/* util.c
 * Utility routines
 *
 * $Id$
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <gerald@wireshark.org>
 * Copyright 1998 Gerald Combs
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */

#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

#include <glib.h>

#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>

#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif

#include <epan/address.h>
#include <epan/addr_resolv.h>
#include <epan/ws_strsplit.h>

#include "util.h"

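/*
 * Collect command-line arguments as a string consisting of the arguments,
 * separated by spaces.
 *
 * argc and argv describe the argument vector; optind is the index of the
 * first argument to include.  The result is a NUL-terminated buffer
 * obtained from g_malloc(), which the caller owns and releases with
 * g_free().
 *
 * If there is no argument at or after optind (or optind is negative), an
 * empty string is returned.  Without that guard the code would write
 * through the result of g_malloc(0) and read argv[argc] or beyond.
 */
char *
get_args_as_string(int argc, char **argv, int optind)
{
	size_t len;
	size_t arglen;
	int i;
	char *argstring;
	char *out;

	/*
	 * Nothing to collect: hand back an empty, still heap-allocated
	 * string so the caller can free it like any other result.
	 */
	if (optind < 0 || optind >= argc) {
		argstring = g_malloc(1);
		argstring[0] = '\0';
		return argstring;
	}

	/*
	 * Find out how long the string will be.  The total is kept in a
	 * size_t so that very long argument lists cannot overflow a signed
	 * int and under-size the buffer.
	 */
	len = 0;
	for (i = optind; i < argc; i++) {
		len += strlen(argv[i]);
		len++;	/* space, or '\0' if this is the last argument */
	}

	/*
	 * Allocate the buffer for the string.
	 */
	argstring = g_malloc(len);

	/*
	 * Now construct the string.  Each argument is appended at a running
	 * write position with an explicit length, so every write stays
	 * inside the len bytes computed above and the buffer is not
	 * rescanned for each argument.
	 */
	out = argstring;
	for (i = optind; i < argc; i++) {
		if (i != optind)
			*out++ = ' ';
		arglen = strlen(argv[i]);
		memcpy(out, argv[i], arglen);
		out += arglen;
	}
	*out = '\0';
	return argstring;
}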

/* Compute the difference (first time minus second time) between two
   seconds/microseconds time stamps.

   The seconds part of the delta is stored through diffsec and the
   microseconds part through diffusec.  When the seconds parts differ,
   both parts of the delta are given the same sign; when they are equal,
   the microseconds part alone carries the sign. */
void
compute_timestamp_diff(gint *diffsec, gint *diffusec,
	guint32 sec1, guint32 usec1, guint32 sec2, guint32 usec2)
{
  /* The seconds delta always starts out as the plain difference; the
     two borrow/carry cases below adjust it by one afterwards. */
  *diffsec = sec1 - sec2;

  if (sec1 < sec2 && usec1 > usec2) {
    /* The first time is earlier, but the plain microseconds difference
       would come out positive: take 1,000,000 off the microseconds and
       give one second back to the (negative) seconds part. */
    *diffusec = (usec1 - 1000000) - usec2;
    (*diffsec)++;
  } else if (sec1 > sec2 && usec1 < usec2) {
    /* The first time is later, but the plain microseconds difference
       would come out negative: borrow one second from the seconds
       part. */
    *diffusec = (usec1 + 1000000) - usec2;
    (*diffsec)--;
  } else {
    /* Either the seconds parts are equal (a negative microseconds part
       is fine then), or the microseconds difference already has the
       same sign as the seconds difference. */
    *diffusec = usec1 - usec2;
  }
}

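/* Try to figure out if we're remotely connected, e.g. via ssh or
   Terminal Server, and create a capture filter that matches aspects of the
   connection.  We match the following environment variables:

   SSH_CONNECTION (ssh): <remote IP> <remote port> <local IP> <local port>
   SSH_CLIENT (ssh): <remote IP> <remote port> <local port>
   REMOTEHOST (tcsh, others?): <remote name>
   DISPLAY (x11): [remote name]:<display num>
   SESSIONNAME (terminal server): <remote name>

   The variables are tried in that order and only the first one that is
   set is examined; if its value is not usable, the result is "" and the
   remaining variables are not consulted.

   Returns either the string literal "" (nothing recognized) or a pointer
   into a function-static GString, which is overwritten by the next call.
   The caller must not free or modify the result.

   NOTE(review): the variable contents are copied into the filter
   expression without validation.  Only the number of fields is checked
   here; checking that ports are numeric and that host names contain no
   whitespace or filter syntax would keep a malformed environment from
   producing a filter other than the intended one.
 */

const gchar *get_conn_cfilter(void) {
	static GString *filter_str = NULL;
	gchar *env, **tokens;
	char *lastp, *lastc, *p;
	char *pprotocol = NULL;
	char *phostname = NULL;
	size_t hostlen;

	if (filter_str == NULL) {
		filter_str = g_string_new("");
	}
	if ((env = getenv("SSH_CONNECTION")) != NULL) {
		tokens = g_strsplit(env, " ", 4);
		/*
		 * The vector is NULL-terminated after the last field, so
		 * test the fields in order; looking at tokens[3] directly
		 * would read past the terminator when fewer than three
		 * fields are present.
		 */
		if (tokens != NULL && tokens[0] != NULL && tokens[1] != NULL &&
		    tokens[2] != NULL && tokens[3] != NULL) {
			g_string_sprintf(filter_str, "not (tcp port %s and %s host %s "
							 "and tcp port %s and %s host %s)", tokens[1], host_ip_af(tokens[0]), tokens[0],
				tokens[3], host_ip_af(tokens[2]), tokens[2]);
			/* The text has been copied into filter_str. */
			g_strfreev(tokens);
			return filter_str->str;
		}
		g_strfreev(tokens);
	} else if ((env = getenv("SSH_CLIENT")) != NULL) {
		tokens = g_strsplit(env, " ", 3);
		/*
		 * All three fields are required; a short value would
		 * otherwise hand NULL pointers to host_ip_af() and to
		 * the "%s" conversions.
		 */
		if (tokens != NULL && tokens[0] != NULL && tokens[1] != NULL &&
		    tokens[2] != NULL) {
			g_string_sprintf(filter_str, "not (tcp port %s and %s host %s "
				"and tcp port %s)", tokens[1], host_ip_af(tokens[0]), tokens[0], tokens[2]);
			g_strfreev(tokens);
			return filter_str->str;
		}
		g_strfreev(tokens);
	} else if ((env = getenv("REMOTEHOST")) != NULL) {
		/* A "remote" host that is really this machine needs no filter. */
		if (strcasecmp(env, "localhost") == 0 || strcmp(env, "127.0.0.1") == 0) {
			return "";
		}
		g_string_sprintf(filter_str, "not %s host %s", host_ip_af(env), env);
		return filter_str->str;
	} else if ((env = getenv("DISPLAY")) != NULL) {
		/*
		 * This mirrors what _X11TransConnectDisplay() does.
		 * Note that, on some systems, the hostname can
		 * begin with "/", which means that it's a pathname
		 * of a UNIX domain socket to connect to.
		 *
		 * The comments mirror those in _X11TransConnectDisplay(),
		 * too. :-)
		 *
		 * Display names may be of the following format:
		 *
		 *    [protocol/] [hostname] : [:] displaynumber [.screennumber]
		 *
		 * A string with exactly two colons separating hostname
		 * from the display indicates a DECnet style name.  Colons
		 * in the hostname may occur if an IPv6 numeric address
		 * is used as the hostname.  An IPv6 numeric address may
		 * also end in a double colon, so three colons in a row
		 * indicates an IPv6 address ending in :: followed by
		 * :display.  To make it easier for people to read, an
		 * IPv6 numeric address hostname may be surrounded by []
		 * in a similar fashion to the IPv6 numeric address URL
		 * syntax defined by IETF RFC 2732.
		 *
		 * If no hostname and no protocol is specified, the string
		 * is interpreted as the most efficient local connection
		 * to a server on the same machine.  This is usually:
		 *
		 *    o shared memory
		 *    o local stream
		 *    o UNIX domain socket
		 *    o TCP to local host.
		 */

		p = env;

		/*
		 * Step 0, find the protocol.  This is delimited by
		 * the optional slash ('/').
		 */
		for (lastp = p; *p != '\0' && *p != ':' && *p != '/'; p++)
			;
		if (*p == '\0')
			return "";	/* must have a colon */

		if (p != lastp && *p != ':') {	/* protocol given? */
			/* Yes; pprotocol is only used as a "was given" flag below. */
			pprotocol = p;

			/* Is it TCP? */
			if (p - lastp != 3 || strncasecmp(lastp, "tcp", 3) != 0)
				return "";	/* not TCP */
			p++;			/* skip the '/' */
		} else
			p = env;		/* reset the pointer in
						   case no protocol was given */

		/*
		 * Step 1, find the hostname.  This is delimited either by
		 * one colon, or two colons in the case of DECnet (DECnet
		 * Phase V allows a single colon in the hostname).  (See
		 * note above regarding IPv6 numeric addresses with
		 * triple colons or [] brackets.)
		 */
		lastp = p;
		lastc = NULL;
		for (; *p != '\0'; p++)
			if (*p == ':')
				lastc = p;

		if (lastc == NULL)
			return "";		/* must have a colon */

		/*
		 * Exactly two colons before the display number (not three)
		 * mean a DECnet name.  The short-circuit order keeps both
		 * look-behinds at or after lastp.
		 */
		if ((lastp != lastc) && (*(lastc - 1) == ':')
		    && (((lastc - 1) == lastp) || (*(lastc - 2) != ':'))) {
			/* DECnet display specified */
			return "";
		}
		hostlen = lastc - lastp;

		if (hostlen == 0)
			return "";	/* no hostname supplied */

		/* Private NUL-terminated copy of the host part. */
		phostname = g_malloc(hostlen + 1);
		memcpy(phostname, lastp, hostlen);
		phostname[hostlen] = '\0';

		if (pprotocol == NULL) {
			/*
			 * No protocol was explicitly specified, so it
			 * could be a local connection over a transport
			 * that we won't see.
			 *
			 * Does the host name refer to the local host?
			 * If so, the connection would probably be a
			 * local connection.
			 *
			 * XXX - compare against our host name?
			 * _X11TransConnectDisplay() does.
			 */
			if (strcasecmp(phostname, "localhost") == 0 ||
			    strcmp(phostname, "127.0.0.1") == 0) {
				g_free(phostname);
				return "";
			}

			/*
			 * A host name of "unix" (case-sensitive) also
			 * causes a local connection.
			 */
			if (strcmp(phostname, "unix") == 0) {
				g_free(phostname);
				return "";
			}

			/*
			 * Does the host name begin with "/"?  If so,
			 * it's presumed to be the pathname of a
			 * UNIX domain socket.
			 */
			if (phostname[0] == '/') {
				g_free(phostname);
				return "";
			}
		}

		g_string_sprintf(filter_str, "not %s host %s",
			host_ip_af(phostname), phostname);
		g_free(phostname);
		return filter_str->str;
	} else if ((env = getenv("SESSIONNAME")) != NULL) {
		/* Apparently the KB article at
		 * http://technet2.microsoft.com/WindowsServer/en/library/6caf87bf-3d70-4801-9485-87e9ec3df0171033.mspx?mfr=true
		 * is incorrect.  There are _plenty_ of cases where CLIENTNAME
		 * and SESSIONNAME are set outside of a Terminal Server session.
		 * It looks like Terminal Server sets SESSIONNAME to RDP-TCP#<number>
		 * for "real" sessions.
		 *
		 * XXX - There's a better way to do this described at
		 * http://www.microsoft.com/technet/archive/termsrv/maintain/featusability/tsrvapi.mspx?mfr=true
		 */
		if (g_strncasecmp(env, "rdp", 3) == 0) {
			g_string_sprintf(filter_str, "not tcp port 3389");
			return filter_str->str;
		}
	}
	return "";
}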