/*-------------------------------------------------------------------- * Function: LogTCPHeader(TextLog* ) * * Purpose: Dump the TCP header info to the given TextLog * * Arguments: log => pointer to TextLog to print data to * * Returns: void function *-------------------------------------------------------------------- */ void LogTCPHeader(TextLog* log, Packet * p) { char tcpFlags[9]; if(p->tcph == NULL) { TextLog_Print(log, "TCP header truncated\n"); return; } /* print TCP flags */ CreateTCPFlagString(p, tcpFlags); TextLog_Puts(log, tcpFlags); /* We don't care about the NULL */ /* print other TCP info */ TextLog_Print(log, " Seq: 0x%lX Ack: 0x%lX Win: 0x%X TcpLen: %d", (u_long) ntohl(p->tcph->th_seq), (u_long) ntohl(p->tcph->th_ack), ntohs(p->tcph->th_win), TCP_OFFSET(p->tcph) << 2); if((p->tcph->th_flags & TH_URG) != 0) { TextLog_Print(log, " UrgPtr: 0x%X\n", (uint16_t) ntohs(p->tcph->th_urp)); } else { TextLog_NewLine(log); } /* dump the TCP options */ if(p->tcp_option_count != 0) { LogTcpOptions(log, p); } }
static void LogBuffer (const char* s, const uint8_t* p, unsigned n) { char hex[(3*LOG_CHARS)+1]; char txt[LOG_CHARS+1]; unsigned odx = 0, idx = 0, at = 0; if ( !p ) return; if ( n > snort_conf->event_trace_max ) n = snort_conf->event_trace_max; for ( idx = 0; idx < n; idx++) { uint8_t byte = p[idx]; sprintf(hex + 3*odx, "%2.02X ", byte); txt[odx++] = isprint(byte) ? byte : '.'; if ( odx == LOG_CHARS ) { txt[odx] = hex[3*odx] = '\0'; TextLog_Print(tlog, "%s[%2u] %s %s\n", s, at, hex, txt); at = idx + 1; odx = 0; } } if ( odx ) { txt[odx] = hex[3*odx] = '\0'; TextLog_Print(tlog, "%s[%2u] %-48.48s %s\n", s, at, hex, txt); } }
static void LogSLLHeader(TextLog* log, Packet* p) { switch (ntohs(p->sllh->sll_pkttype)) { case LINUX_SLL_HOST: TextLog_Puts(log, "< "); break; case LINUX_SLL_BROADCAST: TextLog_Puts(log, "B "); break; case LINUX_SLL_MULTICAST: TextLog_Puts(log, "M "); break; case LINUX_SLL_OTHERHOST: TextLog_Puts(log, "P "); break; case LINUX_SLL_OUTGOING: TextLog_Puts(log, "> "); break; default: TextLog_Puts(log, "? "); break; } /* mac addr */ TextLog_Print(log, "l/l len: %i l/l type: 0x%X %X:%X:%X:%X:%X:%X\n", htons(p->sllh->sll_halen), ntohs(p->sllh->sll_hatype), p->sllh->sll_addr[0], p->sllh->sll_addr[1], p->sllh->sll_addr[2], p->sllh->sll_addr[3], p->sllh->sll_addr[4], p->sllh->sll_addr[5]); /* protocol and pkt size */ TextLog_Print(log, "pkt type:0x%X proto: 0x%X len:0x%X\n", ntohs(p->sllh->sll_pkttype), ntohs(p->sllh->sll_protocol), p->pkth->len); }
/*-------------------------------------------------------------------- * Function: LogEmbeddedICMPHeader(TextLog* , ICMPHdr *) * * Purpose: Prints the 64 bits of the original IP payload in an ICMP packet * that requires it * * Arguments: log => pointer to TextLog * icmph => ICMPHdr struct pointing to original ICMP * * Returns: void function *-------------------------------------------------------------------- */ static void LogEmbeddedICMPHeader(TextLog* log, const ICMPHdr *icmph) { if (log == NULL || icmph == NULL) return; TextLog_Print(log, "Type: %d Code: %d Csum: %u", icmph->type, icmph->code, ntohs(icmph->csum)); switch (icmph->type) { case ICMP_DEST_UNREACH: case ICMP_TIME_EXCEEDED: case ICMP_SOURCE_QUENCH: break; case ICMP_PARAMETERPROB: if (icmph->code == 0) TextLog_Print(log, " Ptr: %u", icmph->s_icmp_pptr); break; case ICMP_REDIRECT: #ifdef SUP_IP6 // XXX-IPv6 "NOT YET IMPLEMENTED - ICMP printing" #else TextLog_Print(log, " New Gwy: %s", inet_ntoa(icmph->s_icmp_gwaddr)); #endif break; case ICMP_ECHO: case ICMP_ECHOREPLY: case ICMP_TIMESTAMP: case ICMP_TIMESTAMPREPLY: case ICMP_INFO_REQUEST: case ICMP_INFO_REPLY: case ICMP_ADDRESS: case ICMP_ADDRESSREPLY: TextLog_Print(log, " Id: %u SeqNo: %u", ntohs(icmph->s_icmp_id), ntohs(icmph->s_icmp_seq)); break; case ICMP_ROUTER_ADVERTISE: TextLog_Print(log, " Addrs: %u Size: %u Lifetime: %u", icmph->s_icmp_num_addrs, icmph->s_icmp_wpa, ntohs(icmph->s_icmp_lifetime)); break; default: break; } TextLog_NewLine(log); return; }
void EventTrace_Term (void) { if ( tlog ) { time_t now = time(NULL); const char* ts = ctime(&now); TextLog_Print(tlog, "\nTraced %u events\n", nEvents); TextLog_Print(tlog, "Trace stopped at %s", ts); TextLog_Term(tlog); } }
/*-------------------------------------------------------------------- * Function: LogUDPHeader(TextLog* ) * * Purpose: Dump the UDP header to the given TextLog * * Arguments: log => pointer to TextLog * * Returns: void function *-------------------------------------------------------------------- */ void LogUDPHeader(TextLog* log, Packet* p) { if(p->udph == NULL) { TextLog_Print(log, "UDP header truncated\n"); return; } /* not much to do here... */ TextLog_Print(log, "Len: %d\n", ntohs(p->udph->uh_len) - UDP_HEADER_LEN); }
/*-------------------------------------------------------------------- * Function: LogEthHeader() * * Purpose: Print the packet Ethernet header to the given TextLog * * Arguments: log => pointer to TextLog to print to * * Returns: void function *-------------------------------------------------------------------- */ static void LogEthHeader(TextLog* log, Packet* p) { /* src addr */ TextLog_Print(log, "%X:%X:%X:%X:%X:%X -> ", p->eh->ether_src[0], p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3], p->eh->ether_src[4], p->eh->ether_src[5]); /* dest addr */ TextLog_Print(log, "%X:%X:%X:%X:%X:%X ", p->eh->ether_dst[0], p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3], p->eh->ether_dst[4], p->eh->ether_dst[5]); /* protocol and pkt size */ TextLog_Print(log, "type:0x%X len:0x%X\n", ntohs(p->eh->ether_type), p->pkth->len); }
void EventTrace_Init (void) { if ( snort_conf->event_trace_max > 0 ) { time_t now = time(NULL); const char* ts = ctime(&now); char buf[STD_BUF]; const char* dir = snort_conf->log_dir ? snort_conf->log_dir : "."; snprintf(buf, sizeof(buf), "%s/%s", dir, snort_conf->event_trace_file); tlog = TextLog_Init (buf, 128, 8*1024*1024); TextLog_Print(tlog, "\nTrace started at %s", ts); TextLog_Print(tlog, "Trace max_data is %u bytes\n", snort_conf->event_trace_max); } }
void LogTrHeader(TextLog* log, Packet* p) { TextLog_Print(log, "%X:%X:%X:%X:%X:%X -> ", p->trh->saddr[0], p->trh->saddr[1], p->trh->saddr[2], p->trh->saddr[3], p->trh->saddr[4], p->trh->saddr[5]); TextLog_Print(log, "%X:%X:%X:%X:%X:%X\n", p->trh->daddr[0], p->trh->daddr[1], p->trh->daddr[2], p->trh->daddr[3], p->trh->daddr[4], p->trh->daddr[5]); TextLog_Print(log, "access control:0x%X frame control:0x%X\n", p->trh->ac, p->trh->fc); if(!p->trhllc) return; TextLog_Print(log, "DSAP: 0x%X SSAP 0x%X protoID: %X%X%X Ethertype: %X\n", p->trhllc->dsap, p->trhllc->ssap, p->trhllc->protid[0], p->trhllc->protid[1], p->trhllc->protid[2], p->trhllc->ethertype); if(p->trhmr) { TextLog_Print(log, "RIF structure is present:\n"); TextLog_Print(log, "bcast: 0x%X length: 0x%X direction: 0x%X largest" "fr. size: 0x%X res: 0x%X\n", TRH_MR_BCAST(p->trhmr), TRH_MR_LEN(p->trhmr), TRH_MR_DIR(p->trhmr), TRH_MR_LF(p->trhmr), TRH_MR_RES(p->trhmr)); TextLog_Print(log, "rseg -> %X:%X:%X:%X:%X:%X:%X:%X\n", p->trhmr->rseg[0], p->trhmr->rseg[1], p->trhmr->rseg[2], p->trhmr->rseg[3], p->trhmr->rseg[4], p->trhmr->rseg[5], p->trhmr->rseg[6], p->trhmr->rseg[7]); } }
/*-------------------------------------------------------------------- * Function: LogPriorityData() * * Purpose: Prints out priority data associated with an alert * * Arguments: log => pointer to TextLog to write the data to * doNewLine => tack a \n to the end of the line or not (bool) * * Returns: void function *-------------------------------------------------------------------- */ void LogPriorityData(TextLog* log, uint32_t cid, uint32_t priority, bool doNewLine) { ClassType *cn = ClassTypeLookupById(barnyard2_conf, cid); if ( cn != NULL ) { TextLog_Print( log, "[Classification: %s] [Priority: %d] ", cn->name, priority ); } else { TextLog_Print(log, "[Priority: %d] ", priority); } if ( doNewLine ) TextLog_NewLine(log); }
/* print a reference node */ static void LogReference(TextLog* log, ReferenceNode *refNode) { if(refNode) { if(refNode->system) { if(refNode->system->url) TextLog_Print(log, "[Xref => %s%s]", refNode->system->url, refNode->id); else TextLog_Print(log, "[Xref => %s %s]", refNode->system->name, refNode->id); } else { TextLog_Print(log, "[Xref => %s]", refNode->id); } } return; }
void EventTrace_Log (const Packet* p, OptTreeNode* otn, int action) { int i; const char* acts = (action < RULE_TYPE__MAX) ? rule_type[action] : "ERROR"; if ( !tlog ) return; TextLog_Print(tlog, "\nEvt=%u, Gid=%u, Sid=%u, Rev=%u, Act=%s\n", event_id, otn->sigInfo.generator, otn->sigInfo.id, otn->sigInfo.rev, acts ); TextLog_Print(tlog, "Pkt=%lu, Sec=%u.%6u, Len=%u, Cap=%u\n", pc.total_from_daq, p->pkth->ts.tv_sec, p->pkth->ts.tv_usec, p->pkth->pktlen, p->pkth->caplen ); TextLog_Print(tlog, "Pkt Bits: Flags=0x%X, PP=0x%X, PPR=0x%X, Proto=0x%X" ", Err=0x%X\n", p->packet_flags, p->preprocessor_bits, p->preproc_reassembly_pkt_bits, (unsigned)p->proto_bits, (unsigned)p->error_flags ); TextLog_Print(tlog, "Pkt Cnts: Dsz=%u, Alt=%u, Uri=0x%X\n", (unsigned)p->dsize, (unsigned)p->alt_dsize, http_mask ); TextLog_Print(tlog, "Detect: DoeFlags=0x%X, DetectFlags=0x%X, DetBuf=%u, B64=%u\n", doe_buf_flags, detect_flags, DetectBuffer.len, base64_decode_size ); LogBuffer("Decode", DecodeBuffer.data, DecodeBuffer.len); LogBuffer("Detect", DetectBuffer.data, DetectBuffer.len); LogBuffer("FileData", file_data_ptr.data, file_data_ptr.len); LogBuffer("Base64", base64_decode_buf, base64_decode_size); if(mime_present) LogBuffer("Mime", file_data_ptr.data, file_data_ptr.len); for ( i = 0; i < HTTP_BUFFER_MAX; i++ ) { const HttpBuffer* hb = GetHttpBuffer(i); if ( !hb ) continue; TextLog_Print(tlog, "%s[%u] = 0x%X\n", http_buffer_name[i], hb->length, hb->encode_type); LogBuffer(http_buffer_name[i], hb->buf, hb->length); } nEvents++; }
static void LogNetData (TextLog* log, const u_char* data, const int len) { const u_char* pb = data; const u_char* end = data + len; int offset = 0; char conv[] = "0123456789ABCDEF"; /* xlation lookup table */ if ( !len ) { TextLog_NewLine(log); return; } if ( !data ) { TextLog_Print(log, "Got NULL ptr in LogNetData()\n"); return; } if ( len > IP_MAXPACKET ) { if (BcLogVerbose()) { TextLog_Print( log, "Got bogus buffer length (%d) for LogNetData, " "defaulting to %d bytes!\n", len, BYTES_PER_FRAME ); } end = data + BYTES_PER_FRAME; } /* loop thru the whole buffer */ while ( pb < end ) { int i = 0; if (BcVerboseByteDump()) { TextLog_Print(log, "0x%04X: ", offset); offset += BYTES_PER_FRAME; } /* process one frame */ /* first print the binary as ascii hex */ for (i = 0; i < BYTES_PER_FRAME && pb+i < end; i++) { char b = pb[i]; TextLog_Putc(log, conv[(b & 0xFF) >> 4]); TextLog_Putc(log, conv[(b & 0xFF) & 0x0F]); TextLog_Putc(log, ' '); } /* print ' ' past end of packet and before ascii */ TextLog_Puts(log, pad3+(3*i)); /* then print the actual ascii chars */ /* or a '.' for control chars */ for (i = 0; i < BYTES_PER_FRAME && pb+i < end; i++) { char b = pb[i]; if ( b > 0x1F && b < 0x7F) TextLog_Putc(log, (char)(b & 0xFF)); else TextLog_Putc(log, '.'); } pb += BYTES_PER_FRAME; TextLog_NewLine(log); } TextLog_NewLine(log); }
static void LogMPLSHeader(TextLog* log, Packet* p) { TextLog_Print(log,"label:0x%05X exp:0x%X bos:0x%X ttl:0x%X\n", p->mplsHdr.label, p->mplsHdr.exp, p->mplsHdr.bos, p->mplsHdr.ttl); }
/*-------------------------------------------------------------------- * Function: LogWifiHeader(TextLog* ) * * Purpose: Print the packet 802.11 header to the given TextLog * * Arguments: log => pointer to TextLog to print to * * Returns: void function *-------------------------------------------------------------------- */ static void LogWifiHeader(TextLog* log, Packet * p) { /* This assumes we are printing a data packet, could be changed to print other types as well */ const u_char *da = NULL, *sa = NULL, *bssid = NULL, *ra = NULL, *ta = NULL; /* per table 4, IEEE802.11 section 7.2.2 */ if ((p->wifih->frame_control & WLAN_FLAG_TODS) && (p->wifih->frame_control & WLAN_FLAG_FROMDS)) { ra = p->wifih->addr1; ta = p->wifih->addr2; da = p->wifih->addr3; sa = p->wifih->addr4; } else if (p->wifih->frame_control & WLAN_FLAG_TODS) { bssid = p->wifih->addr1; sa = p->wifih->addr2; da = p->wifih->addr3; } else if (p->wifih->frame_control & WLAN_FLAG_FROMDS) { da = p->wifih->addr1; bssid = p->wifih->addr2; sa = p->wifih->addr3; } else { da = p->wifih->addr1; sa = p->wifih->addr2; bssid = p->wifih->addr3; } /* DO this switch to provide additional info on the type */ switch(p->wifih->frame_control & 0x00ff) { case WLAN_TYPE_MGMT_BEACON: TextLog_Puts(log, "Beacon "); break; /* management frames */ case WLAN_TYPE_MGMT_ASREQ: TextLog_Puts(log, "Assoc. Req. "); break; case WLAN_TYPE_MGMT_ASRES: TextLog_Puts(log, "Assoc. Resp. "); break; case WLAN_TYPE_MGMT_REREQ: TextLog_Puts(log, "Reassoc. Req. "); break; case WLAN_TYPE_MGMT_RERES: TextLog_Puts(log, "Reassoc. Resp. "); break; case WLAN_TYPE_MGMT_PRREQ: TextLog_Puts(log, "Probe Req. "); break; case WLAN_TYPE_MGMT_PRRES: TextLog_Puts(log, "Probe Resp. "); break; case WLAN_TYPE_MGMT_ATIM: TextLog_Puts(log, "ATIM "); break; case WLAN_TYPE_MGMT_DIS: TextLog_Puts(log, "Dissassoc. "); break; case WLAN_TYPE_MGMT_AUTH: TextLog_Puts(log, "Authent. "); break; case WLAN_TYPE_MGMT_DEAUTH: TextLog_Puts(log, "Deauthent. "); break; /* Control frames */ case WLAN_TYPE_CONT_PS: case WLAN_TYPE_CONT_RTS: case WLAN_TYPE_CONT_CTS: case WLAN_TYPE_CONT_ACK: case WLAN_TYPE_CONT_CFE: case WLAN_TYPE_CONT_CFACK: TextLog_Puts(log, "Control "); break; } if (sa != NULL) { TextLog_Print(log, "%X:%X:%X:%X:%X:%X -> ", sa[0], sa[1], sa[2], sa[3], sa[4], sa[5]); } else if (ta != NULL) { TextLog_Print(log, "ta: %X:%X:%X:%X:%X:%X da: ", ta[0], ta[1], ta[2], ta[3], ta[4], ta[5]); } TextLog_Print(log, "%X:%X:%X:%X:%X:%X\n", da[0], da[1], da[2], da[3], da[4], da[5]); if (bssid != NULL) { TextLog_Print(log, "bssid: %X:%X:%X:%X:%X:%X", bssid[0], bssid[1], bssid[2], bssid[3], bssid[4], bssid[5]); } if (ra != NULL) { TextLog_Print(log, " ra: %X:%X:%X:%X:%X:%X", ra[0], ra[1], ra[2], ra[3], ra[4], ra[5]); } TextLog_Puts(log, " Flags:"); if (p->wifih->frame_control & WLAN_FLAG_TODS) TextLog_Puts(log," ToDs"); if (p->wifih->frame_control & WLAN_FLAG_TODS) TextLog_Puts(log," FrDs"); if (p->wifih->frame_control & WLAN_FLAG_FRAG) TextLog_Puts(log," Frag"); if (p->wifih->frame_control & WLAN_FLAG_RETRY) TextLog_Puts(log," Re"); if (p->wifih->frame_control & WLAN_FLAG_PWRMGMT) TextLog_Puts(log," Pwr"); if (p->wifih->frame_control & WLAN_FLAG_MOREDAT) TextLog_Puts(log," MD"); if (p->wifih->frame_control & WLAN_FLAG_WEP) TextLog_Puts(log," Wep"); if (p->wifih->frame_control & WLAN_FLAG_ORDER) TextLog_Puts(log," Ord"); TextLog_NewLine(log); }
/*-------------------------------------------------------------------- * Function: LogICMPHeader(TextLog* ) * * Purpose: Print ICMP header * * Arguments: log => pointer to TextLog * * Returns: void function *-------------------------------------------------------------------- */ void LogICMPHeader(TextLog* log, Packet * p) { #ifdef SUP_IP6 /* 32 digits plus 7 colons and a NULL byte */ char buf[8*4 + 7 + 1]; #endif if(p->icmph == NULL) { TextLog_Puts(log, "ICMP header truncated\n"); return; } TextLog_Print(log, "Type:%d Code:%d ", p->icmph->type, p->icmph->code); switch(p->icmph->type) { case ICMP_ECHOREPLY: TextLog_Print(log, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); TextLog_Puts(log, "ECHO REPLY"); break; case ICMP_DEST_UNREACH: TextLog_Puts(log, "DESTINATION UNREACHABLE: "); switch(p->icmph->code) { case ICMP_NET_UNREACH: TextLog_Puts(log, "NET UNREACHABLE"); break; case ICMP_HOST_UNREACH: TextLog_Puts(log, "HOST UNREACHABLE"); break; case ICMP_PROT_UNREACH: TextLog_Puts(log, "PROTOCOL UNREACHABLE"); break; case ICMP_PORT_UNREACH: TextLog_Puts(log, "PORT UNREACHABLE"); break; case ICMP_FRAG_NEEDED: TextLog_Print(log, "FRAGMENTATION NEEDED, DF SET\n" "NEXT LINK MTU: %u", ntohs(p->icmph->s_icmp_nextmtu)); break; case ICMP_SR_FAILED: TextLog_Puts(log, "SOURCE ROUTE FAILED"); break; case ICMP_NET_UNKNOWN: TextLog_Puts(log, "NET UNKNOWN"); break; case ICMP_HOST_UNKNOWN: TextLog_Puts(log, "HOST UNKNOWN"); break; case ICMP_HOST_ISOLATED: TextLog_Puts(log, "HOST ISOLATED"); break; case ICMP_PKT_FILTERED_NET: TextLog_Puts(log, "ADMINISTRATIVELY PROHIBITED NETWORK FILTERED"); break; case ICMP_PKT_FILTERED_HOST: TextLog_Puts(log, "ADMINISTRATIVELY PROHIBITED HOST FILTERED"); break; case ICMP_NET_UNR_TOS: TextLog_Puts(log, "NET UNREACHABLE FOR TOS"); break; case ICMP_HOST_UNR_TOS: TextLog_Puts(log, "HOST UNREACHABLE FOR TOS"); break; case ICMP_PKT_FILTERED: TextLog_Puts(log, "ADMINISTRATIVELY PROHIBITED,\nPACKET FILTERED"); break; case ICMP_PREC_VIOLATION: TextLog_Puts(log, "PREC VIOLATION"); break; case ICMP_PREC_CUTOFF: TextLog_Puts(log, "PREC CUTOFF"); break; default: TextLog_Puts(log, "UNKNOWN"); break; } LogICMPEmbeddedIP(log, p); break; case ICMP_SOURCE_QUENCH: TextLog_Puts(log, "SOURCE QUENCH"); LogICMPEmbeddedIP(log, p); break; case ICMP_REDIRECT: TextLog_Puts(log, "REDIRECT"); switch(p->icmph->code) { case ICMP_REDIR_NET: TextLog_Puts(log, " NET"); break; case ICMP_REDIR_HOST: TextLog_Puts(log, " HOST"); break; case ICMP_REDIR_TOS_NET: TextLog_Puts(log, " TOS NET"); break; case ICMP_REDIR_TOS_HOST: TextLog_Puts(log, " TOS HOST"); break; } #ifdef SUP_IP6 /* written this way since inet_ntoa was typedef'ed to use sfip_ntoa * which requires sfip_t instead of inaddr's. This call to inet_ntoa * is a rare case that doesn't use sfip_t's. */ // XXX-IPv6 NOT YET IMPLEMENTED - IPV6 addresses technically not supported - need to change ICMP /* no inet_ntop in Windows */ sfip_raw_ntop(AF_INET, (const void *)(&p->icmph->s_icmp_gwaddr.s_addr), buf, sizeof(buf)); TextLog_Print(log, " NEW GW: %s", buf); #else TextLog_Print(log, " NEW GW: %s", inet_ntoa(p->icmph->s_icmp_gwaddr)); #endif LogICMPEmbeddedIP(log, p); break; case ICMP_ECHO: TextLog_Print(log, "ID:%d Seq:%d ", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); TextLog_Puts(log, "ECHO"); break; case ICMP_ROUTER_ADVERTISE: TextLog_Print(log, "ROUTER ADVERTISMENT: " "Num addrs: %d Addr entry size: %d Lifetime: %u", p->icmph->s_icmp_num_addrs, p->icmph->s_icmp_wpa, ntohs(p->icmph->s_icmp_lifetime)); break; case ICMP_ROUTER_SOLICIT: TextLog_Puts(log, "ROUTER SOLICITATION"); break; case ICMP_TIME_EXCEEDED: TextLog_Puts(log, "TTL EXCEEDED"); switch(p->icmph->code) { case ICMP_TIMEOUT_TRANSIT: TextLog_Puts(log, " IN TRANSIT"); break; case ICMP_TIMEOUT_REASSY: TextLog_Puts(log, " TIME EXCEEDED IN FRAG REASSEMBLY"); break; } LogICMPEmbeddedIP(log, p); break; case ICMP_PARAMETERPROB: TextLog_Puts(log, "PARAMETER PROBLEM"); switch(p->icmph->code) { case ICMP_PARAM_BADIPHDR: TextLog_Print(log, ": BAD IP HEADER BYTE %u", p->icmph->s_icmp_pptr); break; case ICMP_PARAM_OPTMISSING: TextLog_Puts(log, ": OPTION MISSING"); break; case ICMP_PARAM_BAD_LENGTH: TextLog_Puts(log, ": BAD LENGTH"); break; } LogICMPEmbeddedIP(log, p); break; case ICMP_TIMESTAMP: TextLog_Print(log, "ID: %u Seq: %u TIMESTAMP REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_TIMESTAMPREPLY: TextLog_Print(log, "ID: %u Seq: %u TIMESTAMP REPLY:\n" "Orig: %u Rtime: %u Ttime: %u", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq), p->icmph->s_icmp_otime, p->icmph->s_icmp_rtime, p->icmph->s_icmp_ttime); break; case ICMP_INFO_REQUEST: TextLog_Print(log, "ID: %u Seq: %u INFO REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_INFO_REPLY: TextLog_Print(log, "ID: %u Seq: %u INFO REPLY", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_ADDRESS: TextLog_Print(log, "ID: %u Seq: %u ADDRESS REQUEST", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); break; case ICMP_ADDRESSREPLY: TextLog_Print(log, "ID: %u Seq: %u ADDRESS REPLY: 0x%08X", ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq), (u_int) ntohl(p->icmph->s_icmp_mask)); break; default: TextLog_Puts(log, "UNKNOWN"); break; } TextLog_NewLine(log); }
/*-------------------------------------------------------------------- * Function: LogICMPEmbeddedIP(TextLog* , Packet *) * * Purpose: Prints the original/encapsulated IP header + 64 bits of the * original IP payload in an ICMP packet * * Arguments: log => pointer to TextLog * p => packet struct * * Returns: void function *-------------------------------------------------------------------- */ static void LogICMPEmbeddedIP(TextLog* log, Packet *p) { Packet op; Packet *orig_p; uint32_t orig_ip_hlen; if (log == NULL || p == NULL) return; memset((char*)&op, 0, sizeof(op)); orig_p = &op; orig_p->iph = p->orig_iph; orig_p->tcph = p->orig_tcph; orig_p->udph = p->orig_udph; orig_p->sp = p->orig_sp; orig_p->dp = p->orig_dp; orig_p->icmph = p->orig_icmph; #ifdef SUP_IP6 orig_p->iph_api = p->orig_iph_api; orig_p->ip4h = p->orig_ip4h; orig_p->ip6h = p->orig_ip6h; orig_p->family = p->orig_family; #endif if(orig_p->iph != NULL) { TextLog_Print(log, "\n** ORIGINAL DATAGRAM DUMP:\n"); LogIPHeader(log, orig_p); orig_ip_hlen = IP_HLEN(p->orig_iph) << 2; switch(GET_IPH_PROTO(orig_p)) { case IPPROTO_TCP: if(orig_p->tcph != NULL) TextLog_Print(log, "Seq: 0x%lX\n", (u_long)ntohl(orig_p->tcph->th_seq)); break; case IPPROTO_UDP: if(orig_p->udph != NULL) TextLog_Print(log, "Len: %d Csum: %d\n", ntohs(orig_p->udph->uh_len) - UDP_HEADER_LEN, ntohs(orig_p->udph->uh_chk)); break; case IPPROTO_ICMP: if(orig_p->icmph != NULL) LogEmbeddedICMPHeader(log, orig_p->icmph); break; default: TextLog_Print(log, "Protocol: 0x%X (unknown or " "header truncated)", GET_IPH_PROTO(orig_p)); break; } /* switch */ /* if more than 8 bytes of original IP payload sent */ if (p->dsize - orig_ip_hlen > 8) { TextLog_Print(log, "(%d more bytes of original packet)\n", p->dsize - orig_ip_hlen - 8); } TextLog_Puts(log, "** END OF DUMP"); } else { TextLog_Puts(log, "\nORIGINAL DATAGRAM TRUNCATED"); } }
/*------------------------------------------------------------------- * IP stuff cloned from log.c *------------------------------------------------------------------- */ static void LogIpOptions(TextLog* log, Packet * p) { int i; int j; u_long init_offset; u_long print_offset; init_offset = TextLog_Tell(log); if(!p->ip_option_count || p->ip_option_count > 40) return; TextLog_Print(log, "IP Options (%d) => ", p->ip_option_count); for(i = 0; i < (int) p->ip_option_count; i++) { print_offset = TextLog_Tell(log); if((print_offset - init_offset) > 60) { TextLog_Puts(log, "\nIP Options => "); init_offset = TextLog_Tell(log); } switch(p->ip_options[i].code) { case IPOPT_RR: TextLog_Puts(log, "RR "); break; case IPOPT_EOL: TextLog_Puts(log, "EOL "); break; case IPOPT_NOP: TextLog_Puts(log, "NOP "); break; case IPOPT_TS: TextLog_Puts(log, "TS "); break; case IPOPT_ESEC: TextLog_Puts(log, "ESEC "); break; case IPOPT_SECURITY: TextLog_Puts(log, "SEC "); break; case IPOPT_LSRR: case IPOPT_LSRR_E: TextLog_Puts(log, "LSRR "); break; case IPOPT_SATID: TextLog_Puts(log, "SID "); break; case IPOPT_SSRR: TextLog_Puts(log, "SSRR "); break; case IPOPT_RTRALT: TextLog_Puts(log, "RTRALT "); break; default: TextLog_Print(log, "Opt %d: ", p->ip_options[i].code); if(p->ip_options[i].len) { for(j = 0; j < p->ip_options[i].len; j++) { if (p->ip_options[i].data) TextLog_Print(log, "%02X", p->ip_options[i].data[j]); else TextLog_Print(log, "%02X", 0); if((j % 2) == 0) TextLog_Putc(log, ' '); } } break; } } TextLog_NewLine(log); }
/*-------------------------------------------------------------------- * Function: LogIPHeader(TextLog* ) * * Purpose: Dump the IP header info to the given TextLog * * Arguments: log => TextLog to print to * * Returns: void function *-------------------------------------------------------------------- */ void LogIPHeader(TextLog* log, Packet * p) { if(!IPH_IS_VALID(p)) { TextLog_Print(log, "IP header truncated\n"); return; } if(p->frag_flag) { /* just print the straight IP header */ TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p))); TextLog_Puts(log, " -> "); TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p))); } else { if(GET_IPH_PROTO(p) != IPPROTO_TCP && GET_IPH_PROTO(p) != IPPROTO_UDP) { /* just print the straight IP header */ TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p))); TextLog_Puts(log, " -> "); TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p))); } else { if (!BcObfuscate()) { /* print the header complete with port information */ TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p))); TextLog_Print(log, ":%d -> ", p->sp); TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p))); TextLog_Print(log, ":%d", p->dp); } else { /* print the header complete with port information */ if(IS_IP4(p)) TextLog_Print(log, "xxx.xxx.xxx.xxx:%d -> xxx.xxx.xxx.xxx:%d", p->sp, p->dp); else if(IS_IP6(p)) TextLog_Print(log, "x:x:x:x:x:x:x:x:%d -> x:x:x:x:x:x:x:x:%d", p->sp, p->dp); } } } if(!BcOutputDataLink()) { TextLog_NewLine(log); } else { TextLog_Putc(log, ' '); } TextLog_Print(log, "%s TTL:%u TOS:0x%X ID:%u IpLen:%u DgmLen:%u", protocol_names[GET_IPH_PROTO(p)], GET_IPH_TTL(p), GET_IPH_TOS(p), IS_IP6(p) ? ntohl(GET_IPH_ID(p)) : ntohs((uint16_t)GET_IPH_ID(p)), GET_IPH_HLEN(p) << 2, GET_IP_DGMLEN(p)); /* print the reserved bit if it's set */ if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x8000) >> 15) == 1) TextLog_Puts(log, " RB"); /* printf more frags/don't frag bits */ if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x4000) >> 14) == 1) TextLog_Puts(log, " DF"); if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x2000) >> 13) == 1) TextLog_Puts(log, " MF"); TextLog_NewLine(log); /* print IP options */ if(p->ip_option_count != 0) { LogIpOptions(log, p); } /* print fragment info if necessary */ if(p->frag_flag) { TextLog_Print(log, "Frag Offset: 0x%04X Frag Size: 0x%04X\n", (p->frag_offset & 0x1FFF), GET_IP_PAYLEN(p)); } }
/*------------------------------------------------------------------- * TCP stuff cloned from log.c *------------------------------------------------------------------- */ static void LogTcpOptions(TextLog* log, Packet * p) { int i; int j; u_char tmp[5]; u_long init_offset; u_long print_offset; init_offset = TextLog_Tell(log); TextLog_Print(log, "TCP Options (%d) => ", p->tcp_option_count); if(p->tcp_option_count > 40 || !p->tcp_option_count) return; for(i = 0; i < (int) p->tcp_option_count; i++) { print_offset = TextLog_Tell(log); /** if((print_offset - init_offset) > 60) { TextLog_Puts(log, "\nTCP Options => "); init_offset = TextLog_Tell(log); } **/ switch(p->tcp_options[i].code) { case TCPOPT_MAXSEG: memset((char*)tmp, 0, sizeof(tmp)); TextLog_Puts(log, "MSS: "); if (p->tcp_options[i].data) memcpy(tmp, p->tcp_options[i].data, 2); TextLog_Print(log, "%u ", EXTRACT_16BITS(tmp)); break; case TCPOPT_EOL: TextLog_Puts(log, "EOL "); break; case TCPOPT_NOP: TextLog_Puts(log, "NOP "); break; case TCPOPT_WSCALE: if (p->tcp_options[i].data) TextLog_Print(log, "WS: %u ", p->tcp_options[i].data[0]); else TextLog_Print(log, "WS: %u ", 0); break; case TCPOPT_SACK: memset((char*)tmp, 0, sizeof(tmp)); if (p->tcp_options[i].data && (p->tcp_options[i].len >= 2)) memcpy(tmp, p->tcp_options[i].data, 2); TextLog_Print(log, "Sack: %u@", EXTRACT_16BITS(tmp)); memset((char*)tmp, 0, sizeof(tmp)); if (p->tcp_options[i].data && (p->tcp_options[i].len >= 4)) memcpy(tmp, (p->tcp_options[i].data) + 2, 2); TextLog_Print(log, "%u ", EXTRACT_16BITS(tmp)); break; case TCPOPT_SACKOK: TextLog_Puts(log, "SackOK "); break; case TCPOPT_ECHO: memset((char*)tmp, 0, sizeof(tmp)); if (p->tcp_options[i].data) memcpy(tmp, p->tcp_options[i].data, 4); TextLog_Print(log, "Echo: %u ", EXTRACT_32BITS(tmp)); break; case TCPOPT_ECHOREPLY: memset((char*)tmp, 0, sizeof(tmp)); if (p->tcp_options[i].data) memcpy(tmp, p->tcp_options[i].data, 4); TextLog_Print(log, "Echo Rep: %u ", EXTRACT_32BITS(tmp)); break; case TCPOPT_TIMESTAMP: memset((char*)tmp, 0, sizeof(tmp)); if (p->tcp_options[i].data) memcpy(tmp, p->tcp_options[i].data, 4); TextLog_Print(log, "TS: %u ", EXTRACT_32BITS(tmp)); memset((char*)tmp, 0, sizeof(tmp)); if (p->tcp_options[i].data) memcpy(tmp, (p->tcp_options[i].data) + 4, 4); TextLog_Print(log, "%u ", EXTRACT_32BITS(tmp)); break; case TCPOPT_CC: memset((char*)tmp, 0, sizeof(tmp)); if (p->tcp_options[i].data) memcpy(tmp, p->tcp_options[i].data, 4); TextLog_Print(log, "CC %u ", EXTRACT_32BITS(tmp)); break; case TCPOPT_CCNEW: memset((char*)tmp, 0, sizeof(tmp)); if (p->tcp_options[i].data) memcpy(tmp, p->tcp_options[i].data, 4); TextLog_Print(log, "CCNEW: %u ", EXTRACT_32BITS(tmp)); break; case TCPOPT_CCECHO: memset((char*)tmp, 0, sizeof(tmp)); if (p->tcp_options[i].data) memcpy(tmp, p->tcp_options[i].data, 4); TextLog_Print(log, "CCECHO: %u ", EXTRACT_32BITS(tmp)); break; default: if(p->tcp_options[i].len) { TextLog_Print(log, "Opt %d (%d): ", p->tcp_options[i].code, (int) p->tcp_options[i].len); for(j = 0; j < p->tcp_options[i].len; j++) { if (p->tcp_options[i].data) TextLog_Print(log, "%02X", p->tcp_options[i].data[j]); else TextLog_Print(log, "%02X", 0); if ((j + 1) % 2 == 0) TextLog_Putc(log, ' '); } TextLog_Putc(log, ' '); } else { TextLog_Print(log, "Opt %d ", p->tcp_options[i].code); } break; } } TextLog_NewLine(log); }