tcptable.c

一个网络流量分析的完整的程序

/***

tcptable.c - table manipulation routines for the IP monitor
Written by Gerard Paul Java
Copyright (c) Gerard Paul Java 1997, 1998

This software is open source; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License in the included COPYING file for
details.
   
***/

#include <winops.h>
#include "options.h"
#include "tcptable.h"
#include "deskman.h"
#include "attrs.h"
#include "log.h"
#include "revname.h"
#include "rvnamed.h"

#define MSGSTRING_MAX	320

unsigned int bmaxy = 0;
unsigned int imaxy = 0;

void convmacaddr(char *addr, char *result);
void writetcplog(int logging, FILE * fd, struct tcptableent *entry,
		 unsigned int pktlen, int mac, char *message);

void setlabels(WINDOW * win, int mode)
{
    wmove(win, 0, 42 * COLS / 80);
    whline(win, ACS_HLINE, 23 * COLS / 80);

    if (mode == 0) {
	wmove(win, 0, 47 * COLS / 80);
	wprintw(win, " Packets ");
	wmove(win, 0, 59 * COLS / 80);
	wprintw(win, " Bytes ");
    } else if (mode == 1) {
        mvwprintw(win, 0, 47 * COLS / 80, " Source MAC Addr ");
    } else if (mode == 2) {
	wmove(win, 0, 45 * COLS / 80);
	wprintw(win, " Pkt Size ");
	wmove(win, 0, 56 * COLS / 80);
	wprintw(win, " Win Size ");
    }
}

/*
 * The hash function for the TCP hash table
 */

unsigned int tcp_hash(unsigned long saddr, unsigned int sport,
		      unsigned long daddr, unsigned int dport,
		      char *ifname)
{
    int i;
    int ifsum = 0;

    for (i = 0; i <= strlen(ifname) - 1; i++)
	ifsum += ifname[i];

    return ((ifsum + (4 * saddr) + (3 * sport) +
	     (2 * daddr) + dport) % ENTRIES_IN_HASH_TABLE);
}

void print_tcp_num_entries(struct tcptable *table)
{
    mvwprintw(table->borderwin, table->bmaxy - 1, 1, " TCP: %6u entries ",
	      table->count);
}


void init_tcp_table(struct tcptable *table)
{
    int i;

    table->bmaxy = LINES * 0.6;	/* 60% of total screen */
    table->imaxy = table->bmaxy - 2;

    table->borderwin = newwin(table->bmaxy, COLS, 1, 0);
    table->borderpanel = new_panel(table->borderwin);

    wattrset(table->borderwin, BOXATTR);
    box(table->borderwin, ACS_VLINE, ACS_HLINE);
    wmove(table->borderwin, 0, 1);
    wprintw(table->borderwin, " TCP Connections (Source Host:Port) ");

    setlabels(table->borderwin, 0);	/* initially use mode 0 */

    wmove(table->borderwin, 0, 65 * COLS / 80);
    wprintw(table->borderwin, " Flags ");
    wmove(table->borderwin, 0, 72 * COLS / 80);
    wprintw(table->borderwin, " Iface ");
    update_panels();
    doupdate();

    table->head = table->tail = NULL;
    table->firstvisible = table->lastvisible = NULL;
    table->tcpscreen = newwin(table->imaxy, COLS - 2, 2, 1);
    table->tcppanel = new_panel(table->tcpscreen);
    table->closedentries = table->closedtail = NULL;
    wattrset(table->tcpscreen, BOXATTR);
    tx_colorwin(table->tcpscreen);
    table->lastpos = 0;
    table->count = 0;

    wtimeout(table->tcpscreen, -1);
    tx_stdwinset(table->tcpscreen);
    print_tcp_num_entries(table);

    /* 
     * Initialize hash table to nulls
     */

    for (i = 0; i <= ENTRIES_IN_HASH_TABLE - 1; i++) {
	table->hash_table[i] = NULL;
	table->hash_tails[i] = NULL;
    }
    table->barptr = NULL;
    table->baridx = 0;
}

/*
 * Add a TCP entry to the hash table.
 */

int add_tcp_hash_entry(struct tcptable *table, struct tcptableent *entry)
{
    unsigned int hp;		/* hash position in table */
    struct tcp_hashentry *ptmp;

    hp = tcp_hash(entry->saddr.s_addr, entry->sport,
		  entry->daddr.s_addr, entry->dport, entry->ifname);

    ptmp = malloc(sizeof(struct tcp_hashentry));
    bzero(ptmp, sizeof(struct tcp_hashentry));

    if (ptmp == NULL)
	return 1;

    /*
     * Add backpointer from screen node to hash node for deletion later
     * (Actually point to its predecessor coz of the header cell).
     */

    entry->hash_node = ptmp;

    /* 
     * Update hash node and add it to list.
     */

    ptmp->tcpnode = entry;
    ptmp->hp = hp;

    if (table->hash_table[hp] == NULL) {
	ptmp->prev_entry = NULL;
	table->hash_table[hp] = ptmp;
        ptmp->index = 1;
    }

    if (table->hash_tails[hp] != NULL) {
	table->hash_tails[hp]->next_entry = ptmp;
	ptmp->prev_entry = table->hash_tails[hp];
        ptmp->index = ptmp->prev_entry->index + 1;
    }
    table->hash_tails[hp] = ptmp;
    ptmp->next_entry = NULL;

    return 0;
}

/*
 * Delete a hash table node
 */

void del_tcp_hash_node(struct tcptable *table, struct tcptableent *entry)
{
    struct tcp_hashentry *ptmp;

    ptmp = entry->hash_node;	/* ptmp now points to the target */

    /*
     * If the targeted node is the last entry, adjust the corresponding tail
     * pointer to the preceeding node;
     */

    if (ptmp->next_entry == NULL)
	table->hash_tails[ptmp->hp] = ptmp->prev_entry;

    if (ptmp->prev_entry != NULL)
	ptmp->prev_entry->next_entry = ptmp->next_entry;
    else
	table->hash_table[ptmp->hp] = ptmp->next_entry;

    if (ptmp->next_entry != NULL)
	ptmp->next_entry->prev_entry = ptmp->prev_entry;

    free(ptmp);
}

/*
 * Add a new entry to the TCP screen table
 */

struct tcptableent *addentry(struct tcptable *table,
			     unsigned long int saddr,
			     unsigned long int daddr,
			     unsigned int sport, unsigned int dport,
			     int protocol,  
			     char *ifname, int *rev_lookup,
			     int rvnfd, int servnames, int *nomem)
{
    struct tcptableent *new_entry;
    struct closedlist *ctemp;

    /* 
     * Allocate and attach a new node if no closed entries found
     */

    if (table->closedentries == NULL) {
	new_entry = malloc(sizeof(struct tcptableent));

	if (new_entry != NULL)
	    new_entry->oth_connection = malloc(sizeof(struct tcptableent));

	if ((new_entry->oth_connection == NULL) || (new_entry == NULL)) {
	    printnomem();
	    *nomem = 1;
	    return NULL;
	}
	new_entry->oth_connection->oth_connection = new_entry;

	if (table->head == NULL) {
	    new_entry->prev_entry = NULL;
	    table->head = new_entry;

	    table->firstvisible = new_entry;
	}
	if (table->tail != NULL) {
	    table->tail->next_entry = new_entry;
	    new_entry->prev_entry = table->tail;
	}
	table->lastpos++;
	new_entry->index = table->lastpos;
	table->lastpos++;
	new_entry->oth_connection->index = table->lastpos;

	table->tail = new_entry->oth_connection;
	new_entry->next_entry = new_entry->oth_connection;
	new_entry->next_entry->prev_entry = new_entry;
	new_entry->next_entry->next_entry = NULL;


	if (new_entry->oth_connection->index <=
	    table->firstvisible->index + (table->imaxy - 1))
	    table->lastvisible = new_entry->oth_connection;
	else if (new_entry->index <=
		 table->firstvisible->index + (table->imaxy - 1))
	    table->lastvisible = new_entry;

	new_entry->reused = new_entry->oth_connection->reused = 0;
	table->count++;

	print_tcp_num_entries(table);
    } else {
	/*
	 * If we reach this point, we're allocating off the list of closed
	 * entries.  In this case, we take the top entry, let the new_entry
	 * variable point to whatever the top is pointing to.  The new_entry's
	 * oth_connection also points to the reused entry's oth_connection
	 */

	new_entry = table->closedentries->closedentry;
	new_entry->oth_connection = table->closedentries->pair;

	ctemp = table->closedentries;
	table->closedentries = table->closedentries->next_entry;
	free(ctemp);

	/*
	 * Mark the closed list's tail as NULL if we use the last entry
	 * in the list to prevent a dangling reference.
	 */

	if (table->closedentries == NULL)
	    table->closedtail = NULL;

	new_entry->reused = new_entry->oth_connection->reused = 1;

	/*
	 * Delete the old hash entries for this reallocated node;
	 */

	del_tcp_hash_node(table, new_entry);
	del_tcp_hash_node(table, new_entry->oth_connection);
    }

    /* 
     * Fill in address fields with raw IP addresses
     */

    new_entry->saddr.s_addr = new_entry->oth_connection->daddr.s_addr =
	saddr;
    new_entry->daddr.s_addr = new_entry->oth_connection->saddr.s_addr =
	daddr;
    new_entry->protocol = protocol;

    /*
     * Initialize count fields
     */

    new_entry->pcount = new_entry->bcount = 0;
    new_entry->win = new_entry->psize = 0;
    new_entry->timedout = new_entry->oth_connection->timedout = 0;
    new_entry->oth_connection->pcount = new_entry->oth_connection->bcount =
	0;
    new_entry->oth_connection->win = new_entry->oth_connection->psize = 0;

    /*
     * Store interface name
     */

    strcpy(new_entry->ifname, ifname);
    strcpy(new_entry->oth_connection->ifname, ifname);
    
    /*
     * Zero out MAC address fields
     */
     
    bzero(new_entry->smacaddr, 15);
    bzero(new_entry->oth_connection->smacaddr, 15);

    /*
     * Set raw port numbers
     */

    new_entry->sport = new_entry->oth_connection->dport = ntohs(sport);
    new_entry->dport = new_entry->oth_connection->sport = ntohs(dport);

    new_entry->stat = new_entry->oth_connection->stat = 0;

    new_entry->s_fstat = revname(rev_lookup, &(new_entry->saddr),
				 new_entry->s_fqdn, rvnfd);
    new_entry->d_fstat = revname(rev_lookup, &(new_entry->daddr),
				 new_entry->d_fqdn, rvnfd);

    /*
     * Set port service names (where applicable)
     */

    servlook(servnames, sport, IPPROTO_TCP, new_entry->s_sname, 10);
    servlook(servnames, dport, IPPROTO_TCP, new_entry->d_sname, 10);

    strcpy(new_entry->oth_connection->s_sname, new_entry->d_sname);
    strcpy(new_entry->oth_connection->d_sname, new_entry->s_sname);

    strcpy(new_entry->oth_connection->d_fqdn, new_entry->s_fqdn);
    strcpy(new_entry->oth_connection->s_fqdn, new_entry->d_fqdn);
    new_entry->oth_connection->s_fstat = new_entry->d_fstat;
    new_entry->oth_connection->d_fstat = new_entry->s_fstat;

    if (new_entry->index < new_entry->oth_connection->index) {
	new_entry->half_bracket = ACS_ULCORNER;
	new_entry->oth_connection->half_bracket = ACS_LLCORNER;
    } else {
	new_entry->half_bracket = ACS_LLCORNER;
	new_entry->oth_connection->half_bracket = ACS_ULCORNER;
    }

    new_entry->inclosed = new_entry->oth_connection->inclosed = 0;
    new_entry->finack = new_entry->oth_connection->finack = 0;
    new_entry->finsent = new_entry->oth_connection->finsent = 0;
    new_entry->partial = new_entry->oth_connection->partial = 0;
    new_entry->spanbr = new_entry->oth_connection->spanbr = 0;
    new_entry->conn_starttime = new_entry->oth_connection->conn_starttime = time(NULL);
    
    /*
     * Mark flow rate start time and byte counter for flow computation