diff options
| author | Guy Harris <guy@alum.mit.edu> | 1999-10-22 07:18:23 +0000 |
|---|---|---|
| committer | Guy Harris <guy@alum.mit.edu> | 1999-10-22 07:18:23 +0000 |
| commit | 047b8751f369c1e466d1264afa03ac3d49ec54e1 (patch) | |
| tree | cafdd8f10fd25a8340247fdfd8f2186c20d7f68c /follow.c | |
| parent | 6921a22ac5a12dcdb38456466b8f04bc6f013dda (diff) | |
Generalize the "ip_src" and "ip_dst" members of the "packet_info"
structure to "dl_src"/"dl_dst", "net_src"/"net_dst", and "src"/"dst"
addresses, where an address is an address type, an address length in
bytes, and a pointer to that many bytes.
"dl_{src,dst}" are the link-layer source/destination; "net_{src,dst}"
are the network-layer source/destination; "{src,dst}" are the
source/destination from the highest of those two layers that we have in
the packet.
Add a port type to "packet_info" as well, specifying whether it's a TCP
or UDP port.
Don't set the address and port columns in the dissector functions; just
set the address and port members of the "packet_info" structure. Set
the columns in "fill_in_columns()"; this means that if we're showing
COL_{DEF,RES,UNRES}_SRC" or "COL_{DEF,RES,UNRES}_DST", we only generate
the string from "src" or "dst", we don't generate a string for the
link-layer address and then overwrite it with a string for the
network-layer address (generating those strings costs CPU).
Add support for "conversations", where a "conversation" is (at present)
a source and destination address and a source and destination port. (In
the future, we may support "conversations" above the transport layer,
e.g. a TFTP conversation, where the first packet goes from the client to
the TFTP server port, but the reply comes back from a different port,
and all subsequent packets go between the client address/port and the
server address/new port, or an NFS conversation, which might include
lock manager, status monitor, and mount packets, as well as NFS
packets.)
Currently, all we support is a call that takes the source and
destination address/port pairs, looks them up in a hash table, and:
if nothing is found, creates a new entry in the hash table, and
assigns it a unique 32-bit conversation ID, and returns that
conversation ID;
if an entry is found, returns its conversation ID.
Use that in the SMB and AFS code to keep track of individual SMB or AFS
conversations. We need to match up requests and replies, as, for
certain replies, the operation code for the request to which it's a
reply doesn't show up in the reply - you have to find the request with a
matching transaction ID. Transaction IDs are per-conversation, so the
hash table for requests should include a conversation ID and transaction
ID as the key.
This allows SMB and AFS decoders to handle IPv4 or IPv6 addresses
transparently (and should allow the SMB decoder to handle NetBIOS atop
other protocols as well, if the source and destination address and port
values in the "packet_info" structure are set appropriately).
In the "Follow TCP Connection" code, check to make sure that the
addresses are IPv4 addressses; ultimately, that code should be changed
to use the conversation code instead, which will let it handle IPv6
transparently.
svn path=/trunk/; revision=909
Diffstat (limited to 'follow.c')
| -rw-r--r-- | follow.c | 28 |
1 files changed, 18 insertions, 10 deletions
@@ -1,6 +1,6 @@ /* follow.c * - * $Id: follow.c,v 1.15 1999/09/09 02:42:25 gram Exp $ + * $Id: follow.c,v 1.16 1999/10/22 07:17:29 guy Exp $ * * Copyright 1998 Mike Hall <mlh@io.com> * @@ -50,7 +50,7 @@ extern FILE* data_out_file; gboolean incomplete_tcp_stream = FALSE; -static u_long ip_address[2]; +static guint32 ip_address[2]; static u_int tcp_port[2]; static int check_fragments( int ); @@ -63,20 +63,21 @@ static void write_packet_data( const u_char *, int ); char* build_follow_filter( packet_info *pi ) { char* buf = malloc(1024); - if( pi->ipproto == 6 ) { - /* TCP */ + if( pi->net_src.type == AT_IPv4 && pi->net_dst.type == AT_IPv4 + && pi->ipproto == 6 ) { + /* TCP over IPv4 */ sprintf( buf, "(ip.addr eq %s and ip.addr eq %s) and (tcp.port eq %d and tcp.port eq %d)", - ip_to_str( (guint8 *) &pi->ip_src), - ip_to_str( (guint8 *) &pi->ip_dst), + ip_to_str( pi->net_src.data), + ip_to_str( pi->net_dst.data), pi->srcport, pi->destport ); } else { free( buf ); return NULL; } - ip_address[0] = pi->ip_src; - ip_address[1] = pi->ip_dst; + memcpy(&ip_address[0], pi->net_src.data, sizeof ip_address[0]); + memcpy(&ip_address[1], pi->net_dst.data, sizeof ip_address[1]); tcp_port[0] = pi->srcport; tcp_port[1] = pi->destport; return buf; @@ -88,16 +89,23 @@ build_follow_filter( packet_info *pi ) { static tcp_frag *frags[2] = { 0, 0}; static u_long seq[2]; -static u_long src[2] = { 0, 0 }; +static guint32 src[2] = { 0, 0 }; void -reassemble_tcp( u_long sequence, u_long length, const char* data, u_long data_length, int synflag, u_long srcx, u_long dstx, u_int srcport, u_int dstport ) { +reassemble_tcp( u_long sequence, u_long length, const char* data, + u_long data_length, int synflag, address *net_src, + address *net_dst, u_int srcport, u_int dstport ) { + guint32 srcx, dstx; int src_index, j, first = 0; u_long newseq; tcp_frag *tmp_frag; src_index = -1; /* first check if this packet should be processed */ + if (net_src->type != AT_IPv4 || net_dst->type != AT_IPv4) + return; + memcpy(&srcx, net_src->data, sizeof srcx); + memcpy(&dstx, net_dst->data, sizeof dstx); if ((srcx != ip_address[0] && srcx != ip_address[1]) || (dstx != ip_address[0] && dstx != ip_address[1]) || (srcport != tcp_port[0] && srcport != tcp_port[1]) || |