2000-04-27 18:05:30 +08:00
|
|
|
/* $OpenBSD: print-cnfp.c,v 1.2 1998/06/25 20:26:59 mickey Exp $ */
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Copyright (c) 1998 Michael Shalayeff
|
|
|
|
|
* All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
|
* 3. All advertising materials mentioning features or use of this software
|
|
|
|
|
* must display the following acknowledgement:
|
|
|
|
|
* This product includes software developed by Michael Shalayeff.
|
|
|
|
|
* 4. The name of the author may not be used to endorse or promote products
|
|
|
|
|
* derived from this software without specific prior written permission.
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* Cisco NetFlow protocol */
|
|
|
|
|
|
2000-04-27 18:41:40 +08:00
|
|
|
#ifndef lint
|
|
|
|
|
static const char rcsid[] =
|
2002-11-10 01:19:16 +08:00
|
|
|
"@(#) $Header: /tcpdump/master/tcpdump/print-cnfp.c,v 1.12 2002-11-09 17:19:25 itojun Exp $";
|
2000-04-27 18:41:40 +08:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
|
#include "config.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
2002-08-01 16:52:55 +08:00
|
|
|
#include <tcpdump-stdinc.h>
|
2000-04-28 19:17:36 +08:00
|
|
|
|
2000-04-27 18:05:30 +08:00
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
|
|
#include "interface.h"
|
|
|
|
|
|
Add a few more GCC warnings on GCC >= 2 for ".devel" builds.
From Neil T. Spring: fixes for many of those warnings:
addrtoname.c, configure.in: Linux needs netinet/ether.h for
ether_ntohost
print-*.c: change char *foo = "bar" to const char *foo = "bar"
to appease -Wwrite-strings; should affect no run-time behavior.
print-*.c: make some variables unsigned.
print-bgp.c: plen ('prefix len') is unsigned, no reason to
validate by comparing to zero.
print-cnfp.c, print-rx.c: use intoa, provided by addrtoname,
instead of inet_ntoa.
print-domain.c: unsigned int l; (l=foo()) < 0 is guaranteed to
be false, so check for (u_int)-1, which represents failure,
explicitly.
print-isakmp.c: complete initialization of attrmap objects.
print-lwres.c: "if(x); print foo;" seemed much more likely to be
intended to be "if(x) { print foo; }".
print-smb.c: complete initialization of some structures.
In addition, add some fixes for the signed vs. unsigned comparison
warnings:
extract.h: cast the result of the byte-extraction-and-combining,
as, at least for the 16-bit version, C's integral promotions
will turn "u_int16_t" into "int" if there are other "int"s
nearby.
print-*.c: make some more variables unsigned, or add casts to an
unsigned type of signed values known not to be negative, or add
casts to "int" of unsigned values known to fit in an "int", and
make other changes needed to handle the aforementioned variables
now being unsigned.
print-isakmp.c: clean up the handling of error/status indicators
in notify messages.
print-ppp.c: get rid of a check that an unsigned quantity is >=
0.
print-radius.c: clean up some of the bounds checking.
print-smb.c: extract the word count into a "u_int" to avoid the
aforementioned problems with C's integral promotions.
print-snmp.c: change a check that an unsigned variable is >= 0
to a check that it's != 0.
Also, fix some formats to use "%u" rather than "%d" for unsigned
quantities.
2002-09-05 08:00:07 +08:00
|
|
|
#include "addrtoname.h"
|
|
|
|
|
|
2000-09-23 16:26:30 +08:00
|
|
|
#include "tcp.h"
|
|
|
|
|
|
2000-04-27 18:05:30 +08:00
|
|
|
struct nfhdr {
|
|
|
|
|
u_int32_t ver_cnt; /* version [15], and # of records */
|
|
|
|
|
u_int32_t msys_uptime;
|
|
|
|
|
u_int32_t utc_sec;
|
|
|
|
|
u_int32_t utc_nsec;
|
|
|
|
|
u_int32_t sequence; /* v5 flow sequence number */
|
|
|
|
|
u_int32_t reserved; /* v5 only */
|
2002-11-10 01:19:16 +08:00
|
|
|
} __attribute__((packed));
|
2000-04-27 18:05:30 +08:00
|
|
|
|
|
|
|
|
struct nfrec {
|
2000-04-27 21:45:11 +08:00
|
|
|
struct in_addr src_ina;
|
|
|
|
|
struct in_addr dst_ina;
|
|
|
|
|
struct in_addr nhop_ina;
|
2000-04-27 18:05:30 +08:00
|
|
|
u_int32_t ifaces; /* src,dst ifaces */
|
|
|
|
|
u_int32_t packets;
|
|
|
|
|
u_int32_t octets;
|
|
|
|
|
u_int32_t start_time; /* sys_uptime value */
|
|
|
|
|
u_int32_t last_time; /* sys_uptime value */
|
|
|
|
|
u_int32_t ports; /* src,dst ports */
|
|
|
|
|
u_int32_t proto_tos; /* proto, tos, pad, flags(v5) */
|
|
|
|
|
u_int32_t asses; /* v1: flags; v5: src,dst AS */
|
2001-02-21 17:05:39 +08:00
|
|
|
u_int32_t masks; /* src,dst addr prefix; v6: encaps */
|
|
|
|
|
struct in_addr peer_nexthop; /* v6: IP address of the nexthop within the peer (FIB)*/
|
2002-11-10 01:19:16 +08:00
|
|
|
} __attribute__((packed));
|
2000-04-27 18:05:30 +08:00
|
|
|
|
|
|
|
|
void
|
2002-09-06 05:25:34 +08:00
|
|
|
cnfp_print(const u_char *cp, const u_char *bp)
|
2000-04-27 18:05:30 +08:00
|
|
|
{
|
|
|
|
|
register const struct nfhdr *nh;
|
|
|
|
|
register const struct nfrec *nr;
|
|
|
|
|
register const struct ip *ip;
|
|
|
|
|
struct protoent *pent;
|
|
|
|
|
int nrecs, ver;
|
|
|
|
|
time_t t;
|
|
|
|
|
|
2001-09-18 05:57:50 +08:00
|
|
|
ip = (const struct ip *)bp;
|
|
|
|
|
nh = (const struct nfhdr *)cp;
|
2000-04-27 18:05:30 +08:00
|
|
|
|
2001-09-18 05:57:50 +08:00
|
|
|
if ((const u_char *)(nh + 1) > snapend)
|
2000-04-27 18:05:30 +08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
nrecs = ntohl(nh->ver_cnt) & 0xffff;
|
|
|
|
|
ver = (ntohl(nh->ver_cnt) & 0xffff0000) >> 16;
|
|
|
|
|
t = ntohl(nh->utc_sec);
|
|
|
|
|
/* (p = ctime(&t))[24] = '\0'; */
|
|
|
|
|
|
|
|
|
|
printf("NetFlow v%x, %u.%03u uptime, %u.%09u, ", ver,
|
2000-05-15 08:37:34 +08:00
|
|
|
(unsigned)ntohl(nh->msys_uptime)/1000,
|
|
|
|
|
(unsigned)ntohl(nh->msys_uptime)%1000,
|
|
|
|
|
(unsigned)ntohl(nh->utc_sec), (unsigned)ntohl(nh->utc_nsec));
|
2000-04-27 18:05:30 +08:00
|
|
|
|
2001-02-21 17:05:39 +08:00
|
|
|
if (ver == 5 || ver == 6) {
|
2000-05-15 08:37:34 +08:00
|
|
|
printf("#%u, ", (unsigned)htonl(nh->sequence));
|
2001-09-18 05:57:50 +08:00
|
|
|
nr = (const struct nfrec *)&nh[1];
|
2000-04-27 18:05:30 +08:00
|
|
|
snaplen -= 24;
|
|
|
|
|
} else {
|
2001-09-18 05:57:50 +08:00
|
|
|
nr = (const struct nfrec *)&nh->sequence;
|
2000-04-27 18:05:30 +08:00
|
|
|
snaplen -= 16;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
printf("%2u recs", nrecs);
|
|
|
|
|
|
2001-09-18 05:57:50 +08:00
|
|
|
for (; nrecs-- && (const u_char *)(nr + 1) <= snapend; nr++) {
|
2000-04-28 19:17:36 +08:00
|
|
|
char buf[20];
|
|
|
|
|
char asbuf[20];
|
2000-04-27 18:05:30 +08:00
|
|
|
|
|
|
|
|
printf("\n started %u.%03u, last %u.%03u",
|
2000-05-15 08:37:34 +08:00
|
|
|
(unsigned)ntohl(nr->start_time)/1000,
|
|
|
|
|
(unsigned)ntohl(nr->start_time)%1000,
|
|
|
|
|
(unsigned)ntohl(nr->last_time)/1000,
|
|
|
|
|
(unsigned)ntohl(nr->last_time)%1000);
|
2000-04-27 18:05:30 +08:00
|
|
|
|
|
|
|
|
asbuf[0] = buf[0] = '\0';
|
2001-02-21 17:05:39 +08:00
|
|
|
if (ver == 5 || ver == 6) {
|
2000-04-28 19:17:36 +08:00
|
|
|
snprintf(buf, sizeof(buf), "/%u",
|
2000-05-15 08:37:34 +08:00
|
|
|
(unsigned)(ntohl(nr->masks) >> 24) & 0xff);
|
2001-02-21 17:05:39 +08:00
|
|
|
snprintf(asbuf, sizeof(asbuf), ":%u",
|
2000-05-15 08:37:34 +08:00
|
|
|
(unsigned)(ntohl(nr->asses) >> 16) & 0xffff);
|
2000-04-27 18:05:30 +08:00
|
|
|
}
|
Add a few more GCC warnings on GCC >= 2 for ".devel" builds.
From Neil T. Spring: fixes for many of those warnings:
addrtoname.c, configure.in: Linux needs netinet/ether.h for
ether_ntohost
print-*.c: change char *foo = "bar" to const char *foo = "bar"
to appease -Wwrite-strings; should affect no run-time behavior.
print-*.c: make some variables unsigned.
print-bgp.c: plen ('prefix len') is unsigned, no reason to
validate by comparing to zero.
print-cnfp.c, print-rx.c: use intoa, provided by addrtoname,
instead of inet_ntoa.
print-domain.c: unsigned int l; (l=foo()) < 0 is guaranteed to
be false, so check for (u_int)-1, which represents failure,
explicitly.
print-isakmp.c: complete initialization of attrmap objects.
print-lwres.c: "if(x); print foo;" seemed much more likely to be
intended to be "if(x) { print foo; }".
print-smb.c: complete initialization of some structures.
In addition, add some fixes for the signed vs. unsigned comparison
warnings:
extract.h: cast the result of the byte-extraction-and-combining,
as, at least for the 16-bit version, C's integral promotions
will turn "u_int16_t" into "int" if there are other "int"s
nearby.
print-*.c: make some more variables unsigned, or add casts to an
unsigned type of signed values known not to be negative, or add
casts to "int" of unsigned values known to fit in an "int", and
make other changes needed to handle the aforementioned variables
now being unsigned.
print-isakmp.c: clean up the handling of error/status indicators
in notify messages.
print-ppp.c: get rid of a check that an unsigned quantity is >=
0.
print-radius.c: clean up some of the bounds checking.
print-smb.c: extract the word count into a "u_int" to avoid the
aforementioned problems with C's integral promotions.
print-snmp.c: change a check that an unsigned variable is >= 0
to a check that it's != 0.
Also, fix some formats to use "%u" rather than "%d" for unsigned
quantities.
2002-09-05 08:00:07 +08:00
|
|
|
printf("\n %s%s%s:%u ", intoa(nr->src_ina.s_addr), buf, asbuf,
|
2000-05-15 08:37:34 +08:00
|
|
|
(unsigned)ntohl(nr->ports) >> 16);
|
2000-04-27 18:05:30 +08:00
|
|
|
|
2001-02-21 17:05:39 +08:00
|
|
|
if (ver == 5 || ver ==6) {
|
2000-04-28 19:17:36 +08:00
|
|
|
snprintf(buf, sizeof(buf), "/%d",
|
2000-05-15 08:37:34 +08:00
|
|
|
(unsigned)(ntohl(nr->masks) >> 16) & 0xff);
|
2001-02-21 17:05:39 +08:00
|
|
|
snprintf(asbuf, sizeof(asbuf), ":%u",
|
2000-05-15 08:37:34 +08:00
|
|
|
(unsigned)ntohl(nr->asses) & 0xffff);
|
2000-04-27 18:05:30 +08:00
|
|
|
}
|
Add a few more GCC warnings on GCC >= 2 for ".devel" builds.
From Neil T. Spring: fixes for many of those warnings:
addrtoname.c, configure.in: Linux needs netinet/ether.h for
ether_ntohost
print-*.c: change char *foo = "bar" to const char *foo = "bar"
to appease -Wwrite-strings; should affect no run-time behavior.
print-*.c: make some variables unsigned.
print-bgp.c: plen ('prefix len') is unsigned, no reason to
validate by comparing to zero.
print-cnfp.c, print-rx.c: use intoa, provided by addrtoname,
instead of inet_ntoa.
print-domain.c: unsigned int l; (l=foo()) < 0 is guaranteed to
be false, so check for (u_int)-1, which represents failure,
explicitly.
print-isakmp.c: complete initialization of attrmap objects.
print-lwres.c: "if(x); print foo;" seemed much more likely to be
intended to be "if(x) { print foo; }".
print-smb.c: complete initialization of some structures.
In addition, add some fixes for the signed vs. unsigned comparison
warnings:
extract.h: cast the result of the byte-extraction-and-combining,
as, at least for the 16-bit version, C's integral promotions
will turn "u_int16_t" into "int" if there are other "int"s
nearby.
print-*.c: make some more variables unsigned, or add casts to an
unsigned type of signed values known not to be negative, or add
casts to "int" of unsigned values known to fit in an "int", and
make other changes needed to handle the aforementioned variables
now being unsigned.
print-isakmp.c: clean up the handling of error/status indicators
in notify messages.
print-ppp.c: get rid of a check that an unsigned quantity is >=
0.
print-radius.c: clean up some of the bounds checking.
print-smb.c: extract the word count into a "u_int" to avoid the
aforementioned problems with C's integral promotions.
print-snmp.c: change a check that an unsigned variable is >= 0
to a check that it's != 0.
Also, fix some formats to use "%u" rather than "%d" for unsigned
quantities.
2002-09-05 08:00:07 +08:00
|
|
|
printf("> %s%s%s:%u ", intoa(nr->dst_ina.s_addr), buf, asbuf,
|
2000-05-15 08:37:34 +08:00
|
|
|
(unsigned)ntohl(nr->ports) & 0xffff);
|
2000-04-27 18:05:30 +08:00
|
|
|
|
Add a few more GCC warnings on GCC >= 2 for ".devel" builds.
From Neil T. Spring: fixes for many of those warnings:
addrtoname.c, configure.in: Linux needs netinet/ether.h for
ether_ntohost
print-*.c: change char *foo = "bar" to const char *foo = "bar"
to appease -Wwrite-strings; should affect no run-time behavior.
print-*.c: make some variables unsigned.
print-bgp.c: plen ('prefix len') is unsigned, no reason to
validate by comparing to zero.
print-cnfp.c, print-rx.c: use intoa, provided by addrtoname,
instead of inet_ntoa.
print-domain.c: unsigned int l; (l=foo()) < 0 is guaranteed to
be false, so check for (u_int)-1, which represents failure,
explicitly.
print-isakmp.c: complete initialization of attrmap objects.
print-lwres.c: "if(x); print foo;" seemed much more likely to be
intended to be "if(x) { print foo; }".
print-smb.c: complete initialization of some structures.
In addition, add some fixes for the signed vs. unsigned comparison
warnings:
extract.h: cast the result of the byte-extraction-and-combining,
as, at least for the 16-bit version, C's integral promotions
will turn "u_int16_t" into "int" if there are other "int"s
nearby.
print-*.c: make some more variables unsigned, or add casts to an
unsigned type of signed values known not to be negative, or add
casts to "int" of unsigned values known to fit in an "int", and
make other changes needed to handle the aforementioned variables
now being unsigned.
print-isakmp.c: clean up the handling of error/status indicators
in notify messages.
print-ppp.c: get rid of a check that an unsigned quantity is >=
0.
print-radius.c: clean up some of the bounds checking.
print-smb.c: extract the word count into a "u_int" to avoid the
aforementioned problems with C's integral promotions.
print-snmp.c: change a check that an unsigned variable is >= 0
to a check that it's != 0.
Also, fix some formats to use "%u" rather than "%d" for unsigned
quantities.
2002-09-05 08:00:07 +08:00
|
|
|
printf(">> %s\n ", intoa(nr->nhop_ina.s_addr));
|
2000-04-27 18:05:30 +08:00
|
|
|
|
|
|
|
|
pent = getprotobynumber((ntohl(nr->proto_tos) >> 8) & 0xff);
|
|
|
|
|
if (!pent || nflag)
|
2000-05-15 08:37:34 +08:00
|
|
|
printf("%u ",
|
|
|
|
|
(unsigned)(ntohl(nr->proto_tos) >> 8) & 0xff);
|
2000-04-27 18:05:30 +08:00
|
|
|
else
|
|
|
|
|
printf("%s ", pent->p_name);
|
|
|
|
|
|
|
|
|
|
/* tcp flags for tcp only */
|
|
|
|
|
if (pent && pent->p_proto == IPPROTO_TCP) {
|
|
|
|
|
int flags;
|
|
|
|
|
if (ver == 1)
|
|
|
|
|
flags = (ntohl(nr->asses) >> 24) & 0xff;
|
|
|
|
|
else
|
|
|
|
|
flags = (ntohl(nr->proto_tos) >> 16) & 0xff;
|
|
|
|
|
if (flags & TH_FIN) putchar('F');
|
|
|
|
|
if (flags & TH_SYN) putchar('S');
|
|
|
|
|
if (flags & TH_RST) putchar('R');
|
|
|
|
|
if (flags & TH_PUSH) putchar('P');
|
|
|
|
|
if (flags & TH_ACK) putchar('A');
|
|
|
|
|
if (flags & TH_URG) putchar('U');
|
|
|
|
|
if (flags)
|
|
|
|
|
putchar(' ');
|
|
|
|
|
}
|
2001-02-21 17:05:39 +08:00
|
|
|
|
|
|
|
|
buf[0]='\0';
|
|
|
|
|
if (ver == 6) {
|
|
|
|
|
snprintf(buf, sizeof(buf), "(%u<>%u encaps)",
|
|
|
|
|
(unsigned)(ntohl(nr->masks) >> 8) & 0xff,
|
|
|
|
|
(unsigned)(ntohl(nr->masks)) & 0xff);
|
|
|
|
|
}
|
|
|
|
|
printf("tos %u, %u (%u octets) %s",
|
2000-05-15 08:37:34 +08:00
|
|
|
(unsigned)ntohl(nr->proto_tos) & 0xff,
|
|
|
|
|
(unsigned)ntohl(nr->packets),
|
2001-02-21 17:05:39 +08:00
|
|
|
(unsigned)ntohl(nr->octets), buf);
|
2000-04-27 18:05:30 +08:00
|
|
|
}
|
|
|
|
|
}
|
