁵ + x⁴ + x² + x + 1
+--
+--  The FCS is the 1's complement of the sum (modulo 2) of the following:
+--
+--  •  The remainder of xk * (x³¹+x³⁰+x²⁹+...+x² + x + 1) divided (modulo 2) by
+--  G(x), where k is the number of bits in the calculation fields.
+--
+--  •  The remainder after multiplication of the contents (treated as a
+--  polynomial) of the calculation fields by x³² and then division by G(x)
+newtype FCS = FCS Word32
+ deriving (Eq,Ord,Read,Show)
+
+data Packet a = Packet
+    { wifiType        :: Type
+    , subtype         :: SubType
+    , flags           :: Flags
+    , duration        :: DurationID
+    , addresses       :: Addresses
+    , sequenceControl :: SequenceControl
+    , qos             :: Maybe QoS
+    , llcsnap         :: Maybe LLCSNAP
+    , content         :: a
+    , fcs             :: Maybe FCS
+    }
+ deriving (Eq,Ord,Show)
+
+-- Hardcoded flag to disable parsing FCS checksum.
+hasFCS :: Bool
+hasFCS = False -- DLT_IEEE802_11 has no trailing 4-byte FCS checksum
+               --
+               -- Other link types might include this:
+               -- See: DLT_IEEE802_11_RADIO
+               --   or DLT_IEEE802_11_RADIO_AVS
+
+instance Parse (Packet InPacket) where
+    parse = do
+        Just (typ,subtyp) <- wifiTypeBits <$> word8
+        flgs <- Flags <$> word8
+        durid <- DurationID <$> word16
+        addrs <- parseAddresses flgs
+        sc <- SequenceControl <$> word16 -- TODO: Sometimes this precedes the 4th address.
+        qos <- if typ == Data && subtyp > SubType7
+                then Just . QoS <$> parse
+                else return Nothing
+        llcsnap <- case typ of
+            Data -> Just <$> parse
+            _    -> return Nothing
+        rst <- therest
+        let (payload,fcs) = if hasFCS
+                then
+                    let payload = takeInPack (len rst - 4) rst
+                        fcshi = rst `wordAt` (len rst - 4)
+                        fcslo = rst `wordAt` (len rst - 2)
+                        fcs = FCS $ fromIntegral fcshi * 65536
+                                  + fromIntegral fcslo
+                    in (payload,Just fcs)
+                else (rst,Nothing)
+        return Packet
+            { wifiType        = typ
+            , subtype         = subtyp
+            , flags           = flgs
+            , duration        = durid
+            , addresses       = addrs
+            , sequenceControl = sc
+            , qos             = qos
+            , llcsnap         = llcsnap
+            , content         = payload
+            , fcs             = fcs
+            }
diff --git a/readpackets.hs b/readpackets.hs
index f02df538..690aa91e 100644
--- a/readpackets.hs
+++ b/readpackets.hs
@@ -1,6 +1,9 @@
-{-# LANGUAGE PackageImports #-}
+{-# LANGUAGE PackageImports     #-}
+{-# LANGUAGE StandaloneDeriving #-}
 module Main where
 
+import Control.Arrow
+import Data.Maybe
 import           Data.Binary.Get      (runGet)
 import qualified Data.ByteString      as BS
 import qualified Data.ByteString      as B
@@ -8,30 +11,63 @@ import qualified Data.ByteString.Lazy as LZ
 import qualified Data.ByteString.Lazy.Char8 as L8
 import           Data.IORef
 import           Data.List
+import           Data.Word
 import           Debug.Trace
 import           Text.Printf
 import           Text.Show.Pretty     as PP
-import "network-house" Net.Packet
+import "network-house" Net.Packet as House
 import qualified "network-house" Net.IPv4 as IP4
 import qualified "network-house" Net.IPv6 as IP6
-import "network-house" Net.PacketParsing
+import "network-house" Net.PacketParsing as House
+import "network-house" Net.PortNumber as TCP
+import "network-house" Net.ICMP as ICMP
+import "network-house" Net.TCP as TCP
 import "network-house" Net.UDP as UDP
 import "pcap"          Network.Pcap
 import qualified Data.Serialize as S
 import qualified Network.Socket as HS
 import Control.Applicative
+import Control.Monad
+import System.Environment
+import Control.Exception
+
+import Hans.Checksum
+import WifiHeader as Wifi
 
 import Crypto.Tox
 import Network.Tox.DHT.Transport as Tox
 import Data.BEncode as BE
 import Data.BEncode.Pretty
 -- import Data.IKE.Message
+import Text.XXD
 
 -- traceM string = trace string $ return ()
 
+
+-- IPv4   : rfc 791
+-- IPv6   : rfc 2460 (8200)
+-- TCP    : rfc 793
+-- UDP    : rfc 768
+-- ICMP   : rfc 792
+-- ICMPv6 : rfc 4443
+-- ARP    : rfc 826
+-- SNAP   : rfc 1042
+
+deriving instance Show IP6.Word4
+deriving instance Show IP6.Word20
+deriving instance Show IP6.Addr
+deriving instance Show a => Show (IP6.Packet a)
+
 bs2chunk :: BS.ByteString -> UArray Int Word8
 bs2chunk bs = listArray (0,subtract 33 $ BS.length bs) $ drop 32 $ BS.unpack bs
+-- 23 + 9 = 32
+
+mkchunk :: Int -> BS.ByteString -> Maybe (UArray Int Word8)
+mkchunk n bs
+    | (BS.length bs < n) = Nothing
+    | otherwise          = Just $ listArray (0,subtract (n+1) $ BS.length bs) $ drop n $ BS.unpack bs
 
+{-
 hex :: BS.ByteString -> String
 hex = concatMap (printf "%02x") . B.unpack
 
@@ -40,43 +76,219 @@ hexlines bs = ss
     where xs = zip [0..] $ hex bs
           ls = groupBy (\(n,_) (m,_)-> n `div` 32 == m `div` 32) xs
           ss = map (map snd) ls
+-}
+
+udpPacket :: PktHdr -> BS.ByteString -> Maybe (IO ())
+udpPacket hdr buf = do
+    chunk <- mkchunk 32 buf
+    udp <- House.doParse $ House.toInPack chunk
+    -- traceM $ "got udp: " ++ show udp
+    -- traceM $ "got udp content: " ++ show (content udp)
+    let plen = House.len $ UDP.content udp
+    bs <- fmap BS.pack . parseInPacket (bytes plen) $ UDP.content udp
+    -- traceM $ "Got bs " ++ show bs
+    (checksum,blob) <- Just $ BS.splitAt 2 bs -- extra 2 bytes in pcap capture, i'm assuming its a checksum
+    --  (first4,truncated) = BS.splitAt 4 blob
+    --  -- First 4 bytes being zero is how we distinguish between
+    --  -- ESP and IKEv2 packets on port 4500.
+    --  dta = if destPort udp /= Port 500 && first4==BS.pack [0,0,0,0]
+    --           then truncated
+    --           else blob
+    Just $ do
+    putStrLn $ "UDP." ++ show udp
+    mapM_ putStrLn $ xxd2 0 blob
+
+parseIP4 :: InPacket -> Maybe (IP4.Packet InPacket)
+parseIP4 inpkt = do
+    ip <- House.doParse inpkt
+    4 <- Just $ IP4.version ip
+    return ip
+
+ipPacket4 :: PktHdr -> BS.ByteString -> Maybe (IO ())
+ipPacket4 hdr buf = do
+    chunk <- mkchunk 23 buf
+    ip <- parseIP4 $ House.toInPack chunk
+    Just $ do
+    putStrLn $ "-- ipPacket4 --"
+    putStrLn $ "IP4." ++ show ip
+
+parseIP6 :: InPacket -> Maybe (IP6.Packet InPacket)
+parseIP6 inpkt = do
+    ip <- House.doParse inpkt
+    IP6.Word4 6 <- Just $ IP6.version ip
+    return ip
+
+ipPacket6 :: PktHdr -> BS.ByteString -> Maybe (IO ())
+ipPacket6 hdr buf = do
+    chunk <- mkchunk 23 buf
+    ip <- parseIP6 $ House.toInPack chunk
+    Just $ do
+    putStrLn $ "-- ipPacket6 --"
+    putStrLn $ "IP6." ++ show ip
+
+showTruncated hdr s
+    | hdrCaptureLength hdr == hdrWireLength hdr
+                = s
+    | otherwise = unwords
+        [ s
+        , "(truncated"
+        , show $ hdrCaptureLength hdr
+        , "of"
+        , show (hdrWireLength hdr) ++ ")"
+        ]
+
+wifiPacket hdr buf = do
+    (Data,_) <- wifiTypeBits $ BS.index buf 0 -- Filter all but data packets.
+    guard (BS.length buf >= 28)
+    chunk <- mkchunk 0 buf
+    wifi <- House.doParse $ House.toInPack chunk
+    Just $ do
+    -- putStrLn $ "-- wifiPacket --"
+    -- putStrLn $ "Wifi." ++ show wifi
+    let parseip = do
+            Wifi.Data <- Just $ wifiType wifi
+            c <- Just $ Wifi.content wifi
+            (Left <$> parseIP4 c) <|> (Right <$> parseIP6 c)
+    let mdta = parseip >>= ipPacket
+    forM_ mdta $ \dta -> do
+    let src = saddr (left fst $ right fst $ ipAddrs dta)
+                    (fromMaybe 0 $ fst <$> ipPorts dta)
+        dst = saddr (left snd $ right snd $ ipAddrs dta)
+                    (fromMaybe 0 $ snd <$> ipPorts dta)
+        srcmac = Wifi.srcAddr (Wifi.addresses wifi)
+        dstmac = Wifi.dstAddr (Wifi.addresses wifi)
+        r = [ maybe "" (("bssid "++) . show) $ Wifi.bssid (Wifi.addresses wifi)
+            , "<-- " ++ show src ++ " (" ++ show srcmac ++ ")"
+            , "--> " ++ show dst ++ " (" ++ show dstmac ++ ")"
+            , showTruncated hdr (ipProtocol dta)
+            ]
+    case ipPayload dta of
+        Nothing -> mapM_ putStrLn r
+        Just bs -> mapM_ putStrLn $ sideBySide (xxd2 0 bs) r
+    putStrLn ""
+
+sideBySide (x:xs) (y:ys) = (take 72 (x ++ repeat ' ') ++ y) : sideBySide xs ys
+sideBySide []     (y:ys) = (replicate 72 ' '          ++ y) : sideBySide [] ys
+sideBySide xs     []     = xs
+
+saddr (Left  ip4) port = HS.SockAddrInet  (fromIntegral port) addr
+    where IP4.Addr a b c d = ip4
+          addr = fromIntegral a
+               + fromIntegral b * 256
+               + fromIntegral c * 65536
+               + fromIntegral d * 16777216
+saddr (Right ip6) port = HS.SockAddrInet6 (fromIntegral port) 0 addr 0
+    where IP6.Addr ah al bh bl ch cl dh dl = ip6
+          addr = ( fromIntegral ah * 65536 + fromIntegral al
+                 , fromIntegral bh * 65536 + fromIntegral bl
+                 , fromIntegral ch * 65536 + fromIntegral cl
+                 , fromIntegral dh * 65536 + fromIntegral dl
+                 )
+
+data IPData = IPData
+    { ipPayload  :: Maybe BS.ByteString
+    , ipProtocol :: String
+    , ipPorts    :: Maybe (Word16,Word16)
+    , ipAddrs    :: Either (IP4.Addr,IP4.Addr)
+                           (IP6.Addr,IP6.Addr)
+    }
+
+ip4addrs pkt = (IP4.source pkt, IP4.dest pkt)
+
+ip6addrs pkt = (IP6.source pkt, IP6.dest pkt)
+
+ipPacket ip = do
+    let udp = do
+            IP4.UDP <- Just $ either IP4.protocol IP6.next_header ip
+            pkt <- House.doParse $ either IP4.content IP6.content ip
+            let ulen = House.len $ UDP.content pkt
+                mbs = fmap BS.pack . parseInPacket (bytes ulen) $ UDP.content pkt
+            let UDP.Port sport = UDP.sourcePort pkt
+                UDP.Port dport = UDP.destPort pkt
+            return IPData
+                { ipPayload  = mbs
+                , ipProtocol = "UDP"
+                , ipPorts    = Just (sport,dport)
+                , ipAddrs    = either (Left . ip4addrs) (Right . ip6addrs) ip
+                }
+        tcp = do
+            IP4.TCP <- Just $ either IP4.protocol IP6.next_header ip
+            pkt <- House.doParse $ either IP4.content IP6.content ip
+            let ulen = House.len $ TCP.content pkt
+                mbs = fmap BS.pack . parseInPacket (bytes ulen) $ TCP.content pkt
+            let TCP.Port sport = TCP.sourcePort pkt
+                TCP.Port dport = TCP.destPort pkt
+            return IPData
+                { ipPayload  = mbs
+                , ipProtocol = "TCP"
+                , ipPorts    = Just (sport,dport)
+                , ipAddrs    = either (Left . ip4addrs) (Right . ip6addrs) ip
+                }
+        icmp = do
+            IP4.ICMP <- Just $ either IP4.protocol IP6.next_header ip
+            pkt <- House.doParse $ either IP4.content IP6.content ip
+            let ping = do
+                    EchoRequest msg <- Just pkt
+                    return ("Ping", echoData msg)
+                pong = do
+                    EchoReply msg <- Just pkt
+                    return ("Pong", echoData msg)
+                other = do
+                    Other { type_ = typ, content = chunk } <- Just pkt
+                    return (show typ, chunk)
+            (typ,chunk) <- ping <|> pong <|> other
+            let p = House.toInPack chunk
+                ulen = House.len p
+                mbs = fmap BS.pack . parseInPacket (bytes ulen) $ p
+            return IPData
+                { ipPayload  = mbs
+                , ipProtocol = "ICMP "++typ
+                , ipPorts    = Nothing
+                , ipAddrs    = either (Left . ip4addrs) (Right . ip6addrs) ip
+                }
+        unknown = do
+            IP4.Unknown proto <- Just $ either IP4.protocol IP6.next_header ip
+            pkt <- Just $ either IP4.content IP6.content ip
+            let ulen = House.len pkt
+                mbs = fmap BS.pack . parseInPacket (bytes ulen) $ pkt
+            return IPData
+                { ipPayload  = mbs
+                , ipProtocol = "proto "++show proto
+                , ipPorts    = Nothing
+                , ipAddrs    = either (Left . ip4addrs) (Right . ip6addrs) ip
+                }
+    udp <|> icmp <|> tcp <|> unknown
+
 
 parsePacket :: IORef Int -> PktHdr -> BS.ByteString -> IO ()
 parsePacket cnt hdr buf = do
-    print hdr
-    let -- mb :: Maybe (BS.ByteString, Message Encrypted)
-        mb = do
-            udp <- doParse $ toInPack $ bs2chunk buf
-            -- traceM $ "got udp: " ++ show udp
-            -- traceM $ "got udp content: " ++ show (content udp)
-            let plen = Net.Packet.len $ content udp
-            bs <- fmap BS.pack . parseInPacket (bytes plen) $ content udp
-            -- traceM $ "Got bs " ++ show bs
-            let (checksum,blob) = BS.splitAt 2 bs -- extra 2 bytes in pcap capture, i'm assuming its a checksum
---                 (first4,truncated) = BS.splitAt 4 blob
---                 -- First 4 bytes being zero is how we distinguish between
---                 -- ESP and IKEv2 packets on port 4500.
---                 dta = if destPort udp /= Port 500 && first4==BS.pack [0,0,0,0]
---                         then truncated
---                         else blob
-                dta = blob
-            let d = BE.decode {- runGet getMessage $ LZ.fromStrict -} dta
-                saddr = HS.SockAddrInet 0 0 -- TODO
-                -- e = S.decode dta :: Either String (DHTMessage Encrypted8)
-                e = case Tox.parseDHTAddr (dta,saddr) :: Either (DHTMessage Encrypted8,NodeInfo) (BS.ByteString,HS.SockAddr) of
-                        Left toxpkt -> Right toxpkt
-                        Right _     -> Left "tox parse fail"
-            return $ (udp, bs, fmap Left d <|> fmap Right e)
-    flip (maybe $ return ()) mb $ \(udp, bs,m) -> do
-        putStrLn $ show udp
-        mapM_ putStrLn $ hexlines bs
-        -- putStrLn $ PP.ppShow m
-        either putStrLn (L8.putStrLn . either showBEncode (L8.pack . show)) m
+    sequence_ $ wifiPacket hdr buf
     modifyIORef' cnt (+1)
 
+sampleHdr :: PktHdr
+sampleHdr = PktHdr {hdrSeconds = 1511875620, hdrUseconds = 464364, hdrCaptureLength = 347, hdrWireLength = 347}
+
+sampleBytes :: BS.ByteString
+sampleBytes = "\136\n0\NULT\242\SOH\243\ENQ\153\NUL\rg\144\162\a\244>\157\ETXV\213\240 \ETX\NUL\170\170\ETX\NUL\NUL\NUL\b\NULE\NUL\SOH9\191\170@\NUL@\ACK\174\176\192,D\ENQ\n\235\188G\NULP\202\220R\199)\154R\199+\247\128\DC1\b\NUL\204\196\NUL\NUL\SOH\SOH\b\n\NUL\243\150\&6\NUL\243\150\&1HTTP/1.1 302 Found \r\nLocation: https://wifilogin.xfinity.com/start.php?h=kozHorIQv1nb851zZcMfnWdD4wtjyIymVSIwanl8KXaQLMHBm0oJhcubjREusjojI%2B8f0UNFoG1p2lD33OXGlpw3uvJ5SeKeX37jANRRu%2FPZOwWw%2F70foAx70wBVohtmhWksbshKhR4lAWuv2FAB0%2BPVkpfSjNIE0HwQO%2BnRZR8%3D\r\n\r\n"
+
+sampleHdr2 = PktHdr {hdrSeconds = 1511841845, hdrUseconds = 681965, hdrCaptureLength = 10, hdrWireLength = 10}
+sampleBytes2 =
+    [ 0xc4, 0x00, 0x8a, 0x00
+    , 0x8c, 0xf5, 0xa3, 0x12, 0xdf, 0x80 ]
+
 main = do
-    cnt <- newIORef 0
-    pcap <- openOffline "packets.pcap"
-    loopResult <- loopBS pcap (-1) $ parsePacket cnt
-    pktcnt <- readIORef cnt
-    putStrLn $ "read "++show pktcnt ++" packets."
+    args <- getArgs
+    forM_ args $ \fname -> do
+        cnt <- newIORef 0
+        parsePacket cnt sampleHdr sampleBytes
+        pcap <- openOffline fname -- "packets.pcap"
+        linktype <- datalink pcap
+        putStrLn $ unwords ["Opened:",fname,"Link:",show linktype]
+        -- Opened: opnwep.dat-08.cap Link: DLT_IEEE802_11
+        -- Opened: packets.pcap Link: DLT_EN10MB
+        -- DLT_IEEE802_11
+        -- DLT_IEEE802_11_RADIO
+        -- DLT_IEEE802_11_RADIO_AVS
+        loopResult <- loopBS pcap (-1) $ parsePacket cnt
+        pktcnt <- readIORef cnt
+        putStrLn $ "read "++show pktcnt ++" packets from " ++ fname ++ "."
diff --git a/src/Hans/Checksum.hs b/src/Hans/Checksum.hs
new file mode 100644
index 00000000..7afc93c7
--- /dev/null
+++ b/src/Hans/Checksum.hs
@@ -0,0 +1,136 @@
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE BangPatterns #-}
+
+-- BANNERSTART
+-- - Copyright 2006-2008, Galois, Inc.
+-- - This software is distributed under a standard, three-clause BSD license.
+-- - Please see the file LICENSE, distributed with this software, for specific
+-- - terms and conditions.
+-- Author: Adam Wick <awick@galois.com>
+-- BANNEREND
+-- |A module providing checksum computations to other parts of Hans. The
+-- checksum here is the standard Internet 16-bit checksum (the one's 
+-- complement of the one's complement sum of the data).
+
+module Hans.Checksum(
+    -- * Checksums
+    computeChecksum,
+    Checksum(..),
+    PartialChecksum(),
+    emptyPartialChecksum,
+    finalizeChecksum,
+    stepChecksum,
+
+    Pair8(..),
+  ) where
+
+import           Data.Bits (Bits(shiftL,shiftR,complement,clearBit,(.&.)))
+import           Data.List (foldl')
+import           Data.Word (Word8,Word16,Word32)
+import qualified Data.ByteString        as S
+import qualified Data.ByteString.Lazy   as L
+import qualified Data.ByteString.Short  as Sh
+import qualified Data.ByteString.Unsafe as S
+
+
+data PartialChecksum = PartialChecksum { pcAccum :: {-# UNPACK #-} !Word32
+                                       , pcCarry ::                !(Maybe Word8)
+                                       } deriving (Eq,Show)
+
+emptyPartialChecksum :: PartialChecksum
+emptyPartialChecksum  = PartialChecksum
+  { pcAccum = 0
+  , pcCarry = Nothing
+  }
+
+finalizeChecksum :: PartialChecksum -> Word16
+finalizeChecksum pc = complement (fromIntegral (fold32 (fold32 result)))
+  where
+  fold32 :: Word32 -> Word32
+  fold32 x = (x .&. 0xFFFF) + (x `shiftR` 16)
+
+  result = case pcCarry pc of
+    Nothing   -> pcAccum pc
+    Just prev -> stepChecksum (pcAccum pc) prev 0
+{-# INLINE finalizeChecksum #-}
+
+
+computeChecksum :: Checksum a => a -> Word16
+computeChecksum a = finalizeChecksum (extendChecksum a emptyPartialChecksum)
+{-# INLINE computeChecksum #-}
+
+-- | Incremental checksum computation interface.
+class Checksum a where
+  extendChecksum :: a -> PartialChecksum -> PartialChecksum
+
+
+data Pair8 = Pair8 !Word8 !Word8
+
+instance Checksum Pair8 where
+  extendChecksum (Pair8 hi lo) = \ PartialChecksum { .. } ->
+    case pcCarry of
+      Nothing -> PartialChecksum { pcAccum = stepChecksum pcAccum hi lo
+                                 , pcCarry = Nothing }
+      Just c  -> PartialChecksum { pcAccum = stepChecksum pcAccum c hi
+                                 , pcCarry = Just lo }
+  {-# INLINE extendChecksum #-}
+
+instance Checksum Word16 where
+  extendChecksum w = \pc -> extendChecksum (Pair8 hi lo) pc
+    where
+    lo = fromIntegral  w
+    hi = fromIntegral (w `shiftR` 8)
+  {-# INLINE extendChecksum #-}
+
+instance Checksum Word32 where
+  extendChecksum w = \pc ->
+    extendChecksum (fromIntegral  w              :: Word16) $
+    extendChecksum (fromIntegral (w `shiftR` 16) :: Word16) pc
+  {-# INLINE extendChecksum #-}
+  
+instance Checksum a => Checksum [a] where
+  extendChecksum as = \pc -> foldl' (flip extendChecksum) pc as
+  {-# INLINE extendChecksum #-}
+
+instance Checksum L.ByteString where
+  extendChecksum lbs = \pc -> extendChecksum (L.toChunks lbs) pc
+  {-# INLINE extendChecksum #-}
+
+-- XXX this could be faster if we could mirror the structure of the instance for
+-- S.ByteString
+instance Checksum Sh.ShortByteString where
+  extendChecksum shb = \ pc -> extendChecksum (Sh.fromShort shb) pc
+
+
+instance Checksum S.ByteString where
+  extendChecksum b pc
+    | S.null b  = pc
+    | otherwise = case pcCarry pc of
+        Nothing   -> result
+        Just prev -> extendChecksum (S.tail b) PartialChecksum
+          { pcCarry = Nothing
+          , pcAccum = stepChecksum (pcAccum pc) prev (S.unsafeIndex b 0)
+          }
+    where
+
+    n' = S.length b
+    n  = clearBit n' 0 -- aligned to two
+
+    result = PartialChecksum
+      { pcAccum = loop (pcAccum pc) 0
+      , pcCarry = carry
+      }
+
+    carry
+      | odd n'    = Just $! S.unsafeIndex b n
+      | otherwise = Nothing
+
+    loop !acc off
+      | off < n   = loop (stepChecksum acc hi lo) (off + 2)
+      | otherwise = acc
+      where hi    = S.unsafeIndex b off
+            lo    = S.unsafeIndex b (off+1)
+
+stepChecksum :: Word32 -> Word8 -> Word8 -> Word32
+stepChecksum acc hi lo = acc + fromIntegral hi `shiftL` 8 + fromIntegral lo
+{-# INLINE stepChecksum #-}