Пример #1
0
/*--------------------------------------------------------------------
 * Function: LogTCPHeader(TextLog* )
 *
 * Purpose: Dump the TCP header info to the given TextLog
 *
 * Arguments: log => pointer to TextLog to print data to
 *
 * Returns: void function
 *--------------------------------------------------------------------
 */
void LogTCPHeader(TextLog*  log, Packet * p)
{
    char tcpFlags[9];

    if(p->tcph == NULL)
    {
        TextLog_Print(log, "TCP header truncated\n");
        return;
    }
    /* print TCP flags */
    CreateTCPFlagString(p, tcpFlags);
    TextLog_Puts(log, tcpFlags); /* We don't care about the NULL */

    /* print other TCP info */
    TextLog_Print(log, " Seq: 0x%lX  Ack: 0x%lX  Win: 0x%X  TcpLen: %d",
                  (u_long) ntohl(p->tcph->th_seq),
                  (u_long) ntohl(p->tcph->th_ack),
                  ntohs(p->tcph->th_win), TCP_OFFSET(p->tcph) << 2);

    if((p->tcph->th_flags & TH_URG) != 0)
    {
        TextLog_Print(log, "  UrgPtr: 0x%X\n", (uint16_t) ntohs(p->tcph->th_urp));
    }
    else
    {
        TextLog_NewLine(log);
    }

    /* dump the TCP options */
    if(p->tcp_option_count != 0)
    {
        LogTcpOptions(log, p);
    }
}
Пример #2
0
static void LogBuffer (const char* s, const uint8_t* p, unsigned n)
{
    char hex[(3*LOG_CHARS)+1];
    char txt[LOG_CHARS+1];
    unsigned odx = 0, idx = 0, at = 0;

    if ( !p )
        return;

    if ( n > snort_conf->event_trace_max )
        n = snort_conf->event_trace_max;

    for ( idx = 0; idx < n; idx++)
    {
        uint8_t byte = p[idx];
        sprintf(hex + 3*odx, "%2.02X ", byte);
        txt[odx++] = isprint(byte) ? byte : '.';

        if ( odx == LOG_CHARS )
        {
            txt[odx] = hex[3*odx] = '\0';
            TextLog_Print(tlog, "%s[%2u] %s %s\n", s, at, hex, txt);
            at = idx + 1;
            odx = 0;
        }
    }
    if ( odx )
    {
        txt[odx] = hex[3*odx] = '\0';
        TextLog_Print(tlog, "%s[%2u] %-48.48s %s\n", s, at, hex, txt);
    }
}
Пример #3
0
static void LogSLLHeader(TextLog* log, Packet* p)
{
    switch (ntohs(p->sllh->sll_pkttype)) {
    case LINUX_SLL_HOST:
        TextLog_Puts(log, "< ");
        break;
    case LINUX_SLL_BROADCAST:
        TextLog_Puts(log, "B ");
        break;
    case LINUX_SLL_MULTICAST:
        TextLog_Puts(log, "M ");
        break;
    case LINUX_SLL_OTHERHOST:
        TextLog_Puts(log, "P ");
        break;
    case LINUX_SLL_OUTGOING:
        TextLog_Puts(log, "> ");
        break;
    default:
        TextLog_Puts(log, "? ");
        break;
    }

    /* mac addr */
    TextLog_Print(log, "l/l len: %i l/l type: 0x%X %X:%X:%X:%X:%X:%X\n",
                  htons(p->sllh->sll_halen), ntohs(p->sllh->sll_hatype),
                  p->sllh->sll_addr[0], p->sllh->sll_addr[1], p->sllh->sll_addr[2],
                  p->sllh->sll_addr[3], p->sllh->sll_addr[4], p->sllh->sll_addr[5]);

    /* protocol and pkt size */
    TextLog_Print(log, "pkt type:0x%X proto: 0x%X len:0x%X\n",
                  ntohs(p->sllh->sll_pkttype),
                  ntohs(p->sllh->sll_protocol), p->pkth->len);
}
Пример #4
0
/*--------------------------------------------------------------------
 * Function: LogEmbeddedICMPHeader(TextLog* , ICMPHdr *)
 *
 * Purpose: Prints the 64 bits of the original IP payload in an ICMP packet
 *          that requires it
 *
 * Arguments: log => pointer to TextLog
 *            icmph  => ICMPHdr struct pointing to original ICMP
 *
 * Returns: void function
 *--------------------------------------------------------------------
 */
static void LogEmbeddedICMPHeader(TextLog* log, const ICMPHdr *icmph)
{
    if (log == NULL || icmph == NULL)
        return;

    TextLog_Print(log, "Type: %d  Code: %d  Csum: %u",
                  icmph->type, icmph->code, ntohs(icmph->csum));

    switch (icmph->type)
    {
    case ICMP_DEST_UNREACH:
    case ICMP_TIME_EXCEEDED:
    case ICMP_SOURCE_QUENCH:
        break;

    case ICMP_PARAMETERPROB:
        if (icmph->code == 0)
            TextLog_Print(log, "  Ptr: %u", icmph->s_icmp_pptr);
        break;

    case ICMP_REDIRECT:
#ifdef SUP_IP6
// XXX-IPv6 "NOT YET IMPLEMENTED - ICMP printing"
#else
        TextLog_Print(log, "  New Gwy: %s", inet_ntoa(icmph->s_icmp_gwaddr));
#endif
        break;

    case ICMP_ECHO:
    case ICMP_ECHOREPLY:
    case ICMP_TIMESTAMP:
    case ICMP_TIMESTAMPREPLY:
    case ICMP_INFO_REQUEST:
    case ICMP_INFO_REPLY:
    case ICMP_ADDRESS:
    case ICMP_ADDRESSREPLY:
        TextLog_Print(log, "  Id: %u  SeqNo: %u",
                      ntohs(icmph->s_icmp_id), ntohs(icmph->s_icmp_seq));
        break;

    case ICMP_ROUTER_ADVERTISE:
        TextLog_Print(log, "  Addrs: %u  Size: %u  Lifetime: %u",
                      icmph->s_icmp_num_addrs, icmph->s_icmp_wpa,
                      ntohs(icmph->s_icmp_lifetime));
        break;

    default:
        break;
    }

    TextLog_NewLine(log);

    return;
}
Пример #5
0
void EventTrace_Term (void)
{
    if ( tlog )
    {
        time_t now = time(NULL);
        const char* ts = ctime(&now);
        TextLog_Print(tlog, "\nTraced %u events\n", nEvents);
        TextLog_Print(tlog, "Trace stopped at %s", ts);
        TextLog_Term(tlog);
    }
}
Пример #6
0
/*--------------------------------------------------------------------
 * Function: LogUDPHeader(TextLog* )
 *
 * Purpose: Dump the UDP header to the given TextLog
 *
 * Arguments: log => pointer to TextLog
 *
 * Returns: void function
 *--------------------------------------------------------------------
 */
void LogUDPHeader(TextLog* log, Packet* p)
{

    if(p->udph == NULL)
    {
        TextLog_Print(log, "UDP header truncated\n");
        return;
    }
    /* not much to do here... */
    TextLog_Print(log, "Len: %d\n", ntohs(p->udph->uh_len) - UDP_HEADER_LEN);
}
Пример #7
0
/*--------------------------------------------------------------------
 * Function: LogEthHeader()
 *
 * Purpose: Print the packet Ethernet header to the given TextLog
 *
 * Arguments: log => pointer to TextLog to print to
 *
 * Returns: void function
 *--------------------------------------------------------------------
 */
static void LogEthHeader(TextLog* log, Packet* p)
{
    /* src addr */
    TextLog_Print(log, "%X:%X:%X:%X:%X:%X -> ", p->eh->ether_src[0],
                  p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3],
                  p->eh->ether_src[4], p->eh->ether_src[5]);

    /* dest addr */
    TextLog_Print(log, "%X:%X:%X:%X:%X:%X ", p->eh->ether_dst[0],
                  p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3],
                  p->eh->ether_dst[4], p->eh->ether_dst[5]);

    /* protocol and pkt size */
    TextLog_Print(log, "type:0x%X len:0x%X\n", ntohs(p->eh->ether_type), p->pkth->len);
}
Пример #8
0
void EventTrace_Init (void)
{
    if ( snort_conf->event_trace_max > 0 )
    {
        time_t now = time(NULL);
        const char* ts = ctime(&now);

        char buf[STD_BUF];
        const char* dir = snort_conf->log_dir ? snort_conf->log_dir : ".";
        snprintf(buf, sizeof(buf), "%s/%s", dir, snort_conf->event_trace_file);

        tlog = TextLog_Init (buf, 128, 8*1024*1024);
        TextLog_Print(tlog, "\nTrace started at %s", ts);
        TextLog_Print(tlog, "Trace max_data is %u bytes\n", snort_conf->event_trace_max);
    }
}
Пример #9
0
void LogTrHeader(TextLog* log, Packet* p)
{

    TextLog_Print(log, "%X:%X:%X:%X:%X:%X -> ", p->trh->saddr[0],
                  p->trh->saddr[1], p->trh->saddr[2], p->trh->saddr[3],
                  p->trh->saddr[4], p->trh->saddr[5]);
    TextLog_Print(log, "%X:%X:%X:%X:%X:%X\n", p->trh->daddr[0],
                  p->trh->daddr[1], p->trh->daddr[2], p->trh->daddr[3],
                  p->trh->daddr[4], p->trh->daddr[5]);

    TextLog_Print(log, "access control:0x%X frame control:0x%X\n", p->trh->ac,
                  p->trh->fc);
    if(!p->trhllc)
        return;
    TextLog_Print(log, "DSAP: 0x%X SSAP 0x%X protoID: %X%X%X Ethertype: %X\n",
                  p->trhllc->dsap, p->trhllc->ssap, p->trhllc->protid[0],
                  p->trhllc->protid[1], p->trhllc->protid[2], p->trhllc->ethertype);
    if(p->trhmr)
    {
        TextLog_Print(log, "RIF structure is present:\n");
        TextLog_Print(log, "bcast: 0x%X length: 0x%X direction: 0x%X largest"
                      "fr. size: 0x%X res: 0x%X\n",
                      TRH_MR_BCAST(p->trhmr), TRH_MR_LEN(p->trhmr),
                      TRH_MR_DIR(p->trhmr), TRH_MR_LF(p->trhmr),
                      TRH_MR_RES(p->trhmr));
        TextLog_Print(log, "rseg -> %X:%X:%X:%X:%X:%X:%X:%X\n",
                      p->trhmr->rseg[0], p->trhmr->rseg[1], p->trhmr->rseg[2],
                      p->trhmr->rseg[3], p->trhmr->rseg[4], p->trhmr->rseg[5],
                      p->trhmr->rseg[6], p->trhmr->rseg[7]);
    }
}
Пример #10
0
/*--------------------------------------------------------------------
 * Function: LogPriorityData()
 *
 * Purpose: Prints out priority data associated with an alert
 *
 * Arguments: log => pointer to TextLog to write the data to
 *            doNewLine => tack a \n to the end of the line or not (bool)
 *
 * Returns: void function
 *--------------------------------------------------------------------
 */
void LogPriorityData(TextLog* log, uint32_t cid, uint32_t priority, bool doNewLine)
{
    ClassType			*cn = ClassTypeLookupById(barnyard2_conf, cid);

    if ( cn != NULL )
    {
        TextLog_Print(
            log, "[Classification: %s] [Priority: %d] ",
            cn->name, priority
        );
    }
    else
    {
        TextLog_Print(log, "[Priority: %d] ", priority);
    }
    if ( doNewLine )
        TextLog_NewLine(log);
}
Пример #11
0
/* print a reference node */
static void LogReference(TextLog* log, ReferenceNode *refNode)
{
    if(refNode)
    {
        if(refNode->system)
        {
            if(refNode->system->url)
                TextLog_Print(log, "[Xref => %s%s]", refNode->system->url,
                              refNode->id);
            else
                TextLog_Print(log, "[Xref => %s %s]", refNode->system->name,
                              refNode->id);
        }
        else
        {
            TextLog_Print(log, "[Xref => %s]", refNode->id);
        }
    }
    return;
}
Пример #12
0
void EventTrace_Log (const Packet* p, OptTreeNode* otn, int action)
{
    int i;
    const char* acts = (action < RULE_TYPE__MAX) ? rule_type[action] : "ERROR";

    if ( !tlog )
        return;

    TextLog_Print(tlog,
        "\nEvt=%u, Gid=%u, Sid=%u, Rev=%u, Act=%s\n",
        event_id, otn->sigInfo.generator, 
        otn->sigInfo.id, otn->sigInfo.rev, acts
    );
    TextLog_Print(tlog,
        "Pkt=%lu, Sec=%u.%6u, Len=%u, Cap=%u\n",
        pc.total_from_daq, p->pkth->ts.tv_sec, p->pkth->ts.tv_usec,
        p->pkth->pktlen, p->pkth->caplen
    );
    TextLog_Print(tlog,
        "Pkt Bits: Flags=0x%X, PP=0x%X, PPR=0x%X, Proto=0x%X"
        ", Err=0x%X\n",
        p->packet_flags, p->preprocessor_bits, p->preproc_reassembly_pkt_bits,
        (unsigned)p->proto_bits, (unsigned)p->error_flags
    );
    TextLog_Print(tlog,
        "Pkt Cnts: Dsz=%u, Alt=%u, Uri=0x%X\n",
        (unsigned)p->dsize, (unsigned)p->alt_dsize, http_mask
    );
    TextLog_Print(tlog, "Detect: DoeFlags=0x%X, DetectFlags=0x%X, DetBuf=%u, B64=%u\n",
        doe_buf_flags, detect_flags, DetectBuffer.len, base64_decode_size
    );
    LogBuffer("Decode", DecodeBuffer.data, DecodeBuffer.len);
    LogBuffer("Detect", DetectBuffer.data, DetectBuffer.len);
    LogBuffer("FileData", file_data_ptr.data, file_data_ptr.len);
    LogBuffer("Base64", base64_decode_buf, base64_decode_size);
    if(mime_present)
        LogBuffer("Mime", file_data_ptr.data, file_data_ptr.len);

    for ( i = 0; i < HTTP_BUFFER_MAX; i++ )
    {
        const HttpBuffer* hb = GetHttpBuffer(i);

        if ( !hb )
            continue;

        TextLog_Print(tlog, "%s[%u] = 0x%X\n",
            http_buffer_name[i], hb->length, hb->encode_type);

        LogBuffer(http_buffer_name[i], hb->buf, hb->length);
    }
    nEvents++;
}
Пример #13
0
static void LogNetData (TextLog* log, const u_char* data, const int len)
{
    const u_char* pb = data;
    const u_char* end = data + len;

    int offset = 0;
    char conv[] = "0123456789ABCDEF";   /* xlation lookup table */

    if ( !len )
    {
        TextLog_NewLine(log);
        return;
    }
    if ( !data )
    {
        TextLog_Print(log, "Got NULL ptr in LogNetData()\n");
        return;
    }

    if ( len > IP_MAXPACKET )
    {
        if (BcLogVerbose())
        {
            TextLog_Print(
                log, "Got bogus buffer length (%d) for LogNetData, "
                "defaulting to %d bytes!\n", len, BYTES_PER_FRAME
            );
        }
        end = data + BYTES_PER_FRAME;
    }

    /* loop thru the whole buffer */
    while ( pb < end )
    {
        int i = 0;

        if (BcVerboseByteDump())
        {
            TextLog_Print(log, "0x%04X: ", offset);
            offset += BYTES_PER_FRAME;
        }
        /* process one frame */
        /* first print the binary as ascii hex */
        for (i = 0; i < BYTES_PER_FRAME && pb+i < end; i++)
        {
            char b = pb[i];
            TextLog_Putc(log, conv[(b & 0xFF) >> 4]);
            TextLog_Putc(log, conv[(b & 0xFF) & 0x0F]);
            TextLog_Putc(log, ' ');
        }
        /* print ' ' past end of packet and before ascii */
        TextLog_Puts(log, pad3+(3*i));

        /* then print the actual ascii chars */
        /* or a '.' for control chars */
        for (i = 0; i < BYTES_PER_FRAME && pb+i < end; i++)
        {
            char b = pb[i];

            if ( b > 0x1F && b < 0x7F)
                TextLog_Putc(log, (char)(b & 0xFF));
            else
                TextLog_Putc(log, '.');
        }
        pb += BYTES_PER_FRAME;
        TextLog_NewLine(log);
    }
    TextLog_NewLine(log);
}
Пример #14
0
static void LogMPLSHeader(TextLog* log, Packet* p)
{

    TextLog_Print(log,"label:0x%05X exp:0x%X bos:0x%X ttl:0x%X\n",
                  p->mplsHdr.label, p->mplsHdr.exp, p->mplsHdr.bos, p->mplsHdr.ttl);
}
Пример #15
0
/*--------------------------------------------------------------------
 * Function: LogWifiHeader(TextLog* )
 *
 * Purpose: Print the packet 802.11 header to the given TextLog
 *
 * Arguments: log => pointer to TextLog to print to
 *
 * Returns: void function
 *--------------------------------------------------------------------
 */
static void LogWifiHeader(TextLog* log, Packet * p)
{
    /* This assumes we are printing a data packet, could be changed
       to print other types as well */
    const u_char *da = NULL, *sa = NULL, *bssid = NULL, *ra = NULL,
                  *ta = NULL;
    /* per table 4, IEEE802.11 section 7.2.2 */
    if ((p->wifih->frame_control & WLAN_FLAG_TODS) &&
            (p->wifih->frame_control & WLAN_FLAG_FROMDS)) {
        ra = p->wifih->addr1;
        ta = p->wifih->addr2;
        da = p->wifih->addr3;
        sa = p->wifih->addr4;
    }
    else if (p->wifih->frame_control & WLAN_FLAG_TODS) {
        bssid = p->wifih->addr1;
        sa = p->wifih->addr2;
        da = p->wifih->addr3;
    }
    else if (p->wifih->frame_control & WLAN_FLAG_FROMDS) {
        da = p->wifih->addr1;
        bssid = p->wifih->addr2;
        sa = p->wifih->addr3;
    }
    else {
        da = p->wifih->addr1;
        sa = p->wifih->addr2;
        bssid = p->wifih->addr3;
    }

    /* DO this switch to provide additional info on the type */
    switch(p->wifih->frame_control & 0x00ff)
    {
    case WLAN_TYPE_MGMT_BEACON:
        TextLog_Puts(log, "Beacon ");
        break;
    /* management frames */
    case WLAN_TYPE_MGMT_ASREQ:
        TextLog_Puts(log, "Assoc. Req. ");
        break;
    case WLAN_TYPE_MGMT_ASRES:
        TextLog_Puts(log, "Assoc. Resp. ");
        break;
    case WLAN_TYPE_MGMT_REREQ:
        TextLog_Puts(log, "Reassoc. Req. ");
        break;
    case WLAN_TYPE_MGMT_RERES:
        TextLog_Puts(log, "Reassoc. Resp. ");
        break;
    case WLAN_TYPE_MGMT_PRREQ:
        TextLog_Puts(log, "Probe Req. ");
        break;
    case WLAN_TYPE_MGMT_PRRES:
        TextLog_Puts(log, "Probe Resp. ");
        break;
    case WLAN_TYPE_MGMT_ATIM:
        TextLog_Puts(log, "ATIM ");
        break;
    case WLAN_TYPE_MGMT_DIS:
        TextLog_Puts(log, "Dissassoc. ");
        break;
    case WLAN_TYPE_MGMT_AUTH:
        TextLog_Puts(log, "Authent. ");
        break;
    case WLAN_TYPE_MGMT_DEAUTH:
        TextLog_Puts(log, "Deauthent. ");
        break;

    /* Control frames */
    case WLAN_TYPE_CONT_PS:
    case WLAN_TYPE_CONT_RTS:
    case WLAN_TYPE_CONT_CTS:
    case WLAN_TYPE_CONT_ACK:
    case WLAN_TYPE_CONT_CFE:
    case WLAN_TYPE_CONT_CFACK:
        TextLog_Puts(log, "Control ");
        break;
    }

    if (sa != NULL) {
        TextLog_Print(log, "%X:%X:%X:%X:%X:%X -> ", sa[0],
                      sa[1], sa[2], sa[3], sa[4], sa[5]);
    }
    else if (ta != NULL) {
        TextLog_Print(log, "ta: %X:%X:%X:%X:%X:%X da: ", ta[0],
                      ta[1], ta[2], ta[3], ta[4], ta[5]);
    }

    TextLog_Print(log, "%X:%X:%X:%X:%X:%X\n", da[0],
                  da[1], da[2], da[3], da[4], da[5]);

    if (bssid != NULL)
    {
        TextLog_Print(log, "bssid: %X:%X:%X:%X:%X:%X", bssid[0],
                      bssid[1], bssid[2], bssid[3], bssid[4], bssid[5]);
    }

    if (ra != NULL) {
        TextLog_Print(log, " ra: %X:%X:%X:%X:%X:%X", ra[0],
                      ra[1], ra[2], ra[3], ra[4], ra[5]);
    }
    TextLog_Puts(log, " Flags:");
    if (p->wifih->frame_control & WLAN_FLAG_TODS)    TextLog_Puts(log," ToDs");
    if (p->wifih->frame_control & WLAN_FLAG_TODS)    TextLog_Puts(log," FrDs");
    if (p->wifih->frame_control & WLAN_FLAG_FRAG)    TextLog_Puts(log," Frag");
    if (p->wifih->frame_control & WLAN_FLAG_RETRY)   TextLog_Puts(log," Re");
    if (p->wifih->frame_control & WLAN_FLAG_PWRMGMT) TextLog_Puts(log," Pwr");
    if (p->wifih->frame_control & WLAN_FLAG_MOREDAT) TextLog_Puts(log," MD");
    if (p->wifih->frame_control & WLAN_FLAG_WEP)     TextLog_Puts(log," Wep");
    if (p->wifih->frame_control & WLAN_FLAG_ORDER)   TextLog_Puts(log," Ord");
    TextLog_NewLine(log);
}
Пример #16
0
/*--------------------------------------------------------------------
 * Function: LogICMPHeader(TextLog* )
 *
 * Purpose: Print ICMP header
 *
 * Arguments: log => pointer to TextLog
 *
 * Returns: void function
 *--------------------------------------------------------------------
 */
void LogICMPHeader(TextLog*  log, Packet * p)
{
#ifdef SUP_IP6
    /* 32 digits plus 7 colons and a NULL byte */
    char buf[8*4 + 7 + 1];
#endif

    if(p->icmph == NULL)
    {
        TextLog_Puts(log, "ICMP header truncated\n");
        return;
    }

    TextLog_Print(log, "Type:%d  Code:%d  ", p->icmph->type, p->icmph->code);

    switch(p->icmph->type)
    {
    case ICMP_ECHOREPLY:
        TextLog_Print(log, "ID:%d  Seq:%d  ", ntohs(p->icmph->s_icmp_id),
                      ntohs(p->icmph->s_icmp_seq));
        TextLog_Puts(log, "ECHO REPLY");
        break;

    case ICMP_DEST_UNREACH:
        TextLog_Puts(log, "DESTINATION UNREACHABLE: ");
        switch(p->icmph->code)
        {
        case ICMP_NET_UNREACH:
            TextLog_Puts(log, "NET UNREACHABLE");
            break;

        case ICMP_HOST_UNREACH:
            TextLog_Puts(log, "HOST UNREACHABLE");
            break;

        case ICMP_PROT_UNREACH:
            TextLog_Puts(log, "PROTOCOL UNREACHABLE");
            break;

        case ICMP_PORT_UNREACH:
            TextLog_Puts(log, "PORT UNREACHABLE");
            break;

        case ICMP_FRAG_NEEDED:
            TextLog_Print(log, "FRAGMENTATION NEEDED, DF SET\n"
                          "NEXT LINK MTU: %u",
                          ntohs(p->icmph->s_icmp_nextmtu));
            break;

        case ICMP_SR_FAILED:
            TextLog_Puts(log, "SOURCE ROUTE FAILED");
            break;

        case ICMP_NET_UNKNOWN:
            TextLog_Puts(log, "NET UNKNOWN");
            break;

        case ICMP_HOST_UNKNOWN:
            TextLog_Puts(log, "HOST UNKNOWN");
            break;

        case ICMP_HOST_ISOLATED:
            TextLog_Puts(log, "HOST ISOLATED");
            break;

        case ICMP_PKT_FILTERED_NET:
            TextLog_Puts(log, "ADMINISTRATIVELY PROHIBITED NETWORK FILTERED");
            break;

        case ICMP_PKT_FILTERED_HOST:
            TextLog_Puts(log, "ADMINISTRATIVELY PROHIBITED HOST FILTERED");
            break;

        case ICMP_NET_UNR_TOS:
            TextLog_Puts(log, "NET UNREACHABLE FOR TOS");
            break;

        case ICMP_HOST_UNR_TOS:
            TextLog_Puts(log, "HOST UNREACHABLE FOR TOS");
            break;

        case ICMP_PKT_FILTERED:
            TextLog_Puts(log, "ADMINISTRATIVELY PROHIBITED,\nPACKET FILTERED");
            break;

        case ICMP_PREC_VIOLATION:
            TextLog_Puts(log, "PREC VIOLATION");
            break;

        case ICMP_PREC_CUTOFF:
            TextLog_Puts(log, "PREC CUTOFF");
            break;

        default:
            TextLog_Puts(log, "UNKNOWN");
            break;

        }


        LogICMPEmbeddedIP(log, p);

        break;

    case ICMP_SOURCE_QUENCH:
        TextLog_Puts(log, "SOURCE QUENCH");

        LogICMPEmbeddedIP(log, p);

        break;

    case ICMP_REDIRECT:
        TextLog_Puts(log, "REDIRECT");
        switch(p->icmph->code)
        {
        case ICMP_REDIR_NET:
            TextLog_Puts(log, " NET");
            break;

        case ICMP_REDIR_HOST:
            TextLog_Puts(log, " HOST");
            break;

        case ICMP_REDIR_TOS_NET:
            TextLog_Puts(log, " TOS NET");
            break;

        case ICMP_REDIR_TOS_HOST:
            TextLog_Puts(log, " TOS HOST");
            break;
        }

#ifdef SUP_IP6
        /* written this way since inet_ntoa was typedef'ed to use sfip_ntoa
         * which requires sfip_t instead of inaddr's.  This call to inet_ntoa
         * is a rare case that doesn't use sfip_t's. */

// XXX-IPv6 NOT YET IMPLEMENTED - IPV6 addresses technically not supported - need to change ICMP

        /* no inet_ntop in Windows */
        sfip_raw_ntop(AF_INET, (const void *)(&p->icmph->s_icmp_gwaddr.s_addr),
                      buf, sizeof(buf));
        TextLog_Print(log, " NEW GW: %s", buf);
#else
        TextLog_Print(log, " NEW GW: %s", inet_ntoa(p->icmph->s_icmp_gwaddr));
#endif

        LogICMPEmbeddedIP(log, p);

        break;

    case ICMP_ECHO:
        TextLog_Print(log, "ID:%d   Seq:%d  ", ntohs(p->icmph->s_icmp_id),
                      ntohs(p->icmph->s_icmp_seq));
        TextLog_Puts(log, "ECHO");
        break;

    case ICMP_ROUTER_ADVERTISE:
        TextLog_Print(log, "ROUTER ADVERTISMENT: "
                      "Num addrs: %d Addr entry size: %d Lifetime: %u",
                      p->icmph->s_icmp_num_addrs, p->icmph->s_icmp_wpa,
                      ntohs(p->icmph->s_icmp_lifetime));
        break;

    case ICMP_ROUTER_SOLICIT:
        TextLog_Puts(log, "ROUTER SOLICITATION");
        break;

    case ICMP_TIME_EXCEEDED:
        TextLog_Puts(log, "TTL EXCEEDED");
        switch(p->icmph->code)
        {
        case ICMP_TIMEOUT_TRANSIT:
            TextLog_Puts(log, " IN TRANSIT");
            break;

        case ICMP_TIMEOUT_REASSY:
            TextLog_Puts(log, " TIME EXCEEDED IN FRAG REASSEMBLY");
            break;
        }

        LogICMPEmbeddedIP(log, p);

        break;

    case ICMP_PARAMETERPROB:
        TextLog_Puts(log, "PARAMETER PROBLEM");
        switch(p->icmph->code)
        {
        case ICMP_PARAM_BADIPHDR:
            TextLog_Print(log, ": BAD IP HEADER BYTE %u",
                          p->icmph->s_icmp_pptr);
            break;

        case ICMP_PARAM_OPTMISSING:
            TextLog_Puts(log, ": OPTION MISSING");
            break;

        case ICMP_PARAM_BAD_LENGTH:
            TextLog_Puts(log, ": BAD LENGTH");
            break;
        }

        LogICMPEmbeddedIP(log, p);

        break;

    case ICMP_TIMESTAMP:
        TextLog_Print(log, "ID: %u  Seq: %u  TIMESTAMP REQUEST",
                      ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq));
        break;

    case ICMP_TIMESTAMPREPLY:
        TextLog_Print(log, "ID: %u  Seq: %u  TIMESTAMP REPLY:\n"
                      "Orig: %u Rtime: %u  Ttime: %u",
                      ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq),
                      p->icmph->s_icmp_otime, p->icmph->s_icmp_rtime,
                      p->icmph->s_icmp_ttime);
        break;

    case ICMP_INFO_REQUEST:
        TextLog_Print(log, "ID: %u  Seq: %u  INFO REQUEST",
                      ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq));
        break;

    case ICMP_INFO_REPLY:
        TextLog_Print(log, "ID: %u  Seq: %u  INFO REPLY",
                      ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq));
        break;

    case ICMP_ADDRESS:
        TextLog_Print(log, "ID: %u  Seq: %u  ADDRESS REQUEST",
                      ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq));
        break;

    case ICMP_ADDRESSREPLY:
        TextLog_Print(log, "ID: %u  Seq: %u  ADDRESS REPLY: 0x%08X",
                      ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq),
                      (u_int) ntohl(p->icmph->s_icmp_mask));
        break;

    default:
        TextLog_Puts(log, "UNKNOWN");

        break;
    }

    TextLog_NewLine(log);

}
Пример #17
0
/*--------------------------------------------------------------------
 * Function: LogICMPEmbeddedIP(TextLog* , Packet *)
 *
 * Purpose: Prints the original/encapsulated IP header + 64 bits of the
 *          original IP payload in an ICMP packet
 *
 * Arguments: log => pointer to TextLog
 *            p  => packet struct
 *
 * Returns: void function
 *--------------------------------------------------------------------
 */
static void LogICMPEmbeddedIP(TextLog* log, Packet *p)
{
    Packet op;
    Packet *orig_p;
    uint32_t orig_ip_hlen;

    if (log == NULL || p == NULL)
        return;

    memset((char*)&op, 0, sizeof(op));
    orig_p = &op;

    orig_p->iph = p->orig_iph;
    orig_p->tcph = p->orig_tcph;
    orig_p->udph = p->orig_udph;
    orig_p->sp = p->orig_sp;
    orig_p->dp = p->orig_dp;
    orig_p->icmph = p->orig_icmph;
#ifdef SUP_IP6
    orig_p->iph_api = p->orig_iph_api;
    orig_p->ip4h = p->orig_ip4h;
    orig_p->ip6h = p->orig_ip6h;
    orig_p->family = p->orig_family;
#endif

    if(orig_p->iph != NULL)
    {
        TextLog_Print(log, "\n** ORIGINAL DATAGRAM DUMP:\n");
        LogIPHeader(log, orig_p);
        orig_ip_hlen = IP_HLEN(p->orig_iph) << 2;

        switch(GET_IPH_PROTO(orig_p))
        {
        case IPPROTO_TCP:
            if(orig_p->tcph != NULL)
                TextLog_Print(log, "Seq: 0x%lX\n",
                              (u_long)ntohl(orig_p->tcph->th_seq));
            break;

        case IPPROTO_UDP:
            if(orig_p->udph != NULL)
                TextLog_Print(log, "Len: %d  Csum: %d\n",
                              ntohs(orig_p->udph->uh_len) - UDP_HEADER_LEN,
                              ntohs(orig_p->udph->uh_chk));
            break;

        case IPPROTO_ICMP:
            if(orig_p->icmph != NULL)
                LogEmbeddedICMPHeader(log, orig_p->icmph);
            break;

        default:
            TextLog_Print(log, "Protocol: 0x%X (unknown or "
                          "header truncated)", GET_IPH_PROTO(orig_p));
            break;
        }       /* switch */

        /* if more than 8 bytes of original IP payload sent */
        if (p->dsize - orig_ip_hlen > 8)
        {
            TextLog_Print(log, "(%d more bytes of original packet)\n",
                          p->dsize - orig_ip_hlen - 8);
        }

        TextLog_Puts(log, "** END OF DUMP");
    }
    else
    {
        TextLog_Puts(log, "\nORIGINAL DATAGRAM TRUNCATED");
    }
}
Пример #18
0
/*-------------------------------------------------------------------
 * IP stuff cloned from log.c
 *-------------------------------------------------------------------
 */
static void LogIpOptions(TextLog*  log, Packet * p)
{
    int i;
    int j;
    u_long init_offset;
    u_long print_offset;

    init_offset = TextLog_Tell(log);

    if(!p->ip_option_count || p->ip_option_count > 40)
        return;

    TextLog_Print(log, "IP Options (%d) => ", p->ip_option_count);

    for(i = 0; i < (int) p->ip_option_count; i++)
    {
        print_offset = TextLog_Tell(log);

        if((print_offset - init_offset) > 60)
        {
            TextLog_Puts(log, "\nIP Options => ");
            init_offset = TextLog_Tell(log);
        }

        switch(p->ip_options[i].code)
        {
        case IPOPT_RR:
            TextLog_Puts(log, "RR ");
            break;

        case IPOPT_EOL:
            TextLog_Puts(log, "EOL ");
            break;

        case IPOPT_NOP:
            TextLog_Puts(log, "NOP ");
            break;

        case IPOPT_TS:
            TextLog_Puts(log, "TS ");
            break;

        case IPOPT_ESEC:
            TextLog_Puts(log, "ESEC ");
            break;

        case IPOPT_SECURITY:
            TextLog_Puts(log, "SEC ");
            break;

        case IPOPT_LSRR:
        case IPOPT_LSRR_E:
            TextLog_Puts(log, "LSRR ");
            break;

        case IPOPT_SATID:
            TextLog_Puts(log, "SID ");
            break;

        case IPOPT_SSRR:
            TextLog_Puts(log, "SSRR ");
            break;

        case IPOPT_RTRALT:
            TextLog_Puts(log, "RTRALT ");
            break;

        default:
            TextLog_Print(log, "Opt %d: ", p->ip_options[i].code);

            if(p->ip_options[i].len)
            {
                for(j = 0; j < p->ip_options[i].len; j++)
                {
                    if (p->ip_options[i].data)
                        TextLog_Print(log, "%02X", p->ip_options[i].data[j]);
                    else
                        TextLog_Print(log, "%02X", 0);

                    if((j % 2) == 0)
                        TextLog_Putc(log, ' ');
                }
            }
            break;
        }
    }
    TextLog_NewLine(log);
}
Пример #19
0
/*--------------------------------------------------------------------
 * Function: LogIPHeader(TextLog* )
 *
 * Purpose: Dump the IP header info to the given TextLog
 *
 * Arguments: log => TextLog to print to
 *
 * Returns: void function
 *--------------------------------------------------------------------
 */
void LogIPHeader(TextLog*  log, Packet * p)
{
    if(!IPH_IS_VALID(p))
    {
        TextLog_Print(log, "IP header truncated\n");
        return;
    }

    if(p->frag_flag)
    {
        /* just print the straight IP header */
        TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p)));
        TextLog_Puts(log, " -> ");
        TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p)));
    }
    else
    {
        if(GET_IPH_PROTO(p) != IPPROTO_TCP && GET_IPH_PROTO(p) != IPPROTO_UDP)
        {
            /* just print the straight IP header */
            TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p)));
            TextLog_Puts(log, " -> ");
            TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p)));
        }
        else
        {
            if (!BcObfuscate())
            {
                /* print the header complete with port information */
                TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p)));
                TextLog_Print(log, ":%d -> ", p->sp);
                TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p)));
                TextLog_Print(log, ":%d", p->dp);
            }
            else
            {
                /* print the header complete with port information */
                if(IS_IP4(p))
                    TextLog_Print(log, "xxx.xxx.xxx.xxx:%d -> xxx.xxx.xxx.xxx:%d", p->sp, p->dp);
                else if(IS_IP6(p))
                    TextLog_Print(log, "x:x:x:x:x:x:x:x:%d -> x:x:x:x:x:x:x:x:%d", p->sp, p->dp);
            }
        }
    }

    if(!BcOutputDataLink())
    {
        TextLog_NewLine(log);
    }
    else
    {
        TextLog_Putc(log, ' ');
    }

    TextLog_Print(log, "%s TTL:%u TOS:0x%X ID:%u IpLen:%u DgmLen:%u",
                  protocol_names[GET_IPH_PROTO(p)],
                  GET_IPH_TTL(p),
                  GET_IPH_TOS(p),
                  IS_IP6(p) ? ntohl(GET_IPH_ID(p)) : ntohs((uint16_t)GET_IPH_ID(p)),
                  GET_IPH_HLEN(p) << 2,
                  GET_IP_DGMLEN(p));

    /* print the reserved bit if it's set */
    if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x8000) >> 15) == 1)
        TextLog_Puts(log, " RB");

    /* printf more frags/don't frag bits */
    if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x4000) >> 14) == 1)
        TextLog_Puts(log, " DF");

    if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x2000) >> 13) == 1)
        TextLog_Puts(log, " MF");

    TextLog_NewLine(log);

    /* print IP options */
    if(p->ip_option_count != 0)
    {
        LogIpOptions(log, p);
    }

    /* print fragment info if necessary */
    if(p->frag_flag)
    {
        TextLog_Print(log, "Frag Offset: 0x%04X   Frag Size: 0x%04X\n",
                      (p->frag_offset & 0x1FFF),
                      GET_IP_PAYLEN(p));
    }
}
Пример #20
0
/*-------------------------------------------------------------------
 * TCP stuff cloned from log.c
 *-------------------------------------------------------------------
 */
static void LogTcpOptions(TextLog*  log, Packet * p)
{
    int i;
    int j;
    u_char tmp[5];
    u_long init_offset;
    u_long print_offset;

    init_offset = TextLog_Tell(log);

    TextLog_Print(log, "TCP Options (%d) => ", p->tcp_option_count);

    if(p->tcp_option_count > 40 || !p->tcp_option_count)
        return;

    for(i = 0; i < (int) p->tcp_option_count; i++)
    {
        print_offset = TextLog_Tell(log);
        /**
        if((print_offset - init_offset) > 60)
        {
            TextLog_Puts(log, "\nTCP Options => ");
            init_offset = TextLog_Tell(log);
        }
        **/
        switch(p->tcp_options[i].code)
        {
        case TCPOPT_MAXSEG:
            memset((char*)tmp, 0, sizeof(tmp));
            TextLog_Puts(log, "MSS: ");
            if (p->tcp_options[i].data)
                memcpy(tmp, p->tcp_options[i].data, 2);
            TextLog_Print(log, "%u ", EXTRACT_16BITS(tmp));
            break;

        case TCPOPT_EOL:
            TextLog_Puts(log, "EOL ");
            break;

        case TCPOPT_NOP:
            TextLog_Puts(log, "NOP ");
            break;

        case TCPOPT_WSCALE:
            if (p->tcp_options[i].data)
                TextLog_Print(log, "WS: %u ", p->tcp_options[i].data[0]);
            else
                TextLog_Print(log, "WS: %u ", 0);
            break;
        case TCPOPT_SACK:
            memset((char*)tmp, 0, sizeof(tmp));
            if (p->tcp_options[i].data && (p->tcp_options[i].len >= 2))
                memcpy(tmp, p->tcp_options[i].data, 2);
            TextLog_Print(log, "Sack: %u@", EXTRACT_16BITS(tmp));
            memset((char*)tmp, 0, sizeof(tmp));
            if (p->tcp_options[i].data && (p->tcp_options[i].len >= 4))
                memcpy(tmp, (p->tcp_options[i].data) + 2, 2);
            TextLog_Print(log, "%u ", EXTRACT_16BITS(tmp));
            break;

        case TCPOPT_SACKOK:
            TextLog_Puts(log, "SackOK ");
            break;

        case TCPOPT_ECHO:
            memset((char*)tmp, 0, sizeof(tmp));
            if (p->tcp_options[i].data)
                memcpy(tmp, p->tcp_options[i].data, 4);
            TextLog_Print(log, "Echo: %u ", EXTRACT_32BITS(tmp));
            break;

        case TCPOPT_ECHOREPLY:
            memset((char*)tmp, 0, sizeof(tmp));
            if (p->tcp_options[i].data)
                memcpy(tmp, p->tcp_options[i].data, 4);
            TextLog_Print(log, "Echo Rep: %u ", EXTRACT_32BITS(tmp));
            break;

        case TCPOPT_TIMESTAMP:
            memset((char*)tmp, 0, sizeof(tmp));
            if (p->tcp_options[i].data)
                memcpy(tmp, p->tcp_options[i].data, 4);
            TextLog_Print(log, "TS: %u ", EXTRACT_32BITS(tmp));
            memset((char*)tmp, 0, sizeof(tmp));
            if (p->tcp_options[i].data)
                memcpy(tmp, (p->tcp_options[i].data) + 4, 4);
            TextLog_Print(log, "%u ", EXTRACT_32BITS(tmp));
            break;

        case TCPOPT_CC:
            memset((char*)tmp, 0, sizeof(tmp));
            if (p->tcp_options[i].data)
                memcpy(tmp, p->tcp_options[i].data, 4);
            TextLog_Print(log, "CC %u ", EXTRACT_32BITS(tmp));
            break;

        case TCPOPT_CCNEW:
            memset((char*)tmp, 0, sizeof(tmp));
            if (p->tcp_options[i].data)
                memcpy(tmp, p->tcp_options[i].data, 4);
            TextLog_Print(log, "CCNEW: %u ", EXTRACT_32BITS(tmp));
            break;

        case TCPOPT_CCECHO:
            memset((char*)tmp, 0, sizeof(tmp));
            if (p->tcp_options[i].data)
                memcpy(tmp, p->tcp_options[i].data, 4);
            TextLog_Print(log, "CCECHO: %u ", EXTRACT_32BITS(tmp));
            break;

        default:
            if(p->tcp_options[i].len)
            {
                TextLog_Print(log, "Opt %d (%d): ", p->tcp_options[i].code,
                              (int) p->tcp_options[i].len);

                for(j = 0; j < p->tcp_options[i].len; j++)
                {
                    if (p->tcp_options[i].data)
                        TextLog_Print(log, "%02X", p->tcp_options[i].data[j]);
                    else
                        TextLog_Print(log, "%02X", 0);

                    if ((j + 1) % 2 == 0)
                        TextLog_Putc(log, ' ');
                }

                TextLog_Putc(log, ' ');
            }
            else
            {
                TextLog_Print(log, "Opt %d ", p->tcp_options[i].code);
            }
            break;
        }
    }

    TextLog_NewLine(log);
}