itrafmon.c

一个网络流量分析的完整的程序

		switch (ch) {
		case KEY_UP:
		    if (!curwin) {
		        if (table.barptr != NULL) {
		            if (table.barptr->prev_entry != NULL) {
		                tmptcp = table.barptr;
		                set_barptr((char **) &(table.barptr),
		                    (char *) table.barptr->prev_entry,
		                    &(table.barptr->prev_entry->starttime),
		                    (char *) &(table.barptr->prev_entry->spanbr),
		                    sizeof(unsigned long), statwin, &statcleared, statx);
		                
		                printentry(&table, tmptcp, screen_idx,  mode);

		                if (table.baridx == 1)
			            scrollupperwin(&table, SCROLLDOWN, &screen_idx,
		  		           mode);
			        else
			            (table.baridx)--;

			        printentry(&table, table.barptr, screen_idx, mode);
		            }
		        }
		    } else
			scrolllowerwin(&othptbl, SCROLLDOWN);
		    break;
		case KEY_DOWN:
		    if (!curwin) {
		        if (table.barptr != NULL) {
		            if (table.barptr->next_entry != NULL) {
		                tmptcp = table.barptr;
		                set_barptr((char **) &(table.barptr), 
		                    (char *) table.barptr->next_entry,
		                    &(table.barptr->next_entry->starttime),
		                    (char *) &(table.barptr->next_entry->spanbr),
		                    sizeof(unsigned long), statwin, &statcleared, statx);
		                printentry(&table, tmptcp, screen_idx, mode);
		            
		                if (table.baridx == table.imaxy)
			            scrollupperwin(&table, SCROLLUP, &screen_idx,
				           mode);
			        else
			            (table.baridx)++;
			        
			        printentry(&table, table.barptr, screen_idx, mode);
			    }
			}
		    } else
			scrolllowerwin(&othptbl, SCROLLUP);
		    break;
		case KEY_RIGHT:
		    if (curwin) {
			if (othptbl.strindex != VSCRL_OFFSET)
			    othptbl.strindex = VSCRL_OFFSET;

			refresh_othwindow(&othptbl);
		    }
		    break;
		case KEY_LEFT:
		    if (curwin) {
			if (othptbl.strindex != 0)
			    othptbl.strindex = 0;

			refresh_othwindow(&othptbl);
		    }
		    break;
		case KEY_PPAGE:
		case '-':
		    if (!curwin) {
		        if (table.barptr != NULL) {
			    pageupperwin(&table, SCROLLDOWN, &screen_idx,
			  	         mode);
                            set_barptr((char **) &(table.barptr),
                                (char *) table.lastvisible,
                                &(table.lastvisible->starttime),
                                (char *) &(table.lastvisible->spanbr),
                                sizeof(unsigned long), statwin, &statcleared, statx);
                            table.baridx = table.lastvisible->index - screen_idx + 1;
                            refreshtcpwin(&table, screen_idx, mode);
                        }
		    } else {
			pagelowerwin(&othptbl, SCROLLDOWN);
			refresh_othwindow(&othptbl);
	            }
		    break;
		case KEY_NPAGE:
		case ' ':
		    if (!curwin) {
		        if (table.barptr != NULL) {
			    pageupperwin(&table, SCROLLUP, &screen_idx, mode);
                            set_barptr((char **) &(table.barptr), 
                                (char *) table.firstvisible,
                                &(table.firstvisible->starttime),
                                (char *) &(table.firstvisible->spanbr),
                                sizeof(unsigned long), statwin, &statcleared, statx);
                            table.baridx =  1;
                            refreshtcpwin(&table, screen_idx, mode);
                        }
		    } else {
			pagelowerwin(&othptbl, SCROLLUP);
			refresh_othwindow(&othptbl);
		    }
		    break;
		case KEY_F(6):
		case 'w':
		case 'W':
		case 9:
		    curwin = !curwin;
		    markactive(curwin, table.borderwin, othptbl.borderwin);
		    uniq_help(curwin);
		    break;
		case 'm':
		case 'M':
		    if (!curwin) {
			mode = (mode + 1) % 3;
			if ((mode == 1) && (!options->mac))
			    mode = 2;
			refreshtcpwin(&table, screen_idx, mode);
		    }
		    break;
		case 12:
		case 'l':
		case 'L':
		    tx_refresh_screen();
		    break;

		case 'F':
		case 'f':
		case 'c':
		case 'C':
		    flushclosedentries(&table, &screen_idx,
				       logging, logfile, options);
		    refreshtcpwin(&table, screen_idx, mode);
		    break;
		case 's':
		case 'S':
		    keymode = 1;
		    show_tcpsort_win(&sortwin, &sortpanel);
		    break;
		case 'Q':
		case 'q':
		case 'X':
		case 'x':
		case 24:
		case 27:
		    exitloop = 1;
		    break;
		}
	    } else if (keymode == 1) {
		keymode = 0;
		del_panel(sortpanel);
		delwin(sortwin);
		show_sort_statwin(&sortwin, &sortpanel);
		update_panels();
		doupdate();
		sortipents(&table, &screen_idx, ch, mode, logging, logfile,
		           options->timeout, &nomem, options);
		
		if (table.barptr != NULL) {
		    set_barptr((char **) &(table.barptr), (char *) table.firstvisible,
		        &(table.firstvisible->starttime),
		        (char *) &(table.firstvisible->spanbr), sizeof(unsigned long),
		        statwin, &statcleared, statx);
		    table.baridx = 1;
		}
		refreshtcpwin(&table, screen_idx, mode);
		del_panel(sortpanel);
		delwin(sortwin);
		update_panels();
		doupdate();
            }
	}
	
	if (readlen > 0) {
            total_pkts++;
  	    show_stats(statwin, total_pkts);
  	    
            pkt_result = processpacket((char *) tpacket, &packet, &readlen,
                                       &br, &sport, &dport, &fromaddr,
                                       &linktype, ofilter, ifname, ifptr);            

            if (pkt_result != PACKET_OK)
                continue;
                
            if (fromaddr.sll_protocol != ETH_P_IP) {
		othpent = add_othp_entry(&othptbl, &table,
					     0, 0, NOT_IP,
					     fromaddr.sll_protocol,
					     linktype, (char *) tpacket,
					     (char *) packet, br, ifname, 0, 0,
					     0, logging, logfile,
					     options->servnames, 0,
					     &nomem);
	        continue;
	    } else {
	        ippacket = (struct iphdr *) packet;
	        iphlen = ippacket->ihl * 4;
	        transpacket = (struct tcphdr *) (packet + iphlen);

	        if (ippacket->protocol == IPPROTO_TCP) {

		tcpentry = in_table(&table, ippacket->saddr, ippacket->daddr,
			     ntohs(sport), ntohs(dport), ifname,
			     logging, logfile, &nomem, options);

		/* 
		 * Add a new entry if it doesn't exist, and, 
		 * to reduce the chances of stales, not a FIN.
		 */

		if ((ntohs(ippacket->frag_off) & 0x3fff) == 0) {	/* first frag only */
		    totalhlen = iphlen + transpacket->doff * 4;

		    if ((tcpentry == NULL) && (!(transpacket->fin))) {

			/*
			 * Ok, so we have a packet.  Add it if this connection
			 * is not yet closed, or if it is a SYN packet.
			 */

			if (!nomem) {
			    wasempty = (table.head == NULL);
			    tcpentry = addentry(&table,
						(unsigned long)
						ippacket->saddr,
						(unsigned long)
						ippacket->daddr, sport,
						dport, ippacket->protocol,
						ifname, &revlook,
						rvnfd, options->servnames,
						&nomem);

			    if (tcpentry != NULL) {
				printentry(&table,
					   tcpentry->oth_connection,
					   screen_idx, mode);
					   
				if (wasempty) {
				    set_barptr((char **) &(table.barptr),
				        (char *) table.firstvisible,
				        &(table.firstvisible->starttime),
				        (char *) &(table.firstvisible->spanbr),
				        sizeof(unsigned long), statwin, &statcleared, statx);
				    table.baridx = 1;
				}
				
				if ((table.barptr == tcpentry) ||
				    (table.barptr == tcpentry->oth_connection))
				    set_barptr((char **) &(table.barptr),
				        (char *) table.barptr,
				        &(table.barptr->starttime),
				        (char *) &(table.barptr->spanbr),
				        sizeof(unsigned long), statwin, &statcleared, statx);
			    }
			}
		    }
		}
		/* 
		 * If we had an addentry() success, we should have no
		 * problem here.  Same thing if we had a table lookup
		 * success.
		 */

		if (tcpentry != NULL) {
		    /* 
		     * Don't bother updating the entry if the connection
		     * has been previously reset.  (Does this really
		     * happen in practice?)
		     */

		    if (!(tcpentry->stat & FLAG_RST)) {
			if (revlook) {
			    p_sstat = tcpentry->s_fstat;
			    p_dstat = tcpentry->d_fstat;
			}
			updateentry(&table, tcpentry, transpacket, tpacket,
			            linktype, readlen,
				    br, ippacket->frag_off, logging,
				    &revlook, rvnfd, options, logfile,
				    &nomem);

			/*
			 * Log first packet of a TCP connection except if
			 * it's a RST, which was already logged earlier in
			 * updateentry()
			 */
			 
		        if ((tcpentry->pcount == 1) &&
		           (!(tcpentry->stat & FLAG_RST)) && (logging)) {
			    strcpy(msgstring, "first packet");
			    if (transpacket->syn)
			        strcat(msgstring, " (SYN)");

			    writetcplog(logging, logfile,
				    tcpentry, readlen, options->mac, msgstring);
		        }
			
			if ((revlook)
			    && (((p_sstat != RESOLVED)
				 && (tcpentry->s_fstat == RESOLVED))
				|| ((p_dstat != RESOLVED)
				    && (tcpentry->d_fstat == RESOLVED)))) {
			    clearaddr(&table, tcpentry, screen_idx);
			    clearaddr(&table, tcpentry->oth_connection,
				      screen_idx);
			}
			printentry(&table, tcpentry, screen_idx, mode);

			/*
			 * Special cases: Update other direction if it's
			 * an ACK in response to a FIN. 
			 *
			 *         -- or --
			 *
			 * Addresses were just resolved for the other
			 * direction, so we should also do so here.
			 */

			if (((tcpentry->oth_connection->finsent == 2) &&	/* FINed and ACKed */
			     (ntohl(transpacket->seq) ==
			      tcpentry->oth_connection->finack))
			    || ((revlook)
				&&
				(((p_sstat
				   != RESOLVED)
				  && (tcpentry->s_fstat == RESOLVED))
				 || ((p_dstat != RESOLVED)
				     && (tcpentry->d_fstat == RESOLVED)))))
			    printentry(&table, tcpentry->oth_connection,
				       screen_idx, mode);
		    }
		}
	    } else {		/* now for the other IP protocols */
		fragment = ((ntohs(ippacket->frag_off) & 0x1fff) != 0);
		
		if (ippacket->protocol == IPPROTO_ICMP) {

		    /*
		     * Cancel the corresponding TCP entry if an ICMP
		     * Destination Unreachable or TTL Exceeded message
		     * is received.
		     */

		    if (((struct icmphdr *) transpacket)->type ==
		        ICMP_DEST_UNREACH)
	                process_dest_unreach(&table, (char *) transpacket,
	                    ifname, &nomem);

		}

		    othpent =
			add_othp_entry(&othptbl, &table, ippacket->saddr,
				       ippacket->daddr, IS_IP,
				       ippacket->protocol, linktype,
				       (char *) tpacket, (char *) transpacket,
				       readlen, ifname, &revlook,
				       rvnfd, options->timeout, logging, logfile,
				       options->servnames, fragment,
				       &nomem);
		}
	    }
	}
    }

    if (get_instance_count(ITRAFMONCOUNTFILE) <= 1)
        killrvnamed();

    if (options->servnames)
	endservent();

    close_rvn_socket(rvnfd);

    if ((options->promisc) && (is_last_instance())) {
	load_promisc_list(&promisc_list);
	srpromisc(0, promisc_list);
	destroy_promisc_list(&promisc_list);
    }
    adjust_instance_count(PROCCOUNTFILE, -1);
    adjust_instance_count(ITRAFMONCOUNTFILE, -1);
    
    attrset(STDATTR);
    mvprintw(0, COLS - 20, "                    ");
    del_panel(table.tcppanel);
    del_panel(table.borderpanel);
    del_panel(othptbl.othppanel);
    del_panel(othptbl.borderpanel);
    del_panel(statpanel);
    update_panels();
    doupdate();
    delwin(table.tcpscreen);
    delwin(table.borderwin);
    delwin(othptbl.othpwin);
    delwin(othptbl.borderwin);
    delwin(statwin);
    close(fd);
    destroytcptable(&table);
    destroyothptable(&othptbl);
    pkt_cleanup();
    writelog(logging, logfile,
	     "******** IP traffic monitor stopped ********\n");
    unmark_facility(IPMONIDFILE, ifptr);
    if (logfile != NULL)
	fclose(logfile);
	
    strcpy(current_logfile, "");

    signal(SIGUSR1, SIG_DFL);

    return;
}