/* this will build libpcap filter text that will only
pass the packets related to the stream. There is a
chance that two streams could intersect, but not a
very good one */
char*
build_follow_filter( packet_info *pi ) {
char* buf;
int len;
conversation_t *conv=NULL;
struct tcp_analysis *tcpd;
if( ((pi->net_src.type == AT_IPv4 && pi->net_dst.type == AT_IPv4) ||
(pi->net_src.type == AT_IPv6 && pi->net_dst.type == AT_IPv6))
&& pi->ipproto == IP_PROTO_TCP
&& (conv=find_conversation(pi->fd->num, &pi->src, &pi->dst, pi->ptype,
pi->srcport, pi->destport, 0)) != NULL ) {
/* TCP over IPv4 */
tcpd=get_tcp_conversation_data(conv, pi);
if (tcpd) {
buf = g_strdup_printf("tcp.stream eq %d", tcpd->stream);
tcp_stream_to_follow = tcpd->stream;
if (pi->net_src.type == AT_IPv4) {
len = 4;
is_ipv6 = FALSE;
} else {
len = 16;
is_ipv6 = TRUE;
}
} else {
return NULL;
}
}
else if( pi->net_src.type == AT_IPv4 && pi->net_dst.type == AT_IPv4
&& pi->ipproto == IP_PROTO_UDP ) {
/* UDP over IPv4 */
buf = g_strdup_printf(
"(ip.addr eq %s and ip.addr eq %s) and (udp.port eq %d and udp.port eq %d)",
ip_to_str((guint8 *)pi->net_src.data),
ip_to_str((guint8 *)pi->net_dst.data),
pi->srcport, pi->destport );
len = 4;
is_ipv6 = FALSE;
}
else if( pi->net_src.type == AT_IPv6 && pi->net_dst.type == AT_IPv6
&& pi->ipproto == IP_PROTO_UDP ) {
/* UDP over IPv6 */
buf = g_strdup_printf(
"(ipv6.addr eq %s and ipv6.addr eq %s) and (udp.port eq %d and udp.port eq %d)",
ip6_to_str((const struct e_in6_addr *)pi->net_src.data),
ip6_to_str((const struct e_in6_addr *)pi->net_dst.data),
pi->srcport, pi->destport );
len = 16;
is_ipv6 = TRUE;
}
else {
return NULL;
}
memcpy(ip_address[0], pi->net_src.data, len);
memcpy(ip_address[1], pi->net_dst.data, len);
port[0] = pi->srcport;
port[1] = pi->destport;
return buf;
}
/* This will build a display filter text that will only
pass the packets related to the stream. There is a
chance that two streams could intersect, but not a
very good one */
gchar*
build_follow_conv_filter( packet_info *pi ) {
char* buf;
int len;
conversation_t *conv=NULL;
struct tcp_analysis *tcpd;
wmem_list_frame_t* protos;
int proto_id;
const char* proto_name;
gboolean is_tcp = FALSE, is_udp = FALSE;
protos = wmem_list_head(pi->layers);
/* walk the list of a available protocols in the packet to
figure out if any of them affect context sensitivity */
while (protos != NULL)
{
proto_id = GPOINTER_TO_INT(wmem_list_frame_data(protos));
proto_name = proto_get_protocol_filter_name(proto_id);
if (!strcmp(proto_name, "tcp")) {
is_tcp = TRUE;
} else if (!strcmp(proto_name, "udp")) {
is_udp = TRUE;
}
protos = wmem_list_frame_next(protos);
}
if( ((pi->net_src.type == AT_IPv4 && pi->net_dst.type == AT_IPv4) ||
(pi->net_src.type == AT_IPv6 && pi->net_dst.type == AT_IPv6))
&& is_tcp && (conv=find_conversation(pi->fd->num, &pi->src, &pi->dst, pi->ptype,
pi->srcport, pi->destport, 0)) != NULL ) {
/* TCP over IPv4 */
tcpd=get_tcp_conversation_data(conv, pi);
if (tcpd) {
buf = g_strdup_printf("tcp.stream eq %d", tcpd->stream);
tcp_stream_to_follow = tcpd->stream;
if (pi->net_src.type == AT_IPv4) {
len = 4;
is_ipv6 = FALSE;
} else {
len = 16;
is_ipv6 = TRUE;
}
} else {
return NULL;
}
}
else if( pi->net_src.type == AT_IPv4 && pi->net_dst.type == AT_IPv4
&& is_udp ) {
/* UDP over IPv4 */
buf = g_strdup_printf(
"(ip.addr eq %s and ip.addr eq %s) and (udp.port eq %d and udp.port eq %d)",
ip_to_str((const guint8 *)pi->net_src.data),
ip_to_str((const guint8 *)pi->net_dst.data),
pi->srcport, pi->destport );
len = 4;
is_ipv6 = FALSE;
}
else if( pi->net_src.type == AT_IPv6 && pi->net_dst.type == AT_IPv6
&& is_udp ) {
/* UDP over IPv6 */
buf = g_strdup_printf(
"(ipv6.addr eq %s and ipv6.addr eq %s) and (udp.port eq %d and udp.port eq %d)",
ip6_to_str((const struct e_in6_addr *)pi->net_src.data),
ip6_to_str((const struct e_in6_addr *)pi->net_dst.data),
pi->srcport, pi->destport );
len = 16;
is_ipv6 = TRUE;
}
else {
return NULL;
}
memcpy(ip_address[0], pi->net_src.data, len);
memcpy(ip_address[1], pi->net_dst.data, len);
port[0] = pi->srcport;
port[1] = pi->destport;
return buf;
}
