Commit 231eac83 authored by 's avatar
Browse files

tracklib


git-svn-id: file:///home/svn/mapi/trunk@255 8d5bb341-7cf1-0310-8cf6-ba355fef3186
parent b77658bf
CC = gcc
INCLUDE = -I. -I..
CFLAGS = -g -Wall -Wsign-compare -Wpointer-arith -Wnested-externs \
-Wmissing-declarations -Wcast-align -D_GNU_SOURCE $(INCLUDE) \
-DDEBUG=1
TARGETS = tracklib.so
all: $(TARGETS)
tracklib.o: tracklib.c ../mapidflib.h ../mapi.h
$(CC) $(CFLAGS) -c $<
tracklib.so: tracklib.o trackftp.o ../flist.o
$(CC) $(CFLAGS) -shared -o $@ $^ -lfl -lrt -L.. -L. $(LIB_DIR)
cp tracklib.so ..
trackftp.o: trackftp.c
$(CC) $(CFLAGS) -c $<
clean:
rm -f *.o *.so *- $(TARGETS)
File added
/*******************************************
*
* Testing PKT_COUNTER
*
*******************************************/
#include <stdio.h>
#include <unistd.h>
#include "../mapi.h"
int main(MAPI_UNUSED int argc, char *argv[])
{
int fd;
int fid,fid2,fid3,fid4;
int *cnt,*cnt2,*cnt3,*cnt4;
if(!argv[1])
{
printf("\nWrong arguments\n");
return -1;
}
fd=mapi_create_offline_flow(argv[1],MFF_PCAP);
fid=mapi_apply_function(fd,"PKT_COUNTER");
fid2=mapi_apply_function(fd,"BYTE_COUNTER");
mapi_apply_function(fd,"TRACK_FTP");
fid3=mapi_apply_function(fd,"PKT_COUNTER");
fid4=mapi_apply_function(fd,"BYTE_COUNTER");
mapi_connect(fd);
cnt=mapi_read_results(fd,fid,MAPI_REF);
cnt2=mapi_read_results(fd,fid2,MAPI_REF);
cnt3=mapi_read_results(fd,fid3,MAPI_REF);
cnt4=mapi_read_results(fd,fid4,MAPI_REF);
while(1)
{
sleep(1);
printf("Total packets: %d Total bytes: %d FTP packets: %d FTP bytes: %d\n",*cnt,*cnt2,*cnt3,*cnt4);
}
mapi_close_flow(fd);
printf("\nPKT_COUNTER OK\n");
return 0;
}
#include <stdlib.h>
#include <stdio.h>
#include <sys/shm.h>
#include <string.h>
#include <errno.h>
#include "mapidflib.h"
#include "mapidlib.h"
#include "mapidevices.h"
#include "mapid.h"
#include "fhelp.h"
#include <netinet/in.h>
#include "list.h"
#include "protocols.h"
#include "trackftp.h"
static int trackftp_init(mapidflib_function_instance_t *instance,
flist_t *flist)
{
/*
* Initialise list of filters, counters.
*/
//list_init(filters, NULL);
instance->internal_data = malloc(sizeof(track_ftp_results));
((track_ftp_results *)(instance->internal_data))->total_byte_count=0;
((track_ftp_results *)(instance->internal_data))->total_pkt_count=0;
((track_ftp_results *)(instance->internal_data))->filters=malloc(sizeof(flist_t));
flist_init(((track_ftp_results *)(instance->internal_data))->filters);
return 0;
}
void add_to_list(flist_t *list,unsigned int address1,unsigned short port1,unsigned int address2,unsigned short port2) {
struct extract_filter *newnode;
newnode=malloc(sizeof(struct extract_filter));
newnode->address1=address1;
newnode->address2=address2;
newnode->port1=port1;
newnode->port2=port2;
flist_append(list,0,newnode);
}
int extract_ports(char *payload,int len,struct extract_res *res) {
int i=0;
/*printf("-----------\n");
for(i=0;i<len;i++)
printf("%c",payload[i]);
printf("\n\n");
*/
unsigned char *ptr,*tmp;
unsigned char address[4];
unsigned char port[2];
unsigned int *addr;
if(strncmp(payload,"PORT",4)==0 || strncmp(payload,"PASV",4)==0) {
ptr=payload+5;
for(i=0;i<4;i++) {
tmp=ptr;
while(*tmp!=',')
tmp++;
*tmp='\0';
address[i]=atoi(ptr);
ptr=tmp+1;
}
tmp=ptr;
while(*tmp!=',')
tmp++;
*tmp='\0';
port[0]=atoi(ptr);
ptr=tmp+1;
while(*tmp!='\r')
tmp++;
*tmp='\0';
port[1]=atoi(ptr);
res->port=ntohs((port[0]<<8)+port[1]);
addr=(unsigned int *)(&address[0]);
res->address=*addr;
printf("port: %d\n",res->port);
if(strncmp(payload,"PORT",4)==0)
res->method=METHOD_PORT;
else
res->method=METHOD_PASV;
return 1;
}
return 0;
}
static int trackftp_process(mapidflib_function_instance_t *instance,
const unsigned char* dev_pkt,
const unsigned char* link_pkt,
mapid_pkthdr_t* pkt_head)
{
/*
* Process is as follows:
* 1. If packet's src/dst port == 21, then..
* a. Increase counters,
* b. If packet implies the start of a transfer, add a filter to the list.
* 2. If packet's src/dst port and src/dst hostname match those in the list..
* a. Increase counters.
* b. If packet implies the end of a transfer, remove filter from list.
*/
ether_header *eth = NULL;
ip_header *ip = NULL;
tcp_header *tcp = NULL;
udp_header *udp = NULL;
int ether_len = 0, ip_len = 0, tcp_len = 0;
unsigned int src_ip,dst_ip;
unsigned short dst_port, src_port;
struct extract_res res;
unsigned char *payload;
int len;
flist_node_t *node;
struct extract_filter *filter;
track_ftp_results *data = (track_ftp_results *)instance->internal_data;
eth = (ether_header *)link_pkt;
ether_len = sizeof(ether_header);
ip = (ip_header *) (link_pkt + ether_len);
ip_len = (ip->ver_ihl & 0xf) * 4;
src_ip = *((unsigned int *)&(ip->saddr));
dst_ip = *((unsigned int *)&(ip->daddr));
switch(ip->ptcl)
{
case IPPROTO_TCP:
tcp = (tcp_header *)(link_pkt + ether_len + ip_len);
tcp_len = tcp->off * 4;
src_port = ntohs(tcp->sport);
dst_port = ntohs(tcp->dport);
if(src_port == 21 || dst_port == 21)
{
data->total_pkt_count++;
data->total_byte_count += pkt_head->wlen;
payload = link_pkt + ether_len + ip_len + tcp_len;
len = pkt_head->wlen - (payload-link_pkt);
//printf("FTP Packet with payload len: %d\n",len);
if(len>4 && extract_ports(payload,len,&res)){
if(res.method==METHOD_PORT) {
add_to_list(data->filters,res.address,res.port,dst_ip,ntohs(20));
}
else { //PASV
add_to_list(data->filters,res.address,res.port,dst_ip,tcp->dport);
}
}
return 1;
}
node=flist_head(data->filters);
while(node) {
filter=flist_data(node);
//printf("Packet:: %u,%d -> %u,%d Filter:: %u,%d -> %u,%d \n",src_ip,tcp->sport,dst_ip,tcp->dport,filter->address1,filter->port1,filter->address2,filter->port2);
if(
(src_ip==filter->address1 && dst_ip==filter->address2 && tcp->sport==filter->port1 && tcp->dport==filter->port2)
||(src_ip==filter->address2 && dst_ip==filter->address1 && tcp->sport==filter->port2 && tcp->dport==filter->port1)) {
//printf("Match!!!!!!!!\n");
data->total_pkt_count++;
data->total_byte_count += pkt_head->wlen;
return 1;
}
node=flist_next(node);
}
break;
}
return 0;
}
static int trackftp_reset(mapidflib_function_instance_t *instance)
{
((track_ftp_results *)instance->result.data)->total_pkt_count = 0;
((track_ftp_results *)instance->result.data)->total_byte_count = 0;
return 0;
}
static int trackftp_cleanup(mapidflib_function_instance_t *instance)
{
return 0;
}
/*
static int <funct_name>_client_init(mapidflib_function_instance_t *instance,
void* data)
{
return 0;
}
static int <funct_name>_client_read_result(mapidflib_function_instance_t* instance,
mapid_result_t *res)
{
return 0;
}
static int <funct_name>_client_cleanup(mapidflib_function_instance_t* instance)
{
return 0;
}
*/
static mapidflib_function_def_t finfo={
"", //libname
"TRACK_FTP", //name
"Keeps track of all FTP traffic.\n", //descr
"", //argdescr
MAPI_DEVICE_ALL, //devtype
MAPIRES_SHM, //Method for returning results
sizeof(track_ftp_results), //shm size
0, //modifies_pkts
NULL, //instance
trackftp_init, //init
trackftp_process, //process
NULL, //get_result,
NULL, //change_args
trackftp_reset, //reset
trackftp_cleanup, //cleanup
NULL, //client_init
NULL, //client_read_result
NULL //client_cleanup
};
mapidflib_function_def_t* trackftp_get_funct_info();
mapidflib_function_def_t* trackftp_get_funct_info() {
return &finfo;
};
#ifndef _TRACK_FTP
#define _TRACK_FTP
#define METHOD_PASV 1
#define METHOD_PORT 2
struct extract_res {
unsigned int address;
unsigned short port;
char method;
};
typedef struct _track_ftp_results
{
unsigned long long total_pkt_count;
unsigned long long total_byte_count;
list_t *filters;
} track_ftp_results;
struct extract_filter {
unsigned int address1;
unsigned short port1;
unsigned int address2;
unsigned short port2;
};
int extract_ports(char *, int, struct extract_res *);
#endif
//Thu Nov 10 12:30:25 2005
//This file was created automatically by createlib.pl
#include <stdio.h>
#include "mapidflib.h"
#include "debug.h"
char libname[]="tracklib";
__attribute__ ((constructor)) void init ();
__attribute__ ((destructor)) void fini ();
mapidflib_functionlist_t functions[1];
extern mapidflib_function_def_t * trackftp_get_funct_info();
mapidflib_functionlist_t* mapidflib_get_function_list()
{
functions[0].def=trackftp_get_funct_info();
functions[0].def->libname=libname;
functions[0].next=NULL;
return &functions[0];
}
char *mapidflib_get_libname() {
return libname;
}
__attribute__ ((constructor))
void init ()
{
DEBUG_CMD(printf ("Library tracklib loaded\n"));
}
__attribute__ ((destructor))
void fini ()
{
DEBUG_CMD(printf ("Library tracklib unloaded\n"));
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment