static void CaPei(pei *ppei, const char *prot_name, tca_priv *priv, time_t *cap_sec, time_t *end_cap)
{
char val[TCP_CA_FILENAME_PATH_SIZE];
char dns[TCP_CA_FILENAME_PATH_SIZE];
float latitude;
float longitude;
pei_component *cmpn;
char *cc;
latitude = longitude = 0;
cc = NULL;
dns[0] = '\0';
/* pei components */
if (priv->ipv6) {
FTString(&priv->ip_s, FT_IPv6, val);
PeiNewComponent(&cmpn, pei_ip_src_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, val);
PeiAddComponent(ppei, cmpn);
FTString(&priv->ip_d, FT_IPv6, val);
PeiNewComponent(&cmpn, pei_ip_dst_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, val);
PeiAddComponent(ppei, cmpn);
DnsDbSearch(&priv->ip_d, FT_IPv6, dns, TCP_CA_FILENAME_PATH_SIZE);
GeoIPLocIP(&priv->ip_d, FT_IPv6, &latitude, &longitude, &cc);
}
else {
FTString(&priv->ip_s, FT_IPv4, val);
PeiNewComponent(&cmpn, pei_ip_src_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, val);
PeiAddComponent(ppei, cmpn);
FTString(&priv->ip_d, FT_IPv4, val);
PeiNewComponent(&cmpn, pei_ip_dst_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, val);
PeiAddComponent(ppei, cmpn);
DnsDbSearch(&priv->ip_d, FT_IPv4, dns, TCP_CA_FILENAME_PATH_SIZE);
GeoIPLocIP(&priv->ip_d, FT_IPv4, &latitude, &longitude, &cc);
}
PeiNewComponent(&cmpn, pei_dns_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, dns);
PeiAddComponent(ppei, cmpn);
sprintf(val, "%i", priv->port_s);
PeiNewComponent(&cmpn, pei_port_src_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, val);
PeiAddComponent(ppei, cmpn);
sprintf(val, "%i", priv->port_d);
PeiNewComponent(&cmpn, pei_port_dst_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, val);
PeiAddComponent(ppei, cmpn);
PeiNewComponent(&cmpn, pei_l7protocol_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, prot_name);
PeiAddComponent(ppei, cmpn);
sprintf(val, "%f", latitude);
PeiNewComponent(&cmpn, pei_lat_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, val);
PeiAddComponent(ppei, cmpn);
sprintf(val, "%f", longitude);
PeiNewComponent(&cmpn, pei_long_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, val);
PeiAddComponent(ppei, cmpn);
if (cc != NULL) {
PeiNewComponent(&cmpn, pei_country_code_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, cc);
PeiAddComponent(ppei, cmpn);
}
sprintf(val, "%zu", priv->bsent);
PeiNewComponent(&cmpn, pei_bsent_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, val);
PeiAddComponent(ppei, cmpn);
sprintf(val, "%zu", priv->breceiv);
PeiNewComponent(&cmpn, pei_brecv_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, val);
PeiAddComponent(ppei, cmpn);
sprintf(val, "%zu", priv->blost_sent);
PeiNewComponent(&cmpn, pei_blost_sent_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, val);
PeiAddComponent(ppei, cmpn);
sprintf(val, "%zu", priv->blost_receiv);
PeiNewComponent(&cmpn, pei_blost_recv_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, val);
PeiAddComponent(ppei, cmpn);
sprintf(val, "%lu", priv->pkt_sent);
PeiNewComponent(&cmpn, pei_pkt_sent_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, val);
PeiAddComponent(ppei, cmpn);
sprintf(val, "%lu", priv->pkt_receiv);
PeiNewComponent(&cmpn, pei_pkt_recv_id);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddStingBuff(cmpn, val);
PeiAddComponent(ppei, cmpn);
if (priv->img1[0] != '\0') {
PeiNewComponent(&cmpn, pei_trace_img);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddFile(cmpn, "client.png", priv->img1, 0);
PeiAddComponent(ppei, cmpn);
}
if (priv->img2[0] != '\0') {
PeiNewComponent(&cmpn, pei_trace_img);
PeiCompCapTime(cmpn, *cap_sec);
PeiCompCapEndTime(cmpn, *end_cap);
PeiCompAddFile(cmpn, "server.png", priv->img2, 0);
PeiAddComponent(ppei, cmpn);
}
}
static packet *SyslogDissector(int flow_id)
{
packet *pkt;
const pstack_f *udp, *ip;
const char *msg;
ftval val;
char file_log[SYSLOG_FILENAME_PATH_SIZE];
char host[SYSLOG_FILENAME_PATH_SIZE];
pei *ppei;
pei_component *cmpn;
time_t cap_sec, end_cap;
int cntpkt, len;
short pri, fac, sev;
FILE *fp;
ppei = NULL;
LogPrintf(LV_DEBUG, "Syslog id: %d", flow_id);
cntpkt = 0;
/* ip version and number */
udp = FlowStack(flow_id); /* udp frame */
ip = ProtGetNxtFrame(udp); /* ip/ipv6 frame */
ProtStackFrmDisp(udp, TRUE);
/* host */
len = 0;
if (ProtFrameProtocol(ip) == ip_id) {
ProtGetAttr(ip, ip_src_id, &val);
if (DnsDbSearch(&val, FT_IPv4, host+len, SYSLOG_FILENAME_PATH_SIZE - len) != 0) {
FTString(&val, FT_IPv4, host+len);
}
len = strlen(host);
host[len++] = ' ';
host[len++] = '-';
host[len++] = ' ';
ProtGetAttr(ip, ip_dst_id, &val);
if (DnsDbSearch(&val, FT_IPv4, host+len, SYSLOG_FILENAME_PATH_SIZE - len) != 0) {
FTString(&val, FT_IPv4, host+len);
}
}
else {
ProtGetAttr(ip, ipv6_src_id, &val);
if (DnsDbSearch(&val, FT_IPv6, host+len, SYSLOG_FILENAME_PATH_SIZE - len) != 0) {
FTString(&val, FT_IPv6, host+len);
}
host[len++] = ' ';
host[len++] = '-';
host[len++] = ' ';
ProtGetAttr(ip, ipv6_dst_id, &val);
if (DnsDbSearch(&val, FT_IPv6, host+len, SYSLOG_FILENAME_PATH_SIZE - len) != 0) {
FTString(&val, FT_IPv6, host+len);
}
}
len = strlen(host);
/* syslog file */
sprintf(file_log, "%s/%s/syslog_%p_%lu.log", ProtTmpDir(), SYSLOG_TMP_DIR, file_log,incr++);
fp = fopen(file_log, "w");
/* first packet */
pkt = FlowGetPkt(flow_id);
if (pkt != NULL) {
/* pei definition */
PeiNew(&ppei, prot_id);
PeiCapTime(ppei, pkt->cap_sec);
PeiMarker(ppei, pkt->serial);
PeiStackFlow(ppei, udp);
cap_sec = pkt->cap_sec;
}
if (fp != NULL) {
while (pkt != NULL) {
cntpkt++;
end_cap = pkt->cap_sec;
pri = SyslogPri(pkt->data, pkt->len);
if (pri != -1) {
msg = SyslogMsg(pkt->data, pkt->len);
if (msg != NULL) {
sev = pri & 0x07;
fac = pri >> 3;
fprintf(fp, "{%s.%s} %s", facility[fac], severity[sev], msg);
}
}
PktFree(pkt);
pkt = FlowGetPkt(flow_id);
}
static packet *TelnetDissector(int flow_id)
{
packet *pkt;
const pstack_f *tcp, *ip;
ftval lost, ip_host, port;
unsigned short port_host;
bool ipv6;
long offset, len, size;
char host[TELNET_FILENAME_PATH_SIZE];
char user[TELNET_BUF_SIZE];
char password[TELNET_BUF_SIZE];
char cmd_file[TELNET_FILENAME_PATH_SIZE];
FILE *fp;
char *buf;
pei *ppei;
time_t cap_sec, end_cap;
int cntpkt;
LogPrintf(LV_DEBUG, "Telnet id: %d", flow_id);
cntpkt = 0;
/* init (this for each telnet stream) */
user[0] = '\0';
password[0] = '\0';
sprintf(cmd_file, "%s/%s/telnet_%lu_%p_%i.txt", ProtTmpDir(), TELNET_TMP_DIR, time(NULL), cmd_file, incr);
incr++;
fp = fopen(cmd_file, "w");
ipv6 = FALSE;
buf = DMemMalloc(TELNET_LOGIN_SIZE);
buf[0] = '\0';
len = 0;
/* ip version and number */
tcp = FlowStack(flow_id); /* tcp frame */
ip = ProtGetNxtFrame(tcp); /* ip/ipv6 frame */
ProtGetAttr(tcp, port_dst_id, &port);
port_host = port.uint16;
if (ProtFrameProtocol(ip) == ipv6_id) {
ipv6 = TRUE;
}
if (ipv6 == FALSE) {
ProtGetAttr(ip, ip_dst_id, &ip_host);
if (DnsDbSearch(&(ip_host), FT_IPv4, host, TELNET_FILENAME_PATH_SIZE) != 0) {
FTString(&(ip_host), FT_IPv4, host);
}
}
else {
ProtGetAttr(ip, ipv6_dst_id, &ip_host);
if (DnsDbSearch(&(ip_host), FT_IPv6, host, TELNET_FILENAME_PATH_SIZE) != 0) {
FTString(&(ip_host), FT_IPv6, host);
}
}
sprintf(host+strlen(host), ":%i", port_host);
/* first packet */
pkt = FlowGetPkt(flow_id);
if (pkt != NULL) {
/* pei definition */
PeiNew(&ppei, telnet_id);
PeiCapTime(ppei, pkt->cap_sec);
PeiMarker(ppei, pkt->serial);
PeiStackFlow(ppei, tcp);
cap_sec = pkt->cap_sec;
}
while (pkt != NULL) {
cntpkt++;
end_cap = pkt->cap_sec;
offset = 0;
/* check if there are packet lost */
ProtGetAttr(pkt->stk, lost_id, &lost);
//ProtStackFrmDisp(pkt->stk, TRUE); /* this function display the structure of packet stack of this packet */
if (lost.uint8 == FALSE && pkt->len != 0) {
/* no packet lost and packet with data */
/* skip the telnet commands, we are interested only in readable data */
#warning "to do: reassemble telnet message from many tcp packets"
offset = TelnetSkipCommand((unsigned char *)(pkt->data), (unsigned char *)(pkt->data + pkt->len));
if (offset < pkt->len) {
TelnetConvertZeros((unsigned char *)(pkt->data + offset), (unsigned char *)(pkt->data + pkt->len));
size = pkt->len - offset;
fwrite(pkt->data + offset, 1, size, fp);
if (len + size < TELNET_LOGIN_SIZE) {
memcpy(buf+len, pkt->data + offset, size);
len += size;
buf[len] = '\0';
}
}
}
else if (lost.uint8) {
fprintf(fp, "-----> xplico: packets lost (size: %lub) <-----", pkt->len);
}
/* new/next packet */
PktFree(pkt);
pkt = FlowGetPkt(flow_id);
}
/* search login */
buf[TELNET_LOGIN_SIZE - 1] = '\0';
TelnetLogin(buf, user, password, TELNET_BUF_SIZE);
/* free memory and close file */
DMemFree(buf);
if (fp != NULL) {
fclose(fp);
}
if (len != 0) {
/* compose pei */
TelnetPei(ppei, host, user, password, cmd_file, &cap_sec, &end_cap);
/* insert pei */
PeiIns(ppei);
}
LogPrintf(LV_DEBUG, "Telnet... bye bye. (count:%i)", cntpkt);
return NULL;
}
