📄 log.c
字号:
break;
case ICMP_DEST_UNREACH:
fwrite("DESTINATION UNREACHABLE: ", 25, 1, fp);
switch (p->icmph->code)
{
case ICMP_NET_UNREACH:
fwrite("NET UNREACHABLE", 15, 1, fp);
break;
case ICMP_HOST_UNREACH:
fwrite("HOST UNREACHABLE", 16, 1, fp);
break;
case ICMP_PROT_UNREACH:
fwrite("PROTOCOL UNREACHABLE", 20, 1, fp);
break;
case ICMP_PORT_UNREACH:
fwrite("PORT UNREACHABLE", 16, 1, fp);
break;
case ICMP_FRAG_NEEDED:
fwrite("FRAGMENTATION NEEDED", 20, 1, fp);
break;
case ICMP_SR_FAILED:
fwrite("SOURCE ROUTE FAILED", 19, 1, fp);
break;
case ICMP_NET_UNKNOWN:
fwrite("NET UNKNOWN", 11, 1, fp);
break;
case ICMP_HOST_UNKNOWN:
fwrite("HOST UNKNOWN", 12, 1, fp);
break;
case ICMP_HOST_ISOLATED:
fwrite("HOST ISOLATED", 13, 1, fp);
break;
case ICMP_NET_ANO:
fwrite("NET ANO", 7, 1, fp);
break;
case ICMP_HOST_ANO:
fwrite("HOST ANO", 8, 1, fp);
break;
case ICMP_NET_UNR_TOS:
fwrite("NET UNREACHABLE TOS", 19, 1, fp);
break;
case ICMP_HOST_UNR_TOS:
fwrite("HOST UNREACHABLE TOS", 20, 1, fp);
break;
case ICMP_PKT_FILTERED:
fwrite("PACKET FILTERED", 15, 1, fp);
break;
case ICMP_PREC_VIOLATION:
fwrite("PREC VIOLATION", 14, 1, fp);
break;
case ICMP_PREC_CUTOFF:
fwrite("PREC CUTOFF", 12, 1, fp);
break;
default:
fwrite("UNKNOWN", 7, 1, fp);
break;
}
break;
case ICMP_SOURCE_QUENCH:
fwrite("SOURCE QUENCH", 13, 1, fp);
break;
case ICMP_REDIRECT:
fwrite("REDIRECT", 8, 1, fp);
break;
case ICMP_ECHO:
fprintf(fp, "ID:%d Seq:%d ", p->icmph->ih_id, p->icmph->ih_seq);
fwrite("ECHO\n", 4, 1, fp);
break;
case ICMP_TIME_EXCEEDED:
fwrite("TTL EXCEEDED", 12, 1, fp);
break;
case ICMP_PARAMETERPROB:
fwrite("PARAMETER PROBLEM", 17, 1, fp);
break;
case ICMP_TIMESTAMP:
fwrite("TIMESTAMP REQUEST", 17, 1, fp);
break;
case ICMP_TIMESTAMPREPLY:
fwrite("TIMESTAMP REPLY", 15, 1, fp);
break;
case ICMP_INFO_REQUEST:
fwrite("INFO REQUEST", 12, 1, fp);
break;
case ICMP_INFO_REPLY:
fwrite("INFO REPLY", 10, 1, fp);
break;
case ICMP_ADDRESS:
fwrite("ADDRESS REQUEST", 15, 1, fp);
break;
case ICMP_ADDRESSREPLY:
fwrite("ADDRESS REPLY", 13, 1, fp);
break;
default:
fwrite("UNKNOWN", 7, 1, fp);
break;
}
putc('\n', fp);
}
/* Input is packet and an nine-byte (including NULL) character array. Results
are put into the character array.
*/
void CreateTCPFlagString(Packet *p, char *flagBuffer)
{
memset(flagBuffer, '\0', 9);
/* parse TCP flags */
*flagBuffer++ = (p->tcph->th_flags & TH_RES1) ? '1' : '*';
*flagBuffer++ = (p->tcph->th_flags & TH_RES2) ? '2' : '*';
*flagBuffer++ = (p->tcph->th_flags & TH_URG) ? 'U' : '*';
*flagBuffer++ = (p->tcph->th_flags & TH_ACK) ? 'A' : '*';
*flagBuffer++ = (p->tcph->th_flags & TH_PUSH) ? 'P' : '*';
*flagBuffer++ = (p->tcph->th_flags & TH_RST) ? 'R' : '*';
*flagBuffer++ = (p->tcph->th_flags & TH_SYN) ? 'S' : '*';
*flagBuffer++ = (p->tcph->th_flags & TH_FIN) ? 'F' : '*';
};
void PrintIpOptions(FILE *fp, Packet *p)
{
int i;
int j;
int lastopt = IPOPT_NOP;
if (!p->ip_option_count)
return;
fwrite("IP Options => ", 15, 1, fp);
for (i = 0; i < p->ip_option_count; i++)
{
// prevent run on printing....
if(lastopt == p->ip_options[i].code && lastopt != IPOPT_NOP)
{
return;
}
switch (p->ip_options[i].code)
{
case IPOPT_RR:
fwrite("RR ", 3, 1, fp);
lastopt = p->ip_options[i].code;
break;
case IPOPT_EOL:
fwrite("EOL ", 4, 1, fp);
lastopt = p->ip_options[i].code;
break;
case IPOPT_NOP:
fwrite("NOP ", 5, 1, fp);
lastopt = p->ip_options[i].code;
break;
case IPOPT_TS:
fwrite("TS ", 3, 1, fp);
lastopt = p->ip_options[i].code;
break;
case IPOPT_SECURITY:
fwrite("SEC ", 4, 1, fp);
lastopt = p->ip_options[i].code;
break;
case IPOPT_LSRR:
case IPOPT_LSRR_E:
fwrite("LSRR ", 5, 1, fp);
lastopt = p->ip_options[i].code;
break;
case IPOPT_SATID:
fwrite("SID ", 4, 1, fp);
lastopt = p->ip_options[i].code;
break;
case IPOPT_SSRR:
fwrite("SSRR ", 5, 1, fp);
lastopt = p->ip_options[i].code;
break;
default:
fprintf(fp, "Opt %d: ", p->ip_options[i].code);
lastopt = p->ip_options[i].code;
if (p->ip_options[i].len)
{
for (j = 0; j < p->ip_options[i].len-2; j+=2)
{
fprintf(fp, "%02X%02X ", p->ip_options[i].data[j], p->ip_options[i].data[j+1]);
}
}
break;
}
}
fwrite("\n", 1, 1, fp);
}
void PrintTcpOptions(FILE *fp, Packet *p)
{
int i;
int j;
u_char tmp[5];
int lastopt = TCPOPT_NOP;
fwrite("TCP Options => ", 15, 1, fp);
for (i = 0; i < p->tcp_option_count; i++)
{
if(lastopt == p->tcp_options[i].code && lastopt != TCPOPT_NOP)
{
return;
}
switch (p->tcp_options[i].code)
{
case TCPOPT_MAXSEG:
bzero((char *)tmp, 5);
fwrite("MSS: ", 5, 1, fp);
strncpy(tmp, p->tcp_options[i].data, 2);
fprintf(fp, "%u ", EXTRACT_16BITS(tmp));
break;
case TCPOPT_EOL:
fwrite("EOL ", 4, 1, fp);
break;
case TCPOPT_NOP:
fwrite("NOP ", 4, 1, fp);
break;
case TCPOPT_WSCALE:
fprintf(fp, "WS: %u ", p->tcp_options[i].data[0]);
break;
case TCPOPT_SACK:
bzero((char *)tmp, 5);
memcpy(tmp, p->tcp_options[i].data, 2);
fprintf(fp, "Sack: %u@", EXTRACT_16BITS(tmp));
bzero((char *)tmp, 5);
memcpy(tmp, (p->tcp_options[i].data)+2, 2);
fprintf(fp, "%u ", EXTRACT_16BITS(tmp));
break;
case TCPOPT_SACKOK:
fwrite("SackOK ", 7, 1, fp);
break;
case TCPOPT_ECHO:
bzero((char *)tmp, 5);
memcpy(tmp, p->tcp_options[i].data, 4);
fprintf(fp,"Echo: %lu ", EXTRACT_32BITS(tmp));
break;
case TCPOPT_ECHOREPLY:
bzero((char *)tmp, 5);
memcpy(tmp, p->tcp_options[i].data, 4);
fprintf(fp, "Echo Rep: %lu ", EXTRACT_32BITS(tmp));
break;
case TCPOPT_TIMESTAMP:
bzero((char *)tmp, 5);
memcpy(tmp, p->tcp_options[i].data, 4);
fprintf(fp, "TS: %lu ", EXTRACT_32BITS(tmp));
bzero((char *)tmp, 5);
memcpy(tmp, (p->tcp_options[i].data)+4, 4);
fprintf(fp, "%lu ", EXTRACT_32BITS(tmp));
break;
case TCPOPT_CC:
bzero((char *)tmp, 5);
memcpy(tmp, p->tcp_options[i].data, 4);
fprintf(fp, "CC %lu ", EXTRACT_32BITS(tmp));
break;
case TCPOPT_CCNEW:
bzero((char *)tmp, 5);
memcpy(tmp, p->tcp_options[i].data, 4);
fprintf(fp, "CCNEW: %lu ", EXTRACT_32BITS(tmp));
break;
case TCPOPT_CCECHO:
bzero((char *)tmp, 5);
memcpy(tmp, p->tcp_options[i].data, 4);
fprintf(fp, "CCECHO: %lu ", EXTRACT_32BITS(tmp));
break;
default:
if (p->tcp_options[i].len > 2)
{
fprintf(fp, "Opt %d (%d): ", p->tcp_options[i].code,
p->tcp_options[i].len);
for (j = 0; j < p->tcp_options[i].len-2; j+=2)
{
fprintf(fp, "%02X%02X ", p->tcp_options[i].data[j], p->tcp_options[i].data[j+1]);
}
}
else
{
fprintf(fp, "Opt %d ", p->tcp_options[i].code);
}
break;
}
lastopt = p->tcp_options[i].code;
}
fwrite("\n", 1, 1, fp);
}
/****************************************************************************
*
* Function: LogBin()
*
* Purpose: Log packets in binary (tcpdump) format
*
* Arguments: None.
*
* Returns: void function
*
***************************************************************************/
void LogBin(Packet *p, char *msg, void *arg)
{
pcap_dump((u_char *)dumpd,p->pkth,p->pkt);
fflush((FILE *)dumpd);
}
/****************************************************************************
*
* Function: IcmpFileName(Packet *p)
*
* Purpose: Set the filename of an ICMP output log according to its type
*
* Arguments: p => Packet data struct
*
* Returns: the name of the file to set
*
***************************************************************************/
char *IcmpFileName(Packet *p)
{
if(p->icmph == NULL)
return "BAD_PACKET";
switch (p->icmph->type)
{
case ICMP_ECHOREPLY:
return "ECHO_REPLY";
case ICMP_DEST_UNREACH:
switch (p->icmph->code)
{
case ICMP_NET_UNREACH:
return "NET_UNRCH";
case ICMP_HOST_UNREACH:
return "HST_UNRCH";
case ICMP_PROT_UNREACH:
return "PROTO_UNRCH";
case ICMP_PORT_UNREACH:
return "PORT_UNRCH";
case ICMP_FRAG_NEEDED:
return "UNRCH_FRAG_NEEDED";
case ICMP_SR_FAILED:
return "UNRCH_SOURCE_ROUTE_FAILED";
case ICMP_NET_UNKNOWN:
return "UNRCH_NETWORK_UNKNOWN";
case ICMP_HOST_UNKNOWN:
return "UNRCH_HOST_UNKNOWN";
case ICMP_HOST_ISOLATED:
return "UNRCH_HOST_ISOLATED";
case ICMP_NET_ANO:
return "UNRCH_NET_ANO";
case ICMP_HOST_ANO:
return "UNRCH_HOST_ANO";
case ICMP_NET_UNR_TOS:
return "UNRCH_NET_UNR_TOS";
case ICMP_HOST_UNR_TOS:
return "UNRCH_HOST_UNR_TOS";
case ICMP_PKT_FILTERED:
return "UNRCH_PACKET_FILT";
case ICMP_PREC_VIOLATION:
return "UNRCH_PREC_VIOL";
case ICMP_PREC_CUTOFF:
return "UNRCH_PREC_CUTOFF";
default:
return "UNKNOWN";
}
case ICMP_SOURCE_QUENCH:
return "SRC_QUENCH";
case ICMP_REDIRECT:
return "REDIRECT";
case ICMP_ECHO:
return "ECHO";
case ICMP_TIME_EXCEEDED:
return "TTL_EXCEED";
case ICMP_PARAMETERPROB:
return "PARAM_PROB";
case ICMP_TIMESTAMP:
return "TIMESTAMP";
case ICMP_TIMESTAMPREPLY:
return "TIMESTAMP_RPL";
case ICMP_INFO_REQUEST:
return "INFO_REQ";
case ICMP_INFO_REPLY:
return "INFO_RPL";
case ICMP_ADDRESS:
return "ADDR";
case ICMP_ADDRESSREPLY:
return "ADDR_RPL";
default:
return "UNKNOWN";
}
}
/****************************************************************************
*
* Function: InitLogFile()
*
* Purpose: Initialize the tcpdump log file header
*
* Arguments: None.
*
* Returns: void function
*
***************************************************************************/
void InitBinLogFile()
{
time_t curr_time; /* place to stick the clock data */
struct tm *loc_time; /* place to stick the adjusted clock data */
char timebuf[10];
char logdir[STD_BUF];
bzero((char *)timebuf, 10);
curr_time = time(NULL);
loc_time = localtime(&curr_time);
strftime(timebuf,91,"%m%d@%H%M",loc_time);
bzero((char *)logdir, STD_BUF);
if (strlen(pv.log_dir)+strlen(timebuf)+12 < STD_BUF)
sprintf(logdir,"%s/snort-%s.log", pv.log_dir, timebuf);
#ifdef DEBUG
printf("Opening %s\n", logdir);
#endif
if ((dumpd=pcap_dump_open(pd,logdir)) == NULL)
{
FatalError("ERROR => InitBinFrag() pcap_dump_open: %s\n", strerror(errno));
}
#ifdef DEBUG
printf("Binfrag log file initialized\n");
#endif
return;
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -