puts("Sif SrcIPaddress DIf DstIPaddress Pr SrcP DstP Pkts Octets"); puts(" StartTime EndTime Active B/Pk Ts Fl\n"); while ((rec = ftio_read(ftio))) { cur.unix_secs = ((u_int32*)(rec+fo.unix_secs)); cur.unix_nsecs = ((u_int32*)(rec+fo.unix_nsecs)); cur.sysUpTime = ((u_int32*)(rec+fo.sysUpTime)); cur.dOctets = ((u_int32*)(rec+fo.dOctets)); cur.dPkts = ((u_int32*)(rec+fo.dPkts)); cur.First = ((u_int32*)(rec+fo.First)); cur.Last = ((u_int32*)(rec+fo.Last)); cur.srcaddr = ((u_int32*)(rec+fo.srcaddr)); cur.dstaddr = ((u_int32*)(rec+fo.dstaddr)); cur.input = ((u_int16*)(rec+fo.input)); cur.output = ((u_int16*)(rec+fo.output)); cur.srcport = ((u_int16*)(rec+fo.srcport)); cur.dstport = ((u_int16*)(rec+fo.dstport)); cur.prot = ((u_int8*)(rec+fo.prot)); cur.tcp_flags = ((u_int8*)(rec+fo.tcp_flags)); cur.tos = ((u_int8*)(rec+fo.tos)); if (!*cur.dPkts) { fprintf(stderr, "Ignoring bogus flow dPkts=0\n"); continue; } /* If it's not TCP */ if (*cur.prot != IPPROTO_TCP) continue; /* If more than the SYN bit is set */ if (*cur.tcp_flags != 2) continue; /* many SYN bit only packets per flow are suspect */ if (*cur.dPkts != 2) continue; /* 40 byte datagrams are the output of the current tool */ if (*cur.dOctets != (*cur.dPkts * 40)) continue; fmt_ipv4(fmt_buf1, *cur.srcaddr, FMT_PAD_RIGHT); fmt_ipv4(fmt_buf2, *cur.dstaddr, FMT_PAD_RIGHT); printf("%2.2x %-15.15s %2.2x %-15.15s %2.2x %-4x %-4x %-10lu %-10lu\n", (int)*cur.input, fmt_buf1, (int)*cur.output, fmt_buf2, (int)*cur.prot, (int)*cur.srcport, (int)*cur.dstport, (u_long)*cur.dPkts, (u_long)*cur.dOctets); ftt = ftltime(*cur.sysUpTime, *cur.unix_secs, *cur.unix_nsecs, *cur.First); tm = localtime((time_t*)&ftt.secs); printf(" %-2.2d%-2.2d.%-2.2d:%-2.2d:%-2.2d.%-3.3lu ", (int)tm->tm_mon+1, (int)tm->tm_mday, (int)tm->tm_hour, (int)tm->tm_min, (int)tm->tm_sec, (u_long)ftt.msecs); ftt = ftltime(*cur.sysUpTime, *cur.unix_secs, *cur.unix_nsecs, *cur.Last); tm = localtime((time_t*)&ftt.secs); active_secs = (*cur.Last - *cur.First) / 1000; 
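active_msecs = (*cur.Last - *cur.First) % 1000;
        bpp = *cur.dOctets / *cur.dPkts;
        printf("%-2.2d%-2.2d.%-2.2d:%-2.2d:%-2.2d.%-3.3lu %5lu.%-3.3lu %-3lu %2.2x %2.2x\n\n",
               (int)tm->tm_mon+1, (int)tm->tm_mday, (int)tm->tm_hour,
               (int)tm->tm_min, (int)tm->tm_sec, (u_long)ftt.msecs,
               active_secs, active_msecs, bpp, (int)*cur.tos,
               (int)*cur.tcp_flags);
        if (options & FT_OPT_NOBUF)
            fflush(stdout);
    } /* while */
    return 0;
} /* format2 */

/*
 * function: format3
 *
 * another 1 line format
 *
 * One line per flow record: source address, destination address,
 * protocol, source port, destination port, octets, packets.  With
 * FT_OPT_NAMES the protocol and port columns go through the symbol
 * tables loaded from FT_PATH_SYM_IP_PROT and FT_PATH_SYM_TCP_PORT;
 * FT_OPT_WIDE widens those columns; FT_OPT_NOBUF flushes stdout after
 * every line.
 *
 * ftio    - open flow stream to read records from
 * options - FT_OPT_* flags
 *
 * returns 0 on success, -1 (after a warning) when the stream's record
 * version lacks a field this format prints.
 */
int format3(struct ftio *ftio, int options)
{
    struct ftsym *sym_tcp, *sym_prot;
    struct fts3rec_all cur;
    struct fts3rec_offsets fo;
    struct ftver ftv;
    char fmt_buf1[64], fmt_buf2[64], fmt_buf3[64], fmt_buf4[64], fmt_buf5[64];
    char *rec;

    /* Refuse streams that cannot supply every column before printing anything. */
    if (ftio_check_xfield(ftio, FT_XFIELD_DPKTS | FT_XFIELD_DOCTETS |
        FT_XFIELD_SRCADDR | FT_XFIELD_DSTADDR | FT_XFIELD_SRCPORT |
        FT_XFIELD_DSTPORT | FT_XFIELD_PROT)) {
        fterr_warnx("Flow record missing required field for format.");
        return -1;
    }

    /* Field offsets within a raw record depend on the stream's version. */
    ftio_get_ver(ftio, &ftv);
    fts3rec_compute_offsets(&fo, &ftv);

    /* Symbol tables are only loaded on request; fmt_uint16s() is called
     * with NULL tables otherwise (presumably printing the raw number). */
    sym_tcp = sym_prot = NULL;
    if (options & FT_OPT_NAMES) {
        sym_tcp = ftsym_new(FT_PATH_SYM_TCP_PORT);
        sym_prot = ftsym_new(FT_PATH_SYM_IP_PROT);
    }

    /* NOTE(review): the wide and narrow header strings are identical in
     * this copy of the file; the column padding that should distinguish
     * them was probably lost in rendering -- verify against the original. */
    if (options & FT_OPT_WIDE)
        puts("srcIP dstIP prot srcPort dstPort octets packets");
    else
        puts("srcIP dstIP prot srcPort dstPort octets packets");

    while ((rec = ftio_read(ftio))) {
        /* Point cur.* at the fields this format prints inside the raw record. */
        cur.dOctets = (u_int32*)(rec+fo.dOctets);
        cur.dPkts = (u_int32*)(rec+fo.dPkts);
        cur.srcaddr = (u_int32*)(rec+fo.srcaddr);
        cur.dstaddr = (u_int32*)(rec+fo.dstaddr);
        cur.srcport = (u_int16*)(rec+fo.srcport);
        cur.dstport = (u_int16*)(rec+fo.dstport);
        cur.prot = (u_int8*)(rec+fo.prot);

        fmt_ipv4(fmt_buf1, *cur.srcaddr, FMT_PAD_RIGHT);
        fmt_ipv4(fmt_buf2, *cur.dstaddr, FMT_PAD_RIGHT);
        fmt_uint16s(sym_prot, 5, fmt_buf3, (u_int16)*cur.prot, FMT_PAD_RIGHT);
        fmt_uint16s(sym_tcp, 16, fmt_buf4, (u_int16)*cur.srcport, FMT_PAD_RIGHT);
        fmt_uint16s(sym_tcp, 16, fmt_buf5, (u_int16)*cur.dstport, FMT_PAD_RIGHT);

        if (options & FT_OPT_WIDE)
            printf("%-15.15s %-15.15s %-5.5s %-16.16s %-16.16s %-10lu %-10lu\n",
                   fmt_buf1, fmt_buf2, fmt_buf3, fmt_buf4, fmt_buf5,
                   (u_long)*cur.dOctets, (u_long)*cur.dPkts);
        else
            printf("%-15.15s %-15.15s %-4.4s %-7.7s %-7.7s %-10lu %-10lu\n",
                   fmt_buf1, fmt_buf2, fmt_buf3, fmt_buf4, fmt_buf5,
                   (u_long)*cur.dOctets, (u_long)*cur.dPkts);

        if (options & FT_OPT_NOBUF)
            fflush(stdout);
    } /* while */

    /* Both may be NULL when names were not requested; the original code
     * freed them unconditionally as well. */
    ftsym_free(sym_tcp);
    ftsym_free(sym_prot);

    return 0;
} /* format3 */

/*
 * function: format4
 *
 * One line per flow record keyed on prefix and AS: source and
 * destination address/mask, protocol, source AS, destination AS,
 * octets, packets.  FT_OPT_WIDE prepends the input/output interface
 * indexes and widens the AS columns; FT_OPT_NAMES resolves protocol
 * and AS numbers through FT_PATH_SYM_IP_PROT and FT_PATH_SYM_ASN.
 *
 * ftio    - open flow stream to read records from
 * options - FT_OPT_* flags
 *
 * returns 0 on success, -1 (after a warning) when a required field is
 * missing from the stream's record version.
 */
int format4(struct ftio *ftio, int options)
{
    struct fts3rec_all cur;
    struct fts3rec_offsets fo;
    struct ftver ftv;
    struct ftsym *sym_prot, *sym_asn;
    char fmt_buf1[64], fmt_buf2[64], fmt_buf3[64], fmt_buf4[64], fmt_buf5[64];
    char *rec;

    if (ftio_check_xfield(ftio, FT_XFIELD_DPKTS | FT_XFIELD_DOCTETS |
        FT_XFIELD_INPUT | FT_XFIELD_OUTPUT | FT_XFIELD_SRCADDR |
        FT_XFIELD_DSTADDR | FT_XFIELD_SRC_AS | FT_XFIELD_DST_AS |
        FT_XFIELD_PROT | FT_XFIELD_SRC_MASK | FT_XFIELD_DST_MASK)) {
        fterr_warnx("Flow record missing required field for format.");
        return -1;
    }

    ftio_get_ver(ftio, &ftv);
    fts3rec_compute_offsets(&fo, &ftv);

    sym_prot = sym_asn = NULL;
    if (options & FT_OPT_NAMES) {
        sym_prot = ftsym_new(FT_PATH_SYM_IP_PROT);
        sym_asn = ftsym_new(FT_PATH_SYM_ASN);
    }

    if (options & FT_OPT_WIDE)
        puts("Sif Dif srcIP dstIP prot srcAS dstAS octets packets");
    else
        puts("srcIP dstIP prot srcAS dstAS octets packets");

    while ((rec = ftio_read(ftio))) {
        /* Only fields that are printed (and were checked above) are mapped;
         * First/Last are neither, so they are no longer computed here. */
        cur.dOctets = (u_int32*)(rec+fo.dOctets);
        cur.dPkts = (u_int32*)(rec+fo.dPkts);
        cur.srcaddr = (u_int32*)(rec+fo.srcaddr);
        cur.dstaddr = (u_int32*)(rec+fo.dstaddr);
        cur.input = (u_int16*)(rec+fo.input);
        cur.output = (u_int16*)(rec+fo.output);
        cur.src_as = (u_int16*)(rec+fo.src_as);
        cur.dst_as = (u_int16*)(rec+fo.dst_as);
        cur.prot = (u_int8*)(rec+fo.prot);
        cur.src_mask = (u_int8*)(rec+fo.src_mask);
        cur.dst_mask = (u_int8*)(rec+fo.dst_mask);

        fmt_ipv4prefix(fmt_buf1, *cur.srcaddr, *cur.src_mask, FMT_JUST_LEFT);
        fmt_ipv4prefix(fmt_buf2, *cur.dstaddr, *cur.dst_mask, FMT_JUST_LEFT);
        fmt_uint16s(sym_prot, 5, fmt_buf3, (u_int16)*cur.prot, FMT_PAD_RIGHT);
        fmt_uint16s(sym_asn, 18, fmt_buf4, (u_int16)*cur.src_as, FMT_JUST_LEFT);
        fmt_uint16s(sym_asn, 18, fmt_buf5, (u_int16)*cur.dst_as, FMT_JUST_LEFT);

        if (options & FT_OPT_WIDE)
            printf("%4.4x %4.4x %-18.18s %-18.18s %-5.5s %-16.16s %-16.16s %-10lu %-10lu\n",
                   (int)*cur.input, (int)*cur.output, fmt_buf1, fmt_buf2,
                   fmt_buf3, fmt_buf4, fmt_buf5,
                   (u_long)*cur.dOctets, (u_long)*cur.dPkts);
        else
            printf("%-18.18s %-18.18s %-4.4s %-5.5s %-5.5s %-10lu %-10lu\n",
                   fmt_buf1, fmt_buf2, fmt_buf3, fmt_buf4, fmt_buf5,
                   (u_long)*cur.dOctets, (u_long)*cur.dPkts);

        if (options & FT_OPT_NOBUF)
            fflush(stdout);
    } /* while */

    ftsym_free(sym_prot);
    ftsym_free(sym_asn);

    return 0;
} /* format4 */

/*
 * function: fttime_to_tm
 *
 * Convert the seconds part of a flow timestamp to broken-down local time.
 *
 * The value is first copied into a real time_t.  The previous code passed
 * (time_t *)&ftt.secs straight to localtime(), which makes localtime()
 * read sizeof(time_t) bytes from the secs field; where time_t is wider
 * than that field (common 64-bit hosts) this reads past it, and the cast
 * is not aliasing-safe in any case.
 *
 * ftt - timestamp as returned by ftltime(); only ftt->secs is used
 * out - receives a copy of the broken-down time
 *
 * returns 0 on success, -1 if localtime() returned NULL (out untouched).
 */
static int fttime_to_tm(const struct fttime *ftt, struct tm *out)
{
    time_t secs = (time_t)ftt->secs;
    struct tm *tp = localtime(&secs);

    if (tp == NULL)
        return -1;
    *out = *tp;
    return 0;
}

/*
 * function: format5
 *
 * 1 line summary, steve's favorite
 *
 * One line per flow record: start and end time of the flow (local time,
 * "MMDD.HH:MM:SS.mmm"), input interface, source address and port, output
 * interface, destination address and port, protocol, the low three TCP
 * flag bits, packets and octets.  FT_OPT_NOBUF flushes stdout per line.
 *
 * Records whose timestamps cannot be converted by localtime() are
 * skipped with a warning instead of dereferencing a NULL struct tm.
 *
 * ftio    - open flow stream to read records from
 * options - FT_OPT_* flags
 *
 * returns 0 on success, -1 (after a warning) when a required field is
 * missing from the stream's record version.
 */
int format5(struct ftio *ftio, int options)
{
    struct tm tm_first, tm_last;
    struct fttime ftt_first, ftt_last;
    struct fts3rec_all cur;
    struct fts3rec_offsets fo;
    struct ftver ftv;
    char fmt_buf1[64], fmt_buf2[64];
    char *rec;

    if (ftio_check_xfield(ftio, FT_XFIELD_DPKTS | FT_XFIELD_DOCTETS |
        FT_XFIELD_FIRST | FT_XFIELD_LAST | FT_XFIELD_INPUT | FT_XFIELD_OUTPUT |
        FT_XFIELD_SRCADDR | FT_XFIELD_DSTADDR | FT_XFIELD_SRCPORT |
        FT_XFIELD_DSTPORT | FT_XFIELD_UNIX_SECS | FT_XFIELD_UNIX_NSECS |
        FT_XFIELD_SYSUPTIME | FT_XFIELD_TCP_FLAGS | FT_XFIELD_PROT)) {
        fterr_warnx("Flow record missing required field for format.");
        return -1;
    }

    ftio_get_ver(ftio, &ftv);
    fts3rec_compute_offsets(&fo, &ftv);

    puts("Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets\n");

    while ((rec = ftio_read(ftio))) {
        cur.unix_secs = (u_int32*)(rec+fo.unix_secs);
        cur.unix_nsecs = (u_int32*)(rec+fo.unix_nsecs);
        cur.sysUpTime = (u_int32*)(rec+fo.sysUpTime);
        cur.dOctets = (u_int32*)(rec+fo.dOctets);
        cur.dPkts = (u_int32*)(rec+fo.dPkts);
        cur.First = (u_int32*)(rec+fo.First);
        cur.Last = (u_int32*)(rec+fo.Last);
        cur.srcaddr = (u_int32*)(rec+fo.srcaddr);
        cur.dstaddr = (u_int32*)(rec+fo.dstaddr);
        cur.input = (u_int16*)(rec+fo.input);
        cur.output = (u_int16*)(rec+fo.output);
        cur.srcport = (u_int16*)(rec+fo.srcport);
        cur.dstport = (u_int16*)(rec+fo.dstport);
        cur.prot = (u_int8*)(rec+fo.prot);
        cur.tcp_flags = (u_int8*)(rec+fo.tcp_flags);

        /* Flow start/end are router-uptime relative; ftltime() turns them
         * into wall-clock seconds/milliseconds.  Convert both before
         * printing so a conversion failure never leaves a half-written line. */
        ftt_first = ftltime(*cur.sysUpTime, *cur.unix_secs, *cur.unix_nsecs,
                            *cur.First);
        ftt_last = ftltime(*cur.sysUpTime, *cur.unix_secs, *cur.unix_nsecs,
                           *cur.Last);
        if (fttime_to_tm(&ftt_first, &tm_first) < 0 ||
            fttime_to_tm(&ftt_last, &tm_last) < 0) {
            fterr_warnx("Ignoring flow with unconvertible timestamp");
            continue;
        }

        printf("%-2.2d%-2.2d.%-2.2d:%-2.2d:%-2.2d.%-3.3lu ",
               (int)tm_first.tm_mon+1, (int)tm_first.tm_mday,
               (int)tm_first.tm_hour, (int)tm_first.tm_min,
               (int)tm_first.tm_sec, (u_long)ftt_first.msecs);

        printf("%-2.2d%-2.2d.%-2.2d:%-2.2d:%-2.2d.%-3.3lu ",
               (int)tm_last.tm_mon+1, (int)tm_last.tm_mday,
               (int)tm_last.tm_hour, (int)tm_last.tm_min,
               (int)tm_last.tm_sec, (u_long)ftt_last.msecs);

        /* other info */
        fmt_ipv4(fmt_buf1, *cur.srcaddr, FMT_PAD_RIGHT);
        fmt_ipv4(fmt_buf2, *cur.dstaddr, FMT_PAD_RIGHT);

        /* The flags argument is unsigned, so it is printed with %u rather
         * than the %d the original used (same output for values 0..7). */
        printf("%-5u %-15.15s %-5u %-5u %-15.15s %-5u %-3u %-2u %-10lu %-10lu\n",
               (u_int)*cur.input, fmt_buf1, (u_int)*cur.srcport,
               (u_int)*cur.output, fmt_buf2, (u_int)*cur.dstport,
               (u_int)*cur.prot, (u_int)*cur.tcp_flags & 0x7,
               (u_long)*cur.dPkts, (u_long)*cur.dOctets);

        if (options & FT_OPT_NOBUF)
            fflush(stdout);
    } /* while */

    return 0;
} /* format5 */

/*
 * function: format6
 *
 * 1 line summary, similar to `show ip accounting`
 *
 * One line per flow record: source address, destination address,
 * packets, bytes.  FT_OPT_NOBUF flushes stdout per line.
 *
 * ftio    - open flow stream to read records from
 * options - FT_OPT_* flags
 *
 * returns 0 on success, -1 (after a warning) when a required field is
 * missing from the stream's record version.
 */
int format6(struct ftio *ftio, int options)
{
    struct fts3rec_all cur;
    struct fts3rec_offsets fo;
    struct ftver ftv;
    char fmt_buf1[64], fmt_buf2[64];
    char *rec;

    if (ftio_check_xfield(ftio, FT_XFIELD_DPKTS | FT_XFIELD_DOCTETS |
        FT_XFIELD_SRCADDR | FT_XFIELD_DSTADDR)) {
        fterr_warnx("Flow record missing required field for format.");
        return -1;
    }

    ftio_get_ver(ftio, &ftv);
    fts3rec_compute_offsets(&fo, &ftv);

    puts( " Source Destination Packets Bytes");

    while ((rec = ftio_read(ftio))) {
        cur.dOctets = (u_int32*)(rec+fo.dOctets);
        cur.dPkts = (u_int32*)(rec+fo.dPkts);
        cur.srcaddr = (u_int32*)(rec+fo.srcaddr);
        cur.dstaddr = (u_int32*)(rec+fo.dstaddr);

        fmt_ipv4(fmt_buf1, *cur.srcaddr, FMT_PAD_RIGHT);
        fmt_ipv4(fmt_buf2, *cur.dstaddr, FMT_PAD_RIGHT);

        printf(" %-15.15s %-15.15s %17lu %18lu\n",
               fmt_buf1, fmt_buf2, (u_long)*cur.dPkts, (u_long)*cur.dOctets);

        if (options & FT_OPT_NOBUF)
            fflush(stdout);
    } /* while */

    return 0;
} /* format6 */

/*
 * function: format7
 *
 * 1 line, 132 column -- includes router_sc from v7 format
 */
int format7(struct ftio *ftio, int options)
{
    struct fts3rec_all cur;
    struct fts3rec_offsets fo;
    struct ftver ftv;
    struct ftsym *sym_tcp, *sym_prot;
    char fmt_buf1[64], fmt_buf2[64], fmt_buf3[64], fmt_buf4[64], fmt_buf5[64];
    char fmt_buf6[64];
    char *rec;

    if (ftio_check_xfield(ftio, FT_XFIELD_DPKTS | FT_XFIELD_DOCTETS |
        FT_XFIELD_PROT | FT_XFIELD_SRCADDR | FT_XFIELD_DSTADDR |
        FT_XFIELD_SRC_MASK | FT_XFIELD_DST_MASK | FT_XFIELD_ROUTER_SC |
        FT_XFIELD_SRCPORT | FT_XFIELD_DSTPORT )) {
        fterr_warnx("Flow record missing required field for format.");
        return -1;
    }

    ftio_get_ver(ftio, &ftv);
    fts3rec_compute_offsets(&fo, &ftv);

    sym_tcp = sym_prot = (struct ftsym*)0L;
    if (options & FT_OPT_NAMES) {
        sym_tcp = ftsym_new(FT_PATH_SYM_TCP_PORT);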