static inline DetectThresholdEntry *DetectThresholdEntryAlloc(DetectThresholdData *td, Packet *p, Signature *s) {
SCEnter();
DetectThresholdEntry *ste = SCMalloc(sizeof(DetectThresholdEntry));
if (ste == NULL) {
SCReturnPtr(NULL, "DetectThresholdEntry");
}
if (PKT_IS_IPV4(p))
ste->ipv = 4;
else if (PKT_IS_IPV6(p))
ste->ipv = 6;
ste->sid = s->id;
ste->gid = s->gid;
if (td->track == TRACK_DST) {
COPY_ADDRESS(&p->dst, &ste->addr);
} else if (td->track == TRACK_SRC) {
COPY_ADDRESS(&p->src, &ste->addr);
}
ste->track = td->track;
ste->seconds = td->seconds;
ste->tv_timeout = 0;
SCReturnPtr(ste, "DetectThresholdEntry");
}
static void wslua_udp_to_table(lua_State* L, const void* p) { e_udphdr* v = (void*)p; lua_newtable(L);
lua_pushstring(L,"ip_dst"); { Address a = g_malloc(sizeof(address)); COPY_ADDRESS(a, &(v->ip_dst)); pushAddress(L,a); } lua_settable(L,-3);
lua_pushstring(L,"ip_src"); { Address a = g_malloc(sizeof(address)); COPY_ADDRESS(a, &(v->ip_src)); pushAddress(L,a); } lua_settable(L,-3);
lua_pushstring(L,"uh_dport"); lua_pushnumber(L,(lua_Number)v->uh_dport); lua_settable(L,-3);
lua_pushstring(L,"uh_sport"); lua_pushnumber(L,(lua_Number)v->uh_sport); lua_settable(L,-3);
lua_pushstring(L,"uh_sum"); lua_pushnumber(L,(lua_Number)v->uh_sum); lua_settable(L,-3);
lua_pushstring(L,"uh_sum_cov"); lua_pushnumber(L,(lua_Number)v->uh_sum_cov); lua_settable(L,-3);
lua_pushstring(L,"uh_ulen"); lua_pushnumber(L,(lua_Number)v->uh_ulen); lua_settable(L,-3);
}
static void wslua_ip_to_table(lua_State* L, const void* p) { ws_ip* v = (void*)p; lua_newtable(L);
lua_pushstring(L,"ip_dst"); { Address a = g_malloc(sizeof(address)); COPY_ADDRESS(a, &(v->ip_dst)); pushAddress(L,a); } lua_settable(L,-3);
lua_pushstring(L,"ip_id"); lua_pushnumber(L,(lua_Number)v->ip_id); lua_settable(L,-3);
lua_pushstring(L,"ip_len"); lua_pushnumber(L,(lua_Number)v->ip_len); lua_settable(L,-3);
lua_pushstring(L,"ip_off"); lua_pushnumber(L,(lua_Number)v->ip_off); lua_settable(L,-3);
lua_pushstring(L,"ip_p"); lua_pushnumber(L,(lua_Number)v->ip_p); lua_settable(L,-3);
lua_pushstring(L,"ip_src"); { Address a = g_malloc(sizeof(address)); COPY_ADDRESS(a, &(v->ip_src)); pushAddress(L,a); } lua_settable(L,-3);
lua_pushstring(L,"ip_sum"); lua_pushnumber(L,(lua_Number)v->ip_sum); lua_settable(L,-3);
lua_pushstring(L,"ip_tos"); lua_pushnumber(L,(lua_Number)v->ip_tos); lua_settable(L,-3);
lua_pushstring(L,"ip_ttl"); lua_pushnumber(L,(lua_Number)v->ip_ttl); lua_settable(L,-3);
lua_pushstring(L,"ip_v_hl"); lua_pushnumber(L,(lua_Number)v->ip_v_hl); lua_settable(L,-3);
}
void
iousers_process_address_packet(io_users_t *iu, const address *src, const address *dst, guint64 pkt_len,
nstime_t *ts)
{
const address *addr1, *addr2;
io_users_item_t *iui;
if(CMP_ADDRESS(src, dst)>0){
addr1=src;
addr2=dst;
} else {
addr2=src;
addr1=dst;
}
for(iui=iu->items;iui;iui=iui->next){
if((!CMP_ADDRESS(&iui->addr1, addr1))
&&(!CMP_ADDRESS(&iui->addr2, addr2)) ){
break;
}
}
if(!iui){
iui=g_malloc(sizeof(io_users_item_t));
iui->next=iu->items;
iu->items=iui;
COPY_ADDRESS(&iui->addr1, addr1);
iui->name1=g_strdup(ep_address_to_str(addr1));
COPY_ADDRESS(&iui->addr2, addr2);
iui->name2=g_strdup(ep_address_to_str(addr2));
iui->frames1=0;
iui->frames2=0;
iui->bytes1=0;
iui->bytes2=0;
memcpy(&iui->start_rel_time, ts, sizeof(iui->start_rel_time));
memcpy(&iui->stop_rel_time, ts, sizeof(iui->stop_rel_time));
}
else {
if (nstime_cmp(ts, &iui->stop_rel_time) > 0) {
memcpy(&iui->stop_rel_time, ts, sizeof(iui->stop_rel_time));
} else if (nstime_cmp(ts, &iui->start_rel_time) < 0) {
memcpy(&iui->start_rel_time, ts, sizeof(iui->start_rel_time));
}
}
if(!CMP_ADDRESS(dst, &iui->addr1)){
iui->frames1++;
iui->bytes1+=pkt_len;
} else {
iui->frames2++;
iui->bytes2+=pkt_len;
}
}
/* clone a binding (uses g_malloc) */
static decode_dcerpc_bind_values_t *
decode_dcerpc_binding_clone(decode_dcerpc_bind_values_t *binding_in)
{
decode_dcerpc_bind_values_t *stored_binding;
stored_binding = g_malloc(sizeof(decode_dcerpc_bind_values_t));
*stored_binding = *binding_in;
COPY_ADDRESS(&stored_binding->addr_a, &binding_in->addr_a);
COPY_ADDRESS(&stored_binding->addr_b, &binding_in->addr_b);
stored_binding->ifname = g_string_new(binding_in->ifname->str);
return stored_binding;
}
static void wslua_tcp_to_table(lua_State* L, const void* p) { tcp_info_t* v = (void*)p; lua_newtable(L);
lua_pushstring(L,"ip_dst"); { Address a = g_malloc(sizeof(address)); COPY_ADDRESS(a, &(v->ip_dst)); pushAddress(L,a); } lua_settable(L,-3);
lua_pushstring(L,"ip_src"); { Address a = g_malloc(sizeof(address)); COPY_ADDRESS(a, &(v->ip_src)); pushAddress(L,a); } lua_settable(L,-3);
lua_pushstring(L,"th_ack"); lua_pushnumber(L,(lua_Number)v->th_ack); lua_settable(L,-3);
lua_pushstring(L,"th_dport"); lua_pushnumber(L,(lua_Number)v->th_dport); lua_settable(L,-3);
lua_pushstring(L,"th_flags"); lua_pushnumber(L,(lua_Number)v->th_flags); lua_settable(L,-3);
lua_pushstring(L,"th_have_seglen"); lua_pushboolean(L,(int)v->th_have_seglen); lua_settable(L,-3);
lua_pushstring(L,"th_hlen"); lua_pushnumber(L,(lua_Number)v->th_hlen); lua_settable(L,-3);
lua_pushstring(L,"th_seglen"); lua_pushnumber(L,(lua_Number)v->th_seglen); lua_settable(L,-3);
lua_pushstring(L,"th_seq"); lua_pushnumber(L,(lua_Number)v->th_seq); lua_settable(L,-3);
lua_pushstring(L,"th_sport"); lua_pushnumber(L,(lua_Number)v->th_sport); lua_settable(L,-3);
lua_pushstring(L,"th_stream"); lua_pushnumber(L,(lua_Number)v->th_stream); lua_settable(L,-3);
lua_pushstring(L,"th_win"); lua_pushnumber(L,(lua_Number)v->th_win); lua_settable(L,-3);
}
/* WSLUA_ATTRIBUTE Pinfo_lo RO lower Address of this Packet. */
static int Pinfo_get_lo(lua_State *L) {
Pinfo pinfo = checkPinfo(L,1);
Address addr;
addr = (Address)g_malloc(sizeof(address));
if (CMP_ADDRESS(&(pinfo->ws_pinfo->src), &(pinfo->ws_pinfo->dst) ) < 0) {
COPY_ADDRESS(addr, &(pinfo->ws_pinfo->src));
} else {
COPY_ADDRESS(addr, &(pinfo->ws_pinfo->dst));
}
pushAddress(L,addr);
return 1;
}
static IPPair *IPPairNew(Address *a, Address *b)
{
IPPair *p = IPPairAlloc();
if (p == NULL)
goto error;
/* copy addresses */
COPY_ADDRESS(a, &p->a[0]);
COPY_ADDRESS(b, &p->a[1]);
return p;
error:
return NULL;
}
static void dissect_wimax_fch_decoder(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
gint offset = 0;
proto_item *fch_item = NULL;
proto_tree *fch_tree = NULL;
/* save the base station address (once) */
if(!bs_address.len)
COPY_ADDRESS(&bs_address, &(pinfo->src));
/* update the info column */
col_append_sep_str(pinfo->cinfo, COL_INFO, NULL, "FCH");
if (tree)
{ /* we are being asked for details */
/* display FCH dissector info */
fch_item = proto_tree_add_protocol_format(tree, proto_wimax_fch_decoder, tvb, offset, 3, "DL Frame Prefix (24 bits)");
/* add FCH subtree */
fch_tree = proto_item_add_subtree(fch_item, ett_wimax_fch_decoder);
/* Decode and display the used sub-channel groups */
proto_tree_add_item(fch_tree, hf_fch_used_subchannel_group0, tvb, offset, FCH_BURST_LENGTH, ENC_BIG_ENDIAN);
proto_tree_add_item(fch_tree, hf_fch_used_subchannel_group1, tvb, offset, FCH_BURST_LENGTH, ENC_BIG_ENDIAN);
proto_tree_add_item(fch_tree, hf_fch_used_subchannel_group2, tvb, offset, FCH_BURST_LENGTH, ENC_BIG_ENDIAN);
proto_tree_add_item(fch_tree, hf_fch_used_subchannel_group3, tvb, offset, FCH_BURST_LENGTH, ENC_BIG_ENDIAN);
proto_tree_add_item(fch_tree, hf_fch_used_subchannel_group4, tvb, offset, FCH_BURST_LENGTH, ENC_BIG_ENDIAN);
proto_tree_add_item(fch_tree, hf_fch_used_subchannel_group5, tvb, offset, FCH_BURST_LENGTH, ENC_BIG_ENDIAN);
proto_tree_add_item(fch_tree, hf_fch_reserved_1, tvb, offset, FCH_BURST_LENGTH, ENC_BIG_ENDIAN);
/* Decode and display the repetition coding indication */
proto_tree_add_item(fch_tree, hf_fch_repetition_coding_indication, tvb, offset, FCH_BURST_LENGTH, ENC_BIG_ENDIAN);
/* Decode and display the coding indication */
proto_tree_add_item(fch_tree, hf_fch_coding_indication, tvb, offset, FCH_BURST_LENGTH, ENC_BIG_ENDIAN);
/* Decode and display the DL MAP length */
proto_tree_add_item(fch_tree, hf_fch_dlmap_length, tvb, offset, FCH_BURST_LENGTH, ENC_BIG_ENDIAN);
proto_tree_add_item(fch_tree, hf_fch_reserved_2, tvb, offset, FCH_BURST_LENGTH, ENC_BIG_ENDIAN);
}
}
static sctp_ep_t* alloc_sctp_ep(struct _sctp_info *si)
{
sctp_ep_t* ep;
guint16 chunk_type;
if(!si)
return NULL;
if (!(ep = g_malloc(sizeof(sctp_ep_t))))
return NULL;
COPY_ADDRESS(&ep->src,&si->ip_src);
COPY_ADDRESS(&ep->dst,&si->ip_dst);
ep->sport = si->sport;
ep->dport = si->dport;
ep->next = NULL;
for(chunk_type = 0; chunk_type < 256; chunk_type++)
ep->chunk_count[chunk_type] = 0;
return ep;
}
Host *HostNew(Address *a) {
Host *h = HostAlloc();
if (h == NULL)
goto error;
/* copy address */
COPY_ADDRESS(a, &h->a);
return h;
error:
return NULL;
}
static void DefragTrackerInit(DefragTracker *dt, Packet *p)
{
/* copy address */
COPY_ADDRESS(&p->src, &dt->src_addr);
COPY_ADDRESS(&p->dst, &dt->dst_addr);
if (PKT_IS_IPV4(p)) {
dt->id = (int32_t)IPV4_GET_IPID(p);
dt->af = AF_INET;
} else {
dt->id = (int32_t)IPV6_EXTHDR_GET_FH_ID(p);
dt->af = AF_INET6;
}
dt->proto = IP_GET_IPPROTO(p);
dt->vlan_id[0] = p->vlan_id[0];
dt->vlan_id[1] = p->vlan_id[1];
dt->policy = DefragGetOsPolicy(p);
dt->host_timeout = DefragPolicyGetHostTimeout(p);
dt->remove = 0;
dt->seen_last = 0;
TAILQ_INIT(&dt->frags);
(void) DefragTrackerIncrUsecnt(dt);
}
void
add_hostlist_table_data(conv_hash_t *ch, const address *addr, guint32 port, gboolean sender, int num_frames, int num_bytes, hostlist_dissector_info_t *host_info, port_type port_type_val)
{
hostlist_talker_t *talker=NULL;
int talker_idx=0;
/* XXX should be optimized to allocate n extra entries at a time
instead of just one */
/* if we dont have any entries at all yet */
if(ch->conv_array==NULL){
ch->conv_array=g_array_sized_new(FALSE, FALSE, sizeof(hostlist_talker_t), 10000);
ch->hashtable = g_hash_table_new_full(host_hash,
host_match, /* key_equal_func */
g_free, /* key_destroy_func */
NULL); /* value_destroy_func */
}
else {
/* try to find it among the existing known conversations */
host_key_t existing_key;
existing_key.myaddress = *addr;
existing_key.port = port;
if (g_hash_table_lookup_extended(ch->hashtable, &existing_key, NULL, (gpointer *) &talker_idx)) {
talker = &g_array_index(ch->conv_array, hostlist_talker_t, talker_idx);
}
}
/* if we still dont know what talker this is it has to be a new one
and we have to allocate it and append it to the end of the list */
if(talker==NULL){
host_key_t *new_key;
hostlist_talker_t host;
COPY_ADDRESS(&host.myaddress, addr);
host.dissector_info = host_info;
host.ptype=port_type_val;
host.port=port;
host.rx_frames=0;
host.tx_frames=0;
host.rx_bytes=0;
host.tx_bytes=0;
host.modified = TRUE;
g_array_append_val(ch->conv_array, host);
talker_idx= ch->conv_array->len - 1;
talker=&g_array_index(ch->conv_array, hostlist_talker_t, talker_idx);
/* hl->hosts address is not a constant but address.data is */
new_key = g_new(host_key_t,1);
SET_ADDRESS(&new_key->myaddress, talker->myaddress.type, talker->myaddress.len, talker->myaddress.data);
new_key->port = port;
g_hash_table_insert(ch->hashtable, new_key, GUINT_TO_POINTER(talker_idx));
}
/* if this is a new talker we need to initialize the struct */
talker->modified = TRUE;
/* update the talker struct */
if( sender ){
talker->tx_frames+=num_frames;
talker->tx_bytes+=num_bytes;
} else {
talker->rx_frames+=num_frames;
talker->rx_bytes+=num_bytes;
}
}
static void wslua_wlan_to_table(lua_State* L, const void* p) { const wlan_hdr_t* v _U_; v = (const wlan_hdr_t*)p; lua_newtable(L);
lua_pushstring(L,"bssid"); { Address a = (Address)g_malloc(sizeof(address)); COPY_ADDRESS(a, &(v->bssid)); pushAddress(L,a); } lua_settable(L,-3);
lua_pushstring(L,"dst"); { Address a = (Address)g_malloc(sizeof(address)); COPY_ADDRESS(a, &(v->dst)); pushAddress(L,a); } lua_settable(L,-3);
lua_pushstring(L,"src"); { Address a = (Address)g_malloc(sizeof(address)); COPY_ADDRESS(a, &(v->src)); pushAddress(L,a); } lua_settable(L,-3);
lua_pushstring(L,"type"); lua_pushnumber(L,(lua_Number)v->type); lua_settable(L,-3);
}
/* Broadcasts are searches, offers or promises.
*
* Searches are sent by
* a peer when it needs a file (ie. while applying its policy, when it needs
* files such as installers to install software.)
*
* Each broadcast relates to one file and each file is identified only by its
* checksum - no file names are ever used. A search times out after 10 seconds
* (configurable) and the peer will then attempt to act on any offers by
* downloading (via push or pull - see dissect_ldss_transfer) from those peers.
*
* If no offers are received, the search fails and the peer fetches the file
* from a remote server, generally a HTTP server on the other side of a WAN.
* The protocol exists to minimize the number of WAN downloads needed.
*
* While downloading from WAN the peer sends promises to inform other peers
* when it will be available for them to download. This prevents multiple peers
* simultaneously downloading the same file. Promises also inform other peers
* how much download bandwidth is being used by their download. Other peers use
* this information and the configured knowledge of the WAN bandwidth to avoid
* saturating the WAN link, as file downloads are a non-time-critical and
* non-business-critical network function. LDSS is intended for networks of
* 5-20 machines connected by slow WAN link. The current implementation of the
* protocol allows administrator to configure "time windows" when WAN usage is
* throttled/unthrottled, though this isn't visible in LDSS.
*
* Once a WAN download or a LAN transfer (see below above dissect_ldss_transfer)
* has complete the peer will offer the file to other peers on the LAN so they
* don't need to download it themselves.
*
* Peers also notify when they shut down in case any other peer is waiting for
* a file. */
static int
dissect_ldss_broadcast(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
guint16 messageID;
guint8 digest_type;
guint8 compression;
guint32 cookie;
guint8 *digest;
guint64 size;
guint64 offset;
guint32 targetTime;
guint16 port;
guint16 rate;
guint16 messageDetail = INFERRED_NONE;
proto_tree *ti, *ldss_tree;
const gchar *packet_type, *packet_detail;
messageID = tvb_get_ntohs (tvb, 0);
digest_type = tvb_get_guint8 (tvb, 2);
compression = tvb_get_guint8 (tvb, 3);
cookie = tvb_get_ntohl (tvb, 4);
digest = (guint8 *)tvb_memdup (tvb, 8, DIGEST_LEN);
size = tvb_get_ntoh64 (tvb, 40);
offset = tvb_get_ntoh64 (tvb, 48);
targetTime = tvb_get_ntohl (tvb, 56);
port = tvb_get_ntohs (tvb, 64);
rate = tvb_get_ntohs (tvb, 66);
packet_type = val_to_str_const(messageID, ldss_message_id_value, "unknown");
if (messageID == MESSAGE_ID_WILLSEND) {
if (cookie == 0) {
/* Shutdown: Dishonor promises from this peer. Current
* implementation abuses WillSend for this. */
messageDetail = INFERRED_PEERSHUTDOWN;
}
else if (size == 0 && offset == 0) {
/* NeedFile search failed - going to WAN */
messageDetail = INFERRED_WANDOWNLOAD;
}
else if (size > 0) {
/* Size is known (not always the case) */
if (size == offset) {
/* File is available for pull on this peer's TCP port */
messageDetail = INFERRED_OFFER;
}
else {
/* WAN download progress announcement from this peer */
messageDetail = INFERRED_PROMISE;
}
}
}
else if (messageID == MESSAGE_ID_NEEDFILE) {
messageDetail = INFERRED_SEARCH;
}
packet_detail = val_to_str_const(messageDetail, ldss_inferred_info, "unknown");
/* Set the info column */
col_add_fstr(pinfo->cinfo, COL_INFO, "LDSS Broadcast (%s%s)",
packet_type,
packet_detail);
/* If we have a non-null tree (ie we are building the proto_tree
* instead of just filling out the columns), then give more detail. */
if (tree) {
ti = proto_tree_add_item(tree, proto_ldss,
tvb, 0, (tvb_length(tvb) > 72) ? tvb_length(tvb) : 72, ENC_NA);
ldss_tree = proto_item_add_subtree(ti, ett_ldss_broadcast);
proto_tree_add_item(ldss_tree, hf_ldss_message_id,
tvb, 0, 2, ENC_BIG_ENDIAN);
ti = proto_tree_add_uint(ldss_tree, hf_ldss_message_detail,
tvb, 0, 0, messageDetail);
PROTO_ITEM_SET_GENERATED(ti);
proto_tree_add_item(ldss_tree, hf_ldss_digest_type,
tvb, 2, 1, ENC_BIG_ENDIAN);
proto_tree_add_item(ldss_tree, hf_ldss_compression,
tvb, 3, 1, ENC_BIG_ENDIAN);
proto_tree_add_uint_format_value(ldss_tree, hf_ldss_cookie,
tvb, 4, 4, FALSE,
"0x%x%s",
cookie,
(cookie == 0)
? " - shutdown (promises from this peer are no longer valid)"
: "");
proto_tree_add_item(ldss_tree, hf_ldss_digest,
tvb, 8, DIGEST_LEN, ENC_NA);
proto_tree_add_item(ldss_tree, hf_ldss_size,
tvb, 40, 8, ENC_BIG_ENDIAN);
proto_tree_add_item(ldss_tree, hf_ldss_offset,
tvb, 48, 8, ENC_BIG_ENDIAN);
proto_tree_add_uint_format_value(ldss_tree, hf_ldss_target_time,
tvb, 56, 4, FALSE,
"%d:%02d:%02d",
(int)(targetTime / 3600),
(int)((targetTime / 60) % 60),
(int)(targetTime % 60));
proto_tree_add_item(ldss_tree, hf_ldss_reserved_1,
tvb, 60, 4, ENC_BIG_ENDIAN);
proto_tree_add_uint_format_value(ldss_tree, hf_ldss_port,
tvb, 64, 2, FALSE,
"%d%s",
port,
(messageID == MESSAGE_ID_WILLSEND &&
size > 0 &&
size == offset)
? " - file can be pulled at this TCP port"
: (messageID == MESSAGE_ID_NEEDFILE
? " - file can be pushed to this TCP port"
: ""));
proto_tree_add_uint_format_value(ldss_tree, hf_ldss_rate,
tvb, 66, 2, FALSE,
"%ld",
(rate > 0)
? (long)floor(exp(rate * G_LN2 / 2048))
: 0);
proto_tree_add_item(ldss_tree, hf_ldss_priority,
tvb, 68, 2, ENC_BIG_ENDIAN);
proto_tree_add_item(ldss_tree, hf_ldss_property_count,
tvb, 70, 2, ENC_BIG_ENDIAN);
if (tvb_length(tvb) > 72) {
proto_tree_add_item(ldss_tree, hf_ldss_properties,
tvb, 72, tvb_length(tvb) - 72, ENC_NA);
}
}
/* Finally, store the broadcast and register ourselves to dissect
* any pushes or pulls that result from this broadcast. All data
* is pushed/pulled over TCP using the port from the broadcast
* packet's port field.
* Track each by a TCP conversation with the remote end wildcarded.
* The TCP conv tracks back to a broadcast conv to determine what it
* is in response to.
*
* These steps only need to be done once per packet, so a variable
* tracks the highest frame number seen. Handles the case of first frame
* being frame zero. */
if (messageDetail != INFERRED_PEERSHUTDOWN &&
(highest_num_seen == 0 ||
highest_num_seen < pinfo->fd->num)) {
ldss_broadcast_t *data;
/* Populate data from the broadcast */
data = se_new0(ldss_broadcast_t);
data->num = pinfo->fd->num;
data->ts = pinfo->fd->abs_ts;
data->message_id = messageID;
data->message_detail = messageDetail;
data->port = port;
data->size = size;
data->offset = offset;
data->compression = compression;
data->file = se_new0(ldss_file_t);
data->file->digest = digest;
data->file->digest_type = digest_type;
data->broadcaster = se_new0(ldss_broadcaster_t);
COPY_ADDRESS(&data->broadcaster->addr, &pinfo->src);
data->broadcaster->port = port;
/* Dissect any future pushes/pulls */
if (port > 0) {
prepare_ldss_transfer_conv(data);
}
/* Record that the frame was processed */
highest_num_seen = pinfo->fd->num;
}
return tvb_length(tvb);
}
void
add_conversation_table_data_with_conv_id(
conv_hash_t *ch,
const address *src,
const address *dst,
guint32 src_port,
guint32 dst_port,
conv_id_t conv_id,
int num_frames,
int num_bytes,
nstime_t *ts,
nstime_t *abs_ts,
ct_dissector_info_t *ct_info,
port_type ptype)
{
const address *addr1, *addr2;
guint32 port1, port2;
conv_item_t *conv_item = NULL;
unsigned int conversation_idx = 0;
if (src_port > dst_port) {
addr1 = src;
addr2 = dst;
port1 = src_port;
port2 = dst_port;
} else if (src_port < dst_port) {
addr2 = src;
addr1 = dst;
port2 = src_port;
port1 = dst_port;
} else if (CMP_ADDRESS(src, dst) < 0) {
addr1 = src;
addr2 = dst;
port1 = src_port;
port2 = dst_port;
} else {
addr2 = src;
addr1 = dst;
port2 = src_port;
port1 = dst_port;
}
/* if we dont have any entries at all yet */
if (ch->conv_array == NULL) {
ch->conv_array = g_array_sized_new(FALSE, FALSE, sizeof(conv_item_t), 10000);
ch->hashtable = g_hash_table_new_full(conversation_hash,
conversation_equal, /* key_equal_func */
g_free, /* key_destroy_func */
NULL); /* value_destroy_func */
} else {
/* try to find it among the existing known conversations */
conv_key_t existing_key;
existing_key.addr1 = *addr1;
existing_key.addr2 = *addr2;
existing_key.port1 = port1;
existing_key.port2 = port2;
existing_key.conv_id = conv_id;
if (g_hash_table_lookup_extended(ch->hashtable, &existing_key, NULL, (gpointer *) &conversation_idx)) {
conv_item = &g_array_index(ch->conv_array, conv_item_t, conversation_idx);
}
}
/* if we still dont know what conversation this is it has to be a new one
and we have to allocate it and append it to the end of the list */
if (conv_item == NULL) {
conv_key_t *new_key;
conv_item_t new_conv_item;
COPY_ADDRESS(&new_conv_item.src_address, addr1);
COPY_ADDRESS(&new_conv_item.dst_address, addr2);
new_conv_item.dissector_info = ct_info;
new_conv_item.ptype = ptype;
new_conv_item.src_port = port1;
new_conv_item.dst_port = port2;
new_conv_item.conv_id = conv_id;
new_conv_item.rx_frames = 0;
new_conv_item.tx_frames = 0;
new_conv_item.rx_bytes = 0;
new_conv_item.tx_bytes = 0;
new_conv_item.modified = TRUE;
if (ts) {
memcpy(&new_conv_item.start_time, ts, sizeof(new_conv_item.start_time));
memcpy(&new_conv_item.stop_time, ts, sizeof(new_conv_item.stop_time));
memcpy(&new_conv_item.start_abs_time, abs_ts, sizeof(new_conv_item.start_abs_time));
} else {
nstime_set_unset(&new_conv_item.start_abs_time);
nstime_set_unset(&new_conv_item.start_time);
nstime_set_unset(&new_conv_item.stop_time);
}
g_array_append_val(ch->conv_array, new_conv_item);
conversation_idx = ch->conv_array->len - 1;
conv_item = &g_array_index(ch->conv_array, conv_item_t, conversation_idx);
/* ct->conversations address is not a constant but src/dst_address.data are */
new_key = g_new(conv_key_t, 1);
SET_ADDRESS(&new_key->addr1, conv_item->src_address.type, conv_item->src_address.len, conv_item->src_address.data);
SET_ADDRESS(&new_key->addr2, conv_item->dst_address.type, conv_item->dst_address.len, conv_item->dst_address.data);
new_key->port1 = port1;
new_key->port2 = port2;
new_key->conv_id = conv_id;
g_hash_table_insert(ch->hashtable, new_key, GUINT_TO_POINTER(conversation_idx));
}
/* update the conversation struct */
conv_item->modified = TRUE;
if ( (!CMP_ADDRESS(src, addr1)) && (!CMP_ADDRESS(dst, addr2)) && (src_port==port1) && (dst_port==port2) ) {
conv_item->tx_frames += num_frames;
conv_item->tx_bytes += num_bytes;
} else {
conv_item->rx_frames += num_frames;
conv_item->rx_bytes += num_bytes;
}
if (ts) {
if (nstime_cmp(ts, &conv_item->stop_time) > 0) {
memcpy(&conv_item->stop_time, ts, sizeof(conv_item->stop_time));
} else if (nstime_cmp(ts, &conv_item->start_time) < 0) {
memcpy(&conv_item->start_time, ts, sizeof(conv_item->start_time));
memcpy(&conv_item->start_abs_time, abs_ts, sizeof(conv_item->start_abs_time));
}
}
}
static gboolean lbm_uimflow_add_to_graph(seq_analysis_info_t * seq_info, packet_info * pinfo, const lbm_uim_stream_info_t * stream_info)
{
lbm_uim_stream_endpoint_t epa;
lbm_uim_stream_endpoint_t epb;
seq_analysis_item_t * item;
gchar * ctxinst1 = NULL;
gchar * ctxinst2 = NULL;
gboolean swap_endpoints = FALSE;
int rc;
if (stream_info->endpoint_a.type != stream_info->endpoint_b.type)
{
return (FALSE);
}
if (stream_info->endpoint_a.type == lbm_uim_instance_stream)
{
rc = memcmp((void *)stream_info->endpoint_a.stream_info.ctxinst.ctxinst,
(void *)stream_info->endpoint_b.stream_info.ctxinst.ctxinst,
LBM_CONTEXT_INSTANCE_BLOCK_SZ);
if (rc <= 0)
{
swap_endpoints = FALSE;
}
else
{
swap_endpoints = TRUE;
}
}
else
{
if (stream_info->endpoint_a.stream_info.dest.domain < stream_info->endpoint_b.stream_info.dest.domain)
{
swap_endpoints = FALSE;
}
else if (stream_info->endpoint_a.stream_info.dest.domain > stream_info->endpoint_b.stream_info.dest.domain)
{
swap_endpoints = TRUE;
}
else
{
int compare;
compare = CMP_ADDRESS(&(stream_info->endpoint_a.stream_info.dest.addr), &(stream_info->endpoint_b.stream_info.dest.addr));
if (compare < 0)
{
swap_endpoints = FALSE;
}
else if (compare > 0)
{
swap_endpoints = TRUE;
}
else
{
if (stream_info->endpoint_a.stream_info.dest.port <= stream_info->endpoint_b.stream_info.dest.port)
{
swap_endpoints = FALSE;
}
else
{
swap_endpoints = TRUE;
}
}
}
}
if (swap_endpoints == FALSE)
{
epa = stream_info->endpoint_a;
epb = stream_info->endpoint_b;
}
else
{
epb = stream_info->endpoint_a;
epa = stream_info->endpoint_b;
}
item = (seq_analysis_item_t *)g_malloc(sizeof(seq_analysis_item_t));
COPY_ADDRESS(&(item->src_addr), &(pinfo->src));
COPY_ADDRESS(&(item->dst_addr), &(pinfo->dst));
item->fd = pinfo->fd;
item->port_src = pinfo->srcport;
item->port_dst = pinfo->destport;
if (stream_info->description == NULL)
{
item->frame_label = g_strdup_printf("(%" G_GUINT32_FORMAT ")", stream_info->sqn);
}
else
{
item->frame_label = g_strdup_printf("%s (%" G_GUINT32_FORMAT ")", stream_info->description, stream_info->sqn);
}
if (epa.type == lbm_uim_instance_stream)
{
ctxinst1 = bytes_to_str(pinfo->pool, epa.stream_info.ctxinst.ctxinst, sizeof(epa.stream_info.ctxinst.ctxinst));
ctxinst2 = bytes_to_str(pinfo->pool, epb.stream_info.ctxinst.ctxinst, sizeof(epb.stream_info.ctxinst.ctxinst));
item->comment = g_strdup_printf("%s <-> %s [%" G_GUINT64_FORMAT "]",
ctxinst1,
ctxinst2,
stream_info->channel);
}
else
{
item->comment = g_strdup_printf("%" G_GUINT32_FORMAT ":%s:%" G_GUINT16_FORMAT " <-> %" G_GUINT32_FORMAT ":%s:%" G_GUINT16_FORMAT " [%" G_GUINT64_FORMAT "]",
epa.stream_info.dest.domain,
address_to_str(pinfo->pool, &(epa.stream_info.dest.addr)),
epa.stream_info.dest.port,
epb.stream_info.dest.domain,
address_to_str(pinfo->pool, &(epb.stream_info.dest.addr)),
epb.stream_info.dest.port,
stream_info->channel);
}
item->conv_num = (guint16)LBM_CHANNEL_ID(stream_info->channel);
item->display = TRUE;
item->line_style = 1;
g_queue_push_tail(seq_info->items, item);
return (TRUE);
}
static int DetectThresholdTestSig3(void) {
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
struct timeval ts;
DetectThresholdData *td = NULL;
DetectThresholdEntry *lookup_tsh = NULL;
DetectThresholdEntry *ste = NULL;
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
td = SigGetThresholdType(s,p);
/* setup the Entry we use to search our hash with */
ste = SCMalloc(sizeof(DetectThresholdEntry));
if (ste == NULL)
goto end;
memset(ste, 0x00, sizeof(ste));
if (PKT_IS_IPV4(p))
ste->ipv = 4;
else if (PKT_IS_IPV6(p))
ste->ipv = 6;
ste->sid = s->id;
ste->gid = s->gid;
if (td->track == TRACK_DST) {
COPY_ADDRESS(&p->dst, &ste->addr);
} else if (td->track == TRACK_SRC) {
COPY_ADDRESS(&p->src, &ste->addr);
}
ste->track = td->track;
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
lookup_tsh = (DetectThresholdEntry *)HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_dst, ste, sizeof(DetectThresholdEntry));
if (lookup_tsh == NULL) {
printf("lookup_tsh is NULL: ");
goto cleanup;
}
TimeSetIncrementTime(200);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (lookup_tsh)
alerts = lookup_tsh->current_count;
if (alerts == 3)
result = 1;
else {
printf("alerts %u != 3: ", alerts);
goto cleanup;
}
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
return result;
}
void HostInit(Host *h, Address *a) {
COPY_ADDRESS(a, &h->a);
(void) HostIncrUsecnt(h);
}
/**
* \brief Make the threshold logic for signatures
*
* \param de_ctx Dectection Context
* \param tsh_ptr Threshold element
* \param p Packet structure
* \param s Signature structure
*
* \retval 1 alert on this event
* \retval 0 do not alert on this event
*/
int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
DetectThresholdData *td, Packet *p, Signature *s)
{
SCEnter();
int ret = 0;
DetectThresholdEntry *lookup_tsh = NULL;
DetectThresholdEntry ste;
if (td == NULL) {
SCReturnInt(0);
}
/* setup the Entry we use to search our hash with */
if (PKT_IS_IPV4(p))
ste.ipv = 4;
else if (PKT_IS_IPV6(p))
ste.ipv = 6;
else {
SCReturnInt(0);
}
ste.sid = s->id;
ste.gid = s->gid;
if (td->track == TRACK_DST) {
COPY_ADDRESS(&p->dst, &ste.addr);
} else if (td->track == TRACK_SRC) {
COPY_ADDRESS(&p->src, &ste.addr);
}
ste.track = td->track;
ste.seconds = td->seconds;
SCMutexLock(&de_ctx->ths_ctx.threshold_table_lock);
switch(td->type) {
case TYPE_LIMIT:
{
SCLogDebug("limit");
lookup_tsh = ThresholdHashSearch(de_ctx, &ste, p);
SCLogDebug("lookup_tsh %p", lookup_tsh);
if (lookup_tsh != NULL) {
if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
if (lookup_tsh->current_count < td->count) {
ret = 1;
}
lookup_tsh->current_count++;
} else {
lookup_tsh->tv_sec1 = p->ts.tv_sec;
lookup_tsh->current_count = 1;
ret = 1;
}
} else {
DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, s);
if (e == NULL) {
break;
}
e->tv_sec1 = p->ts.tv_sec;
e->current_count = 1;
e->ipv = ste.ipv;
ret = 1;
ThresholdHashAdd(de_ctx, e, p);
}
break;
}
case TYPE_THRESHOLD:
{
SCLogDebug("threshold");
lookup_tsh = ThresholdHashSearch(de_ctx, &ste, p);
if (lookup_tsh != NULL) {
if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
lookup_tsh->current_count++;
if (lookup_tsh->current_count >= td->count) {
ret = 1;
lookup_tsh->current_count = 0;
}
} else {
lookup_tsh->tv_sec1 = p->ts.tv_sec;
lookup_tsh->current_count = 1;
}
} else {
if (td->count == 1) {
ret = 1;
} else {
DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, s);
if (e == NULL) {
break;
}
e->current_count = 1;
e->tv_sec1 = p->ts.tv_sec;
e->ipv = ste.ipv;
ThresholdHashAdd(de_ctx, e, p);
}
}
break;
}
case TYPE_BOTH:
{
SCLogDebug("both");
lookup_tsh = ThresholdHashSearch(de_ctx, &ste, p);
if (lookup_tsh != NULL) {
if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
lookup_tsh->current_count++;
if (lookup_tsh->current_count == td->count) {
ret = 1;
}
} else {
lookup_tsh->tv_sec1 = p->ts.tv_sec;
lookup_tsh->current_count = 1;
}
} else {
DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, s);
if (e == NULL) {
break;
}
e->current_count = 1;
e->tv_sec1 = p->ts.tv_sec;
e->ipv = ste.ipv;
ThresholdHashAdd(de_ctx, e, p);
/* for the first match we return 1 to
* indicate we should alert */
if (td->count == 1) {
ret = 1;
}
}
break;
}
/* detection_filter */
case TYPE_DETECTION:
{
SCLogDebug("detection_filter");
lookup_tsh = ThresholdHashSearch(de_ctx, &ste, p);
if (lookup_tsh != NULL) {
if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
lookup_tsh->current_count++;
if (lookup_tsh->current_count >= td->count) {
ret = 1;
}
} else {
lookup_tsh->tv_sec1 = p->ts.tv_sec;
lookup_tsh->current_count = 1;
}
} else {
if (td->count == 1) {
ret = 1;
}
DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, s);
if (e == NULL) {
break;
}
e->current_count = 1;
e->tv_sec1 = p->ts.tv_sec;
e->ipv = ste.ipv;
ThresholdHashAdd(de_ctx, e, p);
}
break;
}
/* rate_filter */
case TYPE_RATE:
{
SCLogDebug("rate_filter");
/* tracking by src/dst or by rule? */
if (td->track != TRACK_RULE)
lookup_tsh = ThresholdHashSearch(de_ctx, &ste, p);
else
lookup_tsh = (DetectThresholdEntry *)de_ctx->ths_ctx.th_entry[s->num];
if (lookup_tsh != NULL) {
/* Check if we have a timeout enabled, if so,
* we still matching (and enabling the new_action) */
if ( (p->ts.tv_sec - lookup_tsh->tv_timeout) > td->timeout) {
/* Ok, we are done, timeout reached */
td->timeout = 0;
} else {
/* Already matching */
/* Take the action to perform */
switch (td->new_action) {
case TH_ACTION_ALERT:
ALERT_PACKET(p);
break;
case TH_ACTION_DROP:
DROP_PACKET(p);
break;
case TH_ACTION_REJECT:
REJECT_PACKET(p);
break;
case TH_ACTION_PASS:
PASS_PACKET(p);
break;
default:
/* Weird, leave the default action */
break;
}
ret = 1;
}
/* Update the matching state with the timeout interval */
if ( (p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
lookup_tsh->current_count++;
if (lookup_tsh->current_count >= td->count) {
/* Then we must enable the new action by setting a
* timeout */
lookup_tsh->tv_timeout = p->ts.tv_sec;
/* Take the action to perform */
switch (td->new_action) {
case TH_ACTION_ALERT:
ALERT_PACKET(p);
break;
case TH_ACTION_DROP:
DROP_PACKET(p);
break;
case TH_ACTION_REJECT:
REJECT_PACKET(p);
break;
case TH_ACTION_PASS:
PASS_PACKET(p);
break;
default:
/* Weird, leave the default action */
break;
}
ret = 1;
}
} else {
lookup_tsh->tv_sec1 = p->ts.tv_sec;
lookup_tsh->current_count = 1;
}
} else {
if (td->count == 1) {
ret = 1;
}
DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, s);
if (e == NULL) {
break;
}
e->current_count = 1;
e->tv_sec1 = p->ts.tv_sec;
e->tv_timeout = 0;
e->ipv = ste.ipv;
/** The track is by src/dst or by rule? */
if (td->track != TRACK_RULE)
ThresholdHashAdd(de_ctx, e, p);
else
de_ctx->ths_ctx.th_entry[s->num] = e;
}
break;
}
}
/* handle timing out entries */
ThresholdTimeoutRemove(de_ctx, &p->ts);
SCMutexUnlock(&de_ctx->ths_ctx.threshold_table_lock);
SCReturnInt(ret);
}
Iax2AnalysisDialog::Iax2AnalysisDialog(QWidget &parent, CaptureFile &cf) :
WiresharkDialog(parent, cf),
ui(new Ui::Iax2AnalysisDialog),
port_src_fwd_(0),
port_dst_fwd_(0),
port_src_rev_(0),
port_dst_rev_(0)
{
ui->setupUi(this);
setWindowSubtitle(tr("IAX2 Stream Analysis"));
// XXX Use recent settings instead
resize(parent.width() * 4 / 5, parent.height() * 4 / 5);
ui->progressFrame->hide();
stream_ctx_menu_.addAction(ui->actionGoToPacket);
stream_ctx_menu_.addAction(ui->actionNextProblem);
stream_ctx_menu_.addSeparator();
stream_ctx_menu_.addAction(ui->actionSaveAudio);
stream_ctx_menu_.addAction(ui->actionSaveForwardAudio);
stream_ctx_menu_.addAction(ui->actionSaveReverseAudio);
stream_ctx_menu_.addSeparator();
stream_ctx_menu_.addAction(ui->actionSaveCsv);
stream_ctx_menu_.addAction(ui->actionSaveForwardCsv);
stream_ctx_menu_.addAction(ui->actionSaveReverseCsv);
stream_ctx_menu_.addSeparator();
stream_ctx_menu_.addAction(ui->actionSaveGraph);
ui->forwardTreeWidget->installEventFilter(this);
ui->forwardTreeWidget->setContextMenuPolicy(Qt::CustomContextMenu);
connect(ui->forwardTreeWidget, SIGNAL(customContextMenuRequested(QPoint)),
SLOT(showStreamMenu(QPoint)));
ui->reverseTreeWidget->installEventFilter(this);
ui->reverseTreeWidget->setContextMenuPolicy(Qt::CustomContextMenu);
connect(ui->reverseTreeWidget, SIGNAL(customContextMenuRequested(QPoint)),
SLOT(showStreamMenu(QPoint)));
connect(ui->streamGraph, SIGNAL(mousePress(QMouseEvent*)),
this, SLOT(graphClicked(QMouseEvent*)));
graph_ctx_menu_.addAction(ui->actionSaveGraph);
QStringList header_labels;
for (int i = 0; i < ui->forwardTreeWidget->columnCount(); i++) {
header_labels << ui->forwardTreeWidget->headerItem()->text(i);
}
ui->reverseTreeWidget->setHeaderLabels(header_labels);
memset(&src_fwd_, 0, sizeof(address));
memset(&dst_fwd_, 0, sizeof(address));
memset(&src_rev_, 0, sizeof(address));
memset(&dst_rev_, 0, sizeof(address));
QList<QCheckBox *> graph_cbs = QList<QCheckBox *>()
<< ui->fJitterCheckBox << ui->fDiffCheckBox
<< ui->rJitterCheckBox << ui->rDiffCheckBox;
for (int i = 0; i < num_graphs_; i++) {
QCPGraph *graph = ui->streamGraph->addGraph();
graph->setPen(QPen(ColorUtils::graph_colors_[i]));
graph->setName(graph_cbs[i]->text());
graphs_ << graph;
graph_cbs[i]->setChecked(true);
graph_cbs[i]->setIcon(StockIcon::colorIcon(ColorUtils::graph_colors_[i], QPalette::Text));
}
ui->streamGraph->xAxis->setLabel("Arrival Time");
ui->streamGraph->yAxis->setLabel("Value (ms)");
// We keep our temp files open for the lifetime of the dialog. The GTK+
// UI opens and closes at various points.
QString tempname = QString("%1/wireshark_iax2_f").arg(QDir::tempPath());
fwd_tempfile_ = new QTemporaryFile(tempname, this);
fwd_tempfile_->open();
tempname = QString("%1/wireshark_iax2_r").arg(QDir::tempPath());
rev_tempfile_ = new QTemporaryFile(tempname, this);
rev_tempfile_->open();
if (fwd_tempfile_->error() != QFile::NoError || rev_tempfile_->error() != QFile::NoError) {
err_str_ = tr("Unable to save RTP data.");
ui->actionSaveAudio->setEnabled(false);
ui->actionSaveForwardAudio->setEnabled(false);
ui->actionSaveReverseAudio->setEnabled(false);
}
QMenu *save_menu = new QMenu();
save_menu->addAction(ui->actionSaveAudio);
save_menu->addAction(ui->actionSaveForwardAudio);
save_menu->addAction(ui->actionSaveReverseAudio);
save_menu->addSeparator();
save_menu->addAction(ui->actionSaveCsv);
save_menu->addAction(ui->actionSaveForwardCsv);
save_menu->addAction(ui->actionSaveReverseCsv);
save_menu->addSeparator();
save_menu->addAction(ui->actionSaveGraph);
ui->buttonBox->button(QDialogButtonBox::Save)->setMenu(save_menu);
const gchar *filter_text = "iax2 && (ip || ipv6)";
dfilter_t *sfcode;
gchar *err_msg;
if (!dfilter_compile(filter_text, &sfcode, &err_msg)) {
QMessageBox::warning(this, tr("No IAX2 packets found"), QString("%1").arg(err_msg));
g_free(err_msg);
close();
}
if (!cap_file_.capFile() || !cap_file_.capFile()->current_frame) close();
frame_data *fdata = cap_file_.capFile()->current_frame;
if (!cf_read_record(cap_file_.capFile(), fdata)) close();
epan_dissect_t edt;
epan_dissect_init(&edt, cap_file_.capFile()->epan, TRUE, FALSE);
epan_dissect_prime_dfilter(&edt, sfcode);
epan_dissect_run(&edt, cap_file_.capFile()->cd_t, &cap_file_.capFile()->phdr,
frame_tvbuff_new_buffer(fdata, &cap_file_.capFile()->buf), fdata, NULL);
// This shouldn't happen (the menu item should be disabled) but check anyway
if (!dfilter_apply_edt(sfcode, &edt)) {
epan_dissect_cleanup(&edt);
dfilter_free(sfcode);
err_str_ = tr("Please select an IAX2 packet");
updateWidgets();
return;
}
dfilter_free(sfcode);
/* ok, it is a IAX2 frame, so let's get the ip and port values */
COPY_ADDRESS(&(src_fwd_), &(edt.pi.src));
COPY_ADDRESS(&(dst_fwd_), &(edt.pi.dst));
port_src_fwd_ = edt.pi.srcport;
port_dst_fwd_ = edt.pi.destport;
/* assume the inverse ip/port combination for the reverse direction */
COPY_ADDRESS(&(src_rev_), &(edt.pi.dst));
COPY_ADDRESS(&(dst_rev_), &(edt.pi.src));
port_src_rev_ = edt.pi.destport;
port_dst_rev_ = edt.pi.srcport;
#if 0
/* check if it is Voice or MiniPacket */
bool ok;
getIntFromProtoTree(edt.tree, "iax2", "iax2.call", &ok);
if (!ok) {
err_str_ = tr("Please select an IAX2 packet.");
updateWidgets();
return;
}
#endif
#ifdef IAX2_RTP_STREAM_CHECK
rtpstream_tapinfot tapinfo;
/* Register the tap listener */
memset(&tapinfo, 0, sizeof(rtpstream_tapinfot));
tapinfo.tap_data = this;
tapinfo.mode = TAP_ANALYSE;
// register_tap_listener_rtp_stream(&tapinfo, NULL);
/* Scan for RTP streams (redissect all packets) */
rtpstream_scan(&tapinfo, cap_file_.capFile(), NULL);
int num_streams = 0;
GList *filtered_list = NULL;
for (GList *strinfo_list = g_list_first(tapinfo.strinfo_list); strinfo_list; strinfo_list = g_list_next(strinfo_list)) {
rtp_stream_info_t * strinfo = (rtp_stream_info_t*)(strinfo_list->data);
<< address_to_qstring(&strinfo->dest_addr) << address_to_qstring(&src_rev_) << address_to_qstring(&dst_rev_);
if (ADDRESSES_EQUAL(&(strinfo->src_addr), &(src_fwd_))
&& (strinfo->src_port == port_src_fwd_)
&& (ADDRESSES_EQUAL(&(strinfo->dest_addr), &(dst_fwd_)))
&& (strinfo->dest_port == port_dst_fwd_))
{
++num_streams;
filtered_list = g_list_prepend(filtered_list, strinfo);
}
if (ADDRESSES_EQUAL(&(strinfo->src_addr), &(src_rev_))
&& (strinfo->src_port == port_src_rev_)
&& (ADDRESSES_EQUAL(&(strinfo->dest_addr), &(dst_rev_)))
&& (strinfo->dest_port == port_dst_rev_))
{
++num_streams;
filtered_list = g_list_append(filtered_list, strinfo);
}
}
static void wslua_eth_to_table(lua_State* L, const void* p) { eth_hdr* v = (void*)p; lua_newtable(L);
lua_pushstring(L,"dst"); { Address a = g_malloc(sizeof(address)); COPY_ADDRESS(a, &(v->dst)); pushAddress(L,a); } lua_settable(L,-3);
lua_pushstring(L,"src"); { Address a = g_malloc(sizeof(address)); COPY_ADDRESS(a, &(v->src)); pushAddress(L,a); } lua_settable(L,-3);
lua_pushstring(L,"type"); lua_pushnumber(L,(lua_Number)v->type); lua_settable(L,-3);
}
static void IPPairInit(IPPair *h, Address *a, Address *b)
{
COPY_ADDRESS(a, &h->a[0]);
COPY_ADDRESS(b, &h->a[1]);
(void) IPPairIncrUsecnt(h);
}
