/* XXX - We depend on the UDP dissector finding the conversation first */
void
add_udp_process_info(guint32 frame_num, address *local_addr, address *remote_addr, guint16 local_port, guint16 remote_port, guint32 uid, guint32 pid, gchar *username, gchar *command) {
conversation_t *conv;
struct udp_analysis *udpd;
udp_flow_t *flow = NULL;
if (!udp_process_info) {
return;
}
conv = find_conversation(frame_num, local_addr, remote_addr, PT_UDP, local_port, remote_port, 0);
if (!conv) {
return;
}
udpd = (struct udp_analysis *)conversation_get_proto_data(conv, proto_udp);
if (!udpd) {
return;
}
if (CMP_ADDRESS(local_addr, &conv->key_ptr->addr1) == 0 && local_port == conv->key_ptr->port1) {
flow = &udpd->flow1;
} else if (CMP_ADDRESS(remote_addr, &conv->key_ptr->addr1) == 0 && remote_port == conv->key_ptr->port1) {
flow = &udpd->flow2;
}
if (!flow || flow->command) {
return;
}
flow->process_uid = uid;
flow->process_pid = pid;
flow->username = se_strdup(username);
flow->command = se_strdup(command);
}
void
iousers_process_address_packet(io_users_t *iu, const address *src, const address *dst, guint64 pkt_len,
nstime_t *ts)
{
const address *addr1, *addr2;
io_users_item_t *iui;
if(CMP_ADDRESS(src, dst)>0){
addr1=src;
addr2=dst;
} else {
addr2=src;
addr1=dst;
}
for(iui=iu->items;iui;iui=iui->next){
if((!CMP_ADDRESS(&iui->addr1, addr1))
&&(!CMP_ADDRESS(&iui->addr2, addr2)) ){
break;
}
}
if(!iui){
iui=g_malloc(sizeof(io_users_item_t));
iui->next=iu->items;
iu->items=iui;
COPY_ADDRESS(&iui->addr1, addr1);
iui->name1=g_strdup(ep_address_to_str(addr1));
COPY_ADDRESS(&iui->addr2, addr2);
iui->name2=g_strdup(ep_address_to_str(addr2));
iui->frames1=0;
iui->frames2=0;
iui->bytes1=0;
iui->bytes2=0;
memcpy(&iui->start_rel_time, ts, sizeof(iui->start_rel_time));
memcpy(&iui->stop_rel_time, ts, sizeof(iui->stop_rel_time));
}
else {
if (nstime_cmp(ts, &iui->stop_rel_time) > 0) {
memcpy(&iui->stop_rel_time, ts, sizeof(iui->stop_rel_time));
} else if (nstime_cmp(ts, &iui->start_rel_time) < 0) {
memcpy(&iui->start_rel_time, ts, sizeof(iui->start_rel_time));
}
}
if(!CMP_ADDRESS(dst, &iui->addr1)){
iui->frames1++;
iui->bytes1+=pkt_len;
} else {
iui->frames2++;
iui->bytes2+=pkt_len;
}
}
WSLUA_METAMETHOD Address__lt(lua_State* L) { /* Compares two Addresses */
Address addr1 = checkAddress(L,1);
Address addr2 = checkAddress(L,2);
gboolean result = FALSE;
if (CMP_ADDRESS(addr1, addr2) < 0)
result = TRUE;
lua_pushboolean(L,result);
return 1;
}
static int
cmp_conv_address( gconstpointer p1, gconstpointer p2 )
{
const tacplus_key_entry *a1=p1;
const tacplus_key_entry *a2=p2;
gint32 ret;
/*
printf("p1=>");
tacplus_print_key_entry( p1, NULL );
printf("p2=>");
tacplus_print_key_entry( p2, NULL );
*/
ret=CMP_ADDRESS( a1->s, a2->s );
if( !ret ) {
ret=CMP_ADDRESS( a1->c, a2->c );
/*
if(ret)
printf("No Client found!"); */
} else {
/* printf("No Server found!"); */
}
return ret;
}
/* WSLUA_ATTRIBUTE Pinfo_lo RO lower Address of this Packet. */
static int Pinfo_get_lo(lua_State *L) {
Pinfo pinfo = checkPinfo(L,1);
Address addr;
addr = (Address)g_malloc(sizeof(address));
if (CMP_ADDRESS(&(pinfo->ws_pinfo->src), &(pinfo->ws_pinfo->dst) ) < 0) {
COPY_ADDRESS(addr, &(pinfo->ws_pinfo->src));
} else {
COPY_ADDRESS(addr, &(pinfo->ws_pinfo->dst));
}
pushAddress(L,addr);
return 1;
}
struct udp_analysis *
get_udp_conversation_data(conversation_t *conv, packet_info *pinfo)
{
int direction;
struct udp_analysis *udpd=NULL;
/* Did the caller supply the conversation pointer? */
if (conv == NULL)
conv = find_or_create_conversation(pinfo);
/* Get the data for this conversation */
udpd=(struct udp_analysis *)conversation_get_proto_data(conv, hfi_udp->id);
/* If the conversation was just created or it matched a
* conversation with template options, udpd will not
* have been initialized. So, initialize
* a new udpd structure for the conversation.
*/
if (!udpd) {
udpd = init_udp_conversation_data();
conversation_add_proto_data(conv, hfi_udp->id, udpd);
}
if (!udpd) {
return NULL;
}
/* check direction and get ua lists */
direction=CMP_ADDRESS(&pinfo->src, &pinfo->dst);
/* if the addresses are equal, match the ports instead */
if (direction == 0) {
direction= (pinfo->srcport > pinfo->destport) ? 1 : -1;
}
if (direction >= 0) {
udpd->fwd=&(udpd->flow1);
udpd->rev=&(udpd->flow2);
} else {
udpd->fwd=&(udpd->flow2);
udpd->rev=&(udpd->flow1);
}
return udpd;
}
gcp_msg_t* gcp_msg(packet_info* pinfo, int o, gboolean keep_persistent_data) {
gcp_msg_t* m;
guint32 framenum = (guint32)pinfo->fd->num;
guint32 offset = (guint32)o;
address* src = &(pinfo->src);
address* dst = &(pinfo->dst);
address* lo_addr;
address* hi_addr;
if (keep_persistent_data) {
emem_tree_key_t key[] = {
{1,&(framenum)},
{1,&offset},
{0,NULL}
};
if (( m = se_tree_lookup32_array(msgs,key) )) {
m->commited = TRUE;
return m;
} else {
m = se_alloc(sizeof(gcp_msg_t));
m->framenum = framenum;
m->time = pinfo->fd->abs_ts;
m->trxs = NULL;
m->commited = FALSE;
se_tree_insert32_array(msgs,key,m);
}
} else {
m = ep_new0(gcp_msg_t);
m->framenum = framenum;
m->trxs = NULL;
m->commited = FALSE;
}
if (CMP_ADDRESS(src, dst) < 0) {
lo_addr = src;
hi_addr = dst;
} else {
lo_addr = dst;
hi_addr = src;
}
switch(lo_addr->type) {
case AT_NONE:
m->lo_addr = 0;
m->hi_addr = 0;
break;
case AT_IPv4:
memcpy((guint8*)&(m->hi_addr),hi_addr->data,4);
memcpy((guint8*)&(m->lo_addr),lo_addr->data,4);
break;
case AT_SS7PC:
m->hi_addr = mtp3_pc_hash((const mtp3_addr_pc_t *)hi_addr->data);
m->lo_addr = mtp3_pc_hash((const mtp3_addr_pc_t *)lo_addr->data);
break;
default:
/* XXX: heuristic and error prone */
m->hi_addr = g_str_hash(ep_address_to_str(hi_addr));
m->lo_addr = g_str_hash(ep_address_to_str(lo_addr));
break;
}
return m;
}
void
add_conversation_table_data_with_conv_id(
conv_hash_t *ch,
const address *src,
const address *dst,
guint32 src_port,
guint32 dst_port,
conv_id_t conv_id,
int num_frames,
int num_bytes,
nstime_t *ts,
nstime_t *abs_ts,
ct_dissector_info_t *ct_info,
port_type ptype)
{
const address *addr1, *addr2;
guint32 port1, port2;
conv_item_t *conv_item = NULL;
unsigned int conversation_idx = 0;
if (src_port > dst_port) {
addr1 = src;
addr2 = dst;
port1 = src_port;
port2 = dst_port;
} else if (src_port < dst_port) {
addr2 = src;
addr1 = dst;
port2 = src_port;
port1 = dst_port;
} else if (CMP_ADDRESS(src, dst) < 0) {
addr1 = src;
addr2 = dst;
port1 = src_port;
port2 = dst_port;
} else {
addr2 = src;
addr1 = dst;
port2 = src_port;
port1 = dst_port;
}
/* if we dont have any entries at all yet */
if (ch->conv_array == NULL) {
ch->conv_array = g_array_sized_new(FALSE, FALSE, sizeof(conv_item_t), 10000);
ch->hashtable = g_hash_table_new_full(conversation_hash,
conversation_equal, /* key_equal_func */
g_free, /* key_destroy_func */
NULL); /* value_destroy_func */
} else {
/* try to find it among the existing known conversations */
conv_key_t existing_key;
existing_key.addr1 = *addr1;
existing_key.addr2 = *addr2;
existing_key.port1 = port1;
existing_key.port2 = port2;
existing_key.conv_id = conv_id;
if (g_hash_table_lookup_extended(ch->hashtable, &existing_key, NULL, (gpointer *) &conversation_idx)) {
conv_item = &g_array_index(ch->conv_array, conv_item_t, conversation_idx);
}
}
/* if we still dont know what conversation this is it has to be a new one
and we have to allocate it and append it to the end of the list */
if (conv_item == NULL) {
conv_key_t *new_key;
conv_item_t new_conv_item;
COPY_ADDRESS(&new_conv_item.src_address, addr1);
COPY_ADDRESS(&new_conv_item.dst_address, addr2);
new_conv_item.dissector_info = ct_info;
new_conv_item.ptype = ptype;
new_conv_item.src_port = port1;
new_conv_item.dst_port = port2;
new_conv_item.conv_id = conv_id;
new_conv_item.rx_frames = 0;
new_conv_item.tx_frames = 0;
new_conv_item.rx_bytes = 0;
new_conv_item.tx_bytes = 0;
new_conv_item.modified = TRUE;
if (ts) {
memcpy(&new_conv_item.start_time, ts, sizeof(new_conv_item.start_time));
memcpy(&new_conv_item.stop_time, ts, sizeof(new_conv_item.stop_time));
memcpy(&new_conv_item.start_abs_time, abs_ts, sizeof(new_conv_item.start_abs_time));
} else {
nstime_set_unset(&new_conv_item.start_abs_time);
nstime_set_unset(&new_conv_item.start_time);
nstime_set_unset(&new_conv_item.stop_time);
}
g_array_append_val(ch->conv_array, new_conv_item);
conversation_idx = ch->conv_array->len - 1;
conv_item = &g_array_index(ch->conv_array, conv_item_t, conversation_idx);
/* ct->conversations address is not a constant but src/dst_address.data are */
new_key = g_new(conv_key_t, 1);
SET_ADDRESS(&new_key->addr1, conv_item->src_address.type, conv_item->src_address.len, conv_item->src_address.data);
SET_ADDRESS(&new_key->addr2, conv_item->dst_address.type, conv_item->dst_address.len, conv_item->dst_address.data);
new_key->port1 = port1;
new_key->port2 = port2;
new_key->conv_id = conv_id;
g_hash_table_insert(ch->hashtable, new_key, GUINT_TO_POINTER(conversation_idx));
}
/* update the conversation struct */
conv_item->modified = TRUE;
if ( (!CMP_ADDRESS(src, addr1)) && (!CMP_ADDRESS(dst, addr2)) && (src_port==port1) && (dst_port==port2) ) {
conv_item->tx_frames += num_frames;
conv_item->tx_bytes += num_bytes;
} else {
conv_item->rx_frames += num_frames;
conv_item->rx_bytes += num_bytes;
}
if (ts) {
if (nstime_cmp(ts, &conv_item->stop_time) > 0) {
memcpy(&conv_item->stop_time, ts, sizeof(conv_item->stop_time));
} else if (nstime_cmp(ts, &conv_item->start_time) < 0) {
memcpy(&conv_item->start_time, ts, sizeof(conv_item->start_time));
memcpy(&conv_item->start_abs_time, abs_ts, sizeof(conv_item->start_abs_time));
}
}
}
static gboolean lbm_uimflow_add_to_graph(seq_analysis_info_t * seq_info, packet_info * pinfo, const lbm_uim_stream_info_t * stream_info)
{
lbm_uim_stream_endpoint_t epa;
lbm_uim_stream_endpoint_t epb;
seq_analysis_item_t * item;
gchar * ctxinst1 = NULL;
gchar * ctxinst2 = NULL;
gboolean swap_endpoints = FALSE;
int rc;
if (stream_info->endpoint_a.type != stream_info->endpoint_b.type)
{
return (FALSE);
}
if (stream_info->endpoint_a.type == lbm_uim_instance_stream)
{
rc = memcmp((void *)stream_info->endpoint_a.stream_info.ctxinst.ctxinst,
(void *)stream_info->endpoint_b.stream_info.ctxinst.ctxinst,
LBM_CONTEXT_INSTANCE_BLOCK_SZ);
if (rc <= 0)
{
swap_endpoints = FALSE;
}
else
{
swap_endpoints = TRUE;
}
}
else
{
if (stream_info->endpoint_a.stream_info.dest.domain < stream_info->endpoint_b.stream_info.dest.domain)
{
swap_endpoints = FALSE;
}
else if (stream_info->endpoint_a.stream_info.dest.domain > stream_info->endpoint_b.stream_info.dest.domain)
{
swap_endpoints = TRUE;
}
else
{
int compare;
compare = CMP_ADDRESS(&(stream_info->endpoint_a.stream_info.dest.addr), &(stream_info->endpoint_b.stream_info.dest.addr));
if (compare < 0)
{
swap_endpoints = FALSE;
}
else if (compare > 0)
{
swap_endpoints = TRUE;
}
else
{
if (stream_info->endpoint_a.stream_info.dest.port <= stream_info->endpoint_b.stream_info.dest.port)
{
swap_endpoints = FALSE;
}
else
{
swap_endpoints = TRUE;
}
}
}
}
if (swap_endpoints == FALSE)
{
epa = stream_info->endpoint_a;
epb = stream_info->endpoint_b;
}
else
{
epb = stream_info->endpoint_a;
epa = stream_info->endpoint_b;
}
item = (seq_analysis_item_t *)g_malloc(sizeof(seq_analysis_item_t));
COPY_ADDRESS(&(item->src_addr), &(pinfo->src));
COPY_ADDRESS(&(item->dst_addr), &(pinfo->dst));
item->fd = pinfo->fd;
item->port_src = pinfo->srcport;
item->port_dst = pinfo->destport;
if (stream_info->description == NULL)
{
item->frame_label = g_strdup_printf("(%" G_GUINT32_FORMAT ")", stream_info->sqn);
}
else
{
item->frame_label = g_strdup_printf("%s (%" G_GUINT32_FORMAT ")", stream_info->description, stream_info->sqn);
}
if (epa.type == lbm_uim_instance_stream)
{
ctxinst1 = bytes_to_str(pinfo->pool, epa.stream_info.ctxinst.ctxinst, sizeof(epa.stream_info.ctxinst.ctxinst));
ctxinst2 = bytes_to_str(pinfo->pool, epb.stream_info.ctxinst.ctxinst, sizeof(epb.stream_info.ctxinst.ctxinst));
item->comment = g_strdup_printf("%s <-> %s [%" G_GUINT64_FORMAT "]",
ctxinst1,
ctxinst2,
stream_info->channel);
}
else
{
item->comment = g_strdup_printf("%" G_GUINT32_FORMAT ":%s:%" G_GUINT16_FORMAT " <-> %" G_GUINT32_FORMAT ":%s:%" G_GUINT16_FORMAT " [%" G_GUINT64_FORMAT "]",
epa.stream_info.dest.domain,
address_to_str(pinfo->pool, &(epa.stream_info.dest.addr)),
epa.stream_info.dest.port,
epb.stream_info.dest.domain,
address_to_str(pinfo->pool, &(epb.stream_info.dest.addr)),
epb.stream_info.dest.port,
stream_info->channel);
}
item->conv_num = (guint16)LBM_CHANNEL_ID(stream_info->channel);
item->display = TRUE;
item->line_style = 1;
g_queue_push_tail(seq_info->items, item);
return (TRUE);
}
gcp_msg_t* gcp_msg(packet_info* pinfo, int o, gboolean keep_persistent_data) {
gcp_msg_t* m;
guint32 framenum = (guint32)pinfo->fd->num;
guint32 offset = (guint32)o;
address* src = &(pinfo->src);
address* dst = &(pinfo->dst);
address* lo_addr;
address* hi_addr;
if (keep_persistent_data) {
wmem_tree_key_t key[3];
key[0].length = 1;
key[0].key = &(framenum);
key[1].length = 1;
key[1].key = &offset;
key[2].length = 0;
key[2].key =NULL;
if (( m = (gcp_msg_t *)wmem_tree_lookup32_array(msgs,key) )) {
m->committed = TRUE;
return m;
} else {
m = wmem_new(wmem_file_scope(), gcp_msg_t);
m->framenum = framenum;
m->time = pinfo->fd->abs_ts;
m->trxs = NULL;
m->committed = FALSE;
wmem_tree_insert32_array(msgs,key,m);
}
} else {
m = wmem_new0(wmem_packet_scope(), gcp_msg_t);
m->framenum = framenum;
m->trxs = NULL;
m->committed = FALSE;
}
if (CMP_ADDRESS(src, dst) < 0) {
lo_addr = src;
hi_addr = dst;
} else {
lo_addr = dst;
hi_addr = src;
}
switch(lo_addr->type) {
case AT_NONE:
m->lo_addr = 0;
m->hi_addr = 0;
break;
case AT_IPv4:
memcpy((guint8*)&(m->hi_addr),hi_addr->data,4);
memcpy((guint8*)&(m->lo_addr),lo_addr->data,4);
break;
case AT_SS7PC:
m->hi_addr = mtp3_pc_hash((const mtp3_addr_pc_t *)hi_addr->data);
m->lo_addr = mtp3_pc_hash((const mtp3_addr_pc_t *)lo_addr->data);
break;
default:
/* XXX: heuristic and error prone */
m->hi_addr = g_str_hash(address_to_str(wmem_packet_scope(), hi_addr));
m->lo_addr = g_str_hash(address_to_str(wmem_packet_scope(), lo_addr));
break;
}
return m;
}