Ejemplo n.º 1
/*
 * Walk one collision chain of tcp_stream_table looking for the stream whose
 * 4-tuple equals `key`. Returns the matching stream or NULL.
 *
 * This is a linear scan of the bucket, so lookup cost grows with the number
 * of tracked streams that hash to the same mk_hash_index() value.
 */
static struct tcp_stream *
bucket_lookup(struct tuple4 key)
{
  struct tcp_stream *node;

  for (node = tcp_stream_table[mk_hash_index(key)]; node; node = node->next_node) {
    if (b_comp(node->addr, key))
      break;
  }
  return node;
}

/*
 * Find the tracked stream a TCP segment belongs to.
 *
 * The segment's own (sport, dport, saddr, daddr) tuple is tried first; a hit
 * means the segment travels in the direction the stream was created in and
 * *from_client is set to 1. Otherwise the reversed tuple is tried and a hit
 * sets *from_client to 0. Returns NULL, leaving *from_client untouched, when
 * neither direction matches. Ports are converted from network byte order
 * with ntohs(); addresses are compared as stored in the IP header.
 */
struct tcp_stream *
find_stream(struct tcphdr * this_tcphdr, struct ip * this_iphdr,
	    int *from_client)
{
  struct tuple4 key;
  struct tcp_stream *match;

  /* Forward direction: the segment's source is the stream's client side. */
  key.source = ntohs(this_tcphdr->th_sport);
  key.dest = ntohs(this_tcphdr->th_dport);
  key.saddr = this_iphdr->ip_src.s_addr;
  key.daddr = this_iphdr->ip_dst.s_addr;
  match = bucket_lookup(key);
  if (match) {
    *from_client = 1;
    return match;
  }

  /* Reverse direction: the segment's source is the stream's server side. */
  key.source = ntohs(this_tcphdr->th_dport);
  key.dest = ntohs(this_tcphdr->th_sport);
  key.saddr = this_iphdr->ip_dst.s_addr;
  key.daddr = this_iphdr->ip_src.s_addr;
  match = bucket_lookup(key);
  if (match) {
    *from_client = 0;
    return match;
  }
  return NULL;
}
Ejemplo n.º 2
/*
 * Allocate and register a new stream for a SYN segment.
 *
 * The stream is popped from the free_streams pool and linked into two
 * lists: the hash bucket for its 4-tuple (tcp_stream_table via
 * next_node/prev_node) and the global age list (tcp_oldest .. tcp_latest
 * via next_time/prev_time), where it becomes the newest entry. The client
 * side is initialised from the SYN (state TCP_SYN_SENT, seq = ntohl(th_seq)
 * + 1, window, the get_ts() result); the server side starts in TCP_CLOSE.
 *
 * Resource limit: when tcp_num already exceeds max_stream the oldest
 * tracked stream is timed out first — its listeners are called with
 * nids_state == NIDS_TIMED_OUT, it is released with free_tcp() and
 * NIDS_WARN_TCP_TOOMUCH is logged. This bounds memory, but eviction does
 * not look at the victim's state, so a burst of new SYNs can push
 * established streams out of tracking.
 *
 * Failure handling: an empty free pool is not recoverable here — the
 * function prints "gdb me ..." and either exits (WIN32) or calls pause();
 * if pause() returns (a signal handler ran), a_tcp is still NULL and the
 * assignments below dereference it.
 */
static void
add_new_tcp(struct tcphdr * this_tcphdr, struct ip * this_iphdr)
{
  struct tuple4 addr;
  struct tcp_stream *a_tcp;
  struct tcp_stream *bucket_head;
  int hash_index;

  addr.source = ntohs(this_tcphdr->th_sport);
  addr.dest = ntohs(this_tcphdr->th_dport);
  addr.saddr = this_iphdr->ip_src.s_addr;
  addr.daddr = this_iphdr->ip_dst.s_addr;
  hash_index = mk_hash_index(addr);

  /* Enforce the stream budget by expiring the oldest stream. */
  if (tcp_num > max_stream) {
    struct lurker_node *listener = tcp_oldest->listeners;

    tcp_oldest->nids_state = NIDS_TIMED_OUT;
    while (listener) {
      (listener->item) (tcp_oldest, &listener->data);
      listener = listener->next;
    }
    free_tcp(tcp_oldest);
    nids_params.syslog(NIDS_WARN_TCP, NIDS_WARN_TCP_TOOMUCH, ugly_iphdr, this_tcphdr);
  }

  a_tcp = free_streams;
  if (a_tcp == NULL) {
    fprintf(stderr, "gdb me ...\n");
#ifdef WIN32 /* Exit here, I do not know of a function similar to pause() in WIN32 -- Mike */
	exit(-1);
#else
    pause();
#endif
  }
  /* Unlink from the free list before memset() wipes next_free. */
  free_streams = a_tcp->next_free;
  tcp_num++;

  bucket_head = tcp_stream_table[hash_index];
  memset(a_tcp, 0, sizeof *a_tcp);
  a_tcp->hash_index = hash_index;
  a_tcp->addr = addr;

  /* Client side: its SYN has been seen. */
  a_tcp->client.state = TCP_SYN_SENT;
  a_tcp->client.seq = ntohl(this_tcphdr->th_seq) + 1;
  a_tcp->client.first_data_seq = a_tcp->client.seq;
  a_tcp->client.window = ntohs(this_tcphdr->th_win);
  a_tcp->client.ts_on = get_ts(this_tcphdr, &a_tcp->client.curr_ts);
  /* Server side: nothing seen yet. */
  a_tcp->server.state = TCP_CLOSE;

  /* Push at the head of the hash bucket. */
  a_tcp->prev_node = 0;
  a_tcp->next_node = bucket_head;
  if (bucket_head)
    bucket_head->prev_node = a_tcp;
  tcp_stream_table[hash_index] = a_tcp;

  /* Become the newest entry of the age list. */
  a_tcp->prev_time = 0;
  a_tcp->next_time = tcp_latest;
  if (!tcp_oldest)
    tcp_oldest = a_tcp;
  if (tcp_latest)
    tcp_latest->prev_time = a_tcp;
  tcp_latest = a_tcp;
}
Ejemplo n.º 3
/*
 * Public lookup by exact 4-tuple: returns the tracked stream whose address
 * equals *addr, or NULL when none is present in its hash bucket.
 *
 * The comparison is a memcmp() over the whole struct tuple4, so any padding
 * bytes the struct may contain take part in it; it assumes callers fill in
 * every field. NOTE(review): the internal find_stream() path compares with
 * b_comp() instead — confirm the two agree on tuple4's layout.
 */
struct tcp_stream *
nids_find_tcp_stream(struct tuple4 *addr)
{
  struct tcp_stream *node = tcp_stream_table[mk_hash_index(*addr)];

  while (node != NULL && memcmp(&node->addr, addr, sizeof *addr) != 0)
    node = node->next_node;
  return node;
}
Ejemplo n.º 4
/*
 * Allocate and register a new stream for a SYN segment.
 *
 * A stream is popped from the free_streams pool and linked into the hash
 * bucket for its 4-tuple (tcp_stream_table via next_node/prev_node) and
 * into the age list (tcp_oldest .. tcp_latest via next_time/prev_time) as
 * the newest entry. The client side is initialised from the SYN (state
 * TCP_SYN_SENT, seq = ntohl(th_seq) + 1, window, the get_ts() and
 * get_wscale() results); the server side starts in TCP_CLOSE.
 *
 * Resource limit: when tcp_num already exceeds max_stream, the oldest
 * stream is timed out first (its listeners are called with nids_state ==
 * NIDS_TIMED_OUT and it is released with nids_free_tcp_stream()). The
 * NIDS_WARN_TCP_TOOMUCH warning is only emitted when that stream had
 * progressed past TCP_SYN_SENT, i.e. evicting a half-open stream is
 * treated as normal churn. Eviction itself does not depend on state, so a
 * burst of new SYNs can push established streams out of tracking.
 *
 * Failure handling: an empty free pool is not recoverable here — the
 * function prints "gdb me ..." and calls pause(); if pause() returns
 * (a signal handler ran), a_tcp is still NULL and is dereferenced below.
 *
 * With OSPLIT the packet that opened the stream (or all of its IP
 * fragments) is also written to a per-stream split trace file.
 */
static void
add_new_tcp(struct tcphdr * this_tcphdr, struct ip * this_iphdr)
{
  struct tcp_stream *tolink;
  struct tcp_stream *a_tcp;
  int hash_index;
  struct tuple4 addr;
  
  addr.source = ntohs(this_tcphdr->th_sport);
  addr.dest = ntohs(this_tcphdr->th_dport);
  addr.saddr = this_iphdr->ip_src.s_addr;
  addr.daddr = this_iphdr->ip_dst.s_addr;
  hash_index = mk_hash_index(addr);
  
  /* Enforce the stream budget by expiring the oldest stream. */
  if (tcp_num > max_stream) {
    struct lurker_node *i;
    /* Remember the victim's state: the warning below is skipped for
     * streams that never got past SYN_SENT. */
    int orig_client_state=tcp_oldest->client.state;
    tcp_oldest->nids_state = NIDS_TIMED_OUT;
    for (i = tcp_oldest->listeners; i; i = i->next)
      (i->item) (tcp_oldest, &i->data);
    nids_free_tcp_stream(tcp_oldest);
    if (orig_client_state!=TCP_SYN_SENT)
      nids_params.syslog(NIDS_WARN_TCP, NIDS_WARN_TCP_TOOMUCH, ugly_iphdr, this_tcphdr);
  }
  a_tcp = free_streams;
  if (!a_tcp) {
    /* Debug hook only: there is no recovery path, see the header comment. */
    fprintf(stderr, "gdb me ...\n");
    pause();
  }
  /* Unlink from the free list before memset() wipes next_free. */
  free_streams = a_tcp->next_free;
  
  tcp_num++;
  tolink = tcp_stream_table[hash_index];
  memset(a_tcp, 0, sizeof(struct tcp_stream));
 #ifdef OSPLIT 
  /* Mixed declarations after statements: this block requires C99. */
  struct ipfrag *frag_tag=this_fragments;
  struct ipfrag *ip_frag_next;
  /* ip_frag_next stays uninitialised when there are no fragments; the
   * loop below does not run in that case because frag_tag is NULL too. */
  if(this_fragments)
	  ip_frag_next=this_fragments->next;
  /* Round-robin choice of the split trace file. NOTE(review): TCP_file_idx's
   * type is not visible here — if it is a signed int the post-increment
   * eventually overflows. */
  a_tcp->fp=split_file[(TCP_file_idx++)%SPLIT_FILE_NUM];
  /*write all fragment(s) to fp trace file*/
  if(is_frag==0) {
	  write_pcap_hdr(a_tcp->fp,(char*)nids_last_pcap_header,sizeof(struct pcap_sf_pkthdr));
	  /* The byte count written comes from the IP header's ip_len field;
	   * assumes it was validated against the captured length upstream —
	   * confirm. */
	  write_ip(a_tcp->fp,(char*)this_iphdr,ntohs(this_iphdr->ip_len),(char*)nids_last_pcap_header);
  }
  else {
	  /*fragments*/
	  /* Each fragment is written then freed. ip_frag_next always points one
	   * node ahead of frag_tag, so the node just freed is never read again.
	   * NOTE(review): this_fragments is not reset here and still points at
	   * the first, now freed, fragment when the loop ends — presumably the
	   * fragment code resets it before the next packet; verify. */
	  while(frag_tag!=NULL) {
		  write_pcap_hdr(a_tcp->fp,(char*)(&(frag_tag->pcap_header)),sizeof(struct pcap_sf_pkthdr));
		  write_ip(a_tcp->fp,(char*)frag_tag->skb->data,frag_tag->wtrace_len,(char*)(&(frag_tag->pcap_header)));
		  free(frag_tag);
		  frag_tag=ip_frag_next;
		  if(ip_frag_next!=NULL)
			  ip_frag_next=ip_frag_next->next;
	  }
	  is_frag=0;
   }
	/*set statistic info*/
	store_flag=1;
 #endif
  a_tcp->hash_index = hash_index;
  a_tcp->addr = addr;
  /* Client side: its SYN has been seen. */
  a_tcp->client.state = TCP_SYN_SENT;
  a_tcp->client.seq = ntohl(this_tcphdr->th_seq) + 1;
  a_tcp->client.first_data_seq = a_tcp->client.seq;
  a_tcp->client.window = ntohs(this_tcphdr->th_win);
  a_tcp->client.ts_on = get_ts(this_tcphdr, &a_tcp->client.curr_ts);
  a_tcp->client.wscale_on = get_wscale(this_tcphdr, &a_tcp->client.wscale);
  /* Server side: nothing seen yet. */
  a_tcp->server.state = TCP_CLOSE;
  /* Push at the head of the hash bucket. */
  a_tcp->next_node = tolink;
  a_tcp->prev_node = 0;
  if (tolink)
    tolink->prev_node = a_tcp;
  tcp_stream_table[hash_index] = a_tcp;
  /* Become the newest entry of the age list. */
  a_tcp->next_time = tcp_latest;
  a_tcp->prev_time = 0;
  if (!tcp_oldest)
    tcp_oldest = a_tcp;
  if (tcp_latest)
    tcp_latest->prev_time = a_tcp;
  tcp_latest = a_tcp;
}