flow-print.c

netflow,抓包

/*
 * Copyright (c) 2001 Mark Fullmer and The Ohio State University
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *      $Id: flow-print.c,v 1.29 2003/04/02 18:03:02 maf Exp $
 */

#include "ftconfig.h"
#include <ftlib.h>

#include <sys/time.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <fcntl.h>

#if HAVE_STRINGS_H
 #include <strings.h>
#endif

#if HAVE_STRING_H
  #include <string.h>
#endif

#include "ftbuild.h"

struct jump {
    int (*where)(struct ftio *ftio, int options);
};

int format0(struct ftio *ftio, int options);
int format1(struct ftio *ftio, int options);
int format2(struct ftio *ftio, int options);
int format3(struct ftio *ftio, int options);
int format4(struct ftio *ftio, int options);
int format5(struct ftio *ftio, int options);
int format6(struct ftio *ftio, int options);
int format7(struct ftio *ftio, int options);
int format8(struct ftio *ftio, int options);
int format9(struct ftio *ftio, int options);
int format10(struct ftio *ftio, int options);
int format11(struct ftio *ftio, int options);
int format12(struct ftio *ftio, int options);
int format13(struct ftio *ftio, int options);
int format14(struct ftio *ftio, int options);
int format15(struct ftio *ftio, int options);
int format16(struct ftio *ftio, int options);
int format17(struct ftio *ftio, int options);
int format18(struct ftio *ftio, int options);
int format19(struct ftio *ftio, int options);
int format20(struct ftio *ftio, int options);
int format21(struct ftio *ftio, int options);
int format22(struct ftio *ftio, int options);
int format23(struct ftio *ftio, int options);
int format24(struct ftio *ftio, int options);

struct jump format[] = {{format0}, {format1}, {format2},
          {format3}, {format4}, {format5}, {format6}, {format7},
          {format8}, {format9}, {format10}, {format11}, {format12},
          {format13}, {format14}, {format15}, {format16}, {format17},
          {format18}, {format19}, {format20}, {format21}, {format22},
          {format23}, {format24}};

#define NFORMATS 25

void usage(void);

int main(argc, argv)
int argc;
char **argv;
{
  struct ftio ftio;
  struct ftprof ftp;
  int i, format_index, set_format, ret;
  int print_header, options, debug;
  char cc; /* comment character */

  /* init fterr */
  fterr_setid(argv[0]);

  options = 0;
  debug = 0;

  /* profile */
  ftprof_start (&ftp);

  set_format = 0;
  print_header = 0;
  cc = '#';

  while ((i = getopt(argc, argv, "ph?d:f:c:lnw")) != -1)
    switch (i) {

    case 'c': /* comment character */
      cc = optarg[0];
      break;

    case 'd': /* debug */
      debug = atoi(optarg);
      break;

    case 'f': /* format */
      format_index = atoi(optarg);
      set_format = 1;
      break;

    case 'h': /* help */
    case '?':
      usage();
      exit (0);
      break;

    case 'l': /* turn off buffered output */
      options |= FT_OPT_NOBUF;
      break;

    case 'n': /* symbolic names */
      options |= FT_OPT_NAMES;
      break;

    case 'p': /* print header */
      print_header = 1;
      break;

    case 'w': /* wide */
      options |= FT_OPT_WIDE;
      break;

    default:
      usage();
      exit (1);
      break;

    } /* switch */

  if (argc - optind)
    fterr_errx(1, "Extra arguments starting with %s.", argv[optind]);

  if (set_format && (format_index >= NFORMATS)) 
    fterr_errx(1, "No such format, %d\n", format_index);

  /* read from stdin */
  if (ftio_init(&ftio, 0, FT_IO_FLAG_READ) < 0)
    fterr_errx(1, "ftio_init(): failed");

  /* if the format was not set on the command line use a reasonable default */
  if (!set_format) {
    if (ftio.fth.d_version == 8) {
      if (ftio.fth.agg_method == 1)
        format_index = 10;
      else if (ftio.fth.agg_method == 2)
        format_index = 11;
      else if (ftio.fth.agg_method == 3)
        format_index = 12;
      else if (ftio.fth.agg_method == 4)
        format_index = 13;
      else if (ftio.fth.agg_method == 5)
        format_index = 14;
      else if (ftio.fth.agg_method == 6)
        format_index = 15;
      else if (ftio.fth.agg_method == 7)
        format_index = 16;
      else if (ftio.fth.agg_method == 8)
        format_index = 17;
      else if (ftio.fth.agg_method == 9)
        format_index = 18;
      else if (ftio.fth.agg_method == 10)
        format_index = 19;
      else if (ftio.fth.agg_method == 11)
        format_index = 20;
      else if (ftio.fth.agg_method == 12)
        format_index = 21;
      else if (ftio.fth.agg_method == 13)
        format_index = 22;
      else if (ftio.fth.agg_method == 14)
        format_index = 23;
    } else if (ftio.fth.d_version == 7) {
      format_index = 7;
    } else if (ftio.fth.d_version == 6) {
      format_index = 8;
    } else if (ftio.fth.d_version == 1005) {
      format_index = 9;
    } else
      format_index = 3;
  } /* !set_format */

  if (print_header) {
    ftio_header_print(&ftio, stdout, cc);
  }

  ret = format[format_index].where(&ftio, options);

  if ((!ret) && (debug > 0)) {
    ftprof_end(&ftp, ftio_get_rec_total(&ftio));
    ftprof_print(&ftp, argv[0], stderr);
  }

  return ret;

} /* main */


/*
 * function: format0
 *
 * 1 line summary
 */
int format0(struct ftio *ftio, int options)
{
  struct fts3rec_all cur;
  struct fts3rec_offsets fo;
  struct ftver ftv;
  char fmt_buf1[64], fmt_buf2[64];
  char *rec;

  if (ftio_check_xfield(ftio, FT_XFIELD_DPKTS |
    FT_XFIELD_DOCTETS | FT_XFIELD_INPUT | FT_XFIELD_OUTPUT | FT_XFIELD_PROT |
    FT_XFIELD_SRCADDR | FT_XFIELD_DSTADDR | FT_XFIELD_INPUT |
    FT_XFIELD_SRCPORT | FT_XFIELD_DSTPORT | FT_XFIELD_OUTPUT)) {
    fterr_warnx("Flow record missing required field for format.");
    return -1;
  }
 
  ftio_get_ver(ftio, &ftv);

  fts3rec_compute_offsets(&fo, &ftv);

  puts("Sif  SrcIPaddress     Dif  DstIPaddress      Pr SrcP DstP  Pkts       Octets");

  while ((rec = ftio_read(ftio))) {

    cur.dOctets = ((u_int32*)(rec+fo.dOctets));
    cur.dPkts = ((u_int32*)(rec+fo.dPkts));
    cur.srcaddr = ((u_int32*)(rec+fo.srcaddr));
    cur.dstaddr = ((u_int32*)(rec+fo.dstaddr));
    cur.input = ((u_int16*)(rec+fo.input));
    cur.output = ((u_int16*)(rec+fo.output));
    cur.srcport = ((u_int16*)(rec+fo.srcport));
    cur.dstport = ((u_int16*)(rec+fo.dstport));
    cur.prot = ((u_int8*)(rec+fo.prot));

    fmt_ipv4(fmt_buf1, *cur.srcaddr, FMT_PAD_RIGHT);
    fmt_ipv4(fmt_buf2, *cur.dstaddr, FMT_PAD_RIGHT);

    printf("%4.4x %-15.15s  %4.4x %-15.15s   %2.2x %-4x %-4x  %-10lu %-10lu\n",
      (int)*cur.input, fmt_buf1, (int)*cur.output, fmt_buf2,
      (int)*cur.prot, (int)*cur.srcport, (int)*cur.dstport,
      (u_long)*cur.dPkts, (u_long)*cur.dOctets);

    if (options & FT_OPT_NOBUF)
      fflush(stdout);

  } /* while */

  return 0;

} /* format0 */


/*
 * function: format1
 *
 * 2 line summary
 */
int format1(struct ftio *ftio, int options)
{
  struct fttime ftt;
  struct fts3rec_all cur;
  struct fts3rec_offsets fo;
  struct ftver ftv;
  struct tm *tm;
  u_long active_secs, active_msecs;
  u_long bpp;
  char fmt_buf1[64], fmt_buf2[64];
  char *rec;

  if (ftio_check_xfield(ftio, FT_XFIELD_DPKTS |
    FT_XFIELD_DOCTETS | FT_XFIELD_FIRST | FT_XFIELD_LAST | FT_XFIELD_INPUT |
    FT_XFIELD_OUTPUT | FT_XFIELD_SRCADDR | FT_XFIELD_DSTADDR |
    FT_XFIELD_SRCPORT | FT_XFIELD_DSTPORT | 
    FT_XFIELD_UNIX_SECS | FT_XFIELD_UNIX_NSECS | FT_XFIELD_SYSUPTIME |
    FT_XFIELD_TOS | FT_XFIELD_TCP_FLAGS | FT_XFIELD_PROT)) {
    fterr_warnx("Flow record missing required field for format.");
    return -1;
  }

  ftio_get_ver(ftio, &ftv);

  fts3rec_compute_offsets(&fo, &ftv);

  puts(
    "Sif  SrcIPaddress     DIf  DstIPaddress      Pr SrcP DstP  Pkts  Octets");
  puts(
    " StartTime          EndTime             Active   B/Pk Ts Fl\n");

  while ((rec = ftio_read(ftio))) {

    cur.unix_secs = ((u_int32*)(rec+fo.unix_secs));
    cur.unix_nsecs = ((u_int32*)(rec+fo.unix_nsecs));
    cur.sysUpTime = ((u_int32*)(rec+fo.sysUpTime));
    cur.dOctets = ((u_int32*)(rec+fo.dOctets));
    cur.dPkts = ((u_int32*)(rec+fo.dPkts));
    cur.First = ((u_int32*)(rec+fo.First));
    cur.Last = ((u_int32*)(rec+fo.Last));
    cur.srcaddr = ((u_int32*)(rec+fo.srcaddr));
    cur.dstaddr = ((u_int32*)(rec+fo.dstaddr));
    cur.input = ((u_int16*)(rec+fo.input));
    cur.output = ((u_int16*)(rec+fo.output));
    cur.srcport = ((u_int16*)(rec+fo.srcport));
    cur.dstport = ((u_int16*)(rec+fo.dstport));
    cur.prot = ((u_int8*)(rec+fo.prot));
    cur.tcp_flags = ((u_int8*)(rec+fo.tcp_flags));
    cur.tos = ((u_int8*)(rec+fo.tos));

    if (!*cur.dPkts) {
      fprintf(stderr, "Ignoring bogus flow dPkts=0\n");
      continue;
    }

    fmt_ipv4(fmt_buf1, *cur.srcaddr, FMT_PAD_RIGHT);
    fmt_ipv4(fmt_buf2, *cur.dstaddr, FMT_PAD_RIGHT);

    printf("%4.4x %-15.15s  %4.4x %-15.15s   %2.2x %-4x %-4x  %-10lu %-10lu\n",
      (int)*cur.input, fmt_buf1, (int)*cur.output, fmt_buf2,
      (int)*cur.prot, (int)*cur.srcport, (int)*cur.dstport,
      (u_long)*cur.dPkts, (u_long)*cur.dOctets);

    ftt = ftltime(*cur.sysUpTime, *cur.unix_secs, *cur.unix_nsecs, *cur.First);
    tm = localtime((time_t*)&ftt.secs);

    printf(" %-2.2d%-2.2d.%-2.2d:%-2.2d:%-2.2d.%-3.3lu  ",
      (int)tm->tm_mon+1, (int)tm->tm_mday, (int)tm->tm_hour,
      (int)tm->tm_min, (int)tm->tm_sec, (u_long)ftt.msecs);

    ftt = ftltime(*cur.sysUpTime, *cur.unix_secs, *cur.unix_nsecs, *cur.Last);
    tm = localtime((time_t*)&ftt.secs);

    active_secs = (*cur.Last - *cur.First) / 1000;
    active_msecs = (*cur.Last - *cur.First) % 1000;

    bpp = *cur.dOctets / *cur.dPkts;

    printf("%-2.2d%-2.2d.%-2.2d:%-2.2d:%-2.2d.%-3.3lu  %5lu.%-3.3lu %-3lu %2.2x %2.2x\n\n",
      (int)tm->tm_mon+1, (int)tm->tm_mday, (int)tm->tm_hour,
      (int)tm->tm_min, (int)tm->tm_sec, (u_long)ftt.msecs,
      active_secs, active_msecs, bpp, (int)*cur.tos,
      (int)*cur.tcp_flags);

    if (options & FT_OPT_NOBUF)
      fflush(stdout);

  } /* while */

  return 0;

} /* format1 */


/*
 * function: format2
 *
 * only print flows that are TCP with only a SYN bit set and
 * a single packet
 */
int format2(struct ftio *ftio, int options)
{
  struct tm *tm;
  struct fttime ftt;
  struct fts3rec_all cur;
  struct fts3rec_offsets fo;
  struct ftver ftv;
  char fmt_buf1[64], fmt_buf2[64];
  u_long active_secs, active_msecs;
  u_long bpp;
  char *rec;

  if (ftio_check_xfield(ftio, FT_XFIELD_DPKTS |
    FT_XFIELD_DOCTETS | FT_XFIELD_FIRST | FT_XFIELD_LAST | FT_XFIELD_INPUT |
    FT_XFIELD_OUTPUT | FT_XFIELD_SRCADDR | FT_XFIELD_DSTADDR |
    FT_XFIELD_SRCPORT | FT_XFIELD_DSTPORT | 
    FT_XFIELD_UNIX_SECS | FT_XFIELD_UNIX_NSECS | FT_XFIELD_SYSUPTIME |
    FT_XFIELD_TOS | FT_XFIELD_TCP_FLAGS | FT_XFIELD_PROT)) {
    fterr_warnx("Flow record missing required field for format.");
    return -1;
  }

  ftio_get_ver(ftio, &ftv);

  fts3rec_compute_offsets(&fo, &ftv);