/*
 * find_stream: locate the tracked stream a TCP segment belongs to.
 *
 * The table is keyed on the (saddr, source, daddr, dest) tuple as seen
 * from the CLIENT side, so a segment is looked up twice: first with its
 * own addressing (a client -> server packet), then with the tuple mirrored
 * (a server -> client packet).  *from_client is set to 1 or 0 accordingly
 * and is left untouched when nothing matches.
 *
 * Returns the matching tcp_stream, or 0 if the segment is not part of any
 * tracked connection.
 *
 * NOTE(review): each lookup walks one hash-bucket chain linearly, so the
 * cost per packet is bounded by chain length.  Whether mk_hash_index() is
 * keyed/randomised against attacker-chosen tuples (hash-flooding) is not
 * visible from this file -- confirm before relying on it under hostile load.
 */
struct tcp_stream *
find_stream(struct tcphdr * this_tcphdr, struct ip * this_iphdr, int *from_client)
{
  /* key[0] is the packet's own direction, key[1] the mirrored tuple. */
  struct tuple4 key[2];
  int dir;

  key[0].source = ntohs(this_tcphdr->th_sport);
  key[0].dest   = ntohs(this_tcphdr->th_dport);
  key[0].saddr  = this_iphdr->ip_src.s_addr;
  key[0].daddr  = this_iphdr->ip_dst.s_addr;

  key[1].source = key[0].dest;
  key[1].dest   = key[0].source;
  key[1].saddr  = key[0].daddr;
  key[1].daddr  = key[0].saddr;

  /* Forward direction is tried first; the mirrored one only if that fails. */
  for (dir = 0; dir < 2; dir++) {
    struct tcp_stream *node = tcp_stream_table[mk_hash_index(key[dir])];

    while (node && !b_comp(node->addr, key[dir]))
      node = node->next_node;

    if (node) {
      *from_client = (dir == 0);
      return node;
    }
  }
  return 0;
}
/*
 * add_new_tcp: start tracking a new TCP connection from its first SYN.
 *
 * Builds the 4-tuple key from the packet (sender = client), takes a
 * tcp_stream record from the free list, initialises the client half as
 * SYN_SENT and links the record into both the hash bucket
 * (tcp_stream_table) and the global age list (tcp_oldest .. tcp_latest).
 * Callers presumably only reach this for a SYN that find_stream() did not
 * match -- confirm at the call site.
 *
 * Security notes (reviewer):
 *  - Capacity is bounded by max_stream; once exceeded the OLDEST tracked
 *    stream is evicted unconditionally to make room.  A peer that can emit
 *    SYNs at will can therefore push legitimate, established streams out
 *    of the table (state-exhaustion evasion).  The NIDS_WARN_TCP_TOOMUCH
 *    syslog below is the only signal that this is happening.
 *  - If the free list is empty the process blocks in pause() (exits on
 *    WIN32).  Should pause() return because a signal handler ran, a_tcp is
 *    still NULL and the following line dereferences it.  This is a
 *    debugging trap, not error handling.
 */
static void add_new_tcp(struct tcphdr * this_tcphdr, struct ip * this_iphdr)
{
  struct tcp_stream *tolink;
  struct tcp_stream *a_tcp;
  int hash_index;
  struct tuple4 addr;

  /* Key the stream on the packet's own direction: the sender is the client. */
  addr.source = ntohs(this_tcphdr->th_sport);
  addr.dest = ntohs(this_tcphdr->th_dport);
  addr.saddr = this_iphdr->ip_src.s_addr;
  addr.daddr = this_iphdr->ip_dst.s_addr;
  hash_index = mk_hash_index(addr);

  if (tcp_num > max_stream) {
    struct lurker_node *i;
    /* Evict the least recently created stream: mark it timed out, give
       every registered listener a final callback, then release it.
       tcp_oldest is assumed non-NULL here because tcp_num > 0. */
    tcp_oldest->nids_state = NIDS_TIMED_OUT;
    for (i = tcp_oldest->listeners; i; i = i->next)
      (i->item) (tcp_oldest, &i->data);
    free_tcp(tcp_oldest);
    /* Logged with ugly_iphdr (a file-scope pointer, presumably the IP
       header currently being processed) rather than this_iphdr -- confirm
       both refer to the same packet. */
    nids_params.syslog(NIDS_WARN_TCP, NIDS_WARN_TCP_TOOMUCH, ugly_iphdr, this_tcphdr);
  }

  a_tcp = free_streams;
  if (!a_tcp) {
    /* Pool exhausted.  Presumably unreachable when the free list holds at
       least max_stream + 1 records (allocated elsewhere, not visible here). */
    fprintf(stderr, "gdb me ...\n");
#ifdef WIN32
    /* Exit here, I do not know of a function similar to pause() in WIN32 -- Mike */
    exit(-1);
#else
    pause();   /* NOTE(review): if this returns, a_tcp is NULL -> crash below */
#endif
  }
  free_streams = a_tcp->next_free;
  tcp_num++;

  tolink = tcp_stream_table[hash_index];
  /* Zero the whole record so nothing from the slot's previous owner
     (listeners, buffers, sequence state) survives reuse. */
  memset(a_tcp, 0, sizeof(struct tcp_stream));
  a_tcp->hash_index = hash_index;
  a_tcp->addr = addr;
  a_tcp->client.state = TCP_SYN_SENT;
  /* Next sequence number expected from the client: ISN + 1, since the SYN
     itself consumes one sequence number. */
  a_tcp->client.seq = ntohl(this_tcphdr->th_seq) + 1;
  a_tcp->client.first_data_seq = a_tcp->client.seq;
  a_tcp->client.window = ntohs(this_tcphdr->th_win);
  a_tcp->client.ts_on = get_ts(this_tcphdr, &a_tcp->client.curr_ts);
  a_tcp->server.state = TCP_CLOSE;

  /* Push onto the head of the hash bucket's doubly linked list. */
  a_tcp->next_node = tolink;
  a_tcp->prev_node = 0;
  if (tolink)
    tolink->prev_node = a_tcp;
  tcp_stream_table[hash_index] = a_tcp;

  /* Push onto the head of the age list: tcp_latest is the newest record,
     tcp_oldest (set only for the first record) the eviction candidate. */
  a_tcp->next_time = tcp_latest;
  a_tcp->prev_time = 0;
  if (!tcp_oldest)
    tcp_oldest = a_tcp;
  if (tcp_latest)
    tcp_latest->prev_time = a_tcp;
  tcp_latest = a_tcp;
}
/*
 * nids_find_tcp_stream: public exact-match lookup of a tracked stream.
 *
 * Walks the hash bucket selected by mk_hash_index(*addr) and returns the
 * first record whose key is byte-for-byte equal to *addr, or NULL when
 * there is none.  Unlike find_stream(), the mirrored (server -> client)
 * tuple is NOT tried; the caller must pass the client-side orientation
 * under which the stream was created.
 *
 * NOTE(review): the comparison is a raw memcmp over struct tuple4, so the
 * caller must fully initialise every field (and any padding, if the struct
 * has some -- its layout is not visible here).
 */
struct tcp_stream *
nids_find_tcp_stream(struct tuple4 *addr)
{
  struct tcp_stream *node;

  for (node = tcp_stream_table[mk_hash_index(*addr)]; node; node = node->next_node) {
    if (memcmp(&node->addr, addr, sizeof (struct tuple4)) == 0)
      break;
  }
  /* node is NULL here when the chain was exhausted without a match. */
  return node;
}
/*
 * add_new_tcp: start tracking a new TCP connection from its first SYN.
 *
 * Builds the 4-tuple key from the packet (sender = client), takes a
 * tcp_stream record from the free list, initialises the client half as
 * SYN_SENT (including window-scale option parsing) and links the record
 * into both the hash bucket (tcp_stream_table) and the global age list
 * (tcp_oldest .. tcp_latest).  With OSPLIT defined, the packet (or its
 * reassembled fragments) is additionally written to a per-stream trace
 * file.  Callers presumably only reach this for a SYN that find_stream()
 * did not match -- confirm at the call site.
 *
 * Security notes (reviewer):
 *  - Capacity is bounded by max_stream; once exceeded the OLDEST tracked
 *    stream is evicted unconditionally to make room.  A peer that can emit
 *    SYNs at will can therefore push legitimate, established streams out
 *    of the table (state-exhaustion evasion).
 *  - The NIDS_WARN_TCP_TOOMUCH syslog is deliberately suppressed when the
 *    evicted stream was still half-open (client in SYN_SENT).  That is
 *    exactly the state a SYN flood leaves behind, so the flood that causes
 *    the evictions is itself not logged -- an operator relying on this
 *    warning will not see it.
 *  - If the free list is empty the process blocks in pause().  Should
 *    pause() return because a signal handler ran, a_tcp is still NULL and
 *    the following line dereferences it.  Debugging trap, not error
 *    handling.
 */
static void add_new_tcp(struct tcphdr * this_tcphdr, struct ip * this_iphdr)
{
  struct tcp_stream *tolink;
  struct tcp_stream *a_tcp;
  int hash_index;
  struct tuple4 addr;

  /* Key the stream on the packet's own direction: the sender is the client. */
  addr.source = ntohs(this_tcphdr->th_sport);
  addr.dest = ntohs(this_tcphdr->th_dport);
  addr.saddr = this_iphdr->ip_src.s_addr;
  addr.daddr = this_iphdr->ip_dst.s_addr;
  hash_index = mk_hash_index(addr);

  if (tcp_num > max_stream) {
    struct lurker_node *i;
    /* Remember the victim's client state before it is freed; it decides
       below whether the eviction is reported. */
    int orig_client_state=tcp_oldest->client.state;
    /* Evict the least recently created stream: mark it timed out, give
       every registered listener a final callback, then release it.
       tcp_oldest is assumed non-NULL here because tcp_num > 0. */
    tcp_oldest->nids_state = NIDS_TIMED_OUT;
    for (i = tcp_oldest->listeners; i; i = i->next)
      (i->item) (tcp_oldest, &i->data);
    nids_free_tcp_stream(tcp_oldest);
    /* Half-open victims are evicted silently (see security note above).
       Logged with ugly_iphdr (a file-scope pointer, presumably the IP
       header currently being processed) rather than this_iphdr -- confirm
       both refer to the same packet. */
    if (orig_client_state!=TCP_SYN_SENT)
      nids_params.syslog(NIDS_WARN_TCP, NIDS_WARN_TCP_TOOMUCH, ugly_iphdr, this_tcphdr);
  }

  a_tcp = free_streams;
  if (!a_tcp) {
    /* Pool exhausted.  Presumably unreachable when the free list holds at
       least max_stream + 1 records (allocated elsewhere, not visible here).
       NOTE(review): if pause() returns, a_tcp is NULL -> crash below. */
    fprintf(stderr, "gdb me ...\n");
    pause();
  }
  free_streams = a_tcp->next_free;
  tcp_num++;

  tolink = tcp_stream_table[hash_index];
  /* Zero the whole record so nothing from the slot's previous owner
     (listeners, buffers, sequence state) survives reuse. */
  memset(a_tcp, 0, sizeof(struct tcp_stream));

#ifdef OSPLIT
  /* Trace-splitting build: declarations after statements need C99+. */
  struct ipfrag *frag_tag=this_fragments;
  struct ipfrag *ip_frag_next;
  /* ip_frag_next stays uninitialised when there are no fragments; the loop
     below then never reads it because frag_tag is NULL too. */
  if(this_fragments)
    ip_frag_next=this_fragments->next;
  /* Round-robin assignment of this stream to one of SPLIT_FILE_NUM trace
     files.  NOTE(review): if TCP_file_idx is a signed int, the increment
     eventually overflows (UB) and the modulo may go negative -- confirm
     its type where it is declared. */
  a_tcp->fp=split_file[(TCP_file_idx++)%SPLIT_FILE_NUM];
  /*write all fragment(s) to fp trace file*/
  if(is_frag==0) {
    /* Unfragmented: one pcap record for the packet as captured.  The
       length written is the header's own ip_len -- assumes an earlier
       layer already checked it against the captured length, otherwise
       this over-reads the capture buffer.  TODO confirm. */
    write_pcap_hdr(a_tcp->fp,(char*)nids_last_pcap_header,sizeof(struct pcap_sf_pkthdr));
    write_ip(a_tcp->fp,(char*)this_iphdr,ntohs(this_iphdr->ip_len),(char*)nids_last_pcap_header);
  } else {
    /*fragments*/
    /* One pcap record per original fragment; each node is freed as it is
       written.  The list head this_fragments is NOT cleared here and so
       points at freed memory afterwards unless the caller resets it --
       TODO confirm against the caller. */
    while(frag_tag!=NULL) {
      write_pcap_hdr(a_tcp->fp,(char*)(&(frag_tag->pcap_header)),sizeof(struct pcap_sf_pkthdr));
      write_ip(a_tcp->fp,(char*)frag_tag->skb->data,frag_tag->wtrace_len,(char*)(&(frag_tag->pcap_header)));
      free(frag_tag);
      frag_tag=ip_frag_next;
      if(ip_frag_next!=NULL)
        ip_frag_next=ip_frag_next->next;
    }
    is_frag=0;
  }
  /*set statistic info*/
  store_flag=1;
#endif

  a_tcp->hash_index = hash_index;
  a_tcp->addr = addr;
  a_tcp->client.state = TCP_SYN_SENT;
  /* Next sequence number expected from the client: ISN + 1, since the SYN
     itself consumes one sequence number. */
  a_tcp->client.seq = ntohl(this_tcphdr->th_seq) + 1;
  a_tcp->client.first_data_seq = a_tcp->client.seq;
  a_tcp->client.window = ntohs(this_tcphdr->th_win);
  /* TCP options from the SYN: timestamps and window scale, both parsed
     from the untrusted header by helpers defined elsewhere. */
  a_tcp->client.ts_on = get_ts(this_tcphdr, &a_tcp->client.curr_ts);
  a_tcp->client.wscale_on = get_wscale(this_tcphdr, &a_tcp->client.wscale);
  a_tcp->server.state = TCP_CLOSE;

  /* Push onto the head of the hash bucket's doubly linked list. */
  a_tcp->next_node = tolink;
  a_tcp->prev_node = 0;
  if (tolink)
    tolink->prev_node = a_tcp;
  tcp_stream_table[hash_index] = a_tcp;

  /* Push onto the head of the age list: tcp_latest is the newest record,
     tcp_oldest (set only for the first record) the eviction candidate. */
  a_tcp->next_time = tcp_latest;
  a_tcp->prev_time = 0;
  if (!tcp_oldest)
    tcp_oldest = a_tcp;
  if (tcp_latest)
    tcp_latest->prev_time = a_tcp;
  tcp_latest = a_tcp;
}