From 969e6e64074580d4bdcadea74de6b8f282c75713 Mon Sep 17 00:00:00 2001 From: Gerard Wagener Date: Wed, 10 Apr 2019 15:49:53 +0200 Subject: [PATCH] chg: [pibs] Moved frame processing related to SYN tracking to synseen.c --- bin/pibs.c | 35 ++--------------------------------- bin/pibs.h | 3 +++ bin/synseen.c | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 44 insertions(+), 33 deletions(-) diff --git a/bin/pibs.c b/bin/pibs.c index 2b323da..c146b4e 100644 --- a/bin/pibs.c +++ b/bin/pibs.c @@ -24,12 +24,9 @@ void process_frame(pibs_t* pibs, wtap *wth, uint8_t *eth) { struct ip* ipv4; - uint32_t ip; struct tcphdr* tcp; - int_fast64_t lastseen; unsigned char* buf; size_t length; - struct pcap_pkthdr pchdr; buf = eth+14; length = wth->rec.rec_header.packet_header.caplen-14; 
@@ -46,37 +43,9 @@ void process_frame(pibs_t* pibs, wtap *wth, tcp = (struct tcphdr*)(buf+sizeof(struct ip)); - memcpy(&ip, &ipv4->ip_src, 4); - // Record only source ips where syn flag is set - // TODO check other connection establishment alternatives - if (tcp->th_flags == 2 ){ - insert_ip(pibs, ip, wth->rec.ts.secs); - return; - } + synseen_process_frame(pibs, wth, eth, ipv4, tcp); - lastseen = get_last_timestamp(pibs, ip); - - if (lastseen > 0){ - HDBG("IP %x %s was already seen before at %ld. Time difference %ld.\n" - , ip, inet_ntoa(ipv4->ip_src), lastseen, wth->rec.ts.secs-lastseen); - return; - } - // TODO keep these IPs in a hashtable and rank them - if (pibs->show_backscatter) { - printf("%ld,%s,%d,%d\n", - wth->rec.ts.secs, inet_ntoa(ipv4->ip_src), tcp->th_flags, - ntohs(tcp->th_sport)); - } - //TODO relative time - //Purge old ips? - if (pibs->should_writepcap) { - pchdr.ts.tv_sec = wth->rec.ts.secs; - //TODO other part of the timestamp - pchdr.ts.tv_usec = wth->rec.ts.nsecs / 1000; - pchdr.caplen = wth->rec.rec_header.packet_header.caplen; - pchdr.len = wth->rec.rec_header.packet_header.len; - pcap_dump((u_char*)pibs->dumper, &pchdr, eth); - } + //Put other frame processing activities here } void process_file(pibs_t* pibs) diff --git a/bin/pibs.h b/bin/pibs.h index 632ffd1..b6ffd87 100644 --- a/bin/pibs.h +++ b/bin/pibs.h @@ -123,4 +123,7 @@ void process_file(pibs_t* pibs); void pibs_dump_raw(pibs_t* pibs); void pibs_dump_stats(pibs_t* pibs); void process_redis_list(pibs_t* pibs); +void synseen_process_frame(pibs_t *pibs, wtap *wth, uint8_t* eth, + struct ip* ipv4, struct tcphdr* tcp); + #endif diff --git a/bin/synseen.c b/bin/synseen.c index f17bdc3..838dc43 100644 --- a/bin/synseen.c +++ b/bin/synseen.c 
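Review bot: The `tcp` pointer handed to `synseen_process_frame(pibs, wth, eth, ipv4, tcp)` is computed on the context line `tcp = (struct tcphdr*)(buf+sizeof(struct ip));`, which fixes the IPv4 header at 20 bytes; for a packet carrying IP options the callee then reads TCP flags and ports from the option bytes and, depending on the length checks above the hunk (not visible here), may read past the captured data. Unless the code before this hunk already rejects `ipv4->ip_hl != 5`, derive the offset from the header-length field and bound it against `length` before the call: `size_t ihl = (size_t)ipv4->ip_hl * 4; if (ihl < sizeof(struct ip) || length < ihl + sizeof(struct tcphdr)) return; tcp = (struct tcphdr*)(buf + ihl);`. The body of process_frame starts before this hunk, so which validation precedes the cast cannot be confirmed from the diff.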
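Review bot: The prototype added to pibs.h, `void synseen_process_frame(pibs_t *pibs, wtap *wth, uint8_t* eth, struct ip* ipv4, struct tcphdr* tcp);`, names `struct ip` and `struct tcphdr`, so the header now compiles cleanly only when netinet/ip.h and netinet/tcp.h have been included before it; if pibs.h does not already include them itself (its include block is outside this diff), a translation unit that includes pibs.h first gets the "declared inside parameter list" warning and a prototype-scoped tag that is incompatible with the real struct. A pair of forward declarations above the prototype, `struct ip; struct tcphdr;`, removes the include-order dependency without pulling the socket headers into every user of pibs.h.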
@@ -136,3 +136,42 @@ void pibs_dump_stats(pibs_t* pibs)
 }
 printf("#Number of unique IP addresses: %ld\n", sum);
 }
+
+void synseen_process_frame(pibs_t *pibs, wtap *wth, uint8_t* eth,
+ struct ip* ipv4, struct tcphdr* tcp)
+{
+ int_fast64_t lastseen;
+ uint32_t ip;
+ struct pcap_pkthdr pchdr;
+ memcpy(&ip, &ipv4->ip_src, 4);
+ // Record only source ips where syn flag is set
+ // TODO check other connection establishment alternatives
+ if (tcp->th_flags == 2 ){
+ insert_ip(pibs, ip, wth->rec.ts.secs);
+ return;
+ }
+
+ lastseen = get_last_timestamp(pibs, ip);
+
+ if (lastseen > 0){
+ HDBG("IP %x %s was already seen before at %ld. Time difference %ld.\n"
+ , ip, inet_ntoa(ipv4->ip_src), lastseen, wth->rec.ts.secs-lastseen);
+ return;
+ }
+ // TODO keep these IPs in a hashtable and rank them
+ if (pibs->show_backscatter) {
+ printf("%ld,%s,%d,%d\n",
+ wth->rec.ts.secs, inet_ntoa(ipv4->ip_src), tcp->th_flags,
+ ntohs(tcp->th_sport));
+ }
+ //TODO relative time
+ //Purge old ips?
+ if (pibs->should_writepcap) {
+ pchdr.ts.tv_sec = wth->rec.ts.secs;
+ //TODO other part of the timestamp
+ pchdr.ts.tv_usec = wth->rec.ts.nsecs / 1000;
+ pchdr.caplen = wth->rec.rec_header.packet_header.caplen;
+ pchdr.len = wth->rec.rec_header.packet_header.len;
+ pcap_dump((u_char*)pibs->dumper, &pchdr, eth);
+ }