static char * print(char *buf, size_t *len, char * const args[]) { static char s[2048]; char src[20], dst[20]; struct in_addr saddr, daddr; FLOWDESC *x; time_t ts; if (buf == NULL && args != NULL) { *len = sprintf(s, PRETTYHDR); return s; } if (buf == NULL && args == NULL) { *len = 0; return s; } x = (FLOWDESC *) buf; ts = (time_t)ntohl(x->ts); saddr.s_addr = N32(x->src_ip); daddr.s_addr = N32(x->dst_ip); sprintf(src, "%s", inet_ntoa(saddr)); sprintf(dst, "%s", inet_ntoa(daddr)); *len = sprintf(s, PRETTYFMT, asctime(localtime(&ts)), (uint) x->proto, src, (uint) H16(x->src_port), dst, (uint) H16(x->dst_port), NTOHLL(x->bytes), NTOHLL(x->pkts)); return s; };
static uint32_t hash(void *self, pkt_t *pkt) { if (pkt->l3type != ETHERTYPE_IP) return 0; /* must be the same source ip, dest ip, source port, dest port */ return (H32(IP(src_ip)) ^ H32(IP(dst_ip)) ^ (H16(TCP(dst_port)) << 3) ^ (H16(TCP(dst_port)) << 3)); }
static int update(pkt_t *pkt, void *fh, int isnew) { FLOWDESC *x = F(fh); if (isnew) { x->ts = TS2SEC(pkt->ts); x->bytes = 0; x->pkts = 0; x->proto = IP(proto); x->src_ip = IP(src_ip); x->dst_ip = IP(dst_ip); N16(x->src_port) = N16(x->dst_port) = 0; if (IP(proto) == IPPROTO_TCP || IP(proto) == IPPROTO_UDP) { x->src_port = UDP(src_port); x->dst_port = UDP(dst_port); } } x->bytes += H16(IP(len)); x->pkts++; return 0; }
static int update(pkt_t *pkt, void *fh, int isnew) { FLOWDESC *x = F(fh); if (isnew) { x->ts = TS2SEC(pkt->ts); x->bytes = 0; x->bytes_ivl = 0; x->hi_watermark = 0; x->last_watermark = pkt->ts; } x->bytes += H16(IP(len)); if (pkt->ts - x->last_watermark > WATERMARK_IVL) { x->last_watermark = pkt->ts; x->bytes_ivl = 0; } x->bytes_ivl += pkt->len; if (x->bytes_ivl > x->hi_watermark) x->hi_watermark = x->bytes_ivl; return 0; }
static int ematch(void *self, void *efh, void *fh) { pkt_t* pkt; int ret = 0; FLOWDESC *x = F(fh); EFLOWDESC *ex = EF(efh); pkt = (pkt_t *)x->buf; if (ex->full_flow == 0) { /* if its full, go to next export record */ ret = ((ex->dst_port == H16(TCP(dst_port))) && (ex->src_port == H16(TCP(src_port))) && (ex->src_ip == H32(IP(src_ip))) && (ex->dst_ip == H32(IP(dst_ip)))); } return ret; }
static int update(void * self, pkt_t *pkt, void *fh, int isnew) { FLOWDESC *x = F(fh); config_t * cf = CONFIG(self); if (isnew) { bzero(x, sizeof(FLOWDESC)); x->ts = COMO(ts); } if (COMO(type) == COMOTYPE_NF) { if (cf->iface == -1 || H16(NF(input)) == cf->iface) { x->bytes[0] += H32(NF(pktcount)) * COMO(len) * H16(NF(sampling)); x->pkts[0] += H32(NF(pktcount)) * (uint32_t) H16(NF(sampling)); } else if (H16(NF(output)) == cf->iface) { x->bytes[1] += H32(NF(pktcount)) * COMO(len) * H16(NF(sampling)); x->pkts[1] += H32(NF(pktcount)) * (uint32_t) H16(NF(sampling)); } } else if (COMO(type) == COMOTYPE_SFLOW) { x->bytes[0] += (uint64_t) COMO(len) * (uint64_t) H32(SFLOW(sampling_rate)); x->pkts[0] += H32(SFLOW(sampling_rate)); } else { x->bytes[0] += COMO(len); x->pkts[0]++; } return 0; }
void idt_dev_get_info(int fd, idt_dev_info_t* info) { uint32_t data; memset(info, 0, sizeof(idt_dev_info_t)); data = idt_reg_r32(fd, IDTR_DEV_IDENT_CAR); info->dev_id = H16(data); info->vendor_id = L16(data); data = idt_reg_r32(fd, IDTR_DEV_INF_CAR); info->major = (data >> DS2CPU(10)) & 0x03; info->minor = (data >> DS2CPU(15)) & 0x1f; }
/* * -- updateofs * * updates type and offset information in the pkt_t data structure. * requires the type of interface as input. */ __inline__ void updateofs(pkt_t * pkt, int type) { pkt->type = type; pkt->l2type = 0xFFFF; /* implies field unused */ switch (pkt->type) { case COMOTYPE_ETH: if (H16(ETH(type)) == ETHERTYPE_VLAN) { pkt->type = COMOTYPE_VLAN; pkt->l3type = H16(VLAN(ethtype)); } else if (isISL(pkt)) { pkt->type = COMOTYPE_ISL; pkt->l3type = H16(ISL(ethtype)); } else { pkt->l3type = H16(ETH(type)); } break; case COMOTYPE_HDLC: pkt->l3type = H16(HDLC(type)); break; case COMOTYPE_80211: pkt->l2type = H16(IEEE80211_HDR(fc)); if (FCTRL_TYPE(pkt->l2type) == WLANTYPE_DATA) pkt->l3type = H16(LLC_HDR(type)); else pkt->l3type = 0; break; case COMOTYPE_RADIO: pkt->l2type = H16(IEEE80211_HDR(fc)); /* 802.11 + XX byte capture hdr */ if (FCTRL_TYPE(pkt->l2type) == WLANTYPE_DATA) pkt->l3type = H16(LLC_HDR(type)); else pkt->l3type = 0; break; default: pkt->l3type = 0; break; } updatel4(pkt); }
static int update(__unused void * self, pkt_t *pkt, void *fh, int isnew) { FLOWDESC *x = F(fh); if (isnew) { x->ts = COMO(ts); x->bytes = 0; x->pkts = 0; } if (COMO(type) == COMOTYPE_NF) { x->bytes += H32(NF(pktcount)) * COMO(len) * H16(NF(sampling)); x->pkts += H32(NF(pktcount)) * (uint32_t) H16(NF(sampling)); } else if (COMO(type) == COMOTYPE_SFLOW) { x->bytes += (uint64_t) COMO(len) * (uint64_t) H32(SFLOW(sampling_rate)); x->pkts += (uint64_t) H32(SFLOW(sampling_rate)); } else { x->bytes += COMO(len); x->pkts++; } return 0; }
static int check(void *self, pkt_t *pkt) { CONFIGDESC *config = CONFIG(self); if (TCP(syn) == 0) { if (H16(IP(len)) == (IP(ihl)*4 + TCP(hlen)*4) || pkt->caplen == pkt->l7ofs) { /* captured length is equal to the data offset, so no data. */ return 0; } } return 1; }
/* * update callback */ static int update(void * self, pkt_t *pkt, void *fh, int isnew) { CONFIGDESC * config = CONFIG(self); FLOWDESC *x = F(fh); if (isnew) { x->ts = COMO(ts) - COMO(ts) % TIME2TS(config->meas_ivl, 0); x->channel = -1; x->signal = x->noise = 0; x->samples = 0; /* now find the information in the management frame. * get privacy bit to determine if wep is enabled */ x->wepmode = CAPINFO_PRIVACY(H16(MGMT_BODY(cap))) ? 1 : 0; /* get to the SSID information element */ if (MGMT_BODY(ssid_len) > 0) { x->len = (MGMT_BODY(ssid_len)); bcopy(MGMT_BODY(ssid), x->ssid, x->len); } else { x->len = 3; sprintf(x->ssid, "ANY"); } x->channel = MGMT_BODY(ch); } x->samples++; if (COMO(type) == COMOTYPE_RADIO) { x->signal += H32(RADIO(ssisignal)); x->noise += H32(RADIO(ssinoise)); } return 0; /* records are never full */ }
void capture(mdl_t *self, pkt_t *pkt, tuple_t *st, double srate) { config_t *config = mdl_get_config(self, config_t); int app, app1, app2; double b, p; if (! isTCP && ! isUDP) /* non-TCP, non-UDP traffic */ app = 1; else { /* TCP and UDP traffic */ if (isTCP) { app1 = config->tcp_port2app[H16(TCP(src_port))]; app2 = config->tcp_port2app[H16(TCP(dst_port))]; } else { app1 = config->udp_port2app[H16(UDP(src_port))]; app2 = config->tcp_port2app[H16(UDP(dst_port))]; } if (app1 == 0 || app2 == 0) /* at most 1 port matches a known app */ app = app1 + app2; else if (app1 == app2) /* both ports match the same app */ app = app1; else /* ports match different apps, unknown */ app = 0; } if (COMO(type) == COMOTYPE_NF) { b = H32(NF(pktcount)) * COMO(len) * H16(NF(sampling)); p = H32(NF(pktcount)) * (uint32_t) H16(NF(sampling)); } else if (COMO(type) == COMOTYPE_SFLOW) { b = (uint64_t) COMO(len) * (uint64_t) H32(SFLOW(sampling_rate)); p = H32(SFLOW(sampling_rate)); } else { b = COMO(len); p = 1; } /* scale with sampling rate */ st->bytes[app] += b / srate; st->pkts[app] += p / srate; }
/* * sniffer_next * * Fill a structure with a copy of the next packet and its metadata. * Return number of packets read. * */ static int sniffer_next(source_t * src, void *out_buf, size_t out_buf_size) { struct _snifferinfo * info = (struct _snifferinfo *) src->ptr; uint npkts; /* processed pkts */ uint out_buf_used; /* bytes in output buffer */ npkts = out_buf_used = 0; mb(); while (info->m->k2u_cons != info->m->k2u_prod) { uint ind; uint token; ushort iface; struct timeval tv; int len, pktofs; pkt_t *pkt; char * base; ind = info->m->k2u_cons % RING_SIZE; token = info->m->k2u_pipe[ind].token; iface = info->m->k2u_pipe[ind].interface; if (iface == (ushort)-1) { /* Kernel decided not to use this token. Return it. */ return_token(info->m, token); info->m->k2u_cons++; continue; } if (iface >= info->retimer_size || info->clock_retimers[iface] == NULL){ /* Clock calibration was incomplete. Uh oh. */ return_token(info->m, token); info->m->k2u_cons++; continue; } /* we have a good incoming packet; deal with it. */ base = info->packet_pool[token].payload; len = info->m->k2u_pipe[ind].len; getTime(info->clock_retimers[iface], info->m->k2u_pipe[ind].tstamp, &tv, NULL); /* check if we have enough space in output buffer */ if (sizeof(pkt_t) + len > out_buf_size - out_buf_used) break; /* * Now we have a packet: start filling a new pkt_t struct * (beware that it could be discarded later on) */ pkt = (pkt_t *) ((char *)out_buf + out_buf_used); pkt->ts = TIME2TS(tv.tv_sec, tv.tv_usec); pkt->len = len; pkt->type = COMO_L2_ETH; pkt->flags = 0; pkt->caplen = 0; /* NOTE: we update caplen as we go given * that we may not store all fields that * exists in the actual bpf packet (e.g., * IP options) */ bcopy(base, &pkt->layer2.eth, 14); if (H16(pkt->layer2.eth.type) != 0x0800) { /* * this is not an IP packet. discard and * go to next packet. */ logmsg(LOGSNIFFER, "non-IP packet received (%04x)\n", H16(pkt->layer2.eth.type)); continue; } pktofs = 14; base += 14; /* copy IP header */ pkt->ih = *(struct _como_iphdr *) base; pkt->caplen += sizeof(struct _como_iphdr); /* skip the IP header * * XXX we are losing IP options if any in the packets. * need to find a place to put them in the como packet * data structure... */ base += (IP(vhl) & 0x0f) << 2; pktofs += (IP(vhl) & 0x0f) << 2; /* copy layer 4 header and payload */ bcopy(base, &pkt->layer4, len - pktofs); pkt->caplen += (len - pktofs); /* done with this packet. return the token */ info->m->k2u_cons++; return_token(info->m, token); /* increment the number of processed packets */ npkts++; out_buf_used += STDPKT_LEN(pkt); } return npkts; }