Esempio n. 1
/*
 * Run one statistics pass by invoking every collector in a fixed order.
 * The collectors are defined elsewhere; judging by their names they cover
 * CPU load, free memory, network interfaces, DNS, DHCP and "nemon".
 * Takes no arguments and returns nothing; any result is produced as a side
 * effect of the individual collectors.
 */
void process_stats(void) {
	process_cpuload();
	process_freemem();
	process_interfaces();
	process_dns();
	process_dhcp();
	process_nemon();
}
Esempio n. 2
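/*
 * Periodically probe one target host with an ICMP echo request and/or a DNS
 * query (selected at build time via ICMP / DNS / BOTH) and report the send and
 * receive timestamps of each probe.
 *
 * The raw ICMP socket is opened before anything else so that privileges can be
 * dropped before any argument parsing or network input is handled.
 *
 * Never returns normally: the probe loop runs until a DIE() terminates the
 * process.
 */
int main(int argc, const char * argv[]) {
#ifdef ICMP
    // get the ping socket (a raw socket; presumably the reason the binary
    // is started with elevated privileges)
    int ping = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
    {
        // Drop privilege immediately. errno is saved first so the reason for
        // a failed socket() call survives the setuid() call.
        int ping_errno = errno;

        // A failed setuid() must be fatal: carrying on would parse arguments
        // and untrusted network replies while still privileged.
        // NOTE(review): only the user id is reset. If the binary can be
        // installed set-group-ID, drop the group id as well, before the uid.
        if (0 != setuid(getuid())) {
            DIE(EX_OSERR, "drop privileges");
        }

        if (0 > ping) {
            errno = ping_errno;
            DIE(EX_OSERR, "open ping socket");
        }

        LOG(2, "ping socket: %d", ping);
    }
#endif // ICMP


#ifdef DNS
    // get the dns socket
    int dns = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP);
    {
        if (0 > dns) {
            DIE(EX_OSERR, "open dns socket");
        }
        LOG(2, "dns socket: %d", dns);
    }
#endif // DNS

    // One pollfd slot per enabled probe; the separating comma is only
    // emitted when both probes are compiled in.
    struct pollfd fds[2] = {
#ifdef ICMP
        { ping, POLLIN, 0 }
#endif // ICMP
#ifdef BOTH
        ,
#endif // BOTH
#ifdef DNS
        { dns,  POLLIN, 0 }
#endif // DNS
    };

    // Record which slot each probe occupies; in a DNS-only build the dns
    // socket sits in slot 0, so slots must never be addressed by literal.
    int fd_count = 0;
#ifdef ICMP
    int ping_index = fd_count++;
#endif // ICMP
#ifdef DNS
    int dns_index = fd_count++;
#endif // DNS

    // process arguments
    struct opts_t opts;
    get_opts(argc, argv, &opts);
    // NOTE(review): addr is dereferenced below without a NULL check;
    // presumably get_one_host() terminates on failure - confirm.
    const struct addrinfo * addr = get_one_host(opts.target);

#ifdef ICMP
    int sequence = -1;
    struct icmp icmp_template;
    construct_icmp_template(&icmp_template);
#endif // ICMP

#ifdef DNS
    void * dns_template;
    size_t template_size = construct_dns_template(&dns_template, opts.query);
    LOG(3, "template: ");
    if (verbose() >= 3) { fputbuf(stderr, dns_template, template_size);fputc('\n', stderr); }
#endif // DNS

    // initialize the prng (used for the DNS transaction id)
    srandomdev();

    int count = -1;
    while (1) {
        ++count;

#ifdef ICMP
        struct icmp icmp_message;
        size_t icmp_message_size;
        icmp_message_size = construct_icmp(&icmp_template, &icmp_message, ++sequence);

        ssize_t icmp_sent = sendto(ping, (const void *)&icmp_message, icmp_message_size, 0, addr->ai_addr, addr->ai_addrlen);
        if (0 > icmp_sent) DIE(EX_OSERR, "sendto ping");
        // ssize_t does not match %d; the byte count is small, so narrow it.
        LOG(1, "ping sent %d bytes", (int)icmp_sent);
        long icmp_send_time = now_us();
        long icmp_recv_time = -1;
#endif // ICMP

#ifdef DNS
        // NOTE(review): construct_dns() hands back a buffer through
        // dns_message on every iteration and nothing here releases it;
        // confirm who owns that memory.
        void * dns_message;
        size_t dns_message_size;
        short dns_id = (short)random();
        dns_message_size = construct_dns(dns_template, template_size, &dns_message, dns_id);

        ssize_t dns_sent = sendto(dns, (const void *)dns_message, dns_message_size, 0, addr->ai_addr, addr->ai_addrlen);
        // ssize_t does not match %d; the byte count is small, so narrow it.
        LOG(1, "dns sent %d bytes", (int)dns_sent);
        if (verbose() >= 3) { fputbuf(stderr, dns_message, dns_message_size);fputc('\n', stderr); }
        if (0 > dns_sent) DIE(EX_OSERR, "sendto dns");
        long dns_send_time = now_us();
        long dns_recv_time = -1;
#endif // DNS

        // Wait for replies until the end of this probe period; poll()
        // returning 0 means the remaining time elapsed with no events.
        long ttd_ms = now_ms() + opts.period_ms;
        int poll_time = (int)opts.period_ms;
        int ret;
        while ((ret = poll(fds, fd_count, poll_time))) {
            if (0 > ret) DIE(EX_OSERR, "poll");

#ifdef ICMP
            if (fds[ping_index].revents & POLLERR) {
                int error = 0;
                socklen_t errlen = sizeof(error);
                // getsockopt() reports failure with a negative return value.
                if (0 > getsockopt(fds[ping_index].fd, SOL_SOCKET, SO_ERROR, (void *)&error, &errlen))
                    DIE(EX_OSERR, "getsockopt on ping while handling POLLERR");
                errno = error;
                DIE(EX_OSERR, "POLLERR on ping");
            }

            if (fds[ping_index].revents & POLLIN) {
                icmp_recv_time = process_ping(fds[ping_index].fd, sequence);
            }
#endif // ICMP

#ifdef DNS
            if (fds[dns_index].revents & POLLERR) {
                int error = 0;
                socklen_t errlen = sizeof(error);
                // getsockopt() reports failure with a negative return value.
                if (0 > getsockopt(fds[dns_index].fd, SOL_SOCKET, SO_ERROR, (void *)&error, &errlen))
                    DIE(EX_OSERR, "getsockopt on dns while handling POLLERR");
                errno = error;
                DIE(EX_OSERR, "POLLERR on dns");
            }

            if (fds[dns_index].revents & POLLIN) {
                dns_recv_time = process_dns(fds[dns_index].fd, dns_id);
            }
#endif // DNS

            // Shrink the timeout to whatever is left of the period.
            poll_time = (int)(ttd_ms - now_ms());
            if (poll_time < 0) break;
        }

        LOG(1, "poll period %d ended", count);

#ifdef ICMP
        REPORT("icmp", icmp_send_time, icmp_recv_time, sequence);
#endif // ICMP

#ifdef DNS
        REPORT("dns", dns_send_time, dns_recv_time, dns_id);
#endif // DNS
    }

    return 0;
}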
Esempio n. 3
File: pkt_proc.c Progetto: houcy/joy
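/*
 * Parse one UDP datagram, attribute it to a flow record and update that
 * record's per-flow statistics.
 *
 * h          pcap header of the packet; h->ts is stored as the packet time
 * udp_start  first byte of the UDP header
 * udp_len    number of bytes available from udp_start, as supplied by the
 *            caller; the length field inside the UDP header is not consulted
 * key        flow key; its source and destination ports are filled in here
 *
 * Returns the flow record for the datagram, or NULL when the datagram is
 * shorter than a UDP header or no record could be obtained.
 */
struct flow_record *
process_udp(const struct pcap_pkthdr *h, const void *udp_start, int udp_len, struct flow_key *key) {
  enum { UDP_HDR_LEN = 8, DNS_PORT = 53 };
  const unsigned char *payload;
  unsigned int size_payload;
  const struct udp_hdr *udp = (const struct udp_hdr *)udp_start;
  struct flow_record *record = NULL;
  
  if (output_level > none) {
    fprintf(output, "   protocol: UDP\n");
  }

  /*
   * Reject anything too short to hold a header before a header field is
   * read. The comparison is done on the signed length so that a negative
   * udp_len is rejected as well instead of wrapping to a huge payload size.
   */
  if (udp_len < UDP_HDR_LEN) {
    // fprintf(output, "   * Invalid UDP packet length: %u bytes\n", udp_len);
    return NULL;
  }
  
  /*
   * Arithmetic on void * is a compiler extension; step through a byte
   * pointer instead, keeping the const qualifier of the packet buffer.
   */
  payload = (const unsigned char *)udp_start + UDP_HDR_LEN;
  size_payload = (unsigned int)udp_len - UDP_HDR_LEN;
  if (output_level > none) {
    fprintf(output, "   src port: %d\n", ntohs(udp->src_port));
    fprintf(output, "   dst port: %d\n", ntohs(udp->dst_port));
    fprintf(output, "payload len: %u\n", size_payload);
  }
  
  /*
   * Print payload data; it might be binary, so don't just
   * treat it as a string.
   */
  if (size_payload > 0) {
    if (output_level > packet_summary) {
      fprintf(output, "   payload (%u bytes):\n", size_payload);
      print_payload(payload, size_payload);
    }
  }
  
  key->sp = ntohs(udp->src_port);
  key->dp = ntohs(udp->dst_port);
  
  record = flow_key_get_record(key, CREATE_RECORDS); 
  if (record == NULL) {
    return NULL;
  }

  /*
   * record->op indexes pkt_len[] and pkt_time[]; the comparison with
   * num_pkt_len is what keeps those writes in bounds.
   * NOTE(review): assumes both arrays hold at least num_pkt_len entries -
   * confirm against the struct definition.
   */
  if (record->op < num_pkt_len) {
    if (report_dns && (key->dp == DNS_PORT || key->sp == DNS_PORT)) {
      process_dns(h, payload, size_payload, record);
    } 
    if (include_zeroes || (size_payload != 0)) {
      record->pkt_len[record->op] = size_payload;
      record->pkt_time[record->op] = h->ts;
      record->op++; 
    }
  }
  record->ob += size_payload; 

  flow_record_update_byte_count(record, payload, size_payload);
  flow_record_update_compact_byte_count(record, payload, size_payload);
  flow_record_update_byte_dist_mean_var(record, payload, size_payload);
  wht_update(&record->wht, payload, size_payload, report_wht);

  if (nfv9_capture_port && (key->dp == nfv9_capture_port)) {
    process_nfv9(h, payload, size_payload, record);
  }

  return record;
}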
Esempio n. 4
File: udp.c Progetto: OPSF/uClinux
/*
 * Decode the UDP header at px and hand the payload to the protocol decoder
 * selected by port number. The source port is tried first; the destination
 * port is only consulted when the source port matches no known service.
 *
 * seap    capture context, passed through to the protocol decoders
 * frame   per-frame state; its src_port and dst_port are filled in here
 * px      first byte of the UDP header
 * length  number of bytes available at px; clamped to the length field of
 *         the UDP header when that field is smaller
 */
void process_udp(struct Seaper *seap, struct NetFrame *frame, const unsigned char *px, unsigned length)
{
	/* Decoded copy of the four 16-bit big-endian header fields. */
	struct {
		unsigned src_port;
		unsigned dst_port;
		unsigned length;
		unsigned checksum;
	} hdr;
	unsigned offset=0;
	const unsigned char *payload;
	unsigned payload_len;

	/* Nothing below may read the header until 8 bytes are known to exist. */
	if (length == 0) {
		FRAMERR(frame, "udp: frame empty\n");
		return;
	}
	if (length < 8) {
		FRAMERR(frame, "udp: frame too short\n");
		return;
	}

	hdr.src_port = ex16be(px+0);
	hdr.dst_port = ex16be(px+2);
	hdr.length = ex16be(px+4);
	hdr.checksum = ex16be(px+6);

	frame->src_port = hdr.src_port;
	frame->dst_port = hdr.dst_port;

	/* A length field smaller than the header itself cannot be valid. */
	if (hdr.length < 8) {
		FRAMERR_TRUNCATED(frame, "udp");
		return;
	}

	/* Ignore any bytes that follow the datagram the header describes. */
	if (hdr.length < length)
		length = hdr.length;

	offset += 8;

	/* 224.0.1.35 - SLP multicast: sampled or reported, never decoded further */
	if (frame->dst_ipv4 == 0xe0000123) {
		if (hdr.dst_port == 427)
			SAMPLE("SLP", "packet",	REC_SZ, "test",-1);
		else
			FRAMERR(frame, "unknown port %d\n", hdr.dst_port);
		return;
	}

	SAMPLE("UDP", "src",	REC_UNSIGNED, &hdr.src_port, sizeof(hdr.src_port));
	SAMPLE("UDP", "dst",	REC_UNSIGNED, &hdr.dst_port, sizeof(hdr.dst_port));

	/* length >= 8 == offset here, so the subtraction cannot wrap. */
	payload = px+offset;
	payload_len = length-offset;

	switch (hdr.src_port) {
	case 67:
	case 68:
		process_dhcp(seap, frame, payload, payload_len);
		break;
	case 53:
	case 137:
		process_dns(seap, frame, payload, payload_len);
		break;
	case 138:
		process_netbios_dgm(seap, frame, payload, payload_len);
		break;
	case 389:
		process_ldap(seap, frame, payload, payload_len);
		break;
	case 631:
		if (hdr.dst_port == 631) {
			process_cups(seap, frame, payload, payload_len);
		}
		break;
	case 1900:
		if (payload_len > 9 && memicmp(payload, "HTTP/1.1 ", 9) == 0) {
			process_upnp_response(seap, frame, payload, payload_len);
		}
		break;
	case 14906: /* ??? */
	case 4500:
		/* recognised source ports that are deliberately not decoded */
		break;
	default:
		/* Source port unknown: fall back to the destination port. */
		switch (hdr.dst_port) {
		case 67:
		case 68:
			process_dhcp(seap, frame, payload, payload_len);
			break;
		case 53:
		case 137:
		case 5353:
			process_dns(seap, frame, payload, payload_len);
			break;
		case 138:
			process_netbios_dgm(seap, frame, payload, payload_len);
			break;
		case 161:
			process_snmp(seap, frame, payload, payload_len);
			break;
		case 389:
			process_ldap(seap, frame, payload, payload_len);
			break;
		case 427: /* SRVLOC */
			process_srvloc(seap, frame, payload, payload_len);
			break;
		case 500:
			process_isakmp(seap, frame, payload, payload_len);
			break;
		case 1900:
			/* 239.255.255.250 is the only destination treated as SSDP */
			if (frame->dst_ipv4 == 0xeffffffa)
				process_ssdp(seap, frame, payload, payload_len);
			break;
		case 9283:
			process_callwave_iam(seap, frame, payload, payload_len);
			break;
		case 0:
		case 123:
		case 192: /* ??? */
		case 2222:
		case 2233: /*intel/shiva vpn*/
		case 5369:
		case 5499:
		case 14906: /* ??? */
		case 27900: /* GameSpy*/
		case 29301:
			/* recognised destination ports that are deliberately not decoded */
			break;
		default:
			/* Traffic to or from 192.168.168.155 is exempt from the report. */
			if (frame->dst_ipv4 != 0xc0a8a89b && frame->src_ipv4 != 0xc0a8a89b)
			FRAMERR(frame, "udp: unknown, [%d.%d.%d.%d]->[%d.%d.%d.%d] src=%d, dst=%d\n", 
				(frame->src_ipv4>>24)&0xFF,(frame->src_ipv4>>16)&0xFF,(frame->src_ipv4>>8)&0xFF,(frame->src_ipv4>>0)&0xFF,
				(frame->dst_ipv4>>24)&0xFF,(frame->dst_ipv4>>16)&0xFF,(frame->dst_ipv4>>8)&0xFF,(frame->dst_ipv4>>0)&0xFF,
				frame->src_port, frame->dst_port);
		}
	}

}