static void CaPei(pei *ppei, const char *prot_name, tca_priv *priv, time_t *cap_sec, time_t *end_cap) { char val[TCP_CA_FILENAME_PATH_SIZE]; char dns[TCP_CA_FILENAME_PATH_SIZE]; float latitude; float longitude; pei_component *cmpn; char *cc; latitude = longitude = 0; cc = NULL; dns[0] = '\0'; /* pei components */ if (priv->ipv6) { FTString(&priv->ip_s, FT_IPv6, val); PeiNewComponent(&cmpn, pei_ip_src_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, val); PeiAddComponent(ppei, cmpn); FTString(&priv->ip_d, FT_IPv6, val); PeiNewComponent(&cmpn, pei_ip_dst_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, val); PeiAddComponent(ppei, cmpn); DnsDbSearch(&priv->ip_d, FT_IPv6, dns, TCP_CA_FILENAME_PATH_SIZE); GeoIPLocIP(&priv->ip_d, FT_IPv6, &latitude, &longitude, &cc); } else { FTString(&priv->ip_s, FT_IPv4, val); PeiNewComponent(&cmpn, pei_ip_src_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, val); PeiAddComponent(ppei, cmpn); FTString(&priv->ip_d, FT_IPv4, val); PeiNewComponent(&cmpn, pei_ip_dst_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, val); PeiAddComponent(ppei, cmpn); DnsDbSearch(&priv->ip_d, FT_IPv4, dns, TCP_CA_FILENAME_PATH_SIZE); GeoIPLocIP(&priv->ip_d, FT_IPv4, &latitude, &longitude, &cc); } PeiNewComponent(&cmpn, pei_dns_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, dns); PeiAddComponent(ppei, cmpn); sprintf(val, "%i", priv->port_s); PeiNewComponent(&cmpn, pei_port_src_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, val); PeiAddComponent(ppei, cmpn); sprintf(val, "%i", priv->port_d); PeiNewComponent(&cmpn, pei_port_dst_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, val); PeiAddComponent(ppei, cmpn); PeiNewComponent(&cmpn, pei_l7protocol_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, prot_name); PeiAddComponent(ppei, cmpn); sprintf(val, "%f", latitude); PeiNewComponent(&cmpn, pei_lat_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, val); PeiAddComponent(ppei, cmpn); sprintf(val, "%f", longitude); PeiNewComponent(&cmpn, pei_long_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, val); PeiAddComponent(ppei, cmpn); if (cc != NULL) { PeiNewComponent(&cmpn, pei_country_code_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, cc); PeiAddComponent(ppei, cmpn); } sprintf(val, "%zu", priv->bsent); PeiNewComponent(&cmpn, pei_bsent_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, val); PeiAddComponent(ppei, cmpn); sprintf(val, "%zu", priv->breceiv); PeiNewComponent(&cmpn, pei_brecv_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, val); PeiAddComponent(ppei, cmpn); sprintf(val, "%zu", priv->blost_sent); PeiNewComponent(&cmpn, pei_blost_sent_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, val); PeiAddComponent(ppei, cmpn); sprintf(val, "%zu", priv->blost_receiv); PeiNewComponent(&cmpn, pei_blost_recv_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, val); PeiAddComponent(ppei, cmpn); sprintf(val, "%lu", priv->pkt_sent); PeiNewComponent(&cmpn, pei_pkt_sent_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, val); PeiAddComponent(ppei, cmpn); sprintf(val, "%lu", priv->pkt_receiv); PeiNewComponent(&cmpn, pei_pkt_recv_id); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddStingBuff(cmpn, val); PeiAddComponent(ppei, cmpn); if (priv->img1[0] != '\0') { PeiNewComponent(&cmpn, pei_trace_img); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddFile(cmpn, "client.png", priv->img1, 0); PeiAddComponent(ppei, cmpn); } if (priv->img2[0] != '\0') { PeiNewComponent(&cmpn, pei_trace_img); PeiCompCapTime(cmpn, *cap_sec); PeiCompCapEndTime(cmpn, *end_cap); PeiCompAddFile(cmpn, "server.png", priv->img2, 0); PeiAddComponent(ppei, cmpn); } }
static packet *SyslogDissector(int flow_id) { packet *pkt; const pstack_f *udp, *ip; const char *msg; ftval val; char file_log[SYSLOG_FILENAME_PATH_SIZE]; char host[SYSLOG_FILENAME_PATH_SIZE]; pei *ppei; pei_component *cmpn; time_t cap_sec, end_cap; int cntpkt, len; short pri, fac, sev; FILE *fp; ppei = NULL; LogPrintf(LV_DEBUG, "Syslog id: %d", flow_id); cntpkt = 0; /* ip version and number */ udp = FlowStack(flow_id); /* udp frame */ ip = ProtGetNxtFrame(udp); /* ip/ipv6 frame */ ProtStackFrmDisp(udp, TRUE); /* host */ len = 0; if (ProtFrameProtocol(ip) == ip_id) { ProtGetAttr(ip, ip_src_id, &val); if (DnsDbSearch(&val, FT_IPv4, host+len, SYSLOG_FILENAME_PATH_SIZE - len) != 0) { FTString(&val, FT_IPv4, host+len); } len = strlen(host); host[len++] = ' '; host[len++] = '-'; host[len++] = ' '; ProtGetAttr(ip, ip_dst_id, &val); if (DnsDbSearch(&val, FT_IPv4, host+len, SYSLOG_FILENAME_PATH_SIZE - len) != 0) { FTString(&val, FT_IPv4, host+len); } } else { ProtGetAttr(ip, ipv6_src_id, &val); if (DnsDbSearch(&val, FT_IPv6, host+len, SYSLOG_FILENAME_PATH_SIZE - len) != 0) { FTString(&val, FT_IPv6, host+len); } host[len++] = ' '; host[len++] = '-'; host[len++] = ' '; ProtGetAttr(ip, ipv6_dst_id, &val); if (DnsDbSearch(&val, FT_IPv6, host+len, SYSLOG_FILENAME_PATH_SIZE - len) != 0) { FTString(&val, FT_IPv6, host+len); } } len = strlen(host); /* syslog file */ sprintf(file_log, "%s/%s/syslog_%p_%lu.log", ProtTmpDir(), SYSLOG_TMP_DIR, file_log,incr++); fp = fopen(file_log, "w"); /* first packet */ pkt = FlowGetPkt(flow_id); if (pkt != NULL) { /* pei definition */ PeiNew(&ppei, prot_id); PeiCapTime(ppei, pkt->cap_sec); PeiMarker(ppei, pkt->serial); PeiStackFlow(ppei, udp); cap_sec = pkt->cap_sec; } if (fp != NULL) { while (pkt != NULL) { cntpkt++; end_cap = pkt->cap_sec; pri = SyslogPri(pkt->data, pkt->len); if (pri != -1) { msg = SyslogMsg(pkt->data, pkt->len); if (msg != NULL) { sev = pri & 0x07; fac = pri >> 3; fprintf(fp, "{%s.%s} %s", facility[fac], severity[sev], msg); } } PktFree(pkt); pkt = FlowGetPkt(flow_id); }
static packet *TelnetDissector(int flow_id) { packet *pkt; const pstack_f *tcp, *ip; ftval lost, ip_host, port; unsigned short port_host; bool ipv6; long offset, len, size; char host[TELNET_FILENAME_PATH_SIZE]; char user[TELNET_BUF_SIZE]; char password[TELNET_BUF_SIZE]; char cmd_file[TELNET_FILENAME_PATH_SIZE]; FILE *fp; char *buf; pei *ppei; time_t cap_sec, end_cap; int cntpkt; LogPrintf(LV_DEBUG, "Telnet id: %d", flow_id); cntpkt = 0; /* init (this for each telnet stream) */ user[0] = '\0'; password[0] = '\0'; sprintf(cmd_file, "%s/%s/telnet_%lu_%p_%i.txt", ProtTmpDir(), TELNET_TMP_DIR, time(NULL), cmd_file, incr); incr++; fp = fopen(cmd_file, "w"); ipv6 = FALSE; buf = DMemMalloc(TELNET_LOGIN_SIZE); buf[0] = '\0'; len = 0; /* ip version and number */ tcp = FlowStack(flow_id); /* tcp frame */ ip = ProtGetNxtFrame(tcp); /* ip/ipv6 frame */ ProtGetAttr(tcp, port_dst_id, &port); port_host = port.uint16; if (ProtFrameProtocol(ip) == ipv6_id) { ipv6 = TRUE; } if (ipv6 == FALSE) { ProtGetAttr(ip, ip_dst_id, &ip_host); if (DnsDbSearch(&(ip_host), FT_IPv4, host, TELNET_FILENAME_PATH_SIZE) != 0) { FTString(&(ip_host), FT_IPv4, host); } } else { ProtGetAttr(ip, ipv6_dst_id, &ip_host); if (DnsDbSearch(&(ip_host), FT_IPv6, host, TELNET_FILENAME_PATH_SIZE) != 0) { FTString(&(ip_host), FT_IPv6, host); } } sprintf(host+strlen(host), ":%i", port_host); /* first packet */ pkt = FlowGetPkt(flow_id); if (pkt != NULL) { /* pei definition */ PeiNew(&ppei, telnet_id); PeiCapTime(ppei, pkt->cap_sec); PeiMarker(ppei, pkt->serial); PeiStackFlow(ppei, tcp); cap_sec = pkt->cap_sec; } while (pkt != NULL) { cntpkt++; end_cap = pkt->cap_sec; offset = 0; /* check if there are packet lost */ ProtGetAttr(pkt->stk, lost_id, &lost); //ProtStackFrmDisp(pkt->stk, TRUE); /* this function display the structure of packet stack of this packet */ if (lost.uint8 == FALSE && pkt->len != 0) { /* no packet lost and packet with data */ /* skip the telnet commands, we are interested only in readable data */ #warning "to do: reassemble telnet message from many tcp packets" offset = TelnetSkipCommand((unsigned char *)(pkt->data), (unsigned char *)(pkt->data + pkt->len)); if (offset < pkt->len) { TelnetConvertZeros((unsigned char *)(pkt->data + offset), (unsigned char *)(pkt->data + pkt->len)); size = pkt->len - offset; fwrite(pkt->data + offset, 1, size, fp); if (len + size < TELNET_LOGIN_SIZE) { memcpy(buf+len, pkt->data + offset, size); len += size; buf[len] = '\0'; } } } else if (lost.uint8) { fprintf(fp, "-----> xplico: packets lost (size: %lub) <-----", pkt->len); } /* new/next packet */ PktFree(pkt); pkt = FlowGetPkt(flow_id); } /* search login */ buf[TELNET_LOGIN_SIZE - 1] = '\0'; TelnetLogin(buf, user, password, TELNET_BUF_SIZE); /* free memory and close file */ DMemFree(buf); if (fp != NULL) { fclose(fp); } if (len != 0) { /* compose pei */ TelnetPei(ppei, host, user, password, cmd_file, &cap_sec, &end_cap); /* insert pei */ PeiIns(ppei); } LogPrintf(LV_DEBUG, "Telnet... bye bye. (count:%i)", cntpkt); return NULL; }