chg: [pibs] Moved frame processing related to SYN tracking to synseen.c
parent
0512a82827
commit
969e6e6407
35
bin/pibs.c
35
bin/pibs.c
|
@ -24,12 +24,9 @@ void process_frame(pibs_t* pibs, wtap *wth,
|
||||||
uint8_t *eth)
|
uint8_t *eth)
|
||||||
{
|
{
|
||||||
struct ip* ipv4;
|
struct ip* ipv4;
|
||||||
uint32_t ip;
|
|
||||||
struct tcphdr* tcp;
|
struct tcphdr* tcp;
|
||||||
int_fast64_t lastseen;
|
|
||||||
unsigned char* buf;
|
unsigned char* buf;
|
||||||
size_t length;
|
size_t length;
|
||||||
struct pcap_pkthdr pchdr;
|
|
||||||
|
|
||||||
buf = eth+14;
|
buf = eth+14;
|
||||||
length = wth->rec.rec_header.packet_header.caplen-14;
|
length = wth->rec.rec_header.packet_header.caplen-14;
|
||||||
|
@ -46,37 +43,9 @@ void process_frame(pibs_t* pibs, wtap *wth,
|
||||||
|
|
||||||
tcp = (struct tcphdr*)(buf+sizeof(struct ip));
|
tcp = (struct tcphdr*)(buf+sizeof(struct ip));
|
||||||
|
|
||||||
memcpy(&ip, &ipv4->ip_src, 4);
|
synseen_process_frame(pibs, wth, eth, ipv4, tcp);
|
||||||
// Record only source ips where syn flag is set
|
|
||||||
// TODO check other connection establishment alternatives
|
|
||||||
if (tcp->th_flags == 2 ){
|
|
||||||
insert_ip(pibs, ip, wth->rec.ts.secs);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
lastseen = get_last_timestamp(pibs, ip);
|
//Put other frame processing activities here
|
||||||
|
|
||||||
if (lastseen > 0){
|
|
||||||
HDBG("IP %x %s was already seen before at %ld. Time difference %ld.\n"
|
|
||||||
, ip, inet_ntoa(ipv4->ip_src), lastseen, wth->rec.ts.secs-lastseen);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
// TODO keep these IPs in a hashtable and rank them
|
|
||||||
if (pibs->show_backscatter) {
|
|
||||||
printf("%ld,%s,%d,%d\n",
|
|
||||||
wth->rec.ts.secs, inet_ntoa(ipv4->ip_src), tcp->th_flags,
|
|
||||||
ntohs(tcp->th_sport));
|
|
||||||
}
|
|
||||||
//TODO relative time
|
|
||||||
//Purge old ips?
|
|
||||||
if (pibs->should_writepcap) {
|
|
||||||
pchdr.ts.tv_sec = wth->rec.ts.secs;
|
|
||||||
//TODO other part of the timestamp
|
|
||||||
pchdr.ts.tv_usec = wth->rec.ts.nsecs / 1000;
|
|
||||||
pchdr.caplen = wth->rec.rec_header.packet_header.caplen;
|
|
||||||
pchdr.len = wth->rec.rec_header.packet_header.len;
|
|
||||||
pcap_dump((u_char*)pibs->dumper, &pchdr, eth);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void process_file(pibs_t* pibs)
|
void process_file(pibs_t* pibs)
|
||||||
|
|
|
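Review bot: The `tcp` pointer handed to the new `synseen_process_frame(pibs, wth, eth, ipv4, tcp);` call is still derived from `buf+sizeof(struct ip)` (context line in this hunk), so for any IPv4 packet carrying options the TCP flags and source port are read from the option bytes and the SYN tracker classifies that packet wrongly. Use the header length field instead, `tcp = (struct tcphdr*)(buf + ipv4->ip_hl * 4);`, and reject frames where `ipv4->ip_hl < 5` or where `length` does not cover `ip_hl * 4 + sizeof(struct tcphdr)` before making the call; whether such a bound check already exists in the lines between the two hunks is not visible here. The placeholder `//Put other frame processing activities here` would be more useful if it stated the contract the call relies on, e.g. `// synseen_process_frame() assumes ipv4 and tcp point at validated headers inside the captured bytes`. process_frame's opening lines and the IPv4 validation are outside the hunk.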
@ -123,4 +123,7 @@ void process_file(pibs_t* pibs);
|
||||||
void pibs_dump_raw(pibs_t* pibs);
|
void pibs_dump_raw(pibs_t* pibs);
|
||||||
void pibs_dump_stats(pibs_t* pibs);
|
void pibs_dump_stats(pibs_t* pibs);
|
||||||
void process_redis_list(pibs_t* pibs);
|
void process_redis_list(pibs_t* pibs);
|
||||||
|
void synseen_process_frame(pibs_t *pibs, wtap *wth, uint8_t* eth,
|
||||||
|
struct ip* ipv4, struct tcphdr* tcp);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
|
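Review bot: The new exported prototype `synseen_process_frame` has no comment stating its contract, and as a cross-file interface that takes raw header pointers it needs one: that `ipv4` and `tcp` must already point at validated, fully captured headers inside `eth`, that `wth->rec.ts` is read for the timestamp, and that the function may write the frame through `pibs->dumper` when `should_writepcap` is set. The prototype also makes this header depend on `struct ip`, `struct tcphdr` and `wtap` being declared earlier; if the corresponding includes are not already above the hunk (not visible here), a translation unit that includes this header first gets a prototype-scope struct declaration and incompatible-pointer warnings at the call site. A short `/** ... */` block above the prototype covering those points, plus consistent pointer spacing (`uint8_t *eth` like `pibs_t *pibs`), would suffice. The rest of the header is outside the hunk.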
@ -136,3 +136,42 @@ void pibs_dump_stats(pibs_t* pibs)
|
||||||
}
|
}
|
||||||
printf("#Number of unique IP addresses: %ld\n", sum);
|
printf("#Number of unique IP addresses: %ld\n", sum);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void synseen_process_frame(pibs_t *pibs, wtap *wth, uint8_t* eth,
|
||||||
|
struct ip* ipv4, struct tcphdr* tcp)
|
||||||
|
{
|
||||||
|
int_fast64_t lastseen;
|
||||||
|
uint32_t ip;
|
||||||
|
struct pcap_pkthdr pchdr;
|
||||||
|
memcpy(&ip, &ipv4->ip_src, 4);
|
||||||
|
// Record only source ips where syn flag is set
|
||||||
|
// TODO check other connection establishment alternatives
|
||||||
|
if (tcp->th_flags == 2 ){
|
||||||
|
insert_ip(pibs, ip, wth->rec.ts.secs);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
lastseen = get_last_timestamp(pibs, ip);
|
||||||
|
|
||||||
|
if (lastseen > 0){
|
||||||
|
HDBG("IP %x %s was already seen before at %ld. Time difference %ld.\n"
|
||||||
|
, ip, inet_ntoa(ipv4->ip_src), lastseen, wth->rec.ts.secs-lastseen);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
// TODO keep these IPs in a hashtable and rank them
|
||||||
|
if (pibs->show_backscatter) {
|
||||||
|
printf("%ld,%s,%d,%d\n",
|
||||||
|
wth->rec.ts.secs, inet_ntoa(ipv4->ip_src), tcp->th_flags,
|
||||||
|
ntohs(tcp->th_sport));
|
||||||
|
}
|
||||||
|
//TODO relative time
|
||||||
|
//Purge old ips?
|
||||||
|
if (pibs->should_writepcap) {
|
||||||
|
pchdr.ts.tv_sec = wth->rec.ts.secs;
|
||||||
|
//TODO other part of the timestamp
|
||||||
|
pchdr.ts.tv_usec = wth->rec.ts.nsecs / 1000;
|
||||||
|
pchdr.caplen = wth->rec.rec_header.packet_header.caplen;
|
||||||
|
pchdr.len = wth->rec.rec_header.packet_header.len;
|
||||||
|
pcap_dump((u_char*)pibs->dumper, &pchdr, eth);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
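Review bot: The SYN test `if (tcp->th_flags == 2 ){` only matches a flags byte that is exactly SYN, so an ECN-setup SYN (SYN with ECE and CWR set, flags 0xC2) is never recorded by `insert_ip` and is handled like a non-SYN by the backscatter and pcap paths below; the same literal was in the removed code, but moving it into the dedicated tracker is the moment to fix it, e.g. `if ((tcp->th_flags & 0x3f) == TH_SYN) {` so the two ECN bits do not disqualify the packet and the magic number is named. The `HDBG(...)` line prints `lastseen` (an `int_fast64_t`) and `wth->rec.ts.secs-lastseen` with `%ld`, which is only correct where `int_fast64_t` is `long`; `PRIdFAST64` from `<inttypes.h>` is the portable specifier, and the `%ld` used for `wth->rec.ts.secs` in the `printf` deserves the same check against the actual type of `secs`. `memcpy(&ip, &ipv4->ip_src, 4);` would be safer as `memcpy(&ip, &ipv4->ip_src, sizeof ip);`. As a newly exported function it should also carry a header comment stating that the caller is responsible for having validated that `ipv4` and `tcp` lie within the captured bytes, since nothing in this function checks that.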