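/*
 * Write one "host info" record for a packet that carries no L4 header
 * (ARP / ICMP): source MAC and IP, an estimated hop distance derived from
 * the TTL, the cached hostname and the local/non-local flags.
 *
 * fd : open log, plain or gzip-compressed depending on fd->type
 * po : the sniffed packet the record describes
 *
 * Write failures are reported through ON_ERROR like the rest of the
 * logging code.  Both backends need more than an "== -1" check: gzwrite()
 * reports failure by returning 0 (never -1), and write() may return a
 * short count, so both are normalised to -1 on "not every byte landed".
 */
void log_write_info_arp_icmp(struct log_fd *fd, struct packet_object *po)
{
   struct log_header_info hi;
   int c, zerr;

   memset(&hi, 0, sizeof(hi));

   /* the mac address */
   memcpy(&hi.L2_addr, &po->L2.src, MEDIA_ADDR_LEN);

   /* the ip address */
   memcpy(&hi.L3_addr, &po->L3.src, sizeof(struct ip_addr));

   /*
    * hop distance: predicted initial TTL minus the observed one.
    * A TTL of 0 or 1 is not fed to the predictor and is stored as-is.
    */
   if (po->L3.ttl > 1)
      hi.distance = TTL_PREDICTOR(po->L3.ttl) - po->L3.ttl + 1;
   else
      hi.distance = po->L3.ttl;

   /* resolve the host (the cache may hold a passively sniffed DNS answer) */
   host_iptoa(&po->L3.src, hi.hostname);

   /*
    * ARP is link-local, so an ARP source is always a local host;
    * for anything else trust the flags set by the passive fingerprinter.
    */
   if (po->L3.proto == htons(LL_TYPE_ARP)) {
      hi.type |= LOG_ARP_HOST;
      hi.type |= FP_HOST_LOCAL;
   } else {
      hi.type = po->PASSIVE.flags;
   }

   LOG_LOCK;

   if (fd->type == LOG_COMPRESSED) {
      /* gzwrite() returns 0 on error, so map "fewer than sizeof(hi)" to -1 */
      c = gzwrite(fd->cfd, &hi, sizeof(hi));
      if (c != (int)sizeof(hi))
         c = -1;
      ON_ERROR(c, -1, "%s", gzerror(fd->cfd, &zerr));
   } else {
      /* write() may be short; keep going until the whole header is out */
      const unsigned char *p = (const unsigned char *)&hi;
      size_t done = 0;

      c = 0;
      while (done < sizeof(hi)) {
         ssize_t w = write(fd->fd, p + done, sizeof(hi) - done);
         /* a 0 return would spin forever, so treat it as a failure too */
         if (w <= 0) {
            c = -1;
            break;
         }
         done += (size_t)w;
      }
      ON_ERROR(c, -1, "Can't write to logfile");
   }

   LOG_UNLOCK;
}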
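/* 
 * details for a connection
 *
 * Callback of the connection list: (re)creates the "Connection detail:"
 * window for the chosen connection and prints its L2/L3/L4 endpoints,
 * the traffic counters and any credentials a dissector extracted from it.
 *
 * conn : a struct conn_tail * handed over as void * by the widget layer;
 *        NULL, or an entry without a connection object, is ignored.
 */
static void curses_connection_detail(void *conn)
{
   struct conn_tail *c = (struct conn_tail *)conn;
   char tmp[MAX_ASCII_ADDR_LEN];
   const char *proto = "";
   char name[MAX_HOSTNAME_LEN];
   unsigned int row = 0;
   
   DEBUG_MSG("curses_connection_detail");

   /* nothing to show without a connection */
   if (!c || !c->co)
      return;

   /* only one detail window at a time: tear a previous one down first */
   if (wdg_conn_detail) {
      wdg_destroy_object(&wdg_conn_detail);
      wdg_conn_detail = NULL;
   }
   
   wdg_create_object(&wdg_conn_detail, WDG_WINDOW, WDG_OBJ_WANT_FOCUS);
   
   wdg_set_title(wdg_conn_detail, "Connection detail:", WDG_ALIGN_LEFT);
   wdg_set_size(wdg_conn_detail, 1, 2, 75, 23);
   wdg_set_color(wdg_conn_detail, WDG_COLOR_SCREEN, EC_COLOR);
   wdg_set_color(wdg_conn_detail, WDG_COLOR_WINDOW, EC_COLOR);
   wdg_set_color(wdg_conn_detail, WDG_COLOR_BORDER, EC_COLOR_BORDER);
   wdg_set_color(wdg_conn_detail, WDG_COLOR_FOCUS, EC_COLOR_FOCUS);
   wdg_set_color(wdg_conn_detail, WDG_COLOR_TITLE, EC_COLOR_TITLE);
   wdg_draw_object(wdg_conn_detail);
 
   wdg_set_focus(wdg_conn_detail);
  
   /* CTRL-Q closes the window */
   wdg_add_destroy_key(wdg_conn_detail, CTRL('Q'), NULL);
   
   /*
    * L2 endpoints.
    * NOTE(review): hostnames and credentials below originate from sniffed
    * traffic; this relies on wdg_window_print rendering control characters
    * harmlessly -- verify in the widget layer.
    */
   wdg_window_print(wdg_conn_detail, 1, ++row,    "Source MAC address      :  %s", 
         mac_addr_ntoa(c->co->L2_addr1, tmp));
   wdg_window_print(wdg_conn_detail, 1, ++row,    "Destination MAC address :  %s", 
         mac_addr_ntoa(c->co->L2_addr2, tmp));
   ++row;

   /* L3 endpoints, each with hostname (if resolvable) and location (if GeoIP is on) */
   wdg_window_print(wdg_conn_detail, 1, ++row,    "Source IP address       :  %s", 
         ip_addr_ntoa(&(c->co->L3_addr1), tmp));
   if (host_iptoa(&(c->co->L3_addr1), name) == E_SUCCESS)
      wdg_window_print(wdg_conn_detail, 1, ++row, "Source hostname         :  %s", 
            name);
#ifdef HAVE_GEOIP
   if (GBL_CONF->geoip_support_enable)
      wdg_window_print(wdg_conn_detail, 1, ++row, "Source location         :  %s", 
            geoip_country_by_ip(&c->co->L3_addr1));
#endif
   
   wdg_window_print(wdg_conn_detail, 1, ++row,    "Destination IP address  :  %s", 
         ip_addr_ntoa(&(c->co->L3_addr2), tmp));
   if (host_iptoa(&(c->co->L3_addr2), name) == E_SUCCESS)
      wdg_window_print(wdg_conn_detail, 1, ++row, "Destination hostname    :  %s", name);
#ifdef HAVE_GEOIP
   if (GBL_CONF->geoip_support_enable)
      wdg_window_print(wdg_conn_detail, 1, ++row, "Destination location    :  %s",
            geoip_country_by_ip(&c->co->L3_addr2));
#endif
   ++row;

   /* L4: transport name, ports and their well-known service names */
   switch (c->co->L4_proto) {
      case NL_TYPE_UDP:
         proto = "UDP";
         break;
      case NL_TYPE_TCP:
         proto = "TCP";
         break;
      default:
         /* unknown transport: left blank */
         break;
   }
   
   wdg_window_print(wdg_conn_detail, 1, ++row, "Protocol                :  %s", proto);
   wdg_window_print(wdg_conn_detail, 1, ++row, "Source port             :  %-5d  %s", 
         ntohs(c->co->L4_addr1), service_search(c->co->L4_addr1, c->co->L4_proto));
   wdg_window_print(wdg_conn_detail, 1, ++row, "Destination port        :  %-5d  %s", 
         ntohs(c->co->L4_addr2), service_search(c->co->L4_addr2, c->co->L4_proto));
   
   /* traffic counters */
   row++;
   wdg_window_print(wdg_conn_detail, 1, ++row, "--> %d    <-- %d   total: %d ", c->co->tx, c->co->rx, c->co->xferred);
   
   /*
    * credentials extracted by a dissector.  user, pass and info are set
    * independently, so pass may be NULL even when user is not: never hand
    * a NULL pointer to %s.
    */
   row++;
   if (c->co->DISSECTOR.user) {
      wdg_window_print(wdg_conn_detail, 1, ++row, "Account                 :  %s / %s",
            c->co->DISSECTOR.user,
            c->co->DISSECTOR.pass ? c->co->DISSECTOR.pass : "");
      if (c->co->DISSECTOR.info)
         wdg_window_print(wdg_conn_detail, 1, ++row, "Additional Info         :  %s", c->co->DISSECTOR.info);
   }
}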
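/* largest value the 16-bit var.*_len header fields can carry */
enum { LOG_INFO_VAR_LEN_MAX = 0xffff };

/*
 * Length under which an optional dissector string is recorded: 0 for a
 * NULL pointer, otherwise strlen() clamped to LOG_INFO_VAR_LEN_MAX so the
 * length stored in the header and the bytes written after it always
 * agree (htons(strlen()) alone silently wraps for longer strings and
 * desynchronises every reader of the log).
 */
static size_t log_info_var_len(const char *s)
{
   size_t len;

   if (s == NULL)
      return 0;

   len = strlen(s);
   return (len > LOG_INFO_VAR_LEN_MAX) ? LOG_INFO_VAR_LEN_MAX : len;
}

/*
 * Write exactly len bytes of buf to the log and return 0, or -1 if any
 * byte was lost.  Neither backend can be checked with "== -1" alone:
 * gzwrite() reports failure by returning 0 (never -1), and write() may
 * legitimately return a short count, so both are normalised here.
 */
static int log_info_write_all(struct log_fd *fd, const void *buf, size_t len)
{
   const unsigned char *p = (const unsigned char *)buf;
   size_t done = 0;

   if (len == 0)
      return 0;

   if (fd->type == LOG_COMPRESSED)
      return (gzwrite(fd->cfd, buf, (unsigned)len) == (int)len) ? 0 : -1;

   while (done < len) {
      ssize_t w = write(fd->fd, p + done, len - done);
      /* a 0 return would spin forever, so treat it as a failure too */
      if (w <= 0)
         return -1;
      done += (size_t)w;
   }

   return 0;
}

/*
 * log_info_write_all() plus the backend-specific error report used by
 * the rest of the logging code (ON_ERROR).
 */
static void log_info_emit(struct log_fd *fd, const void *buf, size_t len)
{
   int c = log_info_write_all(fd, buf, len);
   int zerr;

   if (fd->type == LOG_COMPRESSED) {
      ON_ERROR(c, -1, "%s", gzerror(fd->cfd, &zerr));
   } else {
      ON_ERROR(c, -1, "Can't write to logfile");
   }
}

/*
 * Write the "host info" records for a packet that has an L4 header.
 *
 * Two records can be produced: hi describes the source host (MAC, IP,
 * open port, hop distance, OS fingerprint, banner) and hid the destination
 * host, which is where credentials extracted by a dissector belong
 * (user / pass / info, with the client address kept in hid.client).
 * Each fixed-size header is followed by its variable-length strings, whose
 * lengths are stored in network byte order in the header's var.*_len fields.
 *
 * Nothing is written when the packet carries no interesting information,
 * and hid is written only when there are credentials to attach to it.
 *
 * NOTE: captured credentials are stored verbatim, so the log file itself
 * is sensitive and must be protected accordingly.
 *
 * fd : open log, plain or gzip-compressed depending on fd->type
 * po : the sniffed packet the records describe
 */
void log_write_info(struct log_fd *fd, struct packet_object *po)
{
   struct log_header_info hi;
   struct log_header_info hid;
   size_t user_len, pass_len, info_len, banner_len;

   memset(&hi, 0, sizeof(hi));
   memset(&hid, 0, sizeof(hid));

   /* the mac addresses */
   memcpy(&hi.L2_addr, &po->L2.src, MEDIA_ADDR_LEN);
   memcpy(&hid.L2_addr, &po->L2.dst, MEDIA_ADDR_LEN);

   /* the ip addresses */
   memcpy(&hi.L3_addr, &po->L3.src, sizeof(struct ip_addr));
   /* the account must be associated with the server, so use dst */
   memcpy(&hid.L3_addr, &po->L3.dst, sizeof(struct ip_addr));

   /* the protocol */
   hi.L4_proto = po->L4.proto;
   hid.L4_proto = po->L4.proto;

   /*
    * a port is recorded only when it looks like a service: it is known to
    * be open, or a dissector got a banner (source) / credentials
    * (destination) out of it.
    */
   if (is_open_port(po->L4.proto, po->L4.src, po->L4.flags) || po->DISSECTOR.banner)
      hi.L4_addr = po->L4.src;
   else
      hi.L4_addr = 0;

   if (is_open_port(po->L4.proto, po->L4.dst, po->L4.flags) || po->DISSECTOR.user)
      hid.L4_addr = po->L4.dst;
   else
      hid.L4_addr = 0;

   /*
    * resolve the ip addresses: even if the resolv option was not
    * specified, the cache may hold an answer passively sniffed from DNS.
    */
   host_iptoa(&po->L3.src, hi.hostname);
   host_iptoa(&po->L3.dst, hid.hostname);

   /*
    * distance in hops: the difference between the predicted initial TTL
    * and the observed one.  Our own machine is at distance 0.
    */
   hi.distance = TTL_PREDICTOR(po->L3.ttl) - po->L3.ttl + 1;
   if (!ip_addr_cmp(&po->L3.src, &EC_GBL_IFACE->ip))
      hi.distance = 0;

   /* OS identification */
   memcpy(&hi.fingerprint, po->PASSIVE.fingerprint, FINGER_LEN);

   /* local / non-local flags of the source come from the passive fingerprinter */
   hi.type = po->PASSIVE.flags;

   /* for the destination they are derived from the address itself */
   switch (ip_addr_is_local(&po->L3.dst, NULL)) {
      case E_SUCCESS:
         hid.type |= FP_HOST_LOCAL;
         break;
      case -E_NOTFOUND:
         hid.type |= FP_HOST_NONLOCAL;
         break;
      case -E_INVALID:
         hid.type = FP_UNKNOWN;
         break;
      default:
         /* anything else leaves hid.type as zeroed by memset */
         break;
   }

   /* account information */
   hid.failed = po->DISSECTOR.failed;
   memcpy(&hid.client, &po->L3.src, sizeof(struct ip_addr));

   /*
    * lengths of the variable fields: computed once, clamped to what the
    * 16-bit header fields can hold, and reused for the writes below so
    * header and payload can never disagree.
    */
   user_len   = log_info_var_len(po->DISSECTOR.user);
   pass_len   = log_info_var_len(po->DISSECTOR.pass);
   info_len   = log_info_var_len(po->DISSECTOR.info);
   banner_len = log_info_var_len(po->DISSECTOR.banner);

   hid.var.user_len  = htons((unsigned short)user_len);
   hid.var.pass_len  = htons((unsigned short)pass_len);
   hid.var.info_len  = htons((unsigned short)info_len);
   hi.var.banner_len = htons((unsigned short)banner_len);

   /*
    * nothing interesting: no open port, no fingerprint, no credentials,
    * no banner.  hi was zeroed, so an empty fingerprint is detected from
    * its first byte without relying on NUL termination.
    */
   if (hi.L4_addr == 0 &&
       hi.fingerprint[0] == '\0' &&
       user_len == 0 &&
       pass_len == 0 &&
       info_len == 0 &&
       banner_len == 0) {
      return;
   }

   LOG_LOCK;

   /* source host header, then its variable field */
   log_info_emit(fd, &hi, sizeof(hi));
   log_info_emit(fd, po->DISSECTOR.banner, banner_len);

   /* hid is only worth writing when there are credentials to attach */
   if (user_len == 0 && pass_len == 0 && info_len == 0) {
      LOG_UNLOCK;
      return;
   }

   /* destination host header, then its variable fields */
   log_info_emit(fd, &hid, sizeof(hid));
   log_info_emit(fd, po->DISSECTOR.user, user_len);
   log_info_emit(fd, po->DISSECTOR.pass, pass_len);
   log_info_emit(fd, po->DISSECTOR.info, info_len);

   LOG_UNLOCK;
}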
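/* 
 * details for a connection
 *
 * Opens a "Connection Details" text window for the connection currently
 * selected in the connection list (column 9 of the list store carries the
 * struct conn_tail pointer) and prints its L2/L3/L4 endpoints, the byte
 * counter and any credentials a dissector extracted from it.
 * Does nothing when no row is selected or the row has no connection.
 */
static void gtkui_connection_detail(void)
{
   GtkTreeIter iter;
   GtkTreeModel *model;
   GtkTextBuffer *textbuf;
   char line[200];
   struct conn_tail *c = NULL;
   char tmp[MAX_ASCII_ADDR_LEN];
   const char *proto = "";
   char name[MAX_HOSTNAME_LEN];

   DEBUG_MSG("gtk_connection_detail");

   model = GTK_TREE_MODEL (ls_conns);

   /* nothing is selected */
   if (!gtk_tree_selection_get_selected (GTK_TREE_SELECTION (selection), &model, &iter))
      return;

   gtk_tree_model_get (model, &iter, 9, &c, -1);

   if (!c || !c->co)
      return;

   textbuf = gtkui_details_window("Connection Details");

   /* L2 endpoints */
   snprintf(line, sizeof(line), "Source MAC address      :  %s\n", mac_addr_ntoa(c->co->L2_addr1, tmp));
   gtkui_details_print(textbuf, line);

   snprintf(line, sizeof(line), "Destination MAC address :  %s\n\n", mac_addr_ntoa(c->co->L2_addr2, tmp));
   gtkui_details_print(textbuf, line);

   /* L3 endpoints, each followed by its hostname when one is known */
   snprintf(line, sizeof(line), "Source IP address      : \t%s\n", ip_addr_ntoa(&(c->co->L3_addr1), tmp));
   gtkui_details_print(textbuf, line);
   
   if (host_iptoa(&(c->co->L3_addr1), name) == ESUCCESS) {
      snprintf(line, sizeof(line), "                           %s\n", name);
      gtkui_details_print(textbuf, line);
   }

   snprintf(line, sizeof(line), "Destination IP address : \t%s\n", ip_addr_ntoa(&(c->co->L3_addr2), tmp));
   gtkui_details_print(textbuf, line);
   
   if (host_iptoa(&(c->co->L3_addr2), name) == ESUCCESS) {
      snprintf(line, sizeof(line), "                           %s\n", name);
      gtkui_details_print(textbuf, line);
   }

   gtkui_details_print(textbuf, "\n");

   /* L4: transport name, ports and their well-known service names */
   switch (c->co->L4_proto) {
      case NL_TYPE_UDP:
         proto = "UDP";
         break;
      case NL_TYPE_TCP:
         proto = "TCP";
         break;
      default:
         /* unknown transport: left blank */
         break;
   }

   snprintf(line, sizeof(line), "Protocol: \t\t\t%s\n", proto);
   gtkui_details_print(textbuf, line);

   snprintf(line, sizeof(line), "Source port: \t\t%-5d  %s\n", ntohs(c->co->L4_addr1), service_search(c->co->L4_addr1, c->co->L4_proto));
   gtkui_details_print(textbuf, line);

   snprintf(line, sizeof(line), "Destination port: \t%-5d  %s\n\n", ntohs(c->co->L4_addr2), service_search(c->co->L4_addr2, c->co->L4_proto));
   gtkui_details_print(textbuf, line);

   /* traffic counter */
   snprintf(line, sizeof(line), "Transferred bytes: %d\n\n", c->co->xferred);
   gtkui_details_print(textbuf, line);

   /*
    * credentials extracted by a dissector.  user, pass and info are set
    * independently, so pass may be NULL even when user is not: never hand
    * a NULL pointer to %s.  Strings longer than the line buffer are
    * truncated by snprintf.
    */
   if (c->co->DISSECTOR.user) {
      snprintf(line, sizeof(line), "Account: \t%s / %s",
            c->co->DISSECTOR.user,
            c->co->DISSECTOR.pass ? c->co->DISSECTOR.pass : "");
      gtkui_details_print(textbuf, line);

      if (c->co->DISSECTOR.info) {
         snprintf(line, sizeof(line), "  Additional Info: %s\n", c->co->DISSECTOR.info);
         gtkui_details_print(textbuf, line);
      }
   }
}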