📄 log.c
字号:
return;
}
/****************************************************************************
*
* Function: NoAlert(Packet *, char *)
*
* Purpose: Don't alert at all
*
* Arguments: p => pointer to the packet data struct
* msg => the message to not print in the alert
*
* Returns: void function
*
***************************************************************************/
void NoAlert(Packet *p, char *msg, void *arg)
{
return;
}
/****************************************************************************
*
* Function: LogPkt(Packet *)
*
* Purpose: Log packets that match one of the Snort rules, plus the rules
* message
*
* Arguments: p => pointer to the packet data structure
*
* Returns: void function
*
***************************************************************************/
void LogPkt(Packet *p, char *msg, void *arg)
{
if(p->iph != NULL)
{
OpenLogFile(0, p);
if (msg != NULL)
{
fwrite("[**] ", 5, 1, log_ptr);
fwrite(msg, strlen(msg), 1, log_ptr);
fwrite(" [**]\n", 6, 1, log_ptr);
}
PrintIPPkt(log_ptr, p->iph->ip_proto, p);
fclose(log_ptr);
}
else
{
OpenLogFile(NON_IP, p);
PrintNetData(log_ptr, p->pkt, p->pkth->caplen);
fclose(log_ptr);
}
}
/****************************************************************************
*
* Function: LogArpPkt(Packet *)
*
* Purpose: Log ARP packets
*
* Arguments: p => pointer to the packet data structure
*
* Returns: void function
*
***************************************************************************/
void LogArpPkt(Packet *p)
{
if (!pv.nolog_flag)
{
OpenLogFile(ARP, p);
PrintArpHeader(log_ptr, p);
fclose(log_ptr);
}
}
/****************************************************************************
*
* Function: NoLog(Packet *)
*
* Purpose: Don't log anything
*
* Arguments: p => packet to not log
*
* Returns: void function
*
***************************************************************************/
void NoLog(Packet *p, char *msg, void *arg)
{
return;
}
/****************************************************************************
*
* Function: Print2ndHeader(FILE *, Packet p)
*
* Purpose: Print2ndHeader -- prints second layber header info.
*
* Arguments: fp => file stream to print to
*
* Returns: void function
*
***************************************************************************/
void Print2ndHeader(FILE *fp, Packet *p)
{
if (p->eh)
PrintEthHeader(fp, p);
if (p->trh)
PrintTrHeader(fp, p);
}
/****************************************************************************
*
* Function: PrintTrHeader(FILE *, Packet p)
&
* Purpose: Print the packet TokenRing header to the specified stream
*
* Arguments: fp => file stream to print to
*
* Returns: void function
***************************************************************************/
void PrintTrHeader(FILE *fp, Packet *p)
{
fprintf(fp, "%X:%X:%X:%X:%X:%X -> ", p->trh->saddr[0],
p->trh->saddr[1], p->trh->saddr[2], p->trh->saddr[3],
p->trh->saddr[4], p->trh->saddr[5]);
fprintf(fp, "%X:%X:%X:%X:%X:%X\n", p->trh->daddr[0],
p->trh->daddr[1], p->trh->daddr[2], p->trh->daddr[3],
p->trh->daddr[4], p->trh->daddr[5]);
fprintf(fp, "access control:0x%X frame control:0x%X\n", p->trh->ac,
p->trh->fc);
if (!p->trhllc)
return;
fprintf(fp, "DSAP: 0x%X SSAP 0x%X protoID: %X%X%X Ethertype: %X\n",
p->trhllc->dsap, p->trhllc->ssap, p->trhllc->protid[0],
p->trhllc->protid[1], p->trhllc->protid[2], p->trhllc->ethertype);
if (p->trhmr)
{
fprintf(fp, "RIF structure is present:\n");
fprintf(fp, "bcast: 0x%X length: 0x%X direction: 0x%X largest"
"fr. size: 0x%X res: 0x%X\n",
p->trhmr->bcast, p->trhmr->len, p->trhmr->dir, p->trhmr->lf,
p->trhmr->res);
fprintf(fp, "rseg -> %X:%X:%X:%X:%X:%X:%X:%X\n",
p->trhmr->rseg[0], p->trhmr->rseg[1], p->trhmr->rseg[2],
p->trhmr->rseg[3], p->trhmr->rseg[4], p->trhmr->rseg[5],
p->trhmr->rseg[6], p->trhmr->rseg[7]);
}
}
/****************************************************************************
*
* Function: PrintEthHeader(FILE *)
*
* Purpose: Print the packet Ethernet header to the specified stream
*
* Arguments: fp => file stream to print to
*
* Returns: void function
*
***************************************************************************/
void PrintEthHeader(FILE *fp, Packet *p)
{
/* src addr */
fprintf(fp, "%X:%X:%X:%X:%X:%X -> ", p->eh->ether_src[0],
p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3],
p->eh->ether_src[4], p->eh->ether_src[5]);
/* dest addr */
fprintf(fp, "%X:%X:%X:%X:%X:%X ", p->eh->ether_dst[0],
p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3],
p->eh->ether_dst[4], p->eh->ether_dst[5]);
/* protocol and pkt size */
fprintf(fp, "type:0x%X len:0x%X\n", ntohs(p->eh->ether_type), p->pkth->len);
}
void PrintArpHeader(FILE *fp, Packet *p)
{
struct in_addr *ip_addr;
char timestamp[23];
if(p->ah == NULL)
{
ErrorMessage("[!] WARNING: PrintArpHeader got NULL p->ah pointer\n");
return;
}
bzero((char *)timestamp, 23);
ts_print((struct timeval *)&p->pkth->ts, timestamp);
/* dump the timestamp */
fwrite(timestamp, 22, 1, fp);
if (ntohs(p->ah->ea_hdr.ar_pro) != ETHERNET_TYPE_IP)
{
fprintf(fp, "ARP #%d for protocol #%.4X (%d) hardware #%d (%d)\n",
ntohs(p->ah->ea_hdr.ar_op), ntohs(p->ah->ea_hdr.ar_pro),
p->ah->ea_hdr.ar_pln, ntohs(p->ah->ea_hdr.ar_hrd),
p->ah->ea_hdr.ar_hln);
return;
}
switch (ntohs(p->ah->ea_hdr.ar_op))
{
case ARPOP_REQUEST:
ip_addr = (struct in_addr *)p->ah->arp_tpa;
fprintf(fp, "ARP who-has %s", inet_ntoa(*ip_addr));
if (memcmp((char *)ezero, (char *)p->ah->arp_tha, 6) != 0)
{
fprintf(fp, " (%X:%X:%X:%X:%X:%X)", p->ah->arp_tha[0],
p->ah->arp_tha[1], p->ah->arp_tha[2], p->ah->arp_tha[3],
p->ah->arp_tha[4], p->ah->arp_tha[5]);
}
ip_addr = (struct in_addr *)p->ah->arp_spa;
fprintf(fp, " tell %s", inet_ntoa(*ip_addr));
if (memcmp((char *)p->eh->ether_src, (char *)p->ah->arp_sha, 6) != 0)
{
fprintf(fp, " (%X:%X:%X:%X:%X:%X)", p->ah->arp_sha[0],
p->ah->arp_sha[1], p->ah->arp_sha[2], p->ah->arp_sha[3],
p->ah->arp_sha[4], p->ah->arp_sha[5]);
}
break;
case ARPOP_REPLY:
ip_addr = (struct in_addr *)p->ah->arp_spa;
fprintf(fp, "ARP reply %s", inet_ntoa(*ip_addr));
if (memcmp((char *)p->eh->ether_src, (char *)p->ah->arp_sha, 6) != 0)
{
fprintf(fp, " (%X:%X:%X:%X:%X:%X)", p->ah->arp_sha[0],
p->ah->arp_sha[1], p->ah->arp_sha[2], p->ah->arp_sha[3],
p->ah->arp_sha[4], p->ah->arp_sha[5]);
}
fprintf(fp, " is-at %X:%X:%X:%X:%X:%X", p->ah->arp_sha[0],
p->ah->arp_sha[1], p->ah->arp_sha[2], p->ah->arp_sha[3],
p->ah->arp_sha[4], p->ah->arp_sha[5] );
if (memcmp((char *)p->eh->ether_dst, (char *)p->ah->arp_tha, 6) != 0)
{
fprintf(fp, " (%X:%X:%X:%X:%X:%X)", p->ah->arp_tha[0],
p->ah->arp_tha[1], p->ah->arp_tha[2], p->ah->arp_tha[3],
p->ah->arp_tha[4], p->ah->arp_tha[5]);
}
break;
case ARPOP_RREQUEST:
fprintf(fp, "RARP who-is %X:%X:%X:%X:%X:%X tell %X:%X:%X:%X:%X:%X",
p->ah->arp_tha[0], p->ah->arp_tha[1], p->ah->arp_tha[2],
p->ah->arp_tha[3], p->ah->arp_tha[4], p->ah->arp_tha[5],
p->ah->arp_sha[0], p->ah->arp_sha[1], p->ah->arp_sha[2],
p->ah->arp_sha[3], p->ah->arp_sha[4], p->ah->arp_sha[5]);
break;
case ARPOP_RREPLY:
ip_addr = (struct in_addr *)p->ah->arp_tpa;
fprintf(fp, "RARP reply %X:%X:%X:%X:%X:%X at %s",
p->ah->arp_tha[0], p->ah->arp_tha[1], p->ah->arp_tha[2],
p->ah->arp_tha[3], p->ah->arp_tha[4], p->ah->arp_tha[5],
inet_ntoa(*ip_addr));
break;
default:
fprintf(fp, "Unknown operation: %d", ntohs(p->ah->ea_hdr.ar_op));
break;
}
fprintf(fp, "\n\n");
}
/****************************************************************************
*
* Function: PrintIPHeader(FILE *)
*
* Purpose: Dump the IP header info to the specified stream
*
* Arguments: fp => stream to print to
*
* Returns: void function
*
***************************************************************************/
void PrintIPHeader(FILE *fp, Packet *p)
{
if (p->frag_flag || (p->iph->ip_proto == IPPROTO_ICMP))
{
if(!pv.obfuscation_flag)
{
/* just print the straight IP header */
fputs(inet_ntoa(p->iph->ip_src), fp);
fwrite(" -> ", 4, 1, fp);
fputs(inet_ntoa(p->iph->ip_dst), fp);
}
else
{
if(pv.homenet != 0)
{
if((p->iph->ip_dst.s_addr & pv.netmask) == pv.homenet)
{
fputs(inet_ntoa(p->iph->ip_src), fp);
fwrite(" -> xxx.xxx.xxx.xxx", 19, 1, fp);
}
else if((p->iph->ip_src.s_addr & pv.netmask) == pv.homenet)
{
fwrite("xxx.xxx.xxx.xxx ->", 18, 1, fp);
fputs(inet_ntoa(p->iph->ip_dst), fp);
}
else
{
fputs("xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx", fp);
}
}
else
{
fputs("xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx", fp);
}
}
}
else
{
if(!pv.obfuscation_flag)
{
/* print the header complete with port information */
fputs(inet_ntoa(p->iph->ip_src), fp);
fprintf(fp, ":%d -> ", p->sp);
fputs(inet_ntoa(p->iph->ip_dst), fp);
fprintf(fp, ":%d", p->dp);
}
else
{
if(pv.homenet != 0)
{
if((p->iph->ip_dst.s_addr & pv.netmask) == pv.homenet)
{
fputs(inet_ntoa(p->iph->ip_src), fp);
fprintf(fp, ":%d -> xxx.xxx.xxx.xxx:%d", p->sp, p->dp);
}
else if((p->iph->ip_src.s_addr & pv.netmask) == pv.homenet)
{
fprintf(fp, "xxx.xxx.xxx.xxx:%d -> %s:%d",p->sp, inet_ntoa(p->iph->ip_dst), p->dp);
}
else
{
fprintf(fp, "xxx.xxx.xxx.xxx:%d -> xxx.xxx.xxx.xxx:%d", p->sp, p->dp);
}
}
else
{
fprintf(fp, "xxx.xxx.xxx.xxx:%d -> xxx.xxx.xxx.xxx:%d", p->sp, p->dp);
}
}
}
if (!pv.show2hdr_flag)
{
fputc('\n', fp);
}
else
{
fputc(' ', fp);
}
if(protocol_names[p->iph->ip_proto][0] != 0)
{
fprintf(fp, "%s ", protocol_names[p->iph->ip_proto]);
}
else
{
fprintf(fp, "Proto: %d ", p->iph->ip_proto);
}
/*
switch(p->iph->ip_proto)
{
case IPPROTO_TCP:
case IPPROTO_UDP:
case IPPROTO_ICMP:
fprintf(fp, "%s ", protocol_names[p->iph->ip_proto]);
break;
default:
fprintf(fp, "Proto: %d ", p->iph->ip_proto);
break;
}
*/
fprintf(fp, "TTL:%d TOS:0x%X ID:%d ", p->iph->ip_ttl, p->iph->ip_tos,
ntohs(p->iph->ip_id));
/* printf more frags/don't frag bits */
if (p->df)
fprintf(fp, " DF");
if (p->mf)
fprintf(fp, " MF");
fputc('\n', fp);
/* print IP options */
if (p->ip_option_count != 0)
{
PrintIpOptions(fp, p);
}
/* print fragment info if necessary */
if (p->frag_flag)
{
fprintf(fp, "Frag Offset: 0x%X Frag Size: 0x%X",
(p->frag_offset & 0xFFFF), p->dsize);
fputc('\n', fp);
}
}
/****************************************************************************
*
* Function: PrintTCPHeader(FILE *)
*
* Purpose: Dump the TCP header info to the specified stream
*
* Arguments: fp => file stream to print data to
*
* Returns: void function
*
***************************************************************************/
void PrintTCPHeader(FILE *fp, Packet *p)
{
char tcpFlags[9];
if(p->tcph == NULL)
{
return;
}
/* print TCP flags */
CreateTCPFlagString(p, tcpFlags);
fwrite(tcpFlags, 8, 1, fp); /* We don't care about the NULL */
/* print other TCP info */
fprintf(fp, " Seq: 0x%lX Ack: 0x%lX Win: 0x%X\n",
(u_long)ntohl(p->tcph->th_seq),
(u_long)ntohl(p->tcph->th_ack),
ntohs(p->tcph->th_win));
/* dump the TCP options */
if (p->tcp_option_count != 0)
{
PrintTcpOptions(fp, p);
}
}
/****************************************************************************
*
* Function: PrintUDPHeader(FILE *)
*
* Purpose: Dump the UDP header to the specified file stream
*
* Arguments: fp => file stream
*
* Returns: void function
*
***************************************************************************/
void PrintUDPHeader(FILE *fp, Packet *p)
{
if(p->udph == NULL)
{
return;
}
/* not much to do here... */
fprintf(fp, "Len: %d\n", ntohs(p->udph->uh_len));
}
/****************************************************************************
*
* Function: PrintICMPHeader(FILE *)
*
* Purpose: Print ICMP header
*
* Arguments: fp => file stream
*
* Returns: void function
*
***************************************************************************/
void PrintICMPHeader(FILE *fp, Packet *p)
{
if(p->icmph == NULL)
{
return;
}
switch (p->icmph->type)
{
case ICMP_ECHOREPLY:
fprintf(fp, "ID:%d Seq:%d ", p->icmph->ih_id, p->icmph->ih_seq);
fwrite("ECHO REPLY\n", 10, 1, fp);
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -