chg: [pibs] added option to bypass synseen logic

master
Gerard Wagener 2020-02-19 17:18:06 +01:00
parent 347d6e4d71
commit 38036c3f47
1 changed files with 29 additions and 27 deletions


@ -145,35 +145,37 @@ void synseen_process_frame(pibs_t *pibs, wtap *wth, uint8_t* eth,
uint32_t ip; uint32_t ip;
struct pcap_pkthdr pchdr; struct pcap_pkthdr pchdr;
memcpy(&ip, &ipv4->ip_src, 4); memcpy(&ip, &ipv4->ip_src, 4);
// Record only source ips where syn flag is set if (!pibs->bypass) {
// TODO check other connection establishment alternatives // Record only source ips where syn flag is set
if (tcp->th_flags == 2 ){ // TODO check other connection establishment alternatives
insert_ip(pibs, ip, wth->rec.ts.secs); if (tcp->th_flags == 2 ){
return; insert_ip(pibs, ip, wth->rec.ts.secs);
} return;
}
lastseen = get_last_timestamp(pibs, ip); lastseen = get_last_timestamp(pibs, ip);
if (lastseen > 0){ if (lastseen > 0){
HDBG("IP %x %s was already seen before at %ld. Time difference %ld.\n" HDBG("IP %x %s was already seen before at %ld. Time difference %ld.\n"
, ip, inet_ntoa(ipv4->ip_src), lastseen, wth->rec.ts.secs-lastseen); , ip, inet_ntoa(ipv4->ip_src), lastseen, wth->rec.ts.secs-lastseen);
return; return;
} }
// TODO keep these IPs in a hashtable and rank them // TODO keep these IPs in a hashtable and rank them
if (pibs->show_backscatter) { if (pibs->show_backscatter) {
printf("%ld,%s,%d,%d\n", printf("%ld,%s,%d,%d\n",
wth->rec.ts.secs, inet_ntoa(ipv4->ip_src), tcp->th_flags, wth->rec.ts.secs, inet_ntoa(ipv4->ip_src), tcp->th_flags,
ntohs(tcp->th_sport)); ntohs(tcp->th_sport));
} }
//TODO relative time //TODO relative time
//Purge old ips? //Purge old ips?
if (pibs->should_writepcap) { if (pibs->should_writepcap) {
pchdr.ts.tv_sec = wth->rec.ts.secs; pchdr.ts.tv_sec = wth->rec.ts.secs;
//TODO other part of the timestamp //TODO other part of the timestamp
pchdr.ts.tv_usec = wth->rec.ts.nsecs / 1000; pchdr.ts.tv_usec = wth->rec.ts.nsecs / 1000;
pchdr.caplen = wth->rec.rec_header.packet_header.caplen; pchdr.caplen = wth->rec.rec_header.packet_header.caplen;
pchdr.len = wth->rec.rec_header.packet_header.len; pchdr.len = wth->rec.rec_header.packet_header.len;
pcap_dump((u_char*)pibs->dumper, &pchdr, eth); pcap_dump((u_char*)pibs->dumper, &pchdr, eth);
}
} }
if (pibs->synseen_callback) { if (pibs->synseen_callback) {
synseen_callback = pibs->synseen_callback; synseen_callback = pibs->synseen_callback;