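/*
 * Write a host-info record for a host learned only from ARP or ICMP traffic
 * (there is no L4 data, so only the fixed-size header is logged).
 *
 * fd : open log descriptor; fd->type selects gzip (LOG_COMPRESSED) or plain output
 * po : the captured packet the host was learned from
 *
 * Failures are reported through ON_ERROR like the rest of the logging code.
 * Note that gzwrite() signals failure by returning 0, never -1, and that a
 * plain write() may be short; both cases are checked here so that a record
 * cannot be silently lost or truncated in the log.
 */
void log_write_info_arp_icmp(struct log_fd *fd, struct packet_object *po)
{
   struct log_header_info hi;
   int zerr;

   memset(&hi, 0, sizeof hi);

   /* the mac address */
   memcpy(&hi.L2_addr, &po->L2.src, MEDIA_ADDR_LEN);

   /* the ip address */
   memcpy(&hi.L3_addr, &po->L3.src, sizeof(struct ip_addr));

   /* set the distance: hops from the predicted initial ttl, or the raw ttl when it is already <= 1 */
   if (po->L3.ttl > 1)
      hi.distance = TTL_PREDICTOR(po->L3.ttl) - po->L3.ttl + 1;
   else
      hi.distance = po->L3.ttl;

   /* resolve the host */
   host_iptoa(&po->L3.src, hi.hostname);

   /* local, non local ecc ecc: a host seen through ARP is flagged as local */
   if (po->L3.proto == htons(LL_TYPE_ARP)) {
      hi.type |= LOG_ARP_HOST;
      hi.type |= FP_HOST_LOCAL;
   } else {
      hi.type = po->PASSIVE.flags;
   }

   LOG_LOCK;

   if (fd->type == LOG_COMPRESSED) {
      /* gzwrite() returns the byte count, or 0 on error (the record is never empty) */
      int c = gzwrite(fd->cfd, &hi, sizeof hi);
      ON_ERROR(c, 0, "%s", gzerror(fd->cfd, &zerr));
   } else {
      /* write() may return fewer bytes than requested; keep going until the record is complete */
      const unsigned char *p = (const unsigned char *)&hi;
      size_t left = sizeof hi;

      while (left > 0) {
         ssize_t w = write(fd->fd, p, left);
         ON_ERROR(w, -1, "Can't write to logfile");
         ON_ERROR(w, 0, "Can't write to logfile");
         p += w;
         left -= (size_t)w;
      }
   }

   LOG_UNLOCK;
}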
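/*
 * details for a connection
 *
 * conn is the struct conn_tail chosen in the connection list (handed over as
 * void * by the widget callback).  Any previous detail window is destroyed,
 * a new "Connection detail:" window is created and one line per field is
 * printed into it.  Nothing is drawn when conn carries no connection object.
 */
static void curses_connection_detail(void *conn)
{
   struct conn_tail *c = (struct conn_tail *)conn;
   char tmp[MAX_ASCII_ADDR_LEN];
   const char *proto = "";
   char name[MAX_HOSTNAME_LEN];
   unsigned int row = 0;

   DEBUG_MSG("curses_connection_detail");

   /* every print below dereferences c->co; bail out early instead of crashing */
   if (!c || !c->co)
      return;

   /* if the object already exist, set the focus to it */
   if (wdg_conn_detail) {
      wdg_destroy_object(&wdg_conn_detail);
      wdg_conn_detail = NULL;
   }

   wdg_create_object(&wdg_conn_detail, WDG_WINDOW, WDG_OBJ_WANT_FOCUS);

   wdg_set_title(wdg_conn_detail, "Connection detail:", WDG_ALIGN_LEFT);
   wdg_set_size(wdg_conn_detail, 1, 2, 75, 23);
   wdg_set_color(wdg_conn_detail, WDG_COLOR_SCREEN, EC_COLOR);
   wdg_set_color(wdg_conn_detail, WDG_COLOR_WINDOW, EC_COLOR);
   wdg_set_color(wdg_conn_detail, WDG_COLOR_BORDER, EC_COLOR_BORDER);
   wdg_set_color(wdg_conn_detail, WDG_COLOR_FOCUS, EC_COLOR_FOCUS);
   wdg_set_color(wdg_conn_detail, WDG_COLOR_TITLE, EC_COLOR_TITLE);
   wdg_draw_object(wdg_conn_detail);

   wdg_set_focus(wdg_conn_detail);

   /* add the destroy callback */
   wdg_add_destroy_key(wdg_conn_detail, CTRL('Q'), NULL);

   /* print the information (row is pre-incremented, so each call takes the next line) */
   wdg_window_print(wdg_conn_detail, 1, ++row, "Source MAC address : %s", mac_addr_ntoa(c->co->L2_addr1, tmp));
   wdg_window_print(wdg_conn_detail, 1, ++row, "Destination MAC address : %s", mac_addr_ntoa(c->co->L2_addr2, tmp));
   ++row;

   wdg_window_print(wdg_conn_detail, 1, ++row, "Source IP address : %s", ip_addr_ntoa(&(c->co->L3_addr1), tmp));
   if (host_iptoa(&(c->co->L3_addr1), name) == E_SUCCESS)
      wdg_window_print(wdg_conn_detail, 1, ++row, "Source hostname : %s", name);
#ifdef HAVE_GEOIP
   if (GBL_CONF->geoip_support_enable)
      wdg_window_print(wdg_conn_detail, 1, ++row, "Source location : %s", geoip_country_by_ip(&c->co->L3_addr1));
#endif

   wdg_window_print(wdg_conn_detail, 1, ++row, "Destination IP address : %s", ip_addr_ntoa(&(c->co->L3_addr2), tmp));
   if (host_iptoa(&(c->co->L3_addr2), name) == E_SUCCESS)
      wdg_window_print(wdg_conn_detail, 1, ++row, "Destination hostname : %s", name);
#ifdef HAVE_GEOIP
   if (GBL_CONF->geoip_support_enable)
      wdg_window_print(wdg_conn_detail, 1, ++row, "Destination location : %s", geoip_country_by_ip(&c->co->L3_addr2));
#endif
   ++row;

   switch (c->co->L4_proto) {
      case NL_TYPE_UDP:
         proto = "UDP";
         break;
      case NL_TYPE_TCP:
         proto = "TCP";
         break;
      default:
         /* anything else is shown with an empty protocol name */
         break;
   }

   wdg_window_print(wdg_conn_detail, 1, ++row, "Protocol : %s", proto);
   wdg_window_print(wdg_conn_detail, 1, ++row, "Source port : %-5d %s", ntohs(c->co->L4_addr1), service_search(c->co->L4_addr1, c->co->L4_proto));
   wdg_window_print(wdg_conn_detail, 1, ++row, "Destination port : %-5d %s", ntohs(c->co->L4_addr2), service_search(c->co->L4_addr2, c->co->L4_proto));
   row++;

   wdg_window_print(wdg_conn_detail, 1, ++row, "--> %d <-- %d total: %d ", c->co->tx, c->co->rx, c->co->xferred);
   row++;

   if (c->co->DISSECTOR.user) {
      /* the password may not have been captured; "%s" on a NULL pointer is undefined behaviour */
      const char *pass = c->co->DISSECTOR.pass ? c->co->DISSECTOR.pass : "";

      wdg_window_print(wdg_conn_detail, 1, ++row, "Account : %s / %s", c->co->DISSECTOR.user, pass);
      if (c->co->DISSECTOR.info)
         wdg_window_print(wdg_conn_detail, 1, ++row, "Additional Info : %s", c->co->DISSECTOR.info);
   }
}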
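/*
 * Write len bytes from buf to the log, honouring fd->type.
 *
 * gzwrite() reports failure by returning 0 (never -1), and a plain write()
 * may be short, so each path is checked explicitly; failures go through
 * ON_ERROR like the rest of the logging code.  A zero-length chunk is a
 * no-op.  Called by log_write_info with LOG_LOCK already held.
 */
static void log_emit_chunk(struct log_fd *fd, const void *buf, size_t len)
{
   if (len == 0)
      return;

   if (fd->type == LOG_COMPRESSED) {
      int zerr;
      int c = gzwrite(fd->cfd, buf, len);
      ON_ERROR(c, 0, "%s", gzerror(fd->cfd, &zerr));
   } else {
      const unsigned char *p = buf;
      size_t left = len;

      while (left > 0) {
         ssize_t w = write(fd->fd, p, left);
         ON_ERROR(w, -1, "Can't write to logfile");
         ON_ERROR(w, 0, "Can't write to logfile");
         p += w;
         left -= (size_t)w;
      }
   }
}

/*
 * Length of an optional dissector string as it will be logged.
 *
 * The var.*_len fields are 16-bit (they are stored with htons), so the
 * payload written after the header is clamped to what the header can
 * declare; otherwise a reader following the length field would
 * desynchronise.  NULL counts as an empty string.
 */
static size_t log_field_len(const char *s)
{
   size_t len = s ? strlen(s) : 0;
   return len > UINT16_MAX ? UINT16_MAX : len;
}

/*
 * Write the host-info record(s) for a packet.
 *
 * fd : open log descriptor; fd->type selects gzip (LOG_COMPRESSED) or plain output
 * po : the captured packet
 *
 * Two records are built: hi describes the source host (open port, banner,
 * fingerprint, distance) and hid describes the destination host together
 * with the credentials the dissectors captured for it.  Nothing is written
 * when the packet carries no open port, no fingerprint, no banner and no
 * credentials; hid is written only when there is account information.
 */
void log_write_info(struct log_fd *fd, struct packet_object *po)
{
   struct log_header_info hi;   /* record for the source host */
   struct log_header_info hid;  /* record for the destination (server) host */
   size_t user_len, pass_len, info_len, banner_len;

   memset(&hi, 0, sizeof hi);
   memset(&hid, 0, sizeof hid);

   /* the mac address */
   memcpy(&hi.L2_addr, &po->L2.src, MEDIA_ADDR_LEN);
   memcpy(&hid.L2_addr, &po->L2.dst, MEDIA_ADDR_LEN);

   /* the ip address */
   memcpy(&hi.L3_addr, &po->L3.src, sizeof(struct ip_addr));
   /* the account must be associated with the server, so use dst */
   memcpy(&hid.L3_addr, &po->L3.dst, sizeof(struct ip_addr));

   /* the protocol */
   hi.L4_proto = po->L4.proto;
   hid.L4_proto = po->L4.proto;

   /* open on the source ? (a banner also proves the port is serving) */
   if (is_open_port(po->L4.proto, po->L4.src, po->L4.flags))
      hi.L4_addr = po->L4.src;
   else if (po->DISSECTOR.banner)
      hi.L4_addr = po->L4.src;
   else
      hi.L4_addr = 0;

   /* open on the dest ? (captured credentials also prove it) */
   if (is_open_port(po->L4.proto, po->L4.dst, po->L4.flags))
      hid.L4_addr = po->L4.dst;
   else if (po->DISSECTOR.user)
      hid.L4_addr = po->L4.dst;
   else
      hid.L4_addr = 0;

   /*
    * resolves the ip address.
    *
    * even if the resolv option was not specified,
    * the cache may have the dns answer passively sniffed.
    */
   host_iptoa(&po->L3.src, hi.hostname);
   host_iptoa(&po->L3.dst, hid.hostname);

   /*
    * distance in hop :
    *
    * the distance is calculated as the difference between the
    * predicted initial ttl number and the current ttl value.
    */
   hi.distance = TTL_PREDICTOR(po->L3.ttl) - po->L3.ttl + 1;

   /* our machine is at distance 0 (special case) */
   if (!ip_addr_cmp(&po->L3.src, &EC_GBL_IFACE->ip))
      hi.distance = 0;

   /* OS identification */
   memcpy(&hi.fingerprint, po->PASSIVE.fingerprint, FINGER_LEN);

   /* local, non local ecc ecc */
   hi.type = po->PASSIVE.flags;

   /* calculate if the dest is local or not */
   switch (ip_addr_is_local(&po->L3.dst, NULL)) {
      case E_SUCCESS:
         hid.type |= FP_HOST_LOCAL;
         break;
      case -E_NOTFOUND:
         hid.type |= FP_HOST_NONLOCAL;
         break;
      case -E_INVALID:
         hid.type = FP_UNKNOWN;
         break;
      default:
         /* any other result leaves the locality bits untouched */
         break;
   }

   /* set account information */
   hid.failed = po->DISSECTOR.failed;
   memcpy(&hid.client, &po->L3.src, sizeof(struct ip_addr));

   /* set the length of the fields (computed once, reused when the payload is written) */
   user_len = log_field_len(po->DISSECTOR.user);
   pass_len = log_field_len(po->DISSECTOR.pass);
   info_len = log_field_len(po->DISSECTOR.info);
   banner_len = log_field_len(po->DISSECTOR.banner);

   hid.var.user_len = htons((uint16_t)user_len);
   hid.var.pass_len = htons((uint16_t)pass_len);
   hid.var.info_len = htons((uint16_t)info_len);
   hi.var.banner_len = htons((uint16_t)banner_len);

   /* check if the packet is interesting... else return */
   if (hi.L4_addr == 0 &&                  /* the port is not open */
       hi.fingerprint[0] == '\0' &&        /* no fingerprint */
       user_len == 0 &&                    /* no user and pass infos... */
       pass_len == 0 &&
       info_len == 0 &&
       banner_len == 0) {
      return;
   }

   LOG_LOCK;

   /* source host header, then its variable field */
   log_emit_chunk(fd, &hi, sizeof hi);
   log_emit_chunk(fd, po->DISSECTOR.banner, banner_len);

   /* write hid only if there is user and pass infos */
   if (user_len != 0 || pass_len != 0 || info_len != 0) {
      log_emit_chunk(fd, &hid, sizeof hid);
      log_emit_chunk(fd, po->DISSECTOR.user, user_len);
      log_emit_chunk(fd, po->DISSECTOR.pass, pass_len);
      log_emit_chunk(fd, po->DISSECTOR.info, info_len);
   }

   LOG_UNLOCK;
}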
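/*
 * details for a connection
 *
 * Opens a "Connection Details" text window for the connection currently
 * selected in ls_conns and prints its addresses, hostnames, ports, the byte
 * count and any credentials captured by the dissectors.  Does nothing when
 * no row is selected or the row carries no connection object.
 */
static void gtkui_connection_detail(void)
{
   GtkTreeIter iter;
   GtkTreeModel *model;
   GtkTextBuffer *textbuf;
   char line[200];
   struct conn_tail *c = NULL;
   char tmp[MAX_ASCII_ADDR_LEN];
   const char *proto = "";
   char name[MAX_HOSTNAME_LEN];

   DEBUG_MSG("gtk_connection_detail");

   model = GTK_TREE_MODEL (ls_conns);

   /* column 9 of the list store holds the conn_tail pointer of the row */
   if (gtk_tree_selection_get_selected (GTK_TREE_SELECTION (selection), &model, &iter)) {
      gtk_tree_model_get (model, &iter, 9, &c, -1);
   } else
      return; /* nothing is selected */

   if (!c || !c->co)
      return;

   textbuf = gtkui_details_window("Connection Details");

   snprintf(line, sizeof line, "Source MAC address : %s\n", mac_addr_ntoa(c->co->L2_addr1, tmp));
   gtkui_details_print(textbuf, line);

   snprintf(line, sizeof line, "Destination MAC address : %s\n\n", mac_addr_ntoa(c->co->L2_addr2, tmp));
   gtkui_details_print(textbuf, line);

   snprintf(line, sizeof line, "Source IP address : \t%s\n", ip_addr_ntoa(&(c->co->L3_addr1), tmp));
   gtkui_details_print(textbuf, line);

   if (host_iptoa(&(c->co->L3_addr1), name) == ESUCCESS) {
      snprintf(line, sizeof line, " %s\n", name);
      gtkui_details_print(textbuf, line);
   }

   snprintf(line, sizeof line, "Destination IP address : \t%s\n", ip_addr_ntoa(&(c->co->L3_addr2), tmp));
   gtkui_details_print(textbuf, line);

   if (host_iptoa(&(c->co->L3_addr2), name) == ESUCCESS) {
      snprintf(line, sizeof line, " %s\n", name);
      gtkui_details_print(textbuf, line);
   }

   gtkui_details_print(textbuf, "\n");

   /* Protocol */
   switch (c->co->L4_proto) {
      case NL_TYPE_UDP:
         proto = "UDP";
         break;
      case NL_TYPE_TCP:
         proto = "TCP";
         break;
      default:
         /* anything else is shown with an empty protocol name */
         break;
   }

   snprintf(line, sizeof line, "Protocol: \t\t\t%s\n", proto);
   gtkui_details_print(textbuf, line);

   snprintf(line, sizeof line, "Source port: \t\t%-5d %s\n", ntohs(c->co->L4_addr1), service_search(c->co->L4_addr1, c->co->L4_proto));
   gtkui_details_print(textbuf, line);

   snprintf(line, sizeof line, "Destination port: \t%-5d %s\n\n", ntohs(c->co->L4_addr2), service_search(c->co->L4_addr2, c->co->L4_proto));
   gtkui_details_print(textbuf, line);

   snprintf(line, sizeof line, "Transferred bytes: %d\n\n", c->co->xferred);
   gtkui_details_print(textbuf, line);

   /* Login Information */
   if (c->co->DISSECTOR.user) {
      /* the password may not have been captured; "%s" on a NULL pointer is undefined behaviour */
      const char *pass = c->co->DISSECTOR.pass ? c->co->DISSECTOR.pass : "";

      snprintf(line, sizeof line, "Account: \t%s / %s", c->co->DISSECTOR.user, pass);
      gtkui_details_print(textbuf, line);

      if (c->co->DISSECTOR.info) {
         snprintf(line, sizeof line, " Additional Info: %s\n", c->co->DISSECTOR.info);
         gtkui_details_print(textbuf, line);
      }
   }
}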