/*
 * Run every statistics collector once, in a fixed order.
 *
 * Each process_*() call is a sibling declared elsewhere in this file; this
 * wrapper only sequences them (CPU load, free memory, interfaces, DNS, DHCP,
 * nemon) and produces no result of its own.
 */
void process_stats(void)
{
    /* host-level counters first ... */
    process_cpuload();
    process_freemem();
    process_interfaces();
    /* ... then the per-service collectors */
    process_dns();
    process_dhcp();
    process_nemon();
}
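/*
 * Probe loop: once per period, send an ICMP echo and/or a DNS query to the
 * target host, wait up to opts.period_ms for the reply, and REPORT the
 * send/receive timestamps.  ICMP and DNS are compile-time options; BOTH is
 * defined when both are enabled.
 *
 * argc/argv are handed to get_opts(); see opts_t for the accepted options.
 * The loop is unbounded, so main() only returns 0 in principle; DIE() exits
 * on any fatal error.
 *
 * Fixes relative to the previous version: the privilege drop is checked,
 * the POLLERR handlers index the poll set by ping_index/dns_index instead of
 * the fixed slots 0/1 (wrong when only DNS is compiled in), getsockopt()'s
 * failure is -1 (not > 0), and ssize_t counts are logged with %zd.
 */
int main(int argc, const char * argv[])
{
#ifdef ICMP
    /* The raw socket is the only operation needing privilege: open it, then
     * drop privilege before anything else (argument parsing included) runs. */
    int ping = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
    {
        errno_t ping_errno = errno;   /* keep socket()'s errno across setuid() */
        if (0 != setuid(getuid())) {
            /* Continuing with privilege would silently widen the blast radius. */
            DIE(EX_OSERR, "drop privileges");
        }
        if (0 > ping) {
            errno = ping_errno;
            DIE(EX_OSERR, "open ping socket");
        }
        LOG(2, "ping socket: %d", ping);
    }
#endif // ICMP

#ifdef DNS
    int dns = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP);
    if (0 > dns) {
        DIE(EX_OSERR, "open dns socket");
    }
    LOG(2, "dns socket: %d", dns);
#endif // DNS

    /* Poll set; slot order matches the ICMP-before-DNS index assignment below,
     * so handlers must index by ping_index/dns_index, never by literal 0/1. */
    struct pollfd fds[2] = {
#ifdef ICMP
        { ping, POLLIN, 0 }
#endif // ICMP
#ifdef BOTH
        ,
#endif // BOTH
#ifdef DNS
        { dns, POLLIN, 0 }
#endif // DNS
    };
    int fd_count = 0;
#ifdef ICMP
    int ping_index = fd_count++;
#endif // ICMP
#ifdef DNS
    int dns_index = fd_count++;
#endif // DNS

    /* process arguments */
    struct opts_t opts;
    get_opts(argc, argv, &opts);
    const struct addrinfo * addr = get_one_host(opts.target);

#ifdef ICMP
    int sequence = -1;                 /* pre-incremented before each send */
    struct icmp icmp_template;
    construct_icmp_template(&icmp_template);
#endif // ICMP
#ifdef DNS
    void * dns_template;
    size_t template_size = construct_dns_template(&dns_template, opts.query);
    LOG(3, "template: ");
    if (verbose() >= 3) {
        fputbuf(stderr, dns_template, template_size);
        fputc('\n', stderr);
    }
#endif // DNS

    /* DNS transaction ids come from random(); seed it once. */
    srandomdev();

    int count = -1;
    while (1) {
        ++count;
#ifdef ICMP
        struct icmp icmp_message;
        size_t icmp_message_size = construct_icmp(&icmp_template, &icmp_message, ++sequence);
        ssize_t icmp_sent = sendto(ping, (const void *)&icmp_message, icmp_message_size, 0,
                                   addr->ai_addr, addr->ai_addrlen);
        if (0 > icmp_sent) {
            DIE(EX_OSERR, "sendto ping");
        }
        LOG(1, "ping sent %zd bytes", icmp_sent);
        long icmp_send_time = now_us();
        long icmp_recv_time = -1;      /* -1 until a matching reply arrives */
#endif // ICMP
#ifdef DNS
        void * dns_message;
        short dns_id = (short)random();
        size_t dns_message_size = construct_dns(dns_template, template_size, &dns_message, dns_id);
        ssize_t dns_sent = sendto(dns, (const void *)dns_message, dns_message_size, 0,
                                  addr->ai_addr, addr->ai_addrlen);
        /* Check before logging so a failed send is not reported as "sent -1 bytes". */
        if (0 > dns_sent) {
            DIE(EX_OSERR, "sendto dns");
        }
        LOG(1, "dns sent %zd bytes", dns_sent);
        if (verbose() >= 3) {
            fputbuf(stderr, dns_message, dns_message_size);
            fputc('\n', stderr);
        }
        /* NOTE(review): if construct_dns() allocates dns_message it is never
         * released here (one message per period) — confirm ownership. */
        long dns_send_time = now_us();
        long dns_recv_time = -1;       /* -1 until a matching reply arrives */
#endif // DNS

        long ttd_ms = now_ms() + opts.period_ms;   /* end of this period */
        int poll_time = (int)opts.period_ms;
        int ret;
        /* poll() returning 0 (timeout) ends the period; a negative return is fatal. */
        while ((ret = poll(fds, fd_count, poll_time))) {
            if (0 > ret) {
                DIE(EX_OSERR, "poll");
            }
#ifdef ICMP
            if (fds[ping_index].revents & POLLERR) {
                int error = 0;
                socklen_t errlen = sizeof(error);
                if (0 > getsockopt(fds[ping_index].fd, SOL_SOCKET, SO_ERROR, (void *)&error, &errlen)) {
                    DIE(EX_OSERR, "getsockopt on ping while handling POLLERR");
                }
                errno = error;         /* surface the pending socket error via DIE */
                DIE(EX_OSERR, "POLLERR on ping");
            }
            if (fds[ping_index].revents & POLLIN) {
                icmp_recv_time = process_ping(fds[ping_index].fd, sequence);
            }
#endif // ICMP
#ifdef DNS
            if (fds[dns_index].revents & POLLERR) {
                int error = 0;
                socklen_t errlen = sizeof(error);
                if (0 > getsockopt(fds[dns_index].fd, SOL_SOCKET, SO_ERROR, (void *)&error, &errlen)) {
                    DIE(EX_OSERR, "getsockopt on dns while handling POLLERR");
                }
                errno = error;         /* surface the pending socket error via DIE */
                DIE(EX_OSERR, "POLLERR on dns");
            }
            if (fds[dns_index].revents & POLLIN) {
                dns_recv_time = process_dns(fds[dns_index].fd, dns_id);
            }
#endif // DNS
            /* Keep waiting only for the remainder of the period. */
            poll_time = (int)(ttd_ms - now_ms());
            if (poll_time < 0) {
                break;
            }
        }
        LOG(1, "poll period %d ended", count);
#ifdef ICMP
        REPORT("icmp", icmp_send_time, icmp_recv_time, sequence);
#endif // ICMP
#ifdef DNS
        REPORT("dns", dns_send_time, dns_recv_time, dns_id);
#endif // DNS
    }
    return 0;
}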
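/*
 * Parse a UDP header and account its payload to the flow record matched by key.
 *
 * h          pcap header of the packet; its timestamp is stored per packet
 * udp_start  start of the UDP header
 * udp_len    bytes available from udp_start (header plus payload); a value
 *            below 8 (including negative) rejects the packet
 * key        flow key; sp/dp are filled in from the UDP ports (output)
 *
 * Returns the flow record the packet was accounted to, or NULL when the
 * header is incomplete or no record could be obtained.
 *
 * Fixes relative to the previous version: the payload pointer is derived
 * without arithmetic on void* and without discarding const, and the unsigned
 * payload length is printed with %u.
 */
struct flow_record * process_udp(const struct pcap_pkthdr *h, const void *udp_start, int udp_len, struct flow_key *key)
{
    const unsigned int udp_hdr_len = 8;   /* UDP header is fixed-size */
    const struct udp_hdr *udp = (const struct udp_hdr *)udp_start;
    struct flow_record *record = NULL;

    if (output_level > none) {
        fprintf(output, " protocol: UDP\n");
    }

    /* The header must be complete before any field is read. */
    if (udp_len < 8) {
        return NULL;
    }
    const unsigned char *payload = (const unsigned char *)udp_start + udp_hdr_len;
    unsigned int size_payload = (unsigned int)udp_len - udp_hdr_len;

    if (output_level > none) {
        fprintf(output, " src port: %d\n", ntohs(udp->src_port));
        fprintf(output, " dst port: %d\n", ntohs(udp->dst_port));
        fprintf(output, "payload len: %u\n", size_payload);
    }

    /*
     * Print payload data; it might be binary, so don't just
     * treat it as a string.
     */
    if (size_payload > 0 && output_level > packet_summary) {
        fprintf(output, " payload (%u bytes):\n", size_payload);
        print_payload(payload, size_payload);
    }

    key->sp = ntohs(udp->src_port);
    key->dp = ntohs(udp->dst_port);
    record = flow_key_get_record(key, CREATE_RECORDS);
    if (record == NULL) {
        return NULL;
    }

    /* Per-packet length/time arrays hold at most num_pkt_len entries. */
    if (record->op < num_pkt_len) {
        if (report_dns && (key->dp == 53 || key->sp == 53)) {
            process_dns(h, payload, size_payload, record);
        }
        /* Empty datagrams are only recorded when include_zeroes is set. */
        if (include_zeroes || (size_payload != 0)) {
            record->pkt_len[record->op] = size_payload;
            record->pkt_time[record->op] = h->ts;
            record->op++;
        }
    }

    record->ob += size_payload;
    flow_record_update_byte_count(record, payload, size_payload);
    flow_record_update_compact_byte_count(record, payload, size_payload);
    flow_record_update_byte_dist_mean_var(record, payload, size_payload);
    wht_update(&record->wht, payload, size_payload, report_wht);

    if (nfv9_capture_port && (key->dp == nfv9_capture_port)) {
        process_nfv9(h, payload, size_payload, record);
    }

    return record;
}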
/*
 * Dispatch a UDP payload by destination port (used when the source port did
 * not identify the protocol).
 *
 * seap/frame   passed through to the protocol handlers; frame's addresses
 *              and ports are consulted for the unknown-port report
 * payload      first byte after the 8-byte UDP header
 * payload_len  bytes available from payload
 * dst_port     destination port already extracted from the header
 */
static void udp_dispatch_by_dst_port(struct Seaper *seap, struct NetFrame *frame,
                                     const unsigned char *payload, unsigned payload_len,
                                     unsigned dst_port)
{
    switch (dst_port) {
    case 68:
    case 67:
        process_dhcp(seap, frame, payload, payload_len);
        break;
    case 53:
    case 5353:
        process_dns(seap, frame, payload, payload_len);
        break;
    case 137:
        process_dns(seap, frame, payload, payload_len);
        break;
    case 138:
        process_netbios_dgm(seap, frame, payload, payload_len);
        break;
    case 1900:
        /* SSDP is only parsed when addressed to the SSDP multicast group. */
        if (frame->dst_ipv4 == 0xeffffffa)
            process_ssdp(seap, frame, payload, payload_len);
        break;
    case 9283:
        process_callwave_iam(seap, frame, payload, payload_len);
        break;
    case 161:
        process_snmp(seap, frame, payload, payload_len);
        break;
    case 389:
        process_ldap(seap, frame, payload, payload_len);
        break;
    case 427: /* SRVLOC */
        process_srvloc(seap, frame, payload, payload_len);
        break;
    case 500:
        process_isakmp(seap, frame, payload, payload_len);
        break;
    /* Known-but-ignored ports: no parser, and no "unknown" report either. */
    case 0:
    case 5369:
    case 29301:
    case 123:
    case 5499:
    case 2233:  /* intel/shiva vpn */
    case 27900: /* GameSpy */
    case 192:   /* ??? */
    case 14906: /* ??? */
    case 2222:
        break;
    default:
        /* One fixed host is exempt from the unknown-port report (presumably
         * the author's own machine; the address is hard-coded). */
        if (frame->dst_ipv4 != 0xc0a8a89b && frame->src_ipv4 != 0xc0a8a89b)
            FRAMERR(frame, "udp: unknown, [%d.%d.%d.%d]->[%d.%d.%d.%d] src=%d, dst=%d\n",
                    (frame->src_ipv4>>24)&0xFF,(frame->src_ipv4>>16)&0xFF,(frame->src_ipv4>>8)&0xFF,(frame->src_ipv4>>0)&0xFF,
                    (frame->dst_ipv4>>24)&0xFF,(frame->dst_ipv4>>16)&0xFF,(frame->dst_ipv4>>8)&0xFF,(frame->dst_ipv4>>0)&0xFF,
                    frame->src_port, frame->dst_port);
        break;
    }
}

/*
 * Decode a UDP header and hand the payload to the protocol handler selected
 * by the source port first, then (for unrecognised source ports) the
 * destination port.
 *
 * seap    analysis context passed through to the protocol handlers
 * frame   per-packet state; src_port/dst_port are filled in here, and
 *         src_ipv4/dst_ipv4 are consulted for address-specific dispatch
 * px      start of the UDP header
 * length  bytes available from px
 *
 * Frames shorter than the 8-byte header, or whose header length field is
 * below 8, are reported via FRAMERR and dropped.  The UDP checksum is read
 * but not verified.
 */
void process_udp(struct Seaper *seap, struct NetFrame *frame, const unsigned char *px, unsigned length)
{
    enum { UDP_HDR_LEN = 8 };

    if (length == 0) {
        FRAMERR(frame, "udp: frame empty\n");
        return;
    }
    if (length < UDP_HDR_LEN) {
        FRAMERR(frame, "udp: frame too short\n");
        return;
    }

    unsigned src_port   = ex16be(px + 0);
    unsigned dst_port   = ex16be(px + 2);
    unsigned hdr_length = ex16be(px + 4);
    unsigned checksum   = ex16be(px + 6);
    (void)checksum;   /* not verified */

    frame->src_port = src_port;
    frame->dst_port = dst_port;

    if (hdr_length < UDP_HDR_LEN) {
        FRAMERR_TRUNCATED(frame, "udp");
        return;
    }
    /* Trust the smaller of the captured and the declared length. */
    if (length > hdr_length)
        length = hdr_length;

    const unsigned char *payload = px + UDP_HDR_LEN;
    unsigned payload_len = length - UDP_HDR_LEN;

    /* 224.0.1.35 is the SLP multicast group: only SLP is expected there. */
    if (frame->dst_ipv4 == 0xe0000123) {
        if (dst_port == 427)
            SAMPLE("SLP", "packet", REC_SZ, "test",-1);
        else
            FRAMERR(frame, "unknown port %d\n", dst_port);
        return;
    }

    SAMPLE("UDP", "src", REC_UNSIGNED, &src_port, sizeof(src_port));
    SAMPLE("UDP", "dst", REC_UNSIGNED, &dst_port, sizeof(dst_port));

    switch (src_port) {
    case 68:
    case 67:
        process_dhcp(seap, frame, payload, payload_len);
        break;
    case 53:
        process_dns(seap, frame, payload, payload_len);
        break;
    case 137:
        process_dns(seap, frame, payload, payload_len);
        break;
    case 138:
        process_netbios_dgm(seap, frame, payload, payload_len);
        break;
    case 389:
        process_ldap(seap, frame, payload, payload_len);
        break;
    case 631:
        if (dst_port == 631) {
            process_cups(seap, frame, payload, payload_len);
        }
        break;
    case 1900:
        /* A UPnP response starts with an HTTP status line. */
        if (payload_len > 9 && memicmp(payload, "HTTP/1.1 ", 9) == 0) {
            process_upnp_response(seap, frame, payload, payload_len);
        }
        break;
    case 14906: /* ??? */
    case 4500:
        break;
    default:
        udp_dispatch_by_dst_port(seap, frame, payload, payload_len, dst_port);
        break;
    }
}